HKICPA Learning Pack Module 13 Auditing


QUALIFICATION PROGRAMME

Professional Module 13

Business Assurance

MODULE 13
BUSINESS ASSURANCE
Qualification Programme



First edition 2021

ISBN 9781119485629

Library of Congress Cataloging-in-Publication Data


Library of Congress Cataloging-in-Publication data is available for this book

Published by

John Wiley & Sons, Inc.


111 River Street
Hoboken
NJ 07030, USA

www.wiley.com

The copyright in this publication is jointly owned by


John Wiley & Sons, Inc. and HKICPA.

Cover image: © Lane Oaley/Blue Jean Images/Getty Images


Interior: © Andrey_Popov/Shutterstock

Set in 10/14pt OpenSans by SPi Global, Chennai, India

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form
or by any means, electronic, mechanical, photocopying, recording or otherwise, except as permitted by law. Advice on how
to obtain permission to reuse material from this title is available at http://www.wiley.com/go/permissions.

For details of Wiley’s global editorial offices, customer services, and more information about Wiley products visit us at
www.wiley.com.

Limit of Liability/Disclaimer of Warranty

While the publisher and authors have used their best efforts in preparing this work, they make no representations or
warranties with respect to the accuracy or completeness of the contents of this work and specifically disclaim all warranties,
including without limitation any implied warranties of merchantability or fitness for a particular purpose. No warranty may
be created or extended by sales representatives, written sales materials or promotional statements for this work.
The content of this work is for educational purposes and standards and regulations should be referred to as definitive
information sources. The fact that an organization, website, or product is referred to in this work as a citation and/
or potential source of further information does not mean that the publisher and authors endorse the information or
services the organization, website, or product may provide or recommendations it may make. This work is sold with the
understanding that the publisher is not engaged in rendering professional services. The advice and strategies contained
herein may not be suitable for your situation. You should consult with a specialist where appropriate. Further, readers
should be aware that websites listed in this work may have changed or disappeared between when this work was written
and when it is read. Neither the publisher nor authors shall be liable for any loss of profit or any other commercial damages,
including but not limited to special, incidental, consequential, or other damages.

We are grateful to HKICPA for permission to reproduce the Learning Outcomes and past examination questions, the
copyright of which is owned by HKICPA.

© HKICPA and John Wiley and Sons, Inc. 2021



TABLE OF CONTENTS

Module 13: Business Assurance

Director’s Message
Introduction
HKICPA Proficiency Levels and Taxonomy
Learning Outcomes
Study Text Key Features

PART A PROFESSIONAL STANDARDS AND GUIDANCE
CHAPTER 1: Ethical Standards, Legislation, and Professional Guidance

PART B CORPORATE GOVERNANCE AND RISK MANAGEMENT
CHAPTER 2: Corporate Governance

PART C ASSURANCE ENGAGEMENTS
CHAPTER 3: Client and Engagement Acceptance Procedures
CHAPTER 4: Quality Control Considerations
CHAPTER 5: Planning and Risk Assessment
CHAPTER 6: Audit Procedures and Audit Evidence
CHAPTER 7: The Audit Programme
CHAPTER 8: Using the Work of Others
CHAPTER 9: Major Actions During the Audit Completion
CHAPTER 10: Auditor’s Reporting
CHAPTER 11: Group Audits
CHAPTER 12: Other Assurance Engagement Requirements
CHAPTER 13: Computerised Business Systems and Controls

Further Reading
Glossary of Terms
Index


DIRECTOR’S MESSAGE

Congratulations on choosing the Qualification Programme (‘QP’) of the Hong Kong Institute of
Certified Public Accountants (‘HKICPA’) as your pathway to becoming a CPA! You have joined
thousands of others on this exciting and important journey to develop the knowledge, skills
and perspectives you need to succeed in your career and become a valued member of the
Institute.

The world is evolving rapidly, so too is the business environment. The Accounting
profession faces a number of challenges and trends including technological enhancement,
regulatory development, changing societal expectations and more.

Professional accountants are no longer left only to deal with numbers, but also to analyse
and advise. We are also expected to be highly strategic and collaborative, and to build trust by
demonstrating relevance and value to many aspects of society.

The QP of the HKICPA aims at qualifying accountants with the agility needed to embrace the
changing environment. You will grow and discover a plethora of relevant competencies through
QP by completing training programmes, passing professional examinations and acquiring
practical experience under an authorised employer or supervisor. In the longer term, we hope
that you will succeed not only in accountancy but also in enhancing your employability and
portability so that you will be able to help business and society move forward.

We are delighted to partner with you on your development journey.

The QP consists of three levels of designations:

• The Associate Level aims to build a solid foundation of technical accounting knowledge.

• The Professional Level aims to deepen your technical capabilities and develop core
enabling competences in the workplace.

• The Capstone integrates your knowledge, skills and experiences to resolve business
problems and emerge as a top tier accounting professional.

We have designed this Learning Pack to provide you with the valuable resources for your
development on attaining your CPA designation under the QP. I trust you will be successful and
enjoy your QP journey!

Should you require any assistance at any time, please feel free to contact us on (852) 2287 7228.

Kit Wong
Director of Education and Training
Hong Kong Institute of Certified Public Accountants


INTRODUCTION

Successfully preparing for a career in accounting is a significant undertaking. To better prepare
you for this challenging profession, the Hong Kong Institute of Certified Public Accountants
(HKICPA) provides a qualification programme (QP) comprising three progressive levels: a
10-module Associate Level, a four-module Professional Level including workshops and a
Capstone that includes three-day workshops and a final examination.

The Professional Level of the QP comprises four modules. Each of these modules involves
approximately 120 hours of self-study and an open-book module examination. There are also a
total of five workshops to be completed for the Professional Level. They include a prerequisite
Introductory Workshop and a one-day workshop for each Professional Module.

• Module 11: Financial Reporting
• Module 12: Business Finance
• Module 13: Business Assurance
• Module 14: Taxation

While each of the Associate Level and Professional Level modules stands on its own, the
modules are also arranged in a series of ‘verticals’ that map to the CPA competence blueprint.
These verticals are designed to develop an area of knowledge, through two or three modules,
from basic understanding to professional excellence.

The Financial Accounting and Reporting vertical runs from Module 1, through Module 6 to
Professional Level Module 11: Financial Reporting. A second vertical, Management Accounting,
runs from Module 2, via Module 7 to Professional Level Module 12: Business Finance. The
third vertical, Audit and Assurance, develops from Module 8 to Professional Level Module 13:
Business Assurance. The fourth vertical, Taxation, takes students from Module 9 to Professional
Level Module 14: Taxation.

Each Professional Level module of the new QP requires students to sit a three-hour
examination. Two exam sittings are held each year, in the June session and the December session.

Please refer to the Student Handbook for the examination structure and the cut-off rule on
the examinable content.


HKICPA PROFICIENCY LEVELS AND TAXONOMY

The proficiency level indicated in the table below reflects the level at which the topics covered
in a particular learning outcome are tested. There are three levels of proficiency:

• Level 1 is the foundational level, covering the skills of knowledge and comprehension.

• Level 2 is the intermediate level, covering the skills of application and analysis.

• Level 3 is the advanced level, covering the skills of integration and evaluation.

You are expected to understand which skill is exercised based on the taxonomy verbs with
which it is associated.

Please note that the list of taxonomy verbs below is for reference only and does not
represent an exhaustive list.

LEVEL 1: FOUNDATION

Skill: Knowledge
The remembering of previously learned material (recall of facts)
• Define: Give the accepted meaning of
• Identify: List or ascertaining possibilities before analysis; Point to the essential part or parts
• List: Provide a concise summary of the relevant points, often in bullet point format
• Outline: Give the main facts about something
• State: Accurately articulate established principles, concepts, terms etc.

Skill: Comprehension
Demonstrative understanding of facts and ideas by organising, comparing, translating, interpreting, giving descriptions and stating main ideas
• Describe: Communicate the key features of something, present a detailed account of something focusing on depth of knowledge
• Explain: Make clear the details of something; or show how the reason for, or underlying cause of, or the means by which something occurs
• Illustrate: Offer examples, to show how something happens, that something happens, or make concrete a concept by giving examples
• Interpret: Make clear the meaning of something and its implications
• Summarise: Describe something concisely; bring together the main facts


LEVEL 2: INTERMEDIATE

Skill: Application
Using new knowledge. Solve problems to new situations by applying acquired knowledge, facts, techniques and rules in a different way
• Account for / Demonstrate: Give details of accounting entries to be made for in the context of financial reporting or justify (if used in a more general context); Demonstrate the accounting treatment by using a set of accounts
• Apply: Demonstrate knowledge, concepts or techniques; Use established methods / tools / procedures to resolve relatively straightforward scenarios or problems
• Calculate / Compute: Determine by computation or arrive at by mathematical means or processes
• Prepare: Follow established procedures / methods to create a report of financial information or commentary (e.g. using a proforma spreadsheet)
• Solve: To work out to a result or conclusion
• Use: Apply in a practical way

Skill: Analysis
Examine and break information into parts by identifying motives or causes. Make inferences and find evidence to support generalisation
• Analyse: To examine methodically by separating into parts and studying the interrelationships in order to discover essential features
• Compare: Critically consider two or more things, emphasising their similarities
• Contrast: Critically consider two or more things, emphasising their differences
• Classify / Categorise: Apply concepts to categorise information or groups into categories
• Justify: Explain the reason for recommendation made, or underlying cause of, based on an analysis of a range of available options
• Prioritise / Determine: Determine the order for dealing with a series of items or tasks according to their relative importance e.g. Determine the priorities / determine the level of importance


LEVEL 3: ADVANCED

Skill: Integration
Compile information together in a different way by combining elements in a new pattern or proposing alternative solutions
• Construct: To form an idea, a process, or procedure by bringing together various theoretical and conceptual elements
• Design: Develop a procedure/process or course of action based on selection of the optimum combination from a range of available options
• Develop: To bring something into existence that has not previously existed, or to reshape something from its initial position into something more refined; Use judgement to bring to a more advanced or effective state or to create a plan
• Formulate: Devise and put a plan into words
• Integrate: Combine one aspect of learning with another to form a holistic understanding of a process, procedure or course of action
• Plan / Propose: Formulate a detailed proposal for doing or achieving something
• Produce: Draw together similar or disparate items to form a report containing financial and/or non-financial information

Skill: Evaluation
The ability to judge the value of material for a given purpose
• Advise: Communicate appropriately the recommended course of action based on an analysis of specific circumstances in a manner suited to the recipient
• Appraise: Assess the value or quality of something; or to assess its performance
• Consider: Think carefully about something before making a decision, to look closely or attentively at something through a process involving critical thinking
• Evaluate: Assess and determine the value, importance or qualities of something, normally with reference to specific criteria and draw conclusions
• Recommend: Select the best course of action or choice; Advocate a particular outcome or course of action based on an analysis of a range of available options

References
Anderson, L. W., Krathwohl, D. R., Airasian, W., Cruikshank, K. A., Mayer, R. E., & Pintrich, P. R. (2001).
A taxonomy for learning, teaching and assessing: A revision of Bloom’s Taxonomy of educational outcomes:
Complete edition. New York: Longman.
The International Federation of Accountants. (2016). Framework for International Education Standards for
Professional Accountants and Aspiring Professional Accountants. (2015). Retrieved from https://www.ifac.org
The Government of the Hong Kong Special Administrative Region. (2016). Qualification Framework – Generic
Level Descriptors. Retrieved from https://www.hkqf.gov.hk


LEARNING OUTCOMES

Each module includes Principal Learning Outcomes and Supporting Learning Outcomes
arranged along a series of proficiency levels.

Module 13

Syllabus area | Weighting (%)
Perform assurance engagements | 65–75
Explain and analyse the professional standards and guidance applicable to assurance engagements | 5–15
Explain the importance of corporate governance and risk management | 5–15
Evaluate and advise on computerized business systems and controls | 5–15

The syllabus weighting table indicates the relative weightings of the syllabus areas encompassed
in this module. It serves as a guide to the percentage of study time spent on each syllabus area. In
the long run, the marks allocation in the module examinations would conform to the weightings as
shown above. The exact range of marks allocation in each module examination may deviate from
the weightings for suitably robust questions to be set.


Learning Outcomes | Proficiency Level | Chapter where covered

PRINCIPAL LO1: PERFORM ASSURANCE ENGAGEMENTS

LO1.01: Prepare, plan and develop assurance engagements including the audits of financial statements in accordance with relevant Hong Kong Standards of Quality Control, Auditing, Assurance and Related Services, guidance and legislation with emphasis on: | 2 |

Other assurance engagement requirements
1.01.01 Explain why users need assurance reports | 1 | 12
1.01.02 Describe the level of assurance and the issues relating to other assurance and non-assurance engagements, including: | 1 | 12
• Reviews
• Agreed-upon procedures
• Pro-forma financial information
• Investment circular reporting engagements
• Preliminary announcements of annual results
• Continuing connected transaction
• Comfort letters
• Due diligence work
1.01.03 Analyse the potential engagement for the risks it presents to the auditor | 2 | 12
1.01.04 Prepare an engagement letter | 2 | 12
1.01.05 Determine an approach to gathering sufficient appropriate evidence | 2 | 12
1.01.06 Determine the methods, timing and content of communication with those charged with governance | 2 | 12
1.01.07 Analyse the results of evidence collected | 2 | 12
1.01.08 Prepare the engagement report | 2 | 12

LO1.02: Client and engagement acceptance procedures | 2 |
1.02.01 Explain the reasons why entities change their auditors/professional accountants | 1 | 3
1.02.02 Explain the requirements relating to the appointment of an auditor under the Hong Kong Companies Ordinance | 1 | 3
1.02.03 Explain the procedure for a change of an auditor | 1 | 3
1.02.04 Explain the rights of the auditor in the process of a change of an auditor | 1 | 3
1.02.05 Explain the professional clearance procedures | 1 | 3
1.02.06 Analyse the matters to be considered and the procedures that an audit firm/professional accountant should carry out before accepting a specified new client/engagement including: | 2 | 3
• Client acceptance
• Engagement acceptance
• Agreement of the terms of engagement
• Transfer of books, papers and information
• Engagement risk (including: Management characteristics and integrity, Organisation and management structure, Nature of the business, Business environment (including cyber security), Financial results, Business relationships and related parties and Prior knowledge and experience)

1.02.07 Identify different acceptance/continuance issues (e.g. self-review or familiarity threat) during acceptance procedures and illustrate safeguard to address those threats | 1 | 3

LO1.03: Quality control considerations | 3 |
1.03.01 Explain the principles and purposes of quality control of audit and other assurance engagements | 1 | 4
1.03.02 Analyse the features of a system of quality control relevant to a specific firm | 2 | 4
1.03.03 Design quality control procedures relevant to a specific audit engagement | 3 | 4
1.03.04 Consider whether an engagement has been performed in line with professional standards and whether reports issued are appropriate | 3 | 4

LO1.04: Planning and risk assessment | 3 |
1.04.01 Explain the need for planning an audit, the overall audit strategy and the audit plan and their relationship | 1 | 5
1.04.02 Develop the planning documentation including the audit strategy memorandum for a given scenario | 3 | 5
1.04.03 Apply knowledge to demonstrate how auditors obtain an initial understanding of the entity and its environment, including the use of preliminary analytical review procedures | 2 | 5
1.04.04 Explain the components of audit risk | 1 | 5
1.04.05 Evaluate the entity’s significant risks of material misstatements at the financial statement and assertion levels | 3 | 5
1.04.06 Identify significant account balances, classes of transactions and presentation and disclosure | 1 | 5
1.04.07 Determine the effect of fraud and misstatements on audit planning and work | 2 | 5
1.04.08 Explain the effect of laws and regulations, and non-compliance on audit planning and procedures | 1 | 5

LO1.05: Documentation | 2 |
1.05.01 Explain the need for, and importance of, audit documentation | 1 | 6
1.05.02 Explain the procedures required to pull together audit files | 1 | 6
1.05.03 Prepare the contents of audit work papers on the audit permanent and audit engagement files | 2 | 6

LO1.06: Materiality | 2 |
1.06.01 Apply materiality in the context of financial reporting and auditing | 2 |

LO1.07: Internal audit | 3 |
1.07.01 Explain the purpose of an internal audit function and the types of work undertaken | 1 | 8
1.07.02 Recommend the relevant work that internal audit could undertake in an entity | 3 | 8
1.07.03 Recommend improvements to an entity’s internal audit function | 3 | 8

LO1.08: Audit methodologies | 2 |
1.08.01 Summarise the key features of the following audit methodologies: | 1 | 5
• Risk-based auditing
• Top-down auditing
• System-based auditing
• Systems audit
• Balance sheet approach
• Transaction cycle approach
• Directional testing
1.08.02 Analyse the cost and performance efficiency of different audit methodologies | 2 | 5

LO1.09: Audit procedures | 3 |
1.09.01 Define audit sampling | 1 | 6
1.09.02 Explain the need for sampling | 1 | 6
1.09.03 Apply the basic principles of sampling and explain how the assessed risk and materiality affect sampling | 2 | 6
1.09.04 Analyse and explain the results of sampling | 2 | 6
1.09.05 Explain the importance of internal control to an auditor and the execution of tests of control | 1 | 6
1.09.06 Apply knowledge to demonstrate how an auditor identifies weaknesses in internal control systems and how those weaknesses limit the extent of an auditor’s reliance on those systems | 2 | 6
1.09.07 Determine the types of substantive procedures used (including big data analytics) and the issues in evaluating the results obtained | 2 | 6
1.09.08 Explain what is meant by analytical review and apply knowledge to demonstrate how analytical review procedures are used in an audit | 2 | 6
1.09.09 Design, in response to the assessed risk, the appropriate audit tests for: | 3 | 7
• Tangible non-current assets
• Intangible non-current assets
• Inventory
• Receivables
• Bank and cash
• Trade payables and accruals
• Non-current liabilities
• Provisions and contingencies
• Capital and other issues
• Long-term investments
• Segment information
• Revenue
• Purchases
• Wages and salaries
• Financial instruments, e.g. derivative or forward contracts
• Treasury (e.g. bank loan/facility)

1.09.10 Design, in response to the assessed risk, the appropriate procedures and relevant disclosure requirements for the audit of: | 3 | 6
• Accounting estimates
• Fair values
• Opening balances
• Comparatives
• Related party transactions

LO1.10: The confirmation procedures, follow up or alternative procedures for non-reply confirmation | 2 |
1.10.01 Apply the confirmation procedures to prepare the external confirmation requests | 2 | 6
1.10.02 Apply the follow up procedures on those replied confirmation with disagreements and apply the alternative procedures for any exceptions or non-reply confirmation | 2 | 6

LO1.11: Audit evidence | 3 |
1.11.01 Explain the procedures by which audit evidence may be obtained | 1 | 6
1.11.02 Describe the appropriateness and sufficiency (relevance and reliability) of different sources of audit evidence | 1 | 6
1.11.03 Identify the information produced by the client which is used as audit evidence and describe our work done | 1 | 6
1.11.04 Plan an approach to gathering sufficient, appropriate audit evidence | 3 | 6
1.11.05 Explain the assertions contained in the financial statements and their use in obtaining evidence | 1 | 6
1.11.06 Explain the need to modify the audit strategy and audit plan following the results of tests of control | 1 | 6
1.11.07 Illustrate why an auditor may rely on the work of others, including internal audit, experts (e.g. experts in cyber security) and service entities | 1 | 8
1.11.08 Develop procedures to make use of the work of others, including internal audit, experts and service entities | 3 | 8
1.11.09 Evaluate whether sufficient audit evidence has been obtained during the audit | 3 | 6

LO1.12: Completion procedures | 3 |
1.12.01 Evaluate whether sufficient appropriate audit evidence has been obtained during the audit | 3 | 9

1.12.02 Explain the purpose of and procedures to be used during audit completion: | 1 | 9, 11
• A subsequent events review
• A going concern review
• Obtaining written representations from management
• Review of report by component auditors to the group auditor
• Overall review of the financial statements
• Review of other published information
1.12.03 Explain the procedures required to identify and audit related party transactions | 1 | 9
1.12.04 Evaluate misstatements identified during the audit | 1 | 9
1.12.05 Explain the follow up on illegal act or fraud found while performing an audit especially in the case of money laundering or corruption | 1 | 9
1.12.06 Plan the procedures to be conducted at the completion of the audit | 3 | 9
1.12.07 Communicate with those charged with governance | 2 | 9

LO1.13: Reporting | 3 |
1.13.01 Prepare a management letter to report on internal control weaknesses and to make recommendations to overcome those weaknesses | 2 | 9
1.13.02 Communicate with management or those charged with governance | 2 | 9
1.13.03 Analyse the format and content of modified and unmodified auditor’s reports | 2 | 10
1.13.04 Recommend an appropriate audit opinion based on the audit evidence collected | 3 | 10
1.13.05 Prepare final reports for the audit | 2 | 10

LO1.14: Audits of Group Financial Statements (including the work of component auditors) | 3 |
1.14.01 Explain how consolidated financial statements are produced | 1 | 11
1.14.02 Evaluate whether a group’s control environment and control systems are effective | 3 | 11
1.14.03 Recommend control procedures that a group should implement over its operations and the preparation of consolidated financial statements | 3 | 11
1.14.04 Evaluate a potential group audit engagement for the acceptance risks it presents to the audit firm | 3 | 11
1.14.05 Consider risk of group audit in addition to a single company audit (e.g. different accounting policies) | 2 | 11
1.14.06 Prepare an audit engagement letter for a group | 2 | 11
1.14.07 Plan procedures to develop a sufficient understanding of the group, as a client, and a component auditor for audit purposes | 3 | 11

1.14.08 Recommend an appropriate planning materiality to be applied to components | 3 | 11
1.14.09 Consider the significant components and evaluate to determine the type of work to be performed on the financial information of significant components and components that are not significant | 3 | 11
1.14.10 Plan an approach to gathering sufficient appropriate audit evidence from the component auditor | 3 | 11
1.14.11 Evaluate the information collected about a group to identify the significant risks of material misstatement in the group financial statements | 3 | 11
1.14.12 Develop the group audit strategy memorandum for communication to a component auditor | 3 | 11
1.14.13 Plan the methods, timing and content of communication with those charged with corporate governance and with component auditors during the audit | 3 | 11
1.14.14 Design procedures to substantively test the group’s consolidation | 3 | 11
1.14.15 Prepare the group audit completion documents | 2 | 11
1.14.16 Recommend an appropriate audit opinion for the group, parent company and component financial statements based on the audit evidence collected | 3 | 11

PRINCIPAL LO2: EXPLAIN AND ANALYSE THE PROFESSIONAL STANDARDS AND GUIDANCE APPLICABLE TO ASSURANCE ENGAGEMENTS

LO2.01: Explain and analyse the relevant provisions of ethical standards, legislation and professional guidance | 2 |
2.01.01 Demonstrate an understanding of the fundamental auditing principles and the conceptual framework approach to auditing | 2 | 1
2.01.02 Analyse threats to compliance with the fundamental ethical principles | 2 | 1
2.01.03 Analyse the effectiveness of available safeguards | 2 | 1
2.01.04 Analyse conflicts in the application of fundamental principles for Professional Accountants in practice and in business | 2 | 1
2.01.05 Explain the importance of adherence to professional standards and guidance | 1 | 1
2.01.06 Explain the regulatory framework for assurance and non-assurance engagements in Hong Kong | 1 | 1
2.01.07 Explain the nature and purpose of assurance and non-assurance engagements | 1 | 1

PRINCIPAL LO3: EXPLAIN THE IMPORTANCE OF CORPORATE GOVERNANCE AND RISK MANAGEMENT

LO3.01: Recommend appropriate practices an entity should put in place to achieve good corporate governance | 3 |
3.01.01 Explain the roles of audit committee, auditor and management in corporate governance | 1 | 2

3.01.02 Explain the objectives, concepts, relevance and importance of corporate governance to capital markets and preventing corporate failure | 1 | 2
3.01.03 Describe the provisions of international codes of corporate governance (such as OECD) that are most relevant to auditors | 1 | 2
3.01.04 Explain corporate governance developments in Hong Kong and the structure of the Code on Corporate Governance Practices and Corporate Governance Report in Hong Kong and how these contribute to effective corporate governance | 1 | 2
3.01.05 Explain the concept of stakeholder theory in corporate governance | 1 | 2
3.01.06 Describe the corporate governance requirements as set out in the Companies Ordinance and Hong Kong Stock Exchange Listing Requirements relating to directors’ responsibilities (e.g. risk management and internal control) | 1 | 2
3.01.07 Explain the responsibilities of management within the corporate governance framework | 1 | 2
3.01.08 Analyse the structure and roles of board committees and discuss their drawbacks and limitations | 2 | 2
3.01.09 Explain an auditor’s responsibilities to consider and address corporate governance requirements | 1 | 2
3.01.10 Explain the effect of the Sarbanes-Oxley Act on Hong Kong companies and their auditors | 1 | 2
3.01.11 Evaluate the corporate governance arrangements in a given scenario and recommend improvements to address identified weaknesses | 3 | 2

PRINCIPAL LO4: EVALUATE AND ADVISE ON COMPUTERISED BUSINESS SYSTEMS AND CONTROLS

LO4.01: Evaluate and advise on computerised business systems and controls of an entity | 3 |
4.01.01 Explain how an effective IT department should be structured | 1 | 13
4.01.02 Describe the functions that should be carried out by the IT department | 1 | 13
4.01.03 Describe the contents of an IT strategy | 1 | 13
4.01.04 Explain the importance of e-commerce to a business | 1 | 13
4.01.05 Explain the characteristics of an entity operating a networked computer system | 1 | 13
4.01.06 Explain the characteristics of an entity operating with standalone PCs | 1 | 13
4.01.07 Describe examples of general and application controls | 1 | 13
4.01.08 Prepare documentation of key systems | 2 | 13
4.01.09 Analyse an entity’s controls within selected processes | 2 | 13
4.01.10 Design appropriate procedures to test the operation of an entity’s control system, including the IT environment, and the effectiveness of its cyber security safeguard | 3 | 13


Learning Outcomes    Proficiency Level    Chapter where covered
4.01.11 Evaluate the outcome of the testing of the control system to address identified weaknesses 3 13
4.01.12 Recommend IT controls that are appropriate to the entity 3 13
4.01.13 Identify and explain the effect of e-commerce on the auditor’s risk assessment and audit approach 1 13
4.01.14 Identify the knowledge and skills required to audit an entity’s e-commerce activities 1 13
4.01.15 Design effective business processes including key control activities 3 13
4.01.16 Advise on the risks relating to particular business processes 3 13


STUDY TEXT KEY FEATURES

Each of the Associate Level and Professional Module texts includes a series of pedagogical
features designed to help QP candidates better absorb the material, reach the required
proficiency levels and meet the outlined Learning Outcomes (LOs).

The aim of these features is to help students understand the content while regularly
reinforcing concepts and building the skills necessary to successfully complete each of the
modules and progress through the Associate Level, the Professional Level and the Capstone.

Each chapter includes these features:

• Chapter topic list: A succinct list of the specific topics covered in the chapter.

• Learning outcomes: Outlines the specific knowledge points covered in the chapter and
the specific skills related to each learning outcome (LO) discussed in the chapter.

• Opening case: A case study that aims to relate the material covered in the chapter
to a real-life situation. At times, this opening case may be linked to opening cases in
other chapters.

• Overview: Provides a more detailed preview of the material covered in the chapter.

• Exhibits and charts: Through illustrations and examples, exhibits and charts aim to
convey information in graphic fashion or actual examples of accounting, reporting or
calculations that are likely to be used in actual practice.

• Illustrative examples: Case studies that explore specific issues related to the chapter
topics and further understanding of the LOs.

• Apply and analyse: Exam questions with analysis provided to show how to approach
answering the question and apply what was learned from the concepts presented in
the chapter.

• Ethics in practice: Ethical discussions on issues that may arise during professional practice.

• Key learning point: A concise summary of a salient point that is key to achieving
chapter LOs.

• Knowledge check questions: A set of questions geared at furthering students’
understanding of specific topics, helping them work through problems and meet the chapter LOs.

• Summary: A list of the concepts and topics covered in the chapter in an easy-to-
review format.

• Mind map: A graphic depiction of the knowledge conveyed in the chapter to facilitate
understanding of the LOs.

• List of formulas: A compilation of the equations introduced in the chapter.

• Exam practice questions: Questions similar to those likely to be featured in the
examination paper required for each QP module.

Part A Professional Standards and Guidance

Chapter 1 Ethical Standards, Legislation, and Professional Guidance

1 Ethical Standards, Legislation, and Professional Guidance

CHAPTER TOPIC LIST

1.1 Auditing and Assurance
1.1.1 Objectives of Auditing and Assurance Services
1.1.2 Demands for Auditing and Assurance Services
1.1.3 Financial Statement Users
1.2 Auditing and Assurance Standards
1.2.1 Role of Regulators and Regulation (including Statutory Audits)
1.2.2 Hong Kong Standards and Guidelines for Auditing and Assurance
1.3 International Standards and Guidelines for Auditing and Assurance
1.4 Types of Audits
1.4.1 External Audits
1.4.2 Internal Audits


LEARNING OUTCOMES

PRINCIPAL LO2: EXPLAIN AND ANALYSE THE PROFESSIONAL STANDARDS AND GUIDANCE
APPLICABLE TO ASSURANCE ENGAGEMENTS
LO2.01: Explain and analyse the relevant provisions of ethical standards, legislation and
professional guidance
2.01.01 Demonstrate an understanding of the fundamental auditing principles and the conceptual
framework approach to auditing
2.01.02 Analyse threats to compliance with the fundamental ethical principles
2.01.03 Analyse the effectiveness of available safeguards
2.01.04 Analyse conflicts in the application of fundamental principles for Professional Accountants in
practice and in business
2.01.05 Explain the importance of adherence to professional standards and guidance
2.01.06 Explain the regulatory framework for assurance and non-assurance engagements
in Hong Kong
2.01.07 Explain the nature and purpose of assurance and non-assurance engagements


OPENING CASE

BRIEFING THE AUDIT COMMITTEE OF A NEWLY LISTED HONG KONG COMPANY

As audit engagement manager, you have been requested to advise the recently formed
Audit Committee of Keeson Inc, a newly listed company. The company has previously
been developed as a tightly held family business and its senior management have technically
advanced computing skills. None of the senior managers have experience working with
external auditors, regulators, and financial markets. They are aware of the importance of good
governance and wish to earn a good rating in the market for running their operations well. The
senior management team understands the importance of audit and is keen not to be criticised
for their financial accounting or governance.

As part of their governance structure, an Audit Committee has been appointed by
the Board to oversee the financial reporting and auditing functions. It comprises
non-executive directors and is trying to understand the nature of auditing and assurance,
what services external auditors provide, and what they, as an audit committee, can learn from
the reports and any briefings that arise from these engagements. They too have a technology
background rather than a significant history in financial or accountability matters. They say that
they value the benefits that could come from having external experts, with experience of many
other companies, consider their financial statements, their controls, and, more generally, how
they are developing their operations.

You recognise that Keeson Inc is a very promising company that is likely to require a range
of services. You have been invited to the first meeting of the Audit Committee to explain the
audit and to identify services your firm might provide to the company. At the same time, you
face the task of outlining the limits to providing those services that come from the firm being
the external auditor.


OVERVIEW

INTRODUCTION TO AUDITING
There is an increasing demand for those who are responsible for an activity to be accountable
for their performance to those parties who have a strong interest in the outcome of that
activity. The information that is provided to those interests forms part of the input to assist
in their decision making about those activities. These users of information need to have
confidence that the information provided by those responsible for the activity can be depended
upon. This demand is met in the form of ‘assurance’ reports issued by independent assurance
providers, of which members of the accountancy profession are a major example.

It is important to understand the broad concept of assurance and its role in reducing
information risk for user decision making in accountability and governance relationships.
Exhibit 1.1 provides a map for the coverage of the chapter.

[Exhibit 1.1: diagram with six elements: Objectives of auditing and assurance services; The regulatory environment; The assurance framework, standards and guidance; The needs of users; Types of engagement; Non-traditional assurance services]

EXHIBIT 1.1 The assurance environment

This chapter focuses primarily on the nature and purpose of the audit of financial
statements as a common form of assurance engagement. These engagements are subject to
statutory and professional regulation, which will be explained in this section. The chapter will
also cover some different types of assurance engagements that have developed in recent years
as different needs have emerged within the commercial and general community.

Two types of auditors, external and internal auditors, are introduced in this chapter and the
different roles both types have in the accountability and governance process are discussed.


1.1 AUDITING AND ASSURANCE

Assurance engagements can be undertaken on a broad range of financial and non-financial
information. An audit is just one form of assurance engagement, with the financial statement
audit being one of the most common and prominent forms of independent assurance
engagement. It is prominent because the external auditor’s report accompanies the financial
statements that are lodged with corporate regulators and securities exchanges.

It is also important to understand that there is a difference between external and internal
auditors. While many of the techniques and processes used by these two groups of auditors
are similar, their roles and objectives are different.

An external auditor is independent of the entity being audited and is appointed to
express an opinion on a selected subject matter. For example, an auditor appointed under
the Companies Ordinance (Chapter 622) 2014 is to report to shareholders on the company’s
financial statements. Ethical guidance on how an external auditor determines whether they
are independent is provided in the profession’s code of ethics. The Code of Ethics is discussed
further in Section 1.2.2.2.

The concept of independence as it applies to external auditors requires that there is
a clear distinction between those who are responsible for the preparation of the financial
statements (i.e. company management on behalf of those charged with governance (the
Board of Directors)) and the auditor whose role is to provide to external users an opinion on
the financial statements prepared by management/directors. The auditing and accounting
functions are therefore separate activities and the responsibility of different parties in the
accountability process.

An internal auditor undertakes examinations and reviews of the activities of the entity as a
service to the entity’s management. For example, in the context of financial statement auditing,
the internal audit function is generally regarded as part of the internal control system that
assists the management of an entity in preparing reliable financial statements. An internal audit
can, however, have a much broader mandate within an entity and provide a range of services
to management and the directors, which will be dealt with later in Section 1.4. An internal audit
can be conducted by employees of the entity or by external service providers.

1.1.1 Objectives of Auditing and Assurance Services


As a broad concept, assurance is a service that aims to reduce information risk to users
of financial and other information. It aims to provide assurance about the relevance and
representational faithfulness of information so that users can make more informed decisions.
In other words, the assurance is confirming the pertinence of the information as a basis for
the decisions to be made and the correspondence of the information being reported to what
is transpiring. The preparer is making actual or implied assertions about the information being
made available and the assuring party is providing an independent opinion on those assertions
based on appropriate evidence gathered. An audit should assist the reader or user of a
document in determining how much trust they should place in the information that is being
presented to them.


1.1.1.1 Framework for Assurance Engagements


To understand an audit as one form of assurance engagement, it is important to consider the
Hong Kong Framework (Amended) for Assurance Engagements (Framework) issued by the Hong
Kong Institute of Certified Public Accountants. While this document does not mandate any
requirements for the performance of assurance engagements, it provides the framework for
the development of auditing standards and standards for other assurance services that do
establish such requirements.

Paragraphs 10 and 11 of the Framework define an assurance engagement as:

‘. . . an engagement in which a practitioner aims to obtain sufficient appropriate
evidence in order to express a conclusion designed to enhance the degree of confidence
of the intended users other than the responsible party about the outcome of the
measurement or evaluation of the underlying subject matter against criteria.

The outcome of the measurement or evaluation of the underlying subject matter is the
information that results from applying the criteria to the underlying subject matter’.

Paragraphs 22 and 26 of the Framework identify the following preconditions and elements
for an assurance engagement (Exhibit 1.2):

• A three-party relationship involving an assurance practitioner, a responsible party, being
those who are responsible for accounting for their performance, and an intended user
of the information. The role and responsibilities of these parties should be suitable in
the circumstances such that the engagement serves that accountability relationship.

• Appropriate underlying subject matter. This is the activity or area for which the
responsible party is accountable. Information on the subject matter can be qualitative,
quantitative, historical, and prospective, at a point in time or for a period.

• Suitable criteria as a benchmark for recognising, measuring, and presenting the subject
matter. They need to be suitable to the engagement circumstances. The criteria in
a specific engagement should be available to the intended users to facilitate their
effective use of the subject matter information.

• Sufficient appropriate evidence to support a conclusion as to whether the subject matter
is free of material misstatement. The approach to the planning and performance of
the engagement involves an attitude of professional scepticism involving a critical
assessment of the evidence obtained. It involves applying professional judgement in
considering materiality and determining the nature, timing, and extent of procedures to
obtain the evidence.

[Exhibit 1.2: diagram of the assurance framework with five elements:
Three-party relationship - Information preparers, users/potential users and the assurance provider
A subject matter and information - Matter to be addressed and assertions therein
Criteria - Prepared in accordance with an applicable framework
Sufficient audit evidence - Gathered by applying assurance principles and procedures
Written report - Assurance provider’s independent opinion]

EXHIBIT 1.2 The assurance framework


• A written report containing the practitioner’s conclusion after doing the work required
within the context of a specific type of assurance engagement. The form of the report
is to be appropriate in a reasonable assurance engagement or a limited assurance
engagement.

Assurance engagements can be undertaken on a range of different subject matters that
include, but may not be limited to:

1. Historical financial performance in financial statements,

2. Prospective financial information such as forecasts contained in due diligence or share
offer documents,

3. Adequacy and effectiveness of systems of internal control and IT systems,

4. Physical characteristics such as the capacity of a facility,

5. Compliance with legislation,

6. Greenhouse gas emissions, and

7. The efficiency and effectiveness of the use of an entity’s resources.

This range of subject matter has led to the development of a range of different types of
audit, such as compliance, performance, and comprehensive and social responsibility audits.
These will be addressed later in this chapter.

Apply and Analyse 1


Now consider the situation where the audit committee of Keeson Inc indicates that it has
a short-term concern about the preparation of the first set of financial statements for the
company. They want to know if you can assist in such preparation until all the planned
accounting staffing is hired over the next two years. They would want any of your firm’s
staff working on the financial statements to be separated from the external audit function
and to report to the CFO.

Explain how you would assist the Audit Committee with its request.

Analysis

The audit committee should be advised that, as the audit is to be carried out under the
Companies Ordinance, in accordance with HKICPA standards and being mindful of HKEX
requirements, preparation of the financial statements is the responsibility of the
directors of the company. The external auditor must remain independent of the company
and is to report to users. It is thus not possible for the auditor to assist in the preparation
of the financial statements on which they are reporting.

1.1.1.2 An Audit Assurance Engagement


The focus in this section is on the auditing standards developed under the Framework
described above and as applied to the audit of financial statements. These standards identify the
objective of a financial statement audit and the auditor’s responsibilities when conducting such
an audit. The underlying concept is more broadly discussed in Section 1.4.1 as the basis for
understanding the concepts and standards of auditing covered in later modules.

The elements of the Framework are satisfied for a financial statement audit in the
following manner:

• Three party relationship. For audits under the Companies Ordinance there will be the
company directors (responsible party), the company shareholders, creditors and other
third parties (intended users of the financial statements), and the auditor (assurance
practitioner) appointed by, and reporting to, the shareholders. [Framework 27–38]

• Appropriate underlying subject matter. Financial statements showing the entity’s financial
position, financial performance, and cash flows will be the subject matter and will
provide information. [Framework 39–41]

• Suitable criteria. The criteria will come from the applicable financial reporting framework
relevant to the entity and its business. For example, they will come from the Hong Kong
Financial Reporting Standards and Regulations that are to be complied with when
preparing the financial statements under the Companies Ordinance. [Framework 42–49]

• Sufficient appropriate audit evidence. The audit principles and procedures applied by the
auditor in accordance with auditing standards will allow the auditor to obtain sufficient
appropriate audit evidence as to whether the financial statements are prepared in
accordance with the applicable financial reporting framework. [Framework 50–82]

• Written report. The auditor’s written conclusion/opinion will be provided in the auditor’s
report on whether the financial statements have been prepared in accordance with the
applicable reporting framework. [Framework 83–92]

This relationship is summarised in HKSA 200 Overall Objectives of the Independent Auditor
and the Conduct of an Audit in Accordance with Hong Kong Auditing Standards, paragraph 3:

‘The purpose of an audit is to enhance the degree of confidence of intended users in the
financial statements. This is achieved by the expression of an opinion by the auditor on
whether the financial statements are prepared in all material respects in accordance with
an applicable financial reporting framework’.

1.1.1.3 Attest and Direct Reporting Audits


An audit can either be an ‘attest’ or a ‘direct’ reporting engagement.

In paragraph 12 of the Assurance Framework, an attest engagement is described as an
engagement where a party other than the auditor measures or evaluates the subject matter
against the criteria and then presents the information in a written report, that is, as a written
assertion. The auditor then issues a report/opinion as to the appropriateness of that assertion.
The auditor’s report/opinion enhances the credibility of the assertion.

In paragraph 13 of the Framework, a direct engagement is where a party other than the
auditor retains responsibility for the subject matter, but the auditor measures or evaluates the
underlying subject matter against the criteria. The auditor obtains sufficient appropriate evidence
about the outcome of the measurement or evaluation and reports that information and opinion
directly in the auditor’s report. The responsible party does not make a written assertion on the
subject matter. An example could be an auditor reporting on the compliance of a company with a
set of regulations without management/directors having asserted anything in writing.


In most cases, a financial statement audit is an attest audit. This is the case under the
Companies Ordinance where the company’s financial statements are prepared and presented
by the directors, along with a report by the directors that the financial statements have been
prepared as required by the Companies Ordinance, that is, a written assertion.

1.1.1.4 Level of Assurance


To this point it has been assumed that all assurance engagements provide the intended users
with the same level of enhanced credibility with respect to the subject matter on which the
assurance provider has issued a report/opinion. However, the Framework identifies two levels
of assurance and assurance engagements:

• Reasonable

• Limited

The objective when designing a reasonable assurance engagement is to reduce the
assurance engagement risk, that is, the risk that the assurance provider expresses an
inappropriate conclusion on the subject matter, to an acceptably low level in the circumstances
of the engagement. [Framework 14] In the case of a financial statement audit, the audit objective
is to reduce the risk of not detecting a material misstatement in the financial statements. A risk of
material misstatement exists if there is a reasonable possibility of a misstatement occurring
(likelihood) and of it being material if it does occur (magnitude). Reasonable assurance is
communicated as a positive expression of opinion. [Framework 84] For example,
under the Companies Ordinance the auditor expresses the opinion that the financial statements
are ‘true and fair in accordance with the financial reporting framework’.

The HKICPA Glossary (Clarified) of Terms Relating to Hong Kong Standards on Quality Control,
Auditing, Review, Other Assurance Related Services and Framework identify reasonable assurance
as a high, but not absolute level of assurance. This is the highest level of assurance provided by
an auditor and the level of assurance generally associated with an audit engagement. [HKSA 200.5]

An audit does not provide absolute assurance. While the auditor plans and conducts an
audit to obtain sufficient appropriate evidence on which to base the opinion, much of that
evidence is persuasive rather than conclusive, as there are inherent limitations to an audit.
For example:

• The auditor applies professional judgement in identifying the risks that the subject
matter is materially misstated, selecting the appropriate procedures to apply in the
circumstances and interpreting the evidence gathered during the audit process.

• The audit process generally involves the use of sampling techniques to limit the number
of transactions and events tested. It is often impracticable to test all transactions or
circumstances. The potential for misstatement (sampling error) exists if the entire
population is not tested in this way.

• In many situations the nature of the subject matter involves estimates and judgements
by the responsible party. Corroborative evidence is limited.

• The nature of fraud, which may involve collusion, deception, and attempts to conceal,
means that it may not be detected, even if an audit has been appropriately conducted
and due diligence applied.

• There are inherent limitations to control systems within entities. For example, systems
may fail due to human error or when inappropriately overridden.


Therefore, in a financial statement audit, reasonable assurance is the degree of satisfaction
that the evidence obtained by the auditor supports the assertions implicit in the financial
statements; that is, the auditor is sufficiently confident that the financial statements are not
materially misstated. This is conveyed to users in the audit opinion accompanying the financial
statements.

Apply and Analyse 2


Consider, for example, the situation where you have heard the Chair of the Audit
Committee of Keeson Inc say on several occasions that he wants to be sure their financial
statements are correct and free from error. The Audit Committee has responded by
wanting to set a very low bar for materiality for the preparation of financial statements.
If anything is missed by the company, they have expressed the hope that the external
auditor would then find it.

Explain what is implicit in the thinking of the Chair and Audit Committee. Describe how
you would advise the Audit Committee on this matter.

Analysis

Implicit in this view is a misunderstanding by the Audit Committee of the concept of
reasonable assurance. They need to understand that there are limits to the financial
statements that come from volume and complexity. The preparer needs to make many
judgements and have in place systems that capture as much relevant data as possible. The
Audit Committee also needs to understand the notion of ‘reasonable assurance’ from both
an auditor’s perspective and as a preparer, and that there are inherent limitations to the
audit process and that the audit opinion does not provide an absolute level of assurance
that no fraud or error has occurred.

Limited assurance engagements involve situations in which the level of risk of an
inappropriate conclusion is greater than for a reasonable assurance engagement and therefore
the level of assurance provided by the assurance provider cannot be as great. These
engagements are generally referred to as review engagements. The auditor will use audit
expertise and apply fewer audit procedures, primarily enquiry and analytical procedures, and
any knowledge gained from any previous engagements with the client entity. This results in less
evidence being obtained on which to form an opinion. [Framework 15, 16] The auditor reports in
the form of a negative expression of opinion; for example, the auditor has carried out a review of
the financial statements, but nothing has come to the auditor’s attention to indicate that those
statements are not true and fair in accordance with the accounting framework. This is also known as
negative assurance. [Framework 86]

Limited assurance engagements typically involve some practical constraint that precludes
the conduct of a full audit. A common example of the subject of such an engagement is an
interim set of financial reports. Such reports are more limited in content than full financial
statements and the timeliness of their issuance is considered critical. The auditor brings
audit-based knowledge to such an engagement but sets out only to provide limited assurance.
The design of the engagement is decided by the auditor.

Not all engagements undertaken by individuals or firms that commonly provide assurance
services are in fact assurance engagements. One such engagement is an
agreed-upon-procedures engagement. These engagements are covered by related services standard
HKSRS 400 (Revised) Engagements to Perform Agreed-Upon Procedures Regarding Financial
Information.

The practitioner applies procedures to which the auditor and entity, and any applicable
third party, have agreed, and that might be used in an audit of a specific subject matter.

For example, a client may have concerns about the fact that some items of equipment are
missing or that the asset records are not accurate. They may ask the auditor to undertake some
procedures in this area and request the following procedures be undertaken, and the auditor
agrees to perform those procedures and report the outcome:

• Check the addition of the asset register and compare the amount to the general
ledger account.

• Check that the asset register has recorded the bar code attached to each asset.

• Select a sample of assets from the asset register and physically sight those assets and
check that the bar code corresponds to the asset register recording.

• Select a random sample of physical assets and check that they are recorded correctly in
the asset register.

• Select a random sample of assets and verify the amount recorded in the asset register
against the original purchase invoice.

• Select a random sample of assets and check the depreciation calculation and the
recording of that amount in the accounting records.

The report provides the client with the factual findings from applying those procedures, but
does not offer a conclusion in the same way as they would for an audit. The client interprets
the factual findings in the context of their business and draws their own conclusions. A report
might find that some items of office equipment are missing from an entity when an assurance
practitioner applies the agreed procedures to an asset register. An entity’s management will
need to interpret those results and decide whether the findings need further investigation for
employee fraud or the accounting controls over their asset recording.

The user therefore derives their own assurance from the information provided. No
assurance is provided by the auditor as the independence requirements of the profession are
not met given that the auditor agrees the procedures with the entity/user rather than having
the ability to determine the nature, timing, and extent of the procedures that they might
require to be able to provide assurance.

Preparation of tax returns and consulting engagements are not assurance engagements
even though the client may take comfort from having a tax expert handle the assignment.


Apply and Analyse 3


Understanding that there are a number of potential assurance and non-assurance
engagements that can be provided by an auditor, consider the following in relation
to Keeson Inc. The Board has asked the Audit Committee to request that the external
auditor checks the number of patent applications lodged (granted and pending) and their
correspondence to the company’s register of contracts with co-venturers necessarily
involved in such applications. They are concerned that the application process may have
advanced more quickly than the formal contracting with those co-venturers.

Describe and explain the options that exist for an engagement to be undertaken to
assist with the above issue.

Analysis

The most likely type of engagement that could be entered into with Keeson Inc would
be an agreed-upon-procedures assignment. However, the Audit Committee needs
to understand that this engagement will report factually on what was discovered and it
will provide no assurance about the state of the register and its correspondence with
applications lodged. For example, the Auditor might report that it tested a selection
of applications received from the client against the register and found that 5 were not
recorded as at the time of checking. The Audit Committee might then wish to have more
work done by its staff on the register.

Another option would be to undertake a direct assurance review engagement in which
limited assurance would be provided. The auditor could apply limited audit procedures
and report whether anything was found to indicate that the register was inadequate. Given
the concerns of the client in the first place, it is likely that some limitations in the register
will be found and, given the limited procedures applied in a review engagement, the
auditor’s findings may be of limited use.

The third option is to do a direct audit of the register in which all relevant aspects of
the register are subject to a full-scale audit in which the auditor would form an opinion
on the implicit assertion that the register was complete and entered on a timely basis.
However, this may be too costly for the benefit sought by the client in this case.

In summary, a financial statement audit is therefore an engagement where the objective is
to provide a positive expression of opinion that provides a reasonable level of assurance about
the financial statement preparer’s assertion that the financial statements are true and fair
in accordance with the applicable financial reporting framework, in order to enhance the
credibility of that assertion for the users of the financial statements.

A review engagement is one in which the auditor is to provide a negative assurance opinion
that provides only limited assurance. The scope of the engagement is still determined by
the auditor but the auditor gathers less audit evidence and so is constrained in the form of
opinion expressed.


Exhibit 1.3 provides a view of the possible engagements.

[Exhibit 1.3 diagram: Engagements divide into Assurance and Non-assurance. Assurance engagements are either Attest or Direct, and each can give Reasonable assurance or Limited assurance. Non-assurance engagements (e.g. account preparation) give No assurance.]

EXHIBIT 1.3 Forms of engagement/levels of assurance

Given the array of possible engagements, it is fundamental to the acceptance of an
engagement that the nature of the engagement is clear as to what degree of assurance can or
cannot be provided.

1.1.1.5 Differences Between Auditing, Accounts Preparation, and External and Internal Auditors

Accountability involves a relationship in which one party is responsible for its actions in
relation to a matter and is to report to another party, internal or external to the entity, as to its
performance in relation to that matter.

In the context of financial reporting under the Companies Ordinance, it is the responsibility
of the directors to provide information to the shareholders to assist shareholders in making
informed judgements about the financial position and performance of the company.

It is important to distinguish the different functions of the participants in that relationship.
There needs to be a clear distinction between the preparers of the financial statements and the
auditor, and between the role of external and internal auditors.

The responsibility for the preparation of financial statements rests with the directors/
management of a company as they have an accountability relationship with the shareholders.
It is the role of the independent external auditor to enhance the degree of confidence of the
shareholders that the financial statements have been prepared in accordance with the
applicable financial reporting framework for use in their decision making (Exhibit 1.4).

The financial statements issued by a company are in effect a summary of all the
transactions and events that have occurred in the past and during the relevant reporting
period, that determine its financial position and performance, and that are presented in
accordance with the applicable financial reporting framework. This framework for companies
comprises accounting standards issued for the preparation of general purpose financial
statements or special purpose financial statements, and any requirements required under the
Companies Ordinance.


[Exhibit 1.4 flowchart, two columns leading to one outcome]

Management:

• Transactions and events

• Process, systems and internal control structure to record transactions and events

• Summarise accounting data

• Assertions and representations in the form of financial statements in accordance with applicable accounting framework

Independent auditor:

• Audit process and procedures to gather evidence on which to form a conclusion whether the financial statements are in accordance with applicable financial reporting framework

• Issue audit report to enhance confidence in the assertions and representations in the financial statement

Outcome: Financial report and auditor’s report distributed to shareholders and available to other third-party users

EXHIBIT 1.4 Accounts preparation and audit responsibility

The accounts preparation process involves the company’s accountant, management,
and directors preparing the financial statements from the accounting data contained in
the underlying accounting records, including judgements and estimates where necessary.
Embodied in the financial statements produced in the accounts preparation process are several
assertions that are generally recognised in accounting. In relation to classes of transactions and
events within the period under audit, these assertions are:

• Occurrence. The recorded or disclosed transactions and events have taken place and
relate to the company.

• Completeness. All the transactions and events that should have been recorded have
been recorded, and all related disclosures that should have been included in the
financial statements have been included.

• Accuracy. The transactions and events have been recorded at the appropriate amounts
and related data has been appropriately documented, and related disclosures have
been appropriately measured and described.

• Cut-off. Transactions and events have been recorded in the correct accounting period.

• Classification. The transactions and events have been recorded in the proper accounts.

• Presentation. Transactions and events are appropriately aggregated or disaggregated
and clearly described, and related disclosures are relevant and understandable in the
context of the requirements of the applicable financial reporting framework.


In addition, the account balances and related disclosures at the end of the accounting
period include similar assertions:

• Existence. The recorded assets, liabilities, and equity interests exist.

• Rights and obligations. The entity holds or controls the rights to assets, and liabilities are
the obligations of the entity.

• Completeness. All assets, liabilities, and equity interests have been recorded and all
related disclosures included.

• Accuracy, valuation, and allocation. The financial statements include all assets, liabilities,
and equity interests at appropriate amounts, including the recording of any valuation or
allocation adjustments, and there is appropriate disclosure.

• Presentation. Assets, liabilities and equity interests are appropriately aggregated
or disaggregated and clearly described, and related disclosures are relevant and
understandable in the context of the requirements of the applicable financial reporting
framework.

• Classification. Assets, liabilities, and equity have been recorded in the proper accounts. (HKSA 315.A190)

Accounts preparation is therefore the responsibility of the directors/management to:

• Establish a process, system, and internal control structure to record the transactions
and events of the company during the appropriate accounting period;

• Summarise the accounting data, maintain adequate accounting records, and
prepare financial statements in accordance with the applicable financial reporting
framework; and

• Present those financial statements to shareholders and other users who have a
vested interest in the company to assist in their decision-making process relating to
the company.

As previously stated, the financial statements are a series of assertions and representations
by the directors/management about the financial position and results of the company.

The independent external auditor is therefore providing an attestation function through the
process of assessing the risk that the assertions and representations in the financial statements
are not in accordance with the relevant financial reporting framework. To achieve this, external
auditors apply a process of gathering evidence about the assertions, evaluating that evidence,
and communicating their conclusion through their audit report as to whether in their opinion
the financial statements present a true and fair view in accordance with the applicable financial
reporting framework.

This therefore fulfils their role in the accountability process of improving the degree of
confidence as to the assertions and representations contained in the financial statements,
thereby enhancing the degree of confidence of the users of financial statements that those
statements have been prepared in accordance with the relevant financial reporting framework.

It is not possible to provide an independent opinion and also to be part of the preparation
and control functions of the party being audited.

As indicated above, it is also important to distinguish different types of auditors involved
in the assurance process. In addition to the external audit function, there is another key audit
function that often exists within the accountability process, i.e. internal audit.


Internal audit is defined in Hong Kong Auditing Standard HKSA 610 (Revised 2013) Using the
Work of Internal Auditors and Related Conforming Amendments, paragraph 14(a) as:

‘A function of an entity that performs assurance and consulting activities designed to
evaluate and improve the effectiveness of the entity’s governance, risk management and
internal control processes’.

There are three broad areas in which an internal audit could assist an entity:

• Assessing whether the entity achieves its objectives in areas such as ethics, values,
performance management and accountability, communication in relation to risk within
the entity, and communication with external parties such as the external auditor.

• Identification and evaluation of significant exposure to risk and contributing to
improving risk management and internal control, including systems relating to the
financial reporting process and fraud detection.

• Evaluation of internal control by reviewing the control systems and evaluating their
operation and making recommendations for improvement, in effect providing
assurance on controls. (HKSA 610.A1)

HKSA 610 also recognises that the internal audit mandate within an entity could include
examination of financial and operating information produced within an entity, including detailed
testing of transactions and financial statement balances. It also indicates that the internal function
could be involved in the review of the economy, efficiency and effectiveness of an entity’s operating
activities, and compliance with laws and regulations. However, at this point the internal audit is to
be addressed from the viewpoint of the external financial statement auditor. The broader view of
the internal audit in the governance activities of an entity is discussed further in Section 1.4.

Therefore, putting aside the nature of the range of activities that an external auditor and
internal auditor may undertake, the fundamental distinction between these auditors is their
role and status in the accountability process.

The internal audit function is undertaken as part of the accountability, internal control, and
governance processes within an entity in order to assist the entity to meet its objectives. It is
established within an entity by the management and its mandate and specific activities are
determined by the entity. Internal auditors are either employees of the entity or firms who
have been subcontracted by the entity to undertake the function as directed by the entity.
An internal auditor reports to senior levels of management to assist management to meet
its objectives. The internal auditor is therefore an integral part of an entity’s organisational
structure and is accountable to the management of the entity. An entity is not required to have
an internal audit function; it is a decision by the management as to whether to establish the
internal audit function and to establish the nature and scope of its activities within the entity.

The distinction between an external and internal audit is clearly demonstrated by
HKSA 610, which is primarily developed from a financial statement audit context, but the
principles are generic.

This auditing standard recognises that the external auditor can use the work of the
internal auditor to modify the nature, timing, and extent of the external auditor’s procedures
to be performed as part of the evidence gathering process. This can be done either by the
external auditor:

• Using the work of an internal auditor, for example where an internal audit has tested
the operating effectiveness of the internal controls over the accounting system and
accounts preparation process, the external auditor could reduce the extent of audit
testing of the controls.

• Using internal audit personnel to provide direct assistance by performing audit
procedures under the direction, supervision, and review of the external auditor. (HKSA 610.8–9)

In either of these circumstances the external auditor must undertake procedures to review and
evaluate the work of the internal auditor to ensure that it is adequate and therefore appropriate to
be relied upon as part of the external auditor’s evidence gathering process. (HKSA 610.15)

The external auditor remains responsible for the audit report issued and cannot reduce
that responsibility by using the work of an entity’s internal auditor. While the status of internal
audit in the organisational structure should be established in such a way that it ensures that the
internal auditor is independent of the activities and information that it audits within the entity,
and be objective and competent in undertaking its work, the internal auditor does not achieve
the ‘arm’s length’ level of independence from the entity that is required of the external auditor.

For example, arising from a risk assessment by an entity’s internal auditor, the collection
of accounts receivable was identified as a matter to be addressed. The internal audit plan
therefore included procedures to assess the credit management policy, apply audit procedures
to test the billing and collection systems and controls, review and test the procedures for
dealing with overdue accounts, and reconcile the accounts receivable ledger with the general
ledger. The internal auditor issued a report to management on the outcome, including
recommendations for improvement.

While these are procedures that the external auditor would undertake as part of the
external audit process, the external auditor cannot directly substitute this work for what is
required for the purpose of the external audit. However, the auditor could review the work
done by internal audit and, if that work is deemed to be of appropriate scope and quality and
provides evidence that the accounts receivable system and controls were functioning properly,
reduce, but not eliminate, the nature and extent of the audit work in this area.

Apply and Analyse 4


It is important that the role of the internal and external audit is clearly understood by
management. The Audit Committee of Keeson Inc has asked whether an internal audit
function should be established or whether it should be outsourced to your firm. Generally,
they are concerned about their knowledge of the various laws and regulations impacting
listed entities. They want to know if, as external auditor, you can ‘keep them on track’
in all such matters. The Audit Committee recognises that the family behind Keeson
Inc will face many adjustments, including learning how to keep personal and company
matters separate.

Analyse the types of engagement that the company might need in relation to the above
and advise whether your firm could provide them. Your firm has a good deal of relevant
expertise to draw upon, but you are the external auditor.

Analysis

Implicitly, the concerns of the Audit Committee reveal that they do not have a clear
distinction in their minds between the roles of an external and internal audit. They also do
not seem to see how the issues relate to internal control. The company is responsible for
having an internal control system in place that minimises the risk of non-compliance with
laws and regulations. That system also needs to contain checks and balances that minimise
the risks of business and private interests being mixed. Whilst your firm could assist by
providing audit, review, or agreed-upon procedure engagements in the areas of concern,
and can provide feedback in the light of audit findings, the firm cannot become part of the
internal control system.

1.1.2 Demands for Auditing and Assurance Services


The demand for auditing and assurance services derives from the accountability/governance
relationship that exists between individuals, entities, and those that they interact with or have
an obligation to pursue established objectives. That accountability relationship usually generates
a requirement that the responsible party provide information as to their performance to those
with an interest in the outcome of that relationship. The users of that information require some
assurance as to its relevance (i.e. pertinence to purpose) and representational faithfulness (the
information does cover what it purports to) as an input into their decision making about that
relationship.

The need for credibility that is provided by the auditing and assurance function arises
because the users of that performance information are not able to, or do not have the
expertise to, either obtain or produce that information directly, nor assess whether it has been
properly prepared and presented. It is also the case that accountability relationships exist
in situations where the subject matter of the relationship covers financial and non-financial
information. Many users will not have the expertise to conclude on the quality of the
information.

There are also limitations imposed by cost, legal, and time variables that prevent users
from assessing the quality of information.

Also, inherent in a process where one party delegates responsibility to another to act
on their behalf, or in accordance with specified requirements or user expectations, is the
possibility of bias in the information produced. The responsible party has, or may be perceived
as having, a vested interest in preparing information to present a preferred outcome.
Where the user of that information intends to use it in making decisions, the quality of that
information is particularly relevant.

These features of such relationships therefore create a demand for the independent
audit and assurance function to enhance the credibility of the information provided by the
responsible party about its performance to the users of that information.

The demands for information on an increasing range of subject matter are widening the
demand for assurance services. Users of information are concerned that it is relevant and
representationally faithful for their decision making. The increasing demand for assurance
services beyond the financial statement audit arises because of the broad range of subject
matter on which assurance is sought, a more diverse group of users, and an increasing number
of potential users with a range of different interests.


The variables can also influence the level of assurance that users require. Depending on
the significance of the information to the users in their decision-making process, the demand
for assurance can be at the review or audit level. A higher level of credibility will attach to the
information when an audit is undertaken than for a review engagement.

In many jurisdictions this demand is reflected in legislation where public policy and the
public interest require that audit and assurance be mandated, for example the Companies
Ordinance. The legislative imposition of audit and assurance over the accountability and
governance process reflects the variables in a formal manner.

Further consideration of audits under the Companies Ordinance illustrates the rationale
for the demand for audit. The same principles apply to the demand for assurance on other
subject matter.

The demand for audits under the Companies Ordinance arises because of the separation
of the Board of Directors and investors, and the existence of other third parties who interact
with the company. The shareholders and other users of the company’s financial statements
want to be confident that the information they are using in their decision making is reliable and
prepared in accordance with the benchmark established for this information, i.e. accounting
standards and other regulations required by the Companies Ordinance.

In addition, there is a broad economic policy issue that is also important, and that is that
capital markets need to have timely and equitably accessible information for decision making;
otherwise parties with private information can profit at the expense of others. Audited financial
statements help facilitate enhanced resource allocation decisions in capital markets by
supporting improved decision making by users of the financial statements.

Furthermore, the demand for statutory audits reflects a view that audit impacts corporate
conduct. Company management and other company personnel are less likely to attempt to
provide misleading information knowing that it will be subject to an independent audit.

Further consideration of these factors in the context of a financial statement audit
illustrates the rationale for the demand for this service.

The process of converting the data about individual transactions and events into
information from which to prepare financial statements is complex. Financial statements are
prepared in accordance with accounting standards and, if under statute, other regulatory
requirements. While this may reduce the bias of the preparers of financial statements by
directing how information is prepared and presented, most financial statement users do not
have the access or expertise to be satisfied that these criteria have been appropriately applied.
In this sense, users of financial statements therefore require the auditor, as an expert in the
subject matter, to provide assurance. Users value the fact that the auditor’s report comes from
an expert in the subject matter and in the auditing processes required.

In summary, and applying this specific rationale more broadly, the demand for assurance
services arises where information is provided for decision making or accountability and the
user has not directly prepared the information or cannot be satisfied as to its credibility
through their own efforts. The quality of that information is provided by an independent
assurance service report to the user on the credibility of that information measured against an
appropriate benchmark.


The demand for assurance services beyond the financial statement audits reflects the fact
that assurance is sought on a broad range of subject matter beyond financial information by a
more diverse group of users and potential users.

1.1.3 Financial Statement Users


Depending on the type of entity preparing financial statements, the range of users and their
need for financial statements can vary. In the case of companies, there is a diverse range of
potential users, for example:

• Existing and potential shareholders

• Creditors

• Suppliers

• Customers

• Bankers and other financial/lending institutions

• Employees

• Regulatory and taxation agencies

• Government

All of these groups may use financial statements as input into their decision making about
the company, current and future dealings, and compliance with statutory requirements.
Governments may also formulate policy based on such statements.

For example, individuals and entities that have shares in companies are the owners of
those companies. Shareholders invest in companies with the expectation that the investment
will prove beneficial in terms of returns via dividends from profits or increases in the value
of those shares. Financial statements provide current shareholders with information about
the company’s financial position and performance, which informs their decisions about what
actions to take in relation to their shareholding and the management of the company; for example,
the election of directors. Potential shareholders use the information as input into their decision to buy shares
in the company.

Other parties that transact with companies also have a vested interest that the entity meets
its obligations. For example, banks and other financial institutions use financial statements to
assess whether a company is meeting its contractual obligations under loan agreements or as
information that forms part of their decision-making process as to the extent of lending, terms
and conditions, and interest rates.

Suppliers of goods and services to a company may use the financial statements as an input
into their credit risk assessment and decision to transact with the company.

Governments are also concerned that the corporate sector is an efficient component of
the broader economy and financial statements facilitate an informed capital market. Taxation
authorities may use financial statements as part of the information for assessing a company’s
tax affairs.

Employees and unions may use financial statements to make decisions in relation to
negotiations relating to employee wages and conditions.


The directors have a specific obligation to be accountable for their stewardship of the resources
under their control and to report the outcome of that stewardship periodically. Users expect that
this information is free from bias, which drives the demand for financial statement audits.

The auditor remains neutral in terms of meeting the needs of different financial statement
users. Company financial statements are prepared in accordance with a defined body of
accounting standards and any regulatory requirements relevant to the company’s status under
the Companies Ordinance. It is the auditor’s responsibility to provide an opinion as to whether
the reporting criteria have been appropriately applied. The auditor remains neutral as to
whether the reporting framework meets the differing needs of all users.

Nevertheless, it is also important that auditors understand the identity of the users, or
potential users, of the financial statements and their audit report. Shareholders, and in some
circumstances third parties, who can demonstrate reliance on audited financial statements in their
decision making, and who suffered financial loss due to that reliance, could take legal action against the
auditor. If it is proven that the auditor’s opinion was inappropriate in the circumstances, and the
auditor has breached a duty of care, the users could take legal action to recover those losses.

These liabilities can arise from:

• Contract law, for example where the auditor has in effect entered into a contract
with a company on behalf of the shareholders, with a consequent duty to apply due
professional skill and care.

• Common law, based on court decisions relating to negligence.

• Statute, where the audit is undertaken pursuant to legislation.

This feature of the auditor/user relationship may provide a further indirect factor in
explaining the demand for audit services. Often referred to as the ‘deep pocket theory’, the fact
that financial statement users may have recourse to recover losses from the auditor is a further
factor that gives users added comfort in relation to the audit function.

However, financial statements provide information about management and the directors’
performance, which is useful to a range of users, and the need for that information to be
credible is the primary driver of the demand for financial statement audits.

Knowledge Check Questions

Question 1
Identify and explain how the elements of an assurance engagement are to be found in an
audit of financial statements.

Question 2
Define assurance and explain the difference between reasonable and limited assurance.

Question 3
Identify which of the following is not a feature of an agreed-upon procedures engagement.
A The nature, timing, and extent of procedures is determined by the engaging party.
B The sufficiency and appropriateness of evidence is assessed by the assurance practitioner.
C No conclusion or assurance is provided.
D The report includes details of the nature, timing, and extent of procedures performed.


Question 4
Compare the role that financial statement assertions play from a management and audit
perspective in the preparation and audit of financial statements.

Question 5
Identify which of the following describe how the concepts of audit and assurance are
connected.
A An audit and assurance engagement are identical.
B An assurance engagement is one category of audit.
C An audit is one form of assurance engagement.
D An assurance engagement provides a higher level of assurance than an audit.

Question 6
Identify which of the following describes how the company financial statement audit is
useful to users of the audited financial statements.
A The auditor is providing assurance that the company is a sound investment.
B Assurance is provided that no fraud has occurred.
C The information value of the financial statements for decision making has
been enhanced.
D The auditor is providing assurance that management has operated the company
efficiently.

1.2 AUDITING AND ASSURANCE STANDARDS

1.2.1 Role of Regulators and Regulation (including Statutory Audits)


In most jurisdictions regulatory policy and regulatory agencies increasingly shape the structure
and conduct of economic activity. Regulation, generally in the form of legislation, affects the
way in which participants in an activity perform. It influences the basis of decision making and
mandates that certain events occur. In substance, regulation reflects an implicit formal contract
between participants and society.

For companies, regulation impacts the conduct of their business and relationships with
various other groups. In the context of corporate governance and accountability, it mandates
requirements for the company and professionals associated with them. The role of regulatory
agencies complements the regulation in terms of implementation and enforcement.

Regulation and regulatory agencies can be either initiatives of government or self-regulation
by those involved in the activity.


In the case of corporate financial reporting and auditing requirements, the primary
government regulation is found in the Companies Ordinance. The main statutory regulatory
bodies are:

• The Securities and Futures Commission of Hong Kong (SFC)

• The Stock Exchange of Hong Kong (HKEX)

In addition, the HKICPA is a professional accounting organisation of Hong Kong. It is
the only statutory licensing body of accountants in Hong Kong responsible for the professional
training, development, and regulation of the accountancy profession.

The following briefly explains the role of these regulatory bodies:

• The HKICPA was incorporated by the Professional Accountants Ordinance (Cap.50)
(PAO) of the laws of Hong Kong. The PAO was implemented to establish the HKICPA
to provide for the registration and control of the accountancy profession. Under the
PAO, the HKICPA is the statutory body licensed by law to register and grant practising
certificates to Certified Public Accountants (CPAs). It is responsible for the regulation
of the accountancy profession by regulating the conduct of its members and setting
codes of ethics and auditing and accounting standards. It also regulates entry to the
profession and continuing education programmes. The HKICPA also has a disciplinary
process whereby allegations of misconduct by members are investigated. If proven,
sanctions are applied, for example removal of membership, cancellation of practising
certificates, and fines.

• The SFC is an independent statutory body established under the Securities and Futures
Ordinance (SFO). The regulatory objectives of the SFC include the development and
maintenance of a competitive, efficient, fair, orderly, and transparent securities market
and to provide protection for the investing public. One of the groups regulated by the SFC
is listed companies. One aspect of this regulation is surveillance of companies to enquire
into suspected inappropriate transactions and the provision of false or misleading
information, as well as reviews to identify corporate misconduct. The SFC also has the
power to take disciplinary measures and prosecute market participants for misconduct.

• The HKEX also has a statutory responsibility to ensure that the Hong Kong securities
market is fair, orderly, and informed. The HKEX supervises companies listed on the
Exchange for compliance with its listing rules and requirements. It also plays a role
in the information that listed companies need to provide. For example, it requires
listed companies to include a corporate governance report in each annual report. That
statement is to indicate whether the company has complied with the principles of the
Hong Kong Code of Corporate Governance Practices or, if not, an explanation as to why.
The Statement should also disclose the auditor’s remuneration for audit and non-audit
services. Further, it should include the nature and extent of the Board’s review of risk
management and internal control systems and whether they consider them to be
effective. It also has statutory powers of investigation and enforcement in relation
to corporate misconduct. The activities of the HKEX are subject to supervision and
monitoring by the SFC.

The legislative requirements for the statutory audit of a company’s financial
statements are found in the Companies Ordinance, Chapter 622, Part 9, Division 4.


The following will be restricted to considering, in summary, the basic provisions as they
relate to the regulation of a public company preparing an annual set of complete financial
statements.

It is the corporate model involving the separation of ownership and control that provides
the rationale for this regulation. The legislation mandates an accountability relationship
whereby the directors are required to communicate with the shareholders, the owners.

The regulation of the accounts preparation process is covered in Sections 373–378. These
require a company to keep accounting records to show the company’s transactions, disclose
the company’s financial position and performance, and enable the directors to prepare
financial statements that comply with the Companies Ordinance.

The records are to be kept at the registered company office or another location approved
by the directors, but must be available for inspection by the directors at all times. The records
can be in hard copy or electronic form and must be held for seven years.

Sections 379–387 contain the requirements for directors to prepare financial statements. In
brief, the directors are required to prepare financial statements of the company that give a true
and fair view of:

• The financial position as at the end of the financial year

• The financial performance for the year

The financial statements must comply with any other requirements specified by the
Companies Ordinance and with accounting standards. Section 380(4)(b) requires that the
accounting standards to be applied are those issued or specified by the HKICPA. These
comprise the Hong Kong Financial Reporting Standards (HKFRS) which include HKFRS
statements, Hong Kong Accounting Standards, and interpretations.

In addition, Section 383 specifies information relating to the company directors that must
be included in the notes to the financial statements, for example the directors’:

• Emoluments

• Retirement benefits

• Termination payments

• Loans

The directors must approve and sign the statements.

Sections 388–391 require that the directors prepare, approve, and sign a directors’ report
that includes, for example:

• The directors’ names

• Any material matters relevant to shareholders understanding the company

Sections 429–436 require that the directors send copies of the financial statements and
reports to the shareholders prior to the company’s annual general meeting.

In the context of the elements of an assurance engagement and a financial statement audit
as an assurance engagement, it is clear from these provisions that legislation designates the
directors as the responsible party, the shareholders are the designated users, the financial
statements are the subject matter information, and the criteria are the accounting standards
and other requirements under the Companies Ordinance. The third party in this accountability
relationship is the external auditor.

Part 9, Division 5 subdivision 2 deals with the appointment of auditors.

Section 393 provides that only a practice unit is eligible for appointment as a company
auditor. A practice unit means:

• A firm of Certified Public Accountants practising accountancy (usually in the form of a
partnership)

• An individual CPA practising accountancy

• A corporate practice

Any person who is an officer or employee of the company or a partner of such a person
is not eligible for appointment. This is an example of regulating the independence of
the auditors.

The primary statutory requirements for the appointment of an auditor are in Sections
395–400. An auditor must be appointed each financial year by a resolution of the shareholders
at the Annual General Meeting. The directors can appoint an auditor where a casual vacancy
arises. Where a firm is appointed, that is regarded as an appointment of the firm’s partners.

Where the auditor is appointed by the shareholders, Section 404 requires that the
remuneration of the auditor be fixed by a resolution of shareholders at a general meeting or in
the manner specified in such a resolution. If appointed by the directors, it can be determined
by the directors or, if not, by a resolution of the shareholders.

This relationship is formalised further under the requirements of HKSA 210 Agreeing the
Terms of Audit Engagements (June 2017), which requires the auditor to agree the terms of the
engagement with management or the directors through an engagement letter. This establishes
a contractual relationship with the company that supports the statutory appointment. That
letter would reflect the responsibilities of management, the Board, and the auditor, as required
under the Companies Ordinance.

Sections 405 and 406 require the auditor to report to the shareholders on the
financial statements at the Annual General Meeting. The report must state the auditor’s
opinion whether:

• The financial statements have been properly prepared in accordance with the
Companies Ordinance.

• The financial statements give a true and fair view of the financial position and
performance.

In forming this opinion, it is necessary that the auditor be satisfied that the HKFRSs have
been appropriately applied in the circumstances, with additional disclosure as necessary, to
achieve the true and fair view.

In the case of the accompanying directors’ report, if the auditor concludes that it is
inconsistent with the financial statements, the report must include that opinion.


Section 407 requires the auditor to also form an opinion whether:

• The company has kept adequate accounting records and

• The financial statements agree with the accounting records.

If the auditor concludes that this is not the case, that opinion must be included in the
auditor’s report.

In addition, in situations where the auditor has not been able to obtain all the information
and explanations necessary for the audit, the report must include a statement to that effect.

Where the company failed to disclose the information in relation to directors under
Section 383, this information must be included in the auditor’s report.

It is an offence under the Companies Ordinance if the auditor knowingly or recklessly omits
to report situations where the financial statements are not in accordance with the accounting
records or where all the required information and explanations have not been provided.

Consideration of some further provisions of the Companies Ordinance demonstrates how
regulation can reinforce the role and independence of the statutory audit function.

Section 410 provides that, in the absence of any malice, the auditor has qualified privilege
from defamation for any statements made or documents issued during the audit. Furthermore,
Section 411 gives the auditor the right to attend the general meeting and to be heard in
relation to audit matters. These provisions give the auditor the ability to communicate with
shareholders and other interested parties and therefore enhance the confidence that users can
have in the role of the statutory auditor.

The provisions dealing with termination of an auditor’s appointment in Subdivisions 6–8
provide the auditor with rights and obligations that support their independence. An auditor’s
appointment can be terminated if:

• The term of office has expired.

• The auditor resigns. In this case the auditor must give the company written notice and
a statement of circumstances that outlines any matters that the auditor believes should
be brought to the attention of the shareholders or creditors, or, if not, a statement to
that effect.

• The auditor is removed from office. This also requires the auditor to provide a
statement of circumstances to shareholders and requires an ordinary resolution of the
company at a general meeting of which special notice has been given and provided to
the auditor and the company Registrar.

• The company is subject to winding up orders.

The ability and obligation to communicate with shareholders and others gives the auditor
a degree of protection to plan and conduct the audit with due diligence and care, without the
potential for undue influence on their independence. Any issues in this regard are subject to a
transparent due process.

The above requirements clearly demonstrate the responsibility for accounts preparation
and the statutory audit function for companies in Hong Kong, and the extent to which regulation
under the Companies Ordinance supports the role of the auditor.


1.2.2 Hong Kong Standards and Guidelines for Auditing and Assurance
1.2.2.1 Professional Standards
One of the attributes of a profession and its status with, and value to, third parties is that it
has formal professional standards that govern the activities and behaviour of its members
and provide a benchmark for the performance of its functions. Such standards also provide
members of the profession with information as to the expected quality of performance.

One of the functions of the HKICPA is the promulgation of Standards for the conduct of
audits and other assurance engagements. The growing demand for assurance on a broad range
of subject matter other than the audit of financial statements has resulted in an extensive body
of audit and assurance standards under the Framework.

Members of the HKICPA must comply with the professional standards. Suspected failure to
comply can be investigated by the HKICPA and lead to disciplinary action, including cancellation
of the CPA’s practising certificate. In that event the member would forfeit the right to conduct
audits and other assurance engagements.

The standards therefore represent a benchmark against which individual auditors can
demonstrate the application of professional competence and due care, and against which third
parties can assess an auditor’s performance.

Section 18A of the Professional Accountants Ordinance (PAO) gives the HKICPA Council the
power to issue standards of practice to be applied by its members. The Council established the
Auditing and Assurance Standards Committee (AASC) to develop HK Quality Control, Auditing,
Review, Other Assurance, and Related Services Pronouncements. In 2001 the Council mandated
that these pronouncements be developed to converge with the International Quality Control,
Auditing, Review, Other Assurance, and Related Services Pronouncements. The international
standards on auditing, assurance and related services are issued by the International Auditing
and Assurance Standards Board (IAASB) of the International Federation of Accountants (IFAC).

The Amended Preface to the Hong Kong Quality Control, Auditing, Review, Other Assurance
and Related Services Pronouncements, July 2012, states that the objectives of convergence are to
establish high quality standards and guidance for:

• Financial statement audits that are generally accepted by auditors, investors,
governments, regulators, and other key stakeholders,

• Other types of assurance services on both financial and non-financial information,

• Other related services, and

• Quality control covering the scope of services covered by the AASC.

A further objective is to publish other pronouncements on auditing and assurance to
advance public understanding of the roles and responsibilities of auditors and assurance
providers.

Council has, however, taken the view that the HK Standards can include requirements
additional to the international pronouncements and in exceptional cases depart from those
Standards.

The professional standards do not, however, override local laws and regulations.


The suite of Standards issued under this structure is extensive, recognising the growing
demand for assurance on a broad range of subject matter and the need for the profession to
ensure that it self-regulates to maintain its role and the confidence of the users of audit and
assurance services.

Standards issued comprise:

• Standards on Quality Control (HKSQCs). These require a CPA firm to have a system of
quality control with policies to provide reasonable assurance that there is compliance
with professional standards and legal requirements and that reports issued are
appropriate in the circumstances. There should also be procedures to implement and
monitor compliance with the policies.

• Framework for Assurance Engagements. This provides the elements and structure for all
assurance engagements, of which the audit is one (Exhibit 1.5).

Pronouncements Issued by the HKICPA, and Their Relationship to Each Other and the Code

The Appendix illustrates the ambit of pronouncements issued by the HKICPA, and their relationship to each other and to
the Code of Ethics for Professional Accountants.

HKICPA Code of Ethics for Professional Accountants

Engagements Governed by the Standards of the HKICPA: Audits and Reviews of Historical Financial Information; Other Assurance Engagements; Related Services Engagements

Engagements Not Governed by the Standards of the HKICPA: Tax; Consulting/Advisory; Other Service

Pronouncements shown for engagements governed by the Standards of the HKICPA:

• HKSQCs 1–99 Hong Kong Standards on Quality Control

• Hong Kong Framework for Assurance Engagements

• HKSAs 100–999 Hong Kong Standards on Auditing

• HKSREs 2000–2699 Hong Kong Standards on Review Engagements

• HKSAEs 3000–3699 Hong Kong Standards on Assurance Engagements

• HKSIRs 100–999 Hong Kong Standards on Investment Circular Reporting Engagements

• HKSRSs 4000–4699 Hong Kong Standards on Related Services

• PNs 100.9999/AGs, HKAPGs, HKREPGs, HKAEPGs, HKRSPGs, Auditing and Assurance Technical Bulletins, Circulars and staff publications

EXHIBIT 1.5 The Hong Kong framework for assurance engagements

• Standards on Auditing (HKSAs). These are written in the context of financial statement
audits by an independent auditor, to be adapted as necessary when applied to other
historical financial information. These standards contain mandatory requirements
that must be complied with by a member undertaking a financial statement audit. See
Section 1.3 for further information about these standards.

• Standards on Review Engagements (HKSREs).

• Standards on Assurance Engagements (HKSAEs). For example, HKSAE 3000 (Revised)
Assurance Engagements Other than Audits or Reviews of Historical Financial Information and
on specific subject matters such as HKSAE 3410 Assurance Engagements on Greenhouse
Gas Statements.


• Standards on Investment Circular Reporting Engagements (HKSIRs). For example,
HKSIR 500 Reporting on Profit Forecasts, Statement of Sufficiency of Working Capital and
Statement of Indebtedness. This applies to reporting accountants defined as CPAs
engaged to prepare public reports and letters for inclusion in, or in connection with, an
investment circular. It provides standards and guidance when providing such letters on
directors’ profit forecasts and statements of working capital and investment circulars.

• Standards on Related Services (HKSRSs). For example, HKSRS 4410 (Revised) Compilation
Engagements.

The AASC issues Practice Notes (PNs) and Auditing Guidelines (AGs) to address local
regulatory and reporting issues. These guidelines provide interpretative guidance and
assistance in applying the standards. While not mandatory in the direct way that standards are,
failure to apply the guidance would require the member to explain how the relevant standards
to which any guidance relates have been complied with.

As part of the convergence policy, the AASC requires that International Auditing Practice
Notes issued by the IAASB be regarded as non-authoritative guidance that does not impose
additional requirements. These are designated as Hong Kong Auditing Practice Guidance
(HKAPG). An example is HKAPG 1000 Special Considerations in Auditing Financial Instruments.

They are aimed at assisting in the understanding of the circumstances of an entity and
in the making of judgements about the identification and assessment of risks of material
misstatement, how to respond to those risks, and the appropriate procedures that may be
applied. They may also address issues in relation to the auditor’s opinion and communicating
with management and those charged with governance.

It is important to recognise that adherence to professional standards is a significant
obligation on members of the HKICPA. Not all engagements undertaken by
accountants in public practice are assurance engagements, however, and there are standards that
apply to non-assurance engagements. The example given of an HKSRS deals with compilation
engagements, where no assurance is provided. These engagements involve the use of the
professional accountant’s accounting knowledge and skills rather than auditing expertise.
This standard deals with engagements undertaken in situations where management
requires assistance with the preparation of historical financial information. The accountant
processes and summarises the accounting data and assists with the preparation of the
financial information. It is not an assurance engagement as the accountant does not verify the
accuracy or completeness of the data. Management retains the responsibility for the financial
information resulting from this process. The value to users of this type of engagement is that
professional accounting and financial reporting expertise has been applied by professional
accountants who are subject to professional standards, including ethical requirements.

1.2.2.2 Profession’s Code of Ethics


A further attribute of a profession is that it accepts a responsibility to act in the public interest.
In this regard a significant element of the HKICPA’s self-regulatory regime is that members must
comply with the Code of Ethics for Professional Accountants (COE) November 2018 issued by
the HKICPA (COE Preface 10).

As stated in the Preface to the COE, and consistent with the approach to HKSAs,
Section 18A of the Professional Accountants Ordinance provides that the HKICPA Council
may issue Statements of Ethics to be applied by members. The Council has mandated
the Ethics Committee to develop a Code of Ethics for Professional Accountants. As part
of the convergence process, the HKICPA has decided to adopt the International Code of
Ethics for Professional Accountants issued by the International Ethics Standards Board for
Accountants (IESBA).

In a broad sense, ethics are concerned with the moral principles that govern an individual’s
behaviour or the performance of an activity. Codes of ethics do not, in themselves, cause
behaviour to be ethical, but they provide frameworks within which judgements and decisions
can be made consistently between professionals subscribing to an appropriate culture and
attitude. They can, therefore, be quite influential and can form the basis for judgements about
non-compliance in legal and professional proceedings.

The COE provides an official and methodological body of principles and rules to promote
appropriate behaviour and relationships between auditors/assurance providers and clients and
users. It also promotes the notion that where there are conflicts between participants in the
accountability process, the CPA should put the public interest above their own or that of
their client (COE 100.1 A1).

As indicated, included in the body of standards issued by the HKICPA is HKSQC1 (Clarified)
Quality Control for Firms that Perform Audits and Reviews of Financial Statements and Other
Assurance and Related Service Engagements. This standard requires that CPA firms implement
and monitor a system of quality control for audits and reviews and other assurance and related
service engagements (HKSQC1 13–15).

This system should comprise policies that provide reasonable assurance that the firm and
its employees comply with professional, legal, and regulatory requirements and that reports
issued by the firm are appropriate in the circumstances.

HKSQC1 states (paragraphs 20 and 21) that the firm shall establish policies and procedures
designed to provide it with reasonable assurance that:

• The firm and its personnel comply with relevant ethical requirements.

• The firm, its personnel, and, where applicable, others subject to independence
requirements (including network personnel) maintain independence where required by
relevant ethical requirements, laws, and regulation.

Furthermore, in the context of a financial statement audit, HKSA 200 states that a
mandatory fundamental principle of audit is that the audit shall comply with relevant ethical
requirements, including those relating to independence.

The COE includes the following chapters:

• A – Requirements and Application Material for Professional Accountants, based on the
International Code. It establishes the fundamental principles of professional ethics
and provides a conceptual framework to be applied, with examples and safeguards
to address threats to compliance with the fundamental principles. It also addresses
situations that must be avoided because safeguards cannot address the threats.

• B – Not Used.

• C – Additional Ethical Requirements on specific areas, for example, changes in a
professional appointment, change of auditors of a listed issuer of the Stock Exchange of
Hong Kong, ethics in tax practice, and practice promotion.

• D – Comparison with the IESBA Code of Ethics for Professional Accountants.


• E – Specialised Areas of Practice such as for liquidation and insolvency.

• F – Guidelines for Anti-Money Laundering and Counter-Terrorist Financing for
Professional Accountants.

The following material is extracted from a summary of the COE and will focus on Chapter A
and the following Parts of the COE (Exhibit 1.6):

• Part 1 – Complying with the Code, Fundamental Principles, and Conceptual Framework

• Part 2 – Professional Accountants in Business; for example, members in commerce,
industry, the public sector, education, not-for-profit, regulatory, or professional bodies

• Part 3 – Professional Accountants in Public Practice

• Part 4A – Independence for Audit and Review Engagements

• Part 4B – Independence for Assurance Engagements Other Than Audit and Review
Engagements (May 2020)

Overview of the code

• Part 1 – Complying with the code, fundamental principles and conceptual framework
(All professional accountants - Sections 100 to 199)

• Part 2 – Professional accountants in business (Sections 200 to 299)
(Part 2 is also applicable to individual professional accountants in public practice when performing
professional activities pursuant to their relationship with the firm)

• Part 3 – Professional accountants in public practice (Sections 300 to 399)

• International independence standards (Parts 4A and 4B)
Part 4A – Independence for audit and review engagements (Sections 400 to 899)
Part 4B – Independence for assurance engagements other than audit and review engagements (Sections 900 to 999)

• Glossary (All professional accountants)

EXHIBIT 1.6 HKICPA Code of Ethics for Professional Accountants (COE) November 2018

A general description of COE Chapters E and F is provided later in this chapter.

The COE adopts a conceptual approach to ethics and independence (COE User Guide
6–8, 110.2 A1, R120.3). This recognises that it is not possible to identify every individual or
specific situation that creates a threat to compliance with the fundamental ethical principles.
The differing nature of engagements and the range of circumstances facing professional
accountants create different threats.

1.2.2.3 Fundamental Ethical Principles


The COE contains five fundamental principles to be complied with as the foundation of the
conceptual approach (COE 110.1 A1, R110.2).

• Integrity. Be straightforward in all professional and business relationships. This requires
not knowingly being associated with reports, communications, and other information
that is believed to be misleading, prepared recklessly, or omits or obscures information
such that it would be misleading.

• Objectivity. Not allow bias, conflict of interest, or undue influence of others to
compromise professional or business judgements.

• Professional competence and due care. Attain and maintain professional knowledge and
skill at the level required to ensure that a client or employing organisation receives a
competent professional service based on current technical and professional standards
and relevant legislation. This requires that the professional accountant act diligently
in accordance with applicable technical and professional standards. When applied
to assurance engagements more broadly, this requires that the assurance provider
has the skills and knowledge relevant to the nature of the subject matter of the
engagement, which often extends beyond financial statements and information.

• Confidentiality. Respect the confidentiality of information acquired because of
professional or business relationships in an audit context. Information obtained during
an audit should not be disclosed to third parties without proper and specific authority,
unless there is a legal or professional right or duty to disclose. Some provisions of the
Companies Ordinance, for example in relation to disclosures at a general meeting or in
relation to audit appointment and termination, may see this requirement overridden.
Confidentiality also requires that information should not be used for the personal
advantage of the auditor or third parties.

• Professional behaviour. Comply with relevant laws and regulations and avoid any conduct
that the professional accountant knows or should know might discredit the profession.

The conceptual approach requires that the professional accountant:

• Identify threats to compliance with the fundamental ethical principles.

• Evaluate identified threats.

• Address the threats by eliminating or reducing them to an acceptable level by applying
appropriate safeguards (COE 120.1, 2).

This avoids an approach where a particular circumstance that may be inappropriate is
accepted because it is not specifically precluded by the COE.

This approach recognises that accountants in public practice and business face moral and
ethical dilemmas that conflict with their self-interest. Various ethical decision-making models
and theories have developed over time to assist decision-making on ethical issues. The Code is
a model developed by the profession to assist in overcoming the conflict that members of the
profession face by providing a foundation for resolving situations involving a conflict of interest
on a proper and considered basis.

The same conceptual approach is to be applied to the specific sections of the ethics dealing
with independence for audit, review, and other assurance engagements.

In applying this conceptual approach, a professional accountant must:

• Exercise professional judgement, which requires relevant training, professional
knowledge, skill and experience with the facts and circumstances relevant to the
interests and circumstances involved with the issue identified. This understanding is a
prerequisite for an informed judgement and decision. Both quantitative and qualitative
factors need to be taken into account when evaluating the significance of a threat.


• Remain alert for new information and to changes in facts and circumstances that could
lead to a need to re-assess a previous judgement as to whether a threat has been
eliminated or reduced to an acceptable level.

• Use the reasonable and informed third party test. This requires the professional
accountant, in exercising professional judgement, to consider whether a reasonable
and informed third party would be likely to reach the same conclusion given the same
facts and circumstances that the accountant knows or could reasonably be expected to
know. The third party need not be an accountant, but would possess the appropriate
level of knowledge and experience to understand and impartially evaluate the
appropriateness of the accountant’s conclusion. (COE R120.5)

Supporting the conceptual approach is further guidance presented in a ‘standards’ format,
with ‘requirements’ designated by paragraphs with the letter ‘R’, which impose general and
specific obligations on a professional accountant or firm with respect to a subject matter and
are stated in the form of ‘shall’.

Application Guidance provides context, explanations, suggestions for actions or matters to
consider, illustrations, and other guidance to consider in applying the conceptual framework
to particular circumstances and with the requirements. They are designated with an ‘A’. While
not imposing requirements, it is necessary to consider the material for proper application of
Chapter A and the conceptual framework.

Both the ‘R’ and ‘A’ paragraphs therefore are to be read and applied with the objective of
complying with the fundamental principles of the COE.

For example:

Part 1, Section 100, Complying with the Code states:

‘R100.4 .... A professional accountant who identifies a breach of any other provisions of
the Code shall evaluate the significance of the breach and its impact on the accountant’s
ability to comply with the fundamental principles. The accountant shall also:

(a) Take whatever actions might be available, as soon as possible, to address the
consequences of the breach satisfactorily and

(b) Determine whether to report the breach to the relevant parties.

100.4 A1 Relevant parties to whom such a breach might be reported include those who
might have been affected by it, a professional body or an oversight authority’.

1.2.2.4 Threats to the Fundamental Principles


The threats to the fundamental principles identified in the COE are:

• Self-interest. The threat that a financial or other interest will inappropriately influence
judgement or behaviour. For example, where a member of the engagement team has
a direct financial interest in the audit client or an audit firm being reliant on total fees
from an audit client.

• Self-review. The threat that an accountant will not appropriately evaluate the work done
previously by another member of the accountant’s firm or for a client. For example, a
firm having prepared the original data to produce the accounting records that are the
subject matter of an audit engagement or a member of the engagement team having
recently been an officer of the audit client entity.


• Advocacy. A threat that promoting a client or employer’s position will compromise
objectivity. For example, an audit firm promoting the shares of the audit client.

• Familiarity. A threat that, due to a long or close relationship with a client, an accountant
will be too sympathetic to their interests or too accepting of their work. For
example, a member of the audit engagement team having a close family member who
is an officer of the audit client or senior audit personnel having a long association with
the audit client.

• Intimidation. A threat that an accountant may be deterred from acting objectively
because of actual or perceived pressures, including attempts to exercise undue
influence. For example, an audit firm being advised that it will not be appointed to
provide other services to the audit client if it continues to disagree with the client’s
accounting policies for a transaction or transactions. (COE 120.6 A3)

1.2.2.5 Safeguards to Threats


When a threat is identified it is assessed as to whether it is at an acceptable level, i.e. whether
the reasonable and informed third party would likely conclude that the professional accountant
complies with the fundamental principles.

Where the threat is not at an acceptable level, it must either be eliminated or reduced
to an acceptable level through the application of appropriate safeguards, or by declining the
engagement or ending the activity.

The ethics describe in detail situations where threats may be created and the safeguards
that may be applicable as well as situations where safeguards are not available to address
threats and the circumstances are to be avoided.

Safeguards are measures established either through professional requirements, legislation,
or regulation, or implemented in the workplace environment. The COE identifies the following
examples of ways in which safeguards can be developed:

• Professional requirements for entry into the profession relating to education, training,
and experience.

• Ongoing professional development requirements.

• Professional standards.

• Corporate governance regulation.

• Professional or regulatory disciplinary processes.

• Monitoring and review procedures.

Safeguards not only play a role in reducing threats to an acceptable level but they act as
a deterrent to unethical behaviour through readily available complaint systems and explicit
requirements to report breaches of the requirements.

1.2.2.6 Ethics for Professional Accountants in Business


Part 2 deals with professional accountants in business. It recognises that third parties such as
investors, creditors, employers, governments, and the general public might rely on professional
accountants working in a business, for example for the preparation of financial information on
which third parties rely. The ethics require that those accountants apply the conceptual
framework approach.


In addition, ‘R’ and ‘A’ guidance is provided on situations that could create a threat to the
fundamental principles and the need to consider safeguards:

• Conflicts of interest. These situations create a threat to objectivity and may compromise
compliance with other fundamental principles. For example, acting for both parties in a
situation where a partnership is to be terminated or being involved in a management or
governance position in two entities and having access to confidential information about
one of those entities that could be used to the advantage or disadvantage of the other.
In such situations it is recommended that members seek guidance from appropriate
individuals within the entity or externally, such as legal counsel or the HKICPA, in order
to understand their obligations in relation to confidentiality. An appropriate safeguard
could be to withdraw from the decision-making process involved. (COE s.210)

• Preparation and presentation of information. Members in business often participate in
the preparation of information that is made publicly available or provided to other
parties, for example financial statements, budgets, and forecasts. Members are
responsible for preparing that information fairly and honestly and in accordance with
the applicable reporting requirements. Self-interest and intimidation threats may arise,
for example, where there is pressure applied by external parties or by the potential for
personal gain to prepare information that is misleading. Safeguards against external
pressure being applied to a member are processes to enable consultation with senior
personnel within the entity, the audit committee, or governing body. (COE s.220)

• Acting with sufficient expertise. This requires that members have the appropriate training
and experience to undertake the task in which they are involved. Threats to this
requirement can arise, for example, where training and expertise is insufficient or there
is insufficient time and resources available to complete a task with the necessary level
of professional competence and due care. Safeguards include obtaining additional
training or obtaining assistance from personnel with the appropriate expertise. (COE s.230)

• Financial interests, compensation, and incentives linked to financial reporting and decision
making. This creates a potential self-interest threat to the principle of objectivity and
confidentiality. Threats could arise, for example, where a member’s remuneration
includes a bonus based on the entity’s profit or share bonus scheme where the profit or
share value could be affected by decisions being made or influenced by the member. In
addition to a self-interest threat, there may also be an intimidation threat where more
senior personnel within the entity apply pressure to produce misleading outcomes to
enhance their remuneration outcome. Safeguards include, for example, having
remuneration determined by an independent committee within the entity or policies
that require disclosure within the entity as to trading in entity shares. (COE s.240)

• Inducements, including gifts and hospitality. Members may be offered inducements such
as gifts, hospitality, preferential treatment, or approaches to take advantage of
friendship or loyalty. Such offers may be made with the intention to unduly influence a
member’s actions or decisions. These situations create self-interest, familiarity, and
intimidation threats to integrity, objectivity, and professional behaviour in particular.
Safeguards include, for example, a policy of reporting gifts and hospitality or informing
appropriate personnel within the organisation of such situations. (COE s.250)


• Responding to non-compliance with laws and regulations. During the course of
performing their duties, members may become aware of non-compliance or suspected
non-compliance with laws and regulations that impact the financial statements or
operating aspects of the business; for example, non-compliance with accounting
standards, fraud, money laundering, or environmental laws. The member’s ethical
responsibility is to act in the public interest and to comply with the principles of
integrity and professional behaviour, and to alert management so as to enable the
matter to be rectified or mitigate the circumstances, and to deter any action that has
not yet occurred. These situations may be subject to self-interest and intimidation
threats. The member needs to understand whether any legal or regulatory obligations
exist to report such matters to relevant authorities, which may include seeking advice
internally, seeking legal advice, or consulting with regulatory or professional
organisations. Safeguards might include protocols and procedures within an entity
as to how to deal with these matters, such as an internal ethics policy or a
whistle-blowing mechanism. Depending on the circumstances and those involved,
reporting to the governing body may be required. (COE s.260)

• Pressure to breach the fundamental principles. Further to the specific situations already
dealt with, this section covers the broad issue of pressure being exerted on a member
to breach fundamental principles and provides further examples of those threats. It is
suggested that safeguards to deal with these intimidation threats and with pressure being
exerted on a member include an entity culture and leadership that militates against
such behaviour, HR policies and procedures to address pressure, and an environment
where matters can be discussed with others in the entity. Also, a member could request
a restructure or segregation of responsibilities and duties so that the member is no
longer involved with the individual or entity exerting the pressure. (COE s.270)

1.2.2.7 Ethics for Professional Accountants in Public Practice


Part 3 deals specifically with professional accountants in public practice whether providing
assurance services or not. Again, this section requires the application of the conceptual
approach as the underlying decision model.

This Part also links back to Part 2 in that it recognises that a professional accountant in
public practice has a relationship with the professional accounting firm of which they are an
employee, contractor, or owner, and requires that they comply with the requirements of Part 2
as they relate to those relationships.

The COE cites as an example a situation where a professional accountant in public practice
is facing pressure from an engagement partner to incorrectly report chargeable hours for a
client engagement. It requires that professional accountant to apply the procedures identified
in relation to a professional accountant in business facing pressure to act inappropriately, such
as raising the matter at an appropriate senior level within the firm, disclosing the matter under
established procedures for reporting ethical issues, or raising the matter with human resources
personnel.

While Parts 4A and 4B deal specifically with independence in an assurance context, Part 3
also includes extensive examples of threats to independence for professional accountants in
public practice, generally under each of the categories identified earlier, along with suggested
safeguards.


When evaluating the threats under the conceptual model, the COE requires that
consideration also be given to the client and accounting firm’s operating environment and the
nature and scope of the professional service.

The COE gives the example of the provision of a non-assurance service to an audit client
where that client is a public interest entity, for example a publicly listed entity, where the threat
to audit objectivity might be assessed as higher because of the potential greater scrutiny and
implications of any inappropriate outcome.

The threat assessment should also be influenced by factors within the professional
accounting firm such as:

• Leadership that develops a culture of compliance with the fundamental principles and
creates an expectation that engagement team members will act in the public interest.
This could, for example, be communications that reflect ethical values and actions and
decisions by senior personnel that reflect ethical principles. An inappropriate ‘tone at
the top’ could lead to an inappropriate firm culture.

• Documented policies and procedures for monitoring and compliance that emphasise
the need to identify threats, evaluate the threat and apply safeguards, and identify
processes to implement the policies. For example, such policies would require the
disclosure and recording of relationships between engagement team members and the
client entity. Such policies and procedures encourage and support a commitment to
ethical principles.

• Compensation, performance appraisal, and disciplinary policies and procedures that
promote compliance with the fundamental principles. For example, policies that
mitigate the impact that the amount of other services provided to an audit client would
have on the audit partners’ performance appraisal and compensation. Inappropriate
incentives and lack of enforcement of policies may encourage unprofessional
behaviour.

• Authority of engagement partners for decisions concerning compliance with ethical
principles and in relation to client service decisions and prohibiting non-members of an
audit engagement team influencing the outcome of the engagement.

• Educational, training, and experience requirements. Policies that require engagement
personnel to have the necessary competence and to maintain their skill base through
ongoing professional development support compliance with the fundamental
principles.

• Complaint processes to ensure that concerns are dealt with and disciplinary processes
applied support a compliance culture. (COE 300.7 A5)

Part 3 then provides extensive guidance on the following specific situations. The following
has been extracted from the COE and is a brief summary of some of the primary matters
covered in these sections as illustrations, but is not comprehensive or a substitute for
reading the COE:

• Conflicts of interest. This relates to avoiding situations that could compromise
professional and business judgements. It deals with threats to objectivity that could
arise where a professional accountant provides professional services on a matter to
two or more clients whose interests are in conflict. For example, preparing a valuation
of assets for two parties who are in an adversarial position with respect to the asset and
representing two clients in the same legal dispute, such as dissolving a partnership or
providing services to a seller and buyer involved in the same transaction. The
professional accountant is required to identify the nature of relationships between
parties involved and the implications for the relevant parties before accepting a new
client. Consideration needs to be given to whether consent of the parties is appropriate
as a safeguard and if not given where considered necessary, the engagement or
relationship must be terminated. The professional accountant must document the
matter and decisions made. This section also deals with situations where the interests
of the professional accountant and client on a matter are in conflict. (COE s.310)

• Professional appointments. This can create threats to any of the fundamental principles,
but of most concern are threats to integrity and professional behaviour in situations
involving accepting new clients or changes in an existing engagement. The
requirements are to have knowledge and understanding of the client, management,
and the business and to be aware of issues such as illegal activities and questionable
financial reporting practices. There is also a self-interest threat to professional
competence and due care if the accountant does not have the appropriate skills and
knowledge for the engagement and business. Examples of safeguards are assigning
management personnel with the appropriate skills or using experts where necessary.
Where an accountant is replacing another accountant, it is recommended that there is
communication between the two accountants to identify relevant issues, particularly in
an audit or review situation where communication with the predecessor auditor is
required to obtain information as to whether the incoming auditor should accept the
engagement. If the client does not allow such communication, consideration needs to
be given as to whether to accept the engagement. (COE s.320)

• Second opinions. This covers situations where a professional accountant’s opinion is
sought on the application of accounting, auditing, reporting, or other standards or
principles for an entity that is not an existing client regarding a specific transaction or
circumstance. This is a self-interest threat to the fundamental principle of competence
and due care if not based on the same facts and circumstances as the other party
providing the initial advice. A safeguard would be to obtain client permission to contact
the other accountant. If that permission is not provided it would be appropriate to
consider whether to accept the engagement. (COE s.321)

• Fees and other types of remuneration. The ethics accept that quoting fees is not unethical.
However, it is recognised that a self-interest threat to competence can arise if the
quoted fee is so low that it might be difficult to perform an engagement in accordance
with standards. If such a threat is identified, safeguards such as adjusting fees to an
appropriate level or having a review of the work performed by a person not involved in
the engagement to be satisfied that it is of the appropriate quality could reduce the
threat to an appropriate level. This section also deals with contingent fees and referral
fees and commissions. Contingent fees can be used for some non-assurance
engagements, but may create a self-interest threat to objectivity. Safeguards are to
have the work done by a member not involved with the engagement or to obtain a
written agreement in advance from the client. These could be referral fees and
commissions, for example a commission from a software vendor for sales of products
to clients or a fee for referring a client of another accountant because of an inability to
provide a specific service. These situations can create self-interest and professional
competence and due care threats. The suggested safeguards are to disclose the
matters to the client and obtain in advance a written agreement with the client as to the
arrangements. (COE s.330)

• Inducements including gifts and hospitality. It is recognised that these could create a
self-interest, intimidation or familiarity threat, and non-compliance with the
fundamental principles of integrity, objectivity, and professional behaviour. Unless
trivial or inconsequential, no inducements should be offered or accepted if a
reasonable and informed third party may conclude that the intent is to improperly
influence behaviour. Consideration must also be given to laws and regulations that may
be relevant to these circumstances. Assessing whether or not the intent of an action is
to improperly influence behaviour involves a judgement considering, for example, the
nature, frequency, and value of the matter, its proximity to the timing of a decision,
whether it reflects a customary or cultural practice, whether it is available to only an
individual or a broader group, and the degree of transparency as to its occurrence. If it
is determined that an action was not intended to unduly influence behaviour, the level
of any threat can be reduced by safeguards such as being transparent about the matter
with senior personnel within the firm, maintaining a log of such matters that is regularly
reviewed by senior personnel, or having the work in relation to the service reviewed by
a member not involved in the engagement. Donating gifts to charity or reimbursing the
cost of gifts and hospitality could overcome the threats created. (COE s.340)

• Custody of client assets. Custody of client monies is not permitted unless permitted by
law. Custody of assets can create self-interest threats to professional behaviour and
objectivity. Safeguards could be keeping those assets separate from firm assets and
using them only as intended, ensuring that any dividends or gains are accounted for,
and complying with relevant laws and regulations. (COE s.350)

• Responding to non-compliance with laws and regulations. Self-interest or intimidation
threats could undermine the principles of integrity and professional behaviour if a
professional accountant becomes aware of non-compliance or suspected
non-compliance with laws and regulations by a client. The obligation is to obtain an
understanding of legal requirements facing a client. Any non-compliance is to be
discussed with management, advising them to take appropriate action if they have not
already done so. An assessment of management’s response is required to determine
whether any further action is required by the accountant in accordance with relevant
laws, regulations and standards, and to ensure that any action is in the public interest.
Actions taken and the outcomes must be documented. (COE s.360)

1.2.2.8 Ethics and Independence


It is generally accepted that independence is a fundamental distinguishing feature of the
professional accountancy profession that supports its role as an assurance provider. Assurance
is valuable to a user of information if the assurance provider is, and is seen to be, unbiased,
objective, and has no vested interest in the entity and the information about which the
assurance is given.

The COE emphasises that the professional accountant must be independent when
undertaking audits, reviews, and other assurance engagements, and links independence to the
fundamental principles of objectivity and integrity.


The COE recognises that independence is linked to the principles of integrity and objectivity
and comprises:

• Independence of mind that supports expression of a conclusion without factors that
compromise professional judgement and support acting with integrity, objectivity, and
professional skepticism.

• Independence in appearance by avoiding circumstances in which a reasonable and informed
third party would be likely to conclude that there has been a lack of integrity, objectivity,
or professional skepticism. (COE 400.5)

There is an additional link in this area to the fundamental audit/assurance principle of
professional skepticism as an inter-related concept, and which is supported by the fundamental
ethical principles outlined earlier.

For example, the COE indicates that by being straightforward and honest when dealing
with a position taken by a client, and pursuing inquiries about inconsistent information, or
seeking further evidence about potentially misleading statements, the professional accountant
complies with the principle of integrity. This critical assessment of evidence contributes to the
application of professional skepticism necessary for an assurance engagement.

Part 4A therefore includes extensive principles specifically in relation to independence for
audit and review engagements. Part 4B deals with assurance engagements other than audit
and review engagements. The conceptual approach is also required to be applied in this regard,
i.e. identify threats to independence, evaluate the significance of any threats identified, and
apply safeguards to eliminate or reduce the threats to an acceptable level, but also includes
extensive requirements (‘R’) and application material (‘A’) on a range of specific circumstances
that could create threats to independence.

Part 4A addresses in detail Independence for Audit and Review Engagements. It emphasises
that when performing audit engagements, the auditor must comply with the fundamental COE
principles and be independent.

Independence is required during:

• The engagement period


• The period covered by the financial statements (COE R400.30)

There is a requirement that documentation to evidence judgements made in relation to
independence issues is produced and maintained by the accounting firm.

Where there is a breach of the COE, the following is required:

• Discontinue the interest or relationship and address any consequences.

• Consider any legal or regulatory implications.

• Communicate the breach to appropriate firm personnel.

• Evaluate any impact on the ability to issue an audit report.


• Consider whether to continue the engagement. (COE R400.80)

In the context of applying the conceptual approach it describes in detail:

• Facts, circumstances, activities, interests, and relationships that create or may
create threats.


• Potential actions/safeguards.

• Situations where threats cannot be eliminated or safeguards cannot reduce them to an
acceptable level.

It is also recognised that because of the public interest in some entities (public interest
entities), such as entities listed on the Hong Kong Stock Exchange, specific requirements are
included to reflect this perspective. Member firms are encouraged to determine whether
other clients with which they have a relationship should also be subject to those requirements
because of their size, number of employees, and business, for example holding assets in a
fiduciary relationship.

The following is a brief summary, with examples, of the threats and safeguards that could
arise in public practice and that are covered in Part 4A:

• Compensation and evaluation policies. A self-interest threat may be created where an
engagement team member is evaluated or compensated on the basis of the level of
non-audit fees obtained from a client. This can be dealt with by eliminating the threat
by revising the policy or removing the individual from the engagement team.
A safeguard to reduce the threat would involve reviewing the work of the member
involved. Key audit partners are not to be evaluated or compensated on this basis. (COE s.411)

• Fees. Depending on the nature, level, and types of remuneration, fees can create
self-interest and intimidation threats. This could be a concern where the total fees from
one client represent a significant proportion of the total fees of the firm. A safeguard is
to increase the client base to reduce reliance on the fees from that client. A similar
concern arises if the fees from one client represent a large proportion of the revenue
base of one audit partner. Suggested safeguards in this area are to increase the client
base of the partner or subject the work of that partner to more extensive review. For
public interest entities, the ethics are more specific and onerous in seeking to avoid
threats. If for two years the total fees from one client represent more than 15% of the
total fees of the firm, this has to be disclosed to the client management and either a
‘pre’ or ‘post’ issuance quality control review by a member not in the firm or by a
professional body should be undertaken of that audit. A ‘pre-issuance’ review would be
undertaken prior to the issue of the audit opinion for the second year. A ‘post-issuance’
review would occur after the issue of the opinion for the second year but before the
issue of the opinion for the third year. If the fees from one client are significantly
greater than 15%, a ‘pre-issuance’ review is seen as preferable. Overdue fees also
create a self-interest threat, and action should be taken to recover those fees or, if they
are significant, consideration given to a review of the audit. If fees are overdue for a
long period, they take on the characteristic of a loan and consideration needs to be
given as to whether to continue the engagement or seek re-appointment. As a specific
prohibition, a firm cannot charge a contingent fee for an audit engagement when a fee
is calculated on a pre-determined basis relating to the outcome of the service
performed. (COE s.410)

• Gifts and hospitality. Firms or audit team members cannot accept gifts or hospitality
unless the value is trivial or inconsequential. (COE s.420)

• Actual or threatened litigation between the firm and client creates self-interest and
intimidation threats. Such situations may affect the relationship between management
and the auditor in a way that impedes the full and effective disclosure relating to the
client’s business, which is necessary for the audit process. The safeguard available in
this case is to have the audit work reviewed by a member not involved in the audit
engagement. (COE s.430)

• Financial interests in a client create a self-interest threat. This threat is seen as significant
and therefore no direct or material indirect financial interest in a client can be held by
the firm, network firm, engagement team member, immediate family member, or other
parties in the office of the engagement partner or other partner or managerial
employee providing other services. Similarly, no financial interest is permitted in an
entity controlling an audit client. The same applies for the situation where the firm acts
as trustee unless the interest is immaterial to the trust or the trust cannot exert
influence over the audit client. (COE s.510)

• Loans and guarantees. These relationships can create self-interest threats. A firm or
member of an engagement team cannot make a loan or provide a guarantee to a loan
to a client unless it is immaterial to all parties. A firm or member of an engagement
team cannot accept a loan from a client unless it is made under normal lending
procedures, conditions, and terms, such as a bank overdraft. If the loan is material the
threat may still exist and the safeguard of having the audit work reviewed by a member
not involved in the audit may be necessary. (COE s.511)

• Business relationships. A close business relationship between a firm, member of the
management team, or a member of that member’s immediate family and the audit
client or its management involves a financial interest that could cause a self-interest or
intimidation threat. For example, in the case of an interest in a joint venture, unless the
financial interest is immaterial or the business relationship insignificant to the client, its
management and the firm or engagement team member, such arrangements should
not be entered into or should be terminated. However, the purchase of goods and
services from a client may be acceptable if it is in the normal course of business and
undertaken at arm’s length through the normal purchase process. Consideration as to
the nature and magnitude of the transaction may still result in a determination that the
threat still exists and is unacceptable unless the arrangement is modified to be less
significant. (COE s.520)

• Family and personal relationships. Where a family member or a personal relationship
exists between an engagement team member and an employee of the audit client, a
self-interest, familiarity, or intimidation threat may exist. Depending on the role of the
client’s employee in the financial reporting process and the nature of the relationship,
the appropriate safeguards are to remove the member from the engagement team or
restructure the responsibilities of the engagement team so that the member does not
deal with matters for which the family member is responsible. (COE s.521)

• Recent services with an audit client. In situations where a member of the engagement
team had previously been employed by the client and had responsibility for the
preparation of accounting records now subject to audit, self-interest, self-review, and
familiarity threats may be created. Depending on the nature and extent of the
involvement of the member, the time period since being employed by the client, and
the expected role in the engagement team, the member should not be assigned to the
engagement team or, as a safeguard, the work of that member undertaken during the
audit should be reviewed. (COE s.522)

• Employment with an audit client. If a former member of the engagement team joins an
audit client and can exert significant influence over the financial reporting process, and
that individual maintains a connection with the audit firm, familiarity and intimidation
threats would compromise independence. If no significant connection remains, then
the significance of the threat depends on, for example, the position taken by the
individual with the client and any ongoing involvement with the engagement team.
Safeguards may be applied, such as modifying the audit plan, to reduce the threats to
an acceptable level. No partner or firm employee should serve as a director or officer of
an audit client, as the self-review and self-interest threats would be so significant as not
to be able to be reduced to an acceptable level. (COE s.523 and 524)

• Temporary personnel assignments. A self-review, advocacy or familiarity threat may be
created where an audit firm provides staff to the audit client. Such staff should not have
management responsibilities and should be directed and supervised by the audit client.
Safeguards include conducting additional review of the work performed by the loaned
staff or not including that member on the engagement team. (COE s.525)

• Long association with an audit client. Where senior personnel have been involved with an
audit client over a long period, familiarity and self-interest threats are created.
Safeguards include rotation of senior audit personnel off the engagement team, review
of the work of that member by an individual not involved in the audit, and internal and
external quality reviews of the engagement. For entities that are public interest entities,
a member cannot be a key audit partner for more than seven years and cannot be
involved again with that client engagement for five years. (COE s.540)

• Provision of non-assurance services. These requirements as a general rule prohibit the
provision of a non-assurance service that would result in the audit firm or member
assuming a management responsibility within the client entity. They also require a
re-assessment of non-assurance services currently or previously provided on
independence if the client becomes a public interest entity. The following services are
dealt with specifically. (COE s.600)

• Accounting and bookkeeping. Depending on the nature of the service a self-review threat
may exist. Accounting services that are mechanical or routine and require minimal
professional judgement, for example payroll calculations based on client data and
approved entries to the trial balance, are acceptable. Where the service is more
substantial, safeguards, such as having the service performed by a professional that is
not part of the audit team or having a review of the audit or services provided by
another member of the firm not involved, could be applied to reduce the risk to an
acceptable level. (COE s.601)

• Administrative. Tasks that are routine and mechanical in the normal course of
operations, such as word processing or preparing statutory forms for client approval,
are acceptable. (COE s.602)

• Valuation. A valuation service may create a self-review or advocacy threat where that
valuation relates to an asset, liability, or business and whether it will have a material
impact on the financial statements. The significance of the threat also depends on such
factors as the availability of established methodologies, the subjectivity of the data, and
the extent of management’s involvement in determining and approving the
methodology. Safeguards include review by a member not involved in the process or
the audit or having the valuation performed by a member not involved in the
engagement team. (COE s.603)

• Tax. Taxation services cover a range of activities from preparation of the tax return,
calculation for inclusion in the financial statements, tax planning, and assistance in
resolving tax disputes. Assistance with tax return preparation is acceptable as long as
management takes responsibility for the return and the significant judgements made in
its preparation. However, preparing calculations for items to be included in the financial
statements creates a self-review threat, the significance of which depends on the
materiality of the item, the complexity of the law, and the level of expertise of the
client’s staff involved. Safeguards include having the service provided by a member who
is not part of the engagement team or obtaining external expert advice. Tax planning
may also create a self-review threat where such advice impacts items in the financial
statements. Assisting a client to resolve a tax dispute may create an advocacy or
self-review threat. The same safeguards are again applicable. (COE s.604)

• Internal audit. The provision of internal audit services to an audit client creates a
self-review threat. This arises where the firm provides an internal audit service to assist
the client perform its internal audit activities and that work is relied upon during the
course of the external audit. The extent of the threat depends on the nature and extent
of the internal audit services provided. For example, the firm’s personnel providing the
internal audit service should not take on any management responsibility. Whether the
risk can be reduced to an acceptable level will depend on factors such as the materiality
and likelihood of misstatement in the areas in which the internal audit service was
provided and the degree of reliance to be placed on that work. An appropriate
safeguard is to have the service provided by members who are not part of the audit
engagement team. (COE s.605)

• Information technology systems. A self-review threat is created where the firm provides a
service to design or implement hardware or software systems that are integral to the
client entity’s accounting, internal control, and financial reporting systems and are
prohibited because the threat cannot be addressed through safeguards. Services that
relate to systems that are unrelated to accounting records or financial statements or
are ‘off-the-shelf’ accounting systems and require minimum customisation for the client
are acceptable. If safeguards are deemed necessary, having a member not involved in
the audit engagement team can be applied. (COE s.606)

• Litigation support. An advocacy or self-review threat is created when a firm is requested
to assist in resolving a dispute or litigation that materially impacts the financial
statements. This type of service is not permitted. (COE s.607)

• Legal. Depending on the nature of the service and the relationship to the outcome on
the financial statements, providing legal services may create self-review or advocacy
threats, for example providing support to complete a transaction. Safeguards include
using a firm member who is not a member of the engagement team or obtaining
professional advice to review the matter and its financial statement implications. (COE s.608)

• Recruiting. The provision of recruiting services may create self-interest, familiarity, or
intimidation threats. Such services are permitted except that the firm should not be
involved in management responsibilities negotiating on the entity’s behalf or making
the hiring decision. (COE s.609)

• Corporate financial services. Depending on the nature of the service, advocacy or
self-review threats may be created. For example, advice on the structuring of a
transaction or financing arrangements that will impact the financial statements may
create a self-review threat. Safeguards such as having the service provided by a
member who is not part of the engagement team or seeking advice from a professional
not involved in providing the service for financial statement issues would be
appropriate. However, where the advice depends on an accounting treatment with
which the engagement team is not supportive or the outcome is material to the
financial statements, such a service should not be provided. Services promoting, dealing
in, or underwriting a client’s shares are not permitted. (COE s.610)

It is not possible to deal in detail with all of these issues in this chapter, so reference to the
COE is required to understand the independence issues associated with each of these potential
threats to independence.

Part 4B provides guidance in relation to independence for other assurance engagements,
with the starting point being application of the conceptual model (Exhibit 1.7). Examples of
such engagements are audits of specific elements, accounts or items of a financial statement,
or performance on a company’s key performance indicators. Because assurance engagements
other than the audit or reviews of financial statements have the same objective, that is,
to enhance the intended users’ degree of confidence about the outcome or evaluation or
measurement of a subject matter against criteria, the assurance provider must also be
independent. Accordingly, the ethical requirements are similar to those identified in Part 4A.

EXHIBIT 1.7 Conceptual approach to ethics for independence
[Flowchart; box labels: Independence (actual/perceived); Identify threats (familiarity,
self-review, self-interest, advocacy, intimidation); Evaluate identified threats; No threats;
Safeguards to reduce threat to an acceptable level (third-party test); Eliminate
circumstances; Independence; Withdraw or not accept engagement]

However, Part 4B recognises that these requirements can be modified where the assurance
provider’s report includes a restriction on use and distribution. The independence requirements
can be modified if:

• The firm communicates with the intended users of the report in relation to the modified
independence requirements, and

• The intended users understand the purpose, subject matter information, and
limitations of the report and explicitly agree to the application of the modifications.

The modifications can only be applied to the aspects of the requirements relating to:

• Financial interest

• Loans and guarantees

• Close business relationships

• Family and personal relationships

Chapter C of the COE covers additional requirements to be applied using the conceptual
approach. It covers:

• Changes in professional appointment

• Change of auditors of a listed issuer of the Stock Exchange of Hong Kong

• Unlawful acts or defaults by clients of members

• Unlawful acts or defaults by or on behalf of a member’s employer

• Ethics in tax practice

• Corporate financial advice

• Use of designations and institute’s logo

• Practice promotion

• Client’s monies

The extensive body of ethical pronouncements that regulate the behaviour and actions of
members in public practice, and promote independence, illustrates that the independent
audit of financial statements and other assurance engagements is a heavily
self-regulated activity of the accountancy profession.

It should be noted that professional judgement is a critical element in applying the
conceptual approach; however, the extensive requirements (‘R paragraphs’) and application
guidance (‘A paragraphs’) in the COE should facilitate high-quality decision making by
professional accountants.

In the context of a financial statement audit, in combination with the statutory regulatory
requirements under the Companies Ordinance, the statutory audit of financial statements is
therefore subject to significant regulation. This is important to maintain the integrity of the
audit function and to its important role in the accountability process between companies and
the users of the financial statements. Auditors must be independent and be perceived as
independent, and their work must be subject to appropriate quality control through standards
of performance; otherwise the audit function loses its credibility and the demand for audits
would decline.

A feature of the governance structure of many companies and other entities that has gained
prominence in recent years, and now plays a significant role in assisting auditors meet their
obligations, is the establishment of audit committees. An audit committee is a sub-committee of
the Board of Directors, often comprising a majority of independent directors. The broad function
of an audit committee is to oversee the financial reporting and auditing functions within the
company. The audit committee takes on the role of an intermediary between the Board and
the auditor. While an audit committee is part of the governance structure within a company,
its responsibilities are directed at protecting the interests of users and other vested interests,
independent of the Board and management.

The audit committee provides the auditor with an independent structure within a company
with which the auditor can communicate and discuss issues affecting the financial statements
and audit, for example:

• Significant or contentious accounting issues and policies, and decisions taken by
management in choosing accounting policies and making judgements and estimates.

• Significant accounting adjustments required by the auditor during the audit process.

• Disagreements with management.

• Deficiencies in the system of internal control or accounting process.

• Difficulties and problems encountered during the audit.

• Ethical issues arising in relation to the client/auditor relationship.

An audit committee is normally involved in making a recommendation as to the
appointment of the external auditor and the adequacy of the audit fee necessary to undertake
the audit in accordance with all requirements. The audit committee also reviews the broad
audit strategy and results.

It is important to note that the Board of Directors cannot delegate its responsibility for the
financial statements to the Committee, nor does the Committee’s existence reduce the
obligations of the auditor to meet all professional and legal responsibilities and obligations.
The existence of an effective audit committee does, however, strengthen the auditor’s
independence by providing a function within the company, independent of management and
the Board, through which audit issues can be dealt with on a timely basis. The auditor would
normally also meet with the full Board of Directors at appropriate times.

The significance of audit committees has been recognised by the HKEX. Under its Listing
Rules every issuer must establish an audit committee. The Committee is to comprise
non-executive directors only, with a minimum membership of three. One member must be a
non-executive director with appropriate professional qualifications or accounting or related
financial management expertise. The Committee must be chaired by an independent
non-executive Director.

In 2002, the HKICPA issued A Guide for Effective Audit Committees.

1.2.2.9 Specialised Areas of Practice Such as Liquidation and Insolvency


This section applies to insolvency practitioners undertaking or preparing to undertake
liquidation and insolvency appointments and sets out the standards of conduct of those
practitioners.

It requires the insolvency practitioner to comply with the same fundamental principles of
the COE applicable to other members; that is, integrity, objectivity, professional competence
and due care, confidentiality, and professional behaviour.

It notes that objectivity is the fundamental principle that creates most ethical dilemmas
and provides more specific guidance in this area. It notes that the preservation of objectivity
is to be demonstrated by the maintenance of independence from influences that could affect
objectivity and to recognise both actual and perceived objectivity.

The chapter adopts the same framework approach to ethical issues, that is, identify threats
to the fundamental principles (such as self-review, self-interest), evaluate those threats, and
apply safeguards to mitigate them to an acceptable level.

Specific and detailed guidance is provided in relation to:

• Accepting or not accepting appointments, covering such matters as conflicts of interest,
practice mergers, transparency, professional competence, and due care.

• Professional and personal relationships.

• Dealing with the assets of an entity.

• Obtaining specialist advice and services.

• Fees and other types of remuneration.

• Obtaining appointments.

• Gifts and hospitality.


• Record keeping.

The chapter includes a section that provides examples of specific circumstances that create
threats to compliance with the framework principles. For example, it indicates that a
practitioner should not take on an appointment (other than a voluntary liquidation) if the
practice or an individual practitioner within the practice has previously carried out audit-related
work within the last two years. It deals with a range of other specific circumstances.
(COE ch.E s.500)

1.2.2.10 Guidelines for Anti-money Laundering and Counter Terrorism Financing for Professional Accountants

These Guidelines provide requirements applicable to practitioners arising from the Anti-money
Laundering and Counter-Terrorist Financing (Financial Institutions) Ordinance 2018 (AML/CFT).

The following has been extracted from and is a summary of selected areas of paragraphs
620–670 of the Guidelines, but is not a substitute for reading the COE. It should be noted that
the material in the Guidelines is often prescriptive (i.e. required) in nature.
(COE ch.F s.600–670)

The Guidelines apply primarily to practices and members working in practice. They
recognise that under the professional ethics members must conduct themselves with
objectivity and professionalism and act in the public interest. Practices will be expected to

50

M13_c01.indd 50 1/26/2021 8:43:31 PM


E thical Standards , L egislation , and Professional Guidance

have in place customer due diligence procedures to minimise the risk of involvement in money
laundering and terrorist financing. While the Guidelines are not legal requirements, they would
be admissible in any court proceedings under the AML/CFT.

The Guidelines are intended to:

• Provide general guidance on AML/CFT requirements.

• Indicate good practice in relation to Financial Action Taskforce requirements.

• Summarise relevant legislative provisions.

• Ensure compliance by members with prescribed requirements to prevent money
laundering and terrorist financing.

The Guidelines include the following sections:

• AML/CFT Policies, Procedures, and Controls. This requires practices to have internal
policies, procedures, and other controls to address money laundering and terrorist
financing concerns and compliance with legal requirements. Adopting a risk-based
approach is suggested as being the most effective approach.

• Customer Due Diligence (CDD). Implementation of procedures to form a reasonable
belief that they know the true identity of the client, the types of business and
transactions that the client is likely to have, and the source and intended use of funds.

• Ongoing Monitoring Implementation. Implementation of controls that require periodic
review of documents, data, and information, paying attention to transactions for
consistency with knowledge of the client and business, identifying transactions that are
complex or unusual, and examining the background and purpose.

• Lodging Suspicious Transactions Reports (STRs) as required by legal requirements.

• Financial Sanctions and Terrorist Financing. Comply with legal obligations and the need
to make STRs, for example whether clients are listed by the UN in relation to imposed
restrictions.

• Record Keeping. Maintenance of relevant documentation, which is to be kept for
five years.

• Staff Hiring and Training Policies. To ensure staff understand AMLO requirements.

For practices providing the following services, the Guidelines in relation to policies,
procedures and controls, CDD and monitoring, and suspicious transactions reporting staff
requirements are mandatory:

• The preparation or carrying out for a client a transaction involving buying and selling
real estate, managing client money, securities or other assets, management of bank
savings or securities accounts, organisation of contributions for creation, operation,
or management of a company or legal persons, or arrangements buying and selling
business entities.

• Providing trust or company services and, by way of business, preparing for or carrying
out for a client a transaction involving forming corporations or other legal persons, and
acting as, or arranging for, another person to act as a director or secretary of a
company, a partner of a partnership, or a similar position in relation to other legal
persons. (COE ch.F s.600.2.1–2)

When a practice is providing other services, the Guidelines represent good practice except
for the requirements in relation to suspicious transactions reporting and sanctions that remain
mandatory for those practices.

AML/CFT Policies, Procedures, and Controls


With respect to AML/CFT policies, procedures and controls, the Guidelines recommend a
risk-based approach that takes into consideration circumstances such as:

• Types of clients involved and geographical location

• The services/products offered

• Method of delivery of the service/products

• Size of the practice

Such an approach would involve classifying the money laundering and terrorist financing
risks of the client and establishing reasonable measures based on the identified risks. Practices
can then apply appropriate controls and oversight to clients in relation to:

• The extent of CDD to be performed on the client, the extent of the measures to be
applied to identify any beneficial owner and any person purporting to act on the
client’s behalf.

• The level of ongoing monitoring to be applied to the relationship.

• Measures to mitigate any identified risks.

Client risk assessments need to be monitored and adjusted as information is obtained and
the extent and frequency of CDD reviewed in the context of the client’s circumstances.

Senior management is responsible for managing compliance with the AML/CFT and as part of
the arrangements must appoint a partner, director, or equivalent as a Compliance Officer (CO),
and also appoint a Money Laundering Reporting Officer (MLRO), who can be the same individual.

The CO’s role includes review and oversight of the Practice’s AML/CFT systems and controls.

The CO has a high-level role supporting and providing guidance to senior management. The
MLRO deals with identifying and reporting suspicious transactions, and the role includes:

• Review of internal disclosures and exception reports and determining whether the
circumstances warrant making an STR to the Joint Financial Intelligence Unit (JFIU).

• Maintaining records related to the internal reviews.

• Providing guidance on how to avoid ‘tipping off’ the client.

• Acting as the main point of contact with the JFIU and other relevant authorities.

An independent compliance function should also be established to review the
implementation of the AML/CFT controls, and practices should also ensure appropriate
procedures to be satisfied as to the integrity of new employees. (COE ch.F s.610)

Customer Due Diligence (CDD)


The focus of CDD measures is to reduce the risk of a client not being who they appear to be
and to find out who the client is. The CDD can be either ‘Enhanced CDD’ (EDD) for high-risk
individuals, including foreign politically exposed persons, or ‘Simplified CDD’ (SDD) for low-risk
individuals.

Practices must perform the following CDD measures:

• Identify the client and verify the client’s identity using evidence provided by a government
body or other reliable, independent source.

• Identify the beneficial owner, where there is one, and take reasonable steps to verify
their identity, ensuring an understanding of complex legal and ownership structures.

• Understand and obtain information on the purpose and intended nature of the
business relationship (if any) to be established with the practice, unless obvious.

• Identify and take reasonable measures to verify any person purporting to act on behalf
of the client, including their authority to act.

Three interrelated factors are identified in relation to CDD. They are client risk, country/
geographic risk, and service risk, including delivery channel risk.

The judgement as to whether there is a higher level of client risk will take into account:

• Indications that the client is attempting to obscure understanding of its business,
ownership, or the nature of its transactions.

• Indications of certain transactions, structures, geographical locations, international
activities, or other factors that are inconsistent with the practice’s understanding of the
client’s business or economic position.

• The client’s operations, such as operating in industries, sectors, or categories where
opportunities for money laundering or terrorist financing are common.

Higher geographical risk can include circumstances where clients are located in, or are
sending funds to, a country subject to sanctions or identified as lacking an appropriate
AML/CTF regime, or are identified as having a significant level of corruption or of supporting
terrorist activities. Appendix B to the Guidelines provides further examples of risk factors.

The CDD process must be completed before establishing any client relationship. For all new
clients, practices must be satisfied as to the intended purpose and reason for establishing the
relationship and document that information. Once the client identification has been verified it
does not need to be revisited although the process should ensure that information remains up
to date and relevant.

Where SDD is applied, the measures to be implemented will reflect the lower risk profile,
for example the beneficial ownership can be established after the client relationship is in
place. The SDD approach may be applied, for example, where reliable information about the
client is publicly available, the practice has previously dealt with the client and is familiar with
the AML/CFT controls, or the client is a listed company that is subject to regulatory disclosure
requirements.

EDD requires additional measures to mitigate the risk and must include:

• Senior management’s approval to commence or continue the relationship.

• Taking reasonable steps to establish the wealth source of the relevant clients or beneficial
owners, or other measures to mitigate the risk, such as obtaining additional information
about expected account activity, regular updating of the client profile, and performing
stronger monitoring of the relationship through increasing the number and timing of the
controls applied and selecting patterns of transactions that need further examination.

Practices should attempt to establish whether a beneficial owner is a Politically Exposed
Person (PEP), as the risk is higher with these individuals, being regarded as more prone to
corruption, especially foreign PEPs.

Identified PEP risk factors include:

• The PEP’s country of origin

• Unexplained sources of wealth or income

• Receipts of large sums from government bodies

• Commission earned on government contracts

• Requests for secrecy in relation to a transaction

• Use of government accounts as the source of transaction funds

A practice can rely on an intermediary, such as an accountant or lawyer, to perform CDD,
including an appropriate overseas intermediary, but the practice retains ultimate
responsibility for it. (COE ch.F s.620)

Ongoing Monitoring
The Guidelines note that effective monitoring is essential to understanding the client’s business
and is integral to effective controls. The extent of monitoring is a function of the client’s risk
profile established through the risk assessment, and practices are therefore required to
monitor the client business relationships by:

• Periodically reviewing documents, data, and information to ensure they are up to date
and relevant.

• Paying attention to transactions undertaken for the client to ensure that they are
consistent with knowledge of the client and the nature of the business, risk profile,
source of funds, and looking for unusual activity.

• Identifying and examining complex, large, or unusual transactions that have no
apparent legal or economic purpose, and recording the findings. (COE ch.F s.630)

Making Suspicious Transaction Reports


A Suspicious Transaction Report (STR) must be made to the JFIU as soon as practicable where
indications of money laundering exist. While confidentiality remains a fundamental ethical
principle, the obligation to make an STR overrides this, and in fact it is an imprisonable offence
for the MLRO to have knowledge or suspicion of money laundering and fail to make an STR.

From an employee perspective, the employee should have enough knowledge of the client’s
business to recognise suspicious transactions, and their obligation is to report to the MLRO.

Practices need to be careful to ensure that their line of enquiry with the client cannot
be construed as alerting the client, as this carries a penalty of a maximum of three months’
imprisonment and a fine of up to $500,000. Employees are protected if they did not know or
suspect that money laundering was occurring or that law enforcement was investigating.

Effective internal reporting requires that staff know the identity of the MLRO and should
normally make their reports directly to the MLRO, although they may consult with managers
or supervisors prior to doing so. Such reports must be documented and acknowledged by the
MLRO with a reminder to avoid tipping off the client.

The MLRO evaluates the report to establish whether there are grounds for suspicion and
whether a report to the JFIU is required. The MLRO needs to document the basis for any
decision. (COE ch.F s.640)

Financial Sanctions and Terrorist Financing


Practices must also be alert to the existence of targeted financial sanctions, such as those made
by the United Nations and implemented in Hong Kong.

A maximum of seven years’ imprisonment and a fine of an unlimited amount applies for
an offence of making funds or financial assets available to individuals or entities subject to
sanctions. The HKICPA may inform members of the targets of such sanctions through the
Government Gazette, against which practices can undertake name checks of their clients and
beneficial owners.

Regarding terrorist financing, the Secretary of Security of the Hong Kong Special
Administrative Region can freeze suspected terrorist property. Practices should not make
property or financial services available to such persons/entities. (COE ch.F s.650)

Record Keeping
Normal practice documentation systems may be sufficient to meet Guideline requirements to
maintain and retain records of their relationships and transactions. Records must be sufficient
to ensure that:

• Any client/beneficial owner can be identified.

• The audit trail for specific transactions is clear and complete.

• The original or suitable copies of all relevant records are available on a timely basis.

• Practices are able to provide evidence of compliance with any relevant requirements of the Guidelines.

They must be retained for at least five years after the end of a business relationship or
transaction. (COE ch.F s.660)

Staff Hiring and Training


Employee hiring and training must be included in a practice’s AML/CFT policies, procedures, and
controls. Practices must undertake appropriate staff training as an important component of
preventing and detecting AML/CFT activities. MLROs may require more specific training to
effectively meet their responsibilities. Records must be kept of staff training, and practices
should monitor its effectiveness. (COE ch.F s.670)

Knowledge Check Questions

Question 7
The assurance framework identifies a number of elements necessary for an engagement
to be classified as an assurance engagement. Identify which of the following is not an
element of the assurance framework that is identified in the reporting and audit provisions
of the Companies Ordinance.
A The legislation identifies the responsible party.
B The legislation identifies the intended users.
C The legislation defines the level of assurance to be required to be provided by the auditor.
D The legislation identifies the reporting criteria.

Question 8
An auditor appointed under the Companies Ordinance has to report on a range of matters.
Identify which of the following is not a reporting obligation of an auditor.
A Whether the emoluments paid to company directors and disclosed in the notes to the
financial statements are adequate for the services provided.
B The company has kept adequate accounting records and the financial statements agree
with those records.
C The financial statements have been properly prepared in accordance with the Companies
Ordinance.
D Circumstances where the Director’s Report is inconsistent with the financial statements.

Question 9
Identify which of the following is responsible for sending the financial statements and
reports to shareholders under the Companies Ordinance.
A The audit committee
B The company’s directors
C The external auditor
D The company’s chief financial officer

Question 10
External auditing is a function performed by the accountancy profession. Identify which
of the following is not a role that auditing standards play in supporting the value of the
profession to third parties.
A Standards provide a public benchmark for the performance of audits that provides users
with a level of confidence about audit quality.
B Standards inform members of the profession as to the expected quality of performance.
C Standards provide the directors with a framework for management to approve the
audit plan.
D Standards provide a basis for disciplinary action against auditors.

Question 11
Identify which of the following is inconsistent with the audit principles of an
external auditor.
A The auditor must exercise a significant level of professional judgement.
B The auditor’s firm must have a system of quality control to provide reasonable assurance
that professional standards are complied with.
C If using the work of an internal auditor in the audit process the auditor should evaluate
that work.
D The auditor can assist their client’s management design and implement the hardware
and software for a new accounting information technology system and related controls.

Question 12
Identify which of the following is not normally the responsibility of an audit committee of a
company regulated by the Companies Ordinance.
A Considering problems encountered by the independent financial statement auditor
during the audit.
B Assessing whether the provision of other services by the external auditor could affect the
auditor’s independence.
C Approving and signing the entity’s financial statements on behalf of the directors.
D Making a recommendation as to the appointment of the external auditor.

Question 13
Identify which of the following explains why it is important that the auditor be independent
of the entity being audited.
A It is a suggestion in the profession’s COE.
B It supports the auditor in providing unbiased assistance to management in preparing the
financial statements.
C To ensure the audit opinion is not, or is not seen to be, influenced by any relationship
between the auditor and the entity, allowing the auditor to be unbiased and give an
honest opinion on the entity’s financial statements.
D To enable the auditor to act as a third party advocate for the entity in a litigation action
against the entity that may be material to the financial statements.

Question 14
By referring to the COE, review each of the following situations and identify which of the
fundamental principles of the COE are threatened and the nature of the potential threat to
be assessed.
(a) A senior audit manager in your firm has requested that the remuneration policy
of that manager takes into account the amount of fees from non-audit services
obtained from the manager’s audit clients.

(b) One of your audit partners has advised of a potential new client that if accepted
would constitute a significant proportion of that partner’s audit fees.

(c) The consulting division of your firm has indicated that it may become involved in
litigation with an audit client.

(d) An audit partner receives a personal loan from an audit client, which is a financial
institution.

(e) One of your partners has shares in a company that has no association with your
firm but is about to enter into a joint venture with a company that is an audit client.

(f) The managing director of one of your audit clients is a long-time tennis partner of
the engagement partner.

(g) The husband of the engagement partner of an audit client has inherited shares in
the audit client.

(h) One of your audit clients is having difficulty completing its financial statements so
your firm agrees to provide staff to the audit client on a temporary basis to assist.

(i) Your firm has recently lost some audit clients to other audit firms and is looking to
regain its market share. Accordingly, fee quotes are very low relative to the size of
the prospective clients in order to obtain clients.

(j) Your firm has recently prepared for an audit client a periodic valuation of a
significant asset under the terms of the audit client’s loan agreement with a financial
institution that requires confirmation with the terms of the agreement, and which
the management of the audit client will include in the financial statements.

(k) Your audit client is involved in a transaction with a major supplier and has
requested that your firm provide legal support to complete the transaction.

(l) One of your audit partners has been the auditor of a client for many years and is
reluctant to change as he regards his friendly relationship with management as
facilitating a timely audit outcome.

(m) Your firm is providing accounting and bookkeeping services to an audit client
that involve the preparation of payroll using data from the client and processing
accounting entries approved by the client.

(n) Your firm is providing your audit client assistance in preparing the company’s tax
return for which management takes responsibility for the outcome.

1.3 INTERNATIONAL STANDARDS AND GUIDELINES FOR AUDITING AND ASSURANCE

The demand for audit and assurance standards at the international level reflects the
globalisation of business and other activities. The fact that organisations operate in several
jurisdictions means that there is a need for the services provided by assurance service
providers to be harmonised to achieve a uniform level of quality. The International Federation
of Accountants (IFAC) was established in 1977 to facilitate this. It represents over 175 members
and associates, of which the HKICPA is one, in over 130 countries.

The IFAC website (www.ifac.org) states:

‘IFAC is the global organisation for the accountancy profession dedicated to serving the
public interest by strengthening the profession and contributing to the development of
strong international economies’.

The website states its vision as:

‘. . . the global accountancy profession be recognised as essential to strong and
sustainable organisations, financial markets, and economies’.

To achieve its mission, it:

• Supports the development of high-quality international standards;

• Promotes adoption and implementation of those standards;

• Builds the capacity of professional accountancy organisations; and

• Speaks out on public interest issues.

To achieve these goals in auditing and assurance services, IFAC established the IAASB, one
of its operational Boards. The IFAC website states:

‘The IAASB is an independent standard-setting body that serves the public interest by
setting high quality international standards for auditing, assurance and other related
areas, and by facilitating their adoption and implementation. In doing so, the IAASB
enhances the quality of practice throughout the world and strengthens public confidence
in the global auditing and assurance profession’.

To this end, the IAASB has issued an extensive set of auditing, assurance, and other
related standards. As indicated in the previous section, they are the basis on which the HKICPA
standards are developed and issued, a policy adopted in many of the IFAC member countries.

The structure of the standards issued by the IAASB, and therefore the HKICPA Standards,
has been modified over the years. It is important to understand this structure in understanding
the obligation to comply with them.

To achieve greater consistency in the application of the auditing standards globally, the
IAASB undertook a project to restructure the auditing standards into a ‘clarity’ format. While
some of the other standards have a different structure, the auditing standards, and therefore
the HKICPA auditing Standards, have the following structure:

• Introduction. Sets out scope of standards and the effective date.

• Objectives. Sets out the objectives to be achieved by the auditor.

• Definitions.

• Requirements. These are the mandatory requirements with which the auditor must
comply. If, in exceptional circumstances, the auditor judges it necessary to depart from
a relevant requirement, alternative procedures are to be performed to achieve the
requirement. If an objective cannot be achieved the auditor evaluates whether the overall
audit objective can be achieved. If not, the auditor’s opinion will need to be modified or, if
possible, under law or regulation, the auditor might withdraw from the engagement.

• HKICPA standards have a section on Conformity and Compliance with International
Standards on Auditing. This identifies any additions or departures from the
International Standard.

• Application and other explanatory material. This provides authoritative guidance and
explanation on the application of the requirements. This material aims to assist
auditors’ understanding of the requirements and provides illustrative audit procedures
and practical examples to improve consistent implementation of the requirements.

Through this process and the issue of these standards, the IAASB has sought to achieve
global best practice.

The process of harmonisation has also been applied in relation to ethical pronouncements
where IFAC ethical statements are adopted, amended as necessary by the HKICPA.

Through the extensive implementation of a harmonisation policy by national professional
accountancy organisations, users of audit and assurance services have greater confidence in
the services provided by auditors and assurance service providers.

This internationalisation of assurance and auditing standards has been significant for
auditors who audit companies with subsidiaries or components, such as a branch or division,
that operate in different countries. When multinational companies are required to prepare
consolidated financial statements, the financial information from the subsidiary companies
is generally provided by those subsidiaries and audited in the country in which they operate.
The auditor of those consolidated financial statements needs to be satisfied that the audit of
the subsidiary undertaken in another country is of an appropriate quality, and provides the
required level of assurance to the financial information provided by the overseas entity in order
that it can be used to prepare the consolidated financial statements.

HKSA 600 Special Considerations – Audits of Group Financial Statements (Including the Work of
Component Auditors) (June 2017) paragraph 11 states:

‘The group engagement partner is responsible for the direction, supervision and
performance of the group audit engagement in compliance with professional standards
and applicable legal and regulatory requirements, and whether the auditor’s report that
is issued is appropriate to the circumstances’.

This requires that the group auditor evaluates the work of the component auditor and is
satisfied that the component auditor is competent and the work of that auditor complies
with relevant ethical and auditing standards. Where the component auditor operates in
a jurisdiction that adopts international auditing and ethical standards and is subject to
appropriate professional and regulatory oversight, the group auditor can, through appropriate
communication, enquiry, use of questionnaires and checklists, determine whether sufficient
appropriate audit evidence has been obtained from the component entity and auditor for the
purpose of preparing the group financial statements.

This process of internationalisation has also facilitated the operation of global accounting
firm networks. International firms with practices or affiliates in various countries have
developed international audit methodologies that comply with the international
auditing and ethical standards. This gives greater certainty of a uniform level
of audit quality for multinational audit clients and facilitates the communication of the outcome
of audits in different geographical areas.

Similarly, securities regulators have also recognised the benefits of international standards.
The International Organisation of Securities Commissions (IOSCO), of which the SFC is a
member, encourages securities regulators to accept audits performed and reported in
accordance with international auditing standards for cross-border offerings and listings.

Knowledge Check Question

Question 15
Explain the convergence policy of the HKICPA as it applies to auditing standards. Describe
the objective of the convergence/harmonisation policy.

1.4 TYPES OF AUDITS

1.4.1 External Audits


1.4.1.1 Financial Statement Audits
The HKSA 200 objective of financial statement audits has been identified in Section 1.1.2.

However, neither that Standard nor the Glossary includes a stand-alone definition of
auditing. This section outlines the broad foundations of auditing as a discipline as a basis for
further understanding auditing generally and the audit concepts and standards covered in
later Modules.

As a generic concept, an early and accepted definition of auditing can be found in
A Statement of Basic Accounting Concepts issued by the American Accounting Association (AAA) in
1972. It defined auditing as:

‘A systematic process of objectively obtaining and evaluating evidence regarding
assertions about economic actions and events to ascertain the degree of correspondence
between those assertions and established criteria and communicating the results to
interested users’.

It is evident from the above material that this definition underpins what has become one
of the most common forms of audit engagement undertaken by professional accountants in
public practice in many jurisdictions, i.e. the independent audit of financial statements. The
HKSAs are a body of professional requirements in effect to operationalise this definition.

It is therefore useful to understand the elements in this early definition as they are
concepts that underpin the study of contemporary standards on financial statement auditing.

• Systematic process. The audit process is dealt with in detail in the large number and
volume of requirements and guidance contained in the HKSAs. These documents detail
a structure under which such engagements are to be conducted. An audit involves
developing an overall audit strategy by identifying the risks of possible misstatements
in the financial statements and then applying that strategy to develop an audit plan and
audit programme setting out the detailed audit procedures to be applied.

• Objectivity. An essential element of the financial statement audit concept is that the
auditor be independent of the entity and financial statements being audited. To this
end the professional standards include a requirement that the auditor comply with
professional ethical requirements relating to independence. As indicated, the COE has
specific requirements in relation to independence for audit and review engagements
(Part 4A). There is also a requirement that auditors exercise professional scepticism
when planning and performing the audit, recognising that the financial statements
may be misstated. The professional requirements in relation to objectivity are aimed at
promoting freedom from bias, conflicts of interest, or undue influence by others.

• Evidence. Many of the standards dealing with the audit process are directed at
requirements and processes to gather sufficient (quantity) appropriate (quality)
audit evidence to support the conclusions on which the opinion of the financial
statements is based.

• Assertions about economic events and actions. The evidence requirements are focussed
on the appropriateness of the assertions in the financial statements. HKSA 200 is
consistent with this element in its definitions in paragraphs 13(f) and (g). It defines
financial statements in terms of a structured representation of historical financial
information to communicate in relation to an entity’s economic resources or
obligations. Historical information is that derived from the accounting system about
past economic events and economic conditions.

• Established criteria. HKSA 200 recognises that financial statements are to be prepared
in accordance with the applicable financial reporting framework appropriate to the
circumstances and objective of the financial statements, e.g. accounting standards
or prescribed by law or regulation. This is the benchmark against which the financial
statements are assessed by the auditor.

• Communication. The auditing standards require that the auditor issue a written report
containing the opinion as to whether the financial statements have been prepared in
accordance with the applicable financial reporting framework. That communication
includes various permutations depending on the conclusions drawn by the auditor
as a result of evaluating the evidence obtained from the audit process.

The current concept of an independent financial statement audit is derived from this early
AAA definition of audit. As indicated above, it is a common audit function required by corporate
statutory regulation and subject to extensive self-regulation through international and national
auditing standards. It is a significant element of the accountability relationship between those
who manage financial resources on behalf of others and the providers of those resources who
need reliable information for financial decision making.

The HKSA series of Standards deal with the audit of financial statements. Consistent with the
above background, HKSA 200 applies these concepts and identifies the main principles for
these types of audits. It reinforces the view that the financial statements subject to audit are
those of the entity, prepared by management on behalf of those charged with governance.
HKSAs do not impose requirements on those charged with governance and note that an audit
does not relieve them from their responsibilities. HKSAs require the auditor to obtain
reasonable assurance that the financial statements, as a whole, are free from material
misstatement whether due to fraud or error. (HKSA 200.4,5)

HKSA 200 requires that the auditor apply materiality in planning and performing the audit
and assessing the impact of misstatements on the audit and financial statements. It recognises
that misstatements are material if, individually or in aggregate, in the auditor’s judgement, they
could reasonably be expected to influence the economic decisions of users of the financial
statements. That judgement is made in the light of the circumstances and the auditor’s
perception of the financial information needs of users of the financial statements, and both the
size and nature of any misstatement. It notes that the auditor’s opinion is on the financial
statements as a whole and that the auditor is not responsible for detecting misstatements that
are not material to the financial statements as a whole (HKSA 200.6,7 and HKSA 200.14–17).
The Standard establishes the basic principles of financial statement audits as:

• Ethical requirements. Requires compliance with the HKICPA ethical standards.

• Professional scepticism. The audit is to be planned and performed with an attitude
of professional scepticism, recognising that circumstances may exist that cause the
financial statements to be materially misstated.

• Professional judgement. Professional judgement is to be applied in the planning and
performance of an audit.

• Sufficient appropriate audit evidence and audit risk. To obtain reasonable assurance,
sufficient appropriate audit evidence is to be obtained to reduce audit risk to an
acceptably low level to enable the auditor to draw reasonable conclusions on which to
base an opinion.

• Conduct an audit in accordance with HKSAs. All HKSAs relevant to the circumstances of
the audit are to be complied with. This requires the auditor to understand the entire
content of the standards, including the application and other explanatory material.
The auditor cannot represent compliance with HKSAs in the auditor’s report unless all
HKSAs relevant to the audit have been complied with. The auditor is also required to
assess whether, to achieve the objectives stated in any HKSA, additional procedures
to those required by the HKSAs are necessary to obtain sufficient appropriate audit
evidence. An HKSA or a requirement in an HKSA need not be complied with if in the
circumstances of the engagement the standard is not relevant or the condition in a
standard is not applicable. In exceptional circumstances, if the auditor determines
that a specific procedure in a standard would not be effective, the auditor can depart
from the standard and perform an additional procedure. If an auditor cannot achieve
an objective in a relevant HKSA, the auditor needs to consider whether the overall
objective of the audit can be achieved and whether the auditor needs to modify the
opinion or, if possible, withdraw from the engagement.

While an audit involves the exercise of a high degree of professional judgement, as a body
of standards, the HKSAs are comprehensive in establishing the objectives and requirements for
planning, performing, and reporting for a financial statement audit (Exhibit 1.8). The HKSAs cover:

• The audit objectives, requirements in relation to documentation, detection of fraud and
error, consideration of laws and regulations, and communication with those charged
with corporate governance.

• The audit planning process involving understanding the entity and identifying the risks
of material misstatement, the role of materiality, addressing the assessed risks in the
performance of the audit, and evaluating risks identified during the audit.

• Audit evidence in relation to specific items such as inventory, segment information,
litigation and claims, use of external confirmation, analytical procedures, sampling and
evidence, and issues arising in relation to related parties, going concerns, and reviewing
events subsequent to the balance date that impact the financial statements.

• Using the work of internal auditors or experts and the work of subsidiary auditors in a
group situation.

• Audit conclusions and reporting, including where the auditor is required to issue
a modified opinion and the auditor’s responsibility for other information that
accompanies the audited financial statements.

The standards also deal with audits of financial statements prepared in accordance with
a reporting framework other than Hong Kong Financial Reporting Standards, such as financial
statements prepared in accordance with a special purpose financial reporting framework.
There are also standards on audits of specific elements or individual accounts of a financial
statement and summary financial statements.

[Exhibit 1.8 diagram: the financial statement audit at the centre, linked to its basic elements: Objectivity (independence, ethics, professional scepticism); Established criteria (applicable financial reporting framework); Systematic process (apply HKSAs/professional judgement); Evidence (sufficient appropriate audit evidence; apply HKSAs/professional judgement); Assertions (financial statements); Communication (audit report; HKSAs/professional judgement).]

EXHIBIT 1.8 Relationship between the basic elements of a financial statement audit and HKSAs

As indicated earlier, the audit of financial statements is one of the most common forms of
assurance engagement undertaken by members of the HKICPA. It is subject to a high level of
professional and statutory regulation. The HKSAs and COE are a significant body of knowledge
in understanding this type of audit and the requirements for undertaking such an engagement.

1.4.2 Internal Audits


1.4.2.1 Objective of the Internal Audit
The nature of the internal audit function within an entity has been evolving over time. The
narrow and traditional view that its role was to review and assess the effectiveness of an
entity’s internal control has been superseded by a more contemporary and broader view.

The interaction between internal and external auditors has been dealt with in
Section 1.1.1.1 and HKSA 610. This section explains further the role that an internal audit can
play within an entity.

Like the accountancy profession, the internal audit profession has established
an international body, the Institute of Internal Auditors Inc (IIA), to establish ethics and
standards applicable to its members. The IIA Inc Mission (www.theiia.org) states:

‘To enhance and protect organisational status by providing risk-based and objective
assurance advice and insight’.

The Institute of Internal Auditors of Hong Kong, established in 1979, is affiliated with that
international organisation.

The IIA defines internal auditing as:

‘. . . an independent, objective assurance and consulting activity designed to add value
and improve an organisation’s operations. It helps an organisation accomplish its
objectives by bringing a systematic, disciplined approach to evaluate and improve the
effectiveness of risk management, control, and governance processes’.

Within that definition, the role and responsibilities of an internal audit function within
an individual entity are governed by its Charter. An internal audit Charter is developed by the
management of an entity to govern the role of internal audit. The IIA Glossary defines the
charter as:

‘. . . a formal document that defines the Internal Audit activities, purpose, authority and
responsibility. The Internal Audit Charter establishes the internal audit activities within
the organisation, authorises access to records, personnel and physical properties relevant
to the performance of engagements and defines the scope of internal audit activities’.

To understand the role and objectives of an internal audit, the elements of the IIA definition
need to be considered further.

Independence and objectivity, while related, are different concepts.

Independence is the same concept as for an external auditor, i.e. that the internal auditor
should be, and be seen to be, unbiased. However, as internal auditors are engaged by an entity
as employees or sub-contractors and are an integral part of the entity, their independence
derives from their organisational independence. This is essentially derived from their mandate
and Charter. The Charter should give internal auditors appropriate status and authority within
the entity, for example reporting to senior management or the audit committee, adequate
resources and budgets, autonomy and authority to access records, personnel, and explanations
as internal audit deems necessary. The internal auditor should not be associated with any of
the activities that it audits.

In many entities, where as part of the governance process an audit committee has been
established, that committee can have as part of its mandate oversight of the internal audit
function. The independence of the internal auditor can be enhanced in those situations.

Objectivity is a personal attribute that requires an unbiased attitude: approaching an
investigation without a preconceived position and without being subordinate to the
judgements of others.

Both independence and objectivity require that the internal auditor have appropriate skills
and knowledge of the subject matter of the audit.

Assurance and consulting. Assurance is a concept similar to that applicable for the public
accounting profession. The objective is to improve the credibility of the outcomes of activities
within an entity and information relating to those activities. It is defined in the IIA Glossary as:

‘An objective examination of evidence for the purpose of providing an independent
assessment on governance, risk management and control processes for the
organisation. . .’.

‘. . . for example, compliance with company policies, contractual conditions, laws and
regulations’.

Consulting is essentially an advisory function to identify problems and provide
possible solutions to management, but without any responsibility for implementing any
recommendations, an obligation that remains with management. It includes providing counsel,
advice, facilitation, and training.

Add Value. This is the feature of internal audit that directly links it to the interests of
management and other stakeholders in an entity. Depending on the nature and scope of
the internal audit function it adds value when it provides objective and relevant assurance
and facilitates the effectiveness and efficiency of governance, risk management, and
control systems.

Systematic and disciplined approach. This again is a similar attribute to that required for
external financial statement audits and other assurance engagements undertaken in the
public accountancy profession. To achieve its goals, internal audit needs to approach each
investigation with a structured approach with a clear plan and programme to obtain sufficient
appropriate audit evidence on which to base its findings, conclusions, and recommendations.
The IIA has developed standards for internal auditors to facilitate this outcome.

Control, risk management, and governance processes. The expanded role of an internal audit
into improving these processes is recognition of the fact that the role of management in these
areas has increased in significance in recent times.

Not all entities will have an internal audit function, and the nature and extent of the internal
audit function will vary between entities depending on size, type of business and industry, etc.
It is recognised, however, that an internal audit has a broad objective of adding value within an
entity by contributing to the risk management, governance, and control processes.

Arising from this broader role, several different types of audit have evolved:

• Compliance audits

• Performance audits

• Comprehensive audits

• Corporate Social Responsibility audits

These types of audits are not restricted to an internal audit. They can be, and are, undertaken
by external auditors in the public accountancy profession and in the public sector where a public
accountability obligation arises.

1.4.2.2 Compliance Audits


The activities of an entity comprise relationships with various parties both within and
external to the entity. These impose obligations and responsibilities on entity employees and
management to comply with company policies, achieve operational targets, and for the entity
to comply with contractual arrangements and laws and regulations.

The added value provided by compliance audits undertaken by internal auditors is that
they provide assurance that those within the entity and the entity are complying with the
relevant operational policies, laws, and regulations.

Such engagements undertaken by external auditors or public-sector auditors generally
arise, for example, where an entity has an obligation to comply with laws and regulations and
is required to provide an independent auditor’s report on compliance to an external party. An
external auditor could be engaged by an entity to report to a client’s lending institution that it
has complied with the terms and conditions of a loan agreement.


1.4.2.3 Performance Audits


Performance audits are often referred to under different titles, for example ‘value for money
audits’, ‘operational audits’, or ‘efficiency auditing’.

These engagements are common in the public sector and can also be undertaken in the
private sector by both external and internal auditors. However, under the broad internal audit
mandate discussed above, they have become an integral component of the internal audit
function. They are concerned with the economy, efficiency, and effectiveness with which an entity
achieves its goals and objectives.

These audits have developed from the governance principle that management of an
entity should give due consideration to improving the achievement of the entity’s objectives
efficiently, effectively, and economically, and, in an external reporting context, being
accountable for that performance. Performance audits are therefore consistent with the
accountability and governance concepts that underpin the concepts of audit and assurance.

The degree of symmetry between the broad internal audit function and this type of audit in
the public sector can be found in the example of this type of mandate in the Mission statement
of the Hong Kong Audit Commission (www.aud.gov.hk). That Mission is, through the provision
of independent audit services, to enhance public sector performance and accountability. In
addition to regulatory audits of government financial reporting, the Commission undertakes
‘value for money’ audits to provide government with independent advice and assurance about
the economy, efficiency, and effectiveness with which government entities have discharged
their functions.

Like all audit and assurance engagements undertaken by external and internal auditors,
they require a subject matter, and suitable criteria against which to evaluate that subject
matter. In these engagements they extend beyond financial statements and accounting
standards to potentially encompass all areas of the entity’s activities and operations.

It is therefore important to clearly establish the objectives of the audit and what
information is expected to be provided by the auditor.

The criteria that will provide the basis for the conclusion can often be more subjective
than for financial statement audits or be drawn from non-traditional sources. For example,
they could be developed by benchmarking against industry standards or trends, management
objectives and performance indicators, and codes of practice, or may need to be specifically
developed and agreed by the auditor with management. The reporting phase is generally
extended beyond just the expression of a conclusion to identifying potential improvements and
developing recommendations for implementation.

It is important to understand the difference between the three areas of audit within these
engagements:

• Economy focusses on resource acquisition and whether the appropriate quality and
quantity of resources have been obtained at the lowest cost (for example, whether
an entity has implemented appropriate policies and procedures for the acquisition of
resources).

• Efficiency addresses issues of resource usage and whether maximum output has been
achieved for a given input without decreasing effectiveness (for example, whether
employment practices avoid overstaffing or duplication of effort).


• Effectiveness relates to outcomes and whether the entity’s resources and operations
have achieved the relevant objectives (for example, whether a product or service meets
customer needs).

Like all audit and assurance engagements, performance audits require a structured and
systematic approach involving a strategy, planning, audit programme and procedures, evidence
gathering, evaluation and analysis of the evidence, and reporting. However, the varied nature
of the subject matter may require the use of a wider variety of different evidence gathering
techniques (for example, the use of surveys, structured interviews, and market research).
Consistent with other types of audits, the planning and conduct of these engagements involve a
high level of professional judgement.

The extent to which an internal audit function addresses these issues will depend on the
Charter establishing that function within an entity. For external auditors, any such engagements
would be normally undertaken as a specific contractual engagement.

For examples of publicly available performance audit reports, refer to the Hong Kong Audit
Commission referenced above and search ‘performance audits’. These reports are illustrative of
the nature of these engagements and the reporting outcome.

1.4.2.4 Comprehensive Audits


These audits derive from a mandate that comprises a combination of the different audit types
covered to date, i.e. financial statement, compliance, and performance. They are common in
the public sector and can be established under a broad internal audit Charter.

1.4.2.5 Corporate Social Responsibility Audits


These types of audits are relatively new and can be complex. They arise because of the
internationalisation of business and increasing public scrutiny of the impact that business can
have on, for example, the environment and human rights, obligations for product safety and
employee health and safety, ethical business practices, and community involvement.

These issues are important to a business, as poor social responsibility can impact the
sustainability and profitability of an entity through, for example, adverse publicity and
reputational damage, lawsuits and government intervention, and regulation and workplace
disruption.

Social issues are therefore areas that require risk assessment and strategic management.

These audits have elements of both compliance and performance auditing. Corporate
social responsibility auditing addresses an entity’s environmental, social, or governance
risks to assess the policies and processes to identify and manage those risks. That role is
consistent with the broad role that an internal audit can play within an entity. A corporate social
responsibility mandate could be integrated into an internal audit Charter to address policies,
projects, control and review processes, performance measures and risk management in
sensitive areas for a particular entity, and to the extent to which an entity impacts society and
stakeholders in the entity.

The nature of some of the subject matter of these audits means that suitable criteria
may be difficult to identify, but as codes, standards, and management policies and practices
develop, these audits have the potential to be a significant value adding component of the
internal audit function.


An interesting example of this type of reporting and audit engagement can be found in
the Corporate Social Responsibility Report issued by the HKEX (www.hkexgroup – refer to
the Corporate Social Responsibility Report, Section 2017 Report). Included in this Report is a
‘Verification Report’ issued by the Hong Kong Quality Assurance Agency. The Verification Report
indicates that the engagement has been undertaken in accordance with the IFAC International
Standard on Assurance Engagements ISAE 3000 Assurance Engagements Other than Audits or
Reviews of Historical Financial Information. It is stated that it provides ‘reasonable assurance’.

In summary, the range of assurance engagements and subject matter that can be provided
by internal and external auditors continues to evolve.

Apply and Analyse 5


Consider the situation where certain younger members of the Board of Directors of
Keeson Inc have strong views about the company playing a positive role in the community.
They have asked the Audit Committee to consider recommending metrics to assess the
company’s financial performance and the impact of new technology being developed by
the company on certain disadvantaged groups. They have asked the Audit Committee to
enquire whether the external auditor can help develop financial and non-financial metrics.
Describe what advice could be given to the Audit Committee about:

(a) the possible provision of metrics for:


i. Financial performance

ii. Socially oriented performance

(b) and who could undertake a performance audit in either of these areas.

Analysis

The key to these areas is whether they overlap with, or complement, financial reporting
and the purpose of the audit. The financial performance metrics are highly likely to relate
to the financial statements and constitute other information that the external auditor
needs to read to ensure it contains nothing that is inconsistent with what is in the financial
statements. They may impact management decision making and remuneration. Thus, it is
unlikely that the external firm will be able to assist with the design of financial performance
metrics due to their interrelationship with the financial statements subject to audit.
However, again, those metrics developed independently of the external auditor could be
the subject of other forms of assurance and non-assurance engagements.

A performance audit could be carried out in relation to both sets of metrics. It would
be an audit of the implied assertions that the metrics are properly measuring the two
types of performance.


Knowledge Check Questions

Question 16
HKSAs contain mandatory requirements that the auditor must comply with when
conducting an audit. Identify which of the following describes a situation where a
mandatory requirement need not be followed.
A The application and other explanatory material in the HKSA overrides the requirement.
B In exceptional circumstances specific to a particular audit.
C The international auditing standard provides an alternative requirement.
D The auditor applies professional judgement to apply an alternative procedure preferred
by the auditor on all engagements for a particular issue.

Question 17
Identify which of the following is not an attribute you would expect is needed for an
external financial statement audit.
A Understanding the HKICPA ethical standards.
B Applying an attitude of professional scepticism.
C An audit plan agreed with management.
D Understanding the audit objectives in the HKSAs.

Question 18
Identify which of the following is unlikely to be included in an internal audit charter of a
large business entity.
A Reviewing the entity’s social responsibility risk management.
B Assurance engagements to report to external third parties.
C Reviewing accounting controls to report to management.
D Testing compliance with the entity’s statutory requirements to report to management.

Question 19
Internal audit is defined as an independent, objective assurance and consulting function
within an entity to assist management. Identify which of the following is not an attribute of
an internal audit function that is necessary to support independence and objectivity.
A The director of internal audit has direct access to senior management and the Board.
B Regular training and performance assessments.
C Internal auditors not having operating responsibilities in addition to their internal
audit role.
D An appropriate mandate and organisational status with audit committee oversight.

Question 20
For each of the following, categorise whether the features are common to or different
from a financial statement audit and a performance audit and explain why this is the
case for each.
(a) Subject matter and information that can be broad and varied.

(b) Professional judgement is required during the audit process.

(c) A benchmark of appropriate criteria is required for the auditor to form a conclusion.

(d) Qualitative evidence requires a broadening of the range of audit techniques.

(e) There is a defined subject matter, which is derived from an accountability
relationship.

(f) The sources of suitable evidence vary and are often developed for the specific audit.

(g) The conclusions and basis of reporting are the result of a systematic process to
obtain sufficient appropriate audit evidence.

Question 21
A performance audit requires suitable criteria to measure and evaluate the subject matter.
Identify which of the following would be least likely to be the source of appropriate criteria.
A Best practice established by the profession’s or industry organisations.
B The auditor’s personal experience.
C Best practice among other entities involved with the same activities and subject matter
as the auditee entity.
D Formal entity objectives developed by management with expert consultants.


SUMMARY

This chapter addressed the nature of assurance and the assurance and audit services provided
by independent external assurance providers, with an emphasis on external audits of financial
statements. It also examined the nature and role of the internal audit.
The chapter has dealt with the following:
• The nature and elements of assurance engagements and the application of those to
understanding a financial audit.
• The difference between attest and direct audits has been explained as well as the different
levels of assurance that can be provided, being reasonable (audit) or limited (review) assurance.
• The responsibility of management and those charged with governance to prepare
financial statements was differentiated from the role of the external auditor to
provide an opinion on whether the financial statements have been properly prepared in
accordance with the appropriate reporting framework.
• The demand for assurance and audit services being sought and provided recognises the
need to reduce information risk in decision making by users of financial and non-financial
information where an accountability relationship exists or governance structure requires
information on performance to be reported.
• The role of regulation, both professional self-regulation and statutory, exists in a co-regulatory
environment in Hong Kong. The professional requirements under the auditing standards
issued by the HKICPA and the statutory requirements under the Companies Ordinance play
a significant role in regulating the independent financial statement audit environment. The
HKSAs are a product of the internationalisation of auditing standards aimed at achieving a
high quality and uniform approach to auditing.
• The nature and extent of the professional ethical requirements as they apply to professional
accountants and firms, and independence in relation to audit and assurance engagements.
Explanation of the conceptual approach applied in evaluating compliance with the
fundamental ethical principles that are significant in maintaining the profession’s status and
role as assurance providers.
• The steps of a financial statement audit were broken down to provide greater insight into the
process of financial statement audit.
• Internal audit was described and the differences between the internal audit and external audit
processes were outlined.
• The different types of audits that practitioners may conduct for clients were discussed. These
include compliance audits, performance audits, comprehensive audits, and corporate social
responsibility audits. Each of these audits has a different purpose.
The application of auditing standards in financial statement audits needs to reflect the
circumstances under which those engagements are undertaken. The advent of the COVID-19
pandemic is an example of circumstances that require consideration. Guidance on this can be
found in the HKICPA Alert, Issue 22 (February 2020) ‘Updates on financial reporting, auditing
and ethics’ and on the IFAC website (www.ifac.org) ‘Summary of Covid-19 Audit Considerations’,
3 June 2020.


MIND MAP

ETHICAL STANDARDS, LEGISLATION, AND PROFESSIONAL GUIDANCE

AUDITING AND ASSURANCE
Objectives of Auditing and Assurance Services
• Framework for assurance engagement
• An audit assurance engagement
• Attest and direct reporting audits
• Level of assurance
• Differences between auditing, account preparation, external and internal auditors
Demands for Auditing and Assurance Services
Financial Statement Users

INTERNATIONAL STANDARDS AND GUIDELINES FOR AUDITING AND ASSURANCE
IFAC
HKICPA

AUDITING AND ASSURANCE STANDARDS
Role of Regulators and Regulation
Hong Kong Standards and Guidelines for Auditing and Assurance
• Professional standards
• Profession’s code ethics
• Fundamental ethical principles
• Threats to the fundamental principles
• Safeguards to threats
• Ethics for professional accountants in business
• Ethics for professional accountants in public practice
• Ethics and independence
• Specialised areas of practice such as liquidation and insolvency
• Guidelines for anti-money laundering and counter terrorism financing for professional accountants

TYPES OF AUDITS
External Audits
• Financial statement audits
Internal Audits
• Objective of the internal audit
• Performance audits
• Comprehensive audits
• Corporate social responsibility audits

Answers to Knowledge Check Questions

Question 1
There is a three-party relationship, being management as preparers of the financial
statements, users being the shareholders, potential shareholders, and other third parties, and
the auditor who provides an independent opinion on the financial statements to those users.
The financial statements are the subject matter and provide information in relation to
an entity’s financial position and performance.
The financial statements are prepared in accordance with an applicable financial
reporting framework, generally accounting standards, which are the criteria against which
the auditor assesses the financial statements and forms a conclusion.
The auditor applies a process and a range of procedures to gather evidence on which
to form a conclusion.
The auditor issues an audit report containing an opinion on whether the financial
statements have been prepared in accordance with the applicable financial reporting
framework.

Question 2
Assurance is a service provided by assurance practitioners with the objective of enhancing
the credibility of information to users of that information to improve its usefulness in
decision making.
Reasonable assurance is the level of assurance the auditor obtains from the evidence
gathered during the audit process and conveyed to users by the assurance provider.
Reasonable assurance is associated with audit engagements and is the highest level of
assurance provided by an auditor.


The auditor has assessed the risks that the information subject to audit could be
materially misstated and, based on the evidence obtained, has formed a conclusion that
the risk of giving an incorrect opinion is at an acceptably low level. This is expressed in the
form of a positive opinion that the information is in accordance with the relevant criteria. It
is not absolute assurance because of the level of judgement and other inherent limitations
involved in the audit process.
In a limited assurance engagement, the assurance practitioner applies procedures that
are less extensive than applied in a reasonable assurance engagement and therefore the
evidence on which the opinion is expressed is less. Accordingly, the risk of an inappropriate
opinion being given is higher and therefore the level of assurance provided is less. This is
expressed in the form of a negative expression of opinion.

Question 3
Answer A is incorrect. The engaging party is responsible for determining the nature, timing,
and extent of the procedures to be applied. The engaging party identifies what work it
wants undertaken to meet its information requirements.
Answer B is correct. The practitioner undertakes the procedures determined by the
engaging party who has identified those procedures as providing the evidence required
for their purpose. The practitioner undertakes those procedures as instructed and is not
responsible for making any assessment of the resulting evidence.
Answer C is incorrect. The practitioner reports the factual findings resulting from the
procedures applied and does not report any conclusion or provide any opinion/assurance.
Answer D is incorrect. The report includes details of the procedures applied as determined
by the engaging party.

Question 4
Management is responsible for maintaining accounting records and systems to record
the transactions and events of the entity for the accounting period to prepare financial
statements in accordance with the relevant financial reporting framework. Those systems
should be directed at ensuring that the financial report assertions are embodied in the
resulting financial records and statements.
The audit process is directed at obtaining sufficient appropriate audit evidence to
provide assurance that those assertions are appropriately embodied in the financial
statements subject to audit. The assertions therefore provide the elements inherent
in the financial statements that form the basis of the nature, timing, and extent of the
audit procedures to be applied to gather evidence that the financial statements are in
accordance with the financial reporting framework. The auditor’s task in relation to each
assertion then is to consider the evidence available to support or contradict the assertion,
select a method of obtaining the evidence, and then collect and evaluate that evidence.

Question 5
Answer A is incorrect. Assurance engagements cover a range of subject matter and levels
of assurance, for example a review engagement.
Answer B is incorrect. Assurance engagements is the overriding category of engagements
where an assurance practitioner provides some level of assurance on a subject matter. An
audit is one form of assurance engagement.


Answer C is correct. As indicated in B, an audit is one form of assurance engagement.
Answer D is incorrect. ‘Assurance engagements’ is the generic term for engagements that
provide different levels of assurance – for example, limited assurance for reviews and
reasonable assurance for an audit.

Question 6
Answer A is incorrect. The financial statements reflect the results of the transactions and
events of the historical reporting period and are not necessarily indicative of the future
financial performance of the company. The auditor’s opinion is on whether the financial
statements have been prepared reflecting the historical results in accordance with the
relevant financial reporting requirements.
Answer B is incorrect. While an auditor will assess the risk of fraud affecting the financial
statements as part of the audit process, and include procedures to reduce the risk that
fraud has resulted in a material misstatement in the financial statements, the nature of
fraud, which generally involves collusion, deception, and attempts to conceal the activity
and manipulation of records, means that it may remain undetected, even if the audit has
been properly conducted.
Answer C is correct. Assurance improves the quality of information by providing an
independent opinion that it has been prepared in accordance with the applicable financial
reporting framework. Accordingly, it improves the decision-making process by providing
more reliable information.
Answer D is incorrect. The auditor’s opinion is whether the financial statements have been
prepared in accordance with the applicable financial reporting framework. It provides users
with information that indicates that the information is reliable to assist decision making
about their investment or potential investment in a company, not that the auditor has
formed any conclusion about whether management has managed the company efficiently.

Question 7
Answer A is incorrect. The legislation identifies that the directors are responsible for the
preparation of the financial statements and are therefore the responsible party.
Answer B is incorrect. The legislation identifies the shareholders as the intended users
as the financial statements and audit reports are to be sent to shareholders prior to a
company’s annual general meeting.
Answer C is correct. While the legislation requires the financial statements to be audited,
it does not prescribe the level of assurance that is associated with an audit. The level of
assurance, that is ‘reasonable’ assurance associated with an audit, is a concept developed
by the profession based on the nature of the audit process.
Answer D is incorrect. The legislation requires that the financial statements be prepared in
accordance with Hong Kong accounting standards, which are the criteria for measuring the
subject matter.

Question 8
Answer A is correct. The auditor is not required to form an opinion or report on the
adequacy of the emoluments but only whether they are properly reported.
Answers B, C, and D are incorrect. These are requirements under the Companies Ordinance.


Question 9
Answer A is incorrect. An audit committee generally has oversight of the external audit
function to manage the relationship between the Board and the auditor and review of
the financial statement preparation process, but it does not have any authority under the
Companies Ordinance to issue reports to the shareholders or assume the responsibilities of
the directors.
Answer B is correct. The Companies Ordinance gives the responsibility for distribution of the
reports to the company directors as the directors’ accountability is to the shareholders. In
addition, the directors must approve and sign the financial statements.
Answer C is incorrect. The auditor provides the audit report to the directors to distribute to
the shareholders with the financial statements.
Answer D is incorrect. While the CFO would be involved in the preparation of the financial
statements for the directors, the directors are ultimately responsible for the financial
statements and providing the reports to the shareholders as they are accountable to the
shareholders. The CFO in most cases will be an employee of the company and accountable
to the directors.

Question 10
Answer A is incorrect. Professional standards are a fundamental component of a
profession that prescribes a level of performance. Users of the audit function derive
comfort from the fact that the provision of audit services is subject to a benchmark that
governs the auditor’s activities and quality of work.
Answer B is incorrect. Standards provide members of the profession with information
about the quality of work to be performed.
Answer C is correct. The responsibility for the audit plan is that of the auditor and the basis
of the independent audit function is that it is free from the influence of management.
Management has no role in the approval of the audit plan.
Answer D is incorrect. Members of the HKICPA must comply with auditing standards.
Failure to comply can be investigated by the HKICPA and can lead to disciplinary action
including the cancellation of a member’s practising certificate and therefore the right to
undertake audit engagements.

Question 11
Answer A is incorrect. HKSA 200 requires that the auditor apply professional judgement in
planning and performing an audit. Professional judgement is applied within the context of
auditing principles and standards.
Answer B is incorrect. The HKICPA Standard on quality control mandates that a CPA
firm has a system of quality control to provide reasonable assurance that professional
standards and legal requirements are complied with and that there are procedures to
monitor compliance.
Answer C is incorrect. While the internal auditor often applies procedures similar to the
external auditor in areas where the external auditor needs to obtain evidence and can
provide the external auditor with evidence relevant to the work of the external auditor, given
that the internal audit function is an integral part of the entity being audited, that work must
be tested by the external auditor as to its appropriateness for use as external audit evidence.


Answer D is correct. This activity would create a self-review threat to independence where
such systems are integral to the client’s accounting and internal control systems. There are
no safeguards that would adequately address that threat.

Question 12
Answer A is incorrect. The audit committee provides a forum for the auditor to discuss,
with a body within the company, independent of those directly responsible for the
management of the company and preparation of the financial statements, any problems
arising during the audit. For example, any lack of co-operation or failure to provide
explanations or evidence. The Committee can seek to redress these problems.
Answer B is incorrect. The audit committee should be aware of, and discuss with the
auditor, any management or Board requests to provide other services and whether such
services would affect the auditor’s independence. This provides a further level of scrutiny
over the independence of the audit function.
Answer C is correct. The audit committee is a sub-committee of the Board. The Board and
its individual directors cannot abrogate or delegate their statutory responsibilities to the
audit committee. The Committee can assist directors to fulfil their responsibilities and
facilitate decision making but is not the body designated in the statute to approve and sign
the financial statements.
Answer D is incorrect. The audit committee can play a role in providing a recommendation
as to the appointment of the auditor. The committee can assess the overall audit strategy
and capabilities of different auditors as they apply to the circumstances of the company,
for example experience in the industry in which the company operates. The Committee
cannot appoint the auditor, as that is the role for shareholders, but they can facilitate an
informed decision.

Question 13
Answer A is incorrect. Independence is a fundamental principle that is a mandatory
requirement of the COE and not merely a suggested attribute.
Answer B is incorrect. Management is responsible for the preparation of the financial
statements and the auditor should not be involved in that process.
Answer C is correct. The fundamental principle is that the auditor be independent in fact
and perception.
Answer D is incorrect. This would create advocacy and self-interest threats that would be
perceived as inconsistent with the auditor being perceived as providing an unbiased and
objective expression of opinion.

Question 14
(a) Fundamental principle being breached: Objectivity
Threat created: self-interest threat.
The manager’s decisions and audit judgement may be affected in an attempt to
have the clients engage the firm to undertake other services.
(b) Fundamental principle being breached: Objectivity
Threat created: self-interest threat.
The dependence on the client and concerns about losing the client may
influence the partner’s audit decisions and judgements, especially if the partner’s
remuneration is significantly affected by the level of fees generated.


(c) Fundamental principles being breached: Integrity and objectivity
Threats created: Intimidation – self-interest threats.
By being placed in a potentially adversarial position with management,
the relationship and exchange of information and disclosure between
management and the auditor may break down and pressure may be exerted to favour a
particular outcome.
(d) No threat if under normal lending criteria, terms, and conditions and immaterial to
the partner and audit client. If not, then objectivity is being breached, a self-interest
threat exists, and the situation is unacceptable. Having a financial obligation to the
client may impact audit judgements and the perception of independence.
(e) Fundamental principle being breached: Objectivity
Threats created: self-interest or intimidation.
This would effectively involve the partner having a financial and business
interest in a client entity. This could impact the partner’s audit judgements to
favour a particular outcome or be subject to pressure from the entity.
(f) Fundamental principle being breached: Objectivity
Threats created: familiarity and self-interest.
A personal relationship may result in the audit partner not applying an
appropriate degree of scepticism to information and explanations provided by the
managing director or placing maintenance of the relationship above the interests
of an audit judgement.
(g) Fundamental principle being breached: Objectivity
Threat created: self-interest.
By the family having a financial interest in the client entity the decisions of the
audit partner may be influenced toward the enhancement of that investment.
(h) Fundamental principle being breached: Objectivity
Threat created: self-review.
The work undertaken by the staff would be reviewed by the auditor but may
not be subject to the same level of scrutiny as the work of the client’s staff.
(i) Fundamental principle being breached: Professional competence and due care
Threats created: self-interest and intimidation.
Fees should be commensurate with the work required to undertake an
appropriate audit. Where fees are not commensurate with the audit, appropriate
audit procedures may not be applied and the auditor may succumb to client
pressure in relation to preferred client outcomes.
(j) Fundamental principle being breached: Objectivity
Threat created: self-review and advocacy.
The audit client is responsible for the preparation of the financial statements
and the items and valuations in those financial statements. A valuation prepared
by the audit firm would be subject to review by the audit team during the audit,
which creates a self-review threat. Providing a valuation to a third party on behalf
of the client may also be seen as acting as an advocate for the client.
(k) Fundamental principle being breached: Objectivity
Threats created: self-review and advocacy.


This potential threat could arise because the outcome of the service may need
to be reviewed as part of the audit and the firm could be seen as an advocate of
the entity’s interest.
(l) Fundamental principle being breached: Objectivity
Threat created: familiarity.
The partner may not apply the same level of scepticism to information and
explanations when considering audit evidence because of the close relationship
with the entity.
(m) No threat as the services are routine and no professional judgement is involved.
(n) No threat as management takes responsibility for the returns including any
significant judgements made.

Question 15
Convergence is the policy adopted by the HKICPA to use the International Standards
on Auditing issued by the IAASB of IFAC as the basis for developing HKSAs and related
guidance materials. The Hong Kong AASC adopts a due process that integrates with the
IAASB and provides input to the development of international auditing standards. Once
issued by the IAASB, the AASC assesses the standard and issues the equivalent HKSA, with
any additional material deemed appropriate and, if necessary, amended to reflect local
circumstances such as laws or regulations.
The objective of convergence, referred to as harmonisation at the international
level, is to develop and support the implementation of a set of uniform standards to be
applied internationally in order to provide quality audit services. At the national level, it
is to establish a body of high-quality national standards that support CPAs and promote
the professional accountant’s status and acceptance with users and regulators and are
recognised internationally.

Question 16
Answer A is incorrect. The Application and Other Explanatory Material is authoritative
guidance but is included to assist auditors understand the Requirements of the standard
and provide illustrative procedures and practical guidance to enhance the consistency
of implementation of the Requirements. The guidance does not override the mandatory
Requirements or provide alternative Requirements.
Answer B is correct. Some Requirements are to be applied only when certain circumstances
are identified during an audit. Where such a situation occurs, this is an exceptional
circumstance where the Requirement does not have to be applied. For example, if the client
does not have an internal audit function, HKSA 610 does not apply or if the client does not
have segment reporting, the audit Requirements in that area do not apply. An exceptional
circumstance could also arise where it is judged necessary to depart from a relevant
Requirement and apply alternative procedures where, due to the specific circumstances of
the audit, an audit procedure would be ineffective in achieving the aim of the Requirement.
Answer C is incorrect. HKSAs are based on international auditing standards. In the rare
case where an HKSA has adopted a different Requirement from an international standard,
this will be identified in the HKSA in a section dealing with conformity and compliance
with international standards. The Requirement adopted in the HKSA is the mandatory
Requirement for audits under the HKSAs. The international standard does not override the
HKSA Requirement.


Answer D is incorrect. The auditor’s preference does not override a mandatory
Requirement. The exercise of professional judgement to not comply with a Requirement
can only occur if the matter subject to the Requirement is immaterial in the financial
statements being audited or the exceptional circumstance criteria apply, and not just
because an auditor has a preferred approach.

Question 17
Answer A is incorrect. It is mandatory under the HKSAs that the COE be complied with by
auditors, including the independence requirements.
Answer B is incorrect. HKSA 200 requires that the auditor plans and performs the audit
with professional scepticism, being an attitude that includes a questioning mind and being
alert to conditions that may indicate potential misstatements due to fraud and error and a
critical assessment of audit evidence.
Answer C is correct. The detailed audit plan developed from the audit strategy is the
responsibility of the auditor. It does not require the approval of company management as
the auditor is required to be independent and not subject to any management bias.
Answer D is incorrect. Each HKSA has an audit objective to be achieved by the auditor. The
auditor must apply the mandatory Requirements to achieve that objective, unless there
are exceptional circumstances that justify alternative procedures.

Question 18
Answer A is incorrect. Because of the increasing impact that business has in relation to
social issues, entities are more aware of the scrutiny and responsibility they face in relation
to their impact in this regard. An internal audit could play a role in assisting management’s
risk assessment and controls in this area.
Answer B is correct. Because an internal audit is a function established within the entity
to evaluate the activities of the entity to assist management, and is regarded as part of
the control environment, it is unlikely that third parties would accept internal reports as
providing an acceptable level of independent assurance.
Answer C is incorrect. This is a function undertaken by an internal audit to assist management.
Answer D is incorrect. An internal audit is a function established within an entity to
assist management. Reviewing compliance with statutory requirements and reporting to
management is a function that the internal audit could undertake to assist management
meet its responsibilities by providing a level of assurance that the entity is complying with
the relevant requirements.

Question 19
Answer A is incorrect. This supports the internal auditor meeting responsibilities in an
unbiased manner and the ability to act with appropriate authority.
Answer B is correct. This relates to the quality of work and may not prevent undue
influence on actions and decisions.
Answer C is incorrect. Objectivity requires individuals within an internal audit having
an impartial, unbiased attitude and not be, or seen to be, in a position whereby their
judgement could be impaired. Having operating responsibilities outside the internal audit
role could create conflicts of interest or be seen to undermine the perception that the
individual is objective.


Answer D is incorrect. A mandate that gives the internal function a broad role in an
entity with a status that allows the internal audit function to undertake its tasks with
an appropriate degree of authority, access, and resources, along with audit committee
oversight, gives the function independence within the entity.

Question 20
(a) Different. The financial statement audit deals with a defined subject matter being
the financial statements, whereas a performance audit can be undertaken on a
broad range of subject matter.

(b) Common. Both types of audit require the exercise of professional judgement in
developing audit strategies and plans and applying audit procedures relevant to
the specific engagement circumstances, and in evaluating the evidence obtained to
form a conclusion.

(c) Common. All assurance engagements require a benchmark of appropriate criteria
as the basis on which the auditor develops a conclusion. The criteria provide a
basis for the evaluation and measurement of the subject matter and indicate to
the intended users the basis on which the conclusion was formed. In the case of a
financial statement audit, this is accounting standards and for a performance audit,
criteria appropriate for the subject matter of the audit.

(d) Different. Because performance audits can cover a broader range of subject matter
and the evidence available can often be more subjective and qualitative, a broader
range of evidence-gathering techniques needs to be applied in these engagements.

(e) Common. Both types of audit are aimed at providing assurance on a particular
subject matter and arise due to an accountability relationship where a party
responsible for the subject matter is accountable to others in relation to the
matters covered by the subject matter.

(f) Different. Financial statement audits have some criteria based on some form of
accounting model, whereas because performance audits can cover a broad range
of subject matter, suitable criteria are drawn from a range of different sources and
are developed for the specific engagement subject matter.

(g) Common. Both types of audits require a systematic process to be applied to gather
sufficient appropriate evidence on which to form a conclusion and report. The
basic audit methodology, expertise and techniques of audit are applicable to both
types of engagement.

Question 21
Answer A is incorrect. This is an external source that provides a determinable benchmark
indicating what is being applied as best practice.
Answer B is correct. The auditor’s experience may be limited and may not reflect best
practice or entity objectives.
Answer C is incorrect. This is an external source that is indicative of what is acceptable for
the subject matter involved.
Answer D is incorrect. The use of expert consultants provides evidence that the practices
adopted by management reflect relevant principles and are an available benchmark of
objectives to be achieved by the entity.


EXAM PRACTICE

QUESTION 1
Your client is a large shareholder in a private company that manufactures car parts.
The company is expanding and has requested that your client consider providing a large
loan to the company to facilitate the expansion. Your client has not been active in the
operations of the company but has been satisfied with the return on investment through
dividends received in recent years, and with receiving the monthly management accounts
approved by the management and prepared as special purpose financial statements on a
modified cash basis.

There have been some changes to the senior management team in recent months and
management has indicated to the shareholder that the expansion process has commenced
and is having a more significant negative impact on cash flows than anticipated.

Your client has decided that the monthly management accounts are not sufficient to
make a decision as to whether to provide the loan being sought and that more significant
information needs to be provided. Your client has requested and management has agreed
to provide the following:

• A complete set of financial statements prepared in accordance with Hong Kong
accounting standards for the preceding six months ending at the end of the current
month approved by management.

• Management’s approved cash flow forecast for the next 12 months.

Your client also wants to be satisfied that any large cash payments incurred during the
last three months are due to normal operations or the expansion project.

Your client has also decided that some level of assurance over the information to be
provided is necessary and asks your advice on the types of engagements that would be
appropriate.
Required:

Explain and justify to your client what levels of assurance would be appropriate to add
credibility to the information being sought.

QUESTION 2
The regulatory process for corporate financial reporting and auditing in Hong Kong is
described as a co-regulatory model. Explain the basis for this description.

QUESTION 3
As audit partner you are preparing to present to the audit committee of a prospective
audit client required to report under the Companies Ordinance for the first time. The audit
committee chairman asks that your tender document include your reporting responsibilities
and rights to communicate with shareholders under the Ordinance.

Required:

(a) Summarise the matters that would be included relating to your reporting and
communication with shareholders in preparing your tender document.

(b) The Companies Ordinance gives the auditor qualified privilege in relation to defamation
for any statements made or documents used during the audit. Explain in your tender
document why this is important.


QUESTION 4
Your client is a private company for which you have been providing a review engagement
on their annual financial statements for some years. Some company shareholders have
requested the company provide a higher level of assurance on the financial statements and
the chairman of the Board has indicated that he intends to engage you to conduct an audit
in future reporting periods. The chairman has indicated to you that this absolute level of
assurance will satisfy the shareholders that the company remains a good investment and
that the financial statements are correct.

Required:

Respond to the chairman’s view and explain your reasons.

QUESTION 5
(a) An external financial statement auditor needs to be independent in both mind and
appearance. Explain the two concepts and why independence is a fundamental
principle of auditing.

(b) Explain the difference between independence as it applies to the external and internal
audit functions.

(c) For the following situations identify the nature of any threats to the fundamental
principle of independence for an external financial statement auditor and advise
safeguards, if any, that may mitigate those threats.

I. You are the engagement partner for a large audit client and it has come to your
attention that the senior audit manager assigned to the audit team was recently
employed by the client company as a senior accountant. It has been suggested that
the manager’s knowledge of the client will facilitate and enhance the audit process.

II. It has come to your attention that for the prior year, and this current financial
reporting period, the fees from one of your public interest audit clients will
represent more than 15% of the total audit fees of your firm.

III. Your audit client is seeking your assistance in structuring a financing arrangement
with a financial institution.

IV. Your firm has been approached by an audit client to enter into a joint venture to
supply and market computer software.

V. You are aware that one of your audit clients is looking to undertake a recruitment
process as a result of the expansion of your business and you offer to provide them
with a recruitment service.

QUESTION 6
The Code of Ethics has been developed requiring a conceptual approach to ethical decision
making by accountants in public practice.

Required:

(a) Explain why a conceptual approach has been adopted.

(b) Explain what is involved in applying the conceptual approach to ethical issues.


ANSWERS TO EXAM PRACTICE

QUESTION 1
As your client does not regard the management accounts as significant in their own right to
the decision to invest, a review engagement would be appropriate. A review engagement
provides limited assurance as fewer audit procedures are performed and less evidence
is gathered. The review report would state whether anything has come to the auditor’s
attention to indicate that the accounts have not been prepared in accordance with the
modified cash basis. This would be more cost effective compared to an audit. It would be
an attest engagement as the special purpose financial statements have been approved by
management.

As the information in relation to the large cash transactions and the financial statements
are significant to your client’s decision making, an audit engagement is recommended. This
would provide a reasonable (high) level of assurance as to whether there are any unusual
cash transactions and whether the financial statements have been prepared in accordance
with the accounting standards.

The audit of the transactions would be a direct audit as there is no representation/
assertion by management that all transactions are in the normal course of business or are
project related. The auditor’s report would include information about the nature of the
transactions as well as the auditor’s opinion.

The audit of the financial statements would be an attest audit, as the signing of the
financial statements by management provides a written assertion.

The focus on cash flows indicates that the cash flow forecast is significant information
for the decision making of your client. However, due to the nature of forecast information
being more subjective and reflecting future estimates, only negative assurance can be
provided through a review engagement.

QUESTION 2
The model is described as co-regulatory because the actions of a company and auditor
subject to the requirements of the Hong Kong Companies Ordinance are governed by both
the statutory requirements of the Ordinance and mandatory professional requirements that
apply to members of the HKICPA.

The Companies Ordinance imposes statutory requirements on companies for the
preparation and presentation of financial statements and to appoint an auditor to audit
those financial statements and report to shareholders.

The legislation imposes statutory requirements on auditors appointed under the
legislation in terms of their responsibilities and reporting obligations.

Both the companies and auditors are regulated by the Hong Kong Securities
Commission.

Auditors appointed pursuant to the Ordinance are private sector organisations and
accredited by the HKICPA. The HKICPA is a professional organisation that mandates
requirements that its members must comply with when appointed as a statutory auditor.
This represents a self-regulatory aspect to the accountability process. The self-regulatory
aspect requires an auditor to comply with the professional standards that govern the
activities and behaviour of its members and provides a benchmark for the performance of
its members. For audits, the primary standards are the HKSAs, HKSQC 1, and the COE.

Under both components of the model, failure to comply can result in sanctions.
Non-compliance with statutory requirements by a company or auditor would be investigated
by the Securities Commission and non-compliance with professional standards would be
investigated by the HKICPA. In both cases the action taken could result in penalties. In the
case of auditors under the HKICPA process this could include cancellation of the member’s
Practising Certificate and right to conduct audits.

Co-regulation is therefore a combination of mandatory statutory requirements and
sanctions and professional standards and sanctions.

QUESTION 3
(a) The following reporting and communication responsibilities would be included when
preparing the tender document:

• Reporting to shareholders an opinion on whether the financial statements have
been prepared in accordance with the Companies Ordinance and give a true and fair
view of financial position and performance in accordance with HKFRSs.

• Report if the Director’s Report is inconsistent with the financial statements.

• If the company has not kept adequate accounting records and/or the financial
statements do not agree with the accounting records, this must be reported.

• Report if unable to obtain all the information and explanations necessary for
the audit.

• The audit report would include details of any failure by the directors to report
in the notes to the financial statements their emoluments, retirement benefits,
termination payments, and loans.

• In addition to these matters the Companies Ordinance gives the auditor the right to
attend the company general meeting and to be heard in relation to audit matters.

(b) The ability to communicate with shareholders creates confidence in the role of the
statutory auditor and protection to plan and conduct the audit with due care and
diligence and supports audit independence. This protection supports this position.

QUESTION 4
The audit requested will provide a reasonable (high) level of assurance that the financial
statements are not materially misstated. This is not an absolute level of assurance. While
an audit is planned and conducted to obtain sufficient appropriate evidence on which to
support the opinion, much of that evidence is persuasive rather than conclusive.

There are limitations to the audit process that involve the auditor making professional
judgements to identify risks that the financial statements are materially misstated and
determining the nature and extent of the audit procedures to be applied.

The auditor generally applies sampling techniques that limit the number of transactions
tested for cost and efficiency reasons. As not all transactions are tested there is the potential
for misstatement.


The financial statements themselves involve the preparers making judgements and
estimates, and the evidence is limited by the nature of that process.

There are inherent limitations of the system of internal control over the preparation of
the financial statements. For example, human error or deliberate override of the system
may lead to transactions not being recorded correctly.

A properly conducted audit may not detect fraud due to its nature, which involves
collusion and attempts to conceal it.

Accordingly, a properly conducted audit in accordance with auditing standards does not
provide absolute assurance, but the standards are designed to result in a reasonable/high
level of assurance.

QUESTION 5
(a) Independence in mind requires the auditor to avoid circumstances that would influence
or compromise professional judgement, and therefore allows the auditor to act with
integrity, objectivity, and professional scepticism.

Independence in appearance involves the auditor avoiding circumstances from which
a reasonable and informed individual would be likely to conclude that the auditor’s
objectivity and professional scepticism have been compromised.

Independence is necessary to maintain the confidence of financial statement users.
As an audit is undertaken to enhance the intended users’ degree of confidence in the
information audited, the audit function must have credibility to support the value of
the function as a useful assurance service. That credibility derives from the situation
whereby the auditor has no involvement in the preparation of the information and no
vested interest in the outcome and therefore would be, and would be perceived to be,
objective in expressing the auditor’s opinion.

(b) It is important that both external and internal auditors would be, and would be
perceived to be, independent and objective. From the perspective of the external audit
function, it involves being independent from the entity being audited and having, and
being seen to have, no vested interest that would compromise audit judgement and
outcomes, to give that function credibility for the intended users of the auditor’s report.
From the internal audit perspective, the concept is similar, except that the internal audit
is part of the entity and the internal auditor is an employee of the entity. Independence
in the sense that it applies to an external auditor cannot be achieved. Internal audit
independence is therefore related to the role that it has in the entity as defined by its
charter such that it has appropriate authority and reporting lines to act with autonomy
and without bias within the entity, and is not involved in the areas and activities of the entity that
it audits. It also involves ensuring that internal audit staff can bring an objective attitude
to their role by not having operational responsibilities or conflicts of interest within
the entity.

(c) I. This potentially creates self-interest, self-review, and familiarity threats to
independence of the senior audit manager. Further information should
be sought as to the nature and extent of the team member’s involvement in the
financial statement preparation process within the client and the role to be played in
the audit team. If the manager had a significant role at the client, that person should
not be assigned to the audit team or as a safeguard the work of that member should
be reviewed during the audit process.

II. This situation creates self-interest and intimidation threats. Under the COE this
fact must be disclosed to the client management and either a pre- or post-issuance
quality control review should be undertaken by a member not in the firm or by a
professional body. A pre-issuance review would be undertaken before the issue of
the audit opinion for the second year. A post-issuance review would be
undertaken after the issue of the opinion for the second year but before the issue
of the opinion for the third year.

III. As such a transaction is likely to affect the financial statements, this creates a
self-review threat. A safeguard would be to have this service provided by another
member of the firm not involved in the engagement team.

IV. Unless the financial interest is immaterial this relationship could create self-interest
or intimidation threats and should not be entered into.

V. This may create self-interest, familiarity, or intimidation threats. You can offer such
services under the conditions that you do not take on management responsibilities
negotiating on management’s behalf or making the hiring decision.

QUESTION 6
A conceptual approach recognises that there is a large number of different circumstances
that a professional accountant could encounter in their relationship with a client, and a
range of different services and activities that could affect the behaviour and actions of the
accountant. It is not possible to specifically identify and provide rules for every possible
situation that might arise. The conceptual approach avoids situations where a potentially
inappropriate behaviour or activity that could contravene the fundamental ethical principles
of the profession may be seen as appropriate because it is not specifically prohibited.

The conceptual approach involves the professional accountant:

• Identifying threats to compliance with the fundamental principles of integrity,
objectivity, professional competence, confidentiality, and professional behaviour;

• The threats are self-interest, self-review, advocacy, familiarity, and intimidation;

• Evaluating the significance of those threats and applying safeguards to eliminate
the threat or reduce it to an acceptable level, and making a judgement based on a
reasonable and informed third party test; and

• Where appropriate safeguards are not available, the relationship or circumstances
creating the threat must be eliminated or the engagement declined or discontinued.

Part B
Corporate Governance
and Risk Management

Chapter 2 Corporate Governance

2
Corporate Governance

CHAPTER TOPIC LIST

2.1 Roles in Corporate Governance
2.1.1 Serving Stakeholders
2.1.2 Having an Effective Audit Committee
2.1.3 Working Closely with the Auditor
2.1.4 Managing Strategically

2.2 Background of Corporate Governance
2.2.1 Importance to Capital Markets and Preventing Corporate Failure
2.2.2 Fairness
2.2.3 Openness and Transparency
2.2.4 Independence
2.2.5 Probity and Honesty
2.2.6 Responsibility
2.2.7 Accountability
2.2.8 Reputation
2.2.9 Judgement
2.2.10 Integrity

2.3 Provisions of International Codes of Corporate Governance (such as the Organization for Economic Cooperation and Development (‘OECD’)) That Are Most Relevant to Auditors
2.3.1 Limitation of International Codes

2.4 Corporate Governance Developments in Hong Kong and the Structure of the Code on Corporate Governance Practices and Corporate Governance Report in Hong Kong
2.4.1 Structure of the Corporate Governance Code
2.4.2 Corporate Governance Report

2.5 Directors’ Responsibilities as Defined by the Companies Ordinance and Hong Kong Stock Exchange Listing Rules
2.5.1 HKEx Listing Rules
2.5.2 Management Responsibilities within Corporate Governance
2.5.3 Board Committees’ Structure and Roles and Drawbacks and Limitations
2.5.4 Internal Control (ISO)

2.6 Auditor’s Responsibilities in Regard to Corporate Governance

2.7 Sarbanes–Oxley Act Effect on Hong Kong Companies and Their Auditors

2.8 Corporate Governance Arrangement’s Analysis and Improvement Recommendations


LEARNING OUTCOMES

PRINCIPAL LO3: EXPLAIN THE IMPORTANCE OF CORPORATE GOVERNANCE AND RISK MANAGEMENT
LO3.01: Recommend appropriate practices an entity should put in place to achieve good
corporate governance
3.01.01 Explain the roles of audit committee, auditor, and management in corporate governance
3.01.02 Explain the objectives, concepts, relevance, and importance of corporate governance to
capital markets and preventing corporate failure
3.01.03 Describe the provisions of international codes of corporate governance (such as OECD) that
are most relevant to auditors
3.01.04 Explain corporate governance developments in Hong Kong and the structure of the Code on
Corporate Governance Practices and Corporate Governance Report in Hong Kong and how these
contribute to effective corporate governance
3.01.05 Explain the concept of stakeholder theory in corporate governance
3.01.06 Describe the corporate governance requirements as set out in the Companies Ordinance and
Hong Kong Stock Exchange Listing Requirements relating to directors’ responsibilities (e.g.
risk management and internal control)
3.01.07 Explain the responsibilities of management within the corporate governance framework
3.01.08 Analyse the structure and roles of board committees and discuss their drawbacks and
limitations
3.01.09 Explain an auditor’s responsibilities to consider and address corporate governance
requirements
3.01.10 Explain the effect of the Sarbanes–Oxley Act on Hong Kong companies and their auditors
3.01.11 Evaluate the corporate governance arrangements in a given scenario and recommend
improvements to address identified weaknesses

OPENING CASE

88 TANDI COMPANY

88 Tandi Company is in a pre-IPO position and the current seven directors, who are all
executive directors, are trying to determine what effect listing will have on the way the
business is run, managed, and controlled.

88 Tandi is a very successful hotel chain that is looking to expand across Asia and into
the lucrative United States (US) market. Given the boutique and quintessentially Chinese feel
of the hotels, the directors believe listing on the Hong Kong Stock Exchange (‘HKEx’) will help
successfully finance the planned expansion.

The directors also want to consider what is required from a corporate governance
perspective if they were to also list in the US. Not only are the directors in current discussions
with lawyers as the preparation for the IPO continues, but also with their auditors, Quality
Audit Firm (‘Quality’), as the directors want to further understand the likely external audit
ramifications of a listing on the HKEx and also a potential listing in the US.

OVERVIEW

Corporate governance has become one of the most talked about areas of today’s corporate
world. Large corporate failures, such as those of Enron, WorldCom, Polly Peck International,
Barings Bank, Lehman Brothers, and Carillion plc, have made it a predominant issue with
various governments, led by the UK and the US. Regulatory authorities have made efforts
to install more stringent governance regimes to ensure the smooth running of corporate
organisations for all stakeholders and to reduce the risk of such failures. Corporate governance
systems have been developed around the world on the basis of country-specific frameworks of
legal, institutional, and cultural factors that shape the patterns of influence that shareholders
(or stakeholders) can exert on managerial decision making. Though developed on a country-by-
country basis, these frameworks have influenced each other. In this chapter, we are going to
explore the specific framework for Hong Kong as well as looking at those of the OECD and the
Sarbanes–Oxley requirements in the US.

The importance to auditors of corporate governance frameworks and the effectiveness of
implementation links directly to the auditor’s risk assessment to identify the risk of material
misstatement at the financial statement and assertion levels as required by HKSA 315 (Revised
2019), Identifying and Assessing the Risks of Material Misstatement. Auditors have obligations in
relation to other information in financial statements, which is where a considerable amount
of disclosure is made in relation to an entity’s corporate governance activities and compliance
with the corporate governance requirements in Hong Kong. While auditors do not have any
direct responsibilities in relation to assessing the effectiveness of the corporate governance
activities of entities, this chapter will highlight how good corporate governance can assist
the auditor.

2.1 ROLES IN CORPORATE GOVERNANCE

Outside of the board and board committees, which will be explored later in this chapter, there
are four dimensions that are important to the success or otherwise of a corporate governance
framework.

2.1.1 Serving Stakeholders


The concept of serving stakeholders, while not a new concept, is now one that is very much
built on the historical focus on serving shareholders exclusively.

An early stakeholder model was detailed by Ian Mitroff in his book Stakeholders of the
Organizational Mind, published in 1983. This book identifies and models the groups that
are stakeholders of a corporation, and both describes and recommends methods by which
management can give due regard to the interests of those groups. In short, it attempts to
address the ‘principle of who or what really counts’. Stakeholder theory argues that there
are other parties involved, not just shareholders, including employees, customers, suppliers,
financiers, communities, governmental bodies, political groups, trade associations, trade
unions, and sometimes competitors, who are counted as stakeholders. The nature of what
represents a stakeholder is highly debated. Whatever the merits of these stakeholder theories,
community attitudes and legal systems have increasingly recognised that the needs of a broad
group of interested parties require the attention of directors.

It is noteworthy that the conceptual framework for financial reporting in Hong Kong
(and globally through the International Accounting Standards Board) identifies a range of users
that should be served by financial reporting. The reporting by auditors, in turn, expresses an
opinion in the context of the applicable accounting framework. It is therefore evident that
stakeholder thinking has gained widespread support and influences both financial reporting
and auditing.

From the viewpoint of corporate governance, the existence of a range of stakeholders
means that there are multiple dimensions to the conduct of business operations, the gathering
of information, the design of controls, and the forms of accountability. The auditor needs to
understand those dimensions in the context of particular entities, in order to comply with HKSA
315 (Revised 2019).

2.1.2 Having an Effective Audit Committee


The audit committee plays a major role in corporate governance regarding a company’s
financial direction, control, and accountability. As a representative of the full board of directors
and main part of the corporate governance mechanism, the audit committee is involved
in a company’s strategy in relation to its internal audit function and is responsible for the
appointment of the company’s external auditors. The audit committee receives reports from
management on internal control, accounting and financial reporting, regulatory compliance,
and risk management.

The audit committee monitors the integrity of a listed company’s financial statements
(annual and interim) and of the accounting records supporting those forms of reporting to
users, but the full board has overall responsibility for the financial statements.

The audit committee needs to have the full cooperation of management and to be provided
with sufficient information and reasonable resources to carry out its role and function in
accordance with its terms of reference. An effective audit committee will take an active interest
in, and take a proactive approach towards, understanding the affairs of the entity and will take
the appropriate actions when there are indicators of unplanned issues and risks.

The roles of the audit committee are, therefore, very relevant to the auditor when designing
and carrying out audit procedures, and critically when communicating with the full board.

2.1.3 Working Closely with the Auditor


One of the primary roles of external auditors in corporate governance is protecting the interests
of shareholders and other stakeholders through forming an independent opinion on the truth
and fairness of the financial reports in the context of the applicable accounting framework.

The expressing of that opinion provides assurance to the users of the financial reports. The
provision of this assurance is only possible because the external auditor’s opinions and reports
are developed independently of the company’s influence. Indirectly, the work of the external
auditor contributes to the board itself, helping to ensure that they receive relevant and
representationally faithful information. The board may also question the auditor’s views and
assessment of the appropriateness of the accounting policies and controls used by an entity.
They value the experience and expertise of auditors gained through working with a great variety
of entities.

Good governance is characterised by a strong mutual respect between the board of
directors and the auditor. Conversely, where the relationship between them is adversarial or
the audit is treated as a compliance exercise deserving little attention, it is most unlikely that
governance will be strong.

2.1.4 Managing Strategically


The CEO and other management are the conduit for the board’s responsibility for good
corporate governance, strategy, and the delivery of the activities that support this objective.
One of the key roles of the board of directors is to appoint the best CEO possible for the entity.
This is also a key decision for the governance of the entity.

The auditor needs to have a good understanding of the way in which an entity is managed
strategically and its business model, in line with the requirements of HKSA 315 (Revised 2019).
The auditor has a vital interest in how the board and management interact, a critical feature of
corporate governance.

A key focus of a board, and one very relevant to the auditor to observe, is monitoring,
evaluating, and confirming decisions made by the CEO and how they are implemented by
senior management.

This focus can be served if all the following conditions are met:

• Directors are satisfied that appropriate systems and policies are in place and have
been demonstrated to be effective. The important point is demonstration or evidence
of effectiveness rather than just the assurance of the CEO or other members of
management.

• Directors are satisfied that information reported by the CEO includes relevant indicators
and other information that directly reflects the integrity of the activities of management.

• Directors are able to exercise critical and independent judgement.

Knowledge Check Questions

Question 1
Identify which of the following is not a key role of the audit committee.
A Conduit between the full board and management.
B Takes full responsibility for the accuracy of the financial statements.
C Involved in the direction of the internal audit.
D Corresponds with the external auditors.

2.2 BACKGROUND OF CORPORATE GOVERNANCE

Corporate governance failures resulting in corporate failure have demonstrated several
common behavioural traits that work against corporate success. This section outlines the
behaviours that need to be demonstrated to support corporate governance effectiveness and
reduce the risks to auditors of fraudulent activity.

2.2.1 Importance to Capital Markets and Preventing Corporate Failure


Corporate governance supports the accountability of an entity and is intended to reduce the
vulnerability of the entity to severe or unexpected risks. Poor governance can lead to the
circumstances that destroyed energy giant Enron and bankrupted many of its stakeholders and
employees, as well as leading to the demise of its well-credentialled auditor.

In terms of business, an entity with good corporate governance is widely accepted by the
public. This is mostly due to the disclosure and transparency that comes with good corporate
governance. With full disclosure and the ability for people who work in the business to get
information, as well as investors and the general public, there is a higher degree of trust
built with all stakeholders. Diligent attention to corporate governance by the board and
management can lead to a lower chance of unexpected risks emerging, fraud, or company-wide
criminal activity.

An entity’s corporate reputation is extremely important to the board and the entity’s
operations and financing. Profitability alone does not necessarily bring a good reputation.
Entities are judged on many factors. Making sure there is a high level of awareness
of management about stakeholders’ needs, making ethical behaviour the norm, and
understanding what the public wants are all aspects of good corporate governance.

Illustrative Example 1
The Volkswagen controversy is a good example of the impacts that poor corporate
governance can have on a global brand and reputation. In 2015, the United States
Environmental Protection Agency (EPA) found that Volkswagen had fitted cars with
‘defeat devices’ – software that could detect test conditions and cut its emissions
accordingly to improve results. The technology allowed cars to continue to emit up to
40 times the permissible levels of harmful nitrogen oxide during driving, whilst the cars
apparently met tests.

Volkswagen has since admitted that about 11 million cars worldwide were fitted with
the ‘defeat device’.

The scandal reportedly cost the auto giant as much as US$30 billion in fines, settlements,
and remediation, making it by far the biggest business crisis in its 80-year history.

US prosecutors went on to accuse former Volkswagen executive Oliver Schmidt of
participating in ‘one of the largest corporate fraud schemes in American history’.

This is a case in which a very successful and profitable company, with an iconic global
brand, through the lack of good corporate governance, saw its market value falling
by US$30 billion initially, not to mention significant erosion of consumer confidence.
Commentators noted at the time that a company’s corporate governance can often prove
instructive on whether trouble lies ahead.

2.2.2 Fairness
Fairness means treating people equally and respectfully. It entails avoiding bias towards one or
more parties as compared to others.

For boards, being fair can be difficult in some circumstances as stakeholders can have
competing interests. When a company is engaged in an acquisition or reconstruction, for
instance, it can be very hard to be as fair to individual stakeholders when maximising the
outcome for stakeholders as a whole. For this reason, many companies are turning to what is
known as ‘fairness or second opinions’. This involves calling in an independent knowledgeable
entity to assess a transaction and give an opinion on its fairness. In the law, sometimes there
are requirements for such an opinion (e.g. when recommending considering acceptance of an
offer from a potential acquirer).

2.2.3 Openness and Transparency


Openness and transparency are central qualities of the processes, media, and reporting that
an entity chooses as it shares information with its stakeholders. This openness and
transparency of an entity helps to engender trust and confidence in the entity. On the other
hand, defensiveness and secrecy lead to stakeholders building greater allowances for risk into
their assessments and pricing.

After the global economic crisis of 2008, many governments across the world called for
entities to demonstrate greater transparency to rebuild the trust lost in financial institutions in
the first instance and then more broadly.

2.2.4 Independence
In corporate governance, independence is important in several contexts. At the most basic
level, the board and management need to have a commitment to stakeholders and the
community to pursue ethical directions that are independent of self-interest. Individuals need
to be able to stand up for values without fear.

It is equally vital that external auditors are independent of their clients, that internal
auditors are independent of the aspects of the business they are auditing, and that
non-executive directors have a degree of independence from the executive directors on a
board and from senior management.

Independence is a quality that can be possessed by individuals and is an essential element
of professionalism and professional behaviour. It is the avoidance of being unduly influenced
by a vested interest and being free to bring expertise and experience to bear without any
constraints that would prevent an appropriate decision from being made or course of action
from being undertaken. It is an ability to ‘stand apart’ from inappropriate influences and to be free of
managerial capture.

A common problem in many entities is ensuring independence where it could represent an
ethical threat if absent. In the real world, friendships and networks build up over many years
in which relationships exist at several different levels of intensity. Audit engagement partners
can get to know clients very well over many years, for example, and serving together on boards
can cement friendships between the non-executive directors and executive directors of a board.
The benefits of those relationships should not be allowed to be offset by a lack of independence.

2.2.5 Probity and Honesty


Probity is the quality of having values based on strong moral principles, including honesty and
decency. For entities, probity requires the setting of policies about values at an organisation
level, and then ensuring implementation of those policies through effective communications
and examples and, where appropriate, codes of practice. It is then for management to
demonstrate those values through leadership, to positively reinforce the values, and also to
ensure compliance with, and enforcement of, the values. Stakeholders need to see the entity
as honest.

The issuance of self-serving or misleading information is inconsistent with probity
and honesty.

The conduct of individuals on a board can raise several probity issues. Unless managed
effectively, probity issues, whether perceived, potential, or actual, can damage the reputation of
an entity and reflect poorly on the reputations of board members or the entire board.

There are a number of common strategies that can be adopted to avoid issues at board
level. These include having policies on handling conflicts of interest, having annual declarations
of interests by directors, and having clear delegation authorities in place.

2.2.6 Responsibility
Directors and management have significant power to approve transfers and distributions of
assets in the ordinary course of business without shareholder approval, including distributions,
asset purchases and sales, deployment of corporate property, contributions to charity, and
managerial compensation. This is a great responsibility. Directors can decide whether to
recommend extraordinary transactions to the shareholders, including the sale of substantial
corporate assets, acquisitions, spin-offs, mergers, dissolution, and charter amendments. The
board can not only screen entity-level transactions but also impede the shareholders from
transferring control by enacting strong defences to hostile takeovers. The important question
is how management can be made accountable to the shareholders or anyone else in exercising
their substantial powers within the constraints of the corporate form.

The increasing challenge for boards and management are the expectations around corporate
social responsibility (CSR). Prioritising CSR, and holding corporations accountable for effecting
social change with their business beliefs, practices, and profits, is of increasing importance to
entity stakeholders. In fact, some will even turn their back on entities if they believe they are not
taking a stand for societal and environmental issues.

Recognising how important social responsibility is to their customers, many companies now
focus on and practise a few broad categories of CSR:

• Environmental efforts. The environment is a primary focus of CSR. All entities,
regardless of size, have a large environmental footprint. Any steps they can take to
reduce these footprints (e.g. reducing carbon emissions) are considered good for the
entity and society.

• Ethical labour practices. Entities demonstrate their CSR by treating employees fairly and
ethically.

• Philanthropy. Donating money, products, or services to social causes is another way
that entities practise social responsibility. Larger entities tend to have resources that
can benefit charities and local community programmes.

• Volunteering. Entities can express their sincere concern for specific issues and support
for certain organisations by doing good deeds, like volunteering, without expecting
anything in return.

Again, the auditor needs to understand how social responsibilities are being addressed by
companies and their impact on culture and on the design, implementation, and monitoring
of controls. For example, if the auditor knew that a company had voluntarily decided on
environmental performance targets beyond those required by law, but found middle management
was ignoring the policy, it would raise serious questions about how the board was monitoring the
implementation of policy, specifically for the policy in question and perhaps more broadly.

2.2.7 Accountability
Accountability is the responsibility of management to provide the information that is useful to
the needs of the variety of stakeholders. It is a very important pillar of corporate governance
as it helps form the basis for the principal and agent relationship between stakeholders and
management. With that basis, the confidence of stakeholders in management can be increased.

Accountability can be taken at different levels depending on how much trust there is
between the parties to that relationship. There are three key components to accountability:

• Delegation. This occurs when responsibility for a decision or a task is given to someone
else in the expectation that they will ensure its correct fulfilment.

• Responsibility. A sense of obligation to ensure that a task that has been delegated is
fulfilled and to the standards expected.

• Legitimacy. Accountability of the ‘right’ of those demanding such an ‘account’ to make
that demand.

Accountability should have both an internal and an external focus, and to be truly effective
it must be recognised and accepted by all within an entity.

The auditor is intrinsically involved with management’s discharge of its responsibility
to be accountable, as the auditor’s primary responsibility is to provide assurance about the
assertions of management in financial statements and in other assurance circumstances
involving external reporting.

2.2.8 Reputation
Reputation or brand is one of an entity’s most valuable assets. According to a 2012 study by the
World Economic Forum, on average approximately 25% of an entity’s market value is directly
attributable to its reputation. Holding on to a good reputation or brand is critical to the value of
a company and thus significant focus should be placed on protecting and enhancing it. Where
companies have been seen to have done the wrong things, economic losses can be significant.

The board has a major role to play in helping advise management and the entity of the
potential reputational risks associated with the strategic directions of the company set by
the board. Non-executive directors (‘NEDs’) can be very beneficial in this process as they can
bring their external perspectives and experiences to assist in this process. Often the board will
require management to undertake sensitivity analysis or scenario development to determine
possible impacts that a strategy may have on the reputation of the company. The board
should play an active role in this assessment by providing perspective and feedback that could
ultimately lead to changes to the strategy and the associated identified risks and opportunities.

Entities often look internally to strengthen their ability to detect and mitigate reputation
problems. An effective whistle-blower programme, for example, can help bring to light problems
within the entity that may be compromising its reputation. Entities must, however, be aware of
what is being said about them by parties outside the entity as well, which can often be achieved
through engaging in dialogue with brokers or doing broad surveys of stakeholders.

The auditor can look at the ways in which an entity guards its reputation and better
understand the motivations and actions of management. Positively, commitment
to a strong reputation is likely to be a characteristic of strong corporate governance.
Negatively, preoccupation with reputation can see management being unwilling to candidly
reveal bad news.

2.2.9 Judgement
Judgement can take two perspectives. Firstly, there is the quality of decision making by the
board and management of an entity and, secondly, by parties outside the entity linked to
an assessment of the decisions made by the entity, when determining whether to become a
stakeholder of the entity. Judgements will be made on an entity’s delivery on all the corporate
governance principles addressed in this chapter. The value of any entity is only as good
as how it is driven and maintained. Poor internal judgements around strategy, risk, and
corporate governance can have a long-lasting detrimental effect on the underlying value of
an entity.

Respect by an auditor for the judgement of a board and senior management will be
influential in how an auditor goes about forming an independent opinion. Expressed
differently, a lack of regard for judgement is likely to see the auditor’s risk assessment increase,
resulting in seeking more evidence for assertions made by management.

2.2.10 Integrity
Integrity is generally understood to describe moral virtue. A person of integrity is one who
observes a steadfast adherence to a moral or ethical code notwithstanding any other pressures
on him or her to act otherwise.

Integrity is very important in the corporate governance framework for a number of reasons:

1. Corporate governance will not cover every situation the company may face. The
maintenance of good corporate governance will sometimes depend on judgement that
the areas of most significance to stakeholders are being sufficiently managed. In this
instance, integrity would play an important role.

2. Integrity is partly about proper dealing in relationships, which is key to managing and
maintaining relationships with all stakeholders.

3. Good corporate governance is also about maintaining confidence that the company is
being run honestly and that the directors have integrity. This will promote confidence in
the entity.

As with the other characteristics described above, the presence of integrity is critical for the
quality of corporate governance and for how the external auditor designs an audit.

Ethics in Practice 1
The characteristics and behavioural traits of good corporate governance discussed above
are consistent with the HKICPA’s Code of Ethics for Accountants. Expressed differently, they
are also of vital importance to auditors in understanding their clients and in providing
their professional auditing services.

Key Learning Point


The behavioural traits of individuals within an entity are critical to the success or otherwise
of corporate governance. Entities should articulate very clearly their expectations of the
behaviours that should be exhibited by all personnel, including board members.

Knowledge Check Questions

Question 2
Explain why a company’s reputation is important and how good corporate governance can
assist in maintaining or improving the company’s reputation.


2.3 PROVISIONS OF INTERNATIONAL CODES OF CORPORATE GOVERNANCE (SUCH AS THE ORGANIZATION FOR ECONOMIC COOPERATION AND DEVELOPMENT (‘OECD’)) THAT ARE MOST RELEVANT TO AUDITORS

There are several international codes relating to corporate governance that have relevance
for auditors. The OECD code covered here and the ISO codes covered in Section 2.5.4 have an
indirect relevance. The provisions of the Sarbanes–Oxley Act covered in Section 2.7 have direct
relevance where Hong Kong entities are listed on a US stock exchange or for subsidiaries in
Hong Kong of US listed entities.

The OECD started considering the need for a corporate governance code in the 1990s,
partly as a result of corporate scandals but partly in response to the needs of a rapidly
expanding global marketplace.

The G20/OECD Principles of Corporate Governance help country level policy makers
evaluate and improve the legal, regulatory, and institutional framework for corporate
governance. They also provide guidance for stock exchanges, investors, corporations, and
others that have a role in the process of developing good corporate governance. The Principles
were first issued in 1999 and endorsed by the G20, an international forum for the governments
and central banks of the twenty richest countries in the world, with the aim to discuss
policy pertaining to the promotion of international financial stability. They have become the
international benchmark in corporate governance. The Principles have been adopted as one of
the Financial Stability Board’s key standards for sound financial systems and have been used by
the World Bank Group in more than 60 country reviews worldwide. They also serve as the basis
for the guidelines, issued by the Basel Committee on Banking Supervision, on the corporate
governance of banks.

Many individual jurisdictions have issued their own corporate governance principles, which
can create difficulties where entities operate across several jurisdictions.

The six OECD principles are:

1. The corporate governance framework should promote transparent and fair markets
and the efficient allocation of resources. It should be consistent with the law and
support effective supervision and enforcement.

2. The corporate governance framework should protect and facilitate the exercise of
shareholders’ rights and ensure the equitable treatment of all shareholders, including
minority and foreign shareholders. All shareholders should have the opportunity to
obtain effective redress for violation of their rights.

3. The corporate governance framework should provide sound incentives throughout the
investment chain and provide for stock markets to function in a way that contributes to
good corporate governance.


4. The corporate governance framework should recognise the rights of stakeholders
established by law or through mutual agreements and encourage active co-operation
between corporations and stakeholders in creating wealth, jobs, and the sustainability
of financially sound enterprises.

5. The corporate governance framework should ensure that timely and accurate
disclosure is made of all material matters regarding the corporation, including the
financial situation, performance, ownership, and governance of the company.

6. The corporate governance framework should ensure strategic guidance of the
company, the effective monitoring of management by the board, and the board’s
accountability to the company and the shareholders.

A number of the provisions supporting the six OECD principles are relevant to external
auditors. These discussions are outlined in Exhibit 2.1.

The duties of directors: The provisions provide a reinforcement that should indirectly assist external auditors as they encourage independence, integrity, and due care, which if applied appropriately could reduce the likelihood of fraud.

Division of responsibilities: It is stated that they should be clearly articulated and designed to serve public interest. This could help external auditors if the control mechanisms surrounding the divisions are considered to be effective.

Related party transactions: These are to be approved and conducted in a manner that ensures proper management of conflicts of interest and protects the interest of the company and its shareholders. There should be adequate disclosures and minority shareholders should be protected. If followed, this principle may assist external auditors with their obligations under HKSA 550 (Clarified), Related Parties.

Acquisitions, mergers, and sales: They should be clearly communicated so that investors understand their rights and recourse. Transactions should occur at transparent prices and under fair conditions. If effectively implemented, this principle may assist the external auditor with their obligations under HKFRS 3 (Revised), Business Combinations, and HKSA 540 (Revised), Auditing Accounting Estimates and Related Disclosures.

Stakeholders: Including individual employees and their representative bodies, being able to freely communicate their concerns about illegal or unethical practices to the board and to the competent public authorities, and their rights should not be compromised for doing this. If effectively implemented, this principle might assist the external auditor with their obligations under the Code of Ethics in relation to Non-compliance with Laws and Regulations (NOCLAR) and the obligations under HKSA 240, The Auditor’s Responsibilities Relating to Fraud in an Audit of Financial Statements.

Open disclosure of financial and operating results of the company including:
• Remuneration of members of the board and key executives.
• Foreseeable risk factors.
• Issues regarding employees and other stakeholders.
• Governance structures and policies including content of any corporate governance code or policy and the process by which it is implemented.
The provisions could assist external auditors in determining the completeness and accuracy of financial information to be presented in the entity’s financial statements.

The preparation of financial statements: Needs to be in line with reputable accounting standards. If effectively implemented this would facilitate the completion of an audit.

EXHIBIT 2.1 Provisions supporting OECD principles


The audit: Conducted by an independent, competent, and qualified auditor in accordance with high-quality auditing standards in order to provide an external and objective assurance to the board and shareholders that the financial statements fairly represent the financial position and performance of the company in all material respects in accordance with the applicable accounting framework. This complies with auditing standards.

External auditors: Need to be accountable to the shareholders and owe a duty of care to the company. This is compatible with long-established auditing principles.

Channels for disseminating information: Provision of equal, timely, and cost-efficient access to relevant information by users. Auditors will need to be mindful of the various means of communication to ensure that what is said is not incompatible with the audited financial statements.

EXHIBIT 2.1 (Continued)

2.3.1 Limitation of International Codes


The inherent limitation of international codes is that they are not linked specifically to the laws,
regulations, and culture of any one country. More specifically, they are not written for Hong
Kong. While the OECD or other jurisdictional codes can act as an excellent reference base, it is
important that their key themes are moulded to the relevant jurisdiction.

Knowledge Check Questions

Question 3
Nominate the five supporting provisions to the OECD principles that should register with
external auditors the most and explain why.

2.4 CORPORATE GOVERNANCE DEVELOPMENTS IN HONG KONG AND THE STRUCTURE OF THE CODE ON CORPORATE GOVERNANCE PRACTICES AND CORPORATE GOVERNANCE REPORT IN HONG KONG

In Hong Kong, the first formal corporate governance initiative was launched in 1992 when
the HKEx introduced the corporate governance project, leading to the Code of Best Practice in
1993. In 2005, the HKEx adopted the Code of Corporate Governance in place of the Code of Best
Practice. The current code was last updated in 2016; however, further improvements based on
the outcomes of a review undertaken by HKEx became effective from 1 January 2019 and will
be discussed in Section 2.8 later in this chapter.


One of the roles of the HKEx is to provide a sound and effective corporate governance
framework for issuers in the furtherance of investor protection. The HKEx achieves this through
a combination of Listing Rules and other provisions in the Corporate Governance Code.

The Listing Rules require a mandatory standard of corporate governance for all Hong Kong
Listed Companies (‘issuers’). Breaches may lead to sanctions.

2.4.1 Structure of the Corporate Governance Code


The Code sets out the principles of good corporate governance and two levels of
recommendations:

• Code provisions

• Recommended best practices.

Issuers are expected to comply with, but may choose to deviate from, the code provisions.
The recommended best practices are for guidance only. Issuers have the option of devising
their own code on corporate governance on the terms they believe appropriate. This should
not be at a lower level than the code, unless adequately disclosed.

Issuers must state whether they have complied with the code provisions for the relevant
accounting period in their interim reports (and summary interim reports, if any) and annual
reports (and summary financial reports, if any).

Every issuer must carefully review each code provision and, where it deviates from any of
them, it must give considered reasons:

• In annual reports (and summary financial reports), in the Corporate Governance
Report, and

• In interim reports (and summary interim reports), either:

° By giving considered reasons for each deviation or

° To the extent it is reasonable and appropriate, by referring to the Corporate
Governance Report in the preceding annual report, and providing details of any
changes with considered reasons for any deviation not reported in that annual
report. The references must be clear and unambiguous and the interim report
(or summary interim report) must not contain only a cross-reference without any
discussion of the matter.

Issuers are encouraged, but not required, to state whether they have complied with the
recommended best practices and give considered reasons for any deviation.

The Code consists of six sections:

A. Directors;

B. Remuneration of directors and senior management;

C. Accountability and audit;

D. Delegation by the board;

E. Relationships with shareholders and other stakeholders; and

F. Company secretary.


A summary of the focus points in each of the six sections is as follows:

A. Directors

There should be structure around the everyday function of the board, to instill
stakeholder confidence in the overall governance of the entity. To this end there should
be specific arrangements in relation to:

• Major roles and functions of the board;

• Board process;

• Roles and responsibilities of the chairman and chief executive;

• Board composition (number, diversity);

• Appointment, election, and removal of directors;

• Independence of directors (executive versus non-executive directors);

• Responsibilities and the expected conduct of directors;

• Supply of and access to financial and non-financial information; and

• Board evaluation.

B. Remuneration of directors and senior management

The remuneration policy of an entity should be as transparent as possible, particularly
that of the directors and senior management. This is in order to demonstrate the
objective of attracting and retaining high-quality personnel to deliver the long-term
growth and sustainability of the entity. The entity should consider the following:

• The major role and function of the remuneration committee.

• The overall remuneration policy for the entity.

• Remuneration structure.

• Share-based payment offerings.

C. Accountability and audit

The board has the ultimate responsibility for ensuring the integrity of the entity’s
financial statements, accounting policies, financial reporting systems, and internal
controls, as well as effective systems of risk management. The board must ensure
that it is given sufficient and appropriate information to enable it to discharge its
responsibilities. The board through the audit and risk committees needs to set:

• Internal audit, charter, methodology, and process, including assessing who best to
conduct such a role, whether internal or external.

• Understand and respond to the findings of the internal audit function.

• The criteria for appointment of the external auditor. This should include an outline
and understanding of the objectivity and independence of the external auditor.

• Policy on the provision of non-assurance services provided by the external auditor.

• The board through the audit committee needs to consider the recommendations
of the external auditor on the operational and financial risks identified through the
audit process at the half year and the full year.


D. Delegation by the board

The responsibilities of board members are vast and often an entity’s board comprises
people from varying backgrounds, knowledge, skills, and experience. To direct an
entity that is listed on any of the Hong Kong exchanges can be very complex, and key
messages from the business could be lost if dealt with in detail only when the full
board meets. Over the years there has been strong recognition of the need for more
specialised meetings of board sub-committees, which are normally as follows:

Board Committees:

• Audit committee;

• Corporate social responsibility committee;

• Executive committee;

• Investment advisory committee;

• Nomination and governance committee;

• Panel member selection committee; and

• Risk committee.

E. Relationships with shareholders and other stakeholders

Candid and constructive communication with shareholders and wider stakeholders is
critical in a system of good corporate governance. The following should be considered:

• Particulars of shareholders’ rights and, if applicable, obligations.

• Limitation on shareholding, if applicable.

• Shareholder communication policy.

• Structure of the conduct of general meetings.

• Shareholder guide.

• Stakeholder communication policy.

F. Company secretary

The company secretary supports the chairman in promoting the highest standards
of corporate governance and facilitating the effective functioning of the board and
its committees, where appropriate. One of the key roles the company secretary plays
is to ensure that all applicable laws and regulations are complied with by each of the
directors on the board.

2.4.2 Corporate Governance Report


Listed companies are required to include a Corporate Governance Report (CGR) in each annual
report and summary financial report, if any. (These can be viewed in Appendix 14, Main Board
Listing Rules of the HKEx, and Appendix 15 of the GEM Listing Rules of the HKEx.) There are two
levels of disclosure set out by a CGR: mandatory disclosure requirements (Sections G to Q) and
recommended disclosures (Sections R to T).


Auditors, while not opining on the content of the CGR, have responsibilities for other
information disclosed in the annual reports, such as those under HKSA 720 (Revised), The Auditor’s
Responsibilities Relating to Other Information. HKSA 720 (Revised) requires the auditor to read
and consider other information for material inconsistencies with the financial statements
or with the auditor’s knowledge (this topic is covered in detail in Chapter 10 of this module).
Auditors therefore need to be aware of the full extent of the annual report disclosures in order
to meet the requirements of HKSA 720 (Revised).

2.4.2.1 Mandatory Disclosure Requirements


These disclosure requirements have been established to increase transparency, with the
following information needing to be included for each accounting period, supplemented by
information about significant subsequent events up until the date of publication of the Annual
Report (including the audited financial statements):

G. Corporate governance practices

(a) A narrative statement explaining how the issuer has applied the principles in the Code,
enabling its shareholders to evaluate how the principles have been applied;

(b) A statement as to whether the issuer meets the code provisions. If an issuer has
adopted its own code that exceeds the code provisions, it may draw attention to this
fact in its annual report; and

(c) For any deviation from the code provisions, details of the deviation during the financial
year (including considered reasons).

H. Directors’ securities transactions

For the Model Code set out in Appendix 10 of the Main Board Listing Rules of the HKEx and
Appendix 14 of the GEM Listing Rules:

(a) Whether the issuer has adopted a code of conduct regarding directors’ securities
transactions on terms no less exacting than the required standard set out in the
Model Code;

(b) Having made a specific enquiry of all directors, whether the directors of the issuer
have complied with, or whether there has been any non-compliance with, the required
standard set out in the Model Code and its code of conduct regarding directors’
securities transactions; and

(c) For any non-compliance with the required standard set out in the Model Code, if
any, details of these and an explanation of the remedial steps taken by the issuer to
address them.

I. Board of directors

(a) Composition of the board, by category of directors, including name of chairman,
executive directors, non-executive directors, and independent non-executive directors;

(b) Number of board meetings held during the financial year; and

(c) Attendance of each director, by name, at the board and general meetings.


Notes:

1. Subject to the issuer’s constitutional documents and the law and regulations of its
place of incorporation, attendance by a director at a meeting by electronic means
such as telephonic or video-conferencing may be counted as a physical attendance.

2. If a director is appointed part way during a financial year, his attendance should be
stated by reference to the number of board meetings held during his tenure.

(d) For each named director, the number of board or committee meetings he attended and
separately the number of board or committee meetings attended by his alternative.
Attendance at board or committee meetings by an alternative director should not be
counted as attendance by the director himself;

(e) A statement of the respective responsibilities, accountabilities, and contributions of
the board and management. In particular, a statement of how the board operates,
including a high-level statement on the types of decisions taken by the board and those
delegated to management;

(f) Details of non-compliance (if any) with rules 3.10(1) and (2), and 3.10A (GEM rules
5.05(1) and (2), and 5.05A) and an explanation of the remedial steps taken to address
non-compliance. This should cover non-compliance with appointment of a sufficient
number of independent non-executive directors and appointment of an independent
non-executive director with appropriate professional qualifications, or accounting or
related financial management expertise;

(g) Reasons why the issuer considers an independent non-executive director to be
independent where they fail to meet one or more of the guidelines for assessing
independence set out in rule 3.13 (GEM rule 5.09);

(h) Relationship (including financial, business, family, or other material/relevant
relationship(s)), if any, between board members and, in particular, between the
chairman and the chief executive; and

(i) How each director, by name, complied with A.6.5 of the Code (GEM same reference).

J. Chairman and chief executive

(a) The identity of the chairman and chief executive; and

(b) Whether the roles of the chairman and chief executive are separate and exercised by
different individuals.

K. Non-executive directors

The term of appointment of non-executive directors.

L. Board committees

The following information for each of the remuneration committee, nomination committee,
audit committee, risk committee, and corporate governance functions:

(a) The role and function of the committee;

(b) The composition of the committee and whether it comprises independent
non-executive directors, non-executive directors, and executive directors (including
their names and identifying the chairman of the committee);


(c) The number of meetings held by the committee during the year to discuss matters and
the record of attendance of members, by name, at meetings held during the year; and

(d) A summary of the work during the year, including:

(i) For the remuneration committee, determining the policy for the remuneration of
executive directors, assessing performance of executive directors and approving
the terms of executive directors’ service contracts, performed by the remuneration
committee. Disclose which of the two models of remuneration committee described
in B.1.2(c) of the Code (GEM same reference) was adopted;

(ii) For the nomination committee, determining the policy for the nomination of
directors, performed by the nomination committee or the board of directors (if
there is no nomination committee) during the year. The nomination procedures
and the process and criteria adopted by the nomination committee or the board
of directors (if there is no nomination committee) to select and recommend
candidates for directorship during the year. If the nomination committee (or the
board) has a policy concerning diversity, this section should also include the board’s
policy or a summary of the policy on board diversity, including any measurable
objectives that it has set for implementing the policy, and progress on achieving
those objectives;

(iii) For corporate governance, determining the policy for the corporate governance of
the issuer, and duties performed by the board or the committee(s) under D.3.1 of
the Code (GEM same reference); and

(iv) For the audit committee, a report on how it met its responsibilities in its review
of the quarterly (if relevant), half-yearly, and annual results, and unless expressly
addressed by a separate risk committee, or the board itself, its review of the risk
management and internal control systems, the effectiveness of the issuer’s internal
audit function, and its other duties under the Code. Details of non-compliance with
rule 3.21 (if any) (GEM rule 5.28 (if any)) and an explanation of the remedial steps
taken by the issuer to address non-compliance with establishment of an audit
committee; and

(v) For the risk committee (if any), a report on how it met its responsibilities in its
review of the risk management and internal control systems and the effectiveness
of the issuer’s internal audit function.

M. Auditor’s remuneration (all GEM references in this section are the same)

An analysis of remuneration in respect of audit and non-audit services provided by the
auditors (including any entity that is under common control, ownership, or management
with the audit firm or any entity that a reasonable and informed third party having
knowledge of all relevant information would reasonably conclude as part of the audit firm
nationally or internationally) to the issuer. The analysis must include, in respect of each
significant non-audit service assignment, details of the nature of the services and the
fees paid.

Note that the code provisions expect issuers to make certain specified disclosures
in the Corporate Governance Report. Where issuers choose not to make the expected
disclosure, they must give considered reasons for not doing so under paragraph G(c) of the
Code. For ease of reference, the specific disclosure expectations of the code provisions are:

1. Directors’ acknowledgement of their responsibility for preparing the accounts
and a statement by the auditors about their reporting responsibilities (C.1.3 of
the Code);

2. Report on material uncertainties, if any, relating to events or conditions that may cast
significant doubt upon the issuer’s ability to continue as a going concern (C.1.3 of
the Code);

3. A statement that the board has conducted a review of the effectiveness of the internal
control system of the issuer and its subsidiaries (C.2.1 of the Code); and

4. A statement from the audit committee explaining its recommendation and the
reason(s) why the board has taken a different view from the audit committee on
the selection, appointment, resignation, or dismissal of external auditors (C.3.5 of
the Code).

N. Company secretary

(a) Where an issuer engages an external service provider as its company secretary, its
primary corporate contact person at the issuer (including their name and position); and

(b) Details of non-compliance with rule 3.29 (GEM rule 5.15).


O. Shareholders’ rights

(a) How shareholders can convene an extraordinary general meeting;

(b) The procedures by which enquiries may be put to the board and sufficient contact
details to enable these enquiries to be properly directed; and

(c) The procedures and sufficient contact details for putting forward proposals at
shareholders’ meetings.

P. Investor relations

Any significant changes in the issuer’s constitutional documents during the year.

Q. Risk management and internal control

Where an issuer includes the board’s statement that it has conducted a review of its risk
management and internal control systems in the annual report under code provision C.2.1
(GEM same reference), it must disclose the following:

(a) Whether the issuer has an internal audit function;

(b) How often the risk management and internal control systems are reviewed, the
period covered, and where an issuer has not conducted a review during the year, an
explanation why not; and

(c) A statement that a review of the effectiveness of the risk management and internal
control systems has been conducted and whether the issuer considers them effective
and adequate.


2.4.2.2 Recommended Disclosures


The disclosures set out in the following paragraphs (Sections R to T) on corporate governance
matters are provided for issuers’ reference. They are not intended to be exhaustive or
mandatory. They are intended to show the areas on which issuers may comment in their
Corporate Governance Report. The level of detail needed varies with the nature and complexity
of issuers’ business activities. Issuers are encouraged to include the following information in
their Corporate Governance Report:

R. Share interests of senior management

The number of shares held by senior management (i.e. those individuals whose
biographical details are disclosed in the annual report).

S. Investor relations

(a) Details of shareholders by type and aggregate shareholding;

(b) Details of the last shareholders’ meeting, including the time and venue, major items
discussed, and voting particulars;

(c) Indication of important shareholders’ dates in the coming financial year; and

(d) Public float capitalisation at the year end.

T. Management functions

The division of responsibility between the board and management.

Note that issuers may consider that some of the information recommended under
paragraphs R to T is too lengthy and detailed to be included in the Corporate Governance
Report. As an alternative to full disclosure in the Corporate Governance Report, issuers may
choose to include some or all of this information:

(a) On its website and highlight to investors where they can:

(i) Access the soft copy by giving a hyperlink direct to the relevant webpage; and/or

(ii) Collect a hard copy of the relevant information free of charge; or

(b) Where the information is publicly available, by stating where the information can be
found. Any hyperlink should be direct to the relevant webpage.

Knowledge Check Questions

Question 4
List the considerations a board should address when establishing governance pertaining to
shareholders and other stakeholders.

Question 5
Describe what must be disclosed in the Corporate Governance Report in relation to
corporate governance practices.


Knowledge Check Questions (continued)


Question 6
Identify which of the following is not a recommended disclosure in the Corporate
Governance Report.
A Share interests of senior management
B Investor relations
C Share interests of directors
D Management functions.

2.5 DIRECTORS’ RESPONSIBILITIES AS DEFINED BY THE COMPANIES ORDINANCE AND HONG KONG STOCK EXCHANGE LISTING RULES

Directors’ legal responsibilities, as defined under Part 10, Part 11, and Part 12 of the Hong Kong
Companies Ordinance (Cap.622), are covered under the following provisions. They are listed in
Exhibits 2.2 and 2.3 as a useful directory, as Company Law per se is beyond the scope of this
module. It should be noted that this section covers all legal responsibilities of those directing
a company. This is because, in governing a company, directors have a responsibility to comply
with the law. Expressed differently, non-compliance with director responsibilities under the law
is not in keeping with proper governance and is potentially quite damaging for the company.
This section provides a single place to see those responsibilities.

Section Section requirement


s.453 Public company and company limited by guarantee required to have at least two
directors.
s.454 Private company required to have at least one director.
s.456 Restriction on a body corporate from being a director.
s.457 Requirement to have at least one director who is a natural person.
s.459 Minimum age for the appointment of a director is 18.
s.460 Appointment of each director is to be by vote at an Annual General Meeting (AGM) for a
public company and a company limited by guarantee.
s.461 Directors’ acts are valid even if a subsequent discovery finds that the person should not
have been appointed as a director.
s.462 Directors can be removed at an AGM by a normal resolution before the end of the
directors’ tenures.
s.463 Directors have the right to protest against removal.

EXHIBIT 2.2 Companies Ordinance

s.464 A director of a company may, unless it is otherwise provided in the articles of the
company or by any agreement with the company, resign as a director at any time.
s.465 Duty to exercise reasonable care, skill, and diligence.
(1) A director of a company must exercise reasonable care, skill, and diligence.
(2) ‘Reasonable care, skill, and diligence’ means the care, skill, and diligence that would
be exercised by a reasonably diligent person with:
(a) The general knowledge, skill, and experience that may reasonably be expected
of a person carrying out the functions carried out by the director in relation to
the company; and
(b) The general knowledge, skill, and experience that the director has.
(3) The duty specified in subsection (1) is owed by a director of a company to
the company.
(4) The duty specified in subsection (1) has effect in place of the common law rules
and equitable principles as regards the duty to exercise reasonable care, skill, and
diligence owed by a director of a company to the company.
(5) This section applies to a shadow director as it applies to a director.
(6) For the purposes of subsection (5), a body corporate is not to be regarded as a
shadow director of any of its subsidiaries by reason only that the directors, or a
majority of the directors, of the subsidiary are accustomed to act in accordance with
its direction or instructions.
s.468 Any provisions protecting a director from liability will be void if the director is in
contravention of Section 465.
s.469 Limited indemnity provisions.
s.470 Permitted indemnities to be disclosed in the directors’ report.
s.471 Copy of permitted indemnity provision should be kept at the registered office.
s.472 Members have a right to inspect and request a copy.
s.500 Without the prescribed approval of its members a company must not make a loan, etc.,
to a director or body corporate controlled by a director.
s.501 Without the prescribed approval of its members a specified company must not make a
quasi-loan, etc., to a director.
s.502 Without the prescribed approval of its members a specified company must not make a
loan or quasi-loan, etc., to a connected entity.
s.503 Without the prescribed approval of its members a specified company must not enter
into a credit transaction, etc., as a creditor for a director or connected entity.
s.504 Company must not take part in an arrangement purporting to circumvent Sections
500 to 503.
s.505 Exception for loan, quasi-loan, and credit transaction of value not exceeding 5% of net
assets or called-up share capital.
s.506 Exception for expenditure on company business.
s.534 Without the prescribed approval of its members a company must not agree to any
provisions under which the guaranteed term of the employment of a director of the
company with the company exceeds or may exceed 3 years.

EXHIBIT 2.2 (Continued)

s.536 Director must declare material interests.
(1) If a director of a company is in any way, directly or indirectly, interested in a
transaction, arrangement, or contract, or a proposed transaction, arrangement, or
contract, with the company that is significant in relation to the company’s business,
and the director’s interest is material, the director must declare the nature and
extent of the director’s interest to the other directors in accordance with Sections
537, 538, and 539.
(2) If an entity connected with a director of a public company is in any way, directly
or indirectly, interested in a transaction, arrangement, or contract, or a proposed
transaction, arrangement, or contract, with the company that is significant in
relation to the company’s business, and the connected entity’s interest is material,
the director must declare the nature and extent of the connected entity’s interest to
the other directors in accordance with Sections 537, 538, and 539.
(3) If a declaration made under Subsection (1) or (2) proves to be, or becomes,
inaccurate or incomplete, the director must make a further declaration in
accordance with Sections 537, 538, and 539.
(4) This section does not require a director to declare an interest:
(a) If the director is not aware of the interest or the transaction, arrangement, or
contract in question; or
(b) If, or to the extent that, the interest concerns the terms of the director’s service
contract that have been or are to be considered by:
(i) A meeting of the directors; or
(ii) A committee of the directors appointed for the purpose under the
company’s articles.
(5) For the purposes of subsection (4)(a), a director is to be regarded as being aware of
matters of which the director ought reasonably to be aware.
(6) This section does not affect the operation of any other Ordinance or rule of law
restricting a director of a company from having any interest in a transaction,
arrangement, or contract with the company.
s.537 A declaration made under Section 536 must be made as soon as reasonably practical.
s.538 Declaration to directors, the procedures.
s.566 Members’ power to request directors to call a general meeting with at least 5% of the
total voting rights of all members having the right to vote at a general meeting.
s.567 As a result of Section 566, directors have a duty to call a general meeting within 21 days
after the date on which they become subject to the requirement.
s.575 Duty to give notice of a general meeting to the auditor.
s.610 Requirement to hold an annual general meeting: for a private company or a company
limited by guarantee, within nine months of the end of the accounting period; in the
case of all other companies, 6 months after the end of the accounting period.
s.618 A company must keep copies of resolutions passed by members at general meetings.
s.619 A company must keep the records mentioned in Section 618 at the company’s registered
office or a prescribed place.
s.643 Particulars of directors to be registered.

EXHIBIT 2.2 (Continued)

Part 4 ss.140 and 141 Directors of a company may exercise a power to:
(a) Allocate shares in the company; or
(b) Grant rights to subscribe for, or convert any security into, shares in the
company, if the company gives approval in advance by resolution of
the company.
Part 5 Division 2 Director requirement to make a solvency statement.
Part 9 ss.373, 374, and 375 A company must keep accounting records and they must be accessible at
any time to directors and directors must be allowed to make a copy of the
accounting records in the course of inspection.
Part 9 s.379 Directors must prepare financial statements, a copy of which is laid before
a company in a general meeting under Section 429, or is sent to a member
under Section 430.
Part 9 s.380 The annual financial statements for a financial year:
(a) Must give a true and fair view of the financial position of the company/
group, such as at the end of the financial year; and
(b) Must give a true and fair view of the financial performance of the
company/group for the financial year.
The financial statements must also comply with any other requirements
of the Hong Kong Companies Ordinance (Cap.622) in relation to the financial
statements and the accounting standards applicable to the financial
statements.
Part 9 s.383 (1) Notes to the financial statements must contain information on directors’
emoluments:
(a) The directors’ emoluments;
(b) The directors’ retirement benefits;
(c) Payments made, or benefits provided, in respect of the termination of
the service of directors, whether in the capacity of directors or in any
other capacity while directors;
(d) Loans, quasi-loans, and other dealings in favour of:
(i) Directors of the company and of a holding company of
the company;
(ii) Bodies corporate controlled by such directors; and
(iii) Entities connected with such directors;
(e) Material interests of directors in transactions, arrangements, or
contracts entered into by the company or another company in the
same group of companies; and
(f) Consideration provided to or receivable by third parties for making
available the services of a person as director or in any other capacity
while director.

EXHIBIT 2.3 Other responsibilities elsewhere in Hong Kong Companies Ordinance (Cap.622)

Part 9 s.383 (2) In subsection (1):


(a) A reference to a director:
(i) In the case of subsection (1)(b), includes a former director;
(ii) In the case of subsection (1)(c), includes a former director and
shadow director; and
(iii) In the case of subsection (1)(d) and (e), includes a
shadow director;
(b) A reference to a body corporate controlled by a director has the
meaning given by Section 492; and
(c) A reference to an entity connected with a director has the meaning
given by Section 486.
(3) Despite subsection (1)(d), the financial statements for a financial year
are not required to contain the information prescribed by the Regulation
for the purposes of that subsection if the company complies with the
requirements prescribed by the Regulation for the purposes of this
subsection.
(4) The notes to any financial statements must also comply with other
requirements prescribed by the Regulation.
(5) A person who is, or has been during the preceding 5 years, a director or
shadow director of a company must give notice to the company of any
matter that:
(a) Is prescribed by the Regulation;
(b) Relates to the person; and
(c) Is necessary for the purposes of subsection (1).
Part 9 s.388 Directors must prepare the directors’ report.
Part 9 s.391 Directors’ report to be approved and signed.

EXHIBIT 2.3 (Continued)

As described elsewhere in this chapter, there are many components to a corporate
governance framework, not only the board and the requirements of the board as
summarised here but also management and board committees. Board committees are
established to give deeper consideration to certain areas of the business, e.g. the audit
committee. This section will also explore a number of the board committees that a listed
entity would be required to have.

2.5.1 HKEx Listing Rules


Exhibit 2.4 is a summary of the HKEx Listing Rules in relation to board responsibilities and
effectiveness.

Note that for financial periods commencing 1 January 2019, it is a ‘comply or explain’
requirement that issuers should explain in the Corporate Governance Report that the proposed
independent non-executive director (‘INED’) would be able to devote sufficient time to the
board if the person will be holding their seventh (or more) listed issuer directorship or provide
the reasons why they cannot meet this requirement. INEDs sitting on multiple boards will need
to ensure that they devote sufficient time to each board and each board’s committees.

The board’s responsibilities should include:
Leading, directing, and supervising the issuer’s affairs to enable the long-term success of the issuer.
Setting strategic objectives with appropriate focus on value creation and risk management.
Ensuring transparency; that is, appropriate and adequate reporting in annual reports including financial statements, corporate governance, and environmental, social, and governance (‘ESG’) disclosures of the board’s practices and policies.
Being accountable.
Ensuring adequacy of resources, staff qualifications, and experience, especially for issuer’s accounting, internal audit, and financial reporting.

All directors:
Whether they are executive directors (‘EDs’), non-executive directors (‘NEDs’), or independent non-executive directors (‘INEDs’), they are subject to the same legal duty under the Hong Kong Companies Ordinance (Cap.622) and the Listing Rules.
They must, in the performance of their duties as directors, act honestly and in good faith in the interests of the issuer as a whole and avoid actual and potential conflicts of interest.
Before accepting a role as a director, they should devote time to understand the issuer, such as visiting the operations of the issuer, speaking to staff, and researching what has been written about the issuer and what financial brokers are saying.
When joining a board they should have access to an induction training programme designed for new directors. It is the responsibility of all directors to ensure that they keep abreast of the latest developments in the laws and regulations as they pertain to the issuer to enable them to discharge their responsibilities. Directors should access appropriate training to maintain their skills at an adequate level.
Need to understand that they are not expected to be a subject expert in all matters. However, they should have an appropriate level of knowledge to understand matters raised at board meetings and be able to actively probe and otherwise discharge their responsibilities.
Should carry out sufficient due diligence on matters and not simply rely on representations of management or reliance on professional advisors or experts.
Management have a responsibility to ensure the board is getting the right level of information in order for directors to gain a good understanding of the transactions or issues at hand.
They must understand that, when faced with disciplinary proceedings for failing to discharge their duties and responsibilities, it is not a defence to claim that they did not receive adequate information from the issuer or that they did not understand the relevant transactions.

Executive directors (‘EDs’)
Are involved in the everyday operations of the issuer. EDs should ensure that management, especially other members of senior management, is accountable to the board and ultimately to the shareholders.

Non-executive directors (‘NEDs’)
Are not independent but do not come from the issuer’s management team.

EXHIBIT 2.4 Summary of the HKEx Listing Rules relating to board responsibilities and
effectiveness

Independent non-executive directors (‘INEDs’)
Are independent directors fulfilling the independence criteria under the HKEx Listing Rules.
For a new listing entity, it is recommended that they be appointed at least two
months prior to listing.
Are expected to:
• Bring an independent judgement to bear on issues of strategy, policy,
performance, accountability, and resources;
• Take the lead where potential conflicts of interest arise; and
• Serve on committees if invited.
May not be industry experts, but they may have more broad skills, such as legal,
accounting, IT, and human resources, which enhance the skills matrix of the board.
Should not accept a board appointment if they have insufficient time to devote
to the role.

EXHIBIT 2.4 (Continued )

2.5.2 Management Responsibilities within Corporate Governance


Senior management comprises those managers responsible for managing and controlling the
entity’s business and day-to-day operations with the aim of securing a significant, sustained
increase in the value of the entity for its shareholders as directed by the board. The Chief
Executive Officer (‘CEO’) prepares matters for decision by the board of directors, develops the
entity and any group it has in line with the targets agreed upon with the board of directors, and
ensures proper implementation of the decisions of the board of directors. Senior management
has the responsibility to ensure that there is an appropriate controls framework such that
there is openness and transparency in relation to the operations of the entity to maintain the
integrity and reputation of the entity.

It is further the duty of the CEO to ensure that the entity’s operations are in compliance
with the laws and regulations applicable at the time.

Senior management makes the important decisions in executive meetings, and such
decisions need to be recorded in the minutes of these meetings. Those minutes need to be
available to the board.

2.5.3 Board Committees’ Structure and Roles and Drawbacks and Limitations

2.5.3.1 Nomination Committee


The composition of the Nomination Committee is a minimum of five independent
non-executive directors.

The expectations of the Nomination Committee as set out in the HKEx Listing Rules are:

(1) The nomination committee’s key role is board recruitment. It must evaluate and assess
the best mix of skills and knowledge of the board, taking into consideration the entity’s
agreed strategies and objectives. The nomination committee focuses on the skills that
are available as a board, and determines whether these are appropriate for the current
situation that the entity is in, the challenges it might be facing, and the opportunities
that it might wish to explore.

Note that, under the amendments to the Corporate Governance Code effective 1 January
2019, in addition to the above there should be an established policy on how to identify
potential directors. The selection process should be transparent and fair. Issuers are
encouraged to select from a broad range of candidates who are outside those known to
the entity, and reference should be made to the entity’s diversity policy.

(2) Developing a list of desirable skills is a strategic way of determining what to look for in
director candidates. There is an increasing trend for boards to complete a skills matrix,
with the process being either internally or externally arranged.

(3) The nomination committee not only assesses potential board candidates but also
should assess the performance of the existing board members, including the chairman.
Many directors historically have not been assessed and remain on boards for lengthy
periods of time. The nomination committee or nominated external party should
annually review whether directors have met their obligations successfully or take
appropriate action. The nomination committee should be mindful of the need to
refresh the board regularly enough to avoid entrenchment and bias and to attract new
and fresh thinking in line with where the entity is moving strategically. The committee
should also consider and have a policy in place for succession planning to ensure the
long-term success of the entity.

The nomination committee is dependent on the quality of potential candidates in the
marketplace to fill board positions. The nomination committee may at times need
external assistance in ensuring that the board has the right mix of skills, diversity, and
experience.

The nomination committee must be very transparent with its performance assessment
of board members, including the chairman, or its effective governance may be
questioned or reduced.

2.5.3.2 Audit Committee


The composition of the Audit Committee is prescribed by Section 3.21 of the Main Board Listing
Rules as follows:

• Comprise non-executive directors only.

• A minimum of three non-executive directors.

• A minimum of one independent non-executive director who has the appropriate
professional qualifications.

• The majority of the committee members must be independent non-executive directors.

• The chair of the committee must be one of the independent non-executive directors.

The expectations of the Audit Committee as set out in the HKEx Listing Rules are:

(1) The audit committee has the important functions of monitoring the integrity of
the entity’s financial statements, annual and interim reports and accounts, risk
management (if there is not a separate committee, which in the case of a larger entity
or groups there arguably should be), and internal control, as well as maintaining an
appropriate relationship with the entity’s external auditors. The audit committee should
have a primary focus on the integrity of financial reporting.

(2) The audit committee has the responsibility of ensuring that the internal audit function
is resourced adequately with personnel with appropriate qualifications, experience,
integrity, and independence of mind. The audit committee should ensure that the
internal audit function operates effectively in line with the internal audit charter set by
the entity’s full board.

(3) The audit committee should ensure full co-operation with management and be
supplied with sufficient information to carry out its role. The audit committee must take
an active interest and be proactive and probing in understanding the financial affairs of
the entity and be able to see red flags where they exist.

(4) The audit committee should have a detailed understanding of the judgements of key
assumptions underlying critical accounting estimates. The often-material impact such
estimates can have on the entity’s financial statements explains the need for such
knowledge.

(5) The audit committee should meet with the auditors at least twice a year. Practically
speaking this is normally at the planning phase of an external audit and at its
completion for any accounting period.

(The role of the external auditor is important to ensure the integrity of the entity’s financial
reporting. How this is achieved by the external auditor will be explored in detail through
this module.)

(6) The independence of the external auditor should be reviewed by the audit committee
annually. Focus should be placed where the external auditor also provides non-audit
services. The audit committee should specifically consider:

(a) The nature of the non-audit services;

(b) Whether there are appropriate safeguards in place to ensure that there is not a
threat to the fundamental principles and independence as set out in the HKICPA
Code of Ethics for Professional Accountants; and

(c) The aggregate fees paid to the external auditors and the breakdown of the fees
paid for audit and non-audit services for the financial period should be understood.

(7) The audit committee should also monitor the change process and execution of
implementing new accounting standards. There should be appropriate skill to
understand and keep up to date with tax legislation and other regulatory developments
in relation to financial reporting.

The audit committee is only as effective as the skills that sit on the committee and only as
effective as the information that it requests and receives from management, internal audit, and
the external auditors.

2.5.3.3 Remuneration Committee


The composition of the Remuneration Committee is prescribed by Section 3.25 of the Main
Board Listing Rules as follows:

• The majority of the members of the remuneration committee must be independent
non-executive directors.

• The committee must be chaired by one of the independent non-executive directors.

The expectations of the Remuneration Committee as set out in the HKEx Listing Rules are:

(1) The main role of the remuneration committee is to assist and advise the board
on the remuneration of the board and senior management. In achieving this the
remuneration committee should have a clear policy as well as documented formal
and transparent procedures to implement the policy. The key objective is to attract,
motivate, and retain the best talent for the entity, so as to maximise shareholder
and stakeholder value.

• The remuneration committee should consider all aspects of remuneration by:

(a) Researching what salaries, time commitments, and employment responsibilities are
undertaken by comparable entities.

(b) Ensuring the fairness of employment and termination terms for directors
and senior management.

(c) Ensuring a reasonable and appropriate compensation arrangement relating to the
dismissal or removal of directors for misconduct.

One of the limitations that the committee needs to focus on avoiding is that of
being compromised in setting commercial levels of remuneration or favouring directors
through a dismissal process. The other is ensuring confidentiality of the discussions and
the resulting remuneration outcomes.

2.5.4 Internal Control (ISO)


Internal controls play an important role in corporate governance systems. Controls help a
company prepare financial statements for each reporting period (including interim periods
as needed by the company). A company may also limit, or protect against, operating risks by
implementing functional controls.

The International Organization for Standardization (‘ISO’), based in Geneva, has been
responsible for developing and publishing a wide range of international standards for many
aspects of business since the 1940s. Effective adoption of ISO standards enables companies
to demonstrate a higher level of corporate governance, which is again enhanced if adoption is
audited and certified.

The two ISO standards where effective adoption would maximise the brand strength of a
company and work seamlessly within the corporate governance framework are:

• The ISO 9001 family of standards, which sets out the criteria for a quality management
system. The standards provide guidance and tools for companies who want to ensure
that their products and services consistently meet customers’ requirements and that
quality is consistently improved; and

• ISO 31000 provides principles, framework, and a process for managing risk. It can be
used by any organisation regardless of its size, activity, or sector.

Using ISO 31000 can help companies increase the likelihood of achieving objectives,
improve the identification of opportunities and threats, and effectively allocate and use
resources for risk treatment. Companies using it can compare their risk management
practices with an internationally recognised benchmark, providing sound principles for
effective management and corporate governance.

Apply and Analyse 1


In the current environment of 88 Tandi Company looking to conduct an IPO, the current
directors will need to make a number of changes to the corporate governance model to
meet the requirements of the Companies Ordinance and Hong Kong Stock Exchange Listing
Rules in relation to the Board structure and activities.

Analysis

During the listing process the directors should be advised that they will need to ensure
that the following changes are made to their current board structure and activities and the
requirements for committees:

• If the number of board members is to stay at the current level of seven, then there
will need to be a change in composition to ensure at least one-third are INEDs.
These INEDs should be appointed at least two months prior to the IPO.

• There may need to be a skills assessment completed to ensure that the board
has the appropriate balance of skills to manage the company now and with its
growth strategy.

• The directors must be made aware that, in the performance of their duties as
directors, they must act honestly and in good faith, in the interests of the issuer as a
whole, and avoid actual and potential conflicts of interest.

The board, when establishing its sub-committees, must be aware that:

Audit Committee

• Only has NEDs as members.

• Minimum of one INED.

• The chair must be an INED with appropriate knowledge and experience.

Nomination Committee

• NEDs only.

• Minimum of three members.

Remuneration Committee

• Majority INEDs.

• The chair must be one of the INEDs.

Knowledge Check Questions

Question 7
Explain what a duty to exercise reasonable care, skill, and diligence means.

Question 8
Advise when a director must declare material interests.

Question 9
Determine which of the following is the responsibility of all directors.
A All directors must be independent.
B Involvement with management and everyday responsibilities.
C Be industry experts.
D Keeping abreast of the latest developments with laws and regulations in relation to
the entity.

Question 10
Analyse the structure and roles of board committees and discuss their drawbacks and
limitations.

2.6 AUDITOR’S RESPONSIBILITIES IN REGARD TO CORPORATE GOVERNANCE

The auditor does not have direct corporate governance responsibility but rather provides a
check on the information aspects of the governance system.

Therefore, where does the auditor fit in?

Corporate governance involves decision making, accountability, and monitoring (Exhibit 2.5).

[Figure: organisation diagram showing Internal Audit, Audit Committee, External Auditor, Board of Directors, Shareholders, Stakeholders, and Regulators]

EXHIBIT 2.5 Corporate governance within an organisation
(Note: solid lines represent formal communication relationships. The dotted
line represents informal communication relationships.)

• Decisions require relevant and representationally faithful information.

• Accountability is the responsibility of management to provide that information.

• Monitoring involves using surveillance systems and managing feedback.

The auditor’s primary role is to provide assurance by forming an independent
opinion as to whether the financial information given to shareholders is relevant and
representationally faithful.

The relationship between the board and the auditor is an important one. To meet
its obligations to shareholders, the board must ensure that it receives relevant and
representationally faithful information. Auditors, though appointed to serve the needs of users
of financial statements, indirectly assist the board in achieving this goal. There must be open
and frank dialogue between the auditors and the board with independence of the auditor
always maintained. The auditors must maintain a similar relationship with the board audit
committee.

Key Learning Point


The key learning point is therefore that, while auditors do not have a direct corporate
governance responsibility, the independent nature of the role an external auditor plays
brings confidence in a company when an unmodified auditor’s opinion is issued.

2.7 SARBANES–OXLEY ACT EFFECT ON HONG KONG COMPANIES AND THEIR AUDITORS

The Sarbanes–Oxley Act of 2002 (or ‘SOX’ as it is referred to) is a United States federal law
that set expanded requirements for all US public company boards, management, and public
accounting firms. The Act, which contains 11 sections, was enacted following several major
corporate and accounting scandals, including Enron and WorldCom. Sections of the Act cover
the responsibilities of a public corporation’s board of directors.

SOX increased the oversight role of boards of directors and the independence of the
outside auditors who review the accuracy of corporate financial statements.

It created a new, quasi-public agency, the Public Company Accounting Oversight Board
(PCAOB), charged with overseeing, regulating, inspecting, and disciplining accounting firms
in their roles as auditors of public companies. The act also covers issues such as auditor
independence, corporate governance, internal control assessment, and enhanced financial
disclosure.

For Hong Kong, SOX applies to any company that is also listed on a United States (US)
exchange and has more than 500 US-based shareholders. Companies not listed in Hong
Kong that are subsidiaries of US listed companies may also need to be compliant with the
requirements of SOX when they are material to the overall group or when the rotational
testing rules are applied to subsidiaries that are not material. For any company in Hong Kong
listed on a US exchange, the board must build into its governance framework the compliance
requirements of SOX.

The most important Sarbanes–Oxley sections for compliance are listed below. Note
that certification and specific public actions are required by companies to remain in SOX
compliance.

(1) SOX Section 302: Corporate Responsibility for Financial Reports. The following must be
stated in the Section 302 declaration in the Financial Report that the:

(a) CEO and CFO have reviewed all financial reports.

(b) Financial report does not contain any misrepresentations.

(c) Information in the financial report is ‘fairly presented’.

(d) CEO and CFO are responsible for the internal accounting controls.

(e) CEO and CFO must report any deficiencies in the internal accounting controls or any
fraud involving the management of the audit committee.

(f) CEO and CFO must pay attention to any material changes in internal
accounting controls.

(2) SOX Section 401: Disclosures in Periodic Reports. All financial statements and their
requirements are to be accurate and presented in a manner that does not contain
incorrect statements or omission of material information. Such financial statements
should also include all material off-balance sheet liabilities, obligations, and
transactions.

(3) SOX Section 404: Management Assessment of Internal Controls. All annual financial
reports must include an Internal Control Report stating that management is responsible
for an ‘adequate’ internal control structure and an assessment by management of the
effectiveness of the control structure. Any shortcomings in these controls must also
be reported. In addition, registered external auditors must attest to the accuracy of
the company management’s assertion that internal accounting controls are in place,
operational, and effective.

(4) SOX Section 409: Real Time Issuer Disclosures. Companies are required to disclose
on an almost real-time basis information concerning material changes in its financial
condition or operations.

(5) SOX Section 806: Protection for Employees of Publicly Traded Companies Who Provide
Evidence of Fraud. This section deals with whistle-blower protection.

(6) SOX Section 902: Attempts and Conspiracies to Commit Fraud Offenses. It is a crime
for any person to corruptly alter, destroy, mutilate, or conceal any document with the
intent to impair the object’s integrity or availability for use in an official proceeding.

(7) SOX Section 906: Corporate Responsibility for Financial Reports. Section 906 addresses
criminal penalties for certifying a misleading or fraudulent financial report. Under SOX
906, penalties can be upwards of US$5 million in fines and 20 years in prison.

To conduct an audit of a company required to report under SOX, the auditor must be
registered with the PCAOB and be adequately educated in the requirements of US Accounting
and Auditing standards. This is not easy to achieve if an auditor is not part of a global
accounting network. The PCAOB has very complex criteria for registration.

An auditor of a SOX report must in effect conduct two audits: one for the purpose of
issuing the Section 404 attestation on management’s Section 302 declaration on the control
environment, and one for the auditor’s opinion on the financial statements as a whole. In reality,
what the firm conducts is generally referred to as an integrated audit, which serves both conclusions.

For a company in Hong Kong that must report under SOX there is a significant amount
of work for both management and those charged with governance to enable a Section 302
declaration and for the auditor who must take the integrated approach noted above.

2.8 CORPORATE GOVERNANCE ARRANGEMENT’S ANALYSIS AND IMPROVEMENT RECOMMENDATIONS

As has been demonstrated throughout this chapter, the HKEx has long seen the need for
corporate governance principles for Hong Kong and has had a programme of constant review
and improvement. To this end, on 27 July 2018, the HKEx published its latest conclusions on its
review of the Corporate Governance Code and Related Listing Rules.

In addition to the changes noted in Section 2.5 of this chapter, the following listing rule
amendments are required to be followed from 1 January 2019.

(1) Issuers are to have a policy on diversity of board members and to disclose the policy or
a summary of the policy in their corporate governance reports.

(2) Extended cooling-off periods:

(a) For a director, partner, or principal or employee of a former professional advisor,
the period between being with that advisor and appointment as an independent
director (INED) has been extended from one to two years.

(b) For a former partner of an issuer’s existing audit firm, that intervening period has
also been extended from one year to two years before becoming a member of the
issuer’s audit committee.

° For persons with previous material interests in the issuer’s principal business
activities, an intervening period of one year has been introduced before being
eligible to become an INED.

(3) New disclosure requirements as to reasons why proposed directors are considered
independent, including when they hold cross-directorships and have significant
links with other directors through involvements in other companies or bodies
(new recommended best practice).

It should be noted that changes in Listing Rules amendments have been made both
to the Main Board Listing Rules and to the GEM Listing Rules.

For companies looking to improve their corporate governance outside the recommendations
above, the following factors should be considered:

• Reviewing the corporate governance reports of other companies listed on the relevant
board in Hong Kong;

• Learning from the directors on the company’s board what other boards they are sitting
on are doing in this space (this would need to be on a no names confidential basis);

• Keeping abreast of the changes to laws and regulations;

• Ensuring the organisational culture is aligned with the strategy of the company and the
governance framework established by the board;

• Take a balanced scorecard approach when setting KPIs for how well the company
complies with the requirements of the HKEx, which is well beyond simply assessing
director performance;

• Seek external advice and review to ensure best practice; and

• At least annually, conduct a formal review of the corporate governance framework and
feed back into it any improvements that can be made.

Apply and Analyse 2


Assume that the changes were made in line with the analysis in Apply and Analyse 1 in
Section 2.5. The board now need to consider what further changes they may need to make
given the recent changes to demonstrate their compliance with the Corporate Governance
Code and Related Listing Rules.

Analysis

The board needs to make sure of the following:

• To have a policy and actively demonstrate diversity of board members. Make policy
disclosures in the corporate governance statement.

• Ensure all directors with previous contact with the company in a professional
capacity observe the appropriate cooling-off periods before they can be
designated as INEDs.

• Disclose reasons why proposed directors are considered independent, including
when they hold cross-directorships and have significant links with other directors
through involvements in other companies or bodies.

SUMMARY

Effective corporate governance has to be seen as a pre-requisite for entities to be viable.
Corporate failures have demonstrated the consequences of not having such governance. The
key aspects of a strong corporate governance framework are:

• The behavioural traits that need to be present in the culture of an entity.

• Following the requirements of the Hong Kong Companies Ordinance (Cap.622), the Listing
requirements of the HKEx and the Corporate Governance Code.

• Understanding the importance of the role of the board of directors and their sub-committees
and the degree of interactions with management in the delivery of the corporate governance
requirements.

• Ensuring a strong internal control framework.

• Understanding the requirements when doing business in jurisdictions outside Hong Kong.

MIND MAP

[Mind map centred on CORPORATE GOVERNANCE, with the following branches]

ROLES IN CORPORATE GOVERNANCE
• Serving Stakeholders
• Having an Effective Audit Committee
• Working Closely with the Auditor
• Managing Strategically

BACKGROUND OF CORPORATE GOVERNANCE
• Importance to Capital Markets and Preventing Corporate Failure
• Fairness
• Openness and Transparency
• Independence
• Probity and Honesty
• Responsibility
• Accountability
• Reputation
• Judgement
• Integrity

PROVISIONS OF INTERNATIONAL CODES OF CORPORATE GOVERNANCE
• The Organization for Economic Cooperation and Development (’OECD’)
• Limitation of International Codes

CORPORATE GOVERNANCE DEVELOPMENTS IN HONG KONG AND THE STRUCTURE OF THE CODE ON CORPORATE GOVERNANCE PRACTICES AND CORPORATE GOVERNANCE REPORT IN HONG KONG
• Structure of the Corporate Governance Code
• Corporate Governance Report

DIRECTORS’ RESPONSIBILITIES AS DEFINED BY COMPANIES ORDINANCE AND HONG KONG STOCK EXCHANGE LISTING RULES
• Management Responsibilities within Corporate Governance
• Board Committees’ Structure and Roles and Drawbacks and Limitations
  ° Nomination Committee
  ° Audit Committee
  ° Remuneration Committee
• Internal Control (ISO)

AUDITORS' RESPONSIBILITIES IN REGARD TO CORPORATE GOVERNANCE
• Decision making
• Accountability
• Monitoring

SARBANES–OXLEY ACT EFFECT ON HONG KONG COMPANIES AND THEIR AUDITORS
• Section 302 – Corporate Responsibility for Financial Reports
• Section 401 – Disclosures in Periodic Reports
• Section 404 – Management Assessment of Internal Controls
• Section 409 – Real Time Issuer Disclosures
• Section 806 – Protection for Employees of Publicly Traded Companies Who Provide Evidence of Fraud
• Section 902 – Attempts and Conspiracies to Commit Fraud Offenses
• Section 906 – Corporate Responsibility for Financial Reports

CORPORATE GOVERNANCE ARRANGEMENT’S ANALYSIS AND IMPROVEMENT RECOMMENDATIONS
• Disclosures in corporate governance reports
• Extended cooling-off periods
• New disclosure requirements for independence of directors

Answers to Knowledge Check Questions

Question 1
Answer A is incorrect. The audit committee is a conduit to the full board.
Answer B is correct. The full board and not just the audit committee members have full
responsibility for the accuracy of the financial statements.
Answer C is incorrect. The audit committee plays a key role in directing the efforts of the
internal audit.
Answer D is incorrect. The audit committee should correspond with the external auditors.

Question 2
Reputation or brand is one of an entity’s most valuable assets – according to a 2012 study
by the World Economic Forum, on average approximately 25% of an entity’s market value
is directly attributable to its reputation. Holding on to a good reputation or brand is critical
to the value of a company, and thus significant focus should be placed on protecting and
enhancing it. Where companies have been seen to have done the wrong things, economic
losses can be significant.
The board has a major role to play in helping advise management and the entity of the
potential reputational risks associated with the strategic directions of the company set by
the board. Non-executive directors (‘NEDs’) can be very beneficial in this process as they
can bring their external perspectives and experiences to assist in this process. Often the
board will require management to undertake sensitivity analysis or scenario development
to determine possible impacts that strategy may have on the reputation of the company.
The board should play an active role in this assessment by providing perspective and
feedback that could ultimately lead to changes to the strategy and the associated identified
risks and opportunities.
Entities often look internally to strengthen their ability to detect and mitigate
reputational problems. An effective whistle-blower programme, for example, can help
bring to light problems within the entity that may be compromising its reputation. Entities
must, however, be aware of what is being said about them by parties outside the entity
as well. This can often be achieved through engaging in dialogue with brokers or doing
surveys of broad stakeholders.

Question 3
The following five supporting principles are the ones that should register with external
auditors the most and why:

• Related party transactions should be approved and conducted in a manner that
ensures proper management of conflicts of interest and protects the interest of the
company and its shareholders. There should be adequate disclosures and minority
shareholders should be protected. If complete and effective this may assist external
auditors with their obligations under HKSA 550 (Clarified), Related Parties.

• Open disclosure of financial and operating results of the company, including:

° Remuneration of members of the board and key executives.

° Foreseeable risk factors.

° Issues regarding employees and other stakeholders.

° Governance structures and policies including content of any corporate
governance code or policy and the process by which it is implemented.

This could assist external auditors in determining the completeness and
accuracy of financial information to be presented in the entity’s financial
statements.

• Preparation of financial statements should be in line with reputable accounting
standards. If effective, this could make the completion of an audit more
straightforward for the external auditor.


• An annual audit should be conducted by an independent, competent, and qualified
auditor in accordance with high-quality auditing standards in order to provide an
external and objective assurance to the board and shareholders that the financial
statements fairly represent the financial position and performance of the company
in all material respects.
• External auditors should be accountable to the shareholders and owe a duty of care
to the company.

Question 4
The critical thing for the Board to think about is communication with both shareholders
and other stakeholders. The following should specifically be addressed in the governance
framework:
• The rights and obligations of shareholders;
• Any limitations on the levels of shareholding;
• Shareholder communication policy;
• Structure of the conduct of the general meetings;
• Shareholder guide; and
• Stakeholder communication policy.

Question 5
1. A narrative statement explaining how the issuer has applied the principles in the
Code, enabling its shareholders to evaluate how the principles have been applied;

2. A statement as to whether the issuer meets the code provisions. If an issuer has
adopted its own code that exceeds the code provisions, it may draw attention to
this fact in its annual report; and

3. For any deviation from the code provisions, details of the deviation during the
financial year (including considered reasons).

Question 6
Answer A is incorrect. It is a recommended disclosure.
Answer B is incorrect. It is a recommended disclosure.
Answer C is correct. It is a required disclosure.
Answer D is incorrect. It is a recommended disclosure.

Question 7
Section 465 of the Hong Kong Companies Ordinance (Cap.622) defines a duty to exercise
reasonable care, skill, and diligence as:

(1) A director of a company must exercise reasonable care, skill, and diligence.

(2) Reasonable care, skill, and diligence means the care, skill, and diligence that would
be exercised by a reasonably diligent person with:

(a) The general knowledge, skill, and experience that may reasonably be expected
of a person carrying out the functions carried out by the director in relation to
the company; and

(b) The general knowledge, skill, and experience that the director has.

(3) The duty specified in subsection (1) is owed by a director of a company to
the company.

(4) The duty specified in subsection (1) has effect in place of the common law rules
and equitable principles as regards the duty to exercise reasonable care, skill, and
diligence, owed by a director of a company to the company.

(5) This section applies to a shadow director as it applies to a director.

(6) For the purposes of subsection (5), a body corporate is not to be regarded as a
shadow director of any of its subsidiaries by reason only that the directors, or
a majority of the directors, of the subsidiary are accustomed to act in accordance
with its direction or instructions.

Question 8
Section 536 of the Hong Kong Companies Ordinance (Cap.622) states that the following must
be declared in terms of directors’ material interests:
(1) If a director of a company is in any way, directly or indirectly, interested in a
transaction, arrangement, or contract, or a proposed transaction, arrangement, or
contract, with the company that is significant in relation to the company’s business,
and the director’s interest is material, the director must declare the nature and
extent of the director’s interest to the other directors in accordance with Sections
537, 538, and 539.

(2) If an entity connected with a director of a public company is in any way, directly
or indirectly, interested in a transaction, arrangement, or contract, or a proposed
transaction, arrangement, or contract, with the company that is significant in
relation to the company’s business, and the connected entity’s interest is material,
the director must declare the nature and extent of the connected entity’s interest
to the other directors in accordance with Sections 537, 538, and 539.

(3) If a declaration made under subsection (1) or (2) proves to be, or becomes,
inaccurate or incomplete, the director must make a further declaration in
accordance with Sections 537, 538, and 539.

(4) This section does not require a director to declare an interest:

(a) If the director is not aware of the interest or the transaction, arrangement, or
contract in question; or

(b) If, or to the extent that, the interest concerns the terms of the director’s service
contract that have been or are to be considered by:

(i) A meeting of the directors; or

(ii) A committee of the directors appointed for the purpose under the company’s
articles.

(5) For the purposes of subsection (4)(a), a director is to be regarded as being aware of
matters of which the director ought reasonably to be aware.

(6) This section does not affect the operation of any other Ordinance or rule of law
restricting a director of a company from having any interest in a transaction,
arrangement, or contract with the company.

Question 9
Answer A is incorrect. Executive directors are not independent, and nor are NEDs; only
INEDs have to be independent.
Answer B is incorrect. Only executive directors should be involved in the everyday
responsibilities of management.
Answer C is incorrect. Industry expertise is not required of all directors; different directors
bring different skills to the board.
Answer D is correct. All directors should keep abreast of the latest developments with laws
and regulations that affect the entity.

Question 10
The two key roles of the nomination committee are to:
• Develop a list of desirable skills in a very strategic way to determine what to look
for in director candidates. There is an increasing trend to complete a skills matrix
internally or outsource the process.
• The nomination committee not only assesses potential board candidates but also
should assess the performance of the existing board members, including the
chairman. Many directors historically have not been assessed and remain on boards
for lengthy periods of time. The nomination committee or nominated external party
should annually review whether directors have met their obligations successfully or
take appropriate action. The nomination committee should be mindful of the need
to refresh the board regularly enough to avoid entrenchment and bias and to attract
new and fresh thinking in line with where the entity is moving strategically. The
committee should also consider and have a policy in place for succession planning to
ensure the long-term success of the entity.

EXAM PRACTICE

QUESTION 1
Describe why accountability is such an important pillar of Corporate Governance.

QUESTION 2
Maxwell Park LLP is a listed entity on the New York Stock Exchange, as well as the Hong
Kong Main Board. Management is about to present their reports for the financial period to
the board. At the same time, the board has decided to purchase a considerable number of
hotel properties in New York, Chicago, Boston, and Los Angeles, which will have a significant
impact on the company.

1. Under SOX, describe the responsibility of management.

2. Describe the corporate responsibilities for the financial reports of the CEO and CFO.

3. Identify the responsibilities under SOX the board has for their decision to purchase the
hotel properties.

QUESTION 3
Explain why having an effective audit committee is important to a good corporate
governance framework.

QUESTION 4
List the areas to which a board could delegate some of the more specialised discussions.

QUESTION 5
(Adapted from Module C December 2016 Paper)

The Code on Corporate Governance Practices (the ‘HK Code’) published by the Hong Kong
Stock Exchange contains a combination of broad principles, specific code provisions, and
recommended best practices. Company A is a garment manufacturing company and
plans for an initial public offering (‘IPO’) in the coming year. Company A is primarily owned
by Mr. Lee and Mr. Chung, who are the Chairman and Chief Executive Director (‘CEO’) of
Company A, respectively. You are the auditor of Company A. During the audit planning
meeting, Mr. Lee and Mr. Chung seek your advice as to how Company A should comply with
the HK Code to prepare Company A to be listed on the Hong Kong Stock Exchange.

Company A’s board of directors consists of seven members including Mr. Lee, Mr. Chung,
and one independent non-executive director who meet on a regular basis to discuss key
business matters. Company A’s board of directors consists of members who have extensive
experience in the textiles industry and strong finance backgrounds.

Company A has an internal audit team but has yet to set up any audit committee or any
other committees to support the board. The head of the internal audit team reports directly
to Mr. Lee.

Company A’s company secretary is a third-party service provider who provides Mr. Lee
and Mr. Chung with the latest corporate governance information on a regular basis.

The prior year audit evidenced that Company A has set a good practice at the top and
introduced a clear business code of conduct to all of its employees. The tests of controls also
indicated that Company A’s key controls over financial reporting were effective.

Required:

(a) Explain the current approach required by the Hong Kong Stock Exchange for a listed
company in Hong Kong when applying the HK Code.

(b) Identify which elements of the current corporate governance structure indicate that
Company A is in compliance with the HK Code.

(c) Recommend how Company A can improve its corporate governance in preparation
for the IPO.

ANSWERS TO EXAM PRACTICE

QUESTION 1
Without it, the agency problem would be hard to defeat. With it, the confidence of
stakeholders is increased. It is achieved through faithfulness in various aspects of corporate
governance, especially reporting.

Financial accounting imposes obligations to show how money has been used within an
organisation. However, there are wider meanings for accountability in financial accounting.

There is a sense of responsibility that goes with the feeling of obligation. The essence
of accountability is the moral relationship between those who delegate authority and those
who receive it.

Accountability takes different forms depending on the quality of the relationship and the
degree of trust between the parties to that relationship. There are three key components to
an accountability relationship:

• Delegation. This occurs when the management of a task or a decision is handed over
to another with the expectation that it is completed. This can involve a lesser or greater
degree of discretion.

• Responsibility. This is the view from the other side of the relationship. This involves the
sense of obligation to ensure that a task that has been delegated is implemented, and
to the standards expected.

• Legitimacy. This involves a recognition on the part of those being held to account of the
‘right’ of those demanding such an ‘account’ to make that demand, and it is the heart of
the accountability relationship.

Accountability should have both an internal and external focus and to be truly effective must
be recognised and accepted by all within an entity.

QUESTION 2
1. Section 404 of SOX requires management’s assessment of internal controls. All annual
financial reports must include an Internal Control Report stating that management
is responsible for an ‘adequate’ internal control structure and an assessment by
management of the effectiveness of the control structure. Any shortcomings in these
controls must also be reported.

2. SOX Section 302, Corporate Responsibility for Financial Reports, is to be asserted by the
CEO and CFO as follows:

(a) CEO and CFO must review all financial reports.

(b) Financial report does not contain any misrepresentations.

(c) Information in the financial report is ‘fairly presented’.

(d) CEO and CFO are responsible for the internal accounting controls.

(e) CEO and CFO must report any deficiencies in internal accounting controls or any
fraud involving the management of the audit committee.

(f) CEO and CFO must indicate any material changes in internal accounting controls.

3. Section 409 of SOX requires companies to disclose, on an almost real-time basis, information
concerning material changes in its financial conditions or operations. Such a disclosure
would be required for the purchase of the hotels, given its material nature.

QUESTION 3
The audit committee plays a major role in corporate governance regarding a company’s
financial direction, control, and accountability. As a representative of the full board of
directors and main part of the corporate governance mechanism, the audit committee is
involved in a company’s strategy in relation to its internal audit function and is responsible
for the appointment of the company’s external audits. The audit committee receives reports
from management on internal control, accounting and financial reporting, regulatory
compliance, and risk management.

The audit committee monitors the integrity of a listed company’s financial statements
(annual and interim) and of the accounting records supporting those forms of reporting to
users, but the full board has overall responsibility for the financial statements.

The audit committee needs to have the full cooperation of management and to be provided
with sufficient information and reasonable resources to carry out its role and function in
accordance with its terms of reference. An effective audit committee will take an active interest
in, and take a proactive approach towards, understanding the affairs of the entity and will take
the appropriate actions when there are indicators of unplanned issues and risks.

QUESTION 4
There has been a strong recognition over the years of the need for more specialised
meetings of the board, so board sub-committees were established. The most common
committees where this is facilitated are:

• Audit committee

• Corporate social responsibility committee

• Executive committee

• Investment advisory committee

• Nomination and governance committee

• Risk committee.

QUESTION 5
(a) Listed companies in Hong Kong are required to adopt the ‘comply or explain’ approach
to the HK Code. They are required to confirm their compliance with the HK Code or,
where they do not comply, to provide explanations for any variation in practice.

(b) The following indicates that Company A is in compliance with the HK Code: Company A
has a balanced board of directors, which is evidenced by the following:

• Company A’s board of directors consists of different members who have relevant
expertise and experience in the garment manufacturing/textiles industry. The board
also consists of members who have expertise in finance.

• Company A’s board of directors also meets regularly to discuss key business matters.

• Company A’s Chairman and CEO are different persons. Mr. Lee and Mr. Chung
are the Chairman and CEO of Company A, respectively, so they can balance the
power of each other in the board.

Company A maintains a sound system of internal control to safeguard shareholders’
investments and the company’s assets, which is evidenced by the following:

• Company A has an internal audit team, with good practice at the top and a clear
business code of conduct to employees.

• The prior year audit also indicated that Company A’s key controls over financial
reporting were effective.

(c) The recommendations should include:

• At least one-third of an issuer’s board should be independent non-executive
directors.

• Company A has only one independent non-executive director out of a seven-member
board of directors. Company A should consider increasing the number of independent
non-executive directors in the composition of the board.

• Company A should set up an audit committee, nomination committee, and a
remuneration committee that consist of independent non-executive directors.

• Company A’s internal audit team should report to the audit committee but not
report to Mr. Lee directly.

• Company A should hire an in-house company secretary who has day-to-day
knowledge of Company A’s affairs but not out-source the company secretary’s role
to a third-party service provider. The company secretary should provide advice
to the board on board procedures and ensure the board follows applicable law,
rules, and regulations. The company secretary should not just report to Mr. Lee and
Mr. Chung.

• Issuers are to have a policy on the diversity of board members and to disclose the
policy or a summary of the policy in their corporate governance reports.

For companies looking to improve their corporate governance outside the
recommendations above, the following factors should be considered:

• Reviewing the corporate governance reports of other companies listed on the
relevant board in Hong Kong;

• Learning from the directors on the company’s board what other boards they
are sitting on are doing in this space (this would need to be on a no names
confidential basis);

• Keeping abreast of the changes to laws and regulations;

• Ensuring the organisational culture is aligned with the strategy of the company and
the governance framework established by the board;

• Taking a balanced scorecard approach when setting KPIs for how well the company
complies with the requirements of the HKEx; this is well beyond simply assessing
director performance;

• Seeking external advice and review to ensure best practice; and

• At least annually, conducting a formal review of the corporate governance framework
and feeding back into it any improvements that can be made.



Part C
Assurance Engagements

Chapter 3 Client and Engagement Acceptance Procedures


CHAPTER TOPIC LIST

3.1 Client and Engagement Acceptance Procedures
3.1.1 Auditor Appointment Requirements
3.1.2 Auditor Appointment Guidance and Guidelines
3.2 Change of Auditor
3.2.1 Auditor Resignation
3.2.2 Communication with the Audit Committee and the Board of Directors (Outgoing Auditor)
3.2.3 The Incoming Auditor’s Requirements
3.2.4 Change of Auditor of a Listed Issuer of the Stock Exchange of Hong Kong
3.2.5 The Announcement to be Made by the Listed Issuer on the Change of Auditor
3.3 Procedures for Accepting a New Engagement Overview
3.3.1 Standards Affecting Auditor Appointments
3.3.2 Key Procedures Performed Prior to Accepting an Engagement
3.3.3 Terms of the Engagement Considerations
3.3.4 Opening Balances – Initial Engagement


LEARNING OUTCOMES

PRINCIPAL LO1: PERFORM ASSURANCE ENGAGEMENTS


LO1.02: Prepare, plan and develop assurance engagements including the audits of financial
statements in accordance with relevant Hong Kong Standards of Quality Control,
Auditing, Assurance and Related Services, guidance and legislation with emphasis on:
Client and engagement acceptance procedures
1.02.01 Explain the reasons why entities change their auditors/professional accountants
1.02.02 Explain the requirements relating to the appointment of an auditor under the Hong Kong
Companies Ordinance
1.02.03 Explain the procedure for a change of an auditor
1.02.04 Explain the rights of the auditor in the process of a change of an auditor
1.02.05 Explain the professional clearance procedures
1.02.06 Analyse the matters to be considered and the procedures that an audit firm/professional
accountant should carry out before accepting a specified new client/engagement including:
• Client acceptance
• Engagement acceptance
• Agreement of the terms of engagement
• Transfer of books, papers and information
• Engagement risk (including: Management characteristics and integrity, Organisation and
management structure, Nature of the business, Business environment (including cyber
security), Financial results, Business relationships and related parties and Prior knowledge
and experience)
1.02.07 Identify different acceptance/continuance issues, e.g. self-review or familiarity threat, during
acceptance procedures and illustrate safeguards to address those threats


OPENING CASE

BRIEFING TO AUDIT COMMITTEE OF
YAY MANUFACTURING COMPANY LIMITED,
AN ESTABLISHED LISTED HONG KONG COMPANY,
ON APPOINTING AN AUDITOR

As lead audit partner of Jin & Co, you have been requested to advise the Audit Committee
of Yay Manufacturing Company Limited (‘Yay’), an established company listed on the Stock
Exchange of Hong Kong (SEHK), on the steps necessary to appoint you as their external auditor
under the Hong Kong Companies Ordinance (Cap.622) and any other applicable requirements
of the Hong Kong Institute of Certified Public Accountants (HKICPA). You understand that
Jiang & Co have been the existing auditors of Yay for the past five years. Jiang & Co’s audit
opinion on Yay’s most recent financial statements, dated 31 December 20X6, was unqualified.
Yay’s Audit Committee have explained to you that they want to change auditor to ensure
auditor independence, given that the existing auditor has been the incumbent for five years.
The first financial statements subject to a new auditor will be those for the financial year
ended 31 December 20X7.

Yay are principally engaged in the manufacture of battery components used in the
manufacture of consumer mobile devices, with the majority of its manufacturing facilities
located in mainland China. Due to a continued worldwide economic boom in mobile device
sales, demand for Yay’s components has increased significantly in the last two years, resulting
in Yay doubling the capacity of their facilities, with a consequential uplift in their revenue
of more than 40%. Most of Yay’s customers are located in mainland China and other Asian
countries.

While members of the Audit Committee are experienced non-executive directors, they have
little prior experience in working with external auditors, regulators, and financial markets. As
part of your advice to the Audit Committee you will need to explain the statutory requirements
of the Companies Ordinance in terms of both the new auditor appointment and the outgoing
auditor obligations, as well as the requirements of applicable auditing and ethical standards
of the HKICPA. They would also like to understand what initial audit procedures, if any, you
will need to perform to facilitate your understanding of the Yay business and its financial
statements, and to ensure a smooth, professional, transition from Jiang & Co to your firm,
Jin & Co.


OVERVIEW

This chapter focuses on the client acceptance and engagement procedures required for audits,
being reasonable assurance engagements.

The auditor’s engagement acceptance procedures depend on whether the engagement is:

(a) A continuing engagement as the auditor of an established company;

(b) An initial engagement for a newly established company; or

(c) A prospective new engagement of an established company seeking to change
auditor.

In all scenarios, the requirements for appointing and removing an auditor are mandated
by the relevant legislation, being the Hong Kong Companies Ordinance (Cap.622) (Companies
Ordinance), specifically Part 9 ‘Accounts and Audit’, and the Professional Accountants Ordinance
(Cap.50), which mandates compliance with HKICPA accounting, auditing and assurance, and ethical
standards. In terms of the hierarchy of legislation, the requirements of the Companies Ordinance
take precedence over any conflicting requirements contained in the HKICPA’s standards.

Additionally, for entities listed on the SEHK, the Securities and Futures Ordinance requires
that entities and their auditor comply with specific Listing Rules in respect of the appointment
and resignation of an auditor. These entities are referred to as ‘listed issuers’ in this chapter.

3.1 CLIENT AND ENGAGEMENT ACCEPTANCE PROCEDURES

3.1.1 Auditor Appointment Requirements


3.1.1.1 Who Can Be Appointed as an Auditor?
The Companies Ordinance specifies the legal requirements for who can be appointed an auditor
of a company. All section references are to the Companies Ordinance unless otherwise specified.
As auditor of the company, the auditor is responsible for reporting on the company’s financial
statements.

As covered in Chapter 1, an auditor can be a natural person or a firm. Only a ‘practice unit’
is eligible for appointment (being a firm of certified public accountants, an individual certified
public accountant practising accounting, or a corporate practice). In all cases, the auditor must
be a certified practising accountant (CPA) and a member of the HKICPA. There are certain
persons disqualified from being an auditor:

(a) A person who is an officer or employee of the company.

(b) A person who is a partner or employee of a person mentioned in paragraph (a).

(c) A person who:

(i) Is, by virtue of paragraph (a) or (b), disqualified for appointment as auditor of any
other undertaking that is a subsidiary undertaking, or a parent undertaking, of the
company, or is a subsidiary undertaking of that parent undertaking; or
(ii) Would be so disqualified if the undertaking were a company. [Cap.622 s.393]

An auditor must be appointed by a company for each financial year. [Cap.622 s.394]

If the company appoints a firm as auditor, the firm’s appointment is regarded as an
appointment of persons within that firm who are the partners in the firm from time to time
during the currency of the appointment and eligible for, and not disqualified from, appointment
as auditor of the company under Section 393 of the Companies Ordinance. [Cap.622 s.399]

3.1.1.2 Who Can Appoint the Auditor?


The company has an ‘indisputable’ right to choose its auditor and to also change them if they
so choose.

The Companies Ordinance (Chapter 622, Part 9, Division 5, Subdivision 2) sets out the
formal appointment requirements of an auditor and specifies who can appoint the auditor in
different circumstances. These circumstances are if it is an initial appointment of an auditor
for a newly established company or an ongoing appointment of an existing auditor for an
established company.

Regardless of who appoints the auditor, the auditor is ordinarily appointed to hold office
until the conclusion of the next general meeting at which financial statements are submitted.
An auditor is entitled to attend the annual general meeting to answer questions about the
conduct of the audit, the preparation and content of their auditor’s report, the accounting
policies, and auditor independence.

Provided the relevant statutory procedure within the Companies Ordinance is followed, the
members of the company are entitled in the general meeting to appoint an auditor other than
the existing auditor.

Auditor Appointed by the Directors of the Company


Directors can appoint the initial (first) auditor of a newly incorporated company or fill a
casual vacancy.

The directors may appoint the first auditor:

(a) If the company is required to hold an annual general meeting in respect of its first
financial year, the directors may appoint the auditor of the company for that first
financial year at any time before the annual general meeting; or [Cap.622 s.610]

(b) If the company is not required to hold an annual general meeting (in accordance with
Section 610 of the Companies Ordinance) in respect of its first financial year, the
directors may appoint the auditor of the company for that first financial year at any
time before the appointment period in relation to the next financial year. [Cap.622 s.395]

The directors may appoint a person to fill a casual vacancy in the office of auditor of the
company. If the directors have not done so within one month after the casual vacancy occurs,
the members may, by a resolution passed at a general meeting, appoint a person to fill the
casual vacancy. [Cap.622 s.397]

Auditor Appointed by the Company’s Members


A company must appoint the auditor of the company for a financial year by a resolution passed
at the annual general meeting held in respect of the previous financial year, unless an annual
general meeting is not required to be held under Section 612 of the Companies Ordinance.
[Cap.622 s.396]

A company must appoint the auditor of the company for a financial year, by a resolution
passed at a general meeting, if no annual general meeting is required and no person is deemed
to be reappointed as auditor of the company for the financial year. If, at the annual general
meeting held in respect of the previous financial year, a company has not appointed the
auditor of the company for a financial year, the company must make the appointment by a
resolution passed at another general meeting. [Cap.622 s.396]

Auditor Appointed by the Court
The Court may, on application by a member of a company, appoint the auditor of the company
for a financial year in two circumstances. These circumstances are:

(a) In the case of a company required to hold an annual general meeting in respect of
the previous financial year, when, at the annual general meeting, no person has been
appointed as auditor of the company for the financial year, or when no annual general
meeting has been held; or

(b) In the case of a company not required to hold an annual general meeting, when, at the
end of the appointment period in relation to the financial year, no person has been
appointed as auditor of the company for the financial year and no person is deemed to
be reappointed as auditor of the company for the financial year. [Cap.622 s.398]

Key Learning Point


The auditor can be appointed by different persons associated with the company,
depending on the circumstances of the company.

3.1.1.3 The Legislative Process of Appointing an Auditor


The Companies Ordinance specifies the formal reporting requirements for appointing
and removing a company auditor. This section has been dealt with earlier in Chapter 1
(Section 1.2.1: ‘Role of Regulators and Regulation (Including Statutory Audits)’). Briefly, these
requirements include:

1. The formal reporting process for changing an auditor, including the resolution notice
required. [Cap.622 s.401]

2. The key reporting requirements of the incoming auditor’s appointment, including
the notice resolution, remuneration, and key statutory responsibilities in respect of the
financial statements (including their rights to access accounting records, access the
company’s information and persons to perform the audit, their right to attend the
annual general meeting, and their right to ‘qualified privilege’ in performing their
auditor duties). [Cap.622 ss.402–405, 410–413]

3. The process for reporting the resignation or termination of an existing auditor’s
appointment, including their rights. [Cap.622 ss.416–420]

3.1.2 Auditor Appointment Guidance and Guidelines


Pre-engagement procedures performed prior to accepting the auditor appointment are
discussed in detail in Section 3.3.

Chapter A, Part 3, Section 200 (Professional Appointment) and Chapter C, Section 200
(Changes in Professional Appointment) of the Code of Ethics for Professional Accountants
(November 2018) (Code of Ethics) deal with the requirements for the appointment and
resignation of professional accountants from engagements, including audits. Specifically, these
requirements cover:

• Professional clearance procedures by the incoming auditor prior to accepting the
auditor nomination.

• Joint auditors.

• Filling a casual vacancy auditor appointment.


• Business acquired by a new company.

• Any unpaid fees of a previous auditor.

• Outgoing auditor’s transfer of audit books and papers and providing relevant
information to the incoming auditor.

• Reference to relevant statutory provisions of the Companies Ordinance.

3.1.2.1 Appointment as Joint Auditor


If an auditor is invited to accept a nomination as a joint auditor of the company with another
auditor, the same procedures should be followed as if they had been invited to accept a
nomination as the sole auditor. Such appointments give rise to ‘common law joint and several’
responsibility for the audit between the joint auditors.

The proposed withdrawal or displacement of a joint auditor creates a circumstance in
which the nature of the appointment is substantially changed, such that a ‘surviving’ joint
auditor should communicate formally with all fellow joint auditors as though they were being
asked to undertake a completely new appointment.


3.1.2.2 Filling a Casual Vacancy


If an auditor is invited to accept a nomination to fill a casual vacancy as auditor of the company,
the same procedures should be followed as if they had been invited to accept an ongoing
nomination, adapted to the individual engagement circumstances.

3.1.2.3 Appointment by a Company Acquired by a New Company


If an auditor is invited to accept a nomination of a new company formed to acquire an existing
business, and the ownership of the company is substantially the same as it was of the acquired
business, the same procedures should be followed as if they had been invited to accept an
ongoing nomination, adapted to the individual engagement circumstances.

3.1.2.4 Previous Auditor Unpaid Fees


If an auditor is invited to accept a nomination of a company that has not paid outstanding fees
to the previous auditor, this does not preclude, in itself, acceptance of the nomination. If the
nomination is accepted, the auditor could assist in achieving a satisfactory resolution of the
unpaid fees to the previous auditor.

3.1.2.5 Providing Information to the Incoming Auditor


The outgoing auditor has obligations to provide certain information to the incoming auditor
to assist in a smooth audit handover. This information includes any books
and papers of the company held by the outgoing auditor and any other reasonable, requested
information connected to the audit.

In respect of the transfer of any company-held books and papers, the outgoing auditor is
required to provide the incoming auditor with all books and papers in their possession that are
the property of the company (unless they are entitled to exercise a lien when their audit fees
are unpaid/outstanding). An auditor’s lien under common law would enable them to retain
possession of some of their client’s records/books until all their audit fees are paid. There
are specific conditions under which a lien will be able to be exercised. All conditions must be
satisfied. These conditions include: the client’s records/books retained by the auditor must be
owned by the company itself and obtained by the auditor by ‘proper means’ (i.e. during the
course of the audit and in connection with the audit), the auditor must have completed the
audit work and issued their fee invoice in connection with that work, and, lastly, the fee invoice
must relate to the client’s retained records/books.

Duty to provide other information – the outgoing auditor should promptly provide, free of
charge, any requested information to the incoming auditor in respect of the company, unless
there is an unusual amount of work involved (i.e. the information should be reasonable carry-
over information from the audit).

Allow access to audit working papers (part of the audit file) – these are owned by the
auditor who generated the papers within the final audit file as evidentiary support for their
issued auditor’s report. While there is no legal obligation for the outgoing auditor to provide
the incoming auditor with access to their working papers, they do have an ethical obligation
to promptly provide information related to the incoming auditor’s specific enquiries, which
would ordinarily include providing audit working papers on matters of continuing accounting
significance, and in determining consistent application of accounting principles. This assists
with ensuring continuity of the company’s affairs. (Note that the company does not have
a right to access the audit working papers given they are owned by the auditor and not
the company.)

3.1.2.6 Statutory Provisions


There are various statutory provisions in the Companies Ordinance covering auditor’s reporting
and communication rights when the auditor resigns, the job is terminated, or the auditor
ceases to act as auditor of the company.

An outgoing auditor is entitled, by the Companies Ordinance, to be able to communicate
with members of the company or its creditors over matters connected with ceasing to hold
office (whether by resigning, retiring, or being terminated) and which they consider should be
brought to their notice.

Auditor Resigns (Withdrawal)


If the auditor determines it is appropriate to resign, the auditor should discuss this decision
with the appropriate level of the company’s management and those charged with governance
and explain if the resignation is a withdrawal from the audit engagement or from both the
engagement and the client relationship. They should also explain the reasons for the
withdrawal. An auditor may resign by giving the company a notice in writing that is
accompanied by the required statement. The statement should either set out any
circumstances connected with the resignation that should be brought to the attention of the
company’s members or creditors, or state that there are no such circumstances. The
resignation is effective at the end of the day on which notice is given to the company, or at
the time specified in the notice for the resignation to be effective. The company must then
deliver the notification to the Company Registrar within 15 days beginning on the date on
which the company receives the notice of resignation; if not, the company would be penalised.
[Cap.622 s.417]

The auditor’s term of office expires at the end of the day on which the notice is given to the
company or at a later date as specified in the notice. [Cap.622 s.417(1)]

Refer to Section 3.2.1, Auditor Resignation, for considerations the auditor makes prior to
formally resigning before the term of appointment ends.

The resigning auditor may, by another notice given to the company with the notice of
resignation, require the directors to convene a general meeting of the company. The purpose
of the meeting is for members to receive and consider the auditor’s explanation of the
circumstances connected with the resignation that the auditor places before the meeting. The directors must
convene a general meeting for a date falling within 28 days after the date on which the notice
convening the meeting is given. Every director who failed to take all reasonable steps to secure
that a general meeting was convened as required is liable for a penalty.

(Note that, in circumstances where the auditor has withdrawn from the audit
engagement, under the Code of Ethics, Chapter C, ‘Responding to Non-Compliance with
Laws and Regulations’, Sections R360.21, 360.21 A1, and 360.21 A2, at the request of
the incoming auditor, the outgoing auditor is still required to provide all facts and other
information concerning the identified or suspected non-compliance with laws and
regulations to the incoming auditor. The company’s consent to such communications
is not required, unless required by law or regulation. Such information provided is
to be held by the incoming auditor in strict confidence. Where there has been failure
or refusal by the company to supply the existing auditor with information properly
required for the performance of duties, the existing auditor should so inform the
proposed new auditor.)

If a general meeting is convened under Section 421(2) of the Companies Ordinance, the
resigning auditor:

(a) May give the company a statement that sets out, in reasonable length, the
circumstances surrounding the resignation.

(b) May request the company to comply with the requirement:

(i) To state, in every notice of the meeting given to the members, that the statement
has been made; and

(ii) To send a copy of the statement to every member to whom a notice of the meeting
is or has been given; or

(iii) If the company has not sent a copy of the statement to every member to whom a
notice of the meeting is or has been given, to ensure that the statement is read out
at the meeting.

(c) Is entitled to be given every notice of, and every other item of communication relating
to, the general meeting, to attend the general meeting, and to be heard at the general
meeting on any part of the business of the meeting that concerns the last appointed
auditor. [Cap.622 s.422(1)]

Further, the resigning auditor:

• May give the company a statement that sets out in reasonable length the circumstances
surrounding the resignation (i.e. cessation statement).

• May request the company to state in every notice of the meeting given to the members
that the cessation statement has been made and to send a copy of the cessation
statement to every member to whom a notice of the meeting is or has been given, if the
company receives the statement on a date that is more than two days before the last
day on which notice may be given to call the general meeting.

• May request the company to ensure that the cessation statement is read out at the
meeting, if the company has not sent a copy of the cessation statement to every
member to whom a notice of the meeting is or has been given.

• Is entitled to be given every notice of, and every other item of communication relating
to, the general meeting, that a member of the company is entitled to be given.

• Is entitled to attend the general meeting and to be heard at the general meeting on
any part of the business of the meeting that concerns the person as auditor or former
auditor of the company.


In respect of the resigning auditor making those statements in the course of performing
duties as auditor of the company, Section 410 of the Companies Ordinance gives that auditor
‘qualified privilege’. This means, in the absence of malice, an auditor is not liable for defamation
in respect of any cessation statement or statement of circumstances connected with their
cessation of office.

An auditor who resigns from office must, on the resignation, give the company:

(a) If the auditor considers that there are circumstances connected with the resignation
that should be brought to the attention of the company’s members or creditors, a
statement of those circumstances; or

(b) If the auditor considers that there are no such circumstances, a statement to that
effect. [Cap.622 s.424]

Auditor Ceases to Act


The auditor may cease to be the auditor of the company if they cease to be eligible, or become
disqualified, for appointment as auditor of the company. This means that the auditor
immediately ceases to be auditor of the company and notifies the company of the cessation in
writing within 14 days from the date of the cessation. A failure to comply results in a penalty to
the auditor. [Cap.622 s.418]

Auditor Is Terminated
An auditor can be terminated/removed from the office of auditor by the company by an
ordinary resolution passed at a general meeting. This is despite any agreement between the
auditor and the company or anything in the company’s articles.

A special notice is required for an ordinary resolution and, on receipt of a special notice, the
company must send a copy of it to the auditor proposed to be removed. The company must
deliver a notice in the specified form of that fact to the Registrar for registration within 15 days
beginning on the date on which it is passed. If not so delivered, the company will be penalised.
The terminated auditor can still claim any compensation or damages in respect of the cessation
as auditor. [Cap.622 s.419]

Additionally, when special notice is given by the company for a resolution for appointing an
incoming auditor, the outgoing auditor may:

(a) Give the company a statement that sets out, in reasonable length, the circumstances
surrounding the termination of the appointment as auditor (i.e. cessation statement).

(b) Request the company to state in every notice of the meeting given to the members
that the statement has been made and to send a copy of the statement to every
member to whom a notice of the meeting is or has been given, if the company receives
the statement on a date that is more than two days before the last day on which notice
may be given to call the general meeting.

(c) Request the company to ensure that the statement is read out at the meeting, if the
company has not sent a copy of the statement to every member to whom a notice of
the meeting is or has been given.


(d) Is entitled:

• To be given every notice of, and every other item of communication relating to, the
general meeting, that a member of the company is entitled to be given;

• To attend the general meeting; and

• To be heard at the general meeting on any part of the business of the meeting
that concerns the person as auditor or former auditor of the company. [Cap.622 s.422(2)]

When a proposed written resolution is given by the company for appointing an incoming
auditor in place of the outgoing auditor, the outgoing auditor:

(a) May give the company a statement that sets out, in reasonable length, the
circumstances surrounding the proposed termination of the appointment as auditor
(i.e. cessation statement); and

(b) May require the company to send a copy of the statement to every member at the
same time when the written resolution is circulated under Section 550 or 552 of the
Companies Ordinance. [Cap.622 s.423]

In circumstances where the auditor is terminated (the terminated auditor) and is not
re-appointed immediately after termination for a term immediately following the expiry term,
the auditor must give a statement to the company:

(a) If the terminated auditor considers that there are circumstances connected with the
termination that should be brought to the attention of the company’s members or
creditors, a statement of those circumstances; or

(b) If the terminated auditor considers that there are no such circumstances, a statement
to that effect.

The terminated auditor must send a statement to the company so that it will be received by
the company at least 14 days before the end of the appointment period in relation to the next
financial year or, in any other case, within 14 days beginning on the date of termination. If the
terminated auditor fails to send the statement, the auditor will be penalised. [Cap.622 s.425]

If the terminated auditor makes such a statement, the company must, within 14 days
beginning on the date on which it receives the statement, send a copy of the statement to every
member of the company or apply to the Court for an order directing that copies of the
statement are not to be sent when it receives the statement. A terminated auditor who claims
to be aggrieved may, within 14 days beginning on the date on which the company receives the
statement, apply to the Court for an order directing that copies of the statement are not to
be sent. [Cap.622 s.426]

If the Court is satisfied that the terminated auditor has abused the use of the statement of
circumstances or is using the statement to secure needless publicity for a defamatory matter,
the Court must direct that copies of the statement are not to be sent and may order the
terminated auditor, though not a party to the application, to pay the applicant’s costs on the
application in whole or in part. [Cap.622 s.427]


An overview of the statutory provisions in the Companies Ordinance is summarised in
Exhibit 3.1.

Has the auditor resigned, been terminated, or ceased to act?

Auditor resigned (withdrawal) (Section 417)

1. Auditor resigns by issuing the company a notice of resignation in writing.
2. Auditor can require company directors to convene a general meeting within 28 days
of their resignation notice.
3. Auditor may prepare a Statement to be provided to company shareholders either prior
to or at the general meeting. Statement includes either circumstances regarding the
resignation that the auditor considers should be brought to the attention of members
or creditors or that there are no circumstances to report.
4. Auditor can attend the general meeting and is able to answer any questions regarding
the audit.

Auditor was terminated by the company and will not be re-appointed (Section 419)

1. Company advises auditor of intention to terminate their appointment as auditor at a
general meeting.
2. Auditor may prepare a Statement to be provided to company shareholders either prior
to or at the general meeting. Statement includes either circumstances regarding the
termination that the auditor considers should be brought to the attention of members
or creditors or that there are no circumstances to report.
3. Auditor can attend the general meeting and is able to answer any questions regarding
the audit.
4. Company shareholders then pass ordinary resolution at a general meeting to terminate
the auditor’s appointment.

Auditor has ceased to act (Section 418)

1. Auditor advises the company that they are no longer eligible to act or have become
disqualified.
2. Auditor immediately ceases to be the auditor once they have notified the company.

EXHIBIT 3.1 Summary of statutory provisions

Key Learning Point


There are various Companies Ordinance provisions dealing with circumstances in which the
existing auditor resigns, is terminated by the company, or ceases to act.


Knowledge Check Questions

Question 1
Identify whether a company (i.e. its shareholders) is able to change an auditor at any point
during the existing auditor’s term of appointment.
A No, the company has to wait until the end of the existing auditor’s term.
B Yes, the company is able to change auditor at any point during the existing auditor’s
term of appointment provided the relevant statutory procedure is followed.
C No, the company must get permission from the existing auditor before they can
change auditor.
D Yes, the company is able to change auditor at any point during the existing auditor’s
term of appointment provided they give the existing auditor formal notice of the reason
for the change.

3.2 CHANGE OF AUDITOR

Companies seek to change their existing auditor for different reasons (which are not required
to be disclosed):

• To comply with the Code of Ethics requirements – for example, due to auditor rotation
independence reasons or to enable the outgoing auditor to provide specific consulting
services not previously allowed when they were the appointed auditor.

• A professional relationship breakdown between the company and the auditor. This
could have arisen due to prior disagreements over a significant matter (e.g. accounting
policy choices/interpretations, litigation, audit approach, audit opinion issued).

• Seeking a reduction in their audit fees in a competitive market – providing the entity
with the ability to make significant cost savings (e.g. in switching from a ‘Big 4’ auditor to
a ‘mid-tier’ auditor).

• Seeking to access perceived improved quality of audit services from another audit
provider, e.g. for enhanced data analytics capabilities or possessing specific industry
knowledge.

• Strategic reasons – may want to have a Big 4 auditor for the value of the ‘professional
name’ rather than a mid-tier auditor (e.g. if intending to list on the exchange in the
short term).

Entities may make the change by terminating their auditor’s existing appointment before
the end of term or at the end of term.

Additionally, an auditor’s appointment may come to an end for various other reasons: the
current auditor’s term of office has expired, or they have resigned or ceased to
be the auditor. For example, the auditor may resign after performing the pre-engagement
risk assessment. Refer to Section 3.3.2, Key Procedures Performed Prior to Accepting an
Engagement, for further details.

The legislative provisions within the Companies Ordinance that govern when the existing
auditor resigns, retires, or is terminated were explained in detail in Section 3.1.2.6, Statutory
Provisions, and by way of brief reminder are as follows:
• The person resigns from office (Cap.622 s.417).

• The person ceases to be the auditor (Cap.622 s.418).

• The person is removed (terminated) from office (Cap.622 s.419).

• A winding-up order is made in respect of an auditor that was appointed as a firm in
circumstances where every person who is regarded as being appointed as auditor by
virtue of Section 399 of the Companies Ordinance:

° Ceases to be a partner in the firm before the term of office expires; or

° Ceases to be eligible, or becomes disqualified, for appointment as auditor of
the company;

° Before the term of office expires;

° Where a body corporate is appointed as auditor of a company, the appointment is
also terminated;

° If the body corporate is dissolved (Section 416 of the Companies Ordinance).

3.2.1 Auditor Resignation


Prior to taking the step of formally resigning their office before their term ends, the
auditor should attempt as much as possible to resolve any issues that are leading to them
contemplating resigning. Under Sections 300.8 and 300.9 of Chapter C of the Code of Ethics, the
auditor is reminded that they have a duty to the company’s members (shareholders) to report
to them on the financial statements and should make every reasonable effort to discharge this
duty. An auditor should not attempt to avoid the responsibility of reporting on the financial
statements by simply resigning. The auditors’ proper course of action, once appointed, is to
report on the financial statements. If they are considering resigning during their term of office,
they should discuss any contentious issues that may lead to their resignation with the audit
committee and seek the audit committee’s assistance to resolve the issues with management
and to complete the audit. Having completed the audit, if they do not wish to be re-appointed,
they should decline to stand for re-appointment when their term of office expires.

Such issues may be the result of:

• Prior disagreement with management over a significant matter(s) which calls into
question management’s integrity (e.g. chosen accounting policy, discussions over the
appropriateness of the audit opinion, concerns over the degree of control of decision
making exercised by a dominating individual member of management).

• Management have taken an action that the auditor disagrees with that adversely
and significantly affects the relationship between the auditor and management
(e.g. restricting or withholding access to information or persons, trying to impose a
limitation/deadline on when the auditor can complete fieldwork, intimidating audit staff).


• Evidence of ongoing poor governance at the company (e.g. significant internal control
weaknesses previously identified that remain unaddressed).

• A litigation matter (threatened or actual).

• The audit fee is commercially unsustainable (e.g. due to a change in nature or structure
of the company and a fee adjustment was unable to be agreed).

Additionally, an auditor may:

• Simply wish to retire.

• Be required to rotate and lack appropriate competence within the audit firm to do so, or
face new independence/perceived conflict of interest situations.

• Consider they cannot appropriately perform the audit as the company has:

° Grown substantially and the auditor cannot commit the required resources to the
audit or perform the audit; or

° Diversified into industries where the auditor does not have the appropriate
competency or capability (or access to them) to perform the audit.

If the auditor resigns for professional, legal or regulatory reasons, the auditor should
consider if there are any requirements to advise appropriate regulatory authorities of their
withdrawal from the engagement, together with the reasons for the withdrawal.

3.2.2 Communication with the Audit Committee and the Board of Directors (Outgoing Auditor)
Regardless of the circumstances in which the auditor becomes the outgoing auditor
(resignation, termination), Section 300 of Chapter C of the Code of Ethics, ‘Change of Auditors
of a Listed Issuer of the Stock Exchange of Hong Kong’, requires the auditor to prepare a letter
(‘Letter of Resignation or Termination’) addressed to the company’s Audit Committee and the
Board of Directors, detailing the circumstances (occurrences) that in their opinion affected their
relationship with the company and led to them becoming the outgoing auditor. The outgoing
auditor need not be concerned with breaching their professional duty of confidentiality
owed to the company by sharing information with the incoming auditor as this is permitted
under the Code of Ethics.

Disagreements are essentially unresolved differences of opinion between the auditor
and the company. They are related to the audit of the listed issuer’s most recently completed
financial year or any period subsequent to the most recently completed financial period for
which an auditor’s report has been issued up to the date of the resignation/termination.

Disagreements could be any matter of audit scope, accounting principles or policies, or
financial statement disclosures that, if not resolved to the satisfaction of the outgoing auditor,
would have resulted in a qualification in the auditor’s report.

It is not necessary for there to have been an argument between the auditor and the
company for there to be a disagreement. Initial differences of opinion that have since been
resolved to the auditor’s satisfaction by the supply of additional facts or information are also
not included here.


‘Unresolved’ differences of opinion refer to matters that came to the outgoing auditor’s
attention and that, in the outgoing auditor’s opinion, materially impact on the financial
statements or the auditor’s reports (or that could have a material impact on them), and where
the outgoing auditor has already advised the listed issuer about the matter and:

(a) The outgoing auditor has been unable to fully explore the matter and reach a
conclusion as to its implications prior to their resignation or termination;

(b) The matter was not resolved to the outgoing auditor’s satisfaction prior to their
resignation or termination; or

(c) The outgoing auditor is no longer willing to be associated with the financial statements
prepared by the listed issuer’s management. This is in relation to circumstances
described in HKSA 560 Subsequent Events when it becomes effective on ‘Facts which
become known to the auditor after the financial statements have been issued’,
resulting in the withdrawal of the relevant auditor’s report.

In determining if a matter is ‘unresolved’, the persons involved should be those responsible
for key decision-making activities, reflecting the seriousness of the matter. In the entity’s case
it should be those persons responsible for the finalisation of its financial statements and, from
the auditor, those responsible for authorising the issuance of the auditor’s report.

3.2.2.1 Sharing the Resignation Letter with the Incoming Auditor of a Listed Issuer
All incoming auditors are aware that the outgoing listed company auditor is required to provide
a Letter of Resignation or Termination to the company. It is not appropriate for the outgoing
auditor to share their Letter of Resignation/Termination directly with the incoming
auditor as the letter is required to be sent to the company’s Audit Committee/Board of Directors.

Instead, as part of the professional clearance process, the outgoing auditor should refer the
incoming auditor to their letter. The incoming auditor should then request a copy of the letter
(and any correspondence referred to in the letter) directly from the company and assess if they
should accept the appointment. If the listed issuer refuses to provide the incoming auditor
with a copy of the Letter of Resignation or Termination and any correspondence referred to
in the Letter of Resignation or Termination, the incoming auditor should decline to accept the
nomination. From the outgoing auditor’s perspective this reference effectively discharges the
requirement of providing details of any unusual circumstances surrounding the proposed
change of auditor in accordance with Section 200 ‘Changes in a Professional Appointment’ of
Chapter C of the Code of Ethics.

3.2.2.2 Professional Clearance


Incoming Auditor Responsibility to Request
A prospective incoming auditor is required by Section 200.1 of Chapter C of the Code of Ethics
to request a professional clearance from the outgoing auditor before accepting the auditor
appointment. Such a request must be made after the prospective client company has granted
permission to contact the existing auditor. In circumstances where such permission has not
been granted, the prospective incoming auditor is not allowed to accept the appointment.
Additionally, if the change process has not been dealt with by the company in accordance with
the Companies Ordinance, the prospective incoming auditor is also not allowed to accept the
appointment.


The purpose of the clearance letter is for the prospective incoming auditor to understand
if there are any professional or other reasons (e.g. unusual circumstances) that should be
considered before accepting the appointment as the auditor.

Examples of such circumstances could be:

• Has had significant disagreement with the existing auditor that they consider is the
reason the company may be seeking to appoint a new auditor, or any perceived
impropriety in the conduct of its affairs.

• Where the existing auditor is aware of unsatisfactory business practices of
the company.

• Has suspicions of unlawful acts by directors that have not yet been proved.

The outgoing auditor is required to respond to a professional clearance request letter sent
by the prospective incoming auditor. Such information provided in the letter is to be held by
the incoming auditor in strict confidence.

If the outgoing auditor provides circumstances to the prospective incoming auditor
that relate to significant disagreement with the company, that auditor should provide all
relevant details about the disagreements and their full views on those disagreements.
This is to enable the prospective incoming auditor to consider these matters, discuss them
with the company where appropriate, and decide if it is ethically appropriate to accept the
appointment. The prospective incoming auditor will, for example, need to be assured that the
company will accept their right to a contrary opinion, and, if appropriate, expression of it in
the auditor’s report. If the prospective incoming auditor is unsatisfied with the handling of the
disagreements, the nomination for appointment should be declined.

In respect of any other circumstances (e.g. suspicions of unlawful acts by directors that
have not been proved or unsatisfactory business practices), the outgoing auditor should advise
the prospective incoming auditor immediately if there is any professional or other reason
(together with fully disclosing the circumstances for the reason) that they should be aware of
in deciding whether to accept the auditor’s appointment (e.g. nature of unlawful actions that
should be investigated). It is acceptable for the outgoing auditor to explain the circumstances
orally rather than in writing.

For the outgoing auditor, providing audit-related information to the incoming auditor
(appointed but not yet commenced or offered but not yet appointed), Section 414 of the
Companies Ordinance clarifies that they do not contravene any duty. This is providing that the
information came from knowledge gained in the capacity of being the auditor and that it is
provided in good faith and the outgoing auditor believes that the information is relevant to the
performance of the incoming auditor’s duties as auditor.

Failure to Receive a Response to the Request for Clearance


If the proposed incoming auditor does not receive a response to the clearance letter from the
outgoing auditor within a reasonable time, that auditor is able to follow up the outgoing auditor
by other means. If unable to do so, or unable to obtain a satisfactory outcome in this way, the
prospective incoming auditor should send a further letter, preferably by recorded delivery
service, stating that, unless a reply is received within a specified time, they will assume that
there are no matters of which they should be aware before deciding whether to accept. In any
case, the proposed incoming auditor should be prepared to accept nomination only if satisfied
it is ethically appropriate to do so.


Failure of the Incoming Auditor to Request a Clearance Letter


In the absence of the incoming auditor sending the formal request for professional clearance,
the outgoing auditor is under no obligation to share any information with the incoming auditor.

Example of Clearance Letter (Appendix of HKICPA Code of Ethics for Professional Accountants)

Dear Sirs,

We have been nominated to act as auditor of .................... Limited.

In order to assist us in determining whether to accept such nomination, we should be grateful if
you would advise if there are any circumstances surrounding the proposed change of which we
should be aware.

Yours faithfully,

Firm name

Key Learning Point


Professional clearance letters are required to be requested for every audit engagement
where there is a change of auditor.

3.2.3 The Incoming Auditor’s Requirements


The incoming auditor, having requested the professional clearance letter and obtained and
evaluated the outgoing auditor’s response, should inquire of the company whether the change
of auditor has been made in accordance with applicable legislation (Companies Ordinance)
and then obtain permission to contact the outgoing auditor for confirmation. If the incoming
auditor has any issues with these matters, they need to discuss them with the company to
identify the appropriate remedial action. If significant concerns are not resolved, the incoming
auditor is required to decline the appointment.

The incoming auditor should also ensure their appointment is valid by inspecting a
copy of the resolution noting their appointment (passed by resolution at the company’s
general meeting).

3.2.4 Change of Auditor of a Listed Issuer of the Stock Exchange of Hong Kong
Section 300 of Chapter C of the Code of Ethics specifies additional requirements for appointing
and removing a listed issuer’s auditor, and the auditor’s rights to attend the listed issuer’s
annual general meeting. (This section should be read in conjunction with Section 200 ‘Changes
in a Professional Appointment’ under Chapter C.)

The outgoing auditor of a listed issuer who has resigned or had their appointment
terminated should include in their required Letter of Resignation or Termination
(Sections 417/424 of the Companies Ordinance – discussed in Section 3.1.2.6, Statutory
Provisions) a reminder to the company of the company’s responsibility to make an
announcement in accordance with the Listing Rules in respect of the change of auditor. The
outgoing auditor should include in their Letter of Resignation or Termination an express
consent to the letter being supplied to the SEHK.

3.2.4.1 Appointing an Auditor


Under SEHK Rule 13.88 of the Main Board Listing Rule and Rule 17.100 of the GEM (Growth
Enterprise Market) Listing Rule, a listed issuer must, at each annual general meeting,
appoint an auditor to hold office from the conclusion of that meeting until the next annual
general meeting.

3.2.4.2 Removing an Auditor


The listed issuer must not remove its auditor before the end of the auditor’s term of office
without first obtaining shareholders’ (members’) approval at a general meeting. A listed
issuer must send a circular proposing the removal of the auditor to shareholders, together
with any written representations from the auditor, not less than 10 business days before the
general meeting.

3.2.4.3 Auditor to Attend Annual General Meeting


A listed issuer must allow the auditor to attend the general meeting and make written and/or
verbal representations to shareholders at that general meeting. Under Code Provision E.1.2 in
Appendix 14 of the Main Board Listing Rule and Appendix 15 of the GEM Listing Rule, a listed
issuer’s management should ensure that the auditor attends the annual general meeting to
answer questions about the conduct of the audit, the preparation and content of their auditor’s
report, the accounting policies, and auditor independence.

3.2.5 The Announcement to be Made by the Listed Issuer on the Change of Auditor
There are requirements of the Main Board and GEM Listing Rules (Listing Rules) regarding
changes in audit appointments for listed issuers.

These include that the listed issuer is required to make an announcement pursuant to the
Listing Rules setting out the reason(s) for the change of auditor and any other matters that
need to be brought to the attention of holders of securities of the issuer (including, but not
limited to, circumstances set out in the outgoing auditor’s Letter of Resignation or Termination
in relation to the change of auditor). It is advisable that prior to the listed issuer making the
announcement, practically, and without delay, they consult with the outgoing auditor and agree
on the details related to the communication of the reasons for the auditor change.

The outgoing auditor should read and assess whether the circumstances as reported in
their Letter of Resignation or Termination, which, in their opinion, need to be brought to the
attention of the listed issuer’s shareholders, are reflected in the announcement made by the
listed issuer. In the event that the outgoing auditor considers that the circumstances leading
to Resignation or Termination, as announced by the listed issuer, are materially different from
the circumstances as reported by the auditor in the Letter of Resignation or Termination, the
outgoing auditor should write to the Audit Committee and Board of Directors of the listed
issuer indicating those differences.

If the listed issuer takes no adequate action in response to the outgoing auditor’s letter, the
outgoing auditor should consider whether the market has been adequately informed as to the
circumstances leading to the Resignation or Termination. If not, the outgoing auditor should
consider whether these should be brought to the attention of the relevant regulatory authority;
that is, the Securities and Futures Commission (SFC). Should the outgoing auditor decide it
necessary to report those matters to the SFC, they will be subject to the protection of Sections
380 and 381 of the Securities and Futures Ordinance.

(Note that Sections 380 and 381 of the Securities and Futures Ordinance provide immunity
to a person who is, or was, an auditor of a company which is listed, or any associated
company of the company, who reports to the SFC matters that come to their attention
that suggest that, at any time since the formation of the listed company, its shareholders
have not been given all the information with respect to its affairs that they might
reasonably expect.)

The outgoing auditor is advised to always consult their lawyer before any communications
with the SFC.

Apply and Analyse 1


Yay Manufacturing Company Limited is a company listed on the SEHK. Yay Manufacturing
Company and its subsidiaries (‘Yay’) are principally engaged in the manufacture of battery
components used in the manufacture of consumer mobile devices. Yay’s customers are
mostly technology companies in mainland China and other Asian countries. As at 31
December 20X7, over 90% of Yay’s manufacturing assets were located in mainland China.

As a result of the continued economic boom in sales of mobile devices
worldwide, Yay decided, two years ago, to more than double the size of its manufacturing
facilities to accommodate the increased demand. Consequently, revenue increased
more than 40%.

Yay’s previous auditor, Jiang & Co, was re-appointed in April 20X7 after it reported on
Yay’s financial statements for the year ended 31 December 20X6. However, Jiang & Co
resigned in October 20X7. Jiang & Co had been Yay’s auditor for five years.

Jiang & Co had proposed a doubling of the Yay audit fee. However, Yay would not
accept the increase. According to Yay, they wanted to change auditor periodically to ensure
independence. According to Jiang & Co, they had been prepared to rotate the engagement
partner in accordance with quality control standards.

The directors of Yay approached Jin & Co in November 20X7 and proposed to appoint
them as the auditor of Yay’s financial statements for the year ended 31 December 20X7.

Explain what Jiang & Co’s ethical obligations are in relation to Yay’s request for the
change in auditor.

Analysis

Jiang & Co, as Yay’s outgoing auditor, must comply with the ethical obligations in relation
to Yay’s change in auditor that are set out in the Code of Ethics. In particular, Jiang & Co must
comply with the requirements of Section 300 ‘Change of Auditors of a Listed Issuer of the
Stock Exchange of Hong Kong’ under Chapter C of the Code of Ethics since Yay is listed on
the SEHK. According to Section 300 under Chapter C of the Code of Ethics, Jiang & Co should
prepare a Letter of Resignation addressed to Yay’s Audit Committee and the Board of
Directors.

The Letter of Resignation should disclose all the circumstances that, in the opinion of
Jiang & Co, affect the relationship between Yay and Jiang & Co. Such circumstances include,
but are not limited to, ‘disagreements’ and/or ‘unresolved issues’.

According to the Code of Ethics, Jin & Co should make a request in writing to Jiang & Co
to ask if there are any unusual circumstances surrounding the proposed change which
Jin & Co should be aware of, so that Jin & Co may determine whether it should accept the
audit nomination. On receipt of the written request, Jiang & Co should act promptly.

If there are no professional or other reasons why Jin & Co should not accept the
nomination, Jiang & Co should reply to Jin & Co’s written request without delay.

Apply and Analyse 2


Explain why Jiang & Co may wish to discuss the circumstances of the change of auditor
with Jin & Co.

Analysis

Jiang & Co might wish to discuss Yay’s affairs with Jin & Co due to circumstances
surrounding the change of auditor. Prior to this, Jiang & Co should first request Yay’s
permission to do so freely. If permission is not granted, Jiang & Co should report that
fact to Jin & Co (who in turn should not accept the nomination). Once Yay’s permission
is granted, Jiang & Co may inform Jin & Co of those factors or circumstances of which,
in the opinion of Jiang & Co, Jin & Co should be aware (e.g. the audit fee change request
and partner rotation offer). Jiang & Co may, for example, inform Jin & Co that the reasons
advanced by Yay for the change in auditor are not in accordance with their understanding
of the facts, given Jiang & Co had proposed a rotation of the engagement partner as an
appropriate safeguard against the familiarity threat to independence, and that Yay did not
accept the proposed increase in audit fee. Once Jin & Co have considered these facts, it is
then up to them to decide if it remains ethically appropriate for them to accept the auditor
appointment.


Knowledge Check Questions

Question 2
If a company is unhappy with the timeliness, professionalism, and level of service their
existing auditor is providing to them, explain whether they can decide to change auditor
half-way through the auditor’s term.

Question 3
As part of your professional obligations as incoming auditor of Zhang Limited you sent
a professional clearance request to the existing auditor for their response. The existing
auditor’s response included a range of issues, including issues that had previously caused
significant disagreement with the company and also advising them of the fact they had
some suspicions regarding the company’s business practices in its shipping department.
Describe how you respond as prospective incoming auditor to the issues raised by the
existing auditor.

Question 4
If the outgoing auditor does not respond to the incoming auditor’s professional clearance
letter request, identify what the incoming auditor should do.
A Accept the engagement.
B Decline the engagement.
C Try to contact the outgoing auditor again by another means.
D Resend the request.

3.3 PROCEDURES FOR ACCEPTING A NEW ENGAGEMENT OVERVIEW

3.3.1 Standards Affecting Auditor Appointments


There are mandatory HKICPA auditing and ethical standards that also impact accepting auditor
appointments, being:

• HKSQC 1 (Clarified) Quality Control for Firms that Perform Audits and Reviews of Financial
Statements, and Other Assurance and Related Services Engagements (February 2015).

• HKSA 220 Quality Control for an Audit of Financial Statements (June 2017).

• Code of Ethics for Professional Accountants (November 2018).

3.3.1.1 HKSQC 1
HKSQC 1 (Clarified) sets out, for audit engagements, detailed requirements for the firm to
establish, monitor, and maintain in respect of independence and client engagement and
acceptance procedures.


While Chapter 1 (1.2.2.2 Profession’s Code of Ethics) discusses independence in detail, it
is appropriate to remind readers of the importance of independence in an audit engagement.
HKSQC 1 (Clarified) requires the auditor to comply with relevant ethical requirements in
conducting their audit, including independence. These relevant ethical requirements are
contained in the Code of Ethics. It details that any threats to independence identified by the
auditor need to be addressed either by eliminating those threats or by reducing them to an
acceptable level by applying safeguards. If the threats remain unacceptably high, the Code of
Ethics indicates that the auditor is to withdraw from the engagement.

The firm of which the auditor is part is required to ensure that the auditor considers in
their pre-engagement acceptance procedures that the auditor is competent to perform the
engagement, has the capabilities, including time and resources, to perform the audit, can
comply with relevant ethical requirements, has considered the integrity of the client (company),
and does not have information that would lead the auditor to conclude that the client lacks
integrity (see HKSQC 1 (Clarified), paragraph 26).

The auditor’s firm is required:

(a) To obtain such information as it considers necessary in the circumstances before
accepting an engagement with a new client;

(b) To consider whether there is a potential conflict of interest; and

(c) To document any issues identified when the firm was deciding to accept or continue
the client relationship or a specific engagement (see HKSQC 1 (Clarified), paragraph 27).

If the auditor’s firm obtains information after accepting that may have caused it to decline
the engagement, the auditor is to consider the professional and legal responsibilities that apply
to the circumstances, including whether there is a requirement for the firm to report to the
person or persons who made the appointment or, in some cases, to regulatory authorities,
and the possibility of withdrawing from the engagement or from both the engagement and the
client relationship (see HKSQC 1 (Clarified), paragraph 28).

3.3.1.2 HKSA 220


HKSA 220 applies to audit engagements and establishes the required systems of quality control
(consistent with HKSQC 1 (Clarified)) and role of the engagement team in the audit process
to ensure the audit complies with professional standards and applicable legal and regulatory
requirements, and that the issued auditor’s report is appropriate in the circumstances.

Specifically, for auditor acceptance and continuance procedures, it requires the
engagement partner be satisfied that appropriate procedures have been performed, and that
conclusions reached from those procedures were appropriate. If the engagement partner,
as the prospective incoming auditor of the company, obtains information that would cause
them not to accept the engagement, then they are responsible for advising the firm so the
appropriate action can be taken to not accept the auditor appointment.

3.3.1.3 The Code of Ethics (November 2018)


The Code of Ethics is mandatory to apply to all engagements conducted by members of the
HKICPA, including audit engagements. It has six chapters (A to F): two general chapters
(Chapters C and D) that apply to all engagements regardless of type and four specific chapters
(Chapters A, B, E, and F) that apply to certain types of engagements undertaken. Additionally,
Chapter A ‘Professional Accountants in Public Practice’ has four parts (Parts 1 to 3, 4A and 4B).

Of particular application to auditor appointments in the general part are:

• Chapter A, Part 3 ‘Professional Accountants in Public Practice’, Section 320
‘Professional Appointments’;

• Chapter A, Part 4A ‘Independence for Audit and Review Engagements’; and

• Chapter C, Section 300 ‘Change of Auditors of a Listed Issuer of the Stock Exchange of
Hong Kong’ (SEHK).

A summary of the Code of Ethics, Section 320 and Part 4A is provided directly below. The
detail of Section 300 under Chapter C is found in Section 3.1.2 ‘Auditor Appointment Guidance
and Guidelines’ and for Section 300 in Section 3.2.2 ‘Communication with the Audit Committee
and the Board of Directors (Outgoing Auditors)’.

Chapter A, Part 3, Section 320 ‘Professional Appointment’


This section sets out the client acceptance and continuance requirements for professional
accountants in terms of determining if acceptance could create any threats to the fundamental
principles of the Code of Ethics (integrity, objectivity, professional competence and due care,
confidentiality, and professional behaviour). These were previously explained in Chapter 1,
Section 2.2.2 of the Profession’s Code of Ethics and are not repeated here.

Chapter A, Part 4A ‘Independence for Audit and Review Engagements’


The overarching principle in Chapter A, Part 4A of the Code of Ethics is to require the auditor to
be independent of audit clients. Independence is critical to the auditor performing an unbiased,
impartial, and non-conflicted audit engagement (independence of mind and in appearance).
Part 4A provides detailed examples to assist the auditor and ensure they are independent,
as it is recognised that independence is an area requiring the auditor to exercise significant
professional judgement. For more detail on ‘Independence’ refer to Chapter 1, Section 2.2.2 of
the Profession’s Code of Ethics.

In essence, the auditor must not accept any audit engagement where the auditor cannot
be independent. It is therefore critical for the auditor to identify threats to independence prior
to accepting the audit engagement, evaluate any threats, and apply appropriate safeguards
when necessary to eliminate those threats or at least reduce them to an acceptable level.
Threats can be direct or indirect, financially based or non-financially based, and actual
or perceived. They include self-interest, self-review, familiarity, advocacy,
or intimidation threats. In some cases, there may be no safeguards that can be put in place to
ensure independence; in which case the auditor declines to accept the auditor’s appointment
or, if already appointed, resigns/withdraws.

Key Learning Point


The auditor’s independence is fundamental to accepting a new appointment as company
auditor and to continuing with an existing auditor appointment. If the auditor assesses that
their independence is, or has been, threatened, and they have not identified and put in
place an appropriate safeguard to effectively mitigate or eliminate that threat, the auditor
must decline accepting or continuing the auditor appointment.


3.3.2 Key Procedures Performed Prior to Accepting an Engagement


The three areas the auditor should consider prior to accepting an engagement are:

1. Assess the two preconditions for the audit (Section 3.3.1.1).

2. Perform the engagement risk assessment on the company (Section 3.3.1.2).

3. Assess if the auditor can comply with the relevant ethical requirements
(Section 3.3.1.3).

An auditor should, prior to commencing work on a continuing audit engagement,
consider the risk of continuing to accept the engagement due to any change in circumstances
of the company or the auditor. The continuing auditor, therefore, re-assesses each of
the three areas annually. Although the engagement risk assessment in Section 3.3.2.2 is
written from the perspective of a new engagement, it can be readily adapted to a continuing
engagement.

An auditor should, prior to accepting a new audit engagement, consider the risk of accepting
the engagement with that company (client). Note that this risk is different from the engagement
risk assessment, which is used by the auditor, post-acceptance, to design procedures based on
the company risks (its inherent risk, control risk, and detection risk) to enable them to conclude
on the audit and achieve the desired level of reasonable assurance. The Code of Ethics contains
the relevant ethical requirements the auditor must comply with for each audit and must be
considered at pre-engagement to ensure the auditor can accept the engagement. These are
already covered in detail in Chapter 1 of this module.

The engagement risk assessment should be made by the auditor prior to engagement
acceptance to ensure that they are fully informed of, and understand the nature of, the
company. This allows the auditor to make an informed professional judgement as to whether
they wish to be the company’s appointed auditor.

3.3.2.1 Assess Preconditions for the Audit


The two preconditions for the audit involve the auditor considering:

1. The acceptability of the financial reporting framework selected by those charged with
governance as the basis to prepare the financial statements; and

2. Whether management will agree to acknowledging and accepting responsibility for:

(a) The preparation of the auditable financial statements;

(b) Internal controls relevant to those financial statements to ensure they are free
from material misstatement (whether due to fraud or error); and

(c) Providing the auditor with access to all information relevant to preparation of
the financial statements and any information the auditor requests for audit and
unrestricted access to any person within the company the auditor requests so they
can obtain audit evidence (see HKSA 210, paragraph 6).

In respect of the auditor evaluating whether the company’s financial reporting framework
is acceptable, the auditor considers the purpose for which the financial statements have been
prepared, the Companies Ordinance, and the requirements of the legislation in terms of what type
of financial statements are required to be prepared (e.g. general-purpose financial statements
in accordance with HKFRS).


3.3.2.2 Perform Engagement Risk Assessment


In assessing the specific engagement risk, the following considerations are a helpful checklist
that can be used.

The auditor’s assessment is made based on the knowledge and understanding they have
obtained of the company primarily through a review of relevant information (sourced from a
wide range of different reputable sources) and discussions with relevant persons (including the
current auditor, the company’s management, and those charged with governance and internal
audit, and key service providers of the company including lawyers, bankers, and, if appropriate,
the regulatory authority). The outcomes of these considerations may cause the auditor to
question the auditor’s ability to accept the engagement on the basis of threats to independence
that cannot be appropriately safeguarded. Refer to Section 3.1.2 Auditor Appointment
Guidance and Guidelines for the earlier discussion on independence.

Management Characteristics and Integrity


The auditor needs to understand who the key management personnel of the company are
(and, if there have been recent changes, what they are and why they occurred). The auditor
also needs to obtain reputable external references, if those personnel are not known to
the auditor, to enable the assessment of their ‘business reputation’ and integrity. This may
include assessing key known related parties of management. (Refer to HKSA 550 (Clarified)
Related Parties, paragraph 10(b) for a definition of a related party of a reporting entity.
To understand who management’s related parties may be, read ‘management’ in place of
‘reporting entity’ in that definition.)

The auditor is to consider management’s attitude towards compliance with regulatory
or contractual obligations, whether their known business practices are satisfactory, and if
there has been any indication of money laundering or other criminal activity committed by
management. This includes being aware of any ongoing poor governance at the company
(e.g. significant internal control weaknesses previously identified, which remain unaddressed
by management). It is critical that the auditor assesses the overall ‘tone at the top’ at the
company, its workplace cultural values, and the impacts (if any) of these on the audit. The
auditor should consider corporate governance policies, public announcements, listings of
related parties, and other relevant information obtained from appropriate sources (e.g. via
the company website). A poor culture in the company (e.g. a culture where there is fraud,
misconduct, or employee disregard for approved company policies and procedures, without
consequence) substantially increases the audit risk of material misstatement as the company
lacks an effective internal control system. Consequently, the auditor would not accept the
auditor appointment.

The auditor needs to consider whether there is any indication of management’s intention
to try to limit the scope of the audit and whether management’s attitude towards the
interpretation of accounting standards is aggressive or that its maintenance/focus on the
internal control environment is lax.

The auditor should consider if there are any incentives (financial or otherwise) and
opportunities for management to engage in fraudulent financial reporting (e.g. to achieve
bonus conditions). Consideration should also be given to whether management decisions are
unduly dominated by one person or a small group of persons, leading to possible issues with
key decision-making processes.


The auditor should try to determine whether there have been any instances of fraud
committed by management and whether the circumstances that enabled the fraud are still
present (indicating a lack of management willingness to be committed to good governance via a
strong internal control environment).

Overall, the auditor needs to conclude in their assessment whether those charged with
governance/management of the company exhibit appropriate integrity and attitudes towards
governance at the company (internal control environment), its financial reporting processes,
and the respect for the audit process.

Organisation and Management Structure


The auditor should assess the legal structure of the company and whether it is suitable for the
type of business the company conducts (e.g. is it simple or overly complex due to the use of
many subsidiaries or trusts, or complex alliances and joint ventures?).

The internal management structure of the company is also of interest to the auditor. Is it
suitable for the company and its operations or is it unduly top heavy or multilayered? Does
management appear to have sufficient professional expertise in the company’s business to
make appropriate business decisions? Are appropriately qualified people employed in all the
company’s areas of operation? Is there any potential for a few members of management to
dominate the day-to-day running of the company by virtue of their position? Is there a high
staff turnover, indicating issues in how the company is being run?

If the company is a group audit, and the auditor is to be a group auditor, the auditor needs
to consider if there are any known issues in conducting the group audit. For example, will the
auditor audit all the entities in the group or have to deal with different component auditors
and in different jurisdictions? In such cases, the auditor would need to consider the component
auditor’s professional competence and also take into consideration the jurisdictional
differences they operate in (e.g. there may be regulatory differences on what information they
can provide to the auditor as group auditor and also different professional requirements to
those of the HKICPA that will have to be assessed).

If the company is a group audit, and the auditor is to be the component auditor, the auditor
needs to consider if there are any known issues affecting the way in which they will be required
to report component results to the group auditor in terms of regulatory or professional
accounting requirements. Chapter 11 of this module considers in detail group audits, including
the situation of component auditors.

Nature of the Business


The auditor needs to consider the industry in which the company operates and whether that
presents any professional reputational issues for the auditor. For example, the industry may be
highly controversial by virtue of its nature or its known accepted business practices.

It is also important to consider the company’s related parties and associates (both locally
and internationally), and if there is any evidence of the company being economically dependent
on other parties including financiers.

The auditor will need to ascertain whether the business faces any significant litigation
claims or contingent liabilities and whether the nature of the business suggests a finite
business life. Is there any indication of the company being in economic difficulties? Are there
any significant financing covenants that the company has to regularly re-negotiate or has a
history of missing? The auditor will also consider whether the company is in a competitive
industry or is a monopoly provider of goods/services.

If the company, or the group, operates in a diverse range of industries, the auditor will need
to assess whether the company’s personnel have the technical expertise and experience to
operate in those industries. Does the mix of industries the company is engaged in make sense,
given the company’s prior history (e.g. are there synergies of management skills and does the
mix achieve horizontal/vertical integration)?

Additionally, the auditor needs to consider whether the company operates in a highly
volatile, highly complex, and/or highly regulated environment (e.g. where the company faces
requirements in addition to the Companies Ordinance), has been the subject of regulatory or
government inquiries (and their outcomes, if known), and whether there have been significant
transactions/events and issues involving significant management assumptions or estimates.

If the company is a group of companies, the auditor needs to consider and apply the
considerations to each of the companies in the group.

IT Environment (Including Cyber Security)


The auditor needs to consider whether there are any unusually high business risks associated
with the company – any announced complex or risky transactions, aggressive deals or
diversifications into markets or areas where the company does not have known expertise, or
known issues with the stability of its IT environment.

Of interest to the auditor will be whether the company has significant legacy (old) computer
systems upon which the company is heavily reliant to record/maintain its data, which have
not been upgraded and/or are unsupported. Generally, does the company regularly patch and
update key software to reduce security vulnerabilities? How well maintained are the
systems? Additionally, for systems that the company is heavily reliant on, the auditor should
consider how long the company could effectively operate without these systems in the event
they suddenly stopped operating or became inaccessible, and what plans exist for addressing
this risk (e.g. having regular backups of data stored offsite, a parallel system housed offsite,
alternate premises used to store emergency computers).

In particular, the auditor will need to consider whether the company has the capabilities
in-house, or through its consultants, to manage the security of its data. Does it have
appropriate IT general and security controls to protect its data internally and externally? Is
there a risk of cyber-attacks on the company given the nature of the data it holds (valuable,
sensitive, one-of-a-kind data)? Does the company have adequate cyber security policies,
protocols, and prevention and detection tools to manage its cyber security? Also, does the
company have appropriate data protection policies in compliance with applicable data privacy
legislation? Does the company have a functioning disaster recovery plan that is regularly
tested, and does it perform regular stress testing and penetration testing of key vulnerable
systems? Does the company have a history of promptly remedying any issues identified? Does it
have an appropriate business continuity plan (covering loss of key employees, suppliers,
customers, and IT systems (hardware and software), and unplanned outages or cyber-attacks, such
as denial of service (DoS), phishing, malware (malicious software), man-in-the-middle (MITM)
attacks, SQL injection (inserting a malicious command into a database query), and/or zero-day
attacks that exploit previously unknown weaknesses)?


Financial Results

A basic requirement is that the auditor needs to obtain and review available financial
statements to understand the company’s historical financial position, profitability, cash flow,
and other key financial indicators of the company’s health. The auditor will need to consider if
there are any significant matters (e.g. disclosures of commitments, litigation, or post-balance
date events) that are of consequence to a future audit and whether the financial statements
comply with accounting standards and other requirements.

The auditor will need to assess whether the company has any going concern issues that
may call into question their future viability.

As well as looking at past financial statements, the auditor will need to consider if there
have been any significant changes in the company’s financial condition or circumstances in the
current year as compared to prior years (e.g. deterioration of financing loan covenants that
affects its liquidity or future viability/prospects or significant divestments of business units or
changes in strategic direction).

Business Relationships and Related Parties of the Company


The auditor needs to consider who the company’s substantial business relationships are
with, including suppliers, creditors, shareholders, customers, financial institutions, associates,
and/or lawyers. The auditor needs to assess these relationships for any possible conflicts of
interest and to consider the completeness and adequacy of any disclosures in the financial
statements. The auditor should also consider their impact on the company’s ongoing viability
and professional reputation (as might come from significant transactions entered into by the
company with those entities with known poor business reputations).

The auditor also needs to consider the company’s related parties. These are essentially
entities with direct or indirect control or significant influence over the company, as defined in
HKSA 550 (Clarified) Related Parties, paragraph 10(b).

Prior Knowledge and Experience


The auditor will need to consider any issues in the prior year audit engagement that call into
question whether the auditor wants to be the appointed auditor. Some of these issues have
already been covered here and in Section 3.2 ‘Change of Auditor’ as reasons why an existing
auditor may consider resigning from the audit.

For example:

• Were there significant disagreements with management on accounting policy
judgements/choices or other significant matters affecting the financial statements?

• Did management pursue aggressive accounting standard interpretations?

• Were there issues with accessing information or persons when required and on a
timely basis?

• Did the auditor have difficulty obtaining sufficient appropriate evidence to support
material balances?

• Was the company the subject of adverse findings in legal cases or government
inquiries?


• Were there any actions identified that called into question management’s integrity
(e.g. failure to remedy known significant internal control deficiencies or action of a
known fraud)?

• Were there any attempts to limit the scope of audit work in certain sensitive areas?

• Did the company have difficulty paying the prior year’s audit fee or have disagreements
over paying the audit fee?

Legal and Professional Issues


The auditor needs to be sure of being professionally qualified to act and that there are no legal,
regulatory, or technical barriers to the appointment. For example, was the outgoing auditor’s
resignation/termination properly conducted in accordance with the Companies Ordinance
or is the auditor aware that the company has not complied with the Companies Ordinance
requirements? Was the professional clearance process satisfactorily completed? The auditor
should obtain a copy of all notices and documentation from the company in respect of their
appointment and the prior auditor’s resignation/termination to ensure they are valid. Lastly,
the auditor needs to consider whether there are any legal impediments to accepting the
engagement (statute, contract, or common law).

Audit Administration Related Issues


The auditor needs to have appropriate and adequate audit resources to conduct a quality
audit. In making this assessment, the auditor needs to consider the availability of an
appropriate engagement quality control reviewer and whether assigned staff have the
appropriate competence, capability (industry knowledge, experience with relevant regulatory,
or reporting requirements), time availability, subject matter expertise, and ability to meet the
statutory report deadline of the company.

Also, the auditor needs to consider if the proposed audit fee is reflective of the work effort
required to conduct a quality audit. Quality cannot be sacrificed due to difficulties in having
the fee paid, for example when a company acts aggressively to keep audit fees below what is
reasonable.

3.3.2.3 Assess Whether the Auditor Can Comply with the Ethical Requirements

The auditor is required to assess all the information obtained from the pre-conditions and
the results of the engagement risk assessment to conclude whether the ethical requirements
can be met and the auditor can accept an audit engagement. That is, the auditor must
conclude that there is independence from the company and there are no conflicts of interest,
no issues with management’s integrity, and no concerns about being associated with
the company.

A high-level discussion on auditor independence considerations is already covered in
Chapter 1, Ethical Standards, Legislation, and Professional Guidance, Section 1.1, Auditing and
Assurance, and in this chapter in Section 3.1.2, Auditor Appointment Guidance and Guidelines
(independence) and Section 3.2.2.2, Professional Clearance (assessing the information received
from the outgoing auditor).

Possible threats to independence (in mind and appearance) may arise from the work
the auditor already performs for the company. In this regard, does the auditor need to
consider any non-assurance or consulting engagement services provided that impact the
financial statements to be audited? Common examples of such services include preparing the
financial statements, preparing the tax effect accounting entries for inclusion in the financial
statements, providing accounting valuation services on property, plant and equipment/
specialised assets, providing internal audit services to the company, and/or providing
accounting advice on the proposed treatment of a material transaction that has occurred or
the interpretation of a new accounting standard for implementation in the current financial
year. Given the nature of these services, and assuming they have been provided in respect of
the current financial results for incorporation into the financial statements to be audited, they
represent threats that are highly unlikely to be mitigated, for the current financial statements,
through appropriate safeguards.

The rule of thumb to remember is that the auditor should not audit anything that
the auditor has prepared or provided advice on (to avoid self-review, self-interest, and
advocacy threats).

The auditor also needs to consider other possible threats to independence, such as those
detailed in Chapter 1. Examples include considering relationships between the auditor and
the company’s management/those charged with governance, over-reliance on the company,
economic dependence on the company due to the audit fee’s size, financial interests, and any
inducements received.

Key Learning Point


The auditor needs to perform and document their engagement risk assessment conclusion
prior to accepting any new auditor appointment and prior to commencing work on a
continuing audit engagement. This is a far-reaching assessment that cannot be treated as
being a matter of process.

3.3.3 Terms of the Engagement Considerations


The auditor needs to set down the terms of the engagement with the company in an
engagement letter, as evidence of the contractual relationship. The company has to accept
that letter.

3.3.3.1 Components of Acceptance of the Engagement


HKSA 210 Agreeing the Terms of Audit Engagements (January 2019) sets out the requirements
for the auditor in formalising the agreed terms of the assurance engagement between the
company and those charged with governance (directors or management as appropriate) as
required by the Companies Ordinance.

3.3.3.2 Agreed Engagement Terms


Under HKSA 210, before the start of any professional work, the auditor and its company should
agree, in writing, the scope and nature of the work to be undertaken. This ensures there can
be no misunderstanding of the audit engagement, confirms the respective responsibilities,
confirms the applicable financial reporting framework used for the preparation of the financial
statements, and explains audit reporting outcomes and fee arrangements.

All first-time engagements require this letter to be prepared by the auditor and agreed with
management.

If management requests a change in the scope or objectives of the audit, then it is up to
the auditor to decide on acceptance of such a change. In such circumstances, the engagement
letter is to be updated and re-issued to evidence the change.

When to Issue an Engagement Letter


For new clients, the engagement letter should be sent before any professional work has been
started. If the audit is of a group, the auditor will send an engagement letter relating to the
group and identify the components for which the auditor is appointed.

For recurring audits, the auditor needs to decide if circumstances require that the letter
be updated and re-sent to management. Generally, whenever there is a significant change in
circumstances, a revised engagement letter should be sent. Significant changes include:

• The company has changed its name or financial year or there is a significant change in
the company’s ownership.

• The audit engagement partner has changed.

• The members of the company’s board or key management personnel have changed.

• Required management responsibilities have changed.

• Agreed fee, billing arrangements, or key deliverables have changed.

• The agreed audit scope or engagement terms have changed (e.g. the audit fees have
changed or the auditor feels it is appropriate to re-issue to the company to remind
them of their responsibilities).

• A significant change in the nature or size of the company’s business.

• Changes in the legal structure or form of the company (e.g. there are new or divested
entities or the company became a listed company).

• A change in the financial reporting framework is adopted in the preparation of the
financial statements or other significant regulatory changes have impacted the audit.

For an audit already in progress, if there has been a change in terms of the audit
engagement needing to be agreed between the auditor and management, these should be set
out in an updated engagement letter.

Key Learning Point


An engagement letter must be current and agreed by both the auditor and those charged
with governance/management (as appropriate) and include certain minimum terms for all
audit engagements.


3.3.3.3 Contents of an Engagement Letter


HKSA 210, paragraph 10, contains the minimum requirements for the content of the
engagement letter:

(a) Objectives of services

• To audit the financial statements of the company.

• To provide reasonable assurance (explaining what that means and the inherent
limitations of the engagement) on those financial statements to conclude whether
as a whole they are free from material misstatement (whether due to fraud or
error) and to issue an auditor’s report that includes an opinion.

(b) Responsibilities of the directors

• To prepare financial statements for the company and its subsidiaries (if applicable)
that are in accordance with the applicable financial reporting framework, including,
where relevant, their fair presentation.

• To keep sufficient accounting records to support the financial statements.

• To prepare financial statements that comply with the disclosure requirements of
the Companies Ordinance (Cap.622 s.383) and associated ‘Disclosure of information
about Benefits of Directors’ regulation (Cap.622G) in respect of directors’
emoluments (all benefits received from the company, e.g. emoluments, retirement
benefits, termination payments, and loans).

• To establish such internal control as is necessary for the preparation of the financial
statements free of material misstatement.

• To provide the auditor with access to all information requested in connection with
the audit, all information relevant to the financial statement preparation, and
unrestricted access to persons within the company to enable the auditor to obtain
audit evidence.

• To provide the auditor with copies of any proposed (on or before circulation) and
passed written resolutions (together with related documents) that are required to
be sent to the member of the company.

• To prepare and approve the directors’ report in accordance with the Companies
Ordinance.

(c) Responsibilities of the auditor

• To prepare the auditor’s report and form an opinion on whether the company’s
financial statements dated XX are in accordance with the requirements of the
applicable financial reporting framework and comply with the Companies Ordinance.

• To also provide an opinion on whether the company has kept adequate accounting
records and whether those records agree with the financial statements.

• To include in the auditor’s report:

° A statement if they have not been able to obtain all information necessary and
material for the audit.


° A statement of the details required to comply with the requirements of the
Companies Ordinance (Cap.622 s.383) and associated ‘Disclosure of information
about Benefits of Directors’ regulation (Cap.622G) in respect of directors’
emoluments in the event that the company does not disclose this.

• To report if the financial statements do not comply with the applicable financial
reporting framework (either the HKICPA’s issued financial reporting standards or
the financial reporting standard for private entities).

• To read the information included in the directors’ report for any inconsistencies
with the financial statements and to report if they exist.

• To read the other information included in the annual report and consider whether
it is materially inconsistent with the financial statements and/or knowledge the
auditor obtained through the audit process.

(d) Scope of audit

The engagement letter is to indicate that the audit is to:

• Be conducted in compliance with HKICPA auditing standards, including ethical
requirements.

If applicable, the engagement letter is to reference a requirement for the auditor to
communicate key audit matters (KAMs) in the auditor’s report (for a listed company)
in compliance with HKSA 701 Communicating Key Audit Matters in the Independent
Auditor’s Report. (Note that it is optional for the auditor to adopt and report KAMs
for a non-listed company, and this is usually done in conjunction with the company
through discussions and agreement.)

• Obtain sufficient appropriate evidence to provide a basis for the audit opinion.

• Obtain an understanding of internal controls relevant to the audit (i.e. the audit of
the financial statements).

• Evaluate the appropriateness of the accounting policies the company has selected
and the reasonableness of the accounting estimates and related disclosures.

• Conclude on the appropriateness of the use of the going concern basis of
preparation of the financial statements and consider related disclosures to assess
the impact, if any, on the form and content of the auditor’s report.

• Evaluate the overall presentation, structure and content of the financial statements
and whether they represent the company’s underlying transactions and events in a
manner that achieves fair presentation.

The engagement letter should also point out that the audit is subject to inherent
limitations, as is the company’s internal control, and that the audit may not detect all
material misstatements. If applicable, for group audits, the engagement letter should
include statements that the auditor:

• Has the right to obtain information/explanations from any related company of the
company under Section 412 of the Companies Ordinance to assist the auditor in the
performance of their duties as auditor of the holding company.


• Will communicate with any auditor of a subsidiary, joint arrangement, or
associate to satisfy themselves that there is accounting policy uniformity (as far
as is practicable); that the consolidated financial statements contain information
as required by the Companies Ordinance, applicable accounting standards, and
any other relevant legislative requirements; and that all material aspects of the
consolidated financial statements have been subject to the audit in order to allow
them to form an opinion on those consolidated financial statements.

• Further, the engagement letter should indicate that the auditor:

° Will request written confirmation of representations obtained during the audit.

° Will request access to specific documents including the chairman’s statement,
operating and financial review, and the directors’ report, which are issued with
the financial statements.

• Finally, the engagement letter should include statements that:

° The company is responsible for safeguarding its assets, prevention and
detection of fraud, error, and non-compliance with law or regulations. The
auditor will, however, plan the audit to give them a reasonable expectation
of detecting material misstatements that may result from fraud or error or
non-compliance with the law or regulations.

° The auditor will not share information gained from the audit with any members
of our firm other than those engaged on the audit.

° The auditor’s responsibilities end when the auditor’s report is issued on the
financial statements.

(e) Reporting

The engagement letter should include the expected form and content of the auditor’s
report and include a caveat that the report may need to be amended for the
circumstances.

(f) Other services

If applicable, the engagement letter should outline what other services have been
requested and that these are dealt with in a separate letter. (The auditor needs to
ensure that these other services are permissible by applicable law and do not pose a
conflict of interest/threat to their independence with the audit.)

(g) Fees

The engagement letter should set out the agreed fee for the audit (including out-
of-pocket expenses) and how the fees will be billed progressively throughout the
audit process.

(h) Agreement of terms

The engagement letter should indicate that it is effective from one audit appointment
to another, unless updated.

The company should be requested to sign and return the letter as
acknowledgement and agreement of its terms. If applicable, it should be indicated that
the engagement letter covers all subsidiaries of the company and that the company
should forward a copy of the letter to the board of directors of all subsidiaries so they
can confirm acceptance of the letter as well.

Apply and Analyse 3 – Adapted from Module C June 2016 Paper and
Appendix 1 to HKSA 210 Agreeing the Terms of Audit Engagements
Yay Manufacturing Company Limited is your new audit client and a listed company,
and prepares general purpose financial statements. They are not consolidated. You are
engaged to perform the audit of its financial statements for the year ended 31 December
20X7. Based on a discussion with the Chief Financial Officer of Yay Manufacturing Company
Limited, your audit engagement manager has prepared the following draft engagement
letter for your review:

[On Jin & Co Letterhead]

[Date]

To the Board of Directors of Yay Manufacturing Company Limited,

Objective of Services

You have requested that we audit the financial statements of Yay Manufacturing Company
Limited for the year ended 31 December 20X7. We are pleased to confirm our acceptance
and our understanding of this audit engagement by means of this letter.

The objectives of our audit are to obtain reasonable assurance about whether the
financial statements as a whole are free from material misstatement, whether due to fraud
or error, and to issue an auditor’s report that includes our opinion. Reasonable assurance
is a high level of assurance but is not a guarantee that an audit conducted in accordance
with Hong Kong Standards on Auditing (‘HKSAs’) will always detect a material misstatement
when it exists. Misstatements can arise from fraud or error and are considered material
if, individually or in the aggregate, they could reasonably be expected to influence the
economic decisions of users taken on the basis of these financial statements.

Scope of Audit

Our audit will be conducted in accordance with HKSAs issued by the Hong Kong Institute
of Certified Public Accountants. Those standards require that the auditor complies
with ethical requirements. As part of an audit in accordance with HKSAs, we exercise
professional judgement and maintain professional scepticism throughout. We also:

(a) Identify and assess the risks of material misstatement of the financial statements,
whether due to fraud or error, design and perform audit procedures responsive to
those risks, and obtain audit evidence that is sufficient and appropriate to provide
a basis for our opinion. The risk of not detecting a material misstatement resulting
from fraud is higher than for one resulting from error, as fraud may involve collusion,
forgery, intentional omissions, misrepresentations, or the override of internal control.



(b) Obtain an understanding of internal control relevant to the audit in order to
design audit procedures that are appropriate in the circumstances, but not for the
purpose of expressing an opinion on the effectiveness of the company’s internal
control. However, we will communicate to you in writing concerning any significant
deficiencies in internal control relevant to the audit of the financial statements that
we have identified during the audit. Any such report may not be provided to third
parties without our prior written consent. Such consent will be granted only on the
basis that such reports are not prepared with the interests of anyone other than
the company in mind and that we accept no duty or responsibility to any other
party as concerns the reports.

(c) Evaluate the appropriateness of accounting policies used and the reasonableness
of accounting estimates and related disclosures made by you.

(d) Conclude on the appropriateness of your use of the going concern basis of
accounting and, based on the audit evidence obtained, whether a material
uncertainty exists related to events or conditions that may cast significant doubt
on the company’s ability to continue as a going concern. If we conclude that a
material uncertainty exists, we are required to draw attention in our auditor’s
report to the related disclosures in the financial statements or, if such disclosures
are inadequate, to modify our opinion. Our conclusions are based on the audit
evidence obtained up to the date of our auditor’s report. However, future events
or conditions may cause the Company to cease to continue as a going concern.

(e) Evaluate the overall presentation, structure, and content of the financial
statements, including the disclosures, and whether the financial statements
represent the underlying transactions and events in a manner that achieves fair
presentation.

Because of the inherent limitations of an audit, together with the inherent limitations
of internal control, there is an unavoidable risk that some material misstatements may
not be detected, even though the audit is properly planned and performed in accordance
with HKSAs.

Fees

Our fees are computed on the basis of the time spent on your affairs by the partners and
our staff and on the levels of skill and responsibility involved plus out-of-pocket expenses.
Unless otherwise agreed, our fees will be billed at appropriate intervals during the course
of the audit and will be due on presentation.

We propose an audit fee of HK$250,000.

Agreement of Terms

Once it has been agreed, this letter will remain effective, from one audit appointment
to another, until it is replaced. Please sign and return the enclosed copy of this letter to
indicate your acknowledgement of, and agreement with, the arrangements for our audit of
the financial statements including our respective responsibilities.

Yours faithfully,

Jin & Co.

Certified Public Accountants

Date

We agree to the terms of this letter.

(Signed)

................................. Director, for and on behalf of the Board of Yay Manufacturing
Company Limited

Date

Required

Advise as to whether this draft engagement letter is compliant with HKSA 210 Agreeing the
Terms of Audit Engagements or, if not, what other information it should contain.

Analysis

Under HKSA 210 Agreeing the Terms of Audit Engagements, before the start of any
professional work, the auditor and the audited company should agree, in writing, the
scope and nature of the work to be undertaken. Paragraph 11 of HKSA 210 requires that
the agreed terms of the audit engagement must be in writing and in the form of a written
agreement. It further requires certain terms to be included in the engagement letter
including (but not limited to):

(a) The objective and scope of the audit of the financial statements;

(b) The responsibilities of the auditor;

(c) The responsibilities of management;

(d) Identification of the applicable financial reporting framework for the preparation of
the financial statements;

(e) Reference to the expected form and content of any reports to be issued by the
auditor; and

(f) A statement that there may be circumstances in which a report may differ from its
expected form and content.



Based on these requirements, the draft engagement letter, as prepared by your audit
manager, does not meet the requirements of the standard. The following have not been
included in the draft engagement letter and are required:

• The ‘responsibilities of management’ section – setting out their acknowledgement
and understanding of their key responsibilities related to the audit including
that they are responsible for the preparation of the financial statements in
compliance with the named applicable financial reporting framework (which
on the facts should be the Hong Kong Financial Reporting Standards), for keeping
sufficient accounting records to explain the company’s transactions, for ensuring
compliance with relevant requirements of the Companies Ordinance, for internal
controls relevant to ensuring the financial statements prepared are free from
material misstatement (whether due to fraud or error) and agreeing to allow
the auditor access to all information and persons requested in connection with
the audit.

• The ‘responsibilities of the auditor’ section – setting out the auditor’s own
acceptance of key responsibilities, including that they will issue an auditor’s report
to the company’s members containing their opinion of the truth and fairness of the
financial statements the company has prepared as compared to the requirements
of the applicable financial reporting framework, whether the financial statements
are in compliance with directors’ emoluments disclosures required by the
Companies Ordinance, if they have obtained all required information necessary
to the audit, and if they have identified any inconsistency between the financial
statements and any other information included in the annual report or the
directors’ report.

• Identification of the applicable financial reporting framework for the preparation
of the financial statements (as noted above this would be the Hong Kong Financial
Reporting Standards given the circumstances).

• Include a reference to the expected form and content of any reports to be issued
by the auditor.

• Include a statement that there may be circumstances in which a report may differ
from its expected form and content.

Key Learning Point


The incoming, newly appointed auditor must perform audit work on the opening balances,
regardless of whether those balances have been audited by another auditor, in order to
provide the newly appointed auditor primarily with sufficient appropriate audit evidence
that the opening balances do not contain material misstatements that could affect the
current period balances.


3.3.4 Opening Balances – Initial Engagement


A new auditor of a continuing company will have to perform work on the opening balances in
the financial statements as part of their audit planning procedures as required by HKSA 510
Initial Audit Engagements – Opening Balances (Exhibit 3.2). This is the case when:

• The financial statements for the prior period were not audited.

• The financial statements for the prior period were audited by a predecessor auditor.

PERFORM OPENING BALANCES WORK ON NEW AUDIT ENGAGEMENT

Review
• The most recent financial statements.
• The predecessor auditor’s report.
• Other relevant documents.

Obtain sufficient appropriate audit evidence about whether the opening balances
contain misstatements that materially affect the current period’s financial
statements.

Closing balances from prior year
• Have prior period’s closing balances been correctly brought forward to the
current period?

Accounting policies application
• Have opening balances reflected the application of appropriate accounting policies?
• Have accounting policies been consistently applied?
• Have changes in accounting policies been accounted for and disclosed?

If prior year financial statements were audited
• Review the predecessor auditor’s working papers.
• Consider the professional competence and independence of the predecessor auditor.

If prior year financial statements were not audited
• Include a statement in the auditor’s report that the corresponding figures
are unaudited.

Current period
• Evaluate whether audit procedures performed in the current period provide
evidence on opening balances or performing other specific procedures set out in
Section 3.3.4.1, Key Procedures Required on Opening Balances.

EXHIBIT 3.2 Performing opening balances work on a new audit engagement

The work performed is designed to provide the incoming auditor with sufficient appropriate
audit evidence that the opening balances do not contain material misstatements that affect
the current period’s financial statements and the accounting policies adopted in the opening
balances have been consistently applied in the current period’s financial statements or, if there
have been changes, they have been appropriately accounted for and adequately presented and
disclosed in accordance with the applicable financial reporting framework.

Opening balances are defined in HKSA 510, paragraph 4, as ‘those account balances
that exist at the beginning of the period. Opening balances are based upon the closing
balances of the prior period and reflect the effects of transactions and events of prior periods
and accounting policies applied in the prior period. Opening balances include matters
requiring disclosure that existed at the beginning of the period, such as contingencies and
commitments’.

Below are the specific procedures required by HKSA 510:

(a) The auditor is to read the most recent financial statements, if any, and the predecessor
auditor’s report thereon, if any, for information relevant to opening balances, including
disclosures.

(b) The auditor is to obtain sufficient appropriate audit evidence about whether the
opening balances contain misstatements that materially affect the current period’s
financial statements by:

i. Determining whether the prior period’s closing balances have been correctly
brought forward to the current period or, when appropriate, have been restated;

ii. Determining whether the opening balances reflect the application of appropriate
accounting policies; and

iii. Performing one or more of the following:

1. Where the prior year financial statements were audited, reviewing the
predecessor auditor’s working papers to obtain evidence regarding the
opening balances;

2. Evaluating whether audit procedures performed in the current period provide
evidence relevant to the opening balances; or

3. Performing specific audit procedures to obtain evidence regarding the
opening balances.

(c) The auditor is to obtain sufficient appropriate audit evidence about whether the
accounting policies reflected in the opening balances have been consistently applied
in the current period’s financial statements and whether changes in the accounting
policies have been appropriately accounted for and adequately presented and
disclosed in accordance with the applicable financial reporting framework.

3.3.4.1 Procedures Required on Opening Balances


If the prior period’s financial statements were audited by a predecessor auditor and there was
a modification to the opinion, the auditor is required to evaluate (under HKSA 315 (Revised
2019), Identifying and Assessing the Risks of Material Misstatement) the effect of the matter giving
rise to the modification in assessing the risks of material misstatement in the current period’s
financial statements (HKSA 510.9).

For current assets and liabilities some audit evidence may be obtained as part of
performing the current period’s audit procedures. For example, the collection (payment) of
opening accounts receivable (accounts payable) during the current period will provide some
audit evidence of their existence, rights and obligations, completeness, and valuation assertions
at risk at the beginning of the period. In the case of inventories, however, the current period’s
audit procedures on the closing inventory balance provide little audit evidence regarding
inventory on hand at the beginning of the period.


Therefore, additional audit procedures may be necessary and one or more of the following
may provide sufficient appropriate audit evidence:

(a) Observing a current physical inventory count and reconciling it back to the opening
inventory quantities.

(b) Performing audit procedures on the valuation of the opening inventory items.

(c) Performing audit procedures on gross profit and cut-off (HKSA 510.A6).

For non-current assets and liabilities, some audit evidence may be obtained by examining
the accounting records and other information underlying their opening balances. In certain
cases, the auditor may be able to obtain some audit evidence regarding opening balances
through confirmation with third parties, e.g. for long-term debt and investments. In other cases,
the auditor may need to carry out additional audit procedures (HKSA 510.A7).

Results of Audit Work


If the auditor obtains audit evidence that the opening balances contain misstatements that
could materially affect the current period’s financial statements, the auditor shall perform such
additional audit procedures as are appropriate in the circumstances to determine the effect on
the current period’s financial statements. If after the additional procedures the auditor
concludes that such misstatements exist in the current period’s financial statements, the
auditor shall communicate the misstatements with the appropriate level of management and
those charged with governance in accordance with HKSA 450 Evaluation of Misstatements
Identified During the Audit (HKSA 510.7). Chapter 10 in this module deals with audit reporting in detail.

Effect on Auditor’s Opinion


The auditor concludes either that there are no issues with opening balances, that they are
unable to obtain sufficient appropriate evidence to form an opinion on a certain area, that there
is a material misstatement in respect of one or more opening balances, or that there is a
continuing issue with a balance(s) carried forward from the prior auditor.

If the auditor is unable to obtain sufficient appropriate audit evidence regarding the
opening balances, the auditor modifies their opinion in accordance with HKSA 705 (Revised)
Modifications to the Opinion in the Independent Auditor’s Report and expresses a qualified opinion
or disclaimer of opinion on the financial statements, as appropriate (HKSA 510.10).

Below are illustrative examples of the inability to obtain evidence.

Illustrative Example 1 – HKSA 510 Illustration 1


If the auditor did not observe the counting of the company’s physical inventory (which is
material) at the beginning of the current period, he or she was therefore unable to obtain
sufficient appropriate audit evidence regarding the opening balances of inventory. The
possible effect is material but not pervasive to the company’s financial performance and
cash flows, and the financial position at the year end is fairly stated.



Extract from Auditor’s Report of the qualification wording to reflect the above situation:

Qualified opinion

In our opinion, except for the possible effects of the matter described in the Basis for Qualified
Opinion paragraph, the financial statements give a true and fair view of the state of the
company’s affairs as at 31 December 20X1, and of its profit and cash flows for the year then
ended in accordance with Hong Kong Financial Reporting Standards and have been properly
prepared in accordance with the disclosure requirements of the Hong Kong Companies
Ordinance.

Basis for qualified opinion

We were appointed as auditor of the Company on 30 June 20X1 and thus did not observe the
counting of the physical inventories at the beginning of the year. We were unable to satisfy
ourselves by alternative means concerning inventory quantities held at 31 December 20X0. Since
opening inventories enter into the determination of the profit and cash flows, we were unable to
determine whether adjustments might have been necessary in respect of the profit for the year
reported in the statement of profit or loss and other comprehensive income and the net cash
flows from operating activities reported in the statement of cash flows.

Illustrative Example 2 – HKSA 510 Illustration 2


If the auditor did not observe the counting of the company’s physical inventory (which
is material) at the beginning of the current period, he or she was therefore unable to
obtain sufficient appropriate audit evidence regarding the opening balances of inventory.
The possible effect is material but not pervasive to the company’s financial performance
and cash flows, and the financial position at year end is fairly stated. An opinion that is
qualified regarding the financial performance and cash flows and unmodified regarding
the financial position is considered appropriate in the circumstances.

Extract from Auditor’s Report of the qualification wording to reflect the above situation:

Qualified opinion on the financial performance and cash flows

In our opinion, except for the possible effects of the matter described in the Basis for Qualified
Opinion section of our report, the statement of profit or loss and other comprehensive
income and statement of cash flows give a true and fair view of the financial performance
and cash flows of the Company for the year ended 31 December 20X1 in accordance with
Hong Kong Financial Reporting Standards issued by the Hong Kong Institute of Certified Public
Accountants and have been properly prepared in compliance with the Hong Kong Companies
Ordinance.



Opinion on the financial position

In our opinion, the statement of financial position gives a true and fair view of the state of the
Company’s affairs as at 31 December 20X1 in accordance with Hong Kong Financial Reporting
Standards and have been properly prepared in accordance with the Hong Kong Companies
Ordinance.

Basis for qualified opinion, including basis for qualified opinion on the financial
performance and cash flows

We were appointed as auditor of the Company on 30 June 20X1 and thus did not observe the
counting of the physical inventories at the beginning of the year. We were unable to satisfy
ourselves by alternative means concerning inventory quantities held at 31 December 20X0. Since
opening inventories enter into the determination of the profit and cash flows, we were unable to
determine whether adjustments might have been necessary in respect of the profit for the year
reported in the statement of profit or loss and other comprehensive income and the net cash
flows from operating activities reported in the statement of cash flows.

If the auditor concludes that the opening balances contain a misstatement that
materially affects the current period’s financial statements, and the effect of the
misstatement is not appropriately accounted for or not adequately presented or disclosed,
the auditor is required to express a qualified opinion or an adverse opinion, as
appropriate (HKSA 510.11).

If the auditor concludes that:

(a) The current period’s accounting policies are not consistently applied in relation
to opening balances in accordance with the applicable financial reporting
framework; or

(b) A change in accounting policies is not appropriately accounted for or not
adequately presented or disclosed in accordance with the applicable financial
reporting framework

the auditor is required to express a qualified opinion or an adverse opinion as appropriate
in accordance with HKSA 705 (Revised) (HKSA 510.12).

If the predecessor auditor’s opinion regarding the prior period’s financial statements
included a modification to the auditor’s opinion that remains relevant and material to the
current period’s financial statements, the auditor is required to modify the auditor’s
opinion on the current period’s financial statements in accordance with HKSA 705 (Revised)
and HKSA 710 Comparative Information – Corresponding Figures and Comparative Financial
Statements (HKSA 510.13).


Apply and Analyse 4 – Adapted from Module C December 2013 Paper


You are Andy Jin, an audit partner of Jin & Co (‘Jin’). Recently you accepted a new audit
engagement of an established listed company, Yay Manufacturing Company Limited (‘Yay’).
The predecessor auditor issued an unmodified opinion for the most recent audited annual
financial statements. Yay manufactures battery components used in consumer mobile
devices and has an annual turnover exceeding US$700 million.

Its organisation structure is simple, with two manufacturing plants in China and a
trading company in Hong Kong. Yay’s business has experienced high growth given the
continued worldwide high demand for mobile devices. Due to more than doubling the
plant’s output in the last two years, revenue has increased more than 40%, with Yay’s
overall financial position improving due to the increased cashflow. Accounts receivables
have remained stable as Yay are very proactive in collecting their debts within their
required 60-day payment period.

Below is an extract of Yay’s significant statement of financial position items from the
prior year’s audited financial statements for the year ended 31 December 20X6. Assume
other items are regarded as insignificant.

Item                              US$ m
Property, plant, and equipment    1,500
Accounts receivables                100
Inventory                           200
Cash                                 30
Accounts payable                    240

You are now considering the overall audit approach for the opening balances.

Required

(a) Propose your overall opening balance audit strategy, with consideration that the
last appointed auditor might have had performance issues.

(b) Propose, with explanations, the audit procedures for each of the statements of
financial position items listed above.

Analysis

Answer to Part (a)

We should make reference to the Standard, HKSA 510 Initial Audit Engagements – Opening
Balances, which provides guidance on an opening balance audit when conducting an initial
engagement. Procedures to perform include:

• Given the last appointed auditor might have had performance issues, we should
question and carefully consider the competence and independence of the last
appointed auditor.

• We may consider a review of the last appointed auditors’ working papers and plan
to conduct certain re-performance of their work.


• We should assess whether the prior period’s closing balances have been correctly
brought forward to the current period.

• We should evaluate the appropriateness of the accounting policies applied –
including whether the opening balances reflect the application of appropriate
accounting policies, whether accounting policies have been consistently applied, and
whether any changes in accounting policies have been accounted for and disclosed.

• We should also consider if we need to plan to perform current period audit
procedures to provide audit evidence on opening balances.

Answer to Part (b)

Given the significance of the following statement of financial position items, suggested
additional procedures to perform include:

• Property, plant, and equipment. Additional procedures to perform include:

° Given that the property, plant, and equipment balance is so materially
significant, we should validate the title of respective significant non-current
assets by examining their legal documents to verify the rights and obligations
assertion. A physical inspection of the property, plant, and equipment may also
provide some audit evidence as to the existence of the non-current assets at
the beginning of the period;

° Recalculating depreciation expense to ensure the depreciation policy is
consistently applied. Reviewing significant disposals during the year and checking
these are included in the opening balance of property, plant, and equipment; and

° Reviewing and assessing evidence in respect of the valuation of property, plant,
and equipment.

• Accounts receivables – The collection of opening accounts receivables tested during
the current period may provide some audit evidence as to their existence and
valuation at the beginning of the period. However, additional procedures may be
required, such as sending receivables confirmations on a sample basis to confirm
the existence and valuation of the larger balances with the larger customers at the
beginning of the period.

• Accounts payable – The payment of opening accounts payables tested during
the current period may provide some audit evidence as to their completeness
and valuation at the beginning of the period. However, additional procedures
may be required, such as sending confirmation on a sample basis to confirm the
completeness and valuation of the larger balances with the major suppliers at the
beginning of the period.

• Inventory – The current period’s audit procedures for the closing inventory balance
provide little audit evidence regarding the inventory on hand at the beginning of
the period. Additional procedures are necessary, for example:

° Observing a current physical inventory count and reconciling it with the
opening inventory quantities;


° Performing audit procedures on the valuation of the opening inventory items; or

° Performing audit procedures on gross profit and cut-off.

• Cash – Consider sending bank confirmations to confirm the existence and accuracy
of the opening bank balance if it is believed that the last auditor’s work does not
provide sufficient audit evidence as to the opening bank balance.

Knowledge Check Questions

Question 5
Explain why it is important to perform an assessment of engagement risk prior to
accepting the auditor’s appointment to the company.

Question 6
Chan & Co have been auditors of Ly Distribution Company for three years and have relied
on the same engagement letter issued when they were first appointed auditors of the
company, rather than re-issuing the letter each financial year. This has been on the basis
that nothing of audit significance has changed to require a new engagement letter being
issued. However, during the current financial year, Ly appointed a new Chief Executive
Officer. Explain whether this appointment warrants Chan & Co needing to issue a new
engagement letter.


SUMMARY

Exhibit 3.3 shows a summary of the client and engagement procedures covered in the chapter.

ACCEPT THE ENGAGEMENT?

Consider any:
• Ethical issues
• Legal or regulatory issues
• Entity specific issues

Prospective new client? Audit procedures:
• Obtain details of last appointed auditors and consult with them.
• Consider pre-engagement risk.

Existing client? Audit procedures:
• Consider continuing pre-engagement risk.

Accept (or continue to accept) the engagement? YES / NO

If YES, audit procedures:
• Ensure outgoing auditor’s removal/resignation was properly conducted.
• Obtain and review special notice.
• Perform professional clearance procedures.
• Prepare and submit engagement letter.
• Verify opening balances.

EXHIBIT 3.3 Client and engagement procedures


MIND MAP

Central topic: CLIENT AND ENGAGEMENT ACCEPTANCE PROCEDURES

CLIENT AND ENGAGEMENT ACCEPTANCE PROCEDURES
Auditor appointment requirements
• Who can be appointed as an auditor?
• Who can appoint the auditor?
• Legislative process of appointing an auditor
Auditor appointment guidance and guidelines
• Appointment as joint auditor
• Filling a casual vacancy
• Appointment by a company acquired by a new company
• Previous auditor unpaid fees
• Providing information to the incoming auditor
• Statutory provisions

PROCEDURES FOR ACCEPTING A NEW ENGAGEMENT OVERVIEW
Standards affecting auditor appointments
• HKSQC 1
• HKSA 220
• Code of Ethics
Key procedures performed prior to accepting an engagement
• Assess preconditions for the audit
• Perform engagement risk assessment
• Assess if the auditor can comply with the ethical requirements
Terms of the engagement considerations
• Components of acceptance of the engagement
• Agreed engagement terms
• Contents of an engagement letter
Opening balances – initial engagement

CHANGE OF AUDITOR
Auditor Resignation
Communication with the Audit Committee and the Board of Directors (Outgoing Auditor)
The Incoming Auditor’s requirements
Change of Auditor of a Listed Issuer of the Stock Exchange of Hong Kong
The Announcement to be made by the Listed Issuer on the Change of Auditor

Answers to Knowledge Check Questions

Question 1
Answer A is incorrect. The company can change at any point.
Answer B is correct. The company is able to change auditor at any point during the
existing auditor’s term of appointment provided they have followed the correct statutory
procedure.
Answer C is incorrect. The company has complete ability to change auditor at any time and
does not need the existing auditor’s permission in order to change auditor.
Answer D is incorrect. The company is not required to give the existing auditor any
formal notice of the reasons for the change. They may give reasons informally, but this is
not required.

Question 2
Yes, the company is able to change their auditor at any time during the existing auditor’s
term, and for any reason, provided they adhere to the process set out in the Companies
Ordinance.

Question 3
You would contact the existing auditor to obtain additional information about the
issues raised in order to understand their impact, if any, on future audits and assess
their response when received. If appropriate, you would discuss with the company to
understand their perspective on the issues raised and to ascertain their position if the
issues have implications for future audits. Based on the information obtained from both
sources you would then decide whether it was still appropriate to accept the auditor
appointment.


Question 4
Answer A is incorrect. The auditor cannot accept the engagement if the outgoing auditor
has not responded to the letter request.
Answer B is incorrect. The incoming auditor is able to contact the outgoing auditor by other
means before deciding to decline the engagement.
Answer C is correct. Try contacting the incoming auditor again by other means.
Answer D is incorrect. The incoming auditor is required to resend the request but by other
means to have the best opportunity of receiving a response.

Question 5
The auditor may become aware of issue(s) they were previously unaware of, that they
consider in their professional judgement represent threats to the auditor’s independence,
which cannot be appropriately safeguarded. This in turn will cause the auditor to have to
decline the auditor appointment of the company.

Question 6
Yes, Chan & Co should issue a new engagement letter as the appointment of a new Chief
Executive Officer represents a significant change in key management personnel of Ly
Distribution Company and it is important that the new Chief Executive Officer understands,
acknowledges, and accepts the terms of the audit engagement on the company’s financial
statements. Consequently Chan & Co should attend to re-issuing the engagement letter to
the Chief Executive Officer.

EXAM PRACTICE

QUESTION 1
(Adapted from Module C June 2013 Paper)

You are the audit partner of Jintian CPA Hong Kong and have just received a request from
Jintian CPA London regarding a fee proposal for the audit of Mark Hong Kong Limited, a
material subsidiary of Peter Limited, which is the potential audit client of Jintian CPA London
for the year ending 30 June 20X7. During your firm’s standard client acceptance procedures,
you have identified that the spouse of a tax partner in your office is the Chief Financial
Officer of Mark Hong Kong Limited.

Required:

Analyse and explain the independence issues for the acceptance of the audit engagement of
Mark Hong Kong Limited and advise as to any relevant safeguards.

QUESTION 2
(Adapted from Module C September 2008 Paper)

YYY Holdings Limited (‘YYY’) is a listed company on the Main Board of the SEHK and was
established ten years ago. YYY manufactures and sells a wide range of electronic products
including portable speakers, sound bars, and TVs. YYY has over 6,000 employees located at
its four factories in mainland China.


Ms. Kim Au is the founder (and the Chief Executive) of YYY and has always placed a great
emphasis on her company producing innovative and quality products. In May 20X8, YYY’s
previous auditor (Yau and Co) retired and therefore declined to stand for re-appointment
after reporting on the financial statements for the year ended 31 December 20X7 at YYY’s
annual general meeting. In August 20X8, Ms. Au invited Ms. Pear Or’s firm (Bright and Co) to
be the new auditor. Ms. Au had previously met Ms. Or (an audit partner of Bright and Co) at
a charity dinner in 20X8, which YYY was sponsoring.

Ms. Or is in the process of assessing whether to accept this prospective audit
engagement. YYY’s Chief Financial Officer, Mr. Lim, has provided Ms. Or with the most recent
audited financial statements (from the year ended 31 December 20X8) and also provided the
current unaudited management accounts for the eight months ended 31 August 20X9.

Required:

(a) Consider what pre-engagement audit procedures (other than the independence
considerations) Bright and Co should carry out as prospective auditors before accepting
YYY’s audit engagement.

(b) Following on from part (a), explain how Ms. Or should assess the integrity of Ms. Au and
the key management of YYY.

(c) Explain the ethical obligations of Bright and Co regarding the change in auditor.

QUESTION 3
Your firm, Zhau and Company CPAs (‘Zhau’), currently provides a range of consulting services
to Industrial Transformers Group Pty Ltd (‘the Group’), a mid-sized private company with its
head office in Hong Kong and with two manufacturing plants in Zhejiang in mainland China.
The Group manufactures high quality electrical transformers (ISO 9001 certified) for use
in large scale industrial factories throughout China and has been growing steadily yearly
since it started over four years ago. These consulting services have included tax advisory,
corporate finance services (for acquisitions), internal audit services (co-sourced with their
internal audit function), and performing the ISO 9001 quality assurance accreditation
review. These services have been provided by Zhau’s advisory services practice and have
not involved any external auditors. You are aware that the group want to list on the SEHK in
the next year or two, due to their continued strong growth. Recently the new Chief Executive
Officer, Mr. Wong, approached you, as the senior audit partner of Zhau, to accept the
engagement to audit the Group for the next financial year, 31 December 20X9. The current
auditors are only a small CPA firm with one audit partner and Mr. Wong considers the group
have got to the size that the current auditors can no longer appropriately service their audit
requirements. The most recent auditor’s report issued on the 31 December 20X8 financial
year was unmodified and the fee appeared reasonable from what you understand of the
Group. Additionally, Mr. Wong is conscious that they intend to list the Group on the SEHK
within a couple of years and would like a firm of your size and reputation as auditors in
anticipation of this.

Required:

Describe the issues, if any, that Zhau and Company CPAs will have in accepting the auditor’s
appointment. Explain how they may mitigate these issues.


QUESTION 4
Your firm, Chiang Partners CPAs, have been the appointed auditors of Chen Manufacturing
Company Limited for the past three years and you have been the audit partner. Chen
manufacture clothes hangers and are the largest manufacturer in Shandong province.
Their financial position is solid and they have experienced modest growth in the last three
years. They have not expanded or acquired any other businesses in the last three years, but
you are aware they are looking to acquire the third largest Shandong manufacturer in the
next year to further improve their economies of scale and increase profitability. You have
just issued the new engagement letter for the upcoming 31 December 20X9 audit, with an
unchanged audit fee, and reflecting the recent appointment of a new Chief Financial Officer,
Ms. Deng. Having now received the letter, Ms. Deng has contacted you seeking a meeting to
discuss the proposed audit fee, with a view to you reducing the fee by 20%. Her reason for
the request is that she does not see the value in the financial statement audit process and is
focused on saving on compliance costs wherever possible.

Required:

Explain your position with respect to accepting Ms. Deng’s proposed 20% audit fee reduction
for the 31 December 20X9.

ANSWERS TO EXAM PRACTICE

QUESTION 1
A family member of a partner of Jintian CPA Hong Kong is an officer of Mark Hong Kong
Limited and this constitutes a serious threat to independence. These are familiarity threat,
self-interest threat, and intimidation threat due to the family and personal relationships. The
significance of the threats is assessed against the following criteria:

• The individual’s responsibilities on the assurance engagement. The tax partner is
a member of the audit engagement team and would provide taxation advice on
the audit.

• The closeness of the relationship. As a ‘spouse’ is an immediate family member as
defined in the Code of Ethics, there is a close relationship.

• The role of another party at the company. We need to assess the responsibilities of
the Chief Financial Officer in the company. Normally, the Chief Financial Officer is
responsible for the accounting and financial functions of the company who will prepare
the accounting information for the audit.

Based on the above assessment, the threat should be considered to be significant.
Jintian CPA Hong Kong should inform Jintian CPA London of the threat and determine the
appropriate measures to eliminate the threats such as:

• Removing the tax partner from the engagement team, any other engagements with the
company, or within the company’s industry.

• Considering if removing the tax partner is sufficient in itself to sufficiently mitigate the
threat of perceived conflict of independence or the perception of bias by Jintian CPA
Hong Kong in respect of the audit of both Mark Hong Kong Limited and Peter Limited.


• Moving the tax partner’s spouse from the Mark Hong Kong Limited Chief Financial
Officer role to another position within the company that does not involve the
accounting and financial functions of the company or make significant decisions that
have consequences for the Mark Hong Kong Limited financial statements (unlikely).

• Declining the engagement.

Jintian CPA Hong Kong should not provide any assurance services to Jintian CPA London
on its services rendered on Mark Hong Kong Limited, including group reporting, as long as
the threat still exists.

QUESTION 2
(a) Bright and Co as a firm should already have established documented policies and
procedures for the acceptance and continuance of client relationships and specific
audit engagements in accordance with HKSQC 1 (Clarified) Quality Controls for Firms
That Perform Audits and Reviews of Financial Statements, and Other Assurance and Related
Services Engagements.

In respect of this individual prospective audit engagement, Bright and Co should
also ensure that appropriate procedures regarding the acceptance of the new client
relationships are performed and that conclusions on those procedures are appropriate
and documented, in accordance with HKSA 220 Quality Control for an Audit of Financial
Statements.

With the facts provided, Bright and Co should consider the following matters:

• The integrity of Ms. Au (founder and the Chief Executive).

• The integrity of other principal shareholders, key management personnel, and
those charged with governance. Bright and Co should also consider the extent of
influence by Ms. Au on those parties given she is the founder of YYY and also the
Chief Executive.

• Whether the engagement team has the competence and expertise to perform an
audit of a business operating in the fast-moving consumer electronic products
industry and has the necessary time and resources to perform a quality audit
(noting that Bright and Co is short of manpower).

• Whether Bright and Co and the engagement team can comply with the ethical
requirements. The engagement team should obtain such information as it
considers necessary in the circumstances before accepting an engagement by YYY
as a new client. Where issues have been identified and Bright and Co has decided
to accept the client relationship with YYY (in particular, the audit of its financial
statements for the year ended 31 December 20X8), Bright and Co should document
how the issues were appropriately resolved.

(b) Ms. Pear Or should consider the following when assessing the integrity of Ms. Au:

• The known business reputation of Ms. Au as founder and Chief Executive, other key
members of management, any significant related parties, and those charged with
YYY’s governance.

• The nature of YYY’s operations, e.g. whether or not YYY has engaged in any
speculative activities, accepted any unusually high business risks, has business
dealings with questionable third parties, or engaged in complex transactions
or aggressive deals that make the determination of the effects on the financial
statements unnecessarily highly subjective. These factors could all suggest that the
management is not acting in the best interests of YYY.

• Assess Ms. Au’s knowledge, attitude, and commitment towards matters related to
governance, internal control, and compliance with regulatory requirements and
contractual obligations. For example, does YYY have an aggressive interpretation of
certain accounting standards affecting its business, is there any evidence that YYY’s
internal control environment is poor or non-existent, or that Ms. Au may be able to
exercise her authority to override internal controls unnecessarily? Additionally, Ms.
Pear Or should conduct appropriate enquiries to assess if there is any indication of
money laundering and/or other criminal activities by Ms. Au (or YYY).

• Confirm whether the reason for the non-appointment of Yau and Co related to any
issues to do with the integrity of Ms. Au.

(c) Under the Code of Ethics for Professional Accountants (November 2018) (the Code)
Chapter A, Part 3, Section 200, Changes in a Professional Appointment, Bright and
Co should confirm whether the change of auditor has been properly dealt with in
accordance with the Companies Ordinance or other legislation/regulations.

If the change of auditor has not been properly dealt with, Bright and Co should not
accept the invitation to be appointed auditor of YYY. Bright and Co should also request
YYY’s permission to communicate with the outgoing auditor, Yau and Co. Bright and
Co should not accept the invitation without first sending Yau and Co a professional
clearance request as required by Chapter A, Part 3, Section 200 of the Code. This
request is to inquire if Yau and Co raise any issue/circumstance with Bright and Co in
respect of the proposed auditor change that Bright and Co should be aware of when
deciding whether or not to accept the auditor appointment nomination.

Since YYY is a listed company, the change in auditor is also governed by Chapter
A, Part 3, Section 300 of the Code, Change of Auditors of a Listed Issuer of the Stock
Exchange of Hong Kong. In accordance with Chapter A, Part 3, Section 300 of the Code,
Bright and Co should request a copy of the letter of resignation and any correspondence
referred to in the letter directly from YYY for consideration in addition to the professional
clearance from Yau and Co before accepting the appointment. If YYY refuses to provide
Bright and Co with a copy of the letter of resignation and any correspondence referred to
in the letter of resignation, Jiang and Co should decline the appointment.

QUESTION 3
First, Zhau needs to consider if any of the consulting services currently provided would
prevent them from accepting the auditor’s appointment due to perceived or actual conflicts
of interest in independence.

You would need further information on the exact nature and scope of each of the
consulting engagements (tax advisory, contractual assistance, internal audit services, and
quality assurance accreditation) that would be performed by members of your advisory
service practice.

You would then need to consider if any of the consulting work already performed by the
advisory services practice would be required to be audited through the financial statement
audit process, due to its material impact on individual financial statement line items.
Any engagements where you or your external team could be auditing your own firm’s work
as part of the financial statement audit work would be inappropriate (conflict of interest).
Zhau can only mitigate this either by not accepting the audit appointment until such
time as you would not be auditing such work and the firm has ceased to perform the
consulting work, or by simply not accepting the audit appointment and continuing to
provide consulting services to the Group. This decision would be made by the firm.

QUESTION 4
As the audit partner, you should not automatically accept the proposed fee reduction
as it is without basis, other than that the new Chief Financial Officer, Ms. Deng, does not
see value in your statutory audit process. If you, as an audit partner, consider the reduced
fee reasonable and that it still enables you to perform a quality, compliant audit in
accordance with the HKSAs, then you can consider accepting the proposed fee reduction.
If you do not consider the reduced fee to be reasonable, refuse to accept the reduction,
and find that Ms. Deng insists, then you should first discuss the proposal with Chen’s board
of directors to assess if there is any possibility of continuing the audit engagement on the
current fee arrangement basis. If you assess they agree with Ms. Deng, you have the
following options:

• Further discussing with Ms. Deng, subsequent to your discussion with the board of
directors, her approach to the audit process to assess if you are satisfied you will be
able to conduct a compliant, quality audit.

• If you are satisfied by the outcome of your discussions with Ms. Deng, accept the
reduced fee. If this option is chosen, you would need to consider the impact on the
audit of a Chief Financial Officer who does not see the value of the audit process.
You would assess her attitude to the audit process and how committed she is to a
smooth audit process such that you can meet your required deadline for issuing the
auditor’s report. To this end, you would assess any prior knowledge of her from her
prior company(s) (if known or publicly available) and whether she appears to have a
commitment to quality financial statements being prepared by her finance team for
audit. For example, you would potentially increase your professional scepticism in your
dealings with her, including designing additional procedures to perform to corroborate
information she may have prepared or that you obtained directly from her. You may
also consider the impact of her attitude on whether there is an increased risk of her,
in her management role, and with such a cost focus, streamlining processes and
approvals, and potentially overriding key established internal controls to save time and
therefore money. Again, you would consider designing and performing additional audit
procedures to appropriately respond to any risk of this occurring.

• If you are not satisfied by the outcome of your discussions with Ms. Deng, decline to
continue as Chen’s auditor and resign before your end of term, due to the reduced
fee proposed by Chen. This is the most likely option as clients seeking an arbitrary
reduction in audit fees, without basis, and simply from a cost control perspective may
not be willing to accept their responsibilities as outlined in HKSA 210 Agreeing the Terms
of Audit Engagements. Also, when you consider the additional procedures you may have
to perform (as outlined in the bullet point above), on a reduced fee base, the audit may
simply not be economically feasible to accept and still conduct an HKSA compliant,
quality audit.


4 Quality Control Considerations

CHAPTER TOPIC LIST

4.1 Quality Control Considerations
    4.1.1 Hong Kong Institute of Certified Public Accountants (HKICPA)
    4.1.2 IAASB Framework for Audit Quality
    4.1.3 Scope and Terminology
4.2 Quality Control Requirements
    4.2.1 Applying and Complying with Relevant Requirements Including HKSQC 1 and HKSA 220
    4.2.2 Elements of a System of Quality Control
    4.2.3 Leadership Responsibilities for Quality within the Firm
    4.2.4 Relevant Ethical Requirements Including Independence
    4.2.5 Acceptance and Continuance of Client Relationships and Specific Engagements
    4.2.6 Human Resources
    4.2.7 Engagement Performance
    4.2.8 Monitoring Quality Control Policies and Procedures
    4.2.9 Summary of Quality Control Requirements
4.3 Documentation of the System of Quality Control
    4.3.1 Engagement Quality Control Review Documentation
4.4 Conformity and Compliance with International Standards on Quality Control Overview
    4.4.1 International Forum of Independent Audit Regulators (IFIAR)
    4.4.2 Strengthening Regulation in Hong Kong – the Financial Reporting Council (FRC)
    4.4.3 Proposed Changes to the Quality Standards


LEARNING OUTCOMES

PRINCIPAL LO1: PERFORM ASSURANCE ENGAGEMENTS


LO1.03: Prepare, plan and develop assurance engagements including the audits of financial
statements in accordance with relevant Hong Kong Standards of Quality Control,
Auditing, Assurance and Related Services, guidance and legislation with emphasis on:
Quality control considerations
1.03.01 Explain the principles and purposes of quality control of audit and other assurance
engagements
1.03.02 Analyse the features of a system of quality control relevant to a specific firm
1.03.03 Design quality control procedures relevant to a specific audit engagement
1.03.04 Consider whether an engagement has been performed in line with professional standards
and whether reports issued are appropriate


OPENING CASE

CHINA FOODS LTD

China Foods Ltd (CFL) operates in mainland China and is listed in Hong Kong. CFL’s stock
price crashed by 95% after an investment analyst said the company was worth nothing.
CFL’s management had made fraudulent statements in its earnings reports and overstated its
capital spending on farm acquisitions. Its chairman was accused of embezzling RMB 200 million
in company funds.

Before joining CFL, the company’s chief financial officer had worked for CFL’s auditor for
10 years. At CFL, he received an annual salary of RMB eight million. News of CFL’s stock price
collapse came after its auditor, a large-sized CPA firm, had approved the company’s past three
annual reports. According to CFL’s most recent annual report, the audit fee was RMB seven
million. How did the auditor fail to detect the fraud?

An investment analyst could not have convinced CFL to assist in its investigation, and yet
the analyst worked out that CFL’s stock was worthless. In contrast, the auditor had unrestricted
access to CFL’s books, and could also ask for external confirmation of the company’s finances
from banks, lawyers, customers, and others. Are auditors truly so incompetent that they failed
to notice anything wrong? Or were they complicit in the CFL fraud?


OVERVIEW

To perform audits, auditors, like other professionals, must be licensed by governments and
professional associations. As explained by public interest theory, auditors provide a social good
when they report reliable information to regulators, markets, and other stakeholders about
businesses and other organisations. This information is valuable because, as reported by EY in
their Global Fraud Survey 2018:

• 11% of companies have experienced significant fraud in the last two years.

• 11% of respondents stated it is common practice to use bribery to win contracts.

In order to provide this important public service, an auditor’s report must possess the
characteristics of any good performance measure. It must be reliable, relevant, timely,
complete, and clear. Such a report can only be achieved by a high-quality audit. Audit quality is
critical to the stakeholders – the shareholders, customers, employees, regulators, markets, and
others – who rely on the information auditors provide.

Audit risk is a measure of the likelihood of audit failure – the risk that the auditor’s opinion
will state that the financial statements are free of material misstatement when they are not.
High-quality audits reduce audit risk and the frequency of audit failure. They enhance the
reputation of the profession and ensure its economic viability.

In contrast, low-quality audits increase audit risk and the frequency of audit failure; the
reputation of the profession is damaged, audit firms are sued for negligence, and audit firm
profitability is threatened. Audit quality is fundamental to the usefulness of the auditor’s report,
and the reputation and economic viability of the profession.

Many mechanisms exist that support audit quality. These exist at the individual, firm,
professional, national, and international levels. This chapter discusses mechanisms that operate
at all of these levels with a focus on those under the control of the auditor, the audit firm, and
the profession. Section 4.1 introduces some quality control mechanisms at the professional
(HKICPA and IAASB) level. Sections 4.2 and 4.3 provide a summary of the requirements of
the quality control standards provided by these same two bodies for audit firms and audit
engagements. Finally, Section 4.4 discusses recent developments in national (Hong Kong’s
Financial Reporting Council, or FRC) and international (International Forum of Independent
Audit Regulators) regulatory mechanisms.

Key Learning Point


The objective of an audit is to provide assurance on information relevant to market
participants. This objective can only be achieved by a high-quality audit. Poor-quality audits
lead to audit failure, damage to the reputation of the profession, and lawsuits against auditors.


4.1 QUALITY CONTROL CONSIDERATIONS

Quality control (QC) is a broad concept. For a public accounting firm, QC comprises:

• All of those policies and procedures adopted and carried out by the firm to ensure it
meets its responsibilities to its clients; and

• Policies and procedures that ensure the firm meets its responsibilities to national
and international regulators (e.g. the FRC and the Hong Kong Stock Exchange), to the
profession (HKICPA and the International Federation of Accountants, or IFAC), and
under the law (in Hong Kong, the Companies Ordinance and the Professional Accountants
Ordinance).

4.1.1 Hong Kong Institute of Certified Public Accountants (HKICPA)


4.1.1.1 Standards
The key professional standards dealing with QC are:

• Hong Kong Standards on Quality Control 1 (Clarified) (HKSQC 1), Quality Control for Firms
that Perform Audits and Reviews of Financial Statements, and Other Assurance and Related
Services Engagements; and

• HKSA 220, Quality Control for an Audit of Financial Statements.

The professional body is also involved in other aspects of quality control, notably its
practice review programme, its publication programme, and its education programme
for the qualification of new CPAs and the professional development of members.

4.1.1.2 Practice Review


Practice review is a quality assurance programme for audit and other assurance services
provided in Hong Kong by audit firms. The Institute first introduced practice review in 1992
under the Professional Accountants Ordinance (Cap.50).

The review process has a focus on risk in the selection of audit firms and audit
engagements for review. Attention is paid to firms that are engaged in auditing listed entities.
Practices with listed entity client(s) are visited at least once every three years. In the most recent
year, the Quality Assurance Department carried out over 300 practice reviews.

Some of the common concerns that surface during practice reviews are summarised in the
latest Quality Assurance Department report.

A practice review complaint may result in the cancellation of the practising certificate of the
respondent. Practice units should make quality and compliance a prime concern in their audit
work and cooperate with the practice review process.

In October 2018, a programme of monitoring of compliance with the Guidelines on
Anti-Money Laundering (AML) and Counter-Terrorist Financing for Professional Accountants was
introduced as part of the practice review programme.


4.1.1.3 Publications
HKICPA has published A Guide to Quality Control by Stuart Hartley and Marcus A. Guenther. The
guide is aimed at helping public accounting firms design, document, implement, and maintain
a system of quality control. It provides sample policies and procedures for different sizes of
practice that can be used as a starting point in developing a customised quality assurance
manual for the firm.

A further publication of the HKICPA is Audit Committees and Audit Quality. A key component
of good corporate governance, and of audit quality, is the audit committee. The guide is
designed to foster better communication, interaction, and understanding between audit
committees, board members, and their external auditor.

Key Learning Point


The main quality control mechanisms established by the accounting profession are their
educational programmes for entrants and members, their practice review programme, and
their publication programme.

4.1.2 IAASB Framework for Audit Quality


IFAC is a global organisation for the accountancy profession dedicated to serving the public
interest by strengthening the profession and contributing to the development of strong
international economies. IFAC consists of over 175 members and associates in more than
130 countries and jurisdictions. This represents almost three million accountants in all areas
and industries.

IFAC oversees four independent standard setting bodies:

• The IAESB (education standards);

• The IESBA (ethics standards);

• The IPSASB (public sector standards); and

• The IAASB (audit and assurance standards).

The International Auditing and Assurance Standards Board (IAASB) is an independent
standard-setting body that serves the public interest by setting high-quality international
standards for auditing, quality control, review, other assurance, and related services, and by
facilitating the convergence of international and national standards.

IFAC, through the International Forum of Independent Audit Regulators (IFIAR), collects
information from audit regulators throughout the world about deficient audit engagements
and audit firms. This information is compiled and used to guide the improvement of existing
standards.

The IAASB published a very useful document, A Framework for Audit Quality. In this
document, the IAASB identifies five elements of audit quality. They state that the existence of
these five elements will provide an environment supportive of audit quality. The five elements
are listed and described in Exhibit 4.1.


1. Inputs. The key input to audit quality is auditors who:

• Have appropriate ethics and attitudes;

• Are knowledgeable, skilled, and experienced; and

• Have sufficient time to perform their work.

2. Processes. Key processes that support audit quality include:

• Rigorous plans and work programmes governing all stages of the engagement
including:

    ◦ Client acceptance;

    ◦ Risk assessment;

    ◦ Control system assessment;

    ◦ Evidence gathering; and

    ◦ Reporting.

• Quality control procedures that comply with laws, regulations, and professional
standards.

3. Outputs. Quality outputs of the audit process include reports that are useful, reliable,
trustworthy, and timely.

4. Interactions. While the auditor is primarily responsible for audit quality, supportive
interactions are important to the audit process. Key stakeholders in the reporting
supply chain include:

• Auditors and audit firms;

• Client entity management and board of directors;

• Professional associations (e.g. HKICPA);

• Regulators; and

• Users – shareholders, investors, and other market participants.

5. Contextual factors. A number of contextual factors impact on audit quality. These
contextual factors are found at international, national, and local levels:

• Laws and regulations governing financial reporting;

• The litigation environment;

• Business practices and commercial law;

• Audit regulation;

• The financial reporting framework;

• The financial reporting timetable;

• Corporate governance;

• Information systems; and

• Cultural factors.

EXHIBIT 4.1 Elements of the IAASB Framework for Audit Quality (Source: IAASB A Framework for Audit Quality.)


While the audit quality framework summarised in Exhibit 4.1 is focused solely on audit
engagements, it can be generalised to all assurance engagements and, as such, could be
considered a ‘framework for assurance quality’.

Apply and Analyse 1


Review the opening case on China Foods Ltd and apply the elements of the IAASB
Framework for Audit Quality in Exhibit 4.1 to the facts of the case.

Analysis

Inputs

• Inputs relate to the auditor. The case raises questions about both the competence
and the ethics of the auditor. Either the auditor made a very obvious error and
was incompetent, or they were complicit in the fraud.

• The case also points to a significant independence threat (familiarity) because CFL’s
CFO was a 10-year employee of the audit firm.

Processes

• Senior management at CFL were criminals and lacked integrity. Client continuance
procedures were clearly deficient.

• Given the repeated audit failures, we can conclude that the evidence gathering
processes carried out by the auditor were also deficient.

Outputs

Due to the consistent and repeated audit failures, the auditor’s reporting processes and
reports were deficient and the auditor’s opinion was wrong.

Interactions

While the auditors were primarily responsible for the audit failures, other participants in
the process were also deficient. Senior management of CFL were criminals. The HKICPA
and the FRC both failed in their regulation and oversight responsibilities. The only party
in the case who made a significant contribution to the public interest was the
investment analyst.

Contextual Factors

• The law and the litigation environment failed to deter either the criminal activity of
CFL’s senior management or the negligence of the audit firm.

• Audit regulations in Hong Kong, and the professional standards, similarly failed
to prevent, or to detect and correct, the auditor’s poor-quality work and the
audit failure.

• The corporate governance of CFL was inadequate.


Key Learning Point


The IAASB has published a useful document, the Framework for Audit Quality. The
framework has five elements: inputs, processes, outputs, interactions, and contextual
factors.

4.1.3 Scope and Terminology


4.1.3.1 Scope
Compliance with the professional standards is an important part of quality control (QC),
but an effective system of QC is far broader and affects every aspect of a public accounting
firm’s activity.

QC policies and procedures cannot be universally prescribed. Appropriate systems of QC
are determined by many variables including firm size, number of offices, network affiliations,
regulatory requirements, and the nature of the work performed by the firm.

Illustrative Example 1
A multinational CPA firm performing complex audits in multiple jurisdictions controlled
by numerous regulators and legal codes would be expected to have a very extensive
system of QC. In contrast, a much simpler system of QC would be appropriate to a
small CPA firm serving a number of small audit clients in a single jurisdiction. While very
different, when appropriately designed, both firms’ QC systems would comply with the
professional standards and relevant regulations.

4.1.3.2 Terminology
The literature on quality control is derived from a vast and imprecise management literature on
quality management. There is some inconsistency between this management literature and
that of the accounting profession. For example, quality control in the management literature
is concerned with just that – controlling quality. Other aspects of quality management include
quality planning, quality assurance, and quality improvement.

The accounting literature takes a different approach. Under the IAASB’s framework, all of
quality planning, quality assurance, quality control, and quality improvement are treated as
aspects of quality control.

On the positive side, the IAASB is undertaking a project to revise the current International
Standard on Quality Control ISQC 1 (see Section 4.4.3 of this chapter). An exposure draft of
the new International Standard on Quality Management ISQM 1 is currently available for
comment (April 2019). The new standard has adopted the more traditional and sensible
approach described above, where all aspects of quality are treated as part of ‘quality
management’.


Key Learning Point


There are some inconsistencies between the terminology of the quality management
literature and the quality control standards published by the accounting profession.

Knowledge Check Questions

Question 1
Describe in what ways professional associations ensure the quality of audits.

Question 2
Explain the benefits of high-quality audit work.

4.2 QUALITY CONTROL REQUIREMENTS

As noted above, the two main professional standards dealing with quality control include:

• HKSQC 1, Quality Control for Firms that Perform Audits and Reviews of Financial Statements,
and Other Assurance and Related Services Engagements; and

• HKSA 220, Quality Control for an Audit of Financial Statements.

Section 4.2 is mainly concerned with addressing the requirements of these fundamental
QC standards. The objective of this section is to provide a useful and readable introduction
to the two standards. It is, however, incomplete. Many of the requirements and supporting
explanations found in the standards are not mentioned here. It is intended that the information
provided here will give readers a familiarity with the standards, which will facilitate future
reference as required.

4.2.1 Applying and Complying with Relevant Requirements Including HKSQC 1 and HKSA 220

The key differences between HKSQC 1 and HKSA 220 are made clear in their titles.

• HKSQC 1 relates to a firm’s responsibilities for its system of quality control for all
assurance engagements (audits and reviews of financial statements and other
assurance and related services engagements), while HKSA 220 relates to the
responsibilities of firm personnel regarding quality control procedures for audit
engagements.

Unsurprisingly, a comparison of the content of HKSQC 1 and HKSA 220 shows that they
are very similar. The fundamental requirement of both standards is that the responsible party
(the assurance firm in HKSQC 1 and the audit engagement partner in HKSA 220) shall establish
and maintain a system of quality control that addresses each of the six elements of a system
of quality control as defined in HKSQC 1. Most of the content in both standards identifies the
responsibilities of auditors with respect to these six elements.

4.2.2 Elements of a System of Quality Control


The following list of elements is taken from HKSQC 1, paragraph 16 (HKSQC 1.16). Sections 4.2.3
through 4.2.8 of this chapter discuss each of these elements in turn.

4.2.2.1 Elements of a System of Quality Control


1. Leadership responsibilities for quality within the firm.

2. Relevant ethical requirements.

3. Acceptance and continuance of client relationships and specific engagements.


4. Human resources (in HKSA 220.14, Element 4 is ‘Assignment of Engagement Teams’).

5. Engagement performance.

6. Monitoring.

As can be seen above, the ‘Elements of a System of Quality Control’ listed in HKSQC 1 are
similar, but not identical to, the ‘Elements of Audit Quality’ found in the IAASB’s Framework
for Audit Quality (see Section 4.1.2). The differences arise because HKSQC 1 is concerned with
accounting firms, and HKSA 220 is concerned with audit engagements, so these standards
focus mainly on those elements of audit quality that are under the control of audit firms and
auditors. As noted by the IAASB, auditors are primarily responsible for audit quality, but they
perform audits in an environment that may be more or less supportive of their work. The IAASB
framework is accordingly concerned with auditors, but also with the broader business and
regulatory environment.

Key Learning Point


HKSQC 1 and HKSA 220 discuss six elements of QC, which are focused on assurance
engagements and the audit firm.

4.2.3 Leadership Responsibilities for Quality within the Firm


The first element of a QC system identified in HKSQC 1 is ‘leadership responsibility for quality’.
Leadership is dealt with briefly in HKSA 220, which states that audit quality is the responsibility
of the engagement partner (HKSA 220.8). In HKSQC 1, paragraphs 18 and 19 state that the firm’s
system of quality control is the ultimate responsibility of the firm’s CEO or board of management.
Where responsibility is delegated to another person by the responsible party, appropriate policies
must exist to ensure that the person has appropriate authority, experience, and ability to carry
out the role effectively (HKSQC 1.18–19).

HKSQC 1 application paragraphs A4 and A5 discuss the importance of a quality culture.
The firm’s leadership significantly influences the firm’s internal culture. The promotion of a
quality-oriented internal culture depends on clear, consistent, and frequent actions like training
seminars, meetings, dialogue, mission statements, and newsletters that emphasise the firm’s
quality control policies and procedures, and a culture that recognises and rewards
high-quality work (HKSQC 1.A4, A5).

QC policies should show:

• How performance evaluation, compensation, and promotion all reflect the firm’s
overriding commitment to quality;

• That commercial considerations do not override the quality of work performed; and

• Provision of resources for the development, documentation, and support of quality.

4.2.4 Relevant Ethical Requirements Including Independence


The second element of a QC system identified in HKSQC 1 is ‘relevant ethical requirements’.
Chapter 1 of this Module is titled Ethical Standards, Legislation, and Professional Guidance.
All of the important QC issues relating to ethics and independence are dealt with in
Section 1.2.2.2 of Chapter 1. The following is a brief summary of relevant material from
Chapter 1.
HKSQC 1 includes several paragraphs relating to ethics (HKSQC 1.20–25, A7–A17).

Paragraphs 20 and 21 require firms to establish policies and procedures designed to
provide reasonable assurance that:

• The firm and its personnel comply with relevant ethical requirements (the Code of Ethics
for Professional Accountants).

• The firm and its personnel maintain independence where required by relevant ethical
requirements (the Code of Ethics), laws, and regulation.

It is appropriate to remind readers of the critical importance of independence in an audit
engagement. HKSQC 1 requires the auditor to comply with relevant ethical requirements
in conducting their audit, including independence. The relevant ethical requirements are
contained in the Code of Ethics for Professional Accountants. The Code of Ethics details that any
threats to independence identified by the auditor need to be addressed either by eliminating
those threats, or by reducing them to an acceptable level by applying safeguards. If the threats
remain unacceptably high, the Code of Ethics indicates that the auditor is to withdraw from the
engagement.

Paragraph 22 requires ongoing collection of information from firm personnel regarding
independence so that the firm can assess, document, and act on independence threats.

Paragraph 23 requires that independence breaches be dealt with expeditiously, and that a
chain of command be established to achieve this outcome.

Paragraph 24 requires annual collection of data from all firm personnel regarding their
independence status.

Paragraph 25 requires firms to (i) establish safeguards in circumstances where staff have
a long-term relationship with a client (a familiarity threat); and (ii) for audits, to rotate the
engagement partner, the quality control reviewer, and other senior staff.

HKSA 220 paragraphs 9–11 and A4–A7 deal with ethics in the audit engagement. The content
here is very similar to HKSQC 1.


Paragraphs 9 and 10 establish the responsibility of the audit engagement partner to
monitor engagement personnel’s ethical behaviour, and to act when necessary.

Paragraph 11 deals with independence. The engagement partner must identify and
evaluate threats to independence and act to eliminate or reduce any identified threats to an
acceptable level; or withdraw from the audit.

4.2.4.1 Quality Control Deficiencies


See Section 4.4.1 for a listing of deficiencies in auditors’ ethics, independence, and other
matters as reported to the IFIAR.

Key Learning Point


Independence is fundamental to audit quality. The Code of Ethics for Professional Accountants
provides an extensive discussion on independence. The Code of Ethics first identifies
threats to independence, and then safeguards which might be used to reduce or eliminate
these threats.

Apply and Analyse 2


Refer to the opening case of China Foods Ltd. In that case, it was noted that:

• Before joining CFL, the company’s chief financial officer had worked for CFL’s audit
firm for 10 years; and

• According to CFL’s most recent annual report, the audit fee was RMB seven million.

Describe the safeguards that should have been put in place to deal with these threats
to the auditor’s independence.

Analysis

The first point above is a familiarity threat; the second an intimidation threat and a
self-interest threat.

• Familiarity. Safeguards regarding familiarity suggest the rotation of senior audit
staff including the engagement partner and the EQC Reviewer.

• Intimidation and self-interest. Safeguards regarding audit fees suggest that if a
client’s fees represent a significant proportion of the revenue of one partner, the
firm should have the partner’s work reviewed by another partner. For a client that
is a listed entity (CFL is listed), an EQCR is required.

4.2.5 Acceptance and Continuance of Client Relationships and Specific Engagements

The third element of a QC system identified in HKSQC 1 is ‘acceptance and continuance of client
relationships and specific engagements’. Chapter 3 of this Module is titled Client and
Engagement Acceptance Procedures. All of the important QC issues relating to client
engagement and acceptance are dealt with in Section 3 of that chapter. The following is a brief
summary of relevant material from Chapter 3 (HKSQC 1.26–28).

The firm is required to ensure that the assurance provider:

• Is competent to perform the engagement.

• Has the capabilities, including time and resources, to perform the engagement.

• Can comply with relevant ethical requirements.

• Has considered the integrity of the client and does not have information that would
lead them to conclude that the client lacks integrity.

The firm should consider whether the engagement involves a potential conflict of interest
and if the engagement should be declined. Where a potential conflict of interest exists and the
engagement is accepted, the firm must document how the conflict has been resolved.

If the firm obtains information after accepting a client that may have caused it to decline
the engagement, the firm is to consider the professional and legal responsibilities that apply to
the circumstances, and the possibility of withdrawing from the engagement.

HKSA 220 paragraphs 12–13 require the engagement partner to be satisfied that
appropriate procedures regarding the acceptance and continuance of a client have been
performed and that conclusions reached from those procedures were appropriate. If the
engagement partner obtains information that would have caused them to decline the
engagement, they are required to advise the firm so that appropriate action can be taken.

Key Learning Point


When accepting or continuing a client engagement, the firm must consider its own
capabilities and the independence of its personnel, but also the integrity of the client
management.

4.2.6 Human Resources


The fourth element of a QC system identified in HKSQC 1 is ‘human resources’.

HKSQC 1 deals with human resources in paragraphs 29–31 and A24–A31. The firm must
assign a responsible engagement partner and ensure that partner’s identity is communicated to the
client management and those charged with governance. Firms must also ensure that
personnel, including the engagement partner, have the appropriate competence, capabilities,
and commitment to ethical principles necessary to perform engagements in accordance with
professional standards and legal and regulatory requirements, and that the firm is able to issue
appropriate reports.

Relevant personnel policies to be included in the QC system should address:

• Recruitment

• Performance evaluation


• Capabilities, including time to perform assignments

• Competence (education and experience)

• Career development

• Promotion

• Compensation

• The estimation of personnel needs.

HKSA 220 (paragraph 14) deals with human resources only in terms of the ‘Assignment of
Engagement Teams’. Similar to HKSQC 1, HKSA 220 requires the engagement partner to ensure the
team has the competence and capabilities to perform the audit in accordance with professional
standards and legal and regulatory requirements. The partner must also ensure an appropriate
report can be issued. Matters that contribute to a competent engagement team include:

• Practical experience with audit engagements of a similar nature and complexity
through appropriate training and participation, and knowledge of the client’s industry.

• Expertise with relevant information technology and specialised areas of accounting
or auditing.

• Ability to apply professional judgement.

• Understanding of the firm’s quality control policies and procedures.

4.2.6.1 Quality Control Deficiencies


See Section 4.4.1 for a listing of common deficiencies found in audit firms and in audit
engagements by regulatory authorities regarding human resources.

4.2.7 Engagement Performance


The fifth element of a QC system identified in HKSQC 1 is ‘engagement performance’. This
element is dealt with in paragraphs 32–47 and A32–A63 of HKSQC 1 and in paragraphs 15–22
and A14–A33 of HKSA 220.

Much of the section of HKSQC 1 on engagement performance is concerned with the firm’s
responsibilities with respect to the Engagement Quality Control Review (EQCR). All matters
concerning EQCR are dealt with in Section 4.2.7.1.

Other requirements dealt with in the engagement performance section of HKSQC 1 include
the firm’s responsibility to establish policies and procedures to ensure that engagements are
performed in accordance with professional standards and applicable legal and regulatory
requirements. Key matters include supervisory responsibilities, review responsibilities, and
consultation. Each of these matters is dealt with in the application section of both HKSQC 1
and HKSA 220.

Supervision (HKSQC 1.A34) means:

• Tracking the progress of the engagement.

• Considering the competence and capabilities of personnel, whether they have sufficient
time to carry out their work, whether they understand their instructions, and whether
the work is being carried out in accordance with the engagement plan.


• Addressing matters arising during the engagement, considering their significance, and
modifying the plan appropriately.

• Identifying matters for consultation or consideration by more experienced engagement
team members during the engagement.

Review (HKSQC 1.A35) means ensuring that:

• The work of less experienced team members is reviewed by more
experienced members.

• The work has been performed in accordance with professional standards and
applicable legal and regulatory requirements.

• The work performed supports the conclusions reached and is appropriately documented.

Consultation (HKSQC 1.A36–A40) means:

Consultation includes discussion with individuals who have specialised expertise.
Appropriate recognition of consultation in the firm’s policies and procedures helps to promote
a culture in which consultation is recognised as a strength and encourages personnel to consult
on difficult or contentious matters.

Effective consultation on significant technical or ethical matters can be achieved when
those consulted are given all the relevant facts and have appropriate knowledge, seniority, and
experience, and when conclusions resulting from consultations are appropriately documented
and implemented.

HKSA 220 mainly concerns the responsibilities of the engagement partner and the
Engagement Quality Control Reviewer (EQC Reviewer). As noted above, all matters concerning
the EQCR and the EQC Reviewer are dealt with in Section 4.2.7.1.

HKSA 220 Responsibilities of the Engagement Partner


• The direction, supervision, and performance of the audit engagement in compliance
with professional standards and applicable legal and regulatory requirements.

• On or before the date of the auditor’s report, be satisfied that sufficient appropriate
audit evidence has been obtained to support the conclusions reached, and for the
auditor’s report to be issued.

• Undertake consultation on difficult or contentious matters, and be satisfied that
members of the engagement team have undertaken appropriate consultation and that
conclusions resulting from such consultations have been implemented.

• For audits of financial statements of listed entities, ensure that an EQC Reviewer has
been appointed. Discuss significant issues with the EQC Reviewer and do not date the
auditor’s report until the completion of the EQCR.

Key Learning Point


Satisfactory engagement performance is achieved when the engagement partner ensures
that sufficient appropriate evidence has been obtained to support the conclusions
reached, and for the assurance report to be issued. Engagement performance includes
three key activities: supervision, review, and consultation.


4.2.7.1 Engagement Quality Control Review (EQCR)


An Engagement Quality Control Review (EQCR) provides an objective evaluation, on or before
the date of the auditor’s report, of the significant judgements made by the engagement team
and their conclusions reached in formulating the report.

HKSQC 1 Responsibilities of the Firm Regarding EQCR


The standard requires an EQCR for all audits of financial statements of listed entities, for
significant ‘public interest’ entities, and for other assurance and related service engagements
as appropriate. The firm must establish policies and procedures setting out the nature, timing,
and extent of an EQCR. The extent of an EQCR depends on the complexity of the engagement,
whether the entity is a listed entity, and the risk of an inappropriate report. The performance of
an EQCR does not reduce the responsibilities of the engagement partner.

The duties of an EQC Reviewer include:

• Discussing significant matters with the engagement partner.

• Reviewing financial statements and the proposed report.

• Reviewing selected engagement documents that relate to significant judgements made
by the engagement team and the conclusions that they reached.

• Evaluating the conclusions that were reached in the formulation of the report and
considering whether the proposed report is appropriate.

Additional EQC Reviewer requirements for audits of listed entities include assessing:

• The engagement team’s evaluation of the firm’s independence in relation to the specific
engagement.

• Whether appropriate consultation has taken place on matters involving differences of
opinion and the conclusions arising from those consultations.

• Whether documentation selected for review reflects the work performed in relation to
the significant judgements and supports the conclusions reached.

Policy regarding the eligibility of the EQC Reviewer should specify:

• The technical qualifications required to perform the role, including the necessary
experience and authority.

• The degree to which an EQC Reviewer can be consulted on the engagement without
compromising the reviewer’s objectivity.

• The replacement of the EQC Reviewer where the reviewer’s ability to perform an
objective review is impaired.

The engagement partner may consult the EQC Reviewer during the engagement, for
example to establish that a judgement made by the engagement partner will be acceptable
to the EQC Reviewer. Such consultation need not give rise to a self-review threat that
compromises the EQC Reviewer’s eligibility to perform the role.

The audit report should not be signed until the EQCR is completed and the EQC Reviewer
is not aware of any unresolved matters that would cause the reviewer to believe that the
significant judgements the engagement team made and the conclusions it reached were not
appropriate.


HKSA 220 Responsibilities of the EQC Reviewer


The EQCR section of HKSA 220 has almost the same requirements as those found in HKSQC 1.

Quality Control Deficiencies


See Section 4.4.1 for a listing of common deficiencies found in audit firms and in audit
engagements by regulatory authorities regarding engagement performance.

Key Learning Point


An EQCR provides an objective evaluation of the engagement team’s judgements made
and conclusions reached in formulating their report. The extent of an EQCR depends on
engagement complexity and risk.

An EQCR is required for all audits of financial statements of listed entities and for
significant ‘public interest’ entities.

Apply and Analyse 3


Refer to the opening case of China Foods Ltd. In that case it was noted that ‘CFL
management had made fraudulent statements in its earnings reports and overstated its
capital spending on farm acquisitions. Its chairman was accused of embezzling RMB 200
million in company funds.’

(a) Explain the effect of these three material misstatements in CFL’s financial
statements.

(b) Describe the engagement performance requirements in HKSQC 1 and HKSA 220
that the auditor failed to meet.

Analysis

(a) Material misstatements.

1. ‘Fraudulent statements in its earnings reports’. This indicates either
an overstatement of revenue or an understatement of expenses. An
overstatement of revenue is a very common form of fraud.

2. ‘Overstated its capital spending on farm acquisitions’. This indicates an
overstatement of property, plant, and equipment (PPE). The company either
recorded the purchase of non-existent farms or recorded a fraudulently high
price for the farms.

3. ‘Its chairman was accused of embezzling RMB 200 million’. It is likely that the
embezzlement occurred in connection with the farm acquisition transactions.
Non-existent farms were purchased or an excessive price was paid for the
farms, and the chairman pocketed the full purchase price or the excessive
amount. Cash was understated.



(b) Engagement performance failures. The relevant requirements of HKSQC 1 and
HKSA 220 are very similar.

From HKSQC 1.

The evidence obtained and conclusions made are sufficient and appropriate
to support the report and the objectives of the engagement have been
achieved.

From HKSA 220.

On or before the date of the auditor’s report, be satisfied that sufficient
appropriate audit evidence has been obtained to support the conclusions
reached, and for the auditor’s report to be issued.

4.2.8 Monitoring Quality Control Policies and Procedures


The sixth and final element of a QC system identified in HKSQC 1 is ‘monitoring QC policies and
procedures’ (HKSQC 1.48–56, A64–A72; HKSA 220.23, A34–A36). Responsibility for the
monitoring process should be assigned to partners or others with sufficient and appropriate
experience and authority.

According to HKSQC 1 and HKSA 220, QC policies and procedures must be monitored to
ensure the system is relevant, adequate, and operating effectively. Relevance refers to
adherence to professional standards and the law.

Monitoring comprises a process of ongoing consideration and evaluation of the QC
system, which includes:

• Analysis of new developments in professional standards and their appropriate inclusion
in the QC system.

• Documentary evidence of compliance of personnel with independence policies.

• An assessment of the design and effectiveness of training programmes.

• Inspection of documentation of decisions regarding client acceptance and
continuance.

• Determinations of corrective actions taken and improvements made to the QC system.

• Communication to appropriate firm personnel of weaknesses identified in the system,
in the level of understanding of the system or compliance with it.

• Follow-up by appropriate firm personnel so that necessary modifications are promptly
made to the quality control policies and procedures.

The selection of engagements for inspection, and the timing of inspections, should be
determined by:

• The size and complexity of the firm and the number and geographic locations.

• The results of previous inspections including inspections by independent bodies
(e.g. the HKICPA).


• The degree of authority both personnel and offices have.

• The degree of risk associated with specific clients and engagements.

4.2.8.1 Evaluating, Communicating, and Remedying Deficiencies


HKSQC 1. Deficiencies noted during the monitoring process may be one-off or systematic
(HKSQC 1.49). The latter require prompt remedial action. Actions may involve:

• The retraining or disciplining of an individual employee;

• Changes to the employee training programme; or

• Changes to the system of quality control.

Where monitoring procedures indicate that an engagement report may be inappropriate or
that procedures were omitted during the performance of an engagement, the firm should act
to comply with professional standards and legal requirements and consider whether to obtain
legal advice.

The firm shall communicate to senior personnel, at least annually, a description of the
monitoring procedures carried out and conclusions drawn so that these individuals can
take prompt and appropriate action on deficiencies. Communications should also describe
actions taken.

Where firms within a network operate under common monitoring policies and procedures,
the same procedures as described earlier in this chapter regarding evaluating, communicating,
and rectifying deficiencies must be carried out on a network-wide basis.

4.2.8.2 Complaints and Allegations


Complaints may be made by firm personnel, clients, or other third parties. The partner
supervising the investigation of the complaint should not be involved in the relevant
engagement.

HKSQC 1. Firm monitoring policies and procedures should provide reasonable assurance
that the firm deals appropriately with complaints and allegations that work performed by the
firm fails to comply with professional standards and applicable legal requirements, or with the
firm’s system of quality control. As part of this process, the firm shall establish channels for firm
personnel to raise concerns in a manner that enables them to come forward without fear of
reprisal (whistleblowing).

Quality Control Deficiencies


See Section 4.4.1 for a listing of deficiencies in auditor’s performance as reported to the IFIAR.

4.2.9 Summary of Quality Control Requirements


Exhibit 4.2 shows the overall framework for quality control considerations.


Audit Quality
• Quality auditors
• Quality processes
• Quality reports

Audit Firm QC
• Leadership
• Ethics
• Client acceptance
• Human resources
• Performance
  - EQCR
• Monitoring
• Documentation

Regulator
• FRC
• Law
• Inspection

Client
• Integrity
• Governance
  - Audit committee

Environment
• Litigation
• Culture
• Technology
• Business practice

Profession
• Education
• Inspection
• Standards
  - IAASB
  - IFIAR

EXHIBIT 4.2 Framework of quality control considerations

Key Learning Point


QC policies and procedures must be monitored to ensure the QC system is relevant,
adequate, and operating effectively. Relevance refers to adherence to professional
standards and the law.

Knowledge Check Questions

Question 3
Explain what a quality control system is and identify its elements.

Question 4
After accepting an engagement, an audit firm realises that they are not competent
to deal with some significant aspects of the client’s operation. Explain what the firm
should do.

Question 5
Describe the quality control policies that should be established regarding the assignment
of personnel to an audit engagement.

Question 6
Describe what an Engagement Quality Control Review is.



Question 7
List the criteria for the eligibility of an Engagement Quality Control Reviewer.

Question 8
You are the audit engagement partner for Yang Co, a company listed on the Hong Kong
Stock Exchange that operates clothing factories in mainland China. Explain your quality
control responsibilities regarding the performance of the engagement.

Question 9
Define the term monitoring (in relation to quality control). Identify the key monitoring
policies and procedures that should be included in an assurance firm’s system of
quality control.

4.3 DOCUMENTATION OF THE SYSTEM OF QUALITY CONTROL

HKSQC 1. The firm shall document evidence of the operation of each of the six elements of its
system of quality control. The extent of documentation depends on the size and complexity
of the firm and the number of offices. Policies should require retention of documentation
sufficient to permit the completion of monitoring procedures, or longer if required by
regulation.

Appropriate documentation includes, for example:

• Monitoring procedures, including the procedure for selecting completed engagements
to be inspected.

• Evidence of adherence to professional standards and applicable legal and regulatory
requirements.

• Complaints and allegations and the firm’s response.

• Identification of deficiencies noted, an evaluation of their effect, and the basis for
determining whether and what further action is necessary.

HKSA 220. Audit documentation should include:

• Issues identified with respect to compliance with relevant ethical and independence
requirements, and how issues were resolved.


• Conclusions reached regarding the acceptance and continuance of client relationships
and audit engagements.

• The nature and scope of, and conclusions resulting from, consultations undertaken
during the course of the audit engagement.

4.3.1 Engagement Quality Control Review Documentation


The audit EQC Reviewer must document that the firm’s EQCR procedures have been
performed, the EQCR was completed on or before the date of the auditor’s report, and the
reviewer is not aware of any unresolved matters indicating that the judgements made, and the
conclusions reached by the engagement team, were inappropriate.

4.4 CONFORMITY AND COMPLIANCE WITH INTERNATIONAL STANDARDS ON QUALITY CONTROL OVERVIEW

In the early 2000s, the Hong Kong Institute of Certified Public Accountants (HKICPA) decided
that Hong Kong standards should fully converge with international standards. HKICPA
developed due process for the successful convergence of Hong Kong Quality Control, Auditing,
Review, Other Assurance, and Related Services Pronouncements with the international
standards.

4.4.1 International Forum of Independent Audit Regulators (IFIAR)


The IFIAR is an international leader in audit quality matters.

Every year, the IFIAR convenes a meeting for member representatives to discuss
emerging regulatory issues, challenges facing the audit profession, and strategic
approaches to sustainable audit quality. The IAASB’s projects for the improvement of
auditing standards are to a large extent driven by the findings of the IFIAR’s annual survey
of member organisations.

This survey summarises the findings of audit inspections carried out by regulators in
member countries throughout the world. For example, see Section 4.4.2 of this chapter
regarding the project for the revision of the international quality standards ISQC 1 and ISA 220.
This project was driven by adverse findings reported by IFIAR members.

Significant deficiencies in audit quality noted in the most recently released IFIAR survey of
inspections of audit firms and audit engagements are summarised in Exhibit 4.3.


Audit Firms

Engagement Performance
• Insufficient engagement quality control review (EQCR); and
• Failure to establish and/or implement policies and procedures for
sufficient, timely engagement supervision and review.

Human Resources
• Non-compliance with the firm training and learning plan; and
• Failure to evaluate audit quality as part of partner performance
evaluation.

Independence and Ethical Requirements
• Failure to maintain independence due to the existence of financial
relationships;
• Failure to apply firm or partner rotation rules;
• Failure to monitor firm staff and partner personal independence;
• Failure to consider and evaluate threats created by non-audit (consulting)
services provided to issuer;
• Failure to implement a reliable system for tracking business
relationships; and
• Failure to communicate to the audit committee relationships that bear on
independence.

Monitoring
• Failure to analyse the root cause of deficiencies and to take remedial
actions; and
• Failure to identify audit performance issues.

Audit Engagements

• For Accounting Estimates, failure to assess the reasonableness of
management assumptions, including consideration of contrary or
inconsistent evidence.
• For Internal Control Testing, failure to obtain sufficient evidence to support
reliance on manual internal controls; and controls over data or reports
produced by management.

EXHIBIT 4.3 Deficiencies in audit quality (Source: IFIAR Survey of Inspection Findings 2018.)

Key Learning Point


IFIAR is the International Forum of Independent Audit Regulators. The IAASB’s projects
for the improvement of auditing standards are to a large extent driven by the findings of
IFIAR’s annual survey of national regulators’ inspection programmes.

Apply and Analyse 4


Review the opening case of China Foods Ltd and examine the audit deficiencies listed
in Exhibit 4.3. Identify those deficiencies that might apply to the CFL audit engagement.
(Assume that the audit firm was merely incompetent, and not complicit in the fraud.)

Analysis

Based on the limited information provided in the case, the following deficiencies might be
indicated in the CFL audit engagement.



Engagement Performance

• Insufficient engagement quality control review.

• Failure to establish and/or implement policies and procedures for sufficient, timely
engagement supervision and review.

• For internal control testing, failure to obtain sufficient evidence to support reliance
on controls over data or reports produced by management.

Independence and Ethical Requirements

With respect to CFL’s CFO:

• Failure to monitor audit firm staff and partner personal independence.

• Failure to implement a reliable system for tracking business relationships.

Monitoring

• Failure to identify audit performance issues.

4.4.2 Strengthening Regulation in Hong Kong – the Financial Reporting Council (FRC)

The FRC was established in 2006. Its role is:

• To conduct independent investigations into possible auditing or reporting irregularities
by auditors of listed entities.

• To enquire into possible non-compliance with accounting requirements by listed entities.

In 2013, consultants of the FRC carried out a study with the aim of identifying the key gaps
between Hong Kong and other IFIAR and European Commission (EC) equivalence requirements
and proposing possible approaches.

In 2019, the Financial Reporting Council (Amendment) Bill 2018 was enacted. When the
amendments take effect, the FRC will have new powers to inspect, investigate, discipline,
and oversee the HKICPA, thereby enhancing audit quality and investor protection in
Hong Kong.

Since 2013, some of the regulatory functions previously carried out by the HKICPA
have been taken over by the FRC, but, until now, the FRC’s powers have been limited. The
amendment bill addresses these limitations by empowering the FRC to sanction auditors.
Auditors who commit offences such as producing false working papers now face penalties
including jail terms of up to seven years, and fines of up to HK$10 million.

Key Learning Point


The Financial Reporting Council is a Hong Kong government body that investigates auditing
or reporting irregularities by auditors of listed entities. The FRC has recently been given
new powers to oversee the HKICPA, and to penalise auditors who commit offences.


4.4.3 Proposed Changes to the Quality Standards


The IAASB has proposed new standards to replace the International Standard on Quality
Control ISQC 1 with the International Standards on Quality Management (ISQM 1 and ISQM 2),
and to revise ISA 220. The new ISQM 1 focuses on the six existing quality control elements
discussed in ISQC 1 (see Section 4.2 of this chapter) and, in addition, risk assessment. ISQM 2
focuses on the role and responsibilities of the EQC Reviewer. The main changes in ISQM 1 (per
the Exposure draft) include:

• A new proactive risk-based approach to an effective system of quality management.

• Increasing firm leadership responsibilities and accountability, and improved firm
governance.

• Enhancing the standard to take into consideration the evolving and increasingly
complex environment, including addressing the impact of technology, networks, and
the use of external service providers.

• More rigorous monitoring of quality management systems and remediating deficiencies.

The main changes in ISQM 2 are:

• The eligibility criteria for EQC Reviewers; and

• Expanded EQC Reviewer performance and documentation requirements.

Changes to ISA 220 include:

• Highlighting the public interest role of audits, the appropriate application of
professional judgement and the exercise of professional skepticism.

• Clarifying the responsibilities of the engagement partner.

• Modernising ISA 220 for changes in audit delivery models and the use of technology.

• Clarifying the relationship between ISA 220 and the International Standards on Quality
Control/Management (the new ISQM 1 and 2).

Key Learning Point


The IAASB is currently undertaking a project to improve ISQC 1 and ISA 220. ISQC 1 will be
replaced with ISQM 1 and ISQM 2. ISQM 1 is focused on the elements of quality control,
and ISQM 2 on the EQCR.

Knowledge Check Questions

Question 10
List the advantages and disadvantages of regulation of the audit profession.

Question 11
Describe the way in which the new Hong Kong legislation relating to the FRC changes the
responsibilities of the FRC.


SUMMARY

Audit objective. The objective of an audit of financial statements is to form an opinion based
on evidence about the existence of material misstatements.

Quality audits. Users can only be confident that this objective has been achieved if a quality
audit has been performed.

Audit quality is supported by broader cultural factors which include:

• Technology;

• Practices of the business community; and

• The litigation environment.

Reporting supply chain. Audit quality is the responsibility of:

• The audit firm;

• The audit engagement partner;

• The Engagement Quality Control Reviewer;

and other parties in the reporting supply chain, including:

• Regulators and lawmakers;

• Professional associations at the national and international levels; and

• The management and board of the audit client.

Regulatory framework. Lawmakers, regulators, and the profession provide a framework of
laws, regulations, standards, and other guidance to govern and facilitate the auditor’s work.

Compliance. In order to ensure compliance with the regulatory framework, and to meet the
objective of an audit, audit firms must establish quality control systems as specified in HKSQC 1
and HKSA 220.

Elements. Both HKSQC 1 and HKSA 220 are structured around six elements of quality control
identified in HKSQC 1:

• Leadership;

• Ethics;

• Client acceptance and continuance;


• Human resources;

• Engagement performance; and

• Monitoring.

Each of these elements is dealt with at length in Section 4.2 of this chapter, and in Chapter 1
(ethics) and Chapter 3 (client acceptance and continuance).


Engagement performance. Sufficient appropriate evidence must be obtained to support the
conclusions reached, and for the assurance report to be issued. Engagement performance
includes three key activities:

• Supervision;

• Review; and

• Consultation.

EQCR. An EQCR provides an objective evaluation of the engagement team’s:

• Judgements made; and

• Conclusions reached.

The extent of an EQCR depends on engagement:

• Complexity; and

• Risk.

An EQCR is required for all audits of financial statements of:

• Listed entities; and

• Significant ‘public interest’ entities.

Monitoring. QC policies and procedures must be monitored to ensure the QC system is:

• Relevant;
• Adequate; and

• Operating effectively.

Relevance refers to adherence to professional standards and the law.

Improving the standards. Audit quality control is evolving. Projects are underway to revise
HKSQC 1 and HKSA 220 with the aim of:

• Improving audit quality; and

• Reducing audit failure.

This project is being undertaken by the IAASB in response to information about audit
deficiencies collected by the IFIAR from independent audit regulators in over 50 countries.

Improving regulation and oversight. Hong Kong has recently amended its regulation of
auditors. The FRC has been given new powers to inspect, investigate, discipline and oversee the
HKICPA, thereby enhancing audit quality and investor protection in Hong Kong.


MIND MAP

QUALITY CONTROL CONSIDERATIONS

QUALITY CONTROL CONSIDERATIONS
• Standards
  - HKSQC 1
  - HKSA 220
• Practice review
• Publications
• IAASB Framework

QUALITY CONTROL REQUIREMENTS
• Applying and Complying with Relevant Requirements
• Elements of a System of Quality Control
  - Leadership responsibilities
  - Relevant ethical requirements
  - Acceptance and continuance of client relationships and specific engagements
  - Human resources
  - Engagement performance
  - Monitoring

DOCUMENTATION OF THE SYSTEM OF QUALITY CONTROL
• HKSQC 1 Documentation
• HKSA 220 Documentation
• EQCR Documentation

CONFORMITY AND COMPLIANCE WITH INTERNATIONAL STANDARDS ON QUALITY CONTROL OVERVIEW
• International Forum of Independent Audit Regulators (IFIAR)
• Financial Reporting Council (FRC)
• Proposed Changes to Quality Standards

Answers to Knowledge Check Questions

Question 1
Professional associations include both national organisations like the HKICPA, and
international organisations like IFAC. The HKICPA ensures audit quality mainly through
their education programme for entry level accountants and members, through their
publication programme, and through their inspection programme. IFAC’s main role is the
production of the international standards governing accounting and auditing that form
the basis of most country’s standards. IFAC also collects information from audit regulators
throughout the world about deficient audit engagements and audit firms. This information
is compiled and used to guide the improvement of existing standards.

Question 2
High-quality audits reduce the audit risk of audit failure – the risk that the auditor’s opinion
will describe the financial statements as fairly stated when they contain material errors.
Higher quality audits will:
• Reduce the incidence of lawsuits against auditors;
• Improve the reputation of the audit profession;
• Reduce the agency problem in organisations by providing relevant, reliable, and
timely information to shareholders; and
• Increase the efficiency of markets.

Question 3
A quality control system is a set of policies and procedures designed to improve the overall
quality of a product. In the case of the audit, a QC system will reduce the incidence of audit
failure and so improve the reliability of the auditor’s opinion and report. The six elements
of QC are identified in HKSQC 1 and include:

1. Leadership responsibilities for quality within the firm.

2. Relevant ethical requirements.


3. Acceptance and continuance of client relationships and specific engagements.

4. Human resources.

5. Engagement performance.

6. Monitoring.

Question 4
The firm should consider ways in which their level of competence might be improved. Staff
training or the hiring of an auditor’s expert competent in areas where the firm is deficient
are possible options. If the firm believes that they are unable to achieve an acceptable level
of competence, they should consider withdrawing from the engagement.

Question 5
HKSA 220 deals with the ‘Assignment of Engagement Teams’. The engagement partner
must ensure the team has the competence and capabilities to perform the audit in
accordance with professional standards and legal and regulatory requirements, and that
an appropriate report can be issued. A competent engagement team should have:
• Practical experience with similar audit engagements and knowledge of the
client’s industry;
• Expertise with relevant IT and specialised areas of accounting or auditing;
• The ability to apply professional judgement; and
• Understanding of the firm’s QC policies and procedures.

Question 6
An EQCR provides an objective evaluation, on or before the date of the auditor’s report,
of the significant judgements made by the engagement team and their conclusions
reached in formulating the report. It is carried out by a senior auditor who is not otherwise
associated with the audit.

Question 7
To be eligible to carry out an EQCR, the reviewer should not be associated with the audit to
a degree to which it might compromise the reviewer’s objectivity, and should have:
• The technical qualifications required to perform the role; and
• The necessary experience and authority.

Question 8
As engagement partner for the Yang Co audit, your QC responsibilities include:
• The direction, supervision, and performance of the audit engagement are in
compliance with professional standards and applicable legal and regulatory
requirements.
• On or before the date of the auditor’s report, be satisfied that sufficient appropriate
audit evidence has been obtained to support the conclusions reached and for the
auditor’s report to be issued.


• Undertake consultation on difficult or contentious matters, and be satisfied that
members of the engagement team have undertaken appropriate consultation and
that conclusions resulting from such consultations have been implemented.
• Because Yang Co is a listed entity, ensure that an EQC Reviewer has been appointed.
Discuss significant issues with the EQC Reviewer. Do not date the auditor’s report
until completion of the EQCR.

Question 9
Monitoring is an ongoing process for the consideration and evaluation of the firm’s system
of QC. It should provide the firm with reasonable assurance that its system of QC is
operating effectively. Key monitoring policies include:
• The periodic inspection of engagements;
• Analysis of changes to professional standards and their appropriate application;
• Collecting evidence of compliance of personnel with independence policies;
• Assessment of the effectiveness of training programmes;
• Inspection of documentation of decisions regarding client acceptance and
continuance; and
• Review of corrective actions taken, and improvements made, to the QC system.

Question 10
Advantages of regulation.
• Where audit engagements and audit firms are deficient, independent regulation
can ensure that audit quality is upheld through the imposition of sanctions and
penalties.
• Standard setters like the IFIAR and the IAASB collect information from regulators
and use this to guide the development of programmes for the improvement of
standards.
Disadvantages of regulation.
• Regulation is costly.
• In some cases, the regulations being enforced may be deficient or
counterproductive.
• Regulators are subject to pressure from industry groups and the profession to
minimise their activities, and so may be ineffective or promote special interests at
the expense of the public interest.

Question 11
The FRC will be given new powers to inspect, investigate, discipline, and oversee the
HKICPA, thereby enhancing audit quality and investor protection in Hong Kong. Auditors
who commit offences in breach of the new law, such as failing to produce working papers
or producing false or misleading work, face severe penalties, including jail terms of up to
seven years or penalties of up to HK$10 million.


EXAM PRACTICE

QUESTION 1
FashBiz is a clothing manufacturer based in mainland China and listed in Hong Kong. Audit
Co is the FashBiz auditor. Li has been the audit engagement partner for five years and Ann
the audit manager for 10 years. Yang, another Audit Co partner, has been newly assigned as
the Engagement Quality Control Reviewer (EQC Reviewer). The audit engagement team has a good relationship with
the FashBiz management team.

During the year, the performance of FashBiz deteriorated significantly as FashBiz lost
several major customers. There is a risk of impairment of FashBiz’s fixed assets. However,
management and the audit engagement team agree that no impairment of fixed assets
should be recorded.

Required:

(a) Explain the differences in the roles and responsibilities of Li and Yang in FashBiz’s audit.

(b) In response to the facts and circumstances above, recommend what Yang should do to
discharge his responsibilities as the EQC Reviewer.

QUESTION 2
New Co is a company that is dually listed on the stock exchanges of both mainland
China and Hong Kong. Every five years, New Co is required to change its auditor. Your
accounting firm has been approached to act as the auditor of New Co for the year ending
31 December 202X.

Required:

Describe the procedures that you should perform before accepting New Co as an audit client.

QUESTION 3
You have recently been assigned to lead the audit team on the audit of Wing Ltd. It has
become apparent that last year’s audit was deficient. That audit had been carried out by a
single auditor who had left your audit firm following that engagement. It appears that the
auditor recorded work that was not carried out. Non-existent documents were referenced,
and audit findings are inconsistent with your understanding of Wing Ltd’s business.

Required:

(a) Describe the quality control deficiencies of this situation.

(b) Explain how the situation described above could have been avoided.

ANSWERS TO EXAM PRACTICE

QUESTION 1
(a) As the audit engagement partner, the full responsibility for the overall quality of
the FashBiz audit engagement falls on Li. The importance of audit quality should be
emphasised to the audit engagement team in the following ways:

• Complying with the quality control policies and procedures of Audit Co;

• Performing work in compliance with professional, regulatory, and legal requirements;

• Issuing an appropriate auditor’s report for the circumstances; and

• Allowing the audit engagement team to raise issues without fear of reprisals.

Li and Yang should discuss significant matters and ensure the audit report is not issued
until the quality control review has been completed and any contentious matters resolved.

Yang has responsibility for the following:

• Reviewing the proposed auditor’s report and the financial statements;

• Discussing any significant matters with Li;

• Reviewing selected audit documentation relating to the significant judgements the
audit team made and the conclusions reached; and

• Evaluating the conclusion reached for compiling the auditor’s report.

Since FashBiz is a listed company, Yang should also consider the following:

• Whether appropriate consultation has taken place on matters involving differences
of opinion or other difficult or contentious matters, and the conclusions arising
from those consultations;

• The audit engagement team’s evaluation of the firm’s independence in relation to
the audit engagement; and

• Whether documentation selected for review reflects the work performed in relation
to the significant judgements, and supports the conclusions reached.

(b) As FashBiz is a listed company, Yang should consider the following facts and
circumstances:

(i) Independence. Whether the engagement team has formed an appropriate
judgement on the firm’s independence in relation to FashBiz. As Li has only been
working on the audit engagement for five years, he is not subject to the rotation
requirement. However, he and Ann maintain a very good relationship with the
management team. Yang should remind the audit engagement team to thoroughly
assess the audit engagement team’s familiarity threat and whether there is a need
to reconsider the team mix. The audit engagement team should thoroughly document
their consideration and conclusion regarding independence.

Yang should review the relevant assessment documented by the audit
engagement team and review its correspondence with those charged with
governance on such matters (e.g. relevant discussion in the Audit Committee report).

(ii) Fixed asset impairment. For any significant accounting and auditing matter, Yang
should ensure the team has considered all the relevant facts and circumstances,
and that significant audit evidence and conclusions are properly documented.
Yang should:

• Discuss with the audit team their review of management’s assessment of
fixed asset impairment and audit evidence obtained that supported the audit
engagement team’s conclusion.

• Review the auditor’s report and financial statements to ensure relevant and
sufficient disclosure relating to the fixed asset impairment has been made.

• Ensure the audit engagement team has sufficient communication with those
charged with governance (e.g. the Audit Committee) about the fixed asset
impairment.

QUESTION 2
The incoming auditor can perform the following procedures before accepting New Co as its
audit client:

Review New Co’s previously published financial statements and other relevant information
regarding managers or directors’ reputations to determine if there have been integrity
problems in the past.

Consult the prior auditors to ensure that there are no reasons behind the vacancy that the
new auditors should know.

Evaluate New Co’s competence to perform the engagement and whether they have the
capabilities, time, and resources to do the engagement.

A different financial reporting framework may be required since New Co is a dual-listed
company in mainland China and Hong Kong. If an overseas regulatory requirement is
relevant, the incoming auditor should assess if he or she has the expertise to carry out
the audit of New Co. In addition, he or she should ensure that the audit can be carried
out without any legal barriers, e.g. the requirement for a professional qualification in
mainland China.

Comply with relevant ethical requirements. The incoming auditor should ensure that there
are no independence issues that are a barrier to accepting this audit client. For example,
a business relationship between the auditor and New Co may create a self-interest threat.

Request a copy of the letter of resignation or termination and any correspondence issued
by the last auditors of New Co. If New Co refuses to send the incoming auditor the letter of
resignation/termination, the auditor should decline the nomination.

QUESTION 3
(a) The audit firm has failed in its ‘engagement performance’ responsibilities. In particular,
the firm has failed to properly supervise and review the auditor’s work. The QC system
is clearly deficient and the senior personnel responsible for the QC system need to
investigate whether this is an isolated incident, or systematic. If systematic, the QC
system needs revision and improvement. In either case, the individuals responsible
for this lapse should be disciplined or should undertake additional training as to their
engagement performance responsibilities.

Where monitoring procedures indicate that an engagement report may be
inappropriate or that procedures were omitted during the performance of an
engagement, the firm should obtain legal advice.

(b) A properly functioning system of QC consistent with HKSQC 1 and HKSA 220 would have
ensured that supervision and review of engagement performance had been undertaken
in an appropriate and timely manner. In particular, timely monitoring procedures would
have identified the deficiencies in the audit work before the completion of the audit.

In this context (monitoring), the engagement partner was deficient in their work.
The work of the auditor should have been reviewed by the partner assigned to the
engagement both at the planning stage and before the signing of the audit report at the
very least. The engagement partner is ultimately responsible for engagement quality.

5 Planning and Risk Assessment

CHAPTER TOPIC LIST

5.1 Planning an Audit
    5.1.1 Audit Strategy and Audit Plan
5.2 Planning Documentation Development
    5.2.1 Preliminary Engagement Activities
    5.2.2 Planning Activities
5.3 Gaining Initial Understanding of the Entity and Its Environment, Including the Use of Preliminary Analytical Review Procedures
5.4 The Entity’s Business Model
    5.4.1 Organizational and External
    5.4.2 Financial Performance
    5.4.3 Financial Reporting Framework
    5.4.4 System of Internal Control
    5.4.5 Audit Strategy
    5.4.6 Information Sources for Obtaining an Understanding
    5.4.7 Entity Level
    5.4.8 Industry Level
    5.4.9 Economy Level
5.5 Audit Risk Components
    5.5.1 Inherent and Control Risk
    5.5.2 Detection Risk
5.6 Risk Assessment Procedures and Related Activities
    5.6.1 Understanding the Entity and its Environment
    5.6.2 Internal Control and Control Environment
    5.6.3 Impact of Fraud and Misstatement on Audit Planning Considerations
    5.6.4 Consideration of Laws and Regulations in an Audit of Financial Statements
5.7 Materiality
    5.7.1 Setting Materiality Limits
    5.7.2 Relationship to Relevance in Financial Reporting
5.8 Audit Methodologies
    5.8.1 Risk-Based Auditing
    5.8.2 Top-Down Auditing
    5.8.3 System-Based Auditing
    5.8.4 Systems Audit
    5.8.5 Balance Sheet (Statement of Financial Position) Approach
    5.8.6 Transaction Cycle Approach
    5.8.7 Directional Testing
    5.8.8 Performance of Different Audit Methodologies


LEARNING OUTCOMES

PRINCIPAL LO1: PERFORM ASSURANCE ENGAGEMENTS


LO1.04: Prepare, plan and develop assurance engagements including the audits of financial
statements in accordance with relevant Hong Kong Standards of Quality Control,
Auditing, Assurance and Related Services, guidance and legislation with emphasis on:
Planning and Risk Assessment
1.04.01 Explain the need for planning an audit, the overall audit strategy and the audit plan and their
relationship
1.04.02 Develop the planning documentation including the audit strategy memorandum for a
given scenario
1.04.03 Apply knowledge to demonstrate how auditors obtain an initial understanding of the entity
and its environment, including the use of preliminary analytical review procedures
1.04.04 Explain the components of audit risk
1.04.05 Evaluate the entity’s significant risks of material misstatements at the financial statement
and assertion levels
1.04.06 Identify significant account balances, classes of transactions and presentation and disclosure
1.04.07 Determine the effect of fraud and misstatements on audit planning and work
1.04.08 Explain the effect of laws and regulations, and non-compliance on audit planning and
procedures
LO1.06: Prepare, plan and develop assurance engagements including the audits of financial
statements in accordance with relevant Hong Kong Standards of Quality Control,
Auditing, Assurance and Related Services, guidance and legislation with emphasis on:
Materiality
1.06.01 Apply materiality in the context of financial reporting and auditing
LO1.08: Prepare, plan and develop assurance engagements including the audits of financial
statements in accordance with relevant Hong Kong Standards of Quality Control,
Auditing, Assurance and Related Services, guidance and legislation with emphasis on:
Audit Methodologies
1.08.01 Summarise the key features of the following audit methodologies:
• Risk-based auditing
• Top-down auditing
• System-based auditing
• Systems audit
• Balance sheet approach
• Transaction cycle approach
• Directional Testing
1.08.02 Analyse the cost and performance efficiency of different audit methodologies

OPENING CASE

HWA LTD – PLANNING THE AUDIT ENGAGEMENT

HWA is a listed public company that manufactures components for the IT industry. The
company has been operating for three years and has been profitable during that period.

HWA’s customers are all domestic and it has several short-term contracts with significant
manufacturers of IT equipment and mobile phones.

The management is highly regarded in the industry and the company has a reputation of
being well managed. Management is well remunerated, including a generous share bonus plan
based on a specified return on total assets. The company’s share price has been steadily rising
with a consistent dividend stream and a strong demand for the shares.

The company’s technical staff have a strong reputation for being technically competent and
progressive and are supported by good research and development funding.

You have been the audit partner of HWA since its inception and have not had any
significant audit issues during that time. Your assessment of the internal control systems in the
past has allowed you to take an audit approach that places a heavy reliance on those systems
and performs minimal substantive procedures.

To date, the company has not sought any other services from your audit firm.

Your engagement team over the three years has changed. This year’s team will include a
new audit manager and two new junior staff members.

OVERVIEW

A financial report audit has been described in Chapter 1 as a systematic process of objectively
obtaining and evaluating evidence about the assertions in financial statements with the
objective of providing reasonable assurance that enhances the credibility of those statements.

An efficient and effective audit requires adequate planning, the nature and extent of
which varies according to the size and complexity of the audit client and the auditor’s previous
experience with the client.

While planning is a process that continues throughout the audit engagement and must
react to changing circumstances during the audit, the auditing standards outline requirements
that are to be undertaken at the commencement of that process. This chapter explains those
requirements and their objectives.

The audit process under auditing standards is primarily a ‘risk-based’ methodology
requiring the auditor to obtain an understanding of the client and its environment in order to
identify the areas in the financial statements and the underlying financial statement assertions
that are at risk of material misstatement. This methodology is focused on ensuring that the
audit is directed towards the areas of significance in the client’s financial statements.

This chapter focuses on the steps involved in implementing this approach and the matters
to be considered in identifying the risks of material misstatement at the initial planning phase
of the audit.

Planning commences with a decision as to whether the auditor should accept a new client
or continue the ongoing relationship with an existing client.

The process then proceeds to the gaining of an understanding of the client and its activities
so as to develop an overall audit strategy, with a detailed audit plan to implement that
strategy. This involves the engagement partner and key members of the engagement team
using their experience and insights to develop an efficient and effective planning process,
including discussions with other team members. Much of the information about the client and
its business is obtained through discussion with management and other client staff involved in
the financial reporting process.

Developing a strategy requires consideration of the level of acceptable audit risk, being
the risk of issuing an inappropriate opinion. This consideration forms part of the audit process,
as do the judgements about materiality, in determining the nature, timing, and extent of
audit procedures necessary to obtain sufficient appropriate audit evidence on which to base
an opinion.

5.1 PLANNING AN AUDIT

In Chapter 1, financial statement auditing was identified as a systematic process to gather
sufficient appropriate evidence on which to form a conclusion and express an opinion on
whether an entity’s financial statements are prepared and presented in accordance with the
applicable financial reporting framework.

The objective was stated as being to enhance the degree of confidence that users have in
the financial statements to assist their decision-making.

To operationalise this concept, and to conduct an efficient and effective audit, the
process involves planning and the development and implementation of an audit strategy
(the audit judgement about scope and approach to be taken in the audit, based on an
understanding of the client and its environment) and audit plan (the documented plan for
the nature, timing and extent of specific audit procedures to implement the strategy).

HKSA 300 Planning an Audit of Financial Statements identifies the following benefits of
planning to the audit:

• Giving appropriate attention to important areas of the audit.

• Assisting with identifying and resolving potential problems on a timely basis.

• Properly organising and managing the audit.

• Selecting an engagement team that has the appropriate levels of skills and competence
to respond to anticipated risks, and properly assigning tasks to them.

• Directing and supervising engagement team members and reviewing their work.

• Coordinating the work of component auditors and experts.


The first phase of the audit planning process is to apply the provisions of HKSA 220 Quality
Control for an Audit of a Financial Report and Other Historical Information and to evaluate
whether:

• To accept an entity as a new audit client.

• To continue to provide audit services to an existing client.

This step in the process of client acceptance or continuing an audit relationship also
includes evaluating the auditor’s compliance with the professional ethical standards, including
independence.

In a recurring engagement, the auditor has the benefit of previous knowledge and
experience with that client, which provides an ongoing basis for the audit strategy and plan.

In an initial audit engagement, the auditor does not have the same level of knowledge and
understanding of the client and its business and systems. Planning for an initial engagement
therefore involves additional steps as compared with a recurring engagement. For example,
the auditor should communicate with the previous auditor to identify any relevant issues and
obtain an understanding of the client and audit approach, and, if possible, review that auditor’s
working papers.

The next step in the process is issuing an engagement letter as required by HKSA 210
Agreeing the Terms of Audit Engagements to ensure that the terms and scope of the engagement
are understood.

The planning process involves a discussion between the engagement partner and key
members of the audit team to take advantage of their experience and expertise and ensure
that the strategy and plan are effective and efficient. For example, the engagement team should
use their knowledge of the client to discuss the areas for potential material misstatement in
the financial statements. The outcome of these discussions is then communicated to other
members of the engagement team.

The auditor should also include discussions with management and the audit committee in
gaining an understanding of potential issues, but it must be remembered that the audit scope
remains the sole responsibility of the auditor. Any discussions with management should not
be at a level that would compromise the effectiveness of the audit; for example, they would not
involve any discussion as to the nature, timing, and extent of detailed audit procedures
that would make them predictable to the client.

As the client’s audit committee has oversight of the financial reporting and auditing
activities within an entity, the auditor will generally advise the committee of the broad strategy
to facilitate the coordination of the audit fieldwork and audit process with the client.

In addition to the above, the professional requirements for implementing an audit planning
process are found primarily in the following auditing standards:

• HKSA 315 (Revised 2019) Identifying and Assessing the Risks of Material Misstatement

• HKSA 320 Materiality in Planning and Performing an Audit (June 2017)

• HKSA 330 The Auditor’s Responses to Assessed Risks (June 2017)

From these requirements, the planning process can be summarised as comprising the
following steps:

• Understanding the entity and its environment

• Understanding the applicable financial reporting framework and the entity’s
accounting policies

• Understanding the entity’s system of internal control

• Identifying and assessing the risk of material misstatement

• Developing a response to assessed risks

More details in relation to each of these steps will be considered throughout this chapter.

While the generic planning process for developing an overall audit strategy and plan is
standardised through the requirements of the above-mentioned HKSAs, the strategy and
plan are specific to the individual entity’s circumstances. For example, the size of the entity, its
governance structures, the complexities of its business and operating environments, IT systems,
and accounting and internal control systems will have an impact on the strategy and plan.

The planning process is continuous throughout the audit, and generally commences early
in the financial reporting period. The audit strategy and plan are dynamic in nature. They are
to be reviewed and revised as the audit progresses if conditions change or the results of audit
procedures produce unexpected results.

In summary, audit planning involves developing an audit strategy that establishes the
scope and direction of the audit. The strategy in turn governs the development of the detailed
audit plan, which documents the nature, timing, and extent of the audit procedures to obtain
sufficient appropriate audit evidence on which the audit opinion and report are based.

Apply and Analyse 1


As the audit partner, you are about to start planning for the current year’s audit of
HWA Ltd. Your new junior staff members ask when they can attend the client premises
and start the audit fieldwork testing. Some are keen to have the chance to perform certain
audit procedures to improve their knowledge. Explain what your response would be.

Analysis

You should advise these members of the engagement team that before any fieldwork
occurs you must be satisfied that the pre-conditions for audit exist and that it is
appropriate to continue the relationship with the client, and to then meet with the client
management to develop an audit strategy and plan.

You should explain that you have to be satisfied that nothing has occurred since the
completion of the last audit that would indicate any concerns with the integrity of
management, any issues with ethical requirements (including independence, given the
change in the engagement team or other circumstances), any doubt as to whether the staff
resources are adequate and competent to deal with the client in the industry in which it
operates, or any other issues that may indicate that it would be inappropriate to continue
with the engagement.

In addition, you would indicate that you have to decide whether a new engagement
letter is needed to ensure that management understands their responsibilities and
the terms of the engagement. To do this you need to consider whether there has been
any change in management, whether the client is seeking to change the terms of the
engagement, any changes in the nature and size of the business, or new regulatory or
reporting requirements.

You should also indicate that an audit strategy and plan will be needed to begin, and
they will specify how the audit will proceed. You should caution them that learning to be an
auditor is not just about learning how to apply audit procedures.

5.1.1 Audit Strategy and Audit Plan


As indicated, the overall audit strategy sets the scope, timing, and direction of the engagement
and provides the foundation for the development of the more detailed audit plan and specific
audit procedures. (The audit plan is often referred to as the ‘audit programme’. The term ‘audit
plan’ will be used in this chapter.)

HKSA 300 indicates the matters that must be addressed in developing the overall audit
strategy and includes a detailed list of matters that could be considered. You should refer to
HKSA 300 Appendix ‘Considerations in Establishing the Overall Audit Strategy’ for an extensive
listing of specific matters that could affect the audit strategy.

The following are the broad matters that need to be addressed and some selected
examples of the relevant factors to be addressed:

• The characteristics of the audit engagement that define its scope, such as the required
financial reporting framework, industry-specific reporting requirements, and the entity
structure in terms of the existence and location of subsidiary companies, branches, or
divisions.

• The timetable for the various phases of the audit fieldwork, which usually occur in
identifiable steps throughout the financial reporting period, and the proposed reporting
of interim and final results and communications with management.

• The auditor’s judgement in relation to factors governing the focus of the audit team’s
activities; for example, identifying material classes of transactions and account
balances, identifying areas of potential high risk of material misstatement, as well
as the impact of the assessed risk of material misstatement at the overall financial
statement level and how these affect the audit process. Also to be considered is an
initial consideration of factors that influence the extent to which the auditor may place
reliance on the entity’s accounting and internal control systems and the testing thereof
in the audit process, including the internal audit function.

• The results of preliminary engagement activities identified in HKSA 220 and, where
applicable, knowledge obtained by the engagement partner in the provision of other
services to the entity.

• The nature, timing, and extent of resources required, for example selecting an
engagement team with the appropriate experience and assigning work in the areas
of higher risk of material misstatement to more senior staff, and considering whether
specialists will be required because of the nature of some transactions and account
balance calculations, such as an actuary for the calculation of employee entitlement
provisions.

As an illustration, following the initial planning phase, the audit strategy could fall at
either end of the strategy spectrum. If the initial audit judgement based on the preliminary
assessments of the entity’s internal control system, materiality, audit risk, and the evidence
required to form the opinion is that the entity’s accounting and control systems are likely to
be effective, then the strategy would be to emphasise a controls-based audit approach. This
would consequently lead to less reliance on extensive substantive testing of transaction details,
accounts, and balances, and to a strategy of obtaining a detailed understanding of the internal
control system and extensively testing the effectiveness of that system.

If, however, the initial assessment is that the accounting and internal control systems are likely
to be ineffective, the strategy would be to adopt a more substantive-based approach relying on
extensive tests of details, accounts, and transactions and analytical procedures to gather sufficient
appropriate audit evidence. An audit must always involve some level of substantive testing. Thus,
even in a controls-based approach, there will be a combination of controls testing and substantive
testing and the strategy should indicate the balance between the two approaches.

There are several differing audit methodologies available to an auditor. The strategy will
also determine whether the audit approach is to be ‘risk-based’, ‘top down’, ‘system-based’,
or a ‘balance sheet’ or ‘transaction cycle’ model. The auditing standards prescribe a
‘risk-based’ methodology, but within that the other methodologies can be integrated to achieve
the strategy. In some cases, the engagement circumstances may warrant the application of a
combination of these approaches. These will be explained further in Section 5.7.

Having established the broad audit strategy, the auditor implements this strategy through
the development of the audit plan, which specifies in detail the nature, timing, and extent of
the audit procedures to be undertaken during the audit in each area of the financial statement
account categories, such as inventory, accounts receivable, fixed assets, accounts payable, loan
liabilities, and shareholders’ equity.

If the strategy was that the audit needed to be heavily reliant on evidence from substantive
testing, the audit plan would detail the nature, timing, and extent of the specific audit
procedures to be applied at the assertion level for each account balance.

If the initial assessment was that the internal control system was strong and able to be
relied upon to produce reliable financial information at the assertion level, the development
of the plan requires that the auditor gain a deeper understanding of the entity’s accounting
system and controls. For example, the extent of IT processing and the extent to which the
system may be automated to initiate, record, and process transactions would be reflected
in the audit plan emphasising the detailed procedures to test that system to ensure that it is
operating as expected and is effective.

The procedures specified in the audit plan are directed at providing audit evidence to draw
reasonable conclusions on which to base the auditor’s opinion. Following on from the audit
strategy, the procedures include:

• Tests of controls (assuming the initial assessment is that reliance can be placed on
internal controls).

• Substantive procedures, including tests of account balances, transactions, and
analytical procedures applied at the assertion level.

HKSA 500 Audit Evidence (June 2017) identifies the following procedures:

• Inspection of records, documents, or physical items.

• Observation of the performance of processes or procedures, including the performance
of control procedures.

• External confirmation in writing from third parties.

• Re-calculation for mathematical accuracy.

• Re-performance by the auditor of controls originally performed as part of the client’s
internal controls.

• Analytical procedures and investigation of any fluctuations or departures from expected
financial statement relationships or values.

• Inquiry of personnel internal and external to the entity.

The audit plan would specify the combination of these procedures and the extent and
timing of these procedures, while recognising that information may only be available at discrete
points in time where client activities occur only at certain times during the financial period (for
example, the auditor’s observation of the client’s physical inventory count).

In effect, the audit plan documents the auditor’s response to the risks identified during the
process of obtaining information about the client and developing the audit strategy. HKSA 330
The Auditor’s Responses to Assessed Risks requires the auditor to design and implement an
overall response to the assessed risk at both the financial statement and assertion levels.
The response is to be in the form of tests of controls, where appropriate, and substantive
procedures to obtain sufficient appropriate audit evidence regarding the assessed risks.

In summary, the audit strategy is the initial audit judgement as to the scope and broad
approach to be taken during the audit process, based on an understanding of the entity and its
business. It involves a preliminary assessment of materiality, the risk of material misstatement
at the financial statement level, an understanding of the accounting and internal control
system, and the requirements for obtaining sufficient appropriate audit evidence. The audit
plan then operationalises the strategy by detailing the nature, timing, and extent of the specific
audit procedures to be applied at the financial statement assertion level.

Exhibit 5.1 shows an overview of the planning through the audit process.

PLANNING
• Audit preconditions
• Understanding the entity and its environment
• Internal controls
• Risk assessment of material misstatement

Audit Strategy
• Overall audit scope, audit approach and methodology to be applied to address risks
of material misstatement at the financial report level

Audit Plan
• Audit programme: setting out nature, timing and extent of specific audit procedures
to implement audit plan and detect material misstatements at the assertion level

INTERIM
• Testing effectiveness of internal controls and business processes
• Initial substantive testing

Ongoing review of Audit Plan

FIELDWORK
• Tests of detail of transactions and balances and substantive analytical procedures on
final financial statement results

Review and completion
• Final review of financial statements and audit working papers

Audit opinion

EXHIBIT 5.1 Audit process – the role of planning


Knowledge Check Questions

Question 1
Identify which of the following is normally used to communicate the responsibilities of the
auditor and client.
A Audit strategy
B Audit plan
C Engagement letter
D Meeting with the client

Question 2
Identify which of the following factors is not relevant to the auditor’s consideration as to
whether to accept a new engagement or continue with an existing client relationship.
A The integrity of management.
B The likelihood that the client may subsequently require other services from the
audit firm.
C The engagement team’s knowledge and skills relevant to undertaking the audit.
D Whether the audit firm can comply with relevant ethical requirements.

Question 3
Identify which of the following is true of adequate planning.
A It leads to a reduction in the audit fee.
B It reduces the level of substantive testing of account details and transactions.
C It ensures that the audit addresses significant areas of the audit and areas of potential
risk of material misstatement.
D It allows management to be involved in all areas of the audit process.

Question 4
Identify which of the following primarily determines the nature, timing and extent of audit
procedures necessary to obtain sufficient appropriate audit evidence on which to base the
audit opinion.
A The audit plan
B The audit strategy
C Auditing standards
D The auditor’s judgement


5.2 PLANNING DOCUMENTATION DEVELOPMENT

The requirement to document the planning and conduct of an audit is a fundamental principle
of auditing. HKSA 230 Documentation (June 2017) states:

The auditor shall prepare audit documentation on a timely basis.

Documentation is defined as the record of audit procedures performed, relevant audit
evidence obtained, and conclusions the auditor reached. It is often referred to as audit
‘working papers’ and can be developed and kept in paper, electronic, or other media form.
This documentation evidences the auditor’s basis for the audit report and that the audit was
planned and performed in accordance with professional auditing standards and any legal or
regulatory requirements.

Documentation also assists the engagement team’s planning and conduct of the audit and
facilitates the supervision and review of work completed during the engagement for quality
control during the audit process. It also provides the material necessary for firms to meet
their responsibilities for quality control review and inspections under the firm’s overall quality
control programme or for any external inspections required under legislation.

The documentation is to be of a quality that would enable an experienced auditor not
involved in the audit to understand:

• The nature, timing, and extent of procedures undertaken in accordance
with auditing standards.

• The results of the audit procedures and the evidence obtained.

• The significant matters dealt with during the audit.

• The matters on which audit judgements were required.

• The conclusions reached during the audit.

The workpapers should be prepared on a timely basis; that is, contemporaneously as the
audit work is undertaken. This allows the review process in relation to the evidence obtained
and conclusions reached at various stages of the audit to be undertaken, and the audit plan
and process to be updated as necessary, during the course of the audit. It is also important
that all relevant matters are documented so that the audit evidence and conclusions can be
reviewed prior to finalising the audit report.

The nature and extent of documentation is a matter for professional judgement in the
specific engagement circumstances. HKSA 230, paragraph A2, identifies the following factors
that determine the form, content, and extent of audit documentation:

• Size and complexity of the entity.

• Nature of the audit procedures performed.

• The risk of material misstatement identified.

• The significance of the audit evidence obtained.


• The nature and extent of exceptions identified.

• The audit methodology and tools used during the audit.

For example, the documentation for the audit of a smaller entity will be less extensive than
for a larger entity. The nature and extent of the entity’s IT systems will also affect the nature
and extent of the audit documentation, as will the extent to which audit software is used
during the audit process. Many audit firms have special audit software for preparing audit
documentation.

The following are examples of audit documentation:

• Planning memorandums and checklists.

• Audit programmes.

• Analyses and summaries of significant issues.

• Engagement budgets and staffing requirements and allocations.

• Audit fee calculations.

• Checklists.

• Correspondence.

• Abstracts or copies of client records.

• Reviews of the work of internal audit or experts used during the audit.

The fundamental principle for documentation is specifically reiterated in the auditing
standard on planning. HKSA 300, paragraph 12, requires documentation of:

• The overall audit strategy.

• The audit plan.

• Any significant changes to the strategy or plan made during the audit and the reasons
for those changes.

5.2.1 Preliminary Engagement Activities


As indicated, the initial phases of planning involve acceptance or continuance of audit
engagements and agreeing the terms of the engagement. In both cases the requirement for
documentation is applied.

In relation to client relationships, the documentation must include:

• How any issues relating to compliance with ethical standards were resolved.

• The basis for the conclusion that the independence requirements have been met.

• The conclusions reached regarding acceptance and continuance.

When applied specifically to client acceptance and continuance, this involves
documentation that the pre-conditions for an audit outlined in HKSA 210 have been complied
with. The documentation should include:

• The basis for the auditor’s assessment that the financial reporting framework to be
applied in the preparation of the financial statements is acceptable.


• Evidence that management has acknowledged its responsibility for the preparation
of the financial statements in accordance with the appropriate financial reporting
framework that is free from material misstatement, and for the accounting and internal
control systems supporting the preparation of those financial statements.

• Evidence that the auditor is satisfied that access will be given to all information available to
management in preparing the financial statements, any additional information requested
by the auditor will be provided and access to entity personnel will not be impeded.

This documentation evidences compliance with HKSA 220 in ensuring that the client
relationship is appropriate and that there is a sound basis for the audit to be properly
conducted and to comply with professional standards.

Similarly, the audit engagement letter is part of the planning documentation process.
HKSA 210 requires that the auditor agree the terms of the engagement with those charged
with governance/management (the term management will be used throughout this chapter) in an
engagement letter or other form of written agreement.

The letter includes the objective and scope of the audit, the responsibilities of both the
auditor and management, and identifies the applicable financial reporting framework and
details of the reports to be issued.

This document is sent by the auditor to the client requiring a copy signed by management
to be returned to the auditor. This document is prepared and provided for the client after the
pre-conditions for the audit have been satisfied and confirms the common understanding
of the engagement terms. It effectively documents the outcome of these deliberations and
establishes them in a contractual sense with the client management and becomes part of the
audit workpapers.

5.2.2 Planning Activities


5.2.1.1 Overall Audit Strategy

When applied to the development of the overall strategy, the documentation requirements
reflect the process outlined above, for example, documenting the discussions with engagement
staff and management, and the basis for the judgements in relation to materiality, internal
control, the combination of control testing and substantive testing, timing, and assessment
of the risk of misstatement.

The outcome of this process is generally a strategy memorandum that summarises the
strategy and approach to be taken in developing the audit plan.

The strategy memorandum will be developed based on the specific entity circumstances
but will generally include narrative covering the following matters:
• Confirmation of the pre-conditions for the audit. A statement is produced that is based
on a review of the relationship with the client entity and audit firm policies and shows
that the professional independence and other ethical requirements have been met and
that there are no issues with management integrity that may impact the auditor’s ability
to continue the engagement. It would also include confirmation that the client has been
advised and understands the terms of the engagement. Details of any other services
provided to the client would be disclosed.


• The scope of the audit work is defined in terms of the financial reporting framework
that provides the criteria for measuring and evaluating the financial statements and
the nature and objective of the reporting obligations. This would include details of the
financial reporting framework applicable to the financial statements being audited;
for example, the Hong Kong financial reporting standards and any other mandated
statutory, industry, or legal reporting requirements. This would also identify any
significant changes in these reporting requirements during the reporting period or in an
ongoing client relationship, as well as changes since the prior audit.

• The key judgements as to the significant risks identified in terms of potential material
misstatements in the financial statements, whether due to fraud or error, and the audit
approach to mitigating those risks. This would summarise the outcome of the meetings
with management to gain an understanding of their view of the business and financial
reporting risks as compared with the auditor’s preliminary knowledge obtained
during the process of obtaining an understanding of the client and its business (for
example, information in relation to the entity’s operating structure, including the
number and location of components and, where applicable, the relationship between
parent and subsidiary entities and changes in the entity’s business operations and key
management). Details of significant business developments impacting
the entity, including changes in IT, key management, any business acquisitions or
divestments, and changes in the legal and industry environment affecting the entity,
would also be documented.

• The nature of the evidence to be obtained in key areas of the financial statements and
any indications of potential restrictions that may arise. In an ongoing audit situation,
this includes the expected use of audit evidence obtained from the prior audit period;
for example, evidence relating to risk assessment procedures and tests of controls, the
nature of identified deficiencies and evidence of the actions taken to address them.

• The nature of the audit methodology to be applied; for example, the combination
of tests of controls and substantive procedures in the context of a risk-based,
systems-based, or other approach. In the case of a risk-based approach, where the audit focus is on
aspects of the business that have a higher risk of material misstatement (such as those
affected by management judgement and estimation, application of new or amended
reporting requirements, changes in operations or where material errors have been
found in the past) these would be identified and the planned response outlined. For
example, management override of controls may be identified as a significant risk in
relation to fraud and judgement issues. The planned response could be identified as
more extensive procedures to be applied to material accounting estimates and journal
entries and the review of unusual or significant transactions outside the normal course
of business.

• Where a risk-based approach is to be applied, details are needed as to the transactions
and balances based on prior year audit work and/or a preliminary assessment of
controls and the extent to which the controls are to be tested and reliance placed.
There should be identification of areas where controls are not appropriately designed
or where it is determined to be more efficient to take a substantive approach to testing.

• The preliminary identification of significant and material classes of transactions,
account balances and disclosures and an indication of the preliminary overall and
performance materiality levels, the basis of their determination, and the factors that
team members need to continuously monitor as to their ongoing appropriateness.
This would include details of any potential significant risk areas where materiality may
need to be set specifically for a financial statement account; for example, senior employee
remuneration may be given a specific materiality level different to the overall level.

• The use of experts. For example, one of the areas of significant risk of material
misstatement may be pension liabilities based on estimates and judgements and
actuaries engaged by the client to assist in their calculation. The memorandum
would outline the nature and extent to which the auditor would engage or use their
own actuarial experts to provide assurance as to the work of the client’s actuary.
Other auditors may be involved where a parent subsidiary structure is involved and
information as to the relationship between the auditors would be included, such as the
basis for assessing the work of the other auditor and the timing of any meetings and
reporting arrangements.

• The relationship with internal audit and the nature and extent of any reliance on the
work of internal audit and the review and testing of that work. This could include
details of the specific areas of the controls and/or financial statements on which
reliance will be placed, the nature and extent of the testing, and the projected timing of
that work by the external auditor.

• The nature, extent, and timing of IT resources required in both the controls testing and
substantive testing processes where applicable.

• The structure and composition of the engagement team in terms of the quantity of
resources and the required competencies and experience, and the assignment of those
resources to areas of the audit commensurate with those attributes. This includes
specifying the assignment of appropriately experienced team members to areas where
there may be higher risks of material misstatement.

• The timetable for the various phases of the audit, including key communication
dates and the parties involved. This would be a schedule of proposed meetings with
management and the audit team concerning such matters as the availability of client
data and personnel necessary for the audit and the expected dates for the nature
and timing of reports. This would also include the timing of the work programme;
for example, the timing of the interim phase of documenting systems and controls,
walk-through procedures, controls testing, including IT, early substantive testing, and
liaison with group auditors. The fieldwork phase involves reviewing draft financial
statements, substantive testing, reassessing the strategy and revising it, if necessary,
communicating on emerging issues, and dealing with those issues. The completion
phase involves final review, communicating with the audit committee, reviewing post
balance date events, and the signing and issuing of the audit opinion.

• The audit budget and fee and arrangements for any other services would be provided.
The budget should identify the time allocated to various phases and elements of the
audit and be consistent with an allocation that reflects the areas where there may be
higher risk.

In summary, the audit strategy documentation should meet the fundamental test required
under HKSA 230 in that an experienced auditor would be able to understand how the audit is
to be approached, the nature of the major risks to be mitigated, the basis for the judgements
made, and how the strategy will be operationalised into a complementary audit plan.


5.2.1.2 Audit Plan Development


The audit plan is a detailed list of the specific audit procedures applied to obtain the required
evidence for specific account balance assertions or classes of transactions.

HKSA 300, paragraph 9, states:

The auditor shall develop an audit plan that shall include a description of:

(a) The nature, timing and extent of planned risk assessment procedures . . .

(b) The nature, timing and extent of planned further audit procedures at the assertion
level . . .

(c) Other planned audit procedures that are required to be carried out so that the
engagement complies with HKSAs.

In addition, the plan:

• Provides a record of proper planning of the audit work in a form that can be reviewed
and approved prior to the work being performed and then amended as necessary.

• Directs the work of the engagement team, especially junior staff, as to the specific
procedures to be undertaken.

• Evidences the work undertaken by having the engagement team member sign off on
each task completed and indicating the outcome.

• Provides documentation that facilitates the supervision and review processes by senior
staff as the audit progresses so that the plan can be updated as circumstances may
change during the audit.

The documentation of the plan can be in the form of a standard audit firm programme and
audit checklists modified to reflect the client circumstances or a plan developed specifically
for the circumstances of the client and unique to the client. The plan will specify the audit
objectives for the component of the financial information being audited and the procedures
to gather, document, and evaluate the evidence. Where sampling is to be used it should
address the number of transactions to be tested and the population from which the sample is
to be drawn.

For example, a basic audit programme for accounts payable could be as follows.

Audit Objectives
1. The accounts payable are financial obligations of the entity.

2. All accounts payable are recorded and accounted for.

3. Related party balances are identified and properly accounted for.

4. Accounts payable are properly presented and disclosed in the financial report.

Audit Procedures
• Obtain a listing of accounts payable, check the additions, and compare the total to the
general ledger.

• Select a sample of recorded accounts payable and check against the creditor’s
statement.


• Select a sample of creditors' invoices and check that they have been correctly recorded.

• Select a sample of accounts payable and confirm the amount with the creditor.

• Identify any balances outstanding for a lengthy period and obtain an explanation.

• Examine a sample of invoices recorded after the balance date and ensure that they
have been recorded in the correct accounting period.

• Examine a sample of payments after the balance date and check that the accounts
payable were recorded in the correct accounting period.

Depending on the nature and complexity of the client’s computer systems, these
procedures may need to be completed using audit software.

Whether completed through a paper trail or electronically, the member of the engagement
team completing the procedures will record that the procedure has been completed and record
the details of the transactions and balances tested and the results of the testing.

The documentation of the testing and the outcome will be reviewed to determine whether
the audit plan needs to be amended to include more and/or different procedures, or whether
the results are consistent with the auditor’s expectations and the evidence obtained is sufficient
and appropriate to support a conclusion on the specific financial statement assertions reflected
in the audit objectives for that identified financial statement item.

In summary, the audit plan specifies the audit objective(s) and detailed procedures to be
performed to gather and document the evidence, and the basis for the conclusions drawn from
evaluating that evidence in relation to specific financial report assertions.

Knowledge Check Questions

Question 5
Auditing standards require that auditors prepare documentation as evidence to support the
basis for the audit opinion. Explain what an experienced auditor, without any connection
with the audit, should be able to understand by reviewing the audit workpapers.

5.3 GAINING INITIAL UNDERSTANDING OF THE ENTITY AND ITS ENVIRONMENT,
INCLUDING THE USE OF PRELIMINARY ANALYTICAL REVIEW PROCEDURES

The first step in developing the overall audit strategy is to obtain an understanding of the
entity and its business and the environment in which it operates, including any regulatory
requirements and the associated business and financial reporting risks.


This understanding is critical to the auditor making sound judgements as to the areas of
audit focus and the risk of material misstatement in the financial statements as a whole. This in
turn determines the nature, timing, and extent of the detailed audit procedures to be included
in the audit plan in relation to individual financial statement assertions, which are determined
to be significant to understanding the financial statements and to obtain sufficient appropriate
audit evidence to support the auditor’s opinion. This will also identify the resourcing
requirements, including any potential reliance on the internal audit or, in the case of a client
with subsidiaries or branches, the work of other auditors.

HKSA 315 (Revised 2019) Identifying and Assessing the Risks of Material Misstatement,
paragraph 11, states:

The objective of the auditor is to identify and assess the risks of material misstatement, whether
due to fraud or error, at the financial report and assertion levels, thereby providing a basis for
designing and implementing responses to the assessed risks of material misstatement.

HKSA 315 (Revised 2019) requires the auditor to obtain an understanding of the
entity and its environment, the applicable financial reporting framework and the entity’s
accounting policies and reasons for changing those policies, the susceptibility of assertions
to misstatement due to inherent risk and the entity’s system of internal control. This provides
the foundation for developing initial expectations about the classes of transactions, account
balances and disclosures relevant to developing an audit strategy and plan. These matters
are regarded as being interdependent and facilitate the identification and assessment of the
preliminary expectation of risk. The audit strategy and plan may be modified as the initial
understanding and risk expectations are enhanced as a result of applying audit evaluations
during the audit process.

Obtaining this required understanding means the auditor needs to determine and assess
the factors that may affect the business risks facing the entity. Business risk is the risk that an
entity may not achieve its business objectives or implement its strategies due to internal and
external conditions, events or circumstances, actions or inactions. Understanding business
risk and the extent to which it has financial consequences is a factor in assisting the auditor to
identify and assess the potential for material misstatements in the financial statements, and
identifying transactions and events that may require specific or more detailed procedures when
developing the audit plan.

Applying HKSA 315 (Revised 2019) to understand business risk includes assessing
information about a range of matters including the state of the industry within which the entity
operates and its position in that industry, the applicable financial reporting framework and
accounting policies applied, regulatory requirements, the entity’s operations, ownership and
governance structure, its business model and the extent to which that model integrates IT,
business strategies and policies, types of investments, and financing structure. Paragraphs
A56–84 of HKSA 315 (Revised 2019) contain an extensive explanation and listing of these
matters, which are summarized in the following sections.


5.4 THE ENTITY’S BUSINESS MODEL

One of the significant features of the entity and its environment that affects business risk is the
entity’s business model. Appendix 1 to HKSA 315 (Revised 2019) identifies the considerations
for understanding the entity and its business model. It notes that the business model includes
strategies by which management plans to achieve its objectives and address the risks and
opportunities facing the entity. The model could include, for example, the scope and scale of
the entity’s operations, the markets or geographical or demographic areas of interest in which
it operates, the resources necessary for success and its use of IT. A business risk can arise from
these characteristics and can impact the risk of material misstatement at the assertion level.
The following characteristics arising from an entity’s business model are matters that may
indicate a business risk, and may need to be considered when obtaining an understanding of
the entity, for example:

• Business operations, nature of products, services, involvement in e-commerce, joint
ventures, geographic dispersion and location of production facilities

• Investments and investing activities such as planned acquisitions, investments in or
disposal of securities and loans

• Financing and financing activities such as changes in structure of subsidiaries, debt
structure, leasing arrangements and the use of derivatives.

The entity’s business model and strategies also indicate the ability of the entity to react to
changes in the circumstances facing the entity and the business risks that could increase the
susceptibility to the risk of material misstatement.

5.4.1 Organizational and External


In applying the requirement to obtain an understanding of the entity and its environment, in
addition to understanding the entity’s business model, HKSA 315 (Revised 2019) identifies the
following factors that need to be considered:

• The complexity of the entity’s structure, for example whether the entity is a single entity
or includes subsidiaries or other components in multiple locations. The more complex
the structure the greater the potential for material misstatement;

• The relationship between owners and other entities and individuals (which may, among
other matters, indicate the existence of related parties);

• The distinction between the owners, those charged with governance and management.
For example, in a less complex entity the owners may also be the managers compared
with a listed entity where there is a clear distinction between the management, owners
and directors;


• The organizational structure and governance, for example where those charged with
governance hold positions such as directors, and the existence of sub-groups such as
an audit committee (which may say much about how controls and performance are
regarded and assessed);

• The structure and complexity of the IT environment, for example the level of integration
of IT systems (which may indicate whether a complex IT environment needs to be
addressed);

• Regulatory changes such as tax laws and prudential requirements (which may require
changes in financial systems and reporting); and,

• The entity’s basis and processes for selecting and applying accounting policies and the
reasons for any changes (which may draw attention to significant transactions such as a
business combination).

5.4.2 Financial Performance


Understanding the basis of how the entity’s financial performance is measured internally
and externally is also important as a factor to be considered as it creates pressure on entity
management to meet financial targets. For example, financial institutions may need to
meet regulatory requirements such as capital adequacy and liquidity ratios. The auditor’s
understanding of these matters would identify the risk of material misstatement arising from
efforts to ensure that such targets are met.

5.4.3 Financial Reporting Framework


The understanding of the applicable financial reporting framework involves considering the
basis for the selection and application of accounting policies and changes thereto and the
reasons why. For example, the auditor would consider industry specific practices, accounting
for unusual transactions and new accounting standards.

Based on the auditor’s understanding of the matters identified in Sections 5.4.1–5.4.3, the auditor
gains an understanding about how inherent risk factors could impact compliance with the
applicable financial reporting framework. This is dealt with further in Section 5.6.

5.4.4 System of Internal Control


Critical to understanding an entity and its environment, the auditor must understand the
client’s system of internal control. The objective of the entity’s internal control system is to
assist the entity to achieve its objectives and manage risks in terms of financial reporting,
operational effectiveness and efficiency and compliance with laws and regulations.

HKSA 315 (Revised 2019), paragraph 12(m), defines the system of internal control as:

‘The system designed, implemented and maintained by those charged with governance,
management and other personnel, to provide reasonable assurance about the achievement of
the entity’s objectives with regard to reliability of financial reporting, effectiveness and efficiency of
operations, and compliance with applicable laws and regulations.’


HKSA 315 (Revised 2019) requires that the auditor obtain an understanding of the following
interrelated components of the system and specifies the specific risk assessment matters to
be addressed and evaluated for each component relevant to the preparation of the financial
statements. The following is a brief summary as to why these elements are of interest to the
auditor as part of the risk assessment process.

It is important to note (see HKSA 315 (Revised 2019) paragraph 91), that the components
of an entity’s system of internal control may not necessarily reflect how an entity designs,
implements and maintains its system of internal control or how it may classify any particular
component. Entities and auditors may use different terminology or frameworks to describe
various aspects of a system. The important point is that all the following components are
addressed.

• Control environment. The auditor evaluates how the entity demonstrates behavior
consistent with management’s commitment to integrity and ethical values to determine
whether the control environment provides an appropriate foundation for other
components of the system of internal control. This assists in identifying potential issues
in other components and in understanding risks that can impact the assessment of
risks of material misstatement. (HKSA 315.21, A99–108)

• The entity’s risk assessment process to identify business risks and their significance.
This assists the auditor’s evaluation of how the entity identifies its business risks and
how it addresses those risks and whether they are appropriate to the nature and
complexity of the entity. (HKSA 315.22, A109–113)

• The entity’s process for monitoring the system of internal control. This involves
the auditor understanding the processes and sources of information used to monitor
the system of internal control and whether they are relevant and reliable, and the
monitoring is appropriate. The auditor can then assess whether other components
of the internal control system are present and functioning as input into the risk
assessment process. (HKSA 315.24, A114–122)

• The entity’s information processing system and communication of significant
matters. This aspect focusses on the flow of transactions and other information
processing related to the preparation of the financial statements and whether this
component supports the preparation of the financial statements and auditor’s
identification and assessment of the risks of material misstatement at the assertion
level. If the results of the auditor’s procedures are inconsistent with expectations about
the system of internal control this may also indicate risks of material misstatement at
the financial statement level. This includes the use of IT applications and other aspects
of the IT environment that may result in IT risks. In addition to understanding the
systems and controls as they relate to information from the entity’s internal processing,
it covers information obtained from outside the general and subsidiary ledgers, for
example fair value calculations, estimates and modelling assumptions for financial
statement figures and disclosures. (HKSA 315.25, A123–146)

• The control activities that deal with the risk of misstatement at the assertion level
and risk that is assessed as significant including the IT applications and general IT
controls. These are controls to ensure the proper application of policies, with the
auditor’s evaluation focused on the processing of information that directly affects
risks to the integrity of information, particularly for significant classes of transactions,
account balances and disclosures. This includes controls such as authorization,
approvals, reconciliations, verification, edit and validation checks, automated
transactions, segregation of duties and physical or logical controls. Understanding
management’s approach in this area facilitates the auditor’s decisions as to the
approach to the performance of substantive procedures and controls testing where
substantive procedures do not provide sufficient appropriate audit evidence. (HKSA
315.26, A147–174)

5.4.5 Audit Strategy


Within the framework outlined in Section 5.4.3, the initial understanding of the components
of internal control is to assess whether the design of controls is consistent with the objective
of effectively preventing, detecting, or correcting material misstatements in the accounting
system and related operational systems. It is important to understand the extent to which the
control system comprises manual and automated components, as this affects the auditor’s risk
assessment and the basis for determining further audit procedures; for example, whether the
audit strategy should recognise the need for specialist IT resources in the audit team or the use
of audit software and how this will flow through to the audit plan.

Understanding and subsequently assessing the effectiveness of internal controls allows the
auditor to consider the effect of internal control weaknesses and potential errors that might
occur in the financial reporting process. This is significant to developing the audit strategy as
the auditor needs to make a judgement as to the extent that reliance can be placed on the
system of internal control, which affects the nature, timing and extent of the more detailed
audit procedures to be included in the audit plan, including the extent of testing of the
control system.

For example, if the initial assessment of internal control is that it can be relied upon, the
audit strategy will be to test the system, thereby reducing the nature, timing, and extent of
substantive tests of transactions and balances and analytical procedures. On the other hand,
if the understanding of the system indicates that it is a weak system and reliance cannot be
placed on it, then the audit strategy will be one based on substantive procedures involving
extensive testing of transactions and balances and analytical procedures, and the audit plan is
developed accordingly.

Obtaining an understanding of the entity and the environment in which it operates is
important because it impacts the auditor’s assessment of risk from which the auditor devises
specific audit procedures to be applied to those areas of the financial statements that are
at risk of material misstatement. If the auditor does not gain a sufficient understanding, a
thorough risk assessment is unlikely and hence audit risk (the risk that the auditor expresses an
incorrect opinion on the financial statements) is increased.

HKSA 315 (Revised 2019) recognises that the nature and extent of risk assessment
procedures used by the auditor and the way in which the entity’s system of internal control is
designed, implemented and maintained are scalable (that is, they differ according to the size
and complexity of the entity), and will also vary based on the nature of the entity (for example,
for a financial institution that takes customer deposits compared to a manufacturing entity).


5.4.6 Information Sources for Obtaining an Understanding


Exhibit 5.2 indicates the broad sources of information that provide an understanding of an
entity, its environment, and controls.

EXHIBIT 5.2 Sources of information that provide an understanding of an entity, its
environment, and its controls

[Figure with four panels: Information from the firm; Information from external sources;
Information from the auditor; Information from the client. Items shown: Partner, Manager,
Last year’s team, Last year’s audit file, Websites, Trade press, Credit agencies, Public filing
records, Industry experts, Discussion, Observation, Prior experience, Website, Brochures.]

In particular, the auditor’s understanding of the client and its environment can be obtained
through discussion with entity management and operational personnel, including internal
audit, review of entity documentation, correspondence, manuals, legal correspondence,
industry publications, budgets, board minutes, significant agreements and contracts,
observation of operations and inspection of the plant and facilities, and the application of
preliminary analytical procedures on entity data.

Within the broad framework identified earlier from HKSA 315 (Revised 2019),
the understanding of the matters relating to the entity and its environment
can be addressed at three levels. The following is a brief summary of the levels
at which those matters can be addressed.

1. Entity Level

The auditor is required to gain an understanding as to the nature of the entity,
which includes:

• Its operation.

• Its ownership and governance structures.

• Its business model.

• The types of investments it makes.

• The way it is structured and financed.


In addition, HKSA 315 (Revised 2019) requires the auditor to understand:

• The entity’s selection and application of accounting policies.

• The entity’s objectives, strategies, and related business risks.

• The measurement and review of the entity’s financial performance.

• The internal controls relevant to the audit.

If the entity has an internal audit function, the auditor must also obtain an
understanding of that function; in particular, the role that internal audit plays in
monitoring the entity’s internal control environment over financial reporting.

2. Industry Level

The auditor must obtain an understanding of the entity at the industry level. This
requires a much broader understanding of the business and the impact of external
factors than at the entity level, for example:

• The market and competition, including demand, capacity, and price competition.

• Cyclical or seasonal activity.

• Product technology relating to the entity’s products.

• Energy supply and cost.

Linked to risks at the industry level are regulatory factors that the auditor must
also consider. HKSA 315 (Revised 2019) recognises that the industry in which the entity
operates may give rise to specific risks of material misstatement arising from the
nature of the business or the degree of regulation. For example, long-term contracts
may involve significant estimates or revenues and expenses that give rise to risks of
material misstatement. The auditor may consider the following matters arising from the
regulatory environment:

• Accounting principles and industry-specific practices.

• The regulatory framework for a regulated industry, including disclosure
requirements.

• Legislation and regulation that impact the entity’s operations, including direct
supervisory activities.

• Taxation (corporate and other).

• Government policies currently affecting the entity’s business, such as monetary
policy, foreign exchange, fiscal policy, tariffs or other trade restriction policies.

• Environmental requirements.

3. Economy Level

When gaining an understanding of the client the auditor assesses how economy-level
factors affect the client. This includes an assessment of economic upturns and
downturns (recession), a change in interest rates, and currency fluctuations. Here the
auditor is concerned with the entity’s susceptibility to any changes and its ability to deal
with economic pressures.


When the economy is strong, entities are generally under pressure to perform well
or, at the very least, better than their competitors. Company shareholders, for example,
will expect an improvement in profits, and therefore the focus of the auditor’s attention
will be overstatement of revenue and understatement of expenses because the
inherent risk is that management wish to meet shareholders’ expectations and report
a healthy profit and strong balance sheet position.

When the economy is poor, management may purposefully understate profits
by maximising write-offs as a fall in profits can be easily explained as a downturn in
the economy. Here, the auditor’s focus is on the risk of understated revenues and
overstatement of expenses.

In addition to inquiries of management and other appropriate entity personnel,
and observation and inspection, HKSA 315 (Revised 2019), paragraph 14(b), mandates
analytical procedures as one of the risk assessment procedures to be applied in the
planning process.

Analytical procedures are defined in the Glossary (Clarified): Glossary of Terms
Relating to Hong Kong Standards on Quality Control, Auditing, Review, Other Assurance and
Related Services (February 2015):

. . . evaluations of financial information through analysis of possible relationships
among both financial and non-financial data. Analytical procedures also encompass
such investigation as is necessary of identified fluctuations or relationships that are
consistent with other relevant information or that differ from expected values by a
significant amount.

Analytical procedures are applied at various phases of the audit process, i.e. in
planning, as a substantive test during the audit fieldwork to obtain evidence about
account balance or class of transactions assertions, and during the final stage of the
audit as part of an overall review of the financial statements.

When applying analytical review as a risk assessment procedure, HKSA 315 (Revised
2019) notes that analytical review may assist in identifying and assessing the risks
of material misstatement by directing attention to matters of which the auditor may
be unaware or understanding how inherent risk factors, such as change, impact the
potential for assertions to be misstated. This assists the auditor to focus on these areas
of potential concern when planning the audit.

Analytical procedures involve comparing recorded amounts or ratios developed
from recorded amounts to plausible expected outcomes established by the auditor
based on the auditor’s knowledge of the entity and its business. For example, the
following information may be used to develop the auditor’s expectations:

• Financial information from corresponding prior accounting periods.

• Predicted results based on budgets, forecasts, or interim financial results projected
for the full accounting period.

• Plausible relationships between components of the financial statements, such as
sales and accounts receivable.


• Industry information, trends, and statistics.

• Economic conditions and statistics.

• Analysts’ reports.

• The correlation between financial and non-financial information.

The advantages of applying preliminary analytical procedures at the planning
stage are:

• The auditor needs to obtain information about the entity and its industry to
implement these procedures, such as identifying the relevant industry data.

• The procedures identify potential risks, unusual transactions, and events or trends
that may indicate the risk of material misstatement in the financial statements and
that require attention during the audit, thereby facilitating the determination of the
nature, timing, and extent of audit procedures on a timely basis.

• Attention may be drawn to matters of which the auditor was unaware, requiring
further enquiries and investigation.

It must be remembered that the effectiveness of analytical procedures is a function
of the reliability of the data on which they are based. For example, data from external
sources are usually more reliable than internal data and internal data are more reliable
if the system of internal control is sound.

Common analytical procedures include:

• Comparisons with prior period data, industry statistics, or expectations.

• Ratio analysis involving calculations of ratios of one element of financial statement
data to another related element.

• Trend analysis involving the comparison of account balances over a period.

• Models based on, for example, time series modelling and regression analysis. These
are more complex techniques that can incorporate client operational data and external
industry or economic data to predict account balances.

Apply and Analyse 2


As an audit partner, you and the new audit manager have just met with the management
of HWA Ltd and they have provided you with the following information:

• New competitors have entered the market and have managed to secure contracts
with some HWA customers and selling prices and profit margins are under pressure.

• The process of renewing contracts is very competitive and HWA is reacting
accordingly.

• The key member of the technical staff in product development has left to work for
one of the new competitors and has yet to be replaced.


• As a result of the increasing competitiveness in the industry, management is in
the process of expanding the business by diversification into the importation and
wholesaling of electrical appliances, a market and activity in which it has not been
involved before.

• The new product activity has been established as a new division within the
company with separate sales and purchasing staff, but integrated with the central
administrative function. The new division has been put in place and is about to
commence operations.

• Management has indicated that it may need to seek additional services from your
firm in relation to its move into the new industry.

Explain the implications of this information for your planning.

Analysis

The above are matters that the auditor would need to address in applying the
requirements of HKSA 315 (Revised 2019) in updating the understanding of the entity’s
organizational structure, governance, business model and use of IT. The auditor would
need to assess these events in terms of updating the assessment of the risk of material
misstatement.

The change in the entity’s organizational structure and business model indicates
that the client’s business risk has increased from prior years and indicates that the audit
strategy will need to be focused on the risk of material misstatement in the financial
statements in areas that were not as significant as in the past. Management’s inexperience
in the new area of the business and the challenges in managing the business in an
environment that they are not used to dealing with increases the inherent risk. The auditor
would need to review the systems, processes, and controls that management has in place
to manage both the increasingly competitive environment for its existing business and the
transition into the new business and industry, including any regulatory matters associated
with the new division and product.

The auditor will need to undertake a more extensive review of the business strategies
and updated business plan that management has put in place to deal with the change in
circumstances and whether the internal control systems and integration of IT are robust
enough to deal with the changes in circumstances and the potential for fraud and error.

The auditor will also need to assess how the entity has communicated its plans
and changes within the entity to address the risk that controls will be effective and that
the information system and other components of the system of internal control are
understood and implemented.

Attention will need to be given to the controls over the physical purchasing and sale of
the new products and inventory, as well as the accounting systems for those transactions.
Consideration will need to be given to a strategy that involves more extensive substantive
testing of account balance details and classes of transactions.


Areas that may require more audit attention as a result of the increased risk of
material misstatement are:

• Inventory obsolescence and valuation as sales may be declining and inventory
turnover may be declining or may not be meeting new technical requirements if
product development may not be as strong as in the past.

• Inventory valuation for the new products.

• Revenue recognition and recording.

• The recognition and accounting treatment of the costs of establishing the
new division.

• The risks associated with foreign exchange transactions on the products imported
by the new division.

• Cash flow and financing and the recognition and recording of accounts payable.

In addition, consideration will need to be given to what other services HWA may be
requesting and the implications for audit independence.

The change in circumstances indicates that the level of audit work that will need to
be undertaken will increase from previous years and the audit budget and fee will need to
be reassessed.

The composition of the engagement team will need to be addressed as to whether
the team has the knowledge to understand the transactions and events associated
with the new products and market or whether there will be a need for the use of experts
during the audit process. The level of supervision and review of junior staff may need to be
increased during the audit fieldwork as the risk of material misstatement has increased.

5.4.7 Entity Level


Bear in mind that the preliminary analytical review for planning will generally be undertaken at
an early point in the financial period under audit. Common techniques applied at this point are
the more basic comparisons and ratio analysis using data available at that early stage, which
will generally be unaudited, and interim data available at the time of the planning.

The auditor will need to use the results of these procedures in conjunction with other
information gained during the process of gaining an understanding of the entity, and
knowledge from the prior audit in a continuing engagement, as to whether any fluctuations
or variances from expected relationships warrant further investigation and discussion
with management. Maintaining an attitude of professional skepticism is important during
this process.

At this stage, comparing amounts with prior periods, industry averages and budgets to
identify significant changes in account balances, and investigating the reasons for those
changes, provides useful information for planning purposes. For example, a simple
comparison of the level of accounts receivable with the same time in the prior period
that indicates a significant increase in that balance, while sales are at the same level as
the prior period, may indicate a problem with accounts receivable collection. This may suggest
that the provision for doubtful debts is an area of risk of material misstatement that needs
audit attention.

Similarly, significant variations from calculation of ratios and comparison with prior years,
budgets, and industry averages can highlight potential risks of misstatement and lead to
relevant inquiries about the client’s current activities and business conditions. It should be
understood, however, that ratios are calculated at a point in time, whereas they are most useful
when compared over time and when the relationships between the ratios are assessed for
consistency.

The basic ratios that may be useful at this point focus on entity internal relationships.
For example, the following ratios are often used:

Current ratio = Current assets / Current liabilities

This ratio is often referred to as the working capital ratio and provides an indication of
an entity’s ability to meet short-term obligations. A ratio of less than 1 may indicate that the
entity does not have short-term resources to meet short-term obligations. A ratio of greater
than 1 may indicate that the entity is solvent in the short term. It is important to consider the
components of this ratio in considering what it indicates; for example, a high ratio may be
the result of the fact that the entity does not collect accounts receivable quickly or has high
levels of inventory.

The nature of the business can also mean that the size or sign of the ratio differs. For
example, a business may collect and invest proceeds quickly but pay creditors slowly, and
may even have negative working capital at certain times of the trading cycle. However, the
pattern of inflows of proceeds may be such that there are no difficulties paying creditors in
due course.

It is important then, when assessing ratios, to have a good understanding of the business
and of how the ratios appear over time.

Quick ratio = Liquid assets / Current liabilities

This ratio provides an indication of short-term liquidity and the ability of an entity to meet
its short-term obligations with its most liquid assets that can be quickly realised, such as cash
and short-term investments. Items such as inventory would be excluded. Low ratios or a
declining ratio may indicate that the client is having difficulty in meeting its current obligations
or that there is a risk of material misstatement in the relevant account balances. Equally, a high
ratio or increase may indicate the risk of accounting issues in the component balances.

Accounts receivable turnover = Credit sales / Accounts receivable


This ratio can help in identifying the effectiveness of an entity’s credit sales policy and
in collecting accounts receivable. It measures how many times an entity collects receivables
during the period over which it is measured. A decline in this ratio may indicate problems with
collections or issues with the credit control system and the risk of material misstatement in the
provision for doubtful debts.

Inventory turnover = Cost of goods sold / Inventory balance

Inventory management is important as it can indicate how well the sales process is
generating sales of inventory. This ratio indicates the frequency with which inventory is turned
over in terms of the cost of manufacturing during the period. If the ratio is declining compared
with prior periods, or industry averages, it may indicate obsolete or slow-moving inventory and
raise issues of inventory valuation.

Gross profit = Gross profit / Net sales

Unexpected or changing results in this ratio could occur for several reasons in the areas of
sales and inventory. It is a measure of how good an entity is in creating a product and selling
it. Unless circumstances change, the gross profit margin should remain relatively stable over
time and needs to be adequate to allow for the payment of operating expenses. It is a useful
ratio to compare business models with competitors, for example in terms of the costs of
manufacture.

Net profit = Net profit / Revenue

This ratio is a measure of how much profit each dollar of sales generates. This measures
profitability after all expenses, with variations in the ratio indicating potential issues with the
recognition and recording of expenses.

Return on assets = Net profit / Total assets

This measures how profitable an entity is relative to the total assets. The higher the ratio
the greater is the efficiency with which assets are used to generate revenue. Net profit is
usually calculated before interest and taxes.

Debt to equity = Total liabilities / Shareholders’ equity

This ratio looks at the extent to which an entity is debt funded in financing its assets.
Increases in this ratio or the ratio being high relative to industry standards may indicate risks in
the areas of interest expense, cash flows, and the ability to meet financial commitments.


Any changes noted during the review of comparisons or ratios can highlight risks of
misstatement and should be discussed with management in order to seek an explanation. In
conjunction with other information obtained by the auditor, significant indicators of potential
misstatement should be reflected in the audit strategy and plan.
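
The ratio comparison described in this section, as an added example that is not part of the original text: it computes the ratios listed above and flags those that moved against the prior period or an industry average. All figures are constructed, and the 10% threshold and the function names are assumptions made for illustration.

```python
"""Preliminary analytical review using the ratios listed in Section 5.4.7."""

# Ratio definitions as given in the text: name -> (numerator, denominator).
RATIOS = {
    "current_ratio": ("current_assets", "current_liabilities"),
    "quick_ratio": ("liquid_assets", "current_liabilities"),
    "receivables_turnover": ("credit_sales", "accounts_receivable"),
    "inventory_turnover": ("cost_of_goods_sold", "inventory"),
    "gross_profit_margin": ("gross_profit", "net_sales"),
    "net_profit_margin": ("net_profit", "revenue"),
    "return_on_assets": ("net_profit", "total_assets"),
    "debt_to_equity": ("total_liabilities", "shareholders_equity"),
}

# Areas the text associates with a movement in each ratio.
AREAS = {
    "current_ratio": "ability to meet short-term obligations",
    "quick_ratio": "short-term liquidity; component account balances",
    "receivables_turnover": "collections, credit control, doubtful debts provision",
    "inventory_turnover": "obsolete or slow-moving inventory; inventory valuation",
    "gross_profit_margin": "sales and inventory",
    "net_profit_margin": "recognition and recording of expenses",
    "return_on_assets": "efficiency of asset use",
    "debt_to_equity": "interest expense, cash flows, financial commitments",
}

# Constructed interim figures (thousands); not taken from any real entity.
PRIOR = {
    "current_assets": 1200, "liquid_assets": 600, "current_liabilities": 600,
    "credit_sales": 4800, "accounts_receivable": 400,
    "cost_of_goods_sold": 2400, "inventory": 160,
    "gross_profit": 2400, "net_sales": 4800, "net_profit": 720, "revenue": 4800,
    "total_assets": 2400, "total_liabilities": 1200, "shareholders_equity": 1200,
}
CURRENT = {
    "current_assets": 1600, "liquid_assets": 400, "current_liabilities": 800,
    "credit_sales": 4800, "accounts_receivable": 400,
    "cost_of_goods_sold": 2880, "inventory": 240,
    "gross_profit": 1920, "net_sales": 4800, "net_profit": 720, "revenue": 4800,
    "total_assets": 2400, "total_liabilities": 1440, "shareholders_equity": 960,
}
# Constructed industry averages, available for only some of the ratios.
INDUSTRY = {"inventory_turnover": 13.0, "gross_profit_margin": 0.45,
            "debt_to_equity": 1.2}


def compute_ratios(figures):
    """Return {ratio: value}; None if an input is missing or the denominator is 0."""
    ratios = {}
    for name, (numerator, denominator) in RATIOS.items():
        n, d = figures.get(numerator), figures.get(denominator)
        ratios[name] = None if n is None or not d else n / d
    return ratios


def review(current, prior, industry=None, threshold=0.10):
    """List ratios whose relative difference from a benchmark is >= threshold."""
    now = compute_ratios(current)
    benchmarks = {"prior period": compute_ratios(prior), "industry": industry or {}}
    findings = []
    for source, values in benchmarks.items():
        for name, value in now.items():
            base = values.get(name)
            if value is None or not base:
                continue  # no usable benchmark for this ratio
            change = (value - base) / abs(base)
            if abs(change) >= threshold:
                findings.append({
                    "ratio": name,
                    "benchmark": source,
                    "current": round(value, 2),
                    "benchmark_value": round(base, 2),
                    "change_pct": round(change * 100, 1),
                    "area": AREAS[name],
                })
    # Largest movements first: these drive the inquiries of management.
    findings.sort(key=lambda f: abs(f["change_pct"]), reverse=True)
    return findings


if __name__ == "__main__":
    for f in review(CURRENT, PRIOR, INDUSTRY):
        print(f"{f['ratio']:<22} {f['current']:>6} vs {f['benchmark_value']:>6} "
              f"({f['benchmark']}, {f['change_pct']:+.1f}%): {f['area']}")
```
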

Developments in IT also provide sources of information that could be used
for analytical purposes at the planning stage. The availability of databanks and data analytics
provides accessible information that can identify an array of relationships relevant to a client’s
business and financial reporting issues.

Databanks (data warehousing) provide a repository of aggregated information relating to
specific aspects of a client’s business and transactions. These databanks can be maintained
internally by the client as part of their business management systems or externally produced
and publicly available online, providing data about the industry in which the client operates.

More sophisticated data analytics are also available that use computer systems to identify
relationships that can be used in audit planning. These techniques take large volumes of raw
data and use software to, for example, apply algorithms that identify trends and relationships,
anomalies and comparisons with industry data.

These sources of information provide auditors of large clients who utilise these facilities,
or auditors who have the IT capacity to use this technology, with a broader range of analytical
procedures at the planning stage.

All the information, explanations, and decisions in terms of the impact on the strategy
and plan obtained during this phase of planning the audit should be documented in the audit
workpapers.

5.4.8 Industry Level


Preliminary analytical review at the industry level involves:

• Comparison of client ratios and other information with industry data.

• Direct use of industry publications and statistics to establish trends, expectations, or
understand developments in the industry sector(s) in which the company operates.

Both may identify potential problems or assist the auditor in understanding trends and
issues facing the client that should be reflected in the entity level data. Industry information can
often be more focused on qualitative information about the nature and developments in the
industry. For example, if through industry publications it is evident that technological advances
have recently made the industry riskier unless participants adapt their products quickly, the
audit strategy would need to recognise inventory obsolescence and valuation as areas of
potential risk.

5.4.9 Economy Level


As in the case of industry sources, data and statistics about the level of economic activity, and
general economic factors within the jurisdiction(s) in which the client operates, are relevant
analytical input for the strategy and plan. Depending on the nature of the client’s services and
products, the client’s business risk is impacted by trends in economic activity. Knowledge of this
through government publications or reports by economic analysts provides the auditor with
information that assists in developing informed expectations about relationships in areas of
the client’s business and financial reporting. Government policies may also impact the client’s
business risk. For example, government policy and economic factors may affect currency
exchange rates. A client involved in transactions with overseas entities will face risks due to
currency fluctuations that would affect account balances and the recording of transactions. The
risk of material misstatement and the client’s controls in this area would need to be addressed
in the strategy and plan.

Another example would be information about credit conditions when assessing the
collectability of loans in a financial institution. International Financial Reporting Standard
IFRS 9 Financial Instruments requires that expected losses be measured by evaluating a range
of possible outcomes, time value of money, and information relating to past events, current
conditions, and forecasts of future economic conditions. The standard requires that expected
credit losses be based on the probability of a loss occurring or not occurring. The loss model
therefore requires information about economic conditions.

In summary, preliminary analytical procedures provide a basis for identifying risks and
developing expectations about the client’s financial statement account balances, especially over
time. The development of an effective audit strategy and audit plan based on an understanding
of the entity and its environment is enhanced through the appropriate use of analytical
information.

Apply and Analyse 3


Following the meeting with HWA management, you undertake some preliminary analytical
procedures on the interim financial information to date and obtain the following results:

• The current ratio is 2 to 1, which is comparable to the prior year.

• The quick asset ratio is 0.5 to 1 and has declined from 1 to 1 in the prior year.

• The accounts receivable turnover ratio is steady at 12 compared with the industry
average of 6 in both its existing business and the new division.

• The inventory turnover ratio is 11 compared with 15 in the prior year and an
industry average of 13.

• The gross profit ratio is 45% compared to 50% in the prior period and the industry
average is 45%.

• The net profit ratio is 30% and remains similar to the previous period and a little
higher than the industry average.

• The return on assets ratio is 30% and is similar to prior periods.

• The debt to equity ratio is 1.5 compared to the prior year of 1.10 and the industry
average of 1.2.

In conjunction with the other information already provided by HWA, explain what
impact these results have on your planning considerations.


Analysis

Under HKSA 315 (Revised 2019), analytical procedures are to be applied, in the risk assessment, to
identify unusual or unexpected relationships, transactions and trends that may have audit
implications and identify risks of material misstatement.

The level of the current ratio is indicative of a sound short-term liquidity position
and HWA’s ability to meet its current obligations. However, the decline in the quick ratio
suggests that the short-term liquidity position is not as strong as it has been. As the quick
asset ratio excludes inventory it may suggest that the sound current ratio is due to large
inventory holdings. Given the concerns expressed earlier about inventory obsolescence
and slow-moving inventory from the discussions with management, inventory is an area
of the audit that will need to be given increased attention in terms of control testing and
substantive testing.

The accounts receivable turnover ratio converts to receivables being collected within
30 days (365/12) compared with the industry average of 60 days (365/6). This is a high ratio
and indicates that the company is efficient in collecting its accounts receivable and has a
good customer base in terms of quick payment for goods supplied. It may also indicate
that it has a conservative credit policy in terms of offering credit sales. However, given the
increasingly competitive environment and the move into a new market, HWA may need
to change its approach to maintain or attract new customers, as indicated by the industry
average for the current business. The audit strategy will need to give greater attention to
this area and the provision for doubtful debts.

The inventory turnover ratio indicates a decline in the speed of moving inventory.
Converted to days in inventory (i.e. the number of days it takes to sell inventory), the
ratio has increased from 24 days (1/15 × 365) to 36 days (1/10 × 365) and is higher than
the industry average of 28 days (1/13 × 365). This again supports the possibility that
inventory is now becoming more difficult to move, which may point to a risk of obsolete
inventory. It also indicates that HWA may be incurring additional costs in holding inventory.
The audit strategy should also include consideration as to whether the controls and
business processes over production are reflecting the changing market circumstances and
product demand.

The gross profit ratio has declined, which is to be expected due to the pressure on
profitability and higher inventory levels, and is consistent with other firms in the industry.

The net profit ratio seems inconsistent with expectations based on the information
provided and the analytical results. As profitability is under pressure in the existing
business and the new division has yet to commence operations but has been established
and costs incurred, it would be expected that the ratio would be declining. This indicates
that consideration needs to be given to the recognition and accounting for expenses and
the costs of the new division.

The return on assets ratio is inconsistent with expectations given the competitive
pressures and expenses being incurred to establish the new division. This could indicate
a risk of material misstatement and warrants increased audit attention to revenue
and expense recognition and recording. This is especially significant given that the
management’s bonus share scheme is based on the company achieving a specified return
on assets.

The debt to equity ratio is declining, which indicates that HWA has increased its debt
levels in recent times to support its ongoing contracts and to fund the establishment of
the new division. The audit strategy will need to indicate a focus on auditing the terms and
conditions of new financing arrangements and the recording of increased borrowing costs,
which would also be expected to be reflected in a lower net profit ratio. Audit planning
should also indicate the need to consider HWA’s ability to meet its financial commitments
and the ability to generate revenue and cash flows and any loan covenants that may
now exist.

In summary, the preliminary analytical review has identified several issues that indicate
that the risk of material misstatement in the financial statements has increased from the
prior year. The audit strategy will need to address these matters, including the evaluation
of the impact of the establishment of the new division on the internal control systems and
greater reliance on substantive testing in the areas identified above.

The audit will also need to focus on the business model and processes and controls
that management have applied to support its ongoing viability and the ability to generate
future revenue streams to meet its financial commitments.

Knowledge Check Questions

Question 6
Identify why the auditor obtains an understanding of the entity and its environment.
A To understand the transactions and events that could affect the client’s financial
statements.
B To provide the client with recommendations to improve the system of internal control.
C To assess the level of known misstatements to determine whether the financial
statements overall are materially misstated.
D To understand how professional skepticism relates to the financial statement assertions.

Question 7
Identify which of the following is a client’s business risk.
A The risk that an entity may not achieve its business objectives due to internal and
external factors
B The risk that some account balances and transactions are inherently more susceptible to
error due to the nature of the client’s business.
C The risk that the auditor will face litigation arising from the audit.
D The risk that the auditor will give an incorrect audit opinion.


Question 8
Identify which of the following is not a typical analytical procedure.
A Reviewing the correlation between financial and non-financial information.
B Comparing client financial information with relevant industry information.
C Comparing the amount of recorded sales with the entity’s budget.
D Comparing the recorded amount of material cash payments with related invoices.

Question 9
Explain why analytical procedures are applied at the planning stage of the audit.

Question 10
The auditor is required to obtain an understanding of the entity’s organizational structure
and ownership. Identify which of the following is a matter to which this risk assessment
procedure is directed.
A The entity’s information processing activities
B The financial reporting process used to prepare the financial statements
C The distinction between the owners, those charged with governance and management
D The controls in place to determine the significant risks of material misstatement.

Question 11
The auditor designs and performs risk assessment procedures to obtain audit evidence to:
A Identify and assess the risk of material misstatement at the financial statement and
assertion levels
B Develop an audit strategy and plan appropriate to the entity’s circumstances
C Develop further audit procedures relevant to the entity’s circumstances
D Determine the form of the audit opinion to be issued.

5.5 AUDIT RISK COMPONENTS

Audit risk is a concept that is integral to audit planning and the process of developing an audit
strategy and plan. Its assessment requires an understanding of the entity and its environment,
including the client’s business strategy and risks. With an understanding of these, the auditor
can focus on the potential impact on financial report assertions and the impact on audit risk.
Audit risk is assessed by the auditor at the planning stage and that assessment is reviewed as
the audit progresses.

Audit risk is defined in HKSA 200 Overall Objectives of the Independent Audit and the Conduct
of an Audit in Accordance with Hong Kong Auditing Standards (June 2017), paragraph 13, as:

. . . the risk that the auditor expresses an inappropriate audit opinion when the financial
report is materially misstated. Audit risk is a function of the risks of material misstatement and
detection risk.

Paragraph 17 of HKSA 200 states:

To obtain reasonable assurance, the auditor shall obtain sufficient appropriate audit evidence to
reduce audit risk to an acceptably low level and thereby enable the auditor to draw reasonable
conclusions on which to base the auditor’s opinion.

Audit risk (AR) is a function of the risk of material misstatement and detection risk (DR).
HKSA 200, paragraph 13 states that the risk of material misstatement comprises inherent risk
(IR) and control risk (CR).

The risk of material misstatement exists at both the overall level, which impacts the whole
financial report and many assertions, and the assertion level for classes of transactions,
balances, or disclosures.

Assessment of the risk of material misstatement at the assertion level forms the basis for
determining the nature, timing, and extent of audit procedures to obtain sufficient appropriate
audit evidence. The auditing standards recognise that there are different acceptable
approaches to assessing the risk of material misstatement. However, the relationship between
elements of the audit risk model is generally summarised as:

AR = IR × CR × DR

and application of the model can be in quantitative (percentages) or non-quantitative terms.


This will be illustrated further at the end of this section.

5.5.1 Inherent and Control Risk


As indicated in Section 5.5, the auditor is required to perform risk assessment procedures
to obtain an understanding of the entity and its environment and the applicable financial
reporting framework, including the entity’s accounting policies and the reasons for changes to
those policies. As a result, the auditor has a basis for understanding how inherent risk factors
may affect the likelihood and magnitude of misstatement of financial statement assertions.

Having identified risks of material misstatement at the financial statement level and
whether such risks affect risks at the assertion level, HKSA 315 (Revised 2019) paragraph
31 states:

'For identified risks of material misstatement at the assertion level, the auditor shall assess
inherent risk by assessing the likelihood and magnitude of misstatement. In doing so, the
auditor shall take into account how, and the degree to which:

(a) Inherent risk factors affect the susceptibility of relevant assertions to misstatement; and

(b) The risks of material misstatement at the financial statement level affect the
assessment of inherent risk of material misstatement at the assertion level.'

Inherent risk (IR) acknowledges that some account balance, transaction, and disclosure
assertions are more susceptible to misstatement, whether due to fraud or error, due to their
inherent nature or the client’s business and environment that creates complexity, subjectivity,
uncertainty or changes in events or conditions affecting the entity and before consideration
of any related controls. For example, complex and technical calculations are more likely to
have errors than simple calculations, and accounts based on estimates are inherently riskier.
The auditor needs to identify these areas and reflect the higher inherent risk in the audit
plan. Inherent risk can also be impacted because of external factors affecting the entity’s
business risk. Changes in economic conditions that create pressure on the entity’s business
and consequent uncertainty in relation to cash flows and working capital could, for example,
increase the risk of misstatement in order to maintain compliance with debt covenant ratios.
Similarly, the nature of the entity’s business itself may have inherent business risks that affect
inherent risk. An entity that operates in an industry that is subject to rapid technological
change, for example, faces a higher level of inherent risk in relation to inventory obsolescence.
Factors within the entity can also impact inherent risk. For example, an entity whose business
operations are highly IT dependent has a higher level of inherent risk than an entity that relies
on IT only for its financial accounting functions.

The greater the level of inherent risk due to complexity, subjectivity, change or uncertainty,
the greater is the susceptibility to misstatement. This is exacerbated by any management bias.
The auditor needs, in such circumstances, to apply professional skepticism. Management bias
may arise, either intentionally or unintentionally where significant management judgement
is involved, for example in making accounting estimates or forming conclusions about
methodology, data and assumptions.

Depending on the degree to which inherent risk factors affect the susceptibility of
misstatement of an assertion, the level of inherent risk varies on a scale referred to as the
spectrum of inherent risk, and can be measured in quantitative or qualitative terms.

The following inherent risk factors are taken from Appendix 2 to HKSA 315 (Revised 2019)
which contains detailed guidance on understanding inherent risk factors in the following
categories:

• Complexity, for example a business model that includes joint ventures

• Subjectivity, for example where the applicable financial reporting framework allows a
range of possible measurement criteria such as depreciation

• Change, for example operations exposed to volatile markets such as futures trading

• Uncertainty, for example pending litigation and contingent liabilities

• Management bias or other fraud risk factors for example a significant amount of
non-routine transactions such as intercompany transactions at year end.

Control risk (CR) is defined in the auditing standards as the risk that a misstatement that
could occur in an assertion about a class of transactions, account balance, or disclosure, and
that could be material, either individually or when aggregated with other misstatements, will
not be prevented, detected, or corrected on a timely basis by the entity’s internal control.

This is a function of the design, implementation, maintenance, and monitoring of
internal control by management to address risks that threaten the achievement of the
entity’s objectives relevant to preparation of the entity’s financial statements. This recognises
the possibility that errors in recording may occur and not be detected during the normal
accounting process or that some assertions may be subject to a higher risk because of
weaknesses in control. For example, poor credit controls may result in some accounts
receivables not being collectible.

Control risk can vary between classes of transactions. For example, controls over routine
transactions such as the recording of sales may be strong, but controls over non-routine transactions such
as foreign currency transactions may be weaker. There will always be some internal control risk
because of the inherent limitations of internal control systems.

The Canadian Institute of Chartered Accountants’ (CICA) Research Study, ‘Extent of Audit
Testing’, identified four major factors affecting the level of control risk, which are as follows:

1. Evaluation of internal control. In general, the stronger the internal controls, the lower
the risk. After the assessment of control risk, auditors should carry out a test of control
to obtain reasonable assurance that the internal control on which they intend to rely is
operating effectively during the reporting period.

2. Work performed by internal and other auditors. If the audit client has an internal audit
function and the auditors decide to rely on work performed by the internal auditors
after the assessment, the control risk can be adjusted downwards. In addition, if the
auditor can rely on the work performed by another independent auditor in the case of
subsidiaries or branches, the control risk can also be lowered.

3. The nature of the audit trail. As defined by CICA, audit trail refers to the documentary
evidence either of compliance with internal control procedures or of the transfer of
accounting information from its point of origin through intermediate records to its final
inclusion in the general ledger. Lack of an audit trail suggests a high control risk.

4. Computerised accounting system. The existence of such a system and the use of the
computer as an audit tool will affect the assessment of control risk made by the auditor.

The combined risk of IR and CR is that a material misstatement has occurred and remains
undetected in the accounting records prior to the audit. These risks are the client’s risks and
exist independently of the audit of the financial statements, and, as such, cannot be changed
by the auditor. The auditor must make a preliminary assessment of these risks during
the planning stage of the audit based on the auditor’s understanding of those risks. That
assessment will then be reflected in the nature, timing, and extent of the audit procedures
detailed in the audit plan, which is the element of the model that the auditor does control, and
a final assessment will be determined as a result of the tests of control undertaken during the
audit process.

Paragraph A40 of HKSA 200 notes that the auditing standards do not ordinarily refer
to inherent risk and control risk separately, but rather to a combined risk of material
misstatement. However, the elements need to be assessed separately at the assertion level to
provide a basis for designing further audit procedures as part of the
audit plan.

5.5.2 Detection Risk


The third element of the audit risk approach is detection risk. This is defined in HKSA 200,
paragraph 13, as:

. . . the risk that the procedures performed by the auditor to reduce audit risk to an acceptably low
level will not detect a misstatement that exists and that could be material, either individually or
when aggregated with other misstatements.

At the planning stage detection risk is determined for each significant assertion and
would be revised during the audit if evidence indicates that the initial inherent and control
risks change.

Detection risk can arise from either:

• Sampling risk where the sample may not be representative of the population and
therefore any conclusion would be different had the entire population been subject
to the audit procedure. This risk can be reduced by increasing the sample size or
stratifying the population into sub-populations of items with a particular characteristic.
This should be addressed while developing the audit plan when considering IR and CR.

• Non-sampling risk is an incorrect conclusion due to the application of inappropriate
or ineffective audit procedures, not applying the procedures correctly, or drawing
incorrect conclusions.

Detection risk relates to the inability of the auditors to examine all evidence. Audit evidence
is usually persuasive rather than conclusive, so some detection risk is usually present, allowing
the auditors only to seek ‘reasonable assurance’, not absolute assurance.

Detection risk can be controlled by the auditor through adequate planning, the selection
of an appropriate engagement team, and the nature, timing, and extent of audit procedures
selected when developing the audit plan. Throughout the audit process, detection risk is
evaluated on an ongoing basis, through the supervision and review process and the application
of professional skepticism, to ensure that the procedures are effectively applied, and
appropriate conclusions are being drawn.

In summary, the greater the risk of material misstatement (because of a high IR and/or CR),
the more detection risk must be set at a lower level. This will need to be reflected in the nature,
timing, and extent of the audit procedures in the audit plan.

HKSA 315 (Revised 2019), paragraph 13, requires that the risk assessment procedures be
designed and performed in a manner that is not biased towards obtaining audit evidence that
may be corroborative or towards excluding evidence that may be contradictory.

The following are examples of a non-quantitative application of the audit risk model. Let us
assume that:

AR = IR (High) × CR (High) × DR (Low)

There is an inverse relationship between the risk of material misstatement (IR and CR) and
detection risk. In the example, the risk of material misstatement is high:

• The auditor has made a preliminary assessment that the client’s system of internal control
is weak in relation to the transactions and account balance assertion being addressed.

• The nature of the transaction is inherently difficult or there is some motivation to
misstate the account balance.

Accordingly, detection risk needs to be kept low to reduce audit risk. The auditor will have
to plan to apply more substantive procedures to directly test the account balance. Testing the
operation of internal controls where those controls are weak would not provide the auditor
with any reliable evidence.

Assume now that the assessments were as follows:

AR = IR (Low) × CR (Low) × DR (High)

In this case, as the risk of material misstatement is low and as the input into the relevant
account balance is assessed as reliable, a higher detection risk can be accepted while keeping
audit risk at an acceptable level. The audit plan would focus on testing the control system and
only a minimal amount of work directly on the account balance. If, however, subsequent testing
of the internal control system found that it was not working as initially assessed, the CR would
need to be adjusted and the audit plan amended accordingly.

Some other potential relationships could include:

AR = IR (Medium) × CR (High) × DR (Low)

AR = IR (Low) × CR (Medium) × DR (High)

The judgements made at the planning stage are based on the auditor’s understanding of
the client’s business and its environment and need to be documented.
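A quantitative reading of the four combinations above, as an added example that is not part of the learning pack. The percentage equivalents for Low, Medium and High, the 5% target audit risk and the cut-offs used to describe detection risk in words are all assumptions made for illustration; the auditing standards do not prescribe them.

```python
"""Quantitative application of the audit risk model AR = IR x CR x DR.

Added illustration. Every number below is an assumed value chosen for the
example, not a figure taken from the auditing standards.
"""

# Assumed numeric equivalents for qualitative IR and CR assessments.
RISK_LEVELS = {"Low": 0.30, "Medium": 0.60, "High": 1.00}

# Assumed upper bounds for describing a computed detection risk in words.
DR_BANDS = ((0.10, "Low"), (0.25, "Medium"), (1.00, "High"))


def planned_detection_risk(target_ar, inherent, control):
    """Solve AR = IR x CR x DR for DR, given qualitative IR and CR levels."""
    if not 0 < target_ar < 1:
        raise ValueError("target audit risk must be between 0 and 1")
    # IR x CR is the risk of material misstatement, which the auditor cannot change.
    rmm = RISK_LEVELS[inherent] * RISK_LEVELS[control]
    # DR is a probability, so cap it at 1 when RMM alone is below the target.
    return min(1.0, target_ar / rmm)


def describe(detection_risk):
    """Translate a computed detection risk back into Low / Medium / High."""
    for upper_bound, label in DR_BANDS:
        if detection_risk <= upper_bound:
            return label
    raise ValueError("detection risk must not exceed 1")


def achieved_audit_risk(inherent, control, detection_risk):
    """Audit risk that results from a given detection risk."""
    return RISK_LEVELS[inherent] * RISK_LEVELS[control] * detection_risk


def revise_for_control_risk(target_ar, inherent, planned_control, revised_control):
    """Effect of tests of controls changing the preliminary CR assessment."""
    planned_dr = planned_detection_risk(target_ar, inherent, planned_control)
    return {
        "planned_dr": planned_dr,
        # Audit risk actually carried if the original plan is left unchanged.
        "audit_risk_if_plan_unchanged": achieved_audit_risk(
            inherent, revised_control, planned_dr
        ),
        # Detection risk the amended plan has to achieve instead.
        "revised_dr": planned_detection_risk(target_ar, inherent, revised_control),
    }


if __name__ == "__main__":
    TARGET_AR = 0.05  # assumed acceptable audit risk

    # The four IR / CR combinations discussed in the text.
    for ir, cr in [("High", "High"), ("Low", "Low"),
                   ("Medium", "High"), ("Low", "Medium")]:
        dr = planned_detection_risk(TARGET_AR, ir, cr)
        print(f"IR {ir:<6} CR {cr:<6} -> DR {dr:.1%} ({describe(dr)})")

    # Controls assessed as Low risk at planning turn out not to be working.
    result = revise_for_control_risk(TARGET_AR, "Low", "Low", "High")
    print(f"Planned DR {result['planned_dr']:.1%}, "
          f"audit risk if plan unchanged "
          f"{result['audit_risk_if_plan_unchanged']:.1%}, "
          f"revised DR {result['revised_dr']:.1%}")
```

With these assumed values, leaving the plan unchanged after control risk is revised from Low to High would carry audit risk of about 16.7% against the 5% target, which is why the plan has to be amended to achieve a lower detection risk.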

Exhibit 5.3 illustrates the elements of audit risk described in this section.

Audit risk

• Risks of material misstatement: at financial statement level and at assertion level; inherent
risks and control risks. Auditors perform risk assessment procedures to understand the entity
and its environment and then assess the risks.

• Detection risks: Auditors perform procedures in response to assessed risks to reduce audit
risks to an acceptably low level.

EXHIBIT 5.3 Audit risk

The relationship between the components of audit risk is further elaborated in Exhibit 5.4.
It illustrates that the overall level of inherent risk of potential material misstatements is
mitigated through the entity’s internal control to prevent such misstatements, which is assessed
and tested by the auditor as to its effectiveness. The auditor then applies audit procedures to
accounts balances and classes of transactions to also detect material misstatements. Audit risk
is the residual to the extent that the internal control system and audit procedures fail to detect
material misstatements and that the risk of expressing an inappropriate opinion is to be kept to
an acceptably low level.

Auditor’s assessment of potential risks

• Inherent risk: misstatements due to the nature of client’s business

• Control risk: control effectiveness; misstatements not detected by internal control

• Detection risk: audit procedures

• Audit risk: remaining misstatements not detected by the auditor

EXHIBIT 5.4 Audit risk as a residual

Apply and Analyse 4


Your discussions with management and your engagement team have revealed that the
risk of material misstatement in HWA’s financial statements has increased from prior years
due to a change in industry market conditions. Management has put in place a strategy to
deal with declining profits by creating a new division and expanding into a new market in
which they have no previous experience. To accommodate this there have been changes to
the system of internal control. Your preliminary analytical review also indicates that there
are potential risks of misstatement in the financial statements, particularly in the areas of
inventory, revenue, costs of the new division, foreign exchange fluctuations, and issues
arising from increased debt levels.

Based on the information obtained from management and the results of the
preliminary analytical procedures in relation to HWA Ltd, explain how you would reflect
this in the audit risk model.


Analysis

Due to the changes in the market for its established products and its moving into a new
market in which it has no experience, and some anomalies in the ratios, an assessment
of IR as high on the spectrum would appear warranted. There are several financial report
assertions that have been impacted by the change in circumstances.

Control risk would seem to warrant a medium risk classification. While no issues were
found in prior periods, the introduction of the new division would require changes to the
accounting and internal control systems that will need to be evaluated and, depending on
that evaluation, tested as to their effectiveness. This will need to be reflected in the audit
strategy and subsequently in the detailed procedures in the audit plan.

Based on these variables, DR would need to be classified as low to keep AR to an
acceptably low level.

AR = IR (High) × CR (Medium) × DR (Low)

In terms of the audit strategy, this suggests greater reliance on substantive tests of the
details of account balances, classes of transactions, and analytical procedures to obtain
sufficient appropriate audit evidence on which to base the audit opinion.

HKSA 200 indicates that reducing detection risk requires that the audit be well planned,
appropriate personnel be assigned to the engagement team and be properly supervised
and work reviewed, professional skepticism be applied, the nature, timing, and extent
of audit procedures be appropriate to the circumstances, and that they be effectively
performed and the results evaluated.

In the context of HWA, therefore, this suggests more extensive substantive tests of the
details of account balances and classes of transactions than in prior years, and that the
less experienced staff be closely supervised, and their work regularly reviewed.

Knowledge Check Questions

Question 12
Your client manufactures computer and photocopier printer cartridges and has a growing
problem of theft. Identify which of the following is the key audit risk that should be
addressed at the year-end.
A Recording of inventory purchases and sales
B Inventory existence
C Legal rights in relation to inventory
D Inventory valuation


Question 13
An auditor wishes to maintain audit risk at the level determined during the planning phase.
However, audit testing reveals that the initial level of control risk needs to be increased.
Identify what the auditor would need to do.
A Increase the tests of controls
B Increase inherent risk
C Decrease substantive testing
D Decrease detection risk.

Question 14
Explain what detection risk is and why it cannot be reduced to zero.

Question 15
Identify which of the following will increase inherent risk.
A There is evidence of incorrect reconciliations in the debtor’s statements.
B An entity has a new technological product and entered a volatile market in which it has
not previously operated.
C An entity operates in a stable and developed market.
D The entity’s management is renowned for its integrity.

5.6 RISK ASSESSMENT PROCEDURES AND RELATED ACTIVITIES

As indicated above, the planning process under the auditing standards requires the auditor to
obtain an understanding of the client, its business, and the environment in which it operates.
This provides a basis for the identification and assessment of the risk of material misstatement
at the overall financial statement and assertion levels. This section deals in more depth with
various aspects of the risk assessment process.

5.6.1 Understanding the Entity and its Environment


Discussions with management and other entity personnel involved in the financial statement
preparation process, observation and inspection, and preliminary analytical procedures
provide the basis for the risk assessment. This is supplemented by information obtained
during the acceptance or continuance process and the auditor’s previous experience with the
client from prior audits or the provision of other services. The audit partner also discusses the
susceptibility of the client’s financial statements having material misstatements with the senior
engagement team members.

Furthermore, as indicated in Section 5.3, HKSA 315 (Revised 2019) requires that the
auditor obtain an understanding of the entity and its environment, which was addressed
extensively in that section and can be summarized as:

• Relevant industry, regulatory, other external factors, and the applicable financial
reporting framework, for example supplier and customer relationships, technological
developments, and seasonal activity.

• The entity organization structure, operations, and ownership and governance
structures, types of investments, and financing arrangements.

• The basis for the entity’s selection and application of accounting policies and the
rationale for any changes.

• The entity’s objectives and business model and strategies and plans to achieve those
objectives. Business risks that might result in this regard may ultimately have financial
consequences and create risks of material misstatement; for example, the risks
associated with new products or services.

The auditor then uses this understanding in assessing how inherent risk factors affect the
potential misstatement of financial statement assertions.

This process also involves an initial assessment of the client’s system of internal control
relevant to financial reporting, and whether the entity has a process for identifying, assessing,
and dealing with business risks relevant to financial reporting. In combination with the
procedures identified in Sections 5.1 to 5.4 of this chapter, these are also elements included in
understanding the entity and its environment and the risk assessment process.

HKSA 315 (Revised 2019), paragraph 13, requires the auditor to evaluate the risk of
material misstatement, whether due to fraud or error, at both the financial statement level and
individual account balance assertion level. Risks of material misstatement at the financial
statement level are risks that are pervasive to the financial statements as a whole and could
impact a number of financial statement assertions. For example, circumstances conducive to
management override of internal control or the lack of competent management would increase
the risk of material misstatement at the assertion level generally, but not initially be identifiable
with a specific financial statement assertion. They may be extremely relevant to analysis of the
risks of material misstatement due to fraud.

HKSA 315 (Revised 2019), paragraph 13, requires the auditor to identify the risks of
material misstatement at the assertion level for classes of transactions, account balances, and
disclosures. This provides a more detailed framework for developing specific audit objectives
for material account balances and disclosures. These assertions fall into the following
categories:

1. Assertions about classes of transactions and events for the period under audit:

a. Occurrence – recorded transactions have occurred and relate to the entity.

b. Completeness – all transactions and events that should have been recorded
have been.

c. Accuracy – amounts and other data have been recorded correctly.


d. Cut-off – transactions and events have been recorded in the correct
accounting period.

e. Classification – transactions and events have been recorded in the correct accounts.

2. Period end account balance assertions:

a. Existence – assets, liabilities, and equity interests exist.

b. Rights and obligations – assets represent rights controlled and liabilities are
obligations of the entity.

c. Completeness – all assets, liabilities, and equity interests that should have been
recorded have been.

d. Valuation and allocation – account balances are recorded at the appropriate
amounts and valuations or allocation adjustments recorded.

3. Presentation and disclosure assertions, which cover occurrence and rights and
obligations, completeness, classification and understandability, and accuracy and
valuation.

For example, the following identifies the financial report assertions and audit
objectives for accounts receivable:

1. Existence – the accounts receivable included in the financial statements exist.

2. Rights and obligations – the entity has a legal entitlement/control of the right to the
receivable.

3. Completeness – the amount recorded includes all receivables of the entity.

4. Valuation and allocation – the accounts receivable are correctly recorded, bad debts
are written off, and the provision for doubtful debts is appropriate.

Consideration of the risks of material misstatement in this way provides information and
a framework for developing the audit strategy and plan specific to the issues relevant to the
entity’s financial statements. HKSA 315 (Revised 2019), in paragraphs 31 and 32, requires
that the auditor, when assessing inherent risk in relation to the susceptibility of assertions to
misstatement, determine whether any of the risks are significant.

In addition to providing input for developing the audit strategy and audit plan, part of the
risk assessment process is for the auditor to make a judgement as to whether any of the risks
identified are significant. This judgement is made without consideration of identified internal
controls related to the risk.

HKSA 315 (Revised 2019), paragraph 12, defines a significant risk as:

. . . an identified and assessed risk of material misstatement that, in the auditor’s judgement,
requires special consideration.

(i) For which the assessment of inherent risk is close to the upper end of the spectrum of
inherent risk due to the degree to which inherent risk factors affect the combination
of the likelihood of a misstatement occurring and the magnitude of the potential
misstatement should that misstatement occur; or

(ii) That is to be treated as a significant risk in accordance with the requirements of
other HKSAs.


Consideration needs to be given as to whether the risk:

• Is a risk of fraud.

• Relates to recent significant economic, accounting, or other external developments.

• Reflects the complexity of transactions.

• Involves significant transactions with related parties.

• Reflects the degree of subjectivity in the measurement of financial information and
measurement uncertainty.

• Relates to significant transactions that are outside the normal course of business or
are unusual.

This category of risks often relates to non-routine transactions or events that occur
periodically rather than recurring transactions; for example, dealing with a lawsuit or the
calculation of depreciation, or matters that require significant judgement, such as accounting
estimates, for example management estimates of doubtful debts.

If risks are identified, the auditor must obtain an understanding of the controls relevant to
that risk.

HKSA 315 (Revised 2019) para.22(a)(ii) requires that the auditor’s understanding of the
entity’s risk assessment process include how the entity assesses the significance of risks and
the likelihood of their occurrence to the preparation of the financial statements.

While it is the case that non-routine and judgemental matters are less likely to be subject
to the routine internal control system, the auditor needs to consider whether management
has implemented controls for these transactions and events, such as the referral of matters to
appropriate experts or the review of assumptions by senior management or experts.

In addition to the documentation requirements identified under the planning process,
HKSA 315 (Revised 2019) requires that the audit workpapers document:

• The discussion with the engagement team and the significant decisions reached.

• The major matters identified from the gaining of an understanding of the client’s
industry, regulatory environment, operations, ownership structure, governance,
business model, financial performance measures, financing, accounting policies, and
business risks, and the sources of that information.

• The understanding of the control environment, the entity’s risk assessment process,
its process for monitoring the system of internal control and its information and
communication processes.

• Risk assessment procedures performed.

• The identified risks of material misstatement at both the financial statement and
assertion levels.

• The significant risks identified and the understanding of relevant controls.

• The risks for which substantive procedures alone will not provide sufficient appropriate
audit evidence.

• The rationale for significant judgements.


Apply and Analyse 5


Based on the changed circumstances faced by HWA Ltd noted in Section 5.3, identify the
risk of material misstatement in relation to the financial report assertions associated with
inventory.

Analysis

In relation to the inventory for existing products, the usual assertions in relation to the
existence of the inventory, rights and obligations, and completeness would not seem to
be affected from prior periods. However, the valuation and allocation assertion would be
subject to a greater risk of material misstatement due to the inventory being slow moving
and of greater risk of obsolescence given the nature of the products. This would require
more extensive audit procedures on the identification of inventory items and the valuation
policies applied by the entity.

In relation to the new inventory that will be introduced during the financial reporting
period under audit, the risk of material misstatement exists at a high level for all the
financial report assertions at the account balance level. As the inventory involves new
items, the existence assertion is subject to greater risk in the sense of the auditor being
satisfied that what is recorded in the financial statements is represented and identified as
physically on hand. As the inventory is to be imported, the completeness assertion is subject
to the risk that there may be items in transit or stored at another location, but which
should be recorded in the inventory. This also incorporates the rights and obligations
assertion, which faces a greater risk of material misstatement on the basis of when the
entity has the legal right to control of inventory in transit. The valuation and allocation
assertion is at a greater risk of material misstatement given that the products are new to
the entity’s business and subject to transit costs, etc., that will need to be addressed as
part of the inventory valuation process, and consideration as to whether the sales of the
new products are at levels to ensure that HWA Ltd is not left with inventory that becomes
obsolete or slow moving and that might warrant valuation adjustments.

5.6.2 Internal Control and Control Environment


HKSA 315 (Revised 2019), in paragraphs 21–26, requires the auditor to obtain an understanding
of the components of the entity’s system of internal control relevant to the preparation of the
financial statements.

A client’s internal control system is a fundamental component of a client’s governance and
risk management function. The quality of internal control affects the reliability of financial data
as well as the ability of the client to manage operational and business risk situations.


The system of internal control has been defined earlier and the following components
identified in Sections 5.4 and 5.5:

• The control environment

• The risk assessment process

• The monitoring process

• The information system including the related business processes relevant to financial
reporting and communication

• The control activities

The following elaborates on each of these components based on the application
paragraphs identified in Section 5.6. They are indicative of matters the auditor would consider
in applying risk assessment procedures to understand the system of internal control at the
planning stage of the audit to support the preparation of the detailed audit plan. The extent
to which the matters raised are relevant in an audit depends on the size and complexity of the
entity being audited.

5.6.2.1 Control Environment


The control environment represents the foundation for other elements of the internal control
system. It includes management oversight processes and the attitude and culture established
by management, as well as their commitment to support a strong control culture. Obtaining
an understanding of the control environment would include, for example, considering
communication and enforcement, commitment to competence relevant to the tasks assigned,
management’s operating style, and human resource policies and practices. These components
are summarised in the following paragraphs and are indicative of the issues that would be of
interest to an auditor in understanding the control environment.

The effectiveness of internal control policies and procedures is strongly linked to the
integrity and ethical values of the personnel who create, administer, and monitor them.
Those values derive from an entity’s ethical and behavioural standards and how they are
communicated and reinforced. They include management’s actions to remove or mitigate
incentives to become involved in dishonest, illegal, or unethical activities.

The control environment is also affected by management’s commitment to ensuring that
individuals have the competence, knowledge, and skills to undertake their individual tasks.

Participation of management in the oversight of policy development and effective operation
of procedures influences control consciousness within the entity, including the process
for reviewing the effectiveness of internal control. This could also include whistleblower
procedures and at the corporate level the establishment of an audit committee.

Management’s philosophy and operating style. This involves management’s approach to
achieving entity objectives and how their activities are perceived within the entity. For example,
management’s attitude and how it deals with financial reporting and the conservative or
aggressive selection of accounting policies and preparation of accounting estimates, as well as
management’s attitude to following up identified problems.

An organizational structure that has appropriate lines of responsibility, authority, and
communication consistent with the entity’s size and the nature of operations is essential
to effective control. This variable is important in controlling risk, for example the degree to
which individuals within the entity can commit the entity to transactions such as approving
expenditure and how the risk of transactions and events that are inconsistent with the entity’s
objectives can be reduced. This element also relates to the assignment of authority and
responsibility and policies relating to appropriate business practices and communicating to
facilitate personnel understanding of the entity’s objectives and matters to which individuals
will be held accountable.

Human resource policies and practices relating to recruiting, training, promotion, and
compensation demonstrate an entity’s commitment to competence and personnel that are
expected to meet their responsibilities and facilitate the control processes within the entity.

An internal control function provides management with a control function to evaluate the
effectiveness of other controls and risk management processes.

Evidence for understanding this component is usually obtained through a combination
of inquiries and other risk assessment procedures such as observation and inspection
of documents. The understanding of the extent to which management demonstrates its
commitment to integrity and ethical issues can be obtained from inquiries of management and
employees, communication processes and inspecting written codes of conduct and observation
of management and employee activities. The extent to which considerations about the control
environment are relevant depends on the complexity of governance, for example in an
owner-manager situation not all considerations would be applicable.

5.6.2.2 Risk Assessment Process


This involves understanding how management establishes what are the business risks
relevant to financial reporting to be managed, evaluating their significance, and deciding
how to address the risks. It covers the plans, programmes, or actions that management
has in place or may take to identify, for example, changes in the operating environment,
rapid growth, changes in technology, expanded foreign operations, and new accounting and
regulatory requirements.

This involves the auditor considering for example the precision and clarity with which
management has specified the entity’s objectives to enable the assessment of the risks arising
from those objectives, how management analyses the risks to determine how to manage them
and consider the potential for fraud. This assists the auditor in understanding where the entity
has identified risks that may occur and responded to those risks and therefore whether the
risks are being identified, assessed and addressed appropriately.

The auditor needs to understand the basis upon which management determine the risks to
be managed that arise from both internal and external transactions or circumstances and how
they assess the potential impact for financial reporting purposes. Risks can arise or change for
example due to changes in the regulatory or economic environment that change competitive
pressures and generate different risks.

In the context of financial reporting, the auditor’s understanding is directed at the entity’s
risk assessment process to address risks relevant to the preparation of the financial statements
in accordance with the applicable financial reporting framework and how they are addressed.
For example, how the entity deals with the possibility of unrecorded transactions and identifies
significant estimates to be included in the financial statements.


5.6.2.3 Monitoring of controls


The auditor needs to understand the entity’s process to monitor the system of internal
control. The focus is on how the entity oversees the design and operation of controls and
corrects any deficiencies. Management is responsible for establishing and maintaining
internal control on an ongoing basis. It is their responsibility to establish procedures to
monitor the effectiveness of the control procedures and rectify any deficiencies. This can
be done through reviews of system operations and checking that procedures and policies
are being applied. Monitoring may occur on an ongoing or periodic basis through separate
evaluations with the auditor considering the frequency and timeliness of monitoring and how
identified deficiencies are addressed.

A monitoring activity is different from a control in the information system that is in place to
deal with a specific risk to detect and correct errors. A monitoring activity would assess whether
controls are operating as intended and address why errors occur and the actions to fix the
process to prevent future errors.

The auditor needs to understand the sources and reliability of the information used by
management to monitor the system. Communications from external parties, for example, may
also provide information as to the operation of internal controls. Information from customers
or other parties dealing with an entity can indicate areas where controls are ineffective. For
example, complaints from debtors that their accounts are incorrect may indicate that the
controls over sales and/or accounts receivable are ineffective. Management needs to monitor
their business activities and be aware of any such issues and address the cause.

If the entity has an internal audit function, that function’s role also needs to be addressed.
Appendix 4 to HKSA 315 (Revised 2019) contains guidance on understanding an entity’s
internal audit function. In summary, the role of internal audit varies between entities depending
on the size, complexity and structure of the entity and the requirements of management. If
the responsibilities of internal audit include providing assurance to management about the
design and effectiveness of risk management, the system of internal control and governance
processes, it can play an important role in the monitoring process. Inquiries of appropriate
individuals within the function may provide the auditor with useful information about
aspects of the entity and its environment and system of internal control and the risks of
material misstatement. The work of internal audit may have identified business risks, control
deficiencies and other matters that assist the auditor’s understanding. These inquiries are
made irrespective of whether the auditor expects to use the work of internal audit. If the
auditor’s inquiries indicate internal audit findings that are relevant to the financial reporting
process, the auditor would read the relevant internal audit reports and consider
how management has responded to the findings and recommendations, and whether they
have been implemented and subsequently evaluated by internal audit.

Not only does understanding the role of internal audit assist the auditor in understanding
the control environment, it also provides input into the decision as to whether to use the work
of internal audit to modify the nature, timing and extent of procedures undertaken directly by
the auditor.

The auditor needs to understand and assess the effectiveness of internal controls to
be able to determine the extent to which errors or irregularities may go undetected within
the accounting process and recording system, and ultimately the potential for material
misstatement in the financial statements. To that end, understanding the entity’s monitoring
process assists in understanding other components of the system of internal control and the
risks of material misstatement at the financial statement and assertion levels.

The auditor’s understanding of internal control and the assessment of its potential to
prevent and detect the risk of material misstatement is part of the information used to develop
the audit strategy and plan. As indicated earlier in this chapter, the determination of the
nature, timing and extent of audit procedures to test the effectiveness of internal control and
substantive testing of transactions and account balances is based on that understanding.

5.6.2.4 The information processing system including the related business processes
relevant to financial reporting and communication

The information system needs to be understood to the extent that it relates to the preparation
of financial statements. It consists of activities, policies and accounting and supporting records
used to initiate, record or support transactions, and controls designed to resolve incorrect
processing and document system overrides.

This understanding includes the use of information technology and the recording of
unusual transactions. A major focus here is on the controls over the maintenance of the
general ledger and preparation of journal entries (in electronic or manual form).

This component also involves the processes by which client personnel are made aware of
and understand their role within the financial reporting process, and how they communicate
within the entity on matters such as exceptions. It includes policy manuals supporting these
activities.

Where extensive use of IT is a feature of the information system, the control environment
extends to ensuring that policy manuals and related documentation establish appropriate
controls to ensure that all transactions are captured on a timely basis and processed
appropriately. This includes controls that maintain the quality of system-generated information
that is used by management to make decisions about the entity’s operations and preparation
of the financial statements.

The auditor is required to understand this component because understanding the policies
relating to the flow of transactions and the entity’s information processing relevant to the
preparation of the financial statements provides input as to whether the auditor’s assessment
of risks at the assertion level is supported. It may also identify risks of material misstatement
at the financial statement level that are inconsistent with expectations about the system
of internal control based on information obtained during the engagement acceptance or
continuance process.

The auditor’s understanding at this level may confirm or further impact the auditor’s
expectations about significant classes of transactions, account balances and disclosures
identified during the process of understanding the entity and its environment. This
understanding also provides information that the auditor uses to identify the controls in the
control activities component that need to be focused upon.

In understanding this component, the auditor should also recognize that the entity’s
application of internal control in relation to the entity’s operations and compliance objectives
may have aspects that impact financial reporting, and these integrated policies and systems
need to be considered. Similarly, the auditor needs to understand the entity’s business
processes because these result in transactions that are recorded, processed and reported by
the information system, for example the sale and distribution of products and compliance with
laws and regulations.

Another important area that the auditor should consider in understanding this component
is the resources available to support the information processing activities such as the
competence of the personnel undertaking the work, whether there are adequate resources and
appropriate segregation of duties.

5.6.2.5 Control Activities


These are the specific control activities that are designed to ensure the proper application
of policies in all other components of the system of internal control and are focused on
information processing controls. Understanding the entity’s policies for its information
processing and identification of related control activities influences the identification of the
risks of material misstatement at the assertion level. These are the control processes that
the auditor judges to be relevant to assess the risk of material misstatement at the assertion
level and require further audit procedures to respond to those risks. They are the policies and
procedures to help ensure that management directives are carried out. Whether within an IT
or manual system, the activities generally include authorisation and approval, reconciliations,
review, processing, verification, physical and logical controls, and segregation of duties.

This component includes controls that are expected to be identified in all audits; that is,
controls over journal entries being the mechanism by which transactions are processed into
the general ledger.

In addition to routine control activities, this component can include management controls
to address material misstatements that may arise relating to disclosures required under the
reporting framework, including information that is obtained outside the general and subsidiary
ledgers. They also include controls that address significant risks, and over journal entries for
non-routine, unusual transactions or adjustments.

These controls are those that the auditor when planning the audit identifies for testing for
operating effectiveness and for determining the basis for substantive testing, including controls
where the auditor’s assessment of inherent risk at the assertion level has identified significant
risks. For example, where there are large volumes of homogenous transactions the auditor
may plan to test the operating effectiveness of controls over those transactions as an efficient
and effective way to obtain evidence as to the completeness and accuracy of the information.

Irrespective of whether the auditor intends to test the operating effectiveness of controls
that address significant risks, the understanding obtained by the auditor about management’s
approach assists the auditor in determining how to approach those risks. Non-routine
matters are less likely to be subject to routine controls, but understanding this
may lead to understanding that risks in such matters are addressed by management through
other procedures, for example documenting processes for accounting estimates and the review
of assumptions by management or experts.

Where systems are IT-based, these controls comprise both general and application
controls. General controls affect the overall information system and the effective operation
of the application controls; for example, data centre controls, software acquisition and
change, programme change, and access security. Application controls cover the processing
of transactions within a specific accounting area to ensure that accounting data are
completely and accurately processed; for example, payroll preparation and sales invoicing.
Controls include edit checks of input data and exception reports. HKSA 315 (Revised 2019), in
paragraphs 26(b) and (c), requires the auditor to understand the risks associated with using IT,
and the general IT controls to address those risks.
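
The following Python example is added here as an illustration and is not part of the original text or of HKSA 315. It shows how an application control over sales invoicing might combine edit checks of input data with an exception report, with each check labelled by the transaction assertion or control activity it supports. The customer master file, the accounting period, the sample invoices and all function names are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from decimal import Decimal

# Constructed master data (assumption): customer id -> approved credit limit.
CUSTOMERS = {"C001": Decimal("50000"), "C002": Decimal("10000")}
# Constructed accounting period under audit (assumption).
PERIOD_START, PERIOD_END = date(2021, 1, 1), date(2021, 12, 31)


@dataclass(frozen=True)
class Invoice:
    number: int
    customer: str
    invoice_date: date
    quantity: int
    unit_price: Decimal
    amount: Decimal


def edit_checks(inv):
    """Run the input edit checks on one invoice; return (area, reason) pairs."""
    failures = []
    # Occurrence: the sale must relate to a customer on the master file.
    if inv.customer not in CUSTOMERS:
        failures.append(("occurrence", "customer not on master file"))
    # Authorisation: the invoice must not exceed the approved credit limit.
    elif inv.amount > CUSTOMERS[inv.customer]:
        failures.append(("authorisation", "amount exceeds credit limit"))
    # Accuracy: quantity and price must be positive and extend to the amount.
    if inv.quantity <= 0 or inv.unit_price <= 0:
        failures.append(("accuracy", "non-positive quantity or unit price"))
    elif inv.quantity * inv.unit_price != inv.amount:
        failures.append(("accuracy", "amount differs from quantity x unit price"))
    # Cut-off: the invoice date must fall inside the accounting period.
    if not (PERIOD_START <= inv.invoice_date <= PERIOD_END):
        failures.append(("cut-off", "invoice date outside accounting period"))
    return failures


def process_batch(batch):
    """Apply edit checks to a batch; return (accepted, exception_report).

    Failing invoices are held back from posting and listed on the exception
    report as (invoice_number, area, reason) for follow-up by a reviewer.
    """
    accepted, exceptions, seen = [], [], set()
    for inv in batch:
        failures = edit_checks(inv)
        # Occurrence: the same invoice number must not be processed twice.
        if inv.number in seen:
            failures.append(("occurrence", "duplicate invoice number"))
        seen.add(inv.number)
        if failures:
            exceptions.extend((inv.number, area, why) for area, why in failures)
        else:
            accepted.append(inv)
    # Completeness: pre-numbered invoices should form an unbroken sequence.
    if seen:
        expected = set(range(min(seen), max(seen) + 1))
        for missing in sorted(expected - seen):
            exceptions.append(
                (missing, "completeness", "gap in invoice number sequence"))
    return accepted, exceptions


# Constructed sample batch; invoice 1003 is deliberately absent.
SAMPLE_BATCH = [
    Invoice(1001, "C001", date(2021, 3, 15), 10, Decimal("120.00"), Decimal("1200.00")),
    Invoice(1002, "C002", date(2021, 3, 16), 5, Decimal("99.50"), Decimal("479.50")),
    Invoice(1004, "C009", date(2021, 3, 17), 1, Decimal("300.00"), Decimal("300.00")),
    Invoice(1005, "C002", date(2022, 1, 2), 2, Decimal("250.00"), Decimal("500.00")),
    Invoice(1006, "C002", date(2021, 6, 1), 100, Decimal("150.00"), Decimal("15000.00")),
]

if __name__ == "__main__":
    posted, report = process_batch(SAMPLE_BATCH)
    print("Posted:", [inv.number for inv in posted])
    for number, area, why in report:
        print(f"Exception: invoice {number} [{area}] {why}")
```

An auditor testing the operating effectiveness of such a control would inspect the exception report and the evidence that each listed item was investigated and resolved before posting.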

HKSA 315 (Revised 2019), in Appendices 5 and 6, provides detailed guidance for
understanding IT and general IT controls, which are addressed in Chapter 13.

In summary, when planning the audit, and based on the auditor’s understanding of
the components of the system of internal control, the auditor plans to test the operating
effectiveness of controls that address the risks of material misstatement at the assertion level
where it is not possible to obtain sufficient appropriate audit evidence through substantive
procedures alone.

5.6.3 Impact of Fraud and Misstatement on Audit Planning Considerations

Integral to the process of understanding the entity and its environment to identify the risks
of material misstatement is the identification of significant risks. The auditor is required to
specifically consider whether there is a risk of fraud when making a judgement as to which risks
are significant. The considerations in Section 5.5.1 above in relation to significant risks also
apply here.

HKSA 240 The Auditor’s Responsibilities Relating to Fraud in an Audit of a Financial Statement
(June 2017), paragraph 16, states:

When performing risk assessment procedures and related activities to obtain an understanding
of the entity and its environment, the applicable reporting framework and the entity’s system of
internal control . . . the auditor needs to obtain information for use in understanding the risk of
material misstatement due to fraud.

HKSA 240.25 states that, in accordance with HKSA 315 (Revised 2019), the auditor shall
identify and assess the risk of material misstatement due to fraud at the financial statement
and assertion levels. HKSA 240.27 requires that assessed risks of material misstatement
of fraud be treated as significant risks and that the auditor evaluates the design and
implementation of controls that address such risks. While the responsibility for the prevention
and detection of fraud rests with management, HKSAs 240 and 315 (Revised 2019) require the
auditor to be proactive and specifically consider the risk of material misstatement due to fraud.

Fraud is defined in HKSA 240, paragraph 11, as:

. . . an intentional act by one or more individuals among management, those charged with
governance, employees, or third parties, involving the use of deception to obtain an unjust or illegal
advantage.

Fraud risk factors are conditions that suggest a motivation or pressure to perpetrate or
provide the opportunity to commit fraud.

While fraud as a legal concept is broad, the auditor’s concern is focused on fraud that
causes a material misstatement in the financial statements arising from either fraudulent
financial reporting or misappropriation of assets.


Fraudulent financial reporting involves deliberate misstatements to mislead financial
statement users. This may arise, for example, where management is under pressure to achieve
an earnings target or financial position or meet targets under a management compensation.
Actions could include:

• Manipulating, falsifying, or altering financial records or documents from which the
financial statements are prepared.

• Omitting transactions from the accounting records.

• Intentionally misapplying accounting policies.

Misappropriation of assets includes:

• Embezzling receipts.

• Stealing physical assets or intellectual property.

• Facilitating the entity to pay for goods and services not received.

• Using entity assets for personal use.

The auditor needs to distinguish between misstatements due to fraud and those due to
error. Error is the result of unintentional mistakes such as the misinterpretation of facts or
unintentional misapplication of accounting policies. Fraud by its nature is inherently more
difficult to detect as it generally involves schemes to conceal it, collusion, or override of the
internal control system. When aware of circumstances that might indicate misstatements due
to fraud or error, the auditor needs to maintain an attitude of professional skepticism when
evaluating the fraud risk factors, circumstances, and explanations provided as to the potential
for misstatement.

Appendix 1 to HKSA 240 contains an extensive listing of fraud risk factors relating to
misstatements arising from fraudulent financial reporting and misappropriation of assets.

The fraud risk assessment process involves:

• A discussion with the engagement partner and team as to the vulnerability of
the entity’s financial report to material misstatement due to fraud and how that
might occur based on their experience and knowledge of the client. For example,
circumstances that might be indicative of earnings management and how that might be
implemented, knowledge of any factors that may create pressure to commit fraud, or
unusual changes in management or employee behaviour.

• Enquiries of management as to their assessment of the controls in place to prevent
and detect fraud and how they respond to any instances of fraud, and whether there is
communication within the entity of appropriate management policies and conduct in
relation to fraud risk. Enquiries of management and internal audit as to whether they
have knowledge of any suspected or actual fraud having occurred within the entity.

• Evaluation of any unusual or unexpected relationships identified from the
preliminary analytical procedures or from other information obtained during the
planning process.

It is recognised that the risk of fraud is greater for some financial statement items than
others. HKSA 240 formalises this in relation to revenue recognition and requires a presumption
of fraud risk in relation to the financial statement assertions in this area. The auditor must
evaluate this risk specifically to determine whether the presumption is applicable in the
circumstances of the engagement. The auditor’s conclusion and reasons must be documented.

When planning the audit, fraud risk is a specific matter that must be considered in
applying the inherent and control risk elements of the audit risk model. If the assessed risk
of material misstatement due to fraud is identified as a significant risk, the auditor needs to
obtain an understanding of the internal controls relevant to address that risk. Effective control
reduces the inherent risk due to fraud; however, the nature of fraud makes it susceptible to
management override of controls and the assessment of control risk should be determined
accordingly.

HKSA 240 identifies examples of management override, which include:

• Recording fictitious journal entries, especially close to the end of the reporting period,
in order to manipulate results or achieve other objectives.

• Inappropriately adjusting assumptions and changing judgements used to estimate
account balances.

• Omitting, advancing, or delaying recognition in the financial statements of events and
transactions that have occurred during the reporting period.

• Concealing, or not disclosing, facts that could affect the amounts recorded in the financial
statements.

• Engaging in complex transactions that are structured to misrepresent the entity’s
financial position or performance.

• Altering records and terms related to significant and unusual transactions.

If fraud risk is determined to be significant, the audit plan needs to be modified accordingly
to include proactive substantive procedures to search for fraud.

HKSA 240 also requires the discussion among the engagement team members, in relation
to audit planning, to include specific emphasis on the risk of material misstatement due to
fraud and how fraud might occur. The discussion would address the audit team members’
views about the existence of incentives or pressures and opportunities to commit fraud, and
the attitude or ability to rationalise fraud. The discussion could include, for example, such
matters as:

• An exchange of ideas about how and where they believe the client’s financial
statements could be susceptible to material misstatement due to fraud and how
management could perpetrate and conceal fraudulent financial reporting. For example,
awareness of complex transactions and management discussions as to interpretations
of accounting standards that team members would see as potentially inappropriate
or concern that assumptions and judgements used in accounting estimates are
intentionally biased.

• How assets could be misappropriated due to the volume and nature of cash
transactions and handling or the type of inventory the entity holds that may be
susceptible to theft.

• Circumstances that might be indicative of earnings management, such as management
bonus schemes linked to the entity’s financial performance or individual’s private
wealth tied to the entity’s performance and survival, and the practices that
management might employ to achieve this.

• Known internal and external factors affecting the entity that could create an incentive
or pressure for management or others to commit fraud, provide the opportunity
for fraud to be perpetrated, and indicate a culture or environment that enables
management or others to rationalise committing fraud. For example, the entity may be
struggling to maintain its working capital to comply with debt covenants or the industry
has become more competitive and the entity is struggling to maintain its position within
the industry.

• Unusual or unexplained changes in the behaviour or lifestyle of management or others
that have come to the auditor’s attention.

• The types of circumstances that, if encountered, might indicate the possibility of fraud;
for example, significant related party transactions, high turnover of key accounting
department personnel, frequent changes in legal advisors.

The documentation of the understanding of the entity and its environment at the audit
planning and strategy development stages should include the significant decisions made during
the meeting of the engagement team in relation to fraud risk and the identified risks of material
misstatement due to fraud at both the financial statement and assertion levels. This should
include the identified controls in the control activity component of the system of internal
control. This should also include how that risk has been addressed in the audit plan.

Apply and Analyse 6


Based on the information provided about HWA, and as part of the audit planning process,
you and your audit manager are discussing the risk that the financial statements may be
misstated due to fraud. Explain what factors might be significant in this regard.

Analysis

While management has a sound reputation for integrity and there have been no audit issues
in prior periods, the change in circumstances and the fact that management’s remuneration
includes a generous share bonus scheme mean that there is an incentive for management to
manipulate the financial statement outcome in terms of maintaining the return on assets
ratio at the required level and to try to maintain the share price. This indicates that
management’s override of controls may be a risk factor that should be considered.

HKSA 240 requires several audit procedures to be applied during the audit that,
depending on the outcome, will indicate whether management override is a significant
risk and whether further audit procedures are warranted. The audit strategy and plan
should reflect an approach that ensures that these procedures are emphasised and the
appropriate level of professional skepticism applied. These include, for example, testing
the appropriateness of journal entries and adjustments made in the preparation of the
financial statements, the review of accounting estimates and the judgements and decisions
made by management, and the evaluation of unusual transactions outside the normal
course of the business.

Further, HKSA 240 requires that when identifying and assessing the risks of material
misstatement due to fraud there should be a presumption that there is a risk of fraud
in revenue recognition. Given the information available in relation to HWA Ltd, this
presumption should be reflected in the audit strategy.

5.6.4 Consideration of Laws and Regulations in an Audit of Financial Statements

When gaining an understanding of the entity and its environment for audit planning, specific
attention must also be given to the laws and regulations under which the entity operates. Laws
and regulations can directly affect the financial reporting framework governing the preparation
and presentation of the financial statements. They can also establish the fundamental structure
under which the client conducts its business. In heavily regulated industries such as the
finance and pharmaceutical industries, non-compliance with laws and regulations can result
in significant fines, litigation, and legal penalties that could affect the client’s business and
financial statements. Audit planning involves consideration of illegal acts that have a material
impact on the financial statements.

The auditor’s responsibilities are mandated in HKSA 250 Consideration of Laws and
Regulations in an Audit of Financial Statements Including Related Conforming Amendments to Other
Hong Kong Standards (June 2017).

The Standard (paragraph 12) defines non-compliance with laws and regulations as:

Acts of omission or commission, intentional or unintentional, committed by the entity, or by
those charged with governance, by management or by other individuals working for or under the
direction of the entity, which are contrary to the prevailing laws and regulations.

HKSA 250, paragraph 13, requires:

As part of obtaining an understanding of the entity and its environment . . . the auditor shall obtain
a general understanding of:

(a) The legal and regulatory framework applicable to the entity and the industry or
sector in which the entity operates; and

(b) How the entity is complying with that framework.

It is recognised, however, that some laws and regulations have a more direct effect on the
client’s financial statements than others, and the auditor’s responsibilities can be differentiated
accordingly.

For laws and regulations that directly affect the amounts or disclosures in the financial
statements, for example tax law, the audit plan should include detailed audit procedures to
obtain sufficient appropriate audit evidence to support the client’s compliance with those laws
and regulations.

For other laws and regulations that the entity must comply with to continue its business
and avoid material penalties that may ultimately affect the financial statements, the
auditor’s responsibility is limited. In this case, procedures would be directed at identifying
any non-compliance that may impact the financial statements and include inquiries of
management as to whether the entity complies with relevant laws and regulations and reviews
of correspondence with regulatory authorities.

HKSA 250, paragraph 17, requires the auditor to request a written representation from
management as to whether all relevant matters have been disclosed to the auditor.

The Standard does recognise that while the auditor is responsible for obtaining reasonable
assurance that the financial statements as a whole are free of material misstatement due
to error or fraud, the risk that the auditor may not detect material misstatements due to
non-compliance with laws and regulations is greater because:

• Many of the laws relate to client operating matters and do not affect the financial
statements and are not part of the system and controls relevant to financial reporting.

• Non-compliance often involves conduct to conceal the matter, for example collusion,
override of controls, and misrepresentation.

• The effectiveness of audit procedures is affected by the inherent limitations of internal
control and by the use of testing.

• Much of the audit evidence obtained by the auditor is persuasive rather than conclusive
in nature.

It is important therefore that, in obtaining an understanding of the entity and its
environment for planning the audit, the auditor obtains information about the laws and
regulations under which the entity operates. For those laws and regulations that directly affect
the financial statements, the audit strategy and plan should reflect a proactive assessment
of the risk of material misstatement and provide for obtaining sufficient appropriate audit
evidence as to compliance with those provisions.

HKSA 250, paragraph A15, identifies the following procedures to bring instances of
non-compliance or suspected non-compliance to the auditor’s attention:

• Reading minutes.

• Inquiring of the entity’s in-house and/or external legal counsel in relation to any
litigation, claims, and assessments.

• Performing substantive tests of details of transactions, account balances, or disclosures.

The following matters may be an indication of non-compliance with laws and regulations:

1. Investigation by regulatory organisations and government departments or payment of
fines or penalties.

2. Payments for unspecified services or loans to consultants, related parties, employees,
or government employees.

3. Sales commissions or agent’s fees that appear excessive in relation to those ordinarily
paid by the entity or in its industry or to the services actually received.

4. Purchasing at prices significantly above or below market price.

5. Unusual payments in cash, purchase in the form of cashier’s checks payable to the
bearer, or transfers to numbered bank accounts.

6. Unusual transactions with companies registered in tax havens.

7. Payments for goods and services made other than to the country from which the goods
or services originated.

8. Payments without proper exchange control documentation.

9. Existence of an information system that fails, whether by design or accident, to provide
an adequate audit trail or sufficient evidence.

10. Unauthorised transactions or improperly recorded transactions.

11. Adverse media comment.

In the absence of identified or suspected non-compliance, the auditor is not required
to perform audit procedures to identify non-compliance, but must remain alert to this
possibility when performing other audit procedures and apply professional skepticism where
circumstances suggest a risk may exist.

If the auditor becomes aware of an instance of non-compliance or suspected
non-compliance, the auditor must pursue the matter and obtain an understanding of the
circumstances that have led to this situation, and evaluate the potential impact on the financial
statements. The matter needs to be discussed with management and, depending on the
appropriateness of the response, consideration given as to whether legal advice, from
either the company’s in-house legal counsel or external counsel, is required. The existence of
non-compliance or suspected non-compliance should also cause the auditor to re-assess prior
risk assessment judgements.

Knowledge Check Questions

Question 16
Identify which of the following describes the auditor’s responsibility in relation to the
risk of fraud.
A Provide reasonable assurance that the financial statement is not materially misstated
due to fraud.
B Be satisfied that no fraud has occurred before issuing a clean audit opinion.
C Develop the audit plan to reflect the expectations of users of the financial statements in
relation to the auditor’s responsibility to detect fraud.
D Develop the audit plan to ensure that all instances of fraud are detected.

Question 17
Identify the sources of client information the auditor would use to assess fraud risk.

Question 18
Identify which of the following is not an indicator of an increased risk of fraud.
A There is evidence of management override of controls.
B There is a need to obtain additional working capital from financial institutions.
C The entity is subject to a new and complex accounting standard.
D The IT system is subject to poor access controls.

Question 19
Explain how each circumstance listed below impacts the auditor’s assessment of risk.
(a) The client has opened an overseas branch.
(b) Management’s remuneration is strongly influenced by financial results.
(c) The client operates in a rapidly changing technology market.
(d) Recent management decisions have adversely affected their reputation for integrity in
the industry.
(e) The quick ratio has declined significantly.
(f) The wages and salaries account was misstated in previous years.
(g) Management is inexperienced.
(h) The client has material related party transactions.
(i) The provision for warranties is material and complex.
(j) The client has several unusual transactions that are not processed through the normal
accounting system process.

Question 20
Identify which of the following is not a responsibility of an auditor in relation to detecting
non-compliance by a client with laws and regulations.
A Obtaining sufficient appropriate audit evidence regarding compliance with laws and
regulations that directly affect the financial statements.
B Performing audit procedures to identify non-compliance with all laws and regulations
relevant to the client’s business.
C Seeking a written representation from management that all known instances of
non-compliance with laws and regulations affecting the financial statements have
been disclosed to the auditor.
D Remaining alert during the audit for non-compliance with laws and regulations that may
be identified as a result of other audit procedures.

5.7 MATERIALITY

Materiality is defined in the HKICPA Conceptual Framework for Financial Reporting (Revised) (June
2018), paragraph 2.11:

Information is material if omitting it or misstating it could influence decisions that the primary
users of general purpose financial reports . . . make on the basis of the reports, which provide
financial information about a specific reporting entity. In other words, materiality is an
entity-specific aspect of relevance based on the nature or magnitude, or both, of the items to
which information relates in the context of an individual entity financial report. Consequently,
the HKICPA cannot specify
a uniform quantitative threshold for materiality or predetermine what could be material in a
particular situation.

The overall objective of an audit of a financial statement is to obtain reasonable assurance
that the financial report is free of material misstatement, whether due to fraud or error. A
fundamental component of the planning process therefore is making a preliminary estimate of
materiality to provide reasonable assurance that material misstatements will be detected.

The determination of a materiality level is an audit judgement to be made based on the
auditor’s understanding of the entity and its environment, including the auditor’s perception
of who are, or are likely to be, the main users of the financial statements and their information
needs. In effect it is the auditor’s judgement as to the maximum level of misstatement that
those users would tolerate, or beyond which they would make a different decision if they were
aware of the misstatement.

This judgement is significant in the planning as it provides the foundation for:

• Determining the nature, timing, and extent of risk assessment procedures.

• Identifying and assessing the risks of material misstatement.

• Determining the nature, timing, and extent of further audit procedures.

5.7.1 Setting Materiality Limits


HKSA 320 Materiality in Planning and Performing an Audit (June 2017), paragraph 10, establishes
the primary role that materiality plays in the audit process.

When establishing the overall audit strategy, the auditor shall determine materiality for the
financial statements as a whole. If, in the specific circumstances of the entity, there is one or more
particular classes of transactions, account balances, or disclosures for which misstatements
of lesser amounts than materiality for the financial statements as a whole could reasonably
be expected to influence the economic decisions of users taken on the basis of the financial
statements, the auditor shall determine the materiality level or levels to be applied to those
particular classes of transactions, account balances or disclosures.

Determining materiality requires consideration of both quantitative and qualitative factors.

HKSA 320 requires the auditor to set a level of performance materiality for assessing
the risks of material misstatement and determining the nature, timing, and extent of audit
procedures.

Performance materiality recognises that planning the audit on the basis of detecting only
individual material misstatements does not recognise that single immaterial misstatements
when aggregated could result in the financial statements being materially misstated. In
addition, the possibility of undetected misstatements needs to be considered. Performance
materiality is therefore set to reduce to an appropriately low level the probability that the
aggregate of uncorrected and undetected misstatements exceeds the materiality level for the
financial statements as a whole.

As indicated, the setting of materiality levels is a matter of professional judgement based
on the circumstances of each audit engagement. The auditing standards do not prescribe any
specific levels or base for materiality.

The method for determining materiality at the planning stage varies between audit firms
and ranges from formulas to rules of thumb or leaving the decision to the judgement of the
individual engagement auditor.

At the basic level, materiality is a relative concept where generally the level is set by
establishing a percentage that is applied to a given base, for example net profit, total revenue,
or total assets. Often cited rules of thumb are:

• 5–10% of net profit

• 0.5–1% of revenue

• 0.5–1% of total assets

Under the above, for example, an account balance would be considered significant if it
represents 1% of total assets, and therefore this item would be reflected in the development of
the audit strategy and plan.

Alternatively, a material misstatement may be determined to be an amount that is 5% of
net profit and this would form part of the decision making that is reflected in the audit plan.

Application of the performance materiality requirement would see the percentage
materiality level lowered to reduce the probability that the aggregate of uncorrected
or undetected misstatements in the financial statements exceeds the overall
materiality level.

The judgement as to the level of performance materiality to be used is affected by a number
of factors, such as the control environment, the history and nature of errors, engagement risk,
and changes in the entity’s business and operations. For example, if internal control is assessed
as effective this would increase the percentage level of performance materiality.

A rule of thumb approach often sees this adjustment set at 60% for high-risk clients and
80% for low-risk clients. For example, if a judgement is made for materiality at the 5% level of net
profit and that materiality figure is HK$10 million, and the client is assessed as high risk, the
performance materiality is HK$6 million (HK$10 million × 60%).
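The rule-of-thumb arithmetic above, together with the earlier point that individually immaterial misstatements can be material in aggregate, can be worked through in a short script. This is an added illustration, not part of the learning pack: the choice of the bottom of the range for high-risk clients, the netting of signed profit effects, and the sample misstatements are assumptions constructed for the example.

```python
from dataclasses import dataclass
from decimal import Decimal

# Rule-of-thumb ranges quoted in the text, as fractions of the chosen base.
RULES_OF_THUMB = {
    "net_profit": (Decimal("0.05"), Decimal("0.10")),
    "revenue": (Decimal("0.005"), Decimal("0.01")),
    "total_assets": (Decimal("0.005"), Decimal("0.01")),
}
# Performance materiality adjustment quoted in the text: 60% high risk, 80% low risk.
PM_FACTOR = {"high": Decimal("0.60"), "low": Decimal("0.80")}


@dataclass(frozen=True)
class Misstatement:
    description: str
    effect_on_profit: Decimal   # signed; positive means profit is overstated
    qualitative: bool = False   # significant by nature, whatever the amount


def overall_materiality(base, base_amount, risk):
    """Assumption: high-risk clients take the bottom of the range, others the top."""
    low, high = RULES_OF_THUMB[base]
    return Decimal(base_amount) * (low if risk == "high" else high)


def performance_materiality(overall, risk):
    return overall * PM_FACTOR[risk]


def evaluate(misstatements, overall, performance):
    """Compare each item with performance materiality and the net total with overall."""
    aggregate = abs(sum((m.effect_on_profit for m in misstatements), Decimal(0)))
    return {
        "individually_significant": [
            m.description for m in misstatements
            if abs(m.effect_on_profit) >= performance
        ],
        "qualitative": [m.description for m in misstatements if m.qualitative],
        "aggregate": aggregate,
        "aggregate_exceeds_overall": aggregate > overall,
    }


# Constructed sample: uncorrected misstatements found during fieldwork (HK$).
SAMPLE_MISSTATEMENTS = [
    Misstatement("Sales cut-off error", Decimal("4500000")),
    Misstatement("Inventory provision understated", Decimal("3800000")),
    Misstatement("Accrued expenses omitted", Decimal("2400000")),
    Misstatement("Related party loan not disclosed", Decimal("0"), qualitative=True),
]

if __name__ == "__main__":
    # Net profit of HK$200 million at 5% reproduces the HK$10 million in the text.
    om = overall_materiality("net_profit", 200_000_000, "high")
    pm = performance_materiality(om, "high")
    print("overall:", om, "performance:", pm)
    print(evaluate(SAMPLE_MISSTATEMENTS, om, pm))
```

No single item reaches the HK$6 million performance materiality, yet the net effect of HK$10.7 million exceeds overall materiality, and the related party item is reported on qualitative grounds regardless of amount.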

The base chosen should be one that is relatively stable over time to avoid fluctuations
between audits and relevant to the nature of the entity’s activities. For example, net profit
may not be a relevant base for not-for-profit entities (even though a loss may be), but is
usually significant for publicly listed entities as this is a determinant of dividends to be paid
to shareholders and an entity’s share price. However, because net profit can fluctuate from
one period to another it is not as stable a base as total assets or total revenue as entity size is
less variable than profit, the calculation of which can be affected by a number of variables and
economic fluctuations.

An entity’s financing arrangements can also affect the appropriateness of the base
chosen. For example, the base chosen for an entity that has debt covenants associated
with its financing arrangements that reflect working capital levels will focus on that working
capital base.

It is also important that the auditor considers the entity’s ownership structure when
establishing a materiality base. All stakeholders should be considered as some transactions
may be of greater significance to some groups than others and the base chosen should be
such that the level of materiality would lead to the auditor considering the specific financial
transactions of interest to those stakeholders.

The preliminary materiality judgement for the overall financial statements at the planning
stage identifies elements of the financial statements that warrant specific attention when
developing the audit plan. A lower level of materiality will result in more extensive testing.

It is also important to understand that the relationship between materiality and audit risk
is fundamental to the audit process. At the transaction and account balance level, the greater
the audit risk, the lower will be the materiality level set by the auditor. For significant account
balances the auditor’s tolerance of error is low and therefore the materiality level would be set
at a low level. This means that when developing the audit plan the extent of audit procedures
would be increased or more effective procedures selected.

In addition to the quantitative element of materiality, the auditor needs to consider
the qualitative nature of transactions and account balances. For example, related party
transactions are significant because by nature they are open to manipulation and, because
of the relevance of the information about those transactions, they require specific disclosure
in the financial statements. Materiality would generally be set at a low level and the nature,
timing, and extent of audit procedures applied to this element of the financial report would be
more extensive, irrespective of the recorded amount of those transactions.

The materiality level is used throughout the audit and is adjusted where circumstances
and the results of audit procedures applied indicate that the initial planning determination is
no longer appropriate. This could arise, for example, due to a change in the entity’s operations
during the audit period, new information becoming available, or a change in the auditor’s
understanding of the entity and its business as a result of performing audit procedures.

An appropriate materiality level is important as it is used to evaluate the outcome of audit
procedures and to identify what action is appropriate to deal with detected misstatements.

5.7.2 Relationship to Relevance in Financial Reporting


As indicated above, the concept of materiality is fundamental to the nature and purpose of
auditing. The auditor is to report whether the financial statements are presented in all material
respects in accordance with the applicable reporting framework. Accordingly, the audit should
be planned and performed to reduce the risk of material misstatement to an acceptably
low level.

The Glossary defines a misstatement as:

A difference between the amount, classification, presentation, or disclosure of a reported financial
statement item and the amount, classification, presentation, or disclosure that is required for the
item to be in accordance with the applicable financial reporting framework. Misstatements can be
from fraud or error.

The applicable financial reporting framework prescribes the basis for the preparation and
presentation of the financial statements. The framework is based on the presumption that
the information provided in the resultant financial statements is relevant to the users of the
financial statements for economic decision making. A material misstatement would mean
that the financial information does not faithfully represent the conditions of the business and
the relevance of the information in the financial statements would be adversely impacted.
Accordingly, underlying this concept in auditing is the auditor’s judgement as to what is
important to the users of financial statements.

The auditor applies materiality to evaluate the effect of any identified misstatement and
uncorrected misstatements in forming an opinion on the financial statements. In effect the
auditor is evaluating whether the effect of the misstatement will affect the decisions of the
users of the financial statements.

Integral to the audit process for determining materiality is understanding who the users
or potential users of the financial statements are and how the information in the financial
statements is to be used.

The nature and purpose of financial reporting and the presentation of financial statements
in accordance with the applicable reporting framework is therefore integral to establishing
materiality in auditing. Therefore, as part of gaining an understanding of the client and
its environment, the auditor needs to consider all stakeholders that may use the financial
statements.

This judgement is made on the basis of users as a group and not just individuals.
It assumes that the users have a reasonable knowledge of business, economics, and accounting
standards and will apply reasonable diligence in studying the financial statements. Also, it is
assumed that the users understand that financial statements are prepared and audited to a
level of materiality and involve estimates and judgements relating to future events.

In summary, materiality reflects relevance in financial reporting to the extent that the
audit focus is on misstatements that could reasonably be expected to influence the economic
decisions of users or potential users of the financial statements.

Apply and Analyse 7


Your firm has determined that the base to be used for the determination of materiality
can be chosen from net profit, total revenue, total assets, and equity and is a matter of
judgement by the engagement partner depending on the client’s circumstances. In the
past you have used net profit for the HWA audit because the focus of the users of financial
statements will be on profitability of the entity, which also influences the level of dividends
to be paid and the share price. However, this year you decide to use total assets for setting
planning materiality because of your concern as to the stability of the net profit. The rule of
thumb applied by your firm for this base is 0.75–1% of total assets.

Explain to your engagement team how you would determine performance materiality
for this year’s audit of HWA Ltd.

Analysis

The relationship between materiality and audit risk results in a lower materiality level
where the audit risk is high. In this case, due to the changing circumstances, AR has
increased and could be classified as high. In that case a base materiality level closer to the
0.75% of total assets would seem appropriate. Performance materiality is generally set
at a lower level than base materiality to reduce the risk that aggregated uncorrected or
undetected misstatements exceed the base level. A judgement needs to be applied
to such an adjustment to the base materiality level. For example, in the case of HWA it may
be appropriate to adjust the level to 70% of the base. This would result in a performance
materiality level of 0.525% of total assets. This reduces the level of error that can be
tolerated and reflects the nature, timing, and extent of audit procedures.


Knowledge Check Questions

Question 21
Identify which of the following describes the level of performance materiality.
A The level set by management when preparing the financial statements to make
judgements as to whether the financial statements are materially misstated.
B The level established by an audit firm as a rule of thumb to be applied in all audit
engagements.
C The level adjusted to ensure that individual misstatements in aggregate do not exceed
overall materiality.
D The overall level of materiality that considers both quantitative and qualitative factors.

Question 22
By comparing the concepts of audit risk and materiality, justify the statement that under
the risk-based approach to auditing materiality is inextricably linked.

5.8 AUDIT METHODOLOGIES

The approach to auditing has changed over many years from an audit of all transactions
to recognition that accounting and control systems, and the manner in which entities are
organised and operated, can be used to produce reliable financial information. This is reflected
in the current audit objective of obtaining reasonable assurance that the financial statements
are not materially misstated. In conjunction with this, different audit methodologies have
evolved, and this section identifies some of those different audit processes.

5.8.1 Risk-Based Auditing


This approach to auditing is reflected in the current auditing standards. As indicated above, it
involves the auditor gaining an understanding of the client entity, environment, and system of
internal control to identify the risks of material misstatement and the processes and controls
the entity has in place to identify and address those risks in order to develop an audit strategy
and plan that concentrates audit attention on the areas of greatest risk.

Over time it has evolved from a methodology that focused on the risk of material
misstatement through the processing and recording of transactions to also include a broader
business risk focus and how management deals with those risks and to understand the impact
that has on the financial statements.


5.8.1.1 Advantages and Disadvantages


The primary advantage of this approach is that it requires the auditor to have a broad
understanding of the entity and the range of risks that it faces due to the nature of its activities,
the business environment in which it operates, and how the components of its system of
internal control are designed and implemented to identify and address those risks. This
means that the auditor is more likely to become aware of a broader range of potential risks of
misstatement and can evaluate their potential impact on the financial statements.

The nature of the process facilitates an outcome whereby the audit strategy and plan
should result in the selection of the most efficient and effective audit procedures being applied
to the most significant accounts, and minimises the possibility of material misstatement going
undetected. Integral to the audit risk model is that specific attention is given to inherent risk
and control risk and a systematic approach to applying the judgements that need to be made
as to risk and materiality. It also ensures that auditors give due regard to the positive effect that
internal control can have in reducing the risk of material misstatement.

The requirement to apply the risk analysis at two levels, i.e. at the financial statement level
and at the level of account balance assertions, facilitates an integrated approach. By assessing
risk at the financial statement level, risks that could affect many assertions can be identified.
This context enhances the identification of risk and the risk assessments at the individual
assertion level for account balances, classes of transactions, and disclosures. The nature,
timing, and extent of audit procedures are therefore more likely to be directed at the areas
of greatest potential concern. The audit focus is on ‘what could go wrong’ rather than
over-auditing assertions that are at a low risk of material misstatement.

The potential disadvantages of this model are similar to those that apply to all audit
methodologies, but are more significant in a risk-based approach. The approach is reliant on
the quality of several subjective judgements to be made and on the information used to make
those judgements. A risk-based audit requires that the audit resources be sufficiently skilled
and experienced to understand and interpret the relationships inherent in the information
about the client and its environment, and that the audit is properly planned, supervised, and
reviewed. Audit teams must be business aware.

5.8.2 Top-Down Auditing


This approach is essentially a controls-based approach. Its focus is on determining the
individual controls over the preparation of financial statements to be tested.

Under this approach, matters to be considered include:

• The control environment, for example management’s attitude and commitment to the
control function and the organisational structure supporting the internal functions.

• The entity’s risk assessment process, for example how business risks relevant to the
financial statements are identified, assessed, and addressed.

• Monitoring of controls, for example how the entity monitors controls relevant to
financial reporting and initiates remedial actions to address deficiencies, and the
involvement of internal audit in this process.

• The information system and related business processes relevant to financial reporting.

• Controls over the end of year accounting process.

This approach also involves the auditor identifying the material accounts and classes of
transactions and related assertions and the risk of material misstatement. The auditor then
identifies the control objectives relevant to the significant assertions and drills down to the
specific controls relevant to each assertion. Through this process the auditor retains the
relationship between the financial statements and internal control and can readily understand
the effect of a particular control on the related financial statement assertion.

As a result, the auditor then tests the specific controls that address the risk of material
misstatement.

5.8.2.1 Advantages and Disadvantages


The advantage of this approach is that the testing of controls is directed specifically at those
controls relevant to the financial statements and that have been assessed as relevant to
the audit. Rather than obtaining an understanding of all controls, controls over immaterial
accounts and transactions and assertions that are irrelevant are eliminated. The intended
result is an efficient audit approach.

This approach also requires that the auditor focuses on the design of controls. By first
establishing control objectives and then identifying controls to achieve the objectives, the
auditor must consider whether the controls are designed effectively to achieve the objectives. If
the controls are ineffective, the auditor can adjust the nature, timing, and extent of other audit
procedures to achieve the audit objective.

As indicated under the risk-based approach, this model requires skilled and experienced
audit resources, as well as specific expertise where the controls systems are heavily IT based.

5.8.3 System-Based Auditing


This approach is the forerunner to the current risk-based approach. Like the risk-based
approach, it recognises that the accounting records provide the underlying evidence and
data from which the financial statements are prepared. This approach addresses the types of
transactions the entity enters into and how they are processed through the system.

The process focuses on the structure of the information system and the internal controls
supporting the flow of the documents and their recording in the accounting records. The
auditor tests transactions for compliance with the controls. Like the risk-based approach, if
the controls are found to be operating effectively in a particular subsystem in the accounting
process, the auditor places reliance on those controls and reduces the nature, timing, and
extent of substantive procedures.

5.8.3.1 Advantages and Disadvantages


The advantage of this approach is that, like the risk-based method, it recognises that systems
of internal control can be used by auditors to improve the efficiency of the audit process. This
approach, however, is not as directly focused on ‘at risk’ assertions but more on document
flows within an overall system, for example the payroll or accounts receivable system. As such,
the extent of internal control testing may be greater than under a risk-based approach.


5.8.4 Systems Audit


A systems audit is a process to determine whether a particular system is designed and
operating to achieve stated objectives and whether the effectiveness of the system could be
improved. It is most often used as a management tool to obtain objective evidence that the
entity’s policies and objectives are being met. To be constructive, such audits need to include
judgements as to whether the system subject to audit is effective, not just that the elements
within the system have been complied with. Effectiveness requires that the system protects
the entity’s information assets and makes information available only to authorised personnel.
These audits can be used by management to improve an entity’s performance as a result of the
focus on determining whether the systems are both implemented effectively and are suitable
to achieve the stated organisational objectives.

Given that the focus of these audits is on whether the elements of the system are
appropriate and effective, and have been developed and documented in accordance with
specified requirements, particular attention is given to management policy and whether this
is adequately documented and complied with. It is also important that particular attention
be given to evaluating whether these elements are updated as the system changes. The
effectiveness of systems generally relies upon appropriate segregation of duties so that
no individual has incompatible functions, for example by keeping the authorisation, recording,
and custody functions for transactions separate. Systems audits would focus on
these matters. Another area of particular focus in these audits is system security in order to
ensure that there are effective policies in place and that they are complied with.
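
One way to test the segregation of duties described above, given as an added example that is not part of the learning pack: the activity log, access matrix, user names and function labels are all constructed for illustration. It checks operation (who actually performed which function on each transaction) and design (which functions each user is able to perform).

```python
from collections import defaultdict

# The three functions the passage says must be kept separate (labels are assumptions).
INCOMPATIBLE = {"authorise", "record", "custody"}

# Constructed sample activity log: (transaction id, function performed, user id).
ACTIVITY_LOG = [
    ("PO-1001", "authorise", "alice"),
    ("PO-1001", "record", "bob"),
    ("PO-1001", "custody", "carol"),
    ("PO-1002", "authorise", "dave"),
    ("PO-1002", "record", "dave"),    # same person authorises and records
    ("PO-1002", "custody", "carol"),
    ("PO-1003", "authorise", "alice"),
    ("PO-1003", "record", "bob"),
    ("PO-1003", "custody", "alice"),  # authoriser also takes custody
    ("PO-1004", "authorise", "erin"),
    ("PO-1004", "record", "bob"),     # no custody event was logged
]

# Constructed access matrix: functions each user is able to perform in the system.
ACCESS_MATRIX = {
    "alice": {"authorise", "custody"},
    "bob": {"record"},
    "carol": {"custody"},
    "dave": {"authorise", "record"},
    "erin": {"authorise"},
    "frank": {"authorise", "record", "custody"},  # never appears in the log
}


def transaction_conflicts(log):
    """Operating test: per transaction, users who performed 2+ incompatible functions."""
    performed = defaultdict(lambda: defaultdict(set))
    for txn, function, user in log:
        if function in INCOMPATIBLE:
            performed[txn][user].add(function)
    findings = {}
    for txn, by_user in performed.items():
        hits = [(user, sorted(funcs))
                for user, funcs in sorted(by_user.items())
                if len(funcs) > 1]
        if hits:
            findings[txn] = hits
    return findings


def incomplete_transactions(log):
    """Transactions with no evidence for one or more of the three functions."""
    seen = defaultdict(set)
    for txn, function, _user in log:
        seen[txn].add(function)
    return {txn: sorted(INCOMPATIBLE - funcs)
            for txn, funcs in seen.items()
            if INCOMPATIBLE - funcs}


def access_conflicts(matrix):
    """Design test: users granted 2+ incompatible functions, whether used or not."""
    return {user: sorted(granted & INCOMPATIBLE)
            for user, granted in matrix.items()
            if len(granted & INCOMPATIBLE) > 1}


if __name__ == "__main__":
    print("Operating exceptions:", transaction_conflicts(ACTIVITY_LOG))
    print("Missing evidence:   ", incomplete_transactions(ACTIVITY_LOG))
    print("Design exceptions:  ", access_conflicts(ACCESS_MATRIX))
```

The design test flags `frank` even though he never appears in the log, which is the difference between a system that is complied with and one that is designed effectively.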

These audits can be undertaken for a range of reasons, for example:

• To evaluate an entity’s system against an industry standard.

• To establish whether the system conforms with defined criteria.

• To satisfy legal or regulatory requirements.

5.8.4.1 Advantages and Disadvantages


From the perspective of an external audit of financial statements, these audits are of limited
value. While they provide evidence as to the reliability of systems and controls, the objectives
that the system is directed to achieving may not relate to financial reporting issues and they
do not provide evidence of a substantive nature in terms of detailed tests of transactions
and balances.

5.8.5 Balance Sheet (Statement of Financial Position) Approach


This approach involves the application of audit procedures to obtain sufficient appropriate
audit evidence to verify the asset, liability, and equity accounts in an entity’s statement of
financial position at the end of the financial reporting period. The underlying premise is
that if these accounts are not materially misstated, then the corresponding transactions that
produced the year end balances comprising the statement of financial performance are also
likely to be appropriately recorded.

The focus is therefore on assertions relating to completeness, existence, valuation, and rights
and obligations inherent in the statement of financial position items that are the result of the
accounting system, rather than the system and process. Because the audit deals with balances
outstanding at the end of the financial reporting period, the audit procedures are concentrated
at the year end. Any evidence as to the operation of internal controls during the period
inherent in the final balances being correct is therefore limited.

5.8.5.1 Advantages and Disadvantages


This approach has advantages where an entity is just commencing business or has large
accounts and a small number of transactions.

It does not, however, address fraud risk or misclassification or errors where amounts
are netted off and therefore affect the preparation and presentation of financial statements.
It does not give due consideration to the importance of the statement of profit or loss and
other comprehensive income, to the fact that entities with many transactions and complex
accounting systems must be capable of processing data over the complete accounting
period, or to the importance of a sound system of effective internal controls to ensure that all
transactions are appropriately recorded during that period.

5.8.6 Transaction Cycle Approach


This approach recognises that a transaction cycle involves a series of linked transactions that
reflect an operational process and that result in account balances. For example, the following
are generally recognised as the financial statement cycles into which most business transactions
in a business that buys and sells goods can be aggregated:

• Sales collection cycle – sales-accounts receivable-cash receipts. The entity receives an
order, assesses the customer’s credit rating, delivers the goods, issues a sales invoice,
records the receivable, and collects the cash payment.

• Purchasing cycle – purchase-inventory-accounts payable-cash payment. The entity
issues a purchase order, receives the goods, records the inventory, receives an invoice,
records the payable, and pays the invoice.

• Payroll cycle.

• Other purchase cycles, for example assets.

• Finance cycle.

Understanding the flow of transactions and their conversion under accrual accounting,
and the reports generated, is a useful means of understanding the accounting system and
related control procedures. Tests of transactions involve the application of audit procedures
to the accounting record of transactions by examining the evidential support for them with
procedures such as tracing, vouching, and recomputation. The audit process is designed to test
the internal controls over the related transactions within each operating cycle, but can also be
used as a substantive test.

5.8.6.1 Advantages and Disadvantages


This approach is considered more cost effective for large entities than the balance sheet
approach as, through the testing of the processing of transactions, there is a relatively lower
level of testing of the large number of transactions comprising the balance sheet accounts at
year end. As it focuses on testing of controls there is a higher probability of fraud detection.
Because it deals with identifiable and common transaction cycles, it lends itself to the
development of standardised internal control checklists applicable across several audit clients.
This has the disadvantage of giving less emphasis to the individual circumstances and risks
facing individual clients. This approach is therefore seen as less effective than the business risk
approach where the audit strategy is more directly focused on where the risk of misstatements
is greatest.

5.8.7 Directional Testing


This approach has its foundations in the double-entry accrual accounting model, where for
every debit there must be an equal credit in the accounting records, and the relationship
between account balances. It involves testing transactions or balances and confirming, for
example, the debit balances in a trial balance; if they are found to be correct, so also should be
the credits, although the evidence is indirect.

This method is directed at testing for either overstatements or understatements
separately from each other. One side of a transaction, either a debit or a credit, is examined
at a time and, after selecting the direction, the auditor considers whether there is an
overstatement or an understatement in other account balances. Assets are most commonly tested
for overstatement, primarily whether transactions have occurred. For example, if accounts
receivable is overstated, revenue may be overstated. These tests use the underlying financial
statement records as the starting point and check back to supporting documents. Liabilities are
commonly tested for understatement, primarily whether all transactions have been recorded.
Unrecorded liabilities may indicate understatement of expenses or assets. These tests start
from reviewing underlying documents and checking to ensure that the transactions and events
have been recorded in the accounting records.
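
The two directions described above, worked through as an added example that is not part of the learning pack: the ledgers, document sets, reference numbers and amounts are constructed for illustration. Vouching starts from the accounting records and looks for support (overstatement); tracing starts from the documents and looks for the record (understatement).

```python
# Constructed sample data: reference -> amount.
RECEIVABLES_LEDGER = {   # accounting records for an asset balance
    "INV-201": 12000,
    "INV-202": 8500,     # recorded above the supporting document
    "INV-203": 4300,     # no supporting document exists
    "INV-204": 9900,
}
DISPATCH_NOTES = {       # supporting documents for sales
    "INV-201": 12000,
    "INV-202": 7500,
    "INV-204": 9900,
    "INV-205": 3100,     # dispatched but never recorded
}
GOODS_RECEIVED_NOTES = { # underlying documents for purchases
    "GRN-77": 6400,
    "GRN-78": 2250,      # goods received, liability never recorded
    "GRN-79": 5100,      # liability recorded below the document
}
PAYABLES_LEDGER = {      # accounting records for a liability balance
    "GRN-77": 6400,
    "GRN-79": 4100,
    "GRN-80": 1500,      # recorded with no goods received note
}


def vouch(ledger, documents):
    """Overstatement test: start at the ledger, check back to documents.

    Returns (exceptions, total) where each exception is
    (reference, amount potentially overstated, reason).
    """
    exceptions = []
    for ref, recorded in sorted(ledger.items()):
        supported = documents.get(ref, 0)
        if recorded > supported:
            reason = ("no supporting document" if ref not in documents
                      else "recorded above support")
            exceptions.append((ref, recorded - supported, reason))
    return exceptions, sum(diff for _ref, diff, _reason in exceptions)


def trace(documents, ledger):
    """Understatement test: start at the documents, check forward to the ledger.

    Returns (exceptions, total) where each exception is
    (reference, amount potentially understated, reason).
    """
    exceptions = []
    for ref, amount in sorted(documents.items()):
        recorded = ledger.get(ref, 0)
        if recorded < amount:
            reason = ("not recorded" if ref not in ledger
                      else "recorded below document")
            exceptions.append((ref, amount - recorded, reason))
    return exceptions, sum(diff for _ref, diff, _reason in exceptions)


if __name__ == "__main__":
    over, over_total = vouch(RECEIVABLES_LEDGER, DISPATCH_NOTES)
    under, under_total = trace(GOODS_RECEIVED_NOTES, PAYABLES_LEDGER)
    print("Receivables, potential overstatement:", over_total, over)
    print("Payables, potential understatement:  ", under_total, under)
```

Neither test sees the item on the far side of its direction: vouching receivables never reaches `INV-205`, and tracing payables never reaches `GRN-80`.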

5.8.7.1 Advantages and Disadvantages


This approach is seen as leading to greater audit efficiency in that it focuses on accounts that
are more likely to be materially misstated in a particular direction because of their nature or
indications of management motivation to misstate the financial statements. The evidence
obtained by an auditor as to whether an account balance is materially misstated comes from a
variety of sources, and directional testing assists the auditor to understand the significance of
different individual pieces of evidence.

Whether the method improves efficiency depends on the nature of the evidence
available as an indicator of over- or understatement and the extent of testing that needs to
be undertaken. The evidence in relation to the other side of the ‘directional’ outcome is only
indirect and requires further audit procedures.

5.8.8 Performance of Different Audit Methodologies


The preceding sections have briefly outlined a number of different methodologies that have
been developed over the years. They can still be utilised if the circumstances warrant.

However, as is evident, in most cases the methodologies would not by themselves provide
sufficient appropriate audit evidence on which an auditor could base an opinion on a set of
financial statements, nor meet the requirements of the auditing standards.

In a sense the different approaches represent alternative means of auditing individual
assertions.

The audit of some entities, because of their nature, requires a particular approach. For
example, the extent of controls and their documentation within smaller entities may be limited
and not provide the auditor with a basis on which to rely on the testing of controls. In these
cases, a substantive approach/balance sheet approach may be the most effective.

In most financial statement audits, the risk-based methodology required by the auditing
standards would result in a combination of review and testing of the system of internal control
combined with substantive tests of transactions and balances and analytical procedures. For
example, the approach to the review and testing of internal control could be undertaken using
a top-down or transaction cycle approach, supported by substantive procedures that reflect
audit procedures that would be used under the balance sheet approach.

What is cost effective is a function of the circumstances of the engagement and the nature
of the client’s business and systems and the strength or weakness of the client’s system of
internal control and use of IT.

Knowledge Check Questions

Question 23
Identify which of the following explains why the risk-based methodology is cost effective:
A It does not require the use of the balance sheet approach, which may lead to
over-auditing.
B It focuses on an entity’s transactions cycles to determine their effectiveness.
C The business risk strategy directs the audit to areas where the real risk of misstatement
may occur.
D Audit fieldwork can be spread more evenly over the financial reporting period.

Question 24
An audit client has advised that they are uncertain as to whether the internal control
system over the property, plant and equipment account was effective due to staff changes for a
three-month period. They are seeking assurance that the account and related depreciation
account is correctly recorded. Explain how the transaction cycle approach could be used to
provide assurance that the controls were effective during that period.


SUMMARY

This chapter addressed the importance of planning the audit of a financial statement to
support the conduct of an efficient and effective audit. It recognises that under auditing
standards the planning process is essentially the application of risk-based audit methodology.
The planning approach is based on the auditor gaining an understanding of the client and its
environment, including the system of internal control to identify the potential risks of material
misstatement at both the overall financial statement level and at the level of account balance
assertions.

The information obtained about the client’s circumstances and the initial audit
judgements based on that information are formalised in the development of an audit
strategy. The strategy document identifies the areas of audit focus in terms of the risk of
material misstatement and the audit approach as to the relative emphasis on the reliance
on internal control testing and substantive procedures to obtain sufficient appropriate audit
evidence on which to base the audit opinion. This is then reflected in a detailed audit plan
to respond to the risk of material misstatement in financial statement assertions and which
documents the detailed audit procedures to be performed during the audit. Both the audit
strategy and plan are dynamic in nature and are reviewed and updated as necessary as the
audit progresses based on the results of the application of the audit procedures undertaken
during the audit.

The chapter has dealt with the following:

• Engagement acceptance and continuance as the first step in establishing the audit
relationship and basis for planning.

• Implementing the risk-based audit methodology as required under auditing standards.

• The importance of planning in identifying the matters that should be given the greatest audit
attention and determining the audit resources needed to perform the audit.

• The process of gaining an understanding of the client and its environment, and the system
of internal control, as the basis for identifying the risks of material misstatement in financial
statements and for developing the audit strategy and audit plan.

• The relationship between the audit strategy and audit plan, outlining that the relationship
starts with the audit strategy documenting the balance between the reliance on a controls-
based approach and substantive approach with the plan implementing that approach by
documenting the detailed tests of control and substantive procedures to obtain sufficient,
appropriate, audit evidence.

• The audit risk model as a means of formalising the components of risk and implementing the
risk-based audit methodology.

• Within the risk-based audit approach the requirement in the auditing standards to specifically
address the risk of fraud and to consider non-compliance with laws and regulations.


• The role of materiality in both qualitative and quantitative terms in planning the audit
and identifying the significance of individual transactions and balances and evaluating the
aggregate of misstatements.

• The role of documentation in the audit planning process.

• Identification of different audit methodologies that are available and that can be used as a
discrete approach or in combination to achieve a particular audit objective, depending on the
circumstances.


MIND MAP

Central topic: PLANNING AND RISK ASSESSMENT

PLANNING AN AUDIT
Audit Strategy and Audit Plan
Audit planning
• Understanding the entity and its environment
• Understanding the entity’s internal control structure and systems
• Identifying and assessing the risk of material misstatement
• Developing a response to assessed risks

PLANNING DOCUMENTATION DEVELOPMENT
Preliminary Engagement Activities
Planning Activities
• Overall Audit Strategy
- Confirm preconditions
- Audit scope, approach and methodology
- Identify significant risks
- Resourcing, budget and audit timetable
• Audit Plan Development
- Nature, timing and extent of detailed audit procedures
- Direct work of engagement team and evidence of work completed
- Review and supervision of audit work

GAINING INITIAL UNDERSTANDING OF THE ENTITY AND ITS ENVIRONMENT
Entity Level
Industry Level
Economy Level

AUDIT RISK COMPONENTS
Inherent and control risk
Detection risk

RISK ASSESSMENT PROCEDURES AND RELATED ACTIVITIES
Understanding the Entity and its Environment
Internal Control and Control Environment
Impact of Fraud and Misstatement on Audit Planning Considerations
Consideration of Laws and regulations in an Audit of Financial Statements

MATERIALITY
Setting Materiality Limits
Relationship to Relevance in Financial Reporting

AUDIT METHODOLOGIES
Risk-based Auditing
Top-down Auditing
System-based Auditing
System Audit
Balance Sheet (Statement of Financial Position) Approach
Transaction cycle approach
Directional Testing
Performance of Different Audit Methodologies

Answers to Knowledge Check Questions

Question 1
Answer A is incorrect. The audit strategy is developed by the auditor and represents the
basis upon which the auditor expects to conduct the audit and from which the more
detailed audit plan is developed. It is an audit document.
Answer B is incorrect. The audit plan specifies the nature, timing, and extent of the detailed
audit procedures to implement the audit strategy. It provides the audit team with a set of
instructions as to how to vary the audit and is not available to management.
Answer C is correct. The engagement letter is the formal communication between
the auditor and client management that documents the auditor’s acceptance of the
engagement, its scope, and the extent of the auditor’s and management’s responsibilities.
Answer D is incorrect. While the auditor will meet with the client to discuss the audit
arrangements and expectations of both parties, this is formalised through the written
engagement letter.

Question 2
Answer A is incorrect. Lack of integrity may indicate that management is likely to produce
misleading financial statements and an association with a client whose management lacks
integrity may affect the auditor’s reputation and should be avoided.


Answer B is correct. Whether a client may or may not request additional services from
the audit firm is not relevant to whether the auditor can accept or continue an audit
relationship. That is a decision based on the auditor’s ability to conduct an appropriate
audit and having an appropriate client relationship for that purpose. Any subsequent
request by the client for the audit firm to provide other services would be a decision to be
made at the time, albeit that it would be subject to ensuring that ethical standards are not
contravened.
Answer C is incorrect. An audit engagement should not be accepted or continued if the
auditor and engagement team do not have the appropriate skills and knowledge of
the client’s business and industry to understand the financial statement implications.
The auditor would not be competent to conduct an audit in accordance with auditing
standards without the skills and knowledge of the client’s business.
Answer D is incorrect. Compliance with the profession’s ethical standards is mandatory for
members of the HKICPA in order to accept appointment or to continue as an auditor.

Question 3
Answer A is incorrect. The audit fee should reflect the cost of the audit based on the audit
plan, i.e. the plan is the means of determining the fee in the first place.
Answer B is incorrect. The plan determines the level of substantive procedures required to
obtain sufficient appropriate audit evidence in conjunction with other audit procedures.
Answer C is correct. The audit plan is based on the auditor’s understanding of the client
and its business, and from this identifying the areas of potential material misstatement
in the financial statements and developing a strategy and plan to address the risk. The
formal risk-based planning requirements ensure that this process focuses attention on the
significant areas of the audit.
Answer D is incorrect. The audit strategy and plan are the responsibility of the auditor and
are developed to facilitate and direct the audit process. While an auditor will discuss issues
with management during the planning process to obtain information about the client and
its business, and which is relevant to planning the audit, the audit must be planned and
performed independently of management.

Question 4
Answer A is incorrect. While the audit plan (programme) documents the audit procedures
to be applied in performing the audit, it is derived from the audit strategy and based on
judgements made by the auditor in developing that strategy.
Answer B is incorrect. The audit strategy is developed from the auditor’s understanding of
the client and its environment and does not include detailed audit procedures.
Answer C is incorrect. Auditing standards identify the requirements that an auditor
must comply with when undertaking an audit, and the types of procedures available
to an auditor to obtain evidence, but they do not provide a standardised set of audit
procedures to be applied in individual engagements. The standards require that the
audit procedures be tailored to reflect the specific engagement circumstances.
Answer D is correct. The audit strategy and plan are based on the auditor’s judgement as
to the risk of material misstatement in the financial statements and financial statement
assertions based on their knowledge of the client and its environment. The specific
procedures to be applied to address those risks are based on the auditor’s professional
judgement as to what is necessary to obtain sufficient appropriate audit evidence.

Question 5
The auditor should be able to:
• Understand the nature, timing, and extent of procedures undertaken in
accordance with the auditing standards.

• Ascertain the results of audit procedures and the evidence obtained.

• Identify the significant matters dealt with during the audit.

• Identify the matters on which judgement was required.

• The conclusions reached during the audit.

Question 6
Answer A is correct. In order to develop an audit strategy and plan and to direct the audit
to the areas of potential risk of material misstatement, the auditor needs to understand
the transactions and events that affect the financial statements.
Answer B is incorrect. While an auditor might identify weaknesses in a client’s internal controls
during the performance of an audit and report them to management, this is a by-product of
the audit. The understanding is to achieve audit objectives and facilitate the audit process.
Answer C is incorrect. The process of assessing known misstatements occurs after
the auditor has performed the planned audit procedures and obtained evidence that
identifies misstatements. Understanding the client and its environment is the initial
process of identifying the risks and determining the procedures to be applied to detect
misstatements.
Answer D is incorrect. The auditor must apply an attitude of professional skepticism
throughout the audit, but understanding the client and its environment does not develop
that attitude. It is a process to gather information about the client, not how the auditor
should apply skepticism.

Question 7
Answer A is correct. These are risks at the overall business level that the entity
may not achieve its business objectives, and they are factors that could identify areas
within the client’s financial statements that may be subject to the risk of material
misstatement due to these business variables.
Answer B is incorrect. This is the risk that at the more detailed level, and due to the nature
of the business, some specific transactions and events are inherently more at risk of being
materially misstated.
Answer C is incorrect. This is a risk that may arise as a result of the auditor not meeting
their audit obligations.
Answer D is incorrect. This would occur where the auditor has not applied due care and
diligence when performing an audit.

Question 8
Answer A is incorrect. Financial information reflects the outcome of transactions and
events comprising goods and services. There should be a relationship between the
information about the underlying transactions and events and the financial reporting that
enables a comparison to be made that would reveal any unusual differences.
Answer B is incorrect. Any differences between a client’s ratios and those of the industry in
which the client operates indicate areas that may require audit attention.
Answer C is incorrect. Deviations of actual amounts from the budget direct the auditor’s
attention to areas that require audit attention.
Answer D is correct. This is an audit procedure to obtain direct evidence as to the recording
of an amount in the accounting records.

Question 9
Because analytical procedures involve the analysis of plausible relationships between both
financial and non-financial information, identified fluctuations or relationships that are
inconsistent with other relevant information or expectations provide information about
the entity and its operations. This may identify issues of which the auditor may otherwise
not be aware at this stage of the audit, and assists in identifying areas of potential risk
requiring audit attention in developing the audit strategy and plan, including the nature,
timing, and extent of audit procedures.

Question 10
Answer A is incorrect. This is a matter arising from the auditor’s understanding of the
entity’s information system and communication component of the system of internal
control through performing risk assessment procedures.
Answer B is incorrect. This is a matter arising from understanding the entity’s information
and communications component of the system of internal control.
Answer C is correct. This is an element of the entity’s organizational and governance
structure of which the auditor is required to obtain an understanding under HKSA
315 (Revised 2019).
Answer D is incorrect. This is a matter arising from understanding the control activities
component of the entity’s system of internal control.

Question 11
Answer A is correct. This facilitates the audit process being focused on areas which are
susceptible to material misstatement.
Answer B is correct. The initial audit strategy and plan reflects evidence obtained during
the initial risk assessment process which identifies the areas of susceptibility to material
misstatement and the entity’s policies and procedures to deal with those matters.
Answer C is correct. The audit strategy and plan identify the audit process and the
nature, timing and extent of further audit procedures appropriate to obtaining sufficient
appropriate audit evidence on which to base the audit opinion.
Answer D is incorrect. The audit opinion issued at the conclusion of the audit is based
on all of the evidence obtained during the audit process as a result of applying all of the
audit procedures arising from the implementation of the test of control and substantive
procedures developed from the risk assessment process.

Question 12
Answer A is incorrect. The assertion that all purchases and sales relating to inventory have
been recorded is not affected by inventory theft.
Answer B is correct. Theft would result in recorded inventory being no longer physically
available to the client.
Answer C is incorrect. The client has not lost the right to the inventory as an asset, but
no longer has access to that right. This assertion is affected by theft, but flows from the
existence assertion.
Answer D is incorrect. This assertion relates to inventory being recorded at an appropriate
amount at the time of acquisition.

Question 13
Answer A is incorrect. As the system of internal control has not proven to be as strong as
initially planned and therefore less reliance can be placed on it, increasing tests of control
will not be effective in providing reliable audit evidence.
Answer B is incorrect. Inherent risk has not changed as it is the risk of an assertion
about a class of transactions or account balance being misstated due to the nature
of transactions and events without considering internal control. The nature of the
transactions and events has not changed but the control system has proven to be
weaker than anticipated.
Answer C is incorrect. As less reliance can be placed on the system of internal control
to provide evidence as to the reliability of the financial information produced by the
accounting system, substantive testing would need to be increased to provide sufficient,
appropriate audit evidence.
Answer D is correct. As less reliance can be placed on internal control, detection risk would
need to be decreased through applying more substantive procedures.

Question 14
Detection risk is the risk that an auditor’s substantive procedures will not detect a material
misstatement in an account balance or class of transactions. It cannot be reduced to zero
due to sampling risk where there is a risk that a sample may not be representative of
the population and the conclusion drawn from a sample may not be the same as if the
whole population of transactions in an account balance had been tested. There is also the
possibility of non-sampling risk where the auditor may draw an incorrect conclusion by not
applying effective audit procedures or drawing incorrect conclusions from the evidence
obtained. Further, much of the evidence available to the auditor is persuasive and not
conclusive.

Question 15
Answer A is incorrect. This affects control risk as it increases the risk of misstatement in
that account balance.
Answer B is correct. As the entity is operating with products of which it has limited
knowledge at this point and a market that it is unfamiliar with and which is subject to rapid
change, there are risks associated with financial report assertions in relation to inventory
obsolescence and valuation.
Answer C is incorrect. This will decrease inherent risk as the entity’s activities are likely
to be more predictable and stable and their financial statement issues more reliable to
predict and manage.
Answer D is incorrect. This will reduce inherent risk as it indicates that management is less
likely to attempt to produce materially misstated financial statements.

Question 16
Answer A is correct. The nature of fraud means that it is difficult to detect as it generally
involves attempts to conceal it, collusion, or overriding of controls. The auditor must assess
the risk of material misstatement due to fraud and address those risks in developing the
audit strategy and plan. The overall audit objective is to provide an opinion on the financial
statements that provides reasonable assurance that the financial statements are not
materially misstated and that gives the level of assurance that no material fraud has occurred.
Answer B is incorrect. Refer to Answer A.
Answer C is incorrect. While many financial report users have an expectation that an audit
will detect all fraud, the objective of the audit is to provide an opinion on the financial
statements. In that context the auditor’s responsibility is to apply reasonable skill and care
in planning and conducting the audit.
Answer D is incorrect.

Question 17
The auditor would enquire of management as to the nature, extent, and frequency of their
assessment of material misstatement due to fraud, their process for identifying fraud, and
how they respond to fraud that they become aware of. The auditor should ask whether
management has identified any actual or expected fraud or been made aware of any
such matters. The auditor would also consider management’s communication within the
entity as to its attitude and behavioural expectations in relation to fraud. Where there is
an internal audit function, enquiries would be made as to whether the internal audit was
aware of any actual or expected fraud and their views as to the risk of fraud.

Question 18
Answer A is incorrect. This indicates that reliance on the system of internal control
is weakened and that management may have been involved in activities that could
involve fraud.
Answer B is incorrect. This is indicative of pressure within the entity and on management
to meet the expectations of other parties external to the entity.
Answer C is correct. This is an indicator of a higher inherent risk as the implementation of
a new and complex accounting standard increases the risk that a material misstatement
may occur.
Answer D is incorrect. Lack of control over IT provides the opportunity for manipulation of
information.

Question 19
(a) Inherent risk is increased as transactions involving foreign currency are subject to
gains and losses due to foreign exchange fluctuations. If the client enters into foreign
exchange risk transactions, they may be complex. Given the lack of experience with
accounting for these transactions and the accounting requirements associated with
foreign exchange transactions the possibility of errors occurring is increased.
(b) There is an incentive for management to produce good results. Depending on other
factors, the fraud risk is increased as management may seek to manipulate accounting
policies or reporting of transactions.
(c) The inherent risk is increased because of the nature of the business. The nature
of the product indicates an inherent risk of industry obsolescence due to changing
technology.
(d) Lack of management integrity increases the risk that they may be prepared to produce
materially misstated financial statements through, for example, overriding controls.
(e) A decrease in the quick asset ratio suggests cash flow and liquidity problems. This
increases the risk that the client may seek to produce financial results that reflect a
position that appears better than it is.
(f) Accounts that were previously misstated are at a higher risk of again being misstated
unless the causes of the previous misstatement have been addressed by the client. The
auditor may need to look more closely at control risk in these areas.
(g) Inexperienced management increases the risk that the financial statements may be
materially misstated. Poor decision-making may also increase the pressure to engineer
a better financial result.
(h) Related party transactions by their nature have a higher risk as they are not
undertaken at arm’s length and so are open to manipulation. As such, they are subject
to specific accounting standards requirements and disclosures, which adds complexity
and increases the risk of fraud and error.
(i) Accounts that require complex calculations and subjective judgements are more likely
to contain errors and have an increased risk of manipulation.
(j) Transactions processed outside the normal system have an increased risk of error
and fraud.

Question 20
Answer A is incorrect. The auditor needs to be satisfied that the financial statements
comply with the applicable financial reporting framework and undertake audit procedures
to form a conclusion that laws and regulations affecting the preparation and presentation
of the financial statements have been complied with.
Answer B is correct. In the absence of identified or suspected non-compliance, the auditing
standards do not require the auditor to undertake procedures to detect all non-compliance
with laws and regulations.
Answer C is incorrect. Because the effect on the financial report of laws and regulations
can vary considerably, seeking written confirmation from management is necessary given
their responsibility for complying with laws and regulations, albeit that this does not provide
sufficient appropriate audit evidence on its own.
Answer D is incorrect. As non-compliance with laws and regulations could impact the
financial statements, the auditor needs to remain alert to any circumstances that may
affect the financial statements, including non-compliance with laws and regulations.

Question 21
Answer A is incorrect. Performance materiality is an audit concept to be applied by
the auditor. Management should prepare the financial statements ensuring that all
transactions and events are appropriately recorded.
Answer B is incorrect. Materiality is a matter of judgement and rules of thumb provided
by audit firms are only guidance to their audit staff to facilitate their decision-making in
relation to materiality in the circumstances of each engagement.
Answer C is correct. This is the amount or amounts set by the auditor at less than the
materiality for the financial statements as a whole to reduce to an acceptably low level the
probability that the aggregate of individually uncorrected or undetected misstatements
exceeds materiality for the financial statements as a whole.
Answer D is incorrect. Materiality overall requires consideration of both quantitative and
qualitative factors, not just performance materiality.

Question 22
The risk-based approach requires the auditor to identify the risk that an account balance
is misstated and then develop and adapt procedures appropriate to minimising the
possibility that misstatement due to fraud or error will not be detected. If the risk
assessment is appropriate this results in an efficient and effective audit that concentrates
the audit process on the most important accounts and minimises the potential that
misstatement will not be detected.
Audit risk is the risk that the auditor expresses an inappropriate audit opinion when
the financial statements are materially misstated. Materiality is the concept that identifies
the significance of financial statement items that, if omitted or misstated, could affect
resource allocation decisions made by financial statement users. The audit is planned to
reduce audit risk to an acceptably low level and to limit the risk of audit procedures not
detecting material misstatements. The audit is therefore planned based on the nature,
timing, and extent of audit procedures reflecting the level of materiality established by the
auditor. The relationship between audit risk and materiality is inverse in that the greater
the audit risk the lower the materiality level is set by the auditor. This has implications,
for example, for the extent of audit procedures and the need to select more effective
procedures or performing procedures closer to the balance date where the materiality
level is low (i.e. even a low level of error in the account balance cannot be tolerated).
The concepts are therefore inextricably linked with materiality, reflecting the precision
of the audit procedures required, audit risk, and the degree of certainty achieved.

Question 23
Answer A is incorrect. The audit risk model under auditing standards requires some level
of substantive testing, even where internal controls are found to be effective. Substantive
procedures applied under the risk-based methodology include some of the audit
procedures that would be used under the balance sheet approach.
Answer B is incorrect. While the approach to the review and testing of internal controls
may reflect an entity’s transaction cycles, this approach does not directly focus on the
areas of greatest risk of material misstatement, and may result in more extensive testing of
internal controls than a risk-based approach.
Answer C is correct. Because the risk-based approach is a business risk model based on
identifying the areas of the financial statements that are most susceptible to material
misstatement, the audit approach is more direct and focused on those risk areas.
Answer D is incorrect. The timing of fieldwork is a matter of audit scheduling once the
audit strategy and plan have been developed. It is the process of implementing the audit
methodology and not developing the methodology.

Question 24
The transactions involved in this cycle would commence with an order document or
contract to purchase an item of property, plant or equipment, an invoice for payment,
payment for the acquisition, and a depreciation calculation once the item is received based
on its useful life. It also involves transactions relating to repairs and maintenance and a
decision as to whether to capitalise or expense such amounts.
The transaction cycle approach would involve selecting the transactions recorded in
the PP&E account during the three-month period and comparing them to the underlying
supporting documents being an order/contract and invoice to confirm that the amounts
recorded are correct and the items recorded are appropriate for inclusion in the PP&E
account. Physical inspection of the items purchased would confirm their existence.
Similarly, the amount of repairs and maintenance recorded as capitalised as PP&E would
be traced back to the underlying documents to confirm that they have been appropriately
accounted for. Transactions recorded in the repairs and maintenance account during that
period would also be selected and compared with the underlying documents, such as
orders and invoices to ensure that no PP&E amounts were expensed.
Recalculation of the depreciation expense for that period would confirm the
depreciation expense.
If the results did not identify any misstatements, this would provide assurance that the
controls were effective during that period and that the PP&E and related accounts were
correctly stated during that period.

EXAM PRACTICE

QUESTION 1
Tong Tan Ltd is a company listed on the Hong Kong Stock Exchange and manufactures
cardboard containers and packaging. It has operated successfully in the industry for many
years and its management is experienced and stable, and is regarded within the industry as
having a high level of integrity.

To date the company’s products are sold to local manufacturers. However, during your
discussions with management as part of planning this year’s audit, they advise you that the
industry has become very competitive and profit margins have declined in recent months.

The company has sought to improve its performance by seeking additional markets, and
has secured some short-term contracts with overseas customers to provide a limited range
of packaging designed specifically for each customer. However, as yet, the profit margins
are not high.

The company is also seeking to raise additional finance to support its move into the
international market and has been advised by its bank that such finance is available based
on the bank’s assessment of its future profitability.

The company’s total revenue is $HK10 billion, total assets $HK14 billion, net assets
$HK8 billion, and net profit $HK456 million.

Your firm adopts the following rule of thumb materiality levels:

5–10% of net profit
0.5–1% of revenue
0.5–15% of total assets

You have audited the company for the last three years and have not experienced any
major audit complications and have found their system of internal control to be effective.
Additional controls have been implemented to deal with the move to expand into the
international market.

Required:

(a) Based on the above information, identify and explain the factors that would impact
your assessment of risk and determining materiality when planning this year’s audit.

(b) In the past you have used net profit as the base for setting the materiality level for
the audit. Explain why this base has been used and using your firm’s rule of thumb
approach, apply your judgement to establish the performance materiality level at the
financial report level.

QUESTION 2
You are the auditor of MU Ltd, a mining company with mines in various countries. During
the planning of the audit for the current financial year, you have become aware that one
of the mines remains shut down after being closed two months ago due to a breach of
environmental regulations. The company has incurred significant fines, and as the company
has not been able to meet its contractual supply obligations from this mine in recent times,
it is also facing litigation claims.

Your preliminary analytical procedures also indicate that despite the mine being closed
for a period, the revenue streams are greater than expected.

This information impacts the areas involving non-compliance with laws and regulations
and fraud.

Required:

Explain your responsibility as auditor in these two areas.

QUESTION 3
(a) Identify the benefits of audit planning and the broad steps involved in that process.

(b) Identify who should be involved in the planning process.

QUESTION 4
(a) Explain what is meant by the audit strategy and outline the information you would
expect to find in an audit strategy memorandum.

(b) As audit partner, you are undertaking the preliminary planning for a continuing audit
client and have had initial discussions with management and the audit committee and
senior members of the audit team. You are preparing the audit strategy memorandum
to be provided to the members of the audit team. During the discussions, a number of
matters were identified including the following two issues:

• The company has contracted to demolish and replace one of its processing plants
to increase its production capacity. Demolition and site work will commence during
the current financial reporting period.

• The company is in the process of implementing a more advanced IT general ledger
and accounts payable and receivable system. The financial statements for the
current financial reporting period will be prepared using the new system.

Using your understanding of the risk-based audit methodology, develop a narrative
that would be included in your audit memorandum to the audit team for these two
matters. While the wording of the narrative will be a matter of personal style, the
content should be developed to reflect the relevant audit issues to be communicated.

ANSWERS TO EXAM PRACTICE

QUESTION 1
(a) For a publicly listed company, materiality should be set at the lower level as the
financial statements will be more broadly distributed to a range of users and subject to
various forms of regulatory requirements affecting its financial reporting. This increases
inherent risk.

The changing domestic market conditions suggest that inventory valuation may be
an issue as well as the decline in profit margins. That, combined with the uncertainty
about the new international market and the specialised nature of the products, also
suggests risks with inventory and profit. This indicates a decrease in materiality and a
higher inherent risk.

Transactions involving foreign currency and exchange rate risks would indicate a
lower materiality level and higher inherent risk.

As the company is seeking to increase its debt levels, this indicates that a lower level
of materiality would be appropriate and increases inherent risk.

Some mitigating factors are the fact there has been a positive experience with
the company over the previous years that supports a higher materiality level and the
absence of any errors reduces inherent risk.

The experienced and respected management indicates that it is likely to be
able to manage the current environment and change and is less likely to make
mistakes, thereby reducing inherent risk. The changes made to the control system for
international transactions also reduces control risk.

The fact that the company has been proactive and been able to expand its market
and to have further finance available to support this suggests that it has a viable
product base with the potential for expansion, which reduces its business and inherent
risks. This supports lower business and inherent risks and higher materiality.

(b) As the company is publicly listed, net profit is likely to be of most interest to financial
statement users as it relates to the compensation to shareholders and is a determinant
of the share price. However, as profit has become less stable due to the increased
competition, the asset base may be more reliable. However, as the company has
considered future profitability as a basis for further lending, that also indicates that a
primary user is interested in that base.

Taking into account both quantitative and qualitative factors, a judgement that
recognises that there are factors that both increase and decrease audit risk would place
the materiality at the middle of the net profit range of 5–10%, i.e. approximately $HK34
million. As audit risk would also be at the middle range, performance materiality could
be set at 70% to give a materiality level of $HK23,800,000.

QUESTION 2
The responsibilities in relation to non-compliance with laws and regulations are dealt with
in HKSA 250. In the absence of identified or suspected non-compliance, the auditor is not
required to perform audit procedures in relation to laws and regulations, other than to
obtain an understanding of the relevant laws and regulations affecting the entity and to
obtain evidence as to compliance with those laws and regulations directly affecting the
financial statements.

However, having become aware of the non-compliance, the auditor should evaluate the
implications for other aspects of the audit, including the risk assessment and the reliability
of representations by management in relation to compliance with laws and regulations.
The auditor should obtain an understanding of the circumstances under which the action
occurred and what actions management has taken to address the situation.

The auditor should review the correspondence between the regulator and the
company as to how long the mine will remain closed and what remedial actions need to be
undertaken to re-open the mine.

Depending on the information provided during discussions with management, the
auditor may need to consult with the company’s in-house legal counsel or external counsel
regarding the application of the laws and regulations.

The effects on the financial statements must be assessed and evidence obtained
as to the completeness and accuracy of the recording of the fines and penalties, and
consideration given to any disclosure of the litigation claims.

During the audit, the auditor must remain alert to the possibility of other
non-compliances. The auditor would request a written representation that all known
instances of non-compliance have been disclosed.

The fraud aspect is covered in HKSA 240 and requires the auditor when performing risk
assessment procedures and obtaining an understanding of the client and its environment,
including internal control, to consider the risk of material misstatement due to fraud. The
standard requires a presumption of fraud risk in relation to revenue and that the auditor
evaluates the types of revenue and revenue transactions and assertions to determine
whether that presumption is applicable.

As the preliminary analytical review indicates an unexpected result, the auditor will
need to address this matter with management by seeking an explanation and undertake
procedures to obtain evidence as to whether the revenue assertion for that mine is materially
misstated. For example, it may be that even though the mine is closed, there was a stockpile
of mine output that could be used to meet supply commitments for part of the period
subject to closure. The auditor would need to document the procedures undertaken and the
reason for the conclusion drawn as to the presumption of fraud.

QUESTION 3
(a) Audit planning facilitates the organisation and management of the audit to support the
conduct of an efficient and effective audit. Planning judgements, decisions, and conclusions should
be documented to facilitate the control and review of the audit process through an
audit strategy and audit plan.

Planning directs the auditor to significant areas of the audit to which attention should
be given. It enables potential problems to be identified and resolved on a timely basis.

Understanding the issues to be addressed during the audit forms the basis for
determining the audit resources necessary to conduct the engagement. An engagement
team with the appropriate skills and experience can be identified and audit work
allocated to members of the team appropriate to their competencies and experience.
Planning identifies whether there is a need for experts in particular areas to be involved
or whether other auditors will be involved where the client has operations in other locations.

Planning provides a framework for the direction and supervision of engagement
team members and the review of their work.

Planning ultimately results in developing an overall audit strategy for the expected
scope and conduct of the audit and from that the development of the audit plan that
contains the specific nature, timing, and extent of audit procedures to be undertaken
during the audit, including determination of materiality levels and management of
audit risk.

The planning process involves the following steps:

• Understanding the client and its environment and applicable financial reporting
framework to provide the auditor with information to be able to identify
and evaluate the entity’s business risks that have an effect on the financial
statements and the potential for the risk of material misstatement to the
financial statements.

• Understanding the client’s risk assessment process, internal control and
information systems to assist in identifying the types of potential misstatements
and risk factors, and determining the nature, timing, and extent of further audit
procedures. This includes information relevant to the strategy in terms of the
relative reliance on controls testing and substantive procedures.

• Identifying and assessing the risk of material misstatement whether due to
fraud or error.

• Developing a response to assessed risks through the development of the
audit plan.

(b) Planning involves discussions between the engagement partner and key members of
the engagement team to take advantage of their experience and insights. The outcome
of the planning process is conveyed to any team members not involved in the initial
planning meetings through the audit strategy and plan and communication with the
members involved in the process. The auditor may discuss elements of planning with
management to facilitate the co-ordination of the work of the client and audit staff.

QUESTION 4
(a) The audit strategy defines the scope, timing, and direction of the audit and is the
foundation for the detailed audit plan.

A strategy memorandum would normally cover such matters as:

• Confirmation that the pre-conditions for the audit have been met, including
independence requirements.

• The scope of the audit in terms of the financial reporting requirements
and the financial statement reporting obligations to be met by the client.
This establishes the subject matter and reporting criteria that the auditor is
concerned with and the boundaries of the audit engagement.

• The outcome of meetings with the client’s management and the information
obtained about the client and its environment, including the results of the
preliminary analytical procedures.

• The key judgements made in relation to the significant risks identified that could
result in material misstatements in the financial statements arising from either
fraud or error and how those risks are to be addressed during the audit. The
basis for the initial materiality judgement and management of audit risk.

• The nature of the evidence to be obtained in key areas of the audit.

• The audit methodology to be applied and the decisions made as to the
combination of tests of control and substantive procedures.


• The planned use of experts and other auditors where the client has operations
in other locations or a parent/subsidiary structure.

• The relationship with internal audit and the extent of any reliance on the work
of internal audit and the testing of that work.

• The nature and extent of IT resources required in the testing of internal control
and substantive procedures.

• The structure and composition of the engagement team in terms of the
quantity, competencies, and experience and how the work is to be assigned
commensurate with those attributes.

• The timetable for the various phases of the audit being interim testing of
controls, substantive testing, completion, and review.

• The audit budget and fee arrangements and the nature of any other services to
be provided to the client.

(b) The following concepts should be included in the memorandum.

As the demolition and construction is a potentially large and non-routine event,
there is a high risk of material misstatement. The accounting policy applied to the
treatment of the demolition and construction costs will need to be discussed with
management and assessed as to compliance with the Hong Kong financial reporting
standards. The control system to manage recording of the project and associated costs
will need to be documented and assessed to ensure that all costs are appropriately
recorded and reported in accordance with the accounting policy. The audit programme
should include tests of compliance with the controls implemented. In the absence of
appropriate internal controls over the project, substantive testing will need to be more
substantial at the year end to ensure that the asset recorded for the work undertaken
is appropriate. The audit plan should include substantive testing for any outstanding
liabilities under the contract at the balance sheet date.

The audit plan should include procedures designed to obtain assurance that the
transfer of data from the old system to the new system has been effective and reliable.
The review and testing of internal control on the new system should be as extensive as
would be applied to an initial review of a client’s system. As this system is an advanced
system, our firm’s IT specialist division will need to be involved in the review and testing
phases of the audit and should be contacted to arrange for the appropriate level of
resources and timetable for their involvement. Any issues arising from this review and
assessment should be communicated to management immediately for remedial action.


6 Audit Procedures and Audit Evidence

CHAPTER TOPIC LIST

6.1 Evidence and Assertions
6.1.1 Risk
6.1.2 Evidence
6.1.3 Assertions
6.2 Tests of Controls
6.2.1 Internal Control Components
6.2.2 Control Activities
6.2.3 Control Tests
6.2.4 Cycle Approach
6.3 Sampling
6.3.1 Sampling Risk
6.3.2 Sample Evaluation
6.3.3 ‘Big Data’
6.4 Substantive Procedures
6.4.1 Analytical Procedures
6.4.2 Tests of Details
6.4.3 Confirmations
6.5 Other Audit Evidence
6.5.1 Accounting Estimates
6.5.2 Fair Values
6.5.3 Initial Engagements and Opening Balances
6.5.4 Comparative Information
6.5.5 Related Party Transactions
6.6 Documentation
6.6.1 The Work Papers
6.6.2 Preparation of Working Papers
6.6.3 Completion of Audit Documentation


LEARNING OUTCOMES

PRINCIPAL LO1: PERFORM ASSURANCE ENGAGEMENTS


LO1.05: Prepare, plan, and develop assurance engagements including the audits of financial
statements in accordance with relevant Hong Kong Standards of Quality Control,
Auditing, Assurance and Related Services, guidance and legislation with emphasis on:
Documentation
1.05.01 Explain the need for, and importance of, audit documentation
1.05.02 Explain the procedures required to pull together audit files
1.05.03 Prepare the contents of audit work papers on the audit permanent and audit
engagement files
LO1.09: Prepare, plan, and develop assurance engagements including the audits of financial
statements in accordance with relevant Hong Kong Standards of Quality Control,
Auditing, Assurance and Related Services, guidance and legislation with emphasis on:
Audit procedures
1.09.01 Define audit sampling
1.09.02 Explain the need for sampling
1.09.03 Apply the basic principles of sampling and explain how the assessed risk and materiality
affect sampling
1.09.04 Analyse and explain the results of sampling
1.09.05 Explain the importance of internal control to an auditor and the execution of tests of control
1.09.06 Apply knowledge to demonstrate how an auditor identifies weaknesses in internal control
systems and how those weaknesses limit the extent of an auditor’s reliance on those systems
1.09.07 Determine the types of substantive procedures used (including big data analytics) and the
issues in evaluating the results obtained
1.09.08 Explain what is meant by analytical review and apply knowledge to demonstrate how
analytical review procedures are used in an audit
1.09.10 Design, in response to the assessed risk, the appropriate procedures and relevant disclosure
requirements for the audit of:
• Accounting estimates
• Fair values
• Opening balances
• Comparatives
• Related party transactions.
LO1.10: Prepare, plan, and develop assurance engagements including the audits of financial
statements in accordance with relevant Hong Kong Standards of Quality Control,
Auditing, Assurance and Related Services, guidance and legislation with emphasis on: The
confirmation procedures, follow up, or alternative procedures for non-reply confirmation
1.10.01 Apply the confirmation procedures to prepare the external confirmation requests
1.10.02 Apply the follow up procedures on those replied confirmation with disagreements and apply
the alternative procedures for any exceptions or non-reply confirmation


LO1.11: Prepare, plan, and develop assurance engagements including the audits of financial
statements in accordance with relevant Hong Kong Standards of Quality Control,
Auditing, Assurance and Related Services, guidance and legislation with emphasis on:
Audit evidence
1.11.01 Explain the procedures by which audit evidence may be obtained
1.11.02 Describe the appropriateness and sufficiency (relevance and reliability) of different sources of
audit evidence
1.11.03 Identify the information produced by the client which is used as audit evidence and describe
our work done
1.11.04 Plan an approach to gathering sufficient, appropriate audit evidence
1.11.05 Explain the assertions contained in the financial statements and their use in
obtaining evidence
1.11.06 Explain the need to modify the audit strategy and audit plan following the results of tests
of control
1.11.09 Evaluate whether sufficient audit evidence has been obtained during the audit


OPENING CASE

G&E MUSIC (GEM)

The GEM case will be used throughout this chapter and Chapter 7 (The Audit Programme) to
illustrate analytical review procedures, and procedures relating to major acquisitions.

GEM is an established electronics retailer. It has two distribution channels: an online store
and 300 retail stores. GEM holds significant market-share in many of its product categories
which include:

• Consumer electronics including televisions, audio equipment, computers, and
telecommunications products;

• Homewares including furniture, kitchen products, small appliances, and heaters and
coolers; and

• Software (CDs, DVDs, and games).


OVERVIEW

The overall objective of an audit of financial statements is to obtain reasonable assurance
about whether the financial statements as a whole are free from material misstatement,
so the auditor can express an opinion on those statements. Financial statements may be
misstated because accounts are under- or over-stated, or because disclosure is inadequate.
Misstatements arise from both error and fraud. Financial statement fraud is typically
distinguished from other forms of fraud associated with theft, though both are motivated by
self-interest, and fraud and theft frequently occur together.

The modern approach to auditing is ‘risk-based’. As was explained in Chapter 5, the auditor
plans the audit by first understanding the entity and its environment, the applicable financial
reporting framework, and system of internal control. This process includes designing and
performing risk assessment procedures to identify inherent risks and control risks which might
contribute to the misstatement of the client’s financial report, and second, by designing an
audit programme to assess these risks.

Section 6.1 of this chapter briefly reviews risk analysis, then introduces the framework
of assertions that comprise the financial statements and the evidence-gathering procedures
used by the auditor to test these assertions. Sections 6.2–6.4 discuss and provide illustrative
examples of the main techniques used by auditors to gather evidence: tests of internal controls,
sampling, and substantive testing.

• The client’s internal control system is tested to confirm the auditor’s assessment of
control risk, and the audit strategy.

• Sampling is used to increase audit efficiency.

• Substantive procedures are audit procedures for detecting material misstatements at
the assertion level. Two main types of substantive procedures are used by auditors:

   ◦ Substantive analytical procedures; and

   ◦ Tests of details.

Section 6.5 of the chapter discusses audit issues where the auditor is required to make
subjective and complex professional judgements. Examples include the audit of fair value
estimates and of related party transactions. Section 6.6 of the chapter discusses the auditor’s
responsibilities regarding documentation of the planning of the audit, the evidence gathered,
and the auditor’s conclusions regarding the financial statements.


6.1 EVIDENCE AND ASSERTIONS

6.1.1 Risk
As discussed in Chapter 5, audit risk is the risk that the auditor expresses an inappropriate
audit opinion when the financial statements are materially misstated.

Illustrative Example 1
Assume an audit firm’s policy regarding audit risk is that a 10% audit risk is acceptable
(zero risk, while desirable, is impossible – some ‘acceptable’ level of risk is unavoidable).
Some audit firms set lower levels of audit risk, say 5%, but lower risk entails more
evidence gathering, and more expensive audits. This is a low risk but low profit business
model. In contrast, other audit firms accept a high level of audit risk, say 20%. This
enables a less extensive and less costly audit. This latter business model is profitable
but risky.

Audit risk is a function of inherent risk, control risk, and detection risk as illustrated in the
audit risk model:

AR = IR × CR × DR

• Inherent risk – The susceptibility of an assertion about a class of transaction, account
balance, or disclosure to a material misstatement either individually, or when
aggregated with other misstatements, before considering any internal controls.

• Control risk – The risk that a misstatement that could occur in an assertion and that
could be material will not be prevented, or detected and corrected on a timely basis by
the entity’s control system.

• Detection risk – The risk that the auditor’s procedures will fail to identify a material
misstatement.

HKSA 315 (Revised 2019) indicates that inherent risk arises from the characteristics of the
entity and its environment such as its organisational structure and governance, the entity’s
business model, the accounting policies, and changes thereto, regulatory and industry factors,
and financial reporting measures to assess performance. These factors result in financial
report calculations that are complex, require subjective judgements, or have a degree of
uncertainty because of the nature of the data available on which to base calculations. This
could, for example, create opportunities for error and theft, and management’s bias towards
overstatement of assets, revenues, and profits, and understatement of liabilities and expenses.
Control risk is determined by the quality of the entity’s control system. Detection risk is
controlled by the auditor through the audit plan.

The audit strategy and the audit plan are risk-based. They reflect assessments of inherent
and control risks. Where the auditor’s risk assessment procedures to understand the entity and
its environment and financial reporting requirements indicate inherent risk factors indicative of
susceptibility of assertions to misstatement, the auditor develops the audit strategy and plan
appropriate to obtaining sufficient appropriate audit evidence on which to base an opinion
on the financial statements. The audit strategy depends on the extent to which the system of
internal control addresses the inherent risk which is reflected in an assessment of control risk.
Where control risk is low, a control-based audit strategy will be adopted, and the audit plan will
include extensive testing of key controls. Where control risk is high, an audit strategy based
mainly on substantive procedures will be adopted.

Where the risk of a material misstatement is high, the audit plan will require the auditor
to collect more audit evidence, and better-quality evidence, about the assertions at risk.
Performing more extensive and higher-quality audit procedures lowers detection risk.

In terms of the audit risk model presented above, this is equivalent to saying:

Where inherent and/or control risk are high, detection risk must be low to achieve
the desired level of audit risk.

Illustrative Example 2
Applying the model at the broad level, an audit firm’s policy with regard to audit risk is
10% indicating that the risk of an incorrect opinion is one in ten. A risk analysis of GEM,
their audit client, reveals medium inherent risk (50%) and medium control risk (50%).
Using the equation above to calculate detection risk, we see DR must be 40%. This means
the auditor must plan the audit to reduce detection risk to 40% – a 40% risk that the
auditor’s procedures will fail to detect a material misstatement.

AR = IR × CR × DR
10% = 50% × 50% × DR

Solving for DR: DR = 0.1 / (0.5 × 0.5) = 0.4 or 40%.

Why 40%? Some audit risk is removed because inherent risk is less than 100%, and
some because control risk is less than 100%. The remaining audit risk is reduced to the
10% target by the auditor’s procedures.

As an alternative example, if inherent risk were 100% because the auditor expected a
material error in the accounts, and control risk were 100% because the control system was
ineffective or non-existent, then detection risk would have to be reduced to 10%.


6.1.2 Evidence
To form an opinion, the auditor must obtain sufficient and appropriate audit evidence by
performing audit procedures that address identified risks. Sufficiency refers to the amount,
quantity, or extent of evidence. Obviously, more evidence is better than less.

The appropriateness or quality of evidence is determined by its relevance and reliability.

HKSA 500 identifies relevance and reliability as the main contributors to the quality of audit
evidence (HKSA 500.A5).

Relevance – Relevant evidence is that which provides information about the specific
assertion at risk as identified by the auditor. For example, inspection of a building provides
relevant evidence about its existence, but provides no evidence as to its valuation. The key to
understanding relevance is the type, or the nature, of the evidence (HKSA 500.A27–A30).

Procedure | Assertion
Inspection of physical objects, e.g. buildings, machinery, and inventory | Existence
Inspection of documents and records including contracts, invoices, journals, etc. | Various
Observation of people and activities, e.g. the carrying out of a control activity or the counting of inventory | Various
Inquiry (verbal) or confirmation (documentary) of various internal and external parties about a variety of information | Various
Re-performance, e.g. of control procedures | Various
Re-calculation, e.g. of a bank reconciliation | Valuation; accuracy
Analysis and analytical procedures, e.g. analysis of the trade receivables ageing or review of comparative information from prior years | Various
Vouching (back to source documents from the accounting records) (e.g. vouch sales journal entries back to invoices and then vouch an invoice back to shipping records and approved price lists) | Existence; occurrence; valuation; accuracy
Tracing (from source documents forward to the accounting records) (e.g. trace shipping records forward to the invoice and the sales journal) | Completeness; valuation; accuracy

EXHIBIT 6.1 Types of evidence

The auditor gathers a range of types of evidence. Many of these are noted in Exhibit 6.1
(HKSA 500.A14–A25).
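The vouching and tracing rows of Exhibit 6.1 differ only in direction, and the direction decides which assertion a test can address. The following sketch is an added example, not part of the learning pack; the record layouts, document numbers, and amounts are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Shipment:
    """Source document: a shipping record priced from the approved price list."""
    shipment_no: str
    quantity: int
    unit_price: int  # whole currency units, constructed values


@dataclass(frozen=True)
class JournalEntry:
    """Accounting record: one line of the sales journal."""
    invoice_no: str
    shipment_no: str
    amount: int


# Constructed sample data (hypothetical document numbers).
SHIPMENTS = [
    Shipment("SH-001", 2, 100),
    Shipment("SH-002", 1, 250),
    Shipment("SH-003", 5, 40),
    Shipment("SH-004", 3, 60),    # shipped but never invoiced or recorded
]
JOURNAL = [
    JournalEntry("INV-101", "SH-001", 200),
    JournalEntry("INV-102", "SH-002", 275),   # recorded above quantity x price
    JournalEntry("INV-103", "SH-003", 200),
    JournalEntry("INV-104", "SH-999", 500),   # no supporting shipment exists
]


def vouch(journal: List[JournalEntry],
          shipments: List[Shipment]) -> Dict[str, List[str]]:
    """Start from the accounting records and work back to source documents.

    Finds recorded sales with no supporting shipment (occurrence) and
    recorded amounts that disagree with quantity x approved price (accuracy).
    It cannot find shipments that were never recorded.
    """
    by_number = {s.shipment_no: s for s in shipments}
    unsupported: List[str] = []
    amount_mismatch: List[str] = []
    for entry in journal:
        document = by_number.get(entry.shipment_no)
        if document is None:
            unsupported.append(entry.invoice_no)
        elif document.quantity * document.unit_price != entry.amount:
            amount_mismatch.append(entry.invoice_no)
    return {"unsupported": unsupported, "amount_mismatch": amount_mismatch}


def trace(shipments: List[Shipment],
          journal: List[JournalEntry]) -> List[str]:
    """Start from source documents and work forward to the accounting records.

    Finds shipments with no journal entry (completeness). It cannot find
    journal entries that have no underlying shipment.
    """
    recorded = {entry.shipment_no for entry in journal}
    return [s.shipment_no for s in shipments if s.shipment_no not in recorded]


if __name__ == "__main__":
    print("Vouching exceptions:", vouch(JOURNAL, SHIPMENTS))
    print("Tracing exceptions: ", trace(SHIPMENTS, JOURNAL))
```

Each direction is blind to what the other finds: the fictitious sale INV-104 is visible only when vouching, and the unrecorded shipment SH-004 only when tracing.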

Reliability – Reliable evidence is trustworthy, and so is related to its source. For example,
bank statements are provided by a well-informed third party and are considered reliable.
Information provided to the auditor by management is more likely to be biased, and so is less
reliable.

Key sources of evidence include:

• The accounting records of the entity – journals, ledgers, and supporting calculations;
these are termed ‘primary evidence’;


• Other records of the entity – invoices, purchase orders, contracts, etc.; these are termed
secondary sources of evidence.

• Entity employees – who respond to the auditor’s written and oral enquiries.

• Third parties – knowledgeable parties who respond to the auditor’s written and oral
enquiries, and provide documentary evidence such as bank statements and invoices.

• The auditor.

In general:

• Regarding source, evidence obtained by the auditor is more reliable than third party
supplied evidence, which is in turn more reliable than that obtained from management
of the entity; and

• Regarding type, physical evidence is more reliable than documentary evidence, which
is in turn more reliable than oral evidence. Photocopies and digitised records are less
reliable than original documents.

• Both source and type are significantly affected by controls over the preparation and the
storage of the information.

• To achieve reasonable assurance, the auditor should always seek corroborating
evidence, that is seek multiple sources and types of evidence regarding an assertion.

• The greater the detection risk associated with an assertion, the higher the quality of
evidence required (HKSA 500.A31).

To understand reliability better, see Exhibit 6.2.

[Figure: reliability of evidence by type of evidence (physical, documentary, oral) and by source of evidence (management, third parties, auditor)]

EXHIBIT 6.2 Reliability of evidence

Following these guidelines about source and type of evidence, it should be clear that:

• A test count of inventory performed by the auditor is the most reliable type of audit
evidence – it is physical evidence gathered by the most trusted source (the auditor).

• At the other extreme, oral evidence provided by management of the entity, while
certainly important and useful, is the least reliable type of evidence.

• Documentary evidence provided by management (e.g. the inventory sub-ledger) is of
intermediate quality.


Timing – Timing refers to the date of performance of audit procedures. For items
appearing in the statement of financial position, evidence gathering procedures performed
close to the financial year-end date are most relevant and reliable. For items appearing in the
income statement and for tests of controls, evidence gathering procedures are most relevant
when performed throughout the period.

Evaluation – When evaluating audit evidence, consideration should be given to the
following:

• The work has been performed in accordance with the relevant professional standards
and the legal and regulatory requirements of Hong Kong;

• The auditor’s understanding of the entity and its internal control system;

• Experience gained in prior audits;

• Inherent and control risks identified during the audit planning process have been
appropriately addressed throughout the audit;

• Having designed and performed audit procedures to verify assertions in the financial
statements, the nature, timing, and extent of the procedures performed provided
relevant and reliable audit evidence capable of supporting the auditor’s opinion;

• Any significant matters identified (e.g. fraud or error) have been addressed
appropriately and the matter and outcomes have been documented;

• The work performed supports the conclusions reached and has been appropriately
documented;

• Where a reviewer decided that further audit work was required, that the nature
and extent of the further work was documented and subjected to a follow up
review; and

• Appropriate consultations have taken place within the audit team and with
management. Appropriate decisions were implemented and are supported by
documentation (HKSA 330.A62).

See Chapter 9, Section 9.1.1 for further discussion of the adequacy of audit evidence.

6.1.3 Assertions
While the auditor aims to express an opinion on the financial statements as a whole, most
audit procedures are applied at the assertion level. Audit procedures applied at the financial
statement level like the management representation letter and the legal counsel’s letter are
discussed in Chapter 9. These overall procedures are mainly carried out at the concluding stage
of the audit.


Exhibit 6.3 lists the assertions about classes of transactions, account balances, and related
disclosures used by the auditors to consider the different types of potential misstatements that
may occur.

Assertions about account balances, and related disclosures (assertions about account balances) | Assertions about classes of transactions and events, and related disclosures (assertions about transactions)
Existence: assets, liabilities, and equity interests exist | Occurrence: transactions and events that have been recorded or disclosed, have occurred, and such transactions and events pertain to the entity
Accuracy, valuation, and allocation: assets, liabilities and equity interests have been included in the financial statements at appropriate amounts and any resulting valuation or allocation adjustments have been appropriately recorded, and related disclosures have been appropriately described | Accuracy: amounts and other data relating to recorded transactions and events have been recorded appropriately, and related disclosures have been appropriately measured and described
Completeness: all assets, liabilities, and equity interests that should have been recorded have been recorded, and all related disclosures that should have been included in the financial statements have been included | Completeness: all transactions and events that should have been recorded have been recorded, and all related disclosures that should have been included in the financial statements have been included
Rights and obligations: the entity holds or controls the rights to assets, and liabilities are the obligations of the entity | Cut-off: transactions and events have been recorded in the correct accounting period
Presentation: assets, liabilities, and equity interests are appropriately aggregated or disaggregated and clearly described, and related disclosures are relevant and understandable in the context of the requirements of the applicable financial reporting framework | Presentation: transactions and events are appropriately aggregated or disaggregated and clearly described, and related disclosures are relevant and understandable in the context of the requirements of the applicable financial reporting framework
Classification: assets, liabilities, and equity interests have been recorded in the proper accounts | Classification: transactions and events have been recorded in the proper accounts

EXHIBIT 6.3 Assertions

The following illustrative example identifies those assertions that are relevant to the audit
of the inventory account.


Illustrative Example 3
GEM’s inventory is high risk because consumer products are frequently stolen, both by
customers and by employees. Stolen consumer products can be easily sold online. When
auditing the inventory account in the statement of financial position at GEM, the auditor’s
procedures will be designed to provide evidence that:

• Existence: inventory exists (it is not fraudulent, and the number of items is not
overstated);

• Accuracy, valuation, and allocation: inventory is properly valued (it is not obsolete,
and valuation follows the lower of cost or market rule);

• Completeness: inventory is complete (all inventory items have been brought to
account – none is missing, and the account is not understated);

• Rights and obligations: inventory is owned by the entity (rights);

• Presentation: presentation and disclosure are consistent with the applicable
accounting framework (e.g. Hong Kong Accounting Standard 2 – Inventories);

• Classification: inventory is properly classified as raw materials, work in process, and
finished goods.

It should be noted that the two types of assertions in Exhibit 6.3 – assertions about balances and
assertions about transactions – are identical, or are very similar.

• Completeness, classification, and presentation appear in both columns of Exhibit 6.3;
and

• While existence in the first column (assertions about account balances) is different from
occurrence in the second column (assertions about transactions), they are similar in
concept. Illustrative Example 4 shows the similarity between the existence of inventory
assertion and the occurrence of purchases assertion.

Illustrative Example 4
An auditor would need to test assertions regarding both the existence of inventory and
the occurrence of purchase transactions. These assertions are clearly linked because
a purchase increases inventory (Dr Inventory, Cr Accounts payable). Evidence of the
occurrence of a purchase is obtained from warehouse receiving reports. The existence of
inventory is verified by an inventory count. The auditor’s conclusion regarding the tests,
assuming the tests are successful, would be:

• Inventory exists at the period end date; and

• Purchase transactions occurred during the period.

Note that the existence and occurrence assertions provide information only about
quantities, not value.


Knowledge Check Questions

Question 1
You find your client’s inventory turnover has decreased significantly during the year.
Identify which of the following assertions you would be least concerned with.
A Existence of inventory.
B Presentation of inventory.
C Accuracy, valuation, and allocation of cost of goods sold and inventory.
D Completeness of inventory.

Question 2
In auditing trade payables, identify the assertion below for which an auditor
considers a potential misstatement would most likely occur.
A Existence of accounts payable.
B Rights and obligations regarding accounts payable.
C Completeness of accounts payable.
D Occurrence of accounts payable.

Question 3
Identify which of the following is the least important objective of the auditor in undertaking
substantive audit procedures for current assets.
A Determine the completeness of the current assets.
B Establish the existence of the current assets.
C Determine the adequacy of internal controls.
D Determine that the entity holds or controls the right to the current asset.

Question 4
Identify which of the following assertions an auditor would most likely address by making
enquiries of production and sales personnel concerning possible obsolete or slow-moving
inventory.
A Accuracy, valuation, and allocation of inventory.
B Rights and obligations regarding inventory.
C Existence of inventory.
D Completeness of inventory.

Question 5
Identify which of the following assertions regarding the cash account is being tested when
tracing from a sample of remittance advices to determine whether all remittances are recorded
in the cash receipts journal.
A Completeness of cash.
B Occurrence of cash.
C Rights and obligations of cash.
D Accuracy, valuation, and allocation of cash.

Question 6
Identify which of the following assertions for ending inventory is at risk of material
misstatement if gross profit is higher than last year.
A Existence of ending inventory.
B Completeness of ending inventory.
C Presentation of ending inventory.
D Accuracy of ending inventory.

Question 7
Consider the following three types of evidence collected by an auditor as part of their
examination of trade receivables.
A A schedule prepared by the client showing the ageing of trade receivables.
B Positive confirmations of year-end balances returned by 10% of customers.
C A schedule prepared by the auditor comparing the current allowance for doubtful debts
with the prior year’s audited balance.

For each of the three types of evidence, consider its reliability and relevance in terms of
source, type, timing, and extent.

6.2 TESTS OF CONTROLS

Internal control is a huge topic. Whole textbooks are devoted to the subject. Auditors’ internal
control questionnaires for an audit engagement may be as much as 100 pages long! This
section cannot provide a comprehensive description of an internal control system, nor can it
provide a comprehensive list of internal controls and appropriate tests for those controls.

What this section does provide is:

• An introduction to internal control, control system components, and common control
activities;

• A description of some of the key controls which might be included in an organisation’s
sales transaction cycle; and

• Examples of tests that might be applied to those controls by an auditor.

The aim of this section is to familiarise students with the different types of controls
which might exist in the sales transaction cycle, and provide examples of tests of these
controls, so that students can apply this knowledge of controls and tests to other transaction
cycles and accounts. Chapter 7 includes control tests relevant to other accounts.

6.2.1 Internal Control Components


During the planning stage of the audit, the auditor makes a preliminary investigation of the
entity’s internal control system and documents the understanding of the five components
of the system in the audit working papers. Understanding the entity’s system of internal
control is required under HKSA 315 (Revised 2019) as part of the process of performing
risk assessment procedures to identify and assess the risk of material misstatement at the
financial statement and assertion levels. For identified risks of material misstatement at the
assertion level HKSA 315 (Revised 2019) requires a separate assessment of inherent risk and
control risk.

The five components were introduced in Chapter 5, Section 5.2 when the topic
of control risk was discussed. The five components identified in HKSA 315 (Revised),
paragraph 12(m), are:

1. The control environment, for example how management creates and maintains the
entity’s culture, demonstrates its commitment to integrity and ethical values, and
assigns authority and responsibility;

2. The entity’s risk assessment process, for example how the entity’s risk assessment
process identifies and manages new information systems, new products, rapid growth,
and new accounting requirements;

3. The entity’s process to monitor the system of internal control, for example the activities
of an internal audit function;

4. The information system and communication, for example activities and policies and
records to initiate and record transactions and maintain accountability for related
assets and liabilities, and resolve incorrect processing; and

5. Control activities, for example controls over authorisation and approval of transactions,
reconciliations, and verifications.

These components have been addressed in detail in Chapter 5, Sections 5.3 and 5.5.

The auditor’s preliminary investigation of the control system enables the auditor to make a
preliminary conclusion about control risk – whether it is high, medium, or low.

CR = High. High control risk means that there is a high risk that the control system will fail
to prevent, or fail to detect and correct on a timely basis, an error. Where control risk is high,
an audit strategy based on substantive procedures will be adopted and no control tests are
required. In the case of small organisations, control systems are often inadequate, and the
auditor can assess control risk as ‘high’ with little investigation and an audit strategy based on
substantive procedures will be adopted.

CR = Low. Where control risk is low, the auditor believes that the control system will, to an
extent, prevent, or detect and correct on a timely basis, an error. The audit plan will include
testing of key controls along with substantive procedures. This audit strategy is often called a
‘lower assessed level of control risk approach’, or more simply a combined approach. This latter
term will be used in what follows.

The auditor is required to test any new or changed controls in the current audit period.
Where controls have been tested in prior years’ audits, and no changes to the control system
have taken place in the current year, the auditor is required to test all controls every third year,
with some of the controls being tested in each audit period (HKSA 330.14(b)). If the auditor
plans to rely on controls over a risk the auditor has determined to be a significant risk, the
auditor shall test those controls in the current period.

Most large organisations invest heavily in their control systems, and the auditor is likely to
make a preliminary assessment of control risk as ‘low’. An audit strategy based on both testing
controls and on substantive testing will be adopted.

CR = Medium. In between the extremes of small and large organisations are many
organisations whose control systems are good in some ways, and poor in others, and the
auditor will classify control risk as medium. The auditor is likely to adopt a mixed audit
strategy here. Poorly controlled accounts will be subject solely to substantive testing, and
well-controlled accounts will be subject to a combined approach. Those accounts most likely
to be well controlled are those with a high volume of similar transactions (e.g. Cash, Trade
Receivables, Inventory, Trade Payables, and Payroll). In contrast, accounts with few and
dissimilar transactions (e.g. Property, plant, and equipment) are less likely to be well controlled
and are most efficiently audited with substantive procedures.

Section 2 discusses those aspects of the audit plan unique to a combined approach – the
control tests. The flow of the auditor’s activities should first be to understand the design of
the business process and the relevant controls. Then, the auditor determines whether the
design of the controls is effective by performing a walkthrough test of significant types of
transactions. This walkthrough follows key transactions – like a sale – and associated controls,
from initiation to conclusion. If the controls appear effective in reducing control risk, the
auditor will then perform tests to see whether the controls have been performed effectively
throughout the year.

For efficiency, the auditor will most often carry out control tests of an account or a
transaction cycle at the same time as the planned substantive tests. These are called
‘dual-purpose’ tests. For example, an auditor may examine an invoice for evidence of approval
(a control) and trace the invoice total to the trade receivables sub-ledger (a substantive test)
(HKSA 330.A23). However, for simplicity, this section will address control tests exclusively.

To validate the preliminary control risk assessment and the anticipated audit strategy,
the auditor must ensure that all five components of the control system are appropriately
designed and are operating effectively. Section 6.2.2 focuses on the ‘control activities’
component because this component includes controls that are designed to ensure the proper
application of policies in all other components and have a direct effect on individual assertions
(e.g. existence of inventory). Control activities are fundamental to the design of the auditor’s
procedures.

HKSA 315 (Revised 2019), paragraph 26, requires that the auditor gains an understanding
of the control activities component of the system of internal control through performing risk
assessment procedures and that the auditor then evaluates whether the controls are effectively
designed to address the risk of material misstatement at the assertion level or to support other
controls and determine whether they have been implemented.

6.2.2 Control Activities


As indicated in Chapter 5, the components of the system of internal control are inter-related.
The control activities component includes controls designed to ensure the proper application of
policies in other components and controls that address the risk of material misstatement at the
assertion level.

The information system and communication components are more directly focused
on activities and policies covering the financial reporting process. The information system
component deals with information processing within the entity.

As noted in HKSA 315 (Revised 2019), the audit focus in the control activities component is
therefore on the identification and evaluation of information processing controls directed at
the integrity of information in terms of the completeness, accuracy, and validity of transactions.
In combination these components focus on information processing relevant to preparing the
entity’s financial statements.

Specifically, the auditor’s focus under the control activities component is identified in HKSA
315 (Revised 2019), paragraph 26, as evaluating the design effectiveness and implementation of
controls at the assertion level that:

• Address significant risks.

• Cover journal entries, including non-standard entries and unusual transactions or
adjustments as the primary source of transaction processing into the accounting
records in all audits.

• Represent controls whose operating effectiveness the auditor plans to test in determining
the nature, timing, and extent of substantive procedures.

• Deal with the identification and assessment of the risk of material misstatement.

• Relate to assertions covered by IT applications and the risk of the use of IT and the
general IT controls that deal with those risks.

The auditor first evaluates the design of a control by considering whether the control,
individually or in combination with other controls, is capable of preventing, detecting, and
correcting material misstatements. Evaluating implementation involves establishing whether
the control exists and the entity is applying the control. The risk assessment procedures to
obtain evidence on these matters include performing procedures additional to enquiring of
entity personnel, for example inspection of documents and reports, and observation of the
application of controls.

The following are the types of control activities identified in HKSA 315 (Revised 2019),
Appendix 3, para 20:

• Authorisation and approvals. An authorisation affirms that a transaction is valid (i.e. it
represents an actual economic event or is within an entity’s policy). An authorisation
typically takes the form of an approval by a higher level of management or of
verification and a determination if the transaction is valid. For example, a supervisor
approves an expense report after reviewing whether the expenses seem reasonable
and within policy. An example of an automated approval is when an invoice unit
cost is automatically compared with the related purchase order unit cost within a
pre-established tolerance level. Invoices within the tolerance level are automatically
approved for payment. Those invoices outside the tolerance level are flagged for
additional investigation.

• Reconciliations. Reconciliations compare two or more data elements. If differences are
identified, action is taken to bring the data into agreement. Reconciliations generally
address the completeness or accuracy of processing transactions.

• Verifications. Verifications compare two or more items with each other or compare
an item with a policy, and will likely involve a follow-up action when the two items do
not match or the item is not consistent with policy. Verifications generally address the
completeness, accuracy, or validity of processing transactions.

• Physical or logical controls, including those that address the security of assets against
unauthorised access, acquisition, use or disposal. Controls that encompass:

  ◦ The physical security of assets and records.

  ◦ The authorisation for access to computer programs and data files (i.e.
    logical access).

  ◦ The periodic counting and comparison with amounts shown on control records
    (for example comparing the results of cash, security and inventory counts with
    accounting records).

• Segregation of duties. Assigning different people the responsibilities of:

  ◦ Authorising transactions;

  ◦ Recording transactions; and

  ◦ Maintaining custody of assets.

Segregation of duties is intended to reduce the opportunities to allow any person to
be in a position to both perpetrate and conceal errors or fraud in the normal course of the
person’s duties. For example, a manager authorising credit sales should not be responsible
for maintaining accounts receivable records or handling cash receipts. If one person is able to
perform all these activities the person could, for example, create a fictitious sale that could go
undetected.

Apply and Analyse 1


Jones Pty. Ltd (JPL) is a food wholesaler that imports goods from an overseas
manufacturer. The accounts payable clerk handles all purchases of inventory, buying
in bulk to achieve maximum discounts. She updates the stock records and the
accounts payable sub-ledger when goods are delivered and approves the payment of
supplier’s invoices.

1. Identify the main control system weakness evident in this situation. Explain
your choice.

2. Identify four assertions at significant risk and explain your choice.

Analysis:

1. The control issue is segregation of authorisation, recording, and access to assets.
The AP clerk can initiate transactions, post the AP and inventory sub-ledgers, and
make payments. This would enable her to order goods from a fictitious entity,
record the receipt of those fictitious goods, and record and make payments to that
entity (herself).

2. A number of assertions are at significant risk (existence and valuation of inventory;
existence and obligations of accounts payable; accuracy of cost of goods sold):

   1. Existence of inventory and payables. The clerk could create a fraudulent
   purchase and pay themselves or a related party rather than the named
   supplier. Fraudulent invoices and receiving reports would provide evidence for
   a fraudulent obligation.

   2. Valuation of inventory and payables. The clerk could initiate a legitimate
   purchase transaction and alter the supplier’s invoice to indicate excessive
   prices. The excess amount could be paid to the clerk or a related party.

   3. Accuracy of COGS. The COGS amount would be incorrect if the inventory
   account was overstated by the value of any fraudulent purchases.
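The segregation-of-duties weakness in the JPL case can be tested directly against a system's user access listing. The following is an added example, not part of the learning pack: the permission names, the catalogue mapping them to duties, and the user listing are constructed, and the AP clerk's right to release payments follows the analysis above.

```python
from collections import defaultdict

# Constructed permission catalogue: permission -> (transaction cycle, duty).
# Permission names are hypothetical; the three duties are the ones the text
# says should be assigned to different people.
PERMISSION_DUTY = {
    "purchase_order.create":    ("purchases", "authorise"),
    "supplier_invoice.approve": ("purchases", "authorise"),
    "stock_records.update":     ("purchases", "record"),
    "ap_subledger.post":        ("purchases", "record"),
    "supplier_payment.release": ("purchases", "custody"),
    "credit_sale.approve":      ("revenue", "authorise"),
    "ar_subledger.post":        ("revenue", "record"),
    "cash_receipts.handle":     ("revenue", "custody"),
}

# Constructed user access listing, modelled on the JPL scenario.
USER_PERMISSIONS = {
    "ap_clerk": ["purchase_order.create", "stock_records.update",
                 "ap_subledger.post", "supplier_invoice.approve",
                 "supplier_payment.release"],
    "credit_manager": ["credit_sale.approve"],
    "ar_clerk": ["ar_subledger.post", "cash_receipts.handle"],
    "warehouse": ["stock_records.update", "goods_received.scan"],
}


def review_access(user_permissions, catalogue=PERMISSION_DUTY):
    """Return (conflicts, unmapped).

    conflicts: {user: {cycle: sorted duties}} where one user holds two or
               more of authorise/record/custody within the same cycle.
    unmapped:  {user: sorted permissions} that are absent from the catalogue,
               so the reviewer knows the result is incomplete for those rights.
    """
    conflicts, unmapped = {}, {}
    for user, perms in user_permissions.items():
        duties = defaultdict(set)
        for perm in perms:
            if perm not in catalogue:
                unmapped.setdefault(user, set()).add(perm)
                continue
            cycle, duty = catalogue[perm]
            duties[cycle].add(duty)
        clash = {c: sorted(d) for c, d in duties.items() if len(d) > 1}
        if clash:
            conflicts[user] = clash
    return conflicts, {u: sorted(p) for u, p in unmapped.items()}


if __name__ == "__main__":
    found, unknown = review_access(USER_PERMISSIONS)
    for user, clash in found.items():
        for cycle, duties in clash.items():
            print(f"{user}: {cycle} cycle combines {', '.join(duties)}")
    for user, perms in unknown.items():
        print(f"{user}: permissions not in catalogue: {', '.join(perms)}")
```

The unmapped list matters as much as the conflicts: a permission missing from the catalogue is an access right nobody has classified, so the conflict result cannot be relied on for that user.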

6.2.3 Control Tests


Risk assessment involves obtaining evidence from a number of different sources and
procedures. As part of the risk assessment process to gain an understanding of the entity
and its environment and system of internal control, a preliminary examination of the control
system is undertaken as input into the development of the audit strategy and audit plan.
The auditor identifies and documents the key controls that they intend to rely on to reduce
control risk. In order to rely on these controls, the effectiveness of each must be tested. Before
performing these control tests the auditor should perform a walkthrough to confirm their
understanding of the entity’s system and key internal controls. A ‘walkthrough’ is the act of
going slowly through the steps of a process in order to learn it.

The testing of controls will vary with the type of transaction, the recording process, and the
design of the control. Differing approaches to testing controls will be taken depending on:

• Whether controls are automated or manual;

• Whether controls pertain to common transactions like sales or purchases, or less
common transactions like adjusting entries and accounting estimates (e.g. depreciation
expense, goodwill, or fair values); and

• The degree of reliance the auditor intends to place on the controls.

The auditor should make inquiries and obtain other evidence about key controls to
determine how the controls are applied, the consistency of application throughout the period,
and the personnel and systems involved. Testing should be performed at a particular time, or
throughout the period depending on the level of reliance anticipated in the audit plan. Where
evidence is obtained at an interim period, further evidence should be obtained regarding any
changes to the controls and the effectiveness of their application in the subsequent period. If
controls have not changed since evidence was last obtained about their effectiveness, the time
period before further testing is carried out should take into account:

• The effectiveness of other elements of the entity’s control system including the control
environment, monitoring systems, and risk assessments;

• The effectiveness of general IT controls;

• The nature and extent of control deviations noted in previous audits;

• Personnel changes that might have affected the application of the control;

• Whether controls continue to be relevant in light of changing circumstances; and

• The risk of material misstatement and the extent of reliance on the control.

(HKSA 330.10–13)

6.2.3.1 Automated Controls


Most accounting systems are computerised to some extent. In accordance with HKSA 315
(Revised 2019), paragraphs 26(a), (b), and (c), the auditor identifies the risks arising from the use
of IT applications and the general IT controls to manage those risks. Understanding the risks
arising from the use of IT is an important input into the auditor’s decision about whether to
test the operating effectiveness of controls to address the risk of material misstatement at the
assertion level.

Even the smallest business is likely to use an accounting package like QuickBooks which
provides controls such as:

• Access controls (e.g. passwords);

• Security controls (e.g. backups);

• Bank reconciliations; and

• Processing controls to ensure that transactions entered into the system are properly
and accurately carried forward to the ledger and the financial report.

Accounting systems designed for larger businesses replace most traditional manual
aspects of accounting and control systems with programmed procedures and controls. While
the control objectives and the auditor’s objectives are the same in manual and computerised
environments, the nature of the control procedures and the audit approach to testing those
controls will differ.

When IT applications relevant to the information system are being used by the entity,
the auditor, in making a decision to rely on automated controls, needs to understand
and evaluate whether the general IT controls (for example controls to prevent or detect
unauthorised program changes or access to IT applications) are effectively designed and
implemented. To the extent that the auditor intends to rely on information produced by IT
applications and system-generated reports, the testing of general and application controls
is a function of the IT risk. Where IT applications include automated controls, those controls
need to be tested.

Audit procedures for automated control activities might include the following:

• Test system processing by submitting test transactions (both normal and with error
conditions) to determine that transactions are processed properly, or, where error
conditions exist, the transactions are rejected and reported (a test data approach).

• Casting (addition) and cross-casting (multiplication) of transactions and sub-ledgers.

• Review exception (error) reports for accuracy and evidence of the follow-up of errors.

• Take a random sample of transactions and examine evidence that key controls are
working as planned (e.g. authorisation controls).

• Search for duplicate entries, whether by transaction number or another identifier.

• Search for accounting entries that were posted at unusual times – like at night or on
weekends, or just before year-end.

• Search for transactions with missing information fields.

• Search for transactions with unusual sources. For example, debits to cash should
normally have a matching credit to trade receivables. Entries to either account without
the expected matching entry should be flagged for examination.

• Search for credit entries in expense accounts.
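Several of the searches in this list can be run over an export of journal lines. The sketch below is an added example, not part of the learning pack; the field names, the working-hours and year-end windows, and the sample journal lines are constructed assumptions.

```python
from collections import defaultdict
from datetime import date, datetime

FIELDS = ("journal_id", "doc_ref", "posted_at", "account",
          "debit", "credit", "approved_by")
REQUIRED = ("doc_ref", "posted_at", "account", "approved_by")
EXPENSE_ACCOUNTS = {"Selling expenses", "Administrative expenses"}
YEAR_END = date(2020, 12, 31)          # constructed year-end
TESTS = ("duplicate_doc_ref", "missing_field", "unusual_time",
         "credit_in_expense", "unmatched_cash_or_receivable")

# Constructed journal lines in FIELDS order.
LINES = [
    ("J001", "INV-1001", "2020-11-03T10:15", "Trade receivables", 500, 0, "sm"),
    ("J001", "INV-1001", "2020-11-03T10:15", "Sales", 0, 500, "sm"),
    ("J002", "RA-2001", "2020-11-10T11:00", "Cash", 500, 0, "tr"),
    ("J002", "RA-2001", "2020-11-10T11:00", "Trade receivables", 0, 500, "tr"),
    ("J003", "INV-1001", "2020-11-12T09:30", "Trade receivables", 500, 0, "sm"),
    ("J003", "INV-1001", "2020-11-12T09:30", "Sales", 0, 500, "sm"),
    ("J004", "RA-2002", "2020-11-14T23:40", "Cash", 900, 0, "tr"),
    ("J004", "RA-2002", "2020-11-14T23:40", "Sales", 0, 900, "tr"),
    ("J005", "ADJ-01", "2020-12-30T16:00", "Trade receivables", 7000, 0, ""),
    ("J005", "ADJ-01", "2020-12-30T16:00", "Sales", 0, 7000, ""),
    ("J006", "ADJ-02", "2020-12-01T14:00", "Cash", 300, 0, "fc"),
    ("J006", "ADJ-02", "2020-12-01T14:00", "Selling expenses", 0, 300, "fc"),
]


def run_journal_tests(lines, year_end=YEAR_END, cutoff_days=3):
    """Return {test name: sorted journal ids flagged for follow-up}."""
    journals = defaultdict(list)
    for row in lines:
        journals[row[0]].append(dict(zip(FIELDS, row)))

    flags = {name: set() for name in TESTS}

    # Duplicate entries: one source document posted by more than one journal.
    by_ref = defaultdict(set)
    for jid, rows in journals.items():
        for r in rows:
            if r["doc_ref"]:
                by_ref[r["doc_ref"]].add(jid)
    for jids in by_ref.values():
        if len(jids) > 1:
            flags["duplicate_doc_ref"] |= jids

    for jid, rows in journals.items():
        for r in rows:
            if any(r[f] in ("", None) for f in REQUIRED):
                flags["missing_field"].add(jid)
            if r["posted_at"]:
                ts = datetime.fromisoformat(r["posted_at"])
                # Assumed windows: outside 07:00-20:00, weekends, or the
                # last few days before year-end.
                near_year_end = 0 <= (year_end - ts.date()).days <= cutoff_days
                if (ts.hour < 7 or ts.hour >= 20 or ts.weekday() >= 5
                        or near_year_end):
                    flags["unusual_time"].add(jid)
            if r["account"] in EXPENSE_ACCOUNTS and r["credit"] > 0:
                flags["credit_in_expense"].add(jid)
        # Unusual sources: a debit to cash is expected to pair with a credit
        # to trade receivables; flag either side appearing without the other.
        cash_dr = any(r["account"] == "Cash" and r["debit"] > 0 for r in rows)
        ar_cr = any(r["account"] == "Trade receivables" and r["credit"] > 0
                    for r in rows)
        if cash_dr != ar_cr:
            flags["unmatched_cash_or_receivable"].add(jid)

    return {name: sorted(jids) for name, jids in flags.items()}


if __name__ == "__main__":
    for name, jids in run_journal_tests(LINES).items():
        print(f"{name}: {', '.join(jids) or 'none'}")
```

A flagged journal is an item for enquiry, not a finding; for instance, a cash sale legitimately debits cash against sales, so the thresholds and pairings should be set from the auditor's understanding of the entity.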

Audit procedures for manual control activities might include the following:

• Take a random sample of transactions and examine supporting documentary evidence
(e.g. sales orders, shipping documents, invoices, cash receipts listing) that key controls
are working as planned (e.g. authorisation).

• Observe and make enquiries of client personnel about the performance of accounting
and control activities (e.g. observe segregation of duties).

Audit procedures for controls over adjusting entries and accounting estimates:

• View documentation to ensure the reason for the entry is explained and is valid,
that the calculation of the amount is based on reliable sources, and that the entry is
authorised.

Apply and Analyse 2


You are auditing the mortgage revenue account for a large financial institution where the
regular business transactions are initiated, recorded, and processed in a highly automated
IT system with little manual intervention.

What audit issues would arise from the risk assessment process that would impact the
audit of this account?

Answer

Audit evidence may only be available in electronic form and its sufficiency and
appropriateness is generally a function of controls over the accuracy and completeness of
processing.

There is the potential for material misstatement occurring and for it not to be detected
if controls are not operating effectively.

Substantive procedures alone would not be effective as evidence is not in observable
form.

The audit approach would require extensive testing of controls over the accuracy and
validity of transactions, to ensure that the entity’s information processing system correctly
records the revenue.

6.2.3.2 Degree of Reliance


If the auditor’s planned reliance on a control is low, then a simple test such as inquiry of
personnel or observation of evidence of the performance of the control may be adequate.

If the auditor’s planned reliance is high, a more effective test is required.

Illustrative Example 5
A common key control over the recognition of revenue is the matching of a customer
sales order and shipping document before the revenue is recognised (and a sales invoice
issued). Performance of this control might be indicated by the sales clerk’s initials on the
sales invoice. The auditor might perform a simple test like examining the sales invoices
for the clerk’s initials, or a stronger test like matching the three documents – in effect
re-performing the actions of the clerk. Re-performance is a strong control test.

6.2.4 Cycle Approach


To carry out control tests efficiently, a cycle approach is normally adopted. A transaction cycle
is a chain or sequence of related transactions. For example, a customer order, a shipment,
recording the sale and receivable, and lastly, recording the cash receipt. The transaction cycle
can be extended by including a sales return or allowance, an allowance for bad debts, and a
bad debt write-off.

Accounts within a cycle can be audited together efficiently because the audit evidence
associated with each transaction in the cycle is related and can be accessed through
common identifiers like a sales order number or a purchase order number. Examples of key
cycles include:

• The revenue cycle

  ◦ Accounts affected: sales, trade receivables, cash receipts, sales returns and
    allowances, allowance for doubtful debts, and bad debts expense.

• The purchases cycle

  ◦ Accounts affected: inventory, cost of goods sold, manufacturing expenses, prepaid
    expenses, selling expenses, administrative expenses, cash payments, accounts
    payable, and purchase discounts.

• The payroll and personnel cycle

  ◦ Accounts affected: cash, payroll expenses, payroll withholdings, and
    payroll accruals.

Other cycles exist and audit procedures including both control tests and substantive tests
for these are described in Chapter 7. What follows is a description of the first of these cycles,
the revenue cycle. This description reflects a generic type of business much like GEM, the
music retailer introduced at the beginning of the chapter. While all entities have a revenue
cycle, some variety is to be expected depending on the nature and size of the entity, and
its industry.

6.2.4.1 The Revenue Cycle


The key accounts are:

• Sales;

• Trade receivables; and

• Cash.

Other accounts in the revenue cycle are likely to include:

1. Sales returns and allowances;

2. The allowance for doubtful debts;

3. Bad debts expense;

4. Warranty expense;

5. Warranty liability; and

6. Sales commissions expense.

These other accounts may not be material in terms of their value, but they are high risk
because the accounting entries involve subjectivity and estimation. For example, a common
source of overstatement error in trade receivables is the understatement of the allowance for
doubtful debts.

Risk
Sales revenue and the associated trade receivables and cash accounts are highly susceptible
to fraud and the misappropriation of assets, and fraud is common. The revenue area is
one in which the normal expectation that auditors will be unbiased in their investigations is
abandoned, and auditors are required to presume the existence of revenue fraud in designing
their audit plan. A key aspect of the audit plan for revenue is the assumption of a high level of
risk of revenue fraud, which would include the risk of management override of controls in the
revenue cycle.

Illustrative Example 6
An analyst says the push for structural reforms in the economy appears to have sparked a
backlash in the form of companies inflating their profitability. Some state-owned firms
that were audited have in recent years inflated their revenues by more than RMB 200
billion (US$29 billion) and boosted their profits by RMB 20 billion with faked business and
manipulated books.

Evidence gathering procedures designed to address revenue fraud would include:

• Searching for, and enquiring about, unusual journal entries;

• Reviewing accounting estimates for evidence of bias; and

• Reviewing prior years’ accounting estimates.

While understatement fraud and error may occur in sales, trade receivables, and cash,
fraudulent overstatement is the critical audit risk. There are several common ways that
revenues and trade receivables are misstated. Exhibit 6.4 identifies some of these, explains
the motivation for the fraud or theft, and identifies the assertion at risk of misstatement.

| Risk | Reason for fraud/theft | Assertions at risk |
|---|---|---|
| Recording non-existent (fraudulent) sales | Overstatement of sales/profit/net assets | Existence of Trade receivables; occurrence of Sales |
| Early recognition of sales (e.g. before the shipment of goods) | Overstatement of sales/profit/net assets | Cut-off of sales; Existence of A/R; occurrence of sales |
| Failing to record sales | Theft of sales revenue (cash or cheques) | Completeness of Trade receivables and Sales |
| Recording sales below authorised prices | Theft of revenue, or receiving kickbacks from customers | Valuation and allocation of Trade receivables; accuracy of sales |
| Other inappropriate revenue recognition (e.g. when the customer has the right of return) (see below) | Overstatement of sales/profit/net assets | Rights and obligation of trade receivables; occurrence of sales |
| Manipulation of accounting adjustments/estimates (e.g. understatement of the sales returns and allowances account leads to an overstatement of sales) | Overstatement of sales/profit/net assets | Valuation of Trade receivables; accuracy of sales |

EXHIBIT 6.4 Inherent risk in the revenue cycle

Revenue recognition and risk


The initiating transaction in the revenue cycle is the sale. While many retail businesses have
simple and well-controlled sales systems, other businesses’ sales are complex and not easily
controlled.

Illustrative Example 7
1. Project businesses. Consider a business that builds urban rail systems. Such
large projects might extend over multiple years, and contracts with government
authorities might include thousands of pages of specifications and legal
documentation. Appropriate recognition of revenue in these circumstances will
involve judgement in interpretation of the contract terms, and uncertainty in
estimates of the appropriate timing and the amounts to be recognised.

2. Online sellers. Another common risk in revenue recognition arises with online
sellers. Companies like Amazon provide a marketplace where buyers and sellers
can transact and provide for a secure payment system. The goods are shipped to
the customer directly from the manufacturer. Amazon does not take title to the
products or handle them. For this service, Amazon takes a commission on the sale.
The revenue recognised by the online seller should be the commission amount,
and not the full sales price.

6.2.4.2 Assertions, Controls, and Tests of Controls


As noted above, internal controls depend on the extent of automation of the accounting system
and the control environment. Before describing common control activities and tests of controls
of the sales transaction cycle, a brief description of the transaction cycle is offered.

In what follows, documents referred to may be either paper or electronic. In the past, a
manual accounting system meant the use of paper documents and the absence of computer
processing. This is no longer the case. Paper-based systems are uncommon. A manual or
traditional system today implies a significant level of intervention in the recording process
by personnel and a moderate level of computer processing. An ‘electronic’ system is highly
automated, with little intervention by personnel.

The common steps in the revenue cycle include:

1. The cycle begins with the receipt of a purchase order (PO) from an authorised
customer (paper or electronic), or the completion of a sales order (SO) by a salesperson
(if the transaction is initiated by the customer PO, a sales order is then generated in
response). The sales orders should:

• Be pre-numbered;

• Provide for evidence of authorisation of the sale and credit approval;

• Describe the item, price, and shipping terms; and

• Provide authorised billing and shipping addresses.

2. A shipping document listing the items to be shipped and showing the customer
identification is generated from the authorised sales order and forwarded to
the warehouse. After packing, a completed packing list is forwarded to the billing
department.

3. Invoices are prepared when notification is received that goods are shipped. Invoice
items, quantities, and prices should be agreed to the sales order and shipping
document (manually or electronically).

4. Cash receipts are of four main types: cash, credit card payments, cheques, and
electronic transfers. Each type of receipt has its own control challenges.

I. Cash receipts are deposited daily by stores at a local bank branch. Deposits are
reconciled daily with sales (cash register) listings.

II. Credit card payments are controlled by the card issuer for a fee. Listings of
approved credit card payments are provided to the business daily for reconciliation
with recorded sales.

III. Cheques received are accompanied by a customer remittance advice. Where no
advice is received, one is created. Scanners may read the two documents so that
identified differences can be reconciled and corrected. The cheques and remittance
advices are batched: cheques are deposited, and remittance advices posted to
the trade receivables sub-ledger. Controls include segregation of cheques and
remittance advices for deposit and posting; reconciliation of postings and deposits;
and computer edit tests to identify errors.

IV. Electronic transfers. Detailed remittance advices are forwarded by the bank to the
client daily for posting to trade receivables. Controls include reconciliation of daily
deposits with trade receivables postings, and with sales listings; review by internal
audit or treasury; comparison to the cash budget; and follow-up of discrepancies
reported by customers.

Exhibit 6.5 identifies the key revenue related assertions, controls that may be used to
ensure the accuracy of the assertions, and audit tests of controls that may be carried out to
verify the proper operation of the controls. Exhibits 6.6 and 6.7 provide the same information
for the other key accounts in the revenue cycle – Trade receivables and Cash.

| Assertion | Control | Tests of controls |
|---|---|---|
| Occurrence | Invoices are prepared and recorded after evidence of shipment of goods. | Match sales invoices to shipping documents and customer sales orders. |
| | Goods shipped are agreed to customer sales orders. | Examine sales orders for evidence of approval and note dates to ensure that invoicing followed shipping. |
| | Sales are made to approved customers. | Agree customers to approved customer list. Review approval process. |
| Accuracy | Sales prices are taken from an approved price list. | Observe approved price list. Review approval process. |
| | Reconciliation of sales journal. | Inquire about reconciliation. |
| Completeness | Pre-numbered invoices and shipping documents. | Review sales journal for missing invoice numbers. Trace shipping documents to invoices to ensure all shipments have been invoiced. |
| Cut-off | Revenue recognition policies are properly established and followed. | Review revenue recognition policy and examine revenue transactions and estimates to test compliance. |

EXHIBIT 6.5 Sales – key risk is overstatement (occurrence and accuracy)


| Assertion | Control | Tests of controls |
|---|---|---|
| Existence | Sales are made to approved customers. | Review approval process. Send a confirmation letter to customers in the trade receivables sub-ledger. |
| Accuracy, valuation, and allocation | Sales to customers do not exceed their approved credit limit. | Observe customer credit limits. |
| | Sales prices are taken from an approved price list. | Observe the approved price list. |
| | New customer approval. | Inquire about the customer approval process. |
| | Overdue accounts are referred to the credit manager. | Inquire about credit policy and role of credit manager. |
| Completeness | Pre-numbered invoices and shipping documents. | Trace invoices to the sales journal checking that all invoice numbers appear. Send a confirmation letter to customers in the trade receivables sub-ledger. Include significant customers from the prior year who do not appear in the current sub-ledger. |
| Rights and obligations | Pre-numbered sales orders. | Select shipments and review shipping documents to ensure goods were sent to customers who submitted a sales order. |

EXHIBIT 6.6 Trade receivables – key risk is overstatement (existence and valuation)

| Assertion | Control | Tests of control |
|---|---|---|
| Existence | Daily banking of cash receipts. | Observe bank deposit process. |
| | Bank reconciliation. | Observe preparation and review bank reconciliation. |
| Accuracy, valuation and allocation | Agree cash, cheques, electronic transfers, and credit card receipts with daily sales listing. | Examine evidence of check or observe check. |
| | Bank reconciliation. | Review bank reconciliation for completeness and approval. |
| Completeness | Cash register or point-of-sale terminals display the sale amount to the customer and provide a printed receipt for the customer and a listing of transactions for the business. | Observe that equipment is working and that operators are using it properly. Observe customers being given receipts. Inquire about cash management process. |
| | Bank reconciliation. | Review bank reconciliation. |
| | Cash receipts are deposited daily. | Observe preparation/performance of bank deposits. |
| Rights and obligations | Bank account. | Review bank statement; request bank confirmation. |

EXHIBIT 6.7 Cash – key risk is overstatement (existence and valuation)
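The document-matching tests listed in Exhibit 6.5 (missing invoice numbers, shipments never invoiced, invoices agreed to sales orders and shipping documents) can be run over a full transaction file rather than a sample. The following is an added example, not part of the learning pack; the record layouts, field names and sample records are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class SalesOrder:
    so_no: int
    unit_price_cents: int
    approved: bool          # evidence of sale authorisation and credit approval


@dataclass(frozen=True)
class Shipment:
    ship_no: int
    so_no: int
    qty: int
    shipped_on: date


@dataclass(frozen=True)
class Invoice:
    inv_no: int
    so_no: int
    ship_no: Optional[int]  # None when no shipping document is referenced
    qty: int
    unit_price_cents: int
    invoiced_on: date


def missing_numbers(numbers):
    """Completeness: gaps in a pre-numbered sequence (lowest to highest seen)."""
    seen = set(numbers)
    if not seen:
        return []
    return [n for n in range(min(seen), max(seen) + 1) if n not in seen]


def unbilled_shipments(shipments, invoices):
    """Completeness: shipping documents that no invoice refers to."""
    billed = {inv.ship_no for inv in invoices if inv.ship_no is not None}
    return sorted(s.ship_no for s in shipments if s.ship_no not in billed)


def invoice_exceptions(orders, shipments, invoices):
    """Occurrence and accuracy: agree each invoice to its order and shipment."""
    order_by_no = {o.so_no: o for o in orders}
    ship_by_no = {s.ship_no: s for s in shipments}
    findings = {}
    for inv in invoices:
        issues = []
        order = order_by_no.get(inv.so_no)
        ship = ship_by_no.get(inv.ship_no)
        if order is None:
            issues.append("no sales order")
        else:
            if not order.approved:
                issues.append("sales order not approved")
            if inv.unit_price_cents != order.unit_price_cents:
                issues.append("price differs from sales order")
        if ship is None:
            issues.append("no shipping document")
        else:
            if ship.so_no != inv.so_no:
                issues.append("shipment belongs to another order")
            if inv.qty != ship.qty:
                issues.append("quantity differs from shipment")
            if inv.invoiced_on < ship.shipped_on:
                issues.append("invoiced before shipment")
        if issues:
            findings[inv.inv_no] = issues
    return findings


# Constructed sample records (not taken from any real entity).
ORDERS = [
    SalesOrder(501, 12_500, True),
    SalesOrder(502, 8_000, True),
    SalesOrder(503, 4_000, False),   # never approved
    SalesOrder(504, 9_900, True),
]
SHIPMENTS = [
    Shipment(9001, 501, 10, date(2021, 1, 5)),
    Shipment(9002, 502, 4, date(2021, 1, 6)),
    Shipment(9003, 504, 7, date(2021, 1, 8)),   # shipped, never invoiced
    Shipment(9004, 503, 2, date(2021, 1, 9)),
]
INVOICES = [
    Invoice(1001, 501, 9001, 10, 12_500, date(2021, 1, 5)),
    Invoice(1002, 502, 9002, 5, 8_000, date(2021, 1, 6)),   # qty 5, shipped 4
    Invoice(1004, 503, 9004, 2, 4_000, date(2021, 1, 7)),   # dated before shipment
    Invoice(1005, 505, None, 3, 7_000, date(2021, 1, 10)),  # no order, no shipment
]

if __name__ == "__main__":
    print("Missing invoice numbers:", missing_numbers(i.inv_no for i in INVOICES))
    print("Unbilled shipments:", unbilled_shipments(SHIPMENTS, INVOICES))
    for inv_no, issues in invoice_exceptions(ORDERS, SHIPMENTS, INVOICES).items():
        print(inv_no, "->", "; ".join(issues))
```

Each exception is a lead for follow-up rather than a conclusion: a gap in the sequence may be a voided invoice, and an unsupported invoice may have a shipping document filed elsewhere.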


6.2.5 Evaluation of Tests of Controls


Where control tests identify control failures or deviations, the auditor compares the actual
deviation rate with the tolerable deviation rate. The tolerable deviation rate for a control is a
similar concept to materiality for an account (see Chapter 5).

To illustrate, where the auditor tests an account for material misstatement and discovers a
total error in excess of performance materiality, the auditor cannot conclude that the account is
free from material misstatement. In a similar way, if the rate of control deviations exceeds the
tolerable deviation rate for that control, the auditor will conclude that the control is ineffective,
and that control risk is higher than originally assessed.

The auditor will determine if alternative controls exist, and if so, test those controls. If no
alternative controls exist:

1. The control risk assessment will be increased to medium or high for the affected
assertions/accounts;

2. The audit strategy will be reassessed; and

3. The audit plan will be revised to include a higher level of substantive testing.

Knowledge Check Questions

Question 8
After assessing control risk of an entity, identify which of the following would most likely
explain why an auditor decided not to perform tests of controls.
A Limited tests of controls with analytical procedures would be more efficient than
detailed substantive testing.
B Control risk should be assessed as low for key financial report assertions.
C The level of detection risk exceeded the level of control risk.
D The evidence that could be obtained through tests of controls would not support an
assessment of control risk as low.

Question 9
Identify which of the following describes what assessing control risk at a level below high
would most likely involve.
A Identifying internal controls relevant to specific assertions.
B Changing the timing of substantive tests by omitting interim testing and performing the
tests at year-end.
C Reducing inherent risk for most of the assertions relevant to significant
account balances.
D Performing more extensive substantive tests with larger sample sizes than
originally planned.



Question 10
Identify which of the following is not a key segregation of duties for the revenue process.
A Different parties should prepare shipping orders and prepare bills of lading.
B Different parties should perform the credit and billing functions.
C Different parties should perform the shipping and billing functions.
D Different parties should receive cash and adjust trade receivables.

Question 11
When undertaking tests of controls for revenues, identify which of the following explains
why auditors are more concerned with controls associated with the occurrence assertion
than they are with the completeness assertion.
A Clients are more likely to understate than overstate revenues.
B Clients are more likely to overstate than understate revenues.
C The allowance for doubtful accounts is often understated.
D It is difficult to determine when services have been performed.

Question 12
An auditor selects a sample from the file of shipping documents to determine whether
invoices were prepared. Identify which assertion for revenue this test is used to assess.
A Accuracy, valuation, and allocation.
B Completeness.
C Cut-off.
D Occurrence.

Question 13
Identify what ‘dual-purpose tests’ involve.
A Tests of controls that address both the design of the control procedures and their
operating effectiveness.
B Tests of transactions that include substantive procedures as well as tests of controls.
C Tests that address both balances and transaction classes.
D Tests performed because of client expectations as well as for gathering audit evidence.

Question 14
A company’s payroll is computerised and is handled by one payroll clerk who is responsible
for entering employees’ weekly time reports into the computer system. The payroll
system is password protected so that only the payroll clerk can change pay rates or add/
delete personnel to/from the payroll file. Employees are paid weekly, and the payroll clerk
schedules bank transfers for each employee.
Identify two control weaknesses in the following description of a company’s payroll
procedure. For each weakness identified, propose appropriate controls.



Question 15
Identify which of the following risk assessment procedures, under HKSA 315 (Revised 2019),
needs to be supported by other procedures to obtain evidence about the design and
implementation of identified controls in the control activities component of an entity’s
system of internal control.
A Inquiry of entity personnel.
B Observation of entity operations.
C Inspection of internal documents and reports.
D Information from external sources.

Question 16
Applying HKSA 315 (Revised 2019), identify which of the following controls an auditor is not
required to identify and evaluate the design and implementation.
A Controls determined to be appropriate to identify and assess the risk of material
misstatement.
B All individual controls that achieve the same risk of material misstatement at the
assertion level.
C Controls that address significant risks and controls over journal entries.
D Controls the auditor plans to test for operational effectiveness.

Question 17
Which controls that address the risks of material misstatement at the assertion level would
be expected to be identified in all audits?

Question 18
HKSA 315 (Revised 2019) requires the auditor to obtain an understanding of the control
activities through performing risk assessment procedures (including identifying risks
arising from the use of IT and the general IT controls implemented to address those risks).
List the audit matters that may be affected as a result of the auditor’s understanding of
these general IT controls.

6.3 SAMPLING

Sampling was mentioned in the preceding section on control testing. Sampling is commonly
used for both control tests and substantive tests. All auditors use sampling because the
alternative is the examination of 100% of all transactions. In the past, 100% examination was
impossible given the cost and time constraints of the audit. Today, though, ‘big data’ analysis
techniques have made 100% examination a possibility, and it is becoming more common
(see Section 6.3.3). Sampling is particularly efficient when the number of items in a population
is large because the number of items in a population has little bearing on the size of the sample
required to make meaningful inferences about that population.

Sampling takes place when an auditor applies audit procedures to a subset of a population
to understand the characteristics of that population (e.g. the extent of monetary misstatement
in the inventory account). To make valid inferences about a population, it is important
that the sample characteristics reflect those of the population – that the auditor selects a
‘representative’ sample.

Of course, the auditor is not interested in ‘populations’ in the biological sense, but in
accounts. Populations of interest to the auditor include cash, trade receivables, inventory,
accounts payable, etc. Items making up a population are called ‘sampling units’. For each
relevant population, the auditor chooses a sampling unit that facilitates the desired test.

For example, if the auditor wanted to test a control over the existence of trade
receivables by:

• Vouching all customers to an approved customer list, then the sampling unit would be
defined as the customers comprising the trade receivables sub-ledger.

• Vouching sales invoices to shipping documents, then the sampling unit would be
defined as those invoices outstanding at year-end date.

• Sending confirmation letters to customers, then the sampling unit might be defined
as the dollars in the trade receivables balance (monetary unit sampling or MUS).
An MUS approach would ensure that letters were sent to the customers with the
largest balances. (More on MUS later in this section.)

What is clear in the example above is that a variety of sampling units – customers, invoices,
or dollar units – may define a population. Regardless of how the sampling unit is defined, the
total of all sampling units in the population, whether customer accounts, invoices, or dollar
units, will equal the population total.

6.3.1 Sampling Risk


Sampling risk is the risk that sample characteristics will not represent the population.
Where an auditor’s conclusions about an account or a control are based on testing an
unrepresentative sample, then the auditor might make conclusions adversely affecting the
audit opinion (the risk of incorrect acceptance) that:

• A control is effective when it is not – meaning actual control risk is higher than assessed
control risk; or

• An account is fairly stated when a material error exists – meaning actual inherent risk
exceeds assessed inherent risk.

Alternatively, the auditor might make conclusions adversely affecting audit efficiency (the
risk of incorrect rejection):

• A control is ineffective when it is effective; or

• An account has material errors when it does not.


Sampling risk can be reduced by using a higher quality approach to sample selection, or by
increasing sample size (where an entire population is tested, sampling risk is zero).

An important source of sampling risk is inadequate sample size. The result of testing an
inadequate sample may lead the auditor to make the wrong conclusion about the population.

Illustrative Example 8
An auditor tested the controls over issuing invoices by randomly selecting 20 invoices
and found that four invoices (20%) were incorrectly issued. They concluded that the
control was ineffective.

The auditor was concerned about the possibility of incorrect rejection, so selected
a second sample of 1,000 invoices. The auditor again found that four invoices were
incorrectly issued. The error rate in the second sample was just 0.4% and in this second
case the auditor correctly concluded that the control was effective.

6.3.1.1 Sample Quality


Two approaches may be taken in sampling: statistical sampling and judgemental or
non-statistical sampling (HKSA 530, App. 4). Statistical sampling offers key benefits. It allows the auditor to
calculate sampling risk when planning the sample, and again when evaluating the sample.
Non-statistical sampling is not scientific in this sense: sample size is selected and evaluated using
‘professional judgement’, which is highly subjective and differs between auditors. It is not
possible to accurately assess the level of sampling risk provided by non-statistical sampling.

Non-statistical samples may be selected in three ways:

1. Haphazard selection has no obvious rule in sample selection.

2. Block selection focusses on a group of sampling units with a common characteristic
(e.g. all sales in January).

3. Directed selection follows some relevant criterion of interest to the auditor (e.g. all
overdue customer accounts in Trade receivables).

Statistical samples may be selected in two ways, both of which ensure that every sampling
unit in a population has an equal chance of selection:

1. Random selection using a random number generator.

2. Systematic selection using a random start and a calculated sampling interval to select
the sample.

For example, if the trade receivables sub-ledger has 500 customer accounts and
a sample of 25 customers is required, the sampling interval can be calculated as
500/25=20. A random start of 3 might be chosen, so customer numbers 3, 3+20=23, 43,
63, . . . 483 will be selected – achieving a sample of 25 customers for examination.

Monetary unit sampling (MUS) and stratification are sampling techniques which can
be combined with either random or systematic selection. The key characteristic of MUS is the
definition of the sampling unit as $1. For example, if the trade receivables balance is $1M, then
1M sampling units exist.


MUS is particularly useful in substantive testing for overstatement errors because it
increases the probability of selecting high value items in a population – like customer accounts
with a high balance. Accounts most likely to be overstated and subject to MUS are revenues
and assets. For this same reason, MUS is ineffective for understatement tests. Accounts most
likely to be understated are expenses and liabilities.
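Systematic selection and monetary unit sampling, as described above, worked through in code. This is an added example, not part of the learning pack; the function names and the seven-account ledger are constructed for illustration, and the MUS routine uses systematic selection over dollars with a fixed start so that the result is reproducible.

```python
import random
from bisect import bisect_left
from itertools import accumulate


def systematic_selection(population_size, sample_size, start=None, rng=None):
    """Pick every interval-th sampling unit (1-based) after a random start."""
    interval = population_size // sample_size
    if interval < 1:
        raise ValueError("sample cannot be larger than the population")
    if start is None:
        start = (rng or random.Random()).randint(1, interval)
    if not 1 <= start <= interval:
        raise ValueError("start must lie within the first interval")
    return [start + k * interval for k in range(sample_size)]


def mus_selection(balances, sample_size, start=None, rng=None):
    """Monetary unit sampling: the sampling unit is $1 of recorded balance.

    Every interval-th dollar is selected, and the account holding that
    dollar is pulled for testing. Returns {account: number of hits}.
    Only positive balances carry sampling units, so credit or zero
    balances are left out (they need a separate test).
    """
    names = [n for n, b in balances.items() if b > 0]
    cumulative = list(accumulate(balances[n] for n in names))
    total = cumulative[-1]
    interval = total // sample_size
    if interval < 1:
        raise ValueError("sample cannot exceed the number of dollars")
    if start is None:
        start = (rng or random.Random()).randint(1, interval)
    if not 1 <= start <= interval:
        raise ValueError("start must lie within the first interval")
    hits = {}
    for k in range(sample_size):
        dollar = start + k * interval
        # First account whose cumulative total reaches the selected dollar.
        account = names[bisect_left(cumulative, dollar)]
        hits[account] = hits.get(account, 0) + 1
    return hits


# Constructed trade receivables sub-ledger, whole dollars, total $1,000,000.
LEDGER = {
    "C01": 400_000,
    "C02": 5_000,
    "C03": 250_000,
    "C04": 20_000,
    "C05": 15_000,
    "C06": 10_000,
    "C07": 300_000,
}

if __name__ == "__main__":
    # The text's case: 500 customers, sample of 25, random start of 3.
    print(systematic_selection(500, 25, start=3))
    # Five dollars from $1M gives an interval of $200,000.
    print(mus_selection(LEDGER, 5, start=50_000))
```

Any account whose balance is at least one sampling interval ($200,000 here) is selected whatever the start, which is why MUS directs the work towards the items where an overstatement would matter most.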

Stratification is used to increase sampling efficiency. Sampling units are grouped, or
‘stratified’, and separate samples are selected from each stratum (e.g. the trade receivables
sub-ledger could be stratified into small, medium, and large accounts, effectively separating
into three distinct populations before a sample is selected from each). There must be a
characteristic (e.g. size) that differs significantly between the sub-populations for stratification
to be validly used. A smaller overall sample size is achieved because the variance of the items
in each stratum is lower than that of the population, and population variance is one of the main
determinants of sample size. Stratification might reduce overall sample size by 20%, hence
increasing audit efficiency.

An important issue with stratification is in the assessment of sample results. When strata
are sampled and tested, the results of the tests, and the auditor’s conclusions, pertain only to
that stratum. Overall results for the population are obtained by combining the results of the
testing from each stratum. See HKSA 530 (Clarified) Appendix 1 for a discussion of MUS and
stratification.

6.3.1.2 Sample Size


Sampling has a positive effect on audit efficiency because the number of sampling units in
a population has little effect on sample size. Very large populations (e.g. a revenue account
including hundreds of millions of sales transactions might be encountered in the audit of a
supermarket chain) can be effectively tested by examining just a few hundred transactions. In
fact, the effective sample size does not change appreciably for any population with over 5000
sampling units.

Factors that do affect sample size are summarised in Exhibit 6.8. While these factors
are similar for control tests and substantive tests, these two are listed separately
following the approach in HKSA 530 (Clarified) Appendix 2 (Control tests) and Appendix 3
(Substantive tests).

| Tests of Controls | Substantive Tests |
|---|---|
| ↑ A high level of reliance by the auditor on controls (a combined audit strategy) | ↑ A high level of reliance by the auditor on the substantive tests |
| ↑ The expected error rate in the population (control risk) | ↑ The expected misstatement in the population (inherent risk and control risk) |
| ↓ The tolerable (acceptable) error rate in the population | ↓ Application of other substantive procedures to that population |
| | ↓ Performance materiality for the account |
| | ↓ Stratification |

(↑ indicates a larger sample, ↓ indicates a smaller sample)

EXHIBIT 6.8 Factors that affect sample size


While HKSA 530 (Clarified) discusses factors affecting sample size, as shown above, the
calculation of sample size is not explained or illustrated in the standard, and so is beyond the
scope of this textbook. Students wishing additional information about statistical calculations
should see the American Institute of CPAs Audit Guide: Audit Sampling, 2017.

6.3.2 Sample Evaluation


Control tests provide evidence of ‘deviations’ – the failure of a control to operate effectively.
Substantive tests, in contrast, provide evidence of errors or misstatements. This fundamental
difference leads to different conclusions about the characteristics of the population from which
the sample was drawn.

6.3.2.1 Control Tests


When carrying out control tests, the auditor collects evidence that the control has been carried
out as designed. If deviations are discovered, it does not mean that an error has occurred in the
account, simply that the control has not been performed as designed. The failure of a control
may or may not lead to an error in the account.

HKSA 530 (Clarified) requires the auditor to investigate the nature and cause of any control
deviations and evaluate their possible effect on their assessment of control risk and the audit
plan. Where the auditor considers a sample deviation to be an anomaly (e.g. the absence of the
person who normally performed the control), the auditor shall obtain evidence that the
deviation is not representative of the population by performing additional audit procedures
(HKSA 530.12–13).

After performing control tests on a sample, the auditor calculates the sample deviation rate
for each control:

Sample deviation rate = actual deviations / sample size.

For example: sample size = 100; deviations = 2; sample deviation rate = 2/100 = 2%.

The sample deviation rate is used to estimate the population deviation rate. The estimated
population deviation rate will exceed the sample deviation rate and depends on factors like the
sample size and the quality of the control test employed. In the example above the estimated
population deviation rate chosen might be 3%.

The estimated population deviation rate is then compared with the auditor’s tolerable
deviation rate (a concept similar to account materiality). Where the population deviation
rate is less than the auditor’s tolerable deviation rate, the auditor may conclude the control’s
operation is ‘consistent with their preliminary assessment of control risk for the assertion in
question’ – that is, the control is effective.

Continuing the example above, assume that the control in question is a key control for the
account. In this case, the auditor would set a low tolerable deviation rate, perhaps 1%. As the
estimated population deviation rate is 3%, and this exceeds the tolerable deviation rate, the
auditor would conclude that the control was ineffective, and evaluate the possible effect of this
on their assessment of control risk and the audit plan.
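One statistical way to allow for sampling risk when moving from the sample deviation rate to a population estimate is an exact binomial upper limit. The following is an added example, not part of the learning pack; the 95% confidence level, the function names and the 5% tolerable rate used for Illustrative Example 8 are assumptions, and the limit it computes is not the judgemental 3% figure used in the text.

```python
from math import comb


def binom_cdf(x, n, p):
    """P(X <= x) for X ~ Binomial(n, p)."""
    return sum(comb(n, k) * p**k * (1 - p) ** (n - k) for k in range(x + 1))


def upper_deviation_limit(deviations, sample_size, confidence=0.95):
    """One-sided exact (Clopper-Pearson) upper limit on the population rate.

    It is the largest population deviation rate that would still produce
    this few deviations with probability (1 - confidence), found by bisection.
    """
    if sample_size <= 0 or not 0 <= deviations <= sample_size:
        raise ValueError("need 0 <= deviations <= sample_size, sample_size > 0")
    if deviations == sample_size:
        return 1.0
    alpha = 1 - confidence
    lo, hi = deviations / sample_size, 1.0
    for _ in range(60):                      # interval shrinks to about 1e-18
        mid = (lo + hi) / 2
        if binom_cdf(deviations, sample_size, mid) > alpha:
            lo = mid                         # rate still plausible, look higher
        else:
            hi = mid
    return hi


def evaluate_control(deviations, sample_size, tolerable_rate, confidence=0.95):
    """Compare the upper limit with the auditor's tolerable deviation rate."""
    upper = upper_deviation_limit(deviations, sample_size, confidence)
    return {
        "sample_rate": deviations / sample_size,
        "upper_limit": upper,
        "effective": upper <= tolerable_rate,
    }


if __name__ == "__main__":
    cases = [
        ("Text example, key control", 2, 100, 0.01),
        ("Illustrative Example 8, first sample", 4, 20, 0.05),     # assumed 5%
        ("Illustrative Example 8, second sample", 4, 1000, 0.05),  # assumed 5%
    ]
    for label, dev, n, tolerable in cases:
        r = evaluate_control(dev, n, tolerable)
        verdict = "effective" if r["effective"] else "ineffective"
        print(f"{label}: sample {r['sample_rate']:.1%}, "
              f"upper limit {r['upper_limit']:.1%}, "
              f"tolerable {tolerable:.0%} -> {verdict}")
```

The same four deviations lead to opposite conclusions in Illustrative Example 8 because the allowance for sampling risk is very wide for a sample of 20 and narrow for a sample of 1,000.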


Apply and Analyse 3


The auditor designed tests of the following controls. The auditor expected a low failure
rate as each control is important.

| # | Control | Failures | Notes |
|---|---|---|---|
| 1 | Credit approval | 1 | All new customers; approved by division sales manager; company profit is down; bonus implications for manager |
| 2 | Sales price from approved price list | 2 | All approved by one salesperson; all discounts 10%; bonus implications |
| 3 | A shipping document for each invoice | 1 | No shipping documents found |

1. Explain how the auditor should follow up on the sample findings.

2. If the follow-up shows a consistent pattern, explain how this will affect the design
of substantive procedures.

3. Describe whether any of the control weaknesses would be considered significant
or material.

Analysis:

1. Deviations from prescribed controls may be caused by such factors as changes in
key personnel, seasonal fluctuations in volume, and human error. The detected
rates of deviation may indicate that the controls cannot be relied on to reduce risk
at the assertion level to that required by the auditor. In such a case the auditor will
reconsider the validity of the tests performed, and whether additional tests of the
controls are necessary.

2. If, in further testing, the deviation rate remains unacceptably high, the auditor will
determine if alternative controls exist, and if so, test those controls. If no suitable
controls exist, substantive testing will be increased.

3. Given the fraud risk factors (see the Notes column in the table – company
profitability down; bonus plans) all deviations are significant, and the auditor’s
assessment of control risk should be reconsidered.

6.3.2.2 Substantive Tests


After performing substantive tests on a sample, the auditor determines the net misstatement
in the sample, that is, the sum of the understatement (negative) and overstatement (positive)
errors. This net error is then projected to the population. The projection procedure differs
between non-statistical and statistical samples.


Illustrative Example 9
If the net error discovered in the sample is $5,000, the recorded value of the sample is
$100,000, and the book value of the account is $500,000, then the projected error is:

(sample error / sample total) × population total = estimated population error

($5,000 / $100,000) × $500,000 = $25,000

For a statistical sample, the error projection process is more complex, and is beyond
the scope of this module. Briefly, it involves the identification of several variables, including
detection risk, the sample reliability factor, the sampling interval, and the tainting factor. A
series of calculations using these variables is then performed on each identified error, and
the sum of these individual errors is the projected population error. Advanced auditing
texts provide examples of this calculation (see American Institute of CPAs Audit Guide: Audit
Sampling, 2017). Most often, specialised audit software will automatically perform the relevant
calculation.

In either case, non-statistical or statistical, the projected error plus an allowance for
sampling risk will be compared with the account performance materiality. If the projected error
is higher than performance materiality, the auditor might decrease detection risk by:

• Increasing the sample size.

• Performing additional tests on areas of identified concern (a directed sample).

Additionally, the auditor should consider the relevance of the identified errors to:

• The internal control system and the control risk assessment; and

• The inherent risk in related accounts in the transaction cycle (e.g. revenue/receivables/
cash).

And finally, the auditor should ask management to correct the errors.

6.3.3 ‘Big Data’


‘Big data’ is a phrase used for the study of data sets that are so big and complex that traditional
data processing software is unable to deal with them. Such data sets are common in business;
for example, one prominent retailer has more than 1 million customer transactions every hour
and gathers data from them.

Quantities of data available are increasingly large, but that is not the most relevant
characteristic of this big data paradigm. Big data is accompanied by predictive analytics used
to impact decision-making and even to cause automated actions, rather than simply to tabulate
characteristics.


Predictive models are models of the relationship between a sampling unit and one or more
known attributes of that unit designed to assess the likelihood that a similar unit will exhibit the
same characteristics. In auditing, these models capture relationships among many factors and
can enable the identification of high-risk transactions.

Predictive modelling can also be used to identify high-risk fraud candidates. For example:

• In the franchisee sales reports of an international fast-food chain, each location is
scored using 10 predictors. The 10 scores are then weighted to give an overall risk score
for each location.

• Internal revenue services in various countries use predictive analytics to ‘mine’ tax
returns and identify tax fraud.

6.3.3.1 Issues

Big data analytics results are only as good as the model on which they are predicated. Specific
criticisms of big data applications include:

• Neglecting statistical principles such as choosing a representative sample.

• Big data analysis is often shallow compared to analysis of smaller data sets. In many big
data projects, the main challenge is to extract and transform the data in preparation
for analysis.

• Big data analysis poses the same challenges as those for small data sets; adding more
data does not solve problems of bias.

Regression models are the mainstay of predictive analytics and big data. Regression is a
statistical technique used extensively by auditors. It is discussed further in Section 6.4.1.

Knowledge Check Questions

Question 19
Identify which of the following describes audit sampling.
A Using statistical methods to evaluate the propriety of the account balance.
B Testing less than 100% of the items to evaluate some characteristics of a balance.
C Applied to items selected randomly.
D Done on a test basis.

Question 20
Identify which of the following contributes to sampling risk.
A Choosing a sample size that is too small.
B Choosing an audit procedure inconsistent with the audit objective.
C Failing to detect a deviation on a document that has been inspected by the auditor.
D Failing to undertake an audit procedure in the sampling plan.



Question 21
Identify which of the following best describes statistical sampling.
A It provides a means for measuring the uncertainty that results from examining part of a
population.
B It requires the examination of a smaller number of supporting documents.
C It is evaluated in terms of statistical mean and random selection.
D It reduces the problems associated with the auditor’s judgement of materiality.

Question 22
An auditor tested the valuation of a client’s investments (balance $HK2.5M) using a
non-statistical sampling approach. The sample size was 100 items with a total dollar value
of $HK900,000. Six errors were identified for a total error of $HK93,000. Estimate the error
in the investment account and explain how you would proceed.

6.4 SUBSTANTIVE PROCEDURES

Substantive procedures are audit procedures designed to detect material misstatements at
the assertion level. They differ from control tests because a control deviation indicates that
the control has not been performed correctly. Incorrect performance of a control does not
mean that an error exists in the accounts; it simply indicates the failure of the control and the
possibility of an error. In contrast, substantive procedures identify errors directly.

Substantive procedures are carried out in response to inherent risks identified at the
planning stage of the audit. While inherent risk is strongly related to the business strategy of
the entity, certain inherent risks are always relevant:

• Errors often occur in accounts that are poorly controlled, typically those accounts
with large, infrequent, or unusual transactions. The direction of errors, whether
understatement or overstatement, cannot be predicted.

• Misappropriation of assets. Thieves steal cash, inventory, and other assets. Frauds
designed to conceal theft result in the overstatement of those accounts. Assertions at
risk are existence and valuation.

◦ A common theft is the ‘kickback’ which occurs where purchasing managers or other
senior managers with purchasing responsibilities purchase inventory or fixed assets
at inflated prices and receive a cash payment (the kickback) from the supplier. The
asset account is likely to be overvalued due to the inflated prices, and valuation is
the key assertion at risk.

◦ Another common theft is the payment of fictitious employees – resulting in the
overstatement of wages expense. Occurrence is the assertion at risk.


• Fraudulent financial reporting is intentional misstatement of the financial
statements. Fraudulent reports typically show better financial results than those
achieved in order to facilitate the payment of excessive management bonuses or
conceal breaches of debt covenants. Some entities will understate profits in order to
evade taxation.

Any fraud that will increase net assets or net profit might be encountered. In
general terms, revenues and assets are likely to be overstated, while expenses
and liabilities are likely to be understated. Probably the most common fraud is
overstatement of revenue, and auditors are required to design their audit plan to test
for this possibility. The occurrence of revenue is always considered a high-risk assertion.

Where the risk of misstatement in an account or assertion is high, extensive and
high-quality substantive audit procedures will be necessary. Regardless of the level of assessed risk
however, some substantive procedures are always required for material accounts, and those
substantive procedures must include tests of details: ‘Irrespective of the assessed risks of
material misstatement, the auditor shall design and perform substantive procedures for each
material class of transactions, account balance, and disclosure’ (HKSA 330.18).

Two types of substantive procedures exist (HKSA 330.4):

1. Substantive analytical procedures; and

2. Tests of details (of classes of transactions, account balances, and disclosures).

6.4.1 Analytical Procedures


Analytical procedures must be carried out at the planning and completion stages of the audit.
They are not required at the evidence gathering stage but are commonly used. Well-designed
analytical procedures are powerful tests for material misstatement and are relatively efficient.
When auditors use effective analytical procedures, the number and/or quality of substantive
tests of details may be reduced.

Analytical procedures are overall tests rather than tests of details. They compare account
balances, ratios, and other information derived from the financial statements with the auditor’s
expectations. Where analytical procedures indicate a potential misstatement, they must be
followed up by tests of details. Only tests of details can identify and quantify specific errors.

When considering the use of analytical procedures, the auditor should consider:

• Their suitability for the assertion in relation to identified risks;

• The auditor’s substantive tests of details for that same assertion; and

• The reliability of data from which the auditor’s expectations are developed, taking
account of its source, comparability, nature, relevance, and controls over its preparation.

Analytical procedures include:

• Simple comparisons;

• Time series (e.g. monthly) or cross sectional (e.g. stores/outlets/restaurants) comparisons;

• Comparisons of financial ratios; and

• Other comparisons, including non-financial measures.


6.4.1.1 Simple Comparisons


At the most basic level, a simple comparison is a reasonableness test which involves calculating
the expected value of an item and comparing that with its actual value. For example, the
current inventory account balance – the balance being audited – should be compared with
the prior year’s audited balance. The assumption is that if the two balances are nearly
the same, then the current balance is unlikely to be materially misstated. In contrast, a
significant difference between the two might indicate a material misstatement. Such simple
comparisons are likely to be valid when relevant aspects of the business have not changed in
the two-year period.

If the business has altered in some significant way during the two years, however, a more
sophisticated approach to developing the auditor’s expectations might be required. For
example, where relevant price levels have changed (that is, the value of the monetary unit
has dropped due to inflation), the auditor might take inflation into account in developing their
expectations.

It should be noted that the inflation rate that is commonly discussed and publicised
pertains to household assets and expenses. Other classes of assets inflate at different rates
and these rates may be found on the Hong Kong Census and Statistics Department website.

Other simple comparisons commonly used include comparing the financial statements with
budgeted financial statements and comparing entity statistics with industry statistics.

6.4.1.2 Multi-period Comparisons


Trend analysis and regression analysis are examples of techniques that facilitate multi-period
comparisons. Trend analysis offers the benefit of smoothing yearly or monthly fluctuations to
establish long-term expectations. Any of the simple comparisons mentioned above could be
extended to multi-period comparisons. Caution is advised because comparisons with older
data may not be relevant if the characteristics of the business have changed significantly over
the years. In general, the older the data, the less relevant they will be.

Linear regression analysis is useful for testing the consistency of the relationship between
key variables like sales and cost of goods sold in a time series analysis. Regression of cost of
sales against sales for the past 24 months will quickly identify months where the relationship is
unusual, and where the likelihood of a misstatement in sales or cost of sales is high.

Regression can also be used for cross-sectional analysis (across stores). A cross-sectional
analysis approach would be appropriate for the opening case G&E Music (GEM). With 300
stores, regression analysis of sales revenue against store area for all stores would identify
stores with unusual relationships for investigation. Other useful regressions across all 300
stores might include sales revenue against cost of goods sold or sales revenue against
wages expense.
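The 24-month regression of cost of sales against sales described above can be run as follows. This is an added example, not part of the learning pack: the monthly figures are constructed (HK$ millions), month 21 is deliberately seeded with inflated sales, and the function names and the cut-off of two standard errors are assumptions chosen for illustration.

```python
from math import sqrt

# Constructed monthly figures in HK$ millions (24 months), not data from the case.
# Month 21 sales are deliberately inflated with no matching cost of sales.
SALES = [300, 310, 295, 320, 330, 315, 340, 350, 335, 360, 390, 420,
         310, 322, 305, 333, 342, 328, 352, 365, 388, 372, 405, 440]
COST_OF_SALES = [235.0, 240.6, 230.7, 248.8, 258.9, 245.2, 266.1, 271.6,
                 261.6, 280.1, 305.3, 326.6, 242.6, 250.6, 239.2, 258.8,
                 267.2, 254.7, 275.3, 284.4, 272.0, 291.2, 314.6, 343.7]


def fit_line(x, y):
    """Ordinary least squares fit of y = intercept + slope * x."""
    n = len(x)
    if n != len(y) or n < 3:
        raise ValueError("need two equal-length series of at least 3 periods")
    mean_x, mean_y = sum(x) / n, sum(y) / n
    sxx = sum((xi - mean_x) ** 2 for xi in x)
    if sxx == 0:
        raise ValueError("the explanatory variable does not vary")
    sxy = sum((xi - mean_x) * (yi - mean_y) for xi, yi in zip(x, y))
    slope = sxy / sxx
    return slope, mean_y - slope * mean_x


def unusual_periods(x, y, threshold=2.0):
    """Return (slope, intercept, flagged), flagged = [(period, residual, z)].

    The residual is actual minus expected y; z is the residual divided by the
    standard error of the regression. Periods are numbered from 1.
    """
    slope, intercept = fit_line(x, y)
    residuals = [yi - (intercept + slope * xi) for xi, yi in zip(x, y)]
    std_error = sqrt(sum(r * r for r in residuals) / (len(x) - 2))
    flagged = []
    for period, r in enumerate(residuals, start=1):
        z = r / std_error if std_error else 0.0
        if abs(z) > threshold:
            flagged.append((period, round(r, 1), round(z, 2)))
    return slope, intercept, flagged


if __name__ == "__main__":
    slope, intercept, flagged = unusual_periods(SALES, COST_OF_SALES)
    print(f"expected cost of sales = {intercept:.1f} + {slope:.3f} x sales")
    for period, residual, z in flagged:
        direction = "below" if residual < 0 else "above"
        print(f"month {period}: cost of sales {abs(residual)} {direction} "
              f"expectation (z = {z}); follow up with tests of details")
```

A negative residual means cost of sales is low for the sales recorded, which is consistent with overstated sales or understated cost of sales; the regression only directs attention, and the misstatement itself is quantified by tests of details. The same functions serve the cross-sectional case by passing one figure per store instead of one per month.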

6.4.1.3 Comparisons of Financial Ratios


Most accounting students will be familiar with the calculation of financial ratios like the gross
profit ratio or the inventory turnover ratio. Substantive testing is an important application of
ratio analysis.


For example, the auditor might calculate the trade receivables turnover:

A/R turnover = sales / average receivables

for the current and the prior year, with the expectation that the ratio would be stable.
Significant changes in the ratio might indicate misstatement in sales, trade receivables, or the
allowance for doubtful debts. If the A/R turnover had increased from six times last year to
seven times this year, a misstatement is indicated, for example:

• Overstatement of sales; or

• Understatement of trade receivables.

Ratio analysis can be applied to both simple year-on-year comparisons, as shown in the
turnover example above, and to multi-period analysis. Ratio analysis is a frequently used form
of analytical review.

6.4.1.4 Other Comparisons


Many further analytical procedures might be designed by the auditor. For example,
non-financial measures such as number of employees might be usefully compared with wages
expense to help the auditor judge the potential for misstatement in the wages expense account
at individual stores. Where the number of employees was stable, the auditor would expect that
the wages expense would be stable. If the employee number grew by 10%, the auditor might
expect a matching 10% growth in wages. As noted above, adjustments for inflation, for new
employment contracts, and for other changes affecting the wages account should be included
to help develop the auditor’s expectations.

6.4.1.5 Analytical Procedures in the Revenue Cycle


6.4.1.5.1 Simple Comparisons
Simple comparisons that can be done include:

• The balance of all the accounts in the revenue cycle will be compared with prior years’
audited balances, and with the current budget.

• The ageing of the trade receivables sub-ledger should be compared with the
prior period, or multiple prior periods in order to assess the adequacy of the
allowance account.

• Growth in trade receivables can be compared with the growth in sales.

• Revenue growth and gross margin should be compared with industry statistics.

Illustrative Example 10
Recall the Opening Case G&E Music (GEM) presented at the beginning of this chapter.
Exhibit 6.9 is drawn from the GEM case and shows simple comparisons between the
current and past (audited) financial statements. As can be seen, all revenue and profit
accounts other than A/R are similar in their growth.



Trade receivables growth is above expectations. Inquiries of management are
necessary in this case. Perhaps new credit policies have been implemented. On the other
hand, because the increase in the accounts receivable balance is only 0.5% of revenue and
10.7% of net profit, the risk of a material error in A/R is not high. This is a common feature
of retail businesses: few purchases are on store credit and most customers use their own
credit facility (credit cards) to pay at the store or online prior to delivery.

6.4.1.5.2 Comparisons of Financial Ratios


Key financial ratios associated with the revenue cycle should be compared to the prior year.
These include:

• Return on sales.

• Gross profit margin.

• Trade receivables turnover.

• Allowance for doubtful debts, bad debts expense, and sales returns and allowances, all
as a percentage of sales.

Exhibit 6.9 shows simple comparisons of financial ratios for GEM. (Ratio calculations are
assumed knowledge for this module.) The ratio comparisons show a conservative pattern
consistent with the account comparisons as would be expected.

GEM Account Comparisons (000,000)

| Account | 20X2 | 20X1 | Growth % |
|---|---|---|---|
| Revenue | 3950 | 3650 | 8.2 |
| Cost of Sales | 3090 | 2850 | 8.4 |
| Gross profit | 860 | 800 | 7.5 |
| Sales and Mkt Expense | 405 | 375 | 8 |
| Net Profit | 186 | 174 | 6.9 |
| Receivables | 100 | 80 | 25 |
| Stores | 200 | 190 | 5 |

GEM Ratio Comparisons

| Ratio | 20X2 % | 20X1 % | Growth % |
|---|---|---|---|
| Gross profit margin | 21.7 | 21.9 | –1 |
| A/R turnover* | 39.5 | 45.6 | –6.1 |
| Return on Sales (ROS) | 4.7 | 4.8 | –2 |
| Revenue/store | $19.75M | $19.2M | 2.8 |
| Gross profit/store | $4.3M | $4.2M | 2.4 |

* Calculated as Sales / A/R due to lack of complete data.


EXHIBIT 6.9 GEM Revenue cycle analytical review


As noted above, the account that stands out is A/R, and this has affected the A/R turnover
ratio. This has decreased by 6.1%. Again, this requires investigation. Factors might include GEM
credit policy or the popularity of sales finance companies like Afterpay.

6.4.1.5.3 Multi-period Comparisons


As GEM has grown substantially over the years both in terms of number of stores and average
sales revenue per store, a multi-year (or monthly) trend analysis might be useful in establishing
expectations. Other independent variables like the strength of the local economy or disposable
incomes might also be used to establish expectations.

6.4.1.5.4 Other Comparisons


Regression analysis of the relationship between sales and store area would identify stores with
unusual sales results for further investigation.

6.4.2 Tests of Details


Recall that substantive procedures are audit procedures to detect material misstatements at
the assertion level. Analytical procedures are one form of substantive procedures and were
discussed in Section 6.4.1. This section deals with the other form of substantive tests, tests of
details. Two main types of tests are identified: tests of details of classes of transactions and
tests of details of account balances. The first type are tests for revenue and expense accounts,
and the second for asset, liability, and equity accounts. These are introduced in Sections 6.4.2.1
and 6.4.2.2.

6.4.2.1 Tests of Details of Classes of Transactions


Transaction-related assertions were introduced in Section 6.1.3 of this chapter. These
assertions include:

• Occurrence;

• Accuracy;
• Completeness;

• Cut-off;

• Presentation; and

• Classification.

Like control tests, tests of details of transactions are performed on transactions throughout
the period, rather than just those transactions that comprise period-end balances.

For efficiency, tests of controls are combined with tests of transactions and tests of
balances (hence the ‘combined’ audit approach). Evidence of controls like authorisation and
segregation (names or initials of the approver) can be found on documents like purchase
orders and sales orders. These same documents also provide monetary evidence regarding
assertions relating to transactions and balances (e.g. existence/occurrence).


Illustrative Example 11
Control test. A credit manager will perform a credit check on a customer before
authorising a sale to that customer (a control over occurrence). The credit approval
will be indicated on the sales order. The auditor can test the control by sighting
(examining) the evidence of approval on the sales order document (whether paper
or electronic).

Substantive tests – accuracy and completeness. The sales order will also identify
the goods ordered, the quantity ordered, and the agreed price. The auditor can trace
these details to the sales invoice, and the invoice total to the sales journal, as tests of the
accuracy of the sales transaction and the completeness of the sales journal (substantive
tests of details regarding accuracy and completeness).

Substantive tests – occurrence and cut-off. The auditor would also select a sample
of transactions from the sales journal and vouch the transactions to the three key
supporting documents – the invoice, the sales order, and the shipping document – to test
the occurrence of the sale and the cut-off (additional substantive tests of details regarding
occurrence and cut-off).

6.4.2.2 Tests of Details of Account Balances


Tests of details of balances are tests of the assertions about balances. These assertions
include:

• Existence;

• Valuation and allocation;

• Completeness;

• Rights and obligations;

• Presentation; and

• Classification.

Tests of balances differ from control tests and tests of transactions because they test the
account balance on a unique day – the end of the accounting period. Common tests of balances
are confirmations with third parties (e.g. cash with the bank or trade receivables with the
customer; see Section 6.4.3), counting (e.g. inventory or cash), and inspection (e.g. property,
plant, and equipment).

Exhibit 6.10 identifies common tests of details for both assertions about balances and
assertions about transactions relevant to the revenue cycle.


| Assertion | Transaction (T) / Balance (B) | Substantive procedures – test of details |
|---|---|---|
| Existence/occurrence | T | Vouch sales invoice to sales order and shipping document |
| | B | Confirm trade receivables balances or outstanding invoices with customers¹ |
| | T/B | Examine subsequent (to balance date) cash receipts² |
| | T | Check for duplicate entries in the sales journal |
| Valuation/accuracy | T | Verify arithmetic accuracy of sales invoices |
| | T | Vouch prices to authorised price list |
| | B | Confirm trade receivables balances with customers¹ |
| | T | Trace invoice totals to sales journal |
| | T/B | Cast the sales journal (T) and trade receivables sub-ledger (B), and tie to general ledger accounts |
| | B | Review the schedule of the ageing of trade receivables and the adequacy of the allowance for doubtful debts |
| | T | Check year-end sales cut-off (sales invoiced on or after shipment date) |
| Completeness | T/B | Trace shipping documents to invoice, sales journal, and trade receivables sub-ledger |
| | T | Check for missing invoices in the sales journal |
| Rights/obligations | B | Identify related party transactions and review terms |
| Cut-off | T/B | Review sales terms and contracts for appropriate recognition criteria – normally sales and trade receivables are recognised upon shipment of goods or the provision of a service |
| Classification | T | Review invoice or remittance advice to ensure revenue is properly classified as operating or other (e.g. interest) |
| | B | Review invoice or contract to ensure receivables are properly classified as current or long-term |
| Presentation/disclosure | T | Review revenue recognition criteria |
| | B | Review correct trade receivables classification – current or long-term |

Notes

1. Confirmation, as with many other audit procedures, provides evidence about more than one assertion – in this
case existence and valuation of trade receivables.
2. While this is a test of cash, its purpose is to test the existence of trade receivables at the year-end date, and the
occurrence of revenue.

EXHIBIT 6.10 Audit assertions and tests of details for the Revenue cycle
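Four of the transaction tests in Exhibit 6.10 (duplicate entries, missing invoices, arithmetic accuracy, and year-end cut-off) can be run over an entire sales journal extract instead of a sample. The Python code below is an added example, not part of the learning pack: the journal layout, field names, balance date, and every entry are constructed, with four exceptions seeded on purpose.

```python
from collections import Counter
from datetime import date
from typing import NamedTuple

YEAR_END = date(2022, 12, 31)  # constructed balance date


class Entry(NamedTuple):
    invoice_no: int
    customer: str
    invoice_date: date   # date the sale was invoiced and journalised
    ship_date: date      # date on the shipping document
    quantity: int
    unit_price: int      # HK$, per the authorised price list
    total: int           # HK$, as recorded in the sales journal


# Constructed sales journal extract (hypothetical customers A to F).
JOURNAL = [
    Entry(1001, "A", date(2022, 12, 20), date(2022, 12, 19), 10, 500, 5000),
    Entry(1002, "B", date(2022, 12, 22), date(2022, 12, 22), 4, 1200, 4800),
    Entry(1003, "C", date(2022, 12, 28), date(2022, 12, 27), 3, 900, 2700),
    Entry(1003, "C", date(2022, 12, 28), date(2022, 12, 27), 3, 900, 2700),
    Entry(1005, "D", date(2022, 12, 30), date(2023, 1, 4), 20, 750, 15000),
    Entry(1006, "E", date(2022, 12, 31), date(2022, 12, 30), 7, 300, 2400),
    Entry(1007, "F", date(2022, 12, 29), date(2022, 12, 30), 2, 1000, 2000),
]


def duplicate_invoices(journal):
    """Occurrence: invoice numbers journalised more than once."""
    counts = Counter(e.invoice_no for e in journal)
    return sorted(n for n, c in counts.items() if c > 1)


def missing_invoices(journal):
    """Completeness: gaps in the invoice number sequence.

    A gap is only a lead; voided invoices must be accounted for separately.
    """
    numbers = {e.invoice_no for e in journal}
    if not numbers:
        return []
    return [n for n in range(min(numbers), max(numbers) + 1)
            if n not in numbers]


def cutoff_exceptions(journal, year_end):
    """Cut-off: invoices dated before shipment.

    Returns (invoice_no, crosses_year_end); True means revenue was recorded
    in the period although the goods left after the balance date.
    """
    found, seen = [], set()
    for e in journal:
        if e.invoice_date < e.ship_date and e.invoice_no not in seen:
            seen.add(e.invoice_no)
            crosses = e.invoice_date <= year_end < e.ship_date
            found.append((e.invoice_no, crosses))
    return found


def arithmetic_exceptions(journal):
    """Accuracy: (invoice_no, recomputed total, recorded total) mismatches."""
    return [(e.invoice_no, e.quantity * e.unit_price, e.total)
            for e in journal if e.quantity * e.unit_price != e.total]


if __name__ == "__main__":
    print("duplicates:", duplicate_invoices(JOURNAL))
    print("missing:", missing_invoices(JOURNAL))
    print("cut-off:", cutoff_exceptions(JOURNAL, YEAR_END))
    print("arithmetic:", arithmetic_exceptions(JOURNAL))
```

Each exception still needs to be vouched to the sales order and shipping document before it is treated as a misstatement.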

Apply and Analyse 4


The following is a list of procedures performed in the audit of the revenue cycle. For each
procedure indicate the control or substantive testing objective that is accomplished, and
identify the assertion tested.

1. Select a sample of shipping notices and trace to invoices.

2. Select a sample of entries in the sales journal and trace to sales orders and
shipping notices.



3. Recompute the invoice total for a sample of sales invoices.

4. Review client documentation to determine their policy for credit approval.

Analysis:

The objective is to ensure:

1. All shipments are invoiced; completeness of revenue and trade receivables.

2. All entries in the sales journal are real; occurrence of revenue.

3. The invoices are correctly extended and cast; accuracy of revenue.

4. That controls exist over credit approval; occurrence of revenue, existence of trade
receivables.

6.4.3 Confirmations
Confirmations are commonly used substantive procedures. An external confirmation is a
response to an auditor’s request for information directly from a ‘confirming external party’.
Confirmations provide reliable evidence to the auditor because of their source (a third party)
and type (documentary).

For example, if management is under pressure to meet earnings expectations, there may
be a risk that management is inflating sales by recognising sales revenue before goods are
shipped. In these circumstances, the auditor may design external confirmation procedures
not only to confirm outstanding amounts at year-end but also to confirm the terms of sales
agreements, including due date, any rights of return, and delivery terms.

When considering the use of confirmations, the auditor considers:

• The confirming party’s knowledge of the subject matter.

• Issues which may affect the reliability of the confirmation.

Confirmations can take either a positive or a negative form. A positive form request asks
the third party to respond directly to the auditor (not the audit client) regarding a balance, or
regarding their agreement or disagreement with information provided by the auditor in the
request – for example, the amount owing to the client in a debtor’s confirmation. Where the
responder disagrees, details of the difference are requested. Negative form requests ask the
third party to respond only if the confirming party disagrees with the information provided
in the request. Negative confirmations provide a weaker form of audit evidence than positive
confirmations because it must be assumed that a non-response indicates agreement, and this
is a weak assumption.

In determining whether external confirmation procedures are to be performed as
substantive audit procedures, factors that may assist the auditor include:

• Knowledge of the subject matter by the confirming party – the reliability of the
responses is better when provided by a person at the confirming party with the
requisite knowledge about the information being confirmed.


• The ability or willingness to respond by the intended confirming party – for example,
the confirming party:

  ◦ May have concerns about the potential legal liability resulting from responding;

  ◦ May not accept responsibility for responding to a confirmation request;

  ◦ May consider responding too costly or time consuming;

  ◦ May operate in an environment where responding to confirmation requests is not a
    significant aspect of day-to-day operations; or

  ◦ May account for transactions in different currencies.

In such situations, confirming parties may not respond, may respond in a casual
manner, or may attempt to restrict the reliance placed on the response.

• The objectivity of the intended confirming party – responses to confirmation requests
may be less reliable if the confirming party is a related party of the entity as related
parties are not actually independent third parties.

To assure the reliability of external confirmation procedures, the auditor must maintain
control over external confirmation requests including:

• The information content;

• The selection of the confirming parties;

• Verification of the existence and mailing address of the confirming parties;

• The mailing process; and

• The receipt of the responses.

HKSA 505 (Clarified) Appendices 1 and 2 provide local guidance on bank confirmation
requests sent to members of the Hong Kong Association of Banks and other financial
institutions. A sample ‘External Confirmation Request’ for banks is provided in Appendix 2. Bank
confirmations seek information on deposits, loans, and their contractual terms, collateral for
loans, and any contingent liabilities (guarantees).

Accounts commonly confirmed include the current assets and liabilities including
cash, accounts receivable, inventory on consignment, and accounts payable. Accounts, the
confirming external party, and the assertion tested are shown in Exhibit 6.11.

| Account | Confirming external party | Assertions addressed |
|---|---|---|
| Cash and bank borrowings | Bank or other financial institution | Existence, valuation, and rights |
| Trade receivables | Customer (debtor) | Existence and valuation |
| Inventory (at remote locations) | Consignee or custodian | Existence and rights |
| Accounts payable | Supplier/vendor | Occurrence and obligations |

EXHIBIT 6.11 Confirmations


When positive confirmation requests sent to customers and suppliers ask respondents
to provide a balance due, in many instances the response will not match the client’s records.
Reasons for discrepancies might include timing issues because goods are in transit, returned
goods, items in dispute, or errors and irregularities. All exceptions need to be followed up by
the auditor, and their resolution documented in the audit working papers.

Where no reply is received by the auditor, alternative procedures must be undertaken.
A simple and effective alternative procedure for trade receivables is the review of cash receipts
subsequent to balance date to ensure that outstanding amounts have been paid. A less
satisfactory alternative is the vouching of outstanding invoices to shipping documents and
sales orders.

Knowledge Check Questions

Question 23
A positive trade receivables confirmation was returned saying the ‘balance owed as of
30 June was paid on 9 July 20X7’. Identify which of the following describes what the auditor
should do.
A Re-confirm the balance as of 9 July 20X7.
B Determine whether there were any changes in the account between 1 July and 9
July 20X7.
C Check subsequent cash receipts to confirm that the amount was received.
D Determine whether a trade discount was taken by the customer.

Question 24
Identify which of the following is the best argument against the use of negative trade
receivables confirmations.
A The inference drawn from receiving no reply may be incorrect.
B There is no way of knowing if they were received.
C Recipients are likely to feel that the confirmation is a request for payment.
D The cost-per-response is high.

Question 25
Identify which of the following analytical procedures should be used for the statement of
profit or loss and other comprehensive income.
A Obtain from the proper client representatives the beginning and ending inventory
amounts that were used to determine costs of sales.
B Select sales and expense items and trace amounts to related supporting documents.
C Compare the actual revenues and expenses with the corresponding figures of the
previous year and investigate significant differences.
D Ascertain that the net income amount in the statement of cash flow agrees with the net
income amount in the statement of profit or loss and other comprehensive income.



Question 26
In determining the adequacy of the allowance for doubtful debts, identify which of the
following should be relied on the least.
A Ratios calculated showing the past relationship of trade receivables to net credit sales.
B An ageing schedule of past due accounts.
C Collection experience of the client’s collection agency.
D The credit manager’s opinion.

Question 27
Identify what an aged trial balance of trade receivables is usually used by the auditor to do.
A Evaluate the allowance for doubtful debts.
B Ensure that all trade receivables are recorded.
C Evaluate the results of tests of controls for the revenue cycle.
D Verify the existence of recorded receivables.

Question 28
An auditor proposes that sales be audited by comparing the relationship of sales and cost
of sales with the previous two years of audited figures. Explain whether this would be a
good test of the sales account.

6.5 OTHER AUDIT EVIDENCE

Many account balances are based on estimates, appraisals, or management assumptions.
Examples include:

• Warranty liabilities;

• The allowance for doubtful accounts;

• Pension costs;

• Fixed assets; and

• Goodwill.

While these account balances are inherently uncertain, estimates should always be based
on objective and verifiable data. Unfortunately, estimates are often subject to management
bias, earnings management, and fraud, and accounts based on estimates should be considered
to have high inherent risk. Controls over estimates are often deficient or non-existent, and
control risk is likely to be high.


6.5.1 Accounting Estimates


Accounting estimates have always been required in the preparation of accounts. The need
to deal with uncertainty and exercise professional judgement is one of the main ways that
accounting differs from mere bookkeeping. Two main types of accounting estimates are
common. The first concerns a forecast of a future event or the outcome of a transaction. Many
accounts require this type of estimation because they are affected by uncertain future events.
For example:

• The allowance for doubtful debts and trade receivables are affected by future economic
conditions and the actions of customers;

• Depreciation; accumulated depreciation; and property, plant, and equipment accounts
are affected by the useful life and salvage value of the asset; and

• Inventory is subject to obsolescence.

The second type of estimate concerns the fair values of assets or liabilities at the end of an
accounting period. Fair values are discussed in Section 6.5.2.

The auditor’s approach to accounting estimates is well established. Management is
responsible for the financial statements, and it is their responsibility to prepare relevant
estimates and related disclosures. The nature and reliability of the information available to
management to support their accounting estimates varies widely. The degree of estimation
uncertainty may be significant, and this affects the risk of material misstatement of the
financial statements – including their susceptibility to unintentional or intentional management
bias. Account balances comprising accounting estimates are examples of components of a
financial statement that would be high on the spectrum of inherent risk due to factors such as
complexity, subjectivity, and uncertainty associated with their calculation.

The auditor should obtain management’s working papers that identify management’s:

• Method used in making the estimate, and any change in method from prior periods;

• Controls over estimations;

• Use of a management’s expert;

• Assumptions underlying the estimate;

• Sources of data used; and

• Assessments of risk.

In examining management’s estimate, the auditor should consider:

• If the method used by management was appropriate;

• Whether appropriate controls were in place and operating effectively;

• The work of the management’s expert (Chapter 8, Section 8.3.4);

• The reasonableness of management’s assumptions;

• The relevance and reliability of data; and

• The adequacy of management’s risk assessment.


Indicators of management bias with respect to accounting estimates may include changes
in the method used, assumptions that are inconsistent with the marketplace, assumptions that
yield an estimate favourable to management’s objectives, unreliable data sources, or failure to
provide a balanced risk assessment.

If, in the auditor’s judgement, management has not adequately addressed the effects of
estimation uncertainty on the accounting estimates, the auditor should consider developing a
point estimate or a range to compare with management’s estimate. In this context the auditor
should consider whether it is necessary to use an auditor’s expert (Chapter 8, Section 8.3.1).
The comparison will enable the auditor to evaluate the degree of uncertainty associated with
management’s estimate and to determine whether estimates that are highly uncertain give rise
to significant risks of material misstatement.

6.5.2 Fair Values


While estimates and associated professional judgements have always been an important
aspect of accounting (Section 8.5.1), measurements and disclosures based on fair value are
becoming increasingly prevalent in financial reporting frameworks. Increasing numbers of
accounts in the statement of financial position are required to be assessed at fair value, and
disclosures need to provide information about these fair value estimates.

Auditing fair valued accounts and disclosures requires auditors to adopt the approach
described above for accounting estimates, an approach based on the auditor’s analysis
of management’s working papers. Management’s estimates will incorporate external and
future-oriented data and assumptions about the market, the industry, future cash flows, and
capital costs. Future-oriented estimates are inherently risky because, as with any prediction
of the future, error is both unavoidable and impossible to accurately quantify – except in
retrospect.

The main criteria related to the audit of fair values are summarised below.

1. Fair value is the price that would be received to sell an asset, or paid to transfer a
liability, in an orderly transaction between market participants at the measurement
date. It is an exit price.

2. Fair value is a current market-based measurement, not an entity-specific measurement.

3. An entity uses the assumptions that market participants would use when pricing the
asset or liability.

4. An entity’s intention regarding the asset or liability is not relevant.

5. Fair value measurement requires an entity to determine the following:

• The particular asset or liability;

• For a non-financial asset, the best use of the asset;

• The market in which an orderly transaction would take place; and

• The appropriate valuation technique to use when measuring fair value. The
technique used should maximise relevant observable inputs and minimise
unobservable inputs.

Section 6.5.2.1 discusses the audit procedures to be applied to fair value estimates and
disclosures.


6.5.2.1 Audit Procedures for Fair Values


As discussed in Section 6.5.1 above, the auditor’s objective is to reach a conclusion about
the reasonableness of management’s fair value estimates and related disclosures. Three
circumstances can be identified that will determine the auditor’s valuation approach.

1. An active market with quoted prices exists (e.g. publicly traded shares or bonds). Here,
determination of a current and accurate fair value is simple, and easily verified by the
auditor. Caution is advised because markets are volatile and temporary changes may
not reflect fair value.

2. While an active market may or may not exist, market information about similar items
is available (e.g. similarly situated buildings in a city). Here estimates of fair value are
possible and detection risk is low to medium. The auditor might consider the use of an
expert (e.g. a real estate valuer) in these circumstances.

3. Markets do not currently exist or are illiquid (e.g. asset and liability values during an
economic recession). In this case fair value estimates must be based on discounted
cash flow or other models. Model-based fair value calculations are highly subjective and
detection risk is high.

In order to assess the reasonableness of management’s fair value estimates, the auditor
must ensure each estimate meets the following criteria:

• It provides an exit price;

• Is market-based;

• Identifies the relevant market;

• Is based on the valuation assumptions used by market participants;

• Is based on reasonable assumptions;

• Is not influenced by management’s intentions regarding the asset;

• Is specific to a particular asset (or liability);

• Identifies the best use of the asset; and

• Is based on an appropriate valuation model using, to the greatest extent possible,
observable inputs.

The auditor should also:

• Develop a point estimate or range to assess management’s estimate.

• Obtain written representations from management stating they believe significant
assumptions used in making accounting estimates are reasonable.


Illustrative Example 12
When an asset is unique, then no market can be said to exist. Such circumstances might
arise when an entity owns a large percentage of the publicly traded shares of another
company. In these circumstances, the available market price may not be relevant
as it represents the value of the shares in a retail market characterised by a large
number of small transactions. Significant shareholdings confer significant influence or
control over the company, and these benefits increase the fair value of the asset. The
auditor might consider the use of an ‘auditor’s expert’ in these circumstances (e.g. an
investment banker).

In this example, management’s fair value estimate would likely be based on a
discounted cash flow model. Where fair values are based on modelling, it is important
for the auditor to ensure that models are developed in a rigorous fashion so that the
calculations and assumptions underlying the model can be evaluated by the auditor.

Apply and Analyse 5


Holden announced in 2012 that it was closing its assembly plant in Melbourne. The
one-storey plant covered three hectares of commercially zoned property close to freeways
and rail lines.

1. State the fair value classification that is applicable to the plant.

2. Explain management’s responsibility in determining the fair value of the plant.

3. If management is unable to value the plant, identify if this constitutes an internal
control weakness.

4. If management provides an estimate of the fair value of the plant, explain whether
the auditor should test management’s estimate, hire an external valuer, or both.

Analysis:

1. The plant is a level 2 asset. A market for similar assets (commercial property in
Melbourne) will exist and sales information will be available that will permit an
estimate to be made.

2. Management is responsible for making fair value estimates. An appropriate system
should be in place to ensure this is carried out.

3. If no system is in place to estimate the fair value of items and accounts, this is
a control weakness. If management does not have the expertise to make such
valuations, a ‘management’s expert’ should be employed by Holden.

4. The auditor should test management’s estimate (or the estimate of the
management’s expert) using the criteria listed above. The auditor might consider
hiring an auditor’s expert to perform an appraisal if recent sales of equivalent
properties are not readily available.


6.5.2.2 Goodwill

The valuation of goodwill is a major concern for auditors. Goodwill represented 36% of all the
assets of major US corporations in 2008! For example, AOL-Time Warner took a $54 billion
goodwill write-down, and a further $28 billion in 2008.

Goodwill is subject to an annual impairment test. As goodwill is not a marketable asset,
and each entity’s goodwill is unique, valuation of goodwill is reliant on expert valuations and
discounted cash flow models as explained in Section 6.5.2.1. Discounted cash flow models are
based on a number of assumptions about discount rates, future cash flows, and estimates
of future prospects for the economy, the industry, and the business. These assumptions
and estimates are long-term, and as such are highly subjective and impossible to verify. This
account would also be categorised as high on the spectrum of inherent risk.

The first step in valuing goodwill is to determine if the market value of the entity is
less than the carrying value of its assets. Assuming that the assets are properly valued, a
deficiency indicates goodwill impairment. However, assessing the market value of the entity
is problematic. While the share market provides a market value for small share transactions,
this market value does not reflect the value of an entire company, or a significant interest in a
company. Typically, in company take-overs, a significant premium is paid by the acquirer.

A second confounding issue in market valuation is that the goodwill account in a company’s
statement of financial position represents only purchased goodwill – goodwill that has arisen
due to a take-over. If the acquired company remains intact, then its value can be estimated
by expert valuers, most likely by reference to valuation models created at the time of the
take-over. For example, if revenue growth was originally estimated at 10%, and actual growth
has been 12%, this fact will increase the original valuation.

If, however, the acquired company has been integrated with the parent company – which
is common – then no identifiable business unit exists. Goodwill valuations will be based on a
range of assumptions about competitors, the economy, and product life-cycles, assumptions
which will be difficult to verify.

Audit procedures for goodwill valuation and impairment are similar to those concerning
accounting estimates and fair values. Further discussion can be found in Chapter 7, Section 7.6.2.

6.5.3 Initial Engagements and Opening Balances


An initial audit engagement takes place when the prior period financial statements were
not audited, or were audited by a predecessor auditor. The auditor’s objectives in an initial
engagement are to ensure that the opening balances are not misstated in a way that will
materially affect the current financial statements, and that accounting policies reflected in the
opening balances have been consistently applied, or changes have been appropriately applied
and disclosed.

In order to achieve these objectives, the auditor should:

1. Obtain and read the prior period’s financial statements and the auditor’s
report thereon;

2. If the predecessor auditor’s report was modified, consider the effect of the modification
on the current financial statements;

3. Ensure the prior year’s closing balances have been brought forward appropriately; and


4. Do one of the following to obtain evidence about the opening balances:

• Review the predecessor auditor’s working papers; or

• Perform procedures to obtain evidence about the opening balances.

  ◦ For current assets and liabilities, audit evidence about opening balances may
    be obtained as part of the current period’s audit procedures. For example,
    the payment of accounts payable or collection of opening trade receivables
    during the current period will provide some audit evidence of their existence,
    completeness, valuation, and rights and obligations at the beginning of
    the period.

  ◦ In the case of inventories, the auditor might observe a physical inventory count
    and reconcile it to the opening inventory quantities, test the valuation of the
    opening inventory items by comparison with subsequent sales, or perform
    analytical procedures on gross profit.

  ◦ For non-current assets and liabilities, such as investments; long-term debt; and
    property, plant, and equipment, audit evidence may be obtained by examining
    the accounting records and other information underlying the opening balances,
    or through confirmation with third parties.

6.5.4 Comparative Information


The terminology relating to comparative information can cause confusion. Make sure
you understand the three key terms which appear in the title of HKSA 710: Comparative
Information – Corresponding Figures and Comparative Financial Statements. It is particularly
important that you follow the definitions in the auditing standards because different
terminology is used in, for example, the Hong Kong Main Board Rules Appendix 16, paragraph
45(1), where ‘comparative figures’ are referred to – a term that does not appear in the auditing
standard. Fortunately, however, this matter is clarified by Lam and Lau (2012), who state that
the requirement for comparative figures in the Main Board Rules is what HKSA 710 refers to
as ‘corresponding figures’. While this distinction may seem trivial, it is important to both the
auditor’s procedures and the content of the audit report.

The following points summarise the key aspects of the definitions found in paragraph 6
of HKSA 710:

• Comparative information refers to amounts and disclosures in respect of prior
periods (normally just one prior period).

There are just two types of comparative information:

1. Corresponding figures;

2. Comparative financial statements.

• Corresponding figures are only relevant as an aid to understanding the current
period’s financial statements. They are not complete financial statements. Typically, but
not always, this means that the prior financial statements are included, but the notes
are excluded – so the prior financial statements are incomplete.


• Comparative financial statements are, or are close to, identical in form to the current
period’s financial statements, and are complete financial statements (including the
notes). If audited, they are referred to in the current auditor’s opinion.

Audit procedures relating to the audit of comparative information require the auditor to
determine whether:

• The financial statements include the appropriate comparative information.

• The comparative information agrees with the amounts and other disclosures presented
in the prior period.

• The accounting policies reflected in the comparative information are consistent with the
current period.

• If the auditor becomes aware of a possible material misstatement in the comparative
information, the auditor shall determine whether a material misstatement exists.

The auditor shall also request written representations from management regarding any
restatement made to correct a material misstatement in prior period financial statements that
affect the comparative information.

See Chapter 10 Section 10.7 for the reporting requirements relating to comparative
information.

6.5.5 Related Party Transactions


Chapter 9, Section 9.4 provides a thorough discussion of related party issues. This section
provides a summary of these matters with an emphasis on audit procedures.

Relevant standards include HKSA 550 (Clarified) Related Parties, and HKAS 24, Related Party
Disclosures. Related parties are frequently involved in fraudulent financial transactions, so both
HKSA 315, Identifying and Assessing the Risks of Material Misstatement through Understanding the
Entity and Its Environment, and HKSA 240, The Auditor’s Responsibilities Relating to Fraud in an
Audit of Financial Statements, are also relevant.

A related party is a person or entity that is related to the entity that is preparing its
financial statements (the reporting entity). Related parties include relatives of individuals
who have some control or influence over an entity, entities that are members of a company
group, and a variety of parties to other relationships.

A related party transaction is a transfer of resources, services, or obligations between a
reporting entity and a related party, regardless of whether a price is charged.

The objectives of the auditor are to obtain an understanding of related party relationships
and transactions sufficient to be able to recognise fraud risk factors, and to obtain sufficient
appropriate audit evidence about whether related party relationships and transactions
have been appropriately identified, accounted for, and disclosed in the financial statements
in accordance with the HKAS and the HKFRS. Audit procedures should, first, identify and
examine all transactions with disclosed related parties and, second, search for large or unusual
transactions with undisclosed related parties. The existence of undisclosed related parties
should be considered a fraud risk.


The auditor should make enquiries of management regarding:

• The identity of the entity’s related parties;

• The nature of the relationships between the entity and the related parties;

• Whether the entity entered into any transactions with the related parties during the
period, and the purpose of those transactions; and

• Controls management has established to identify related parties and to authorise
related party transactions.

Where management fails to disclose related parties or related party transactions, the
auditor should increase their assessment of inherent risk relating to fraud.

Related party transactions might include:

• Transactions with family members including transactions with accountants or lawyers,
or the rental of business premises;

• Transactions with trusts;

• Non-arm’s-length purchases or sales;

• Unusually low or high interest rate loans, or unsecured loans;

• Purchase of goods and services not clearly required by the entity;

• Poorly documented or overly complex transactions;

• Excessive travel or entertainment expenses;

• Large discounts given or received; or

• Inter-company transfers of funds.

Auditors should search for unidentified related parties and undisclosed related party
transactions by reviewing:

• Bank documents (loans, guarantees);

• Legal confirmations (the legal letter);

• Minutes of board and management meetings;

• Significant contracts, transactions, and journal entries;

• Prior year’s listing of related parties and related party transactions;

• Regulatory returns (tax, stock exchange); and

• Records of the entity’s investments.

Where auditors identify significant transactions outside the entity’s normal course of
business, they should enquire whether related parties are involved. If so, the transactions
should be treated as significant risks.
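The two-step search described in this section, as an added Python example that is not part of the original text: transactions are matched first against the disclosed related parties and then against names found in the other sources listed above, and the page's unusual-transaction indicators decide what is escalated. The thresholds, field names and all sample data are constructed assumptions, and using the indicators as a proxy for "outside the normal course of business" is a simplification.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Assumed thresholds for illustration; set them from the engagement's own benchmarks.
NORMAL_LOAN_RATE_PCT = (3.0, 9.0)   # band treated as an ordinary annual interest rate
LARGE_DISCOUNT_PCT = 20.0


@dataclass(frozen=True)
class Txn:
    ref: str
    counterparty: str
    kind: str                              # "loan", "purchase" or "sale"
    amount: float
    interest_rate: Optional[float] = None  # annual %, loans only
    secured: Optional[bool] = None         # loans only
    discount_pct: float = 0.0


def norm(name: str) -> str:
    """Normalise a party name so case and punctuation variants compare equal."""
    return re.sub(r"[^a-z0-9]+", " ", name.casefold()).strip()


def indicators(t: Txn) -> list:
    """Return the unusual-transaction indicators (from the list above) that apply."""
    found = []
    if t.kind == "loan":
        low, high = NORMAL_LOAN_RATE_PCT
        if t.interest_rate is not None and not (low <= t.interest_rate <= high):
            found.append("unusual interest rate")
        if t.secured is False:
            found.append("unsecured loan")
    if t.discount_pct >= LARGE_DISCOUNT_PCT:
        found.append("large discount")
    return found


def screen(txns, disclosed, other_sources):
    """disclosed: names given by management. other_sources: name -> where it was found."""
    disclosed_keys = {norm(n) for n in disclosed}
    sourced = {norm(n): src for n, src in other_sources.items()}
    report = {"disclosed_rp": [], "undisclosed_rp": {},
              "significant_risk": [], "enquire": []}
    for t in txns:
        key = norm(t.counterparty)
        related = key in disclosed_keys
        if related:
            # Step 1: every transaction with a disclosed related party is examined.
            report["disclosed_rp"].append(t.ref)
        elif key in sourced:
            # Step 2: a related party seen in other evidence but not disclosed.
            related = True
            report["undisclosed_rp"][t.counterparty] = sourced[key]
        flags = indicators(t)
        if flags:
            # Unusual and related: significant risk. Unusual only: enquire further.
            bucket = "significant_risk" if related else "enquire"
            report[bucket].append((t.ref, flags))
    return report


# Constructed sample data, not taken from any real entity.
SAMPLE_TXNS = [
    Txn("T1", "Harbour Supplies Ltd", "purchase", 120_000, discount_pct=5.0),
    Txn("T2", "K. Wong Family Trust", "loan", 2_000_000, interest_rate=0.5, secured=False),
    Txn("T3", "PEAK HOLDINGS LIMITED", "sale", 300_000, discount_pct=35.0),
    Txn("T4", "Peak Holdings Limited", "purchase", 80_000),
    Txn("T5", "Orchid Consulting", "loan", 400_000, interest_rate=15.0, secured=True),
]
DISCLOSED = ["Peak Holdings Limited"]
OTHER_SOURCES = {
    "K Wong Family Trust": "board minutes",
    "Peak Holdings Limited": "prior year's listing",
}

if __name__ == "__main__":
    for section, content in screen(SAMPLE_TXNS, DISCLOSED, OTHER_SOURCES).items():
        print(section, content)
```
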


Knowledge Check Questions

Question 29
Explain fair value and describe when fair value concepts are applied.

Question 30
Explain how the fair value concept is applicable to the inventory; trade receivables; and
property, plant, and equipment accounts.

Question 31
Three levels of evidence may be used to assess fair value. Briefly describe each of
the three.

Question 32
Explain the process by which an auditor makes judgements about management’s fair value
estimates.

Question 33
Describe the approach the auditor should take to identify and audit related party
transactions.

Question 34
Describe the audit risks associated with related party transactions.

Question 35
An entity’s pension obligations disclosed in the financial statements are based on a
management estimate.
(a) Identify data, assumptions, and risks that would be relevant to calculating the
liability.
(b) Describe audit evidence that should be gathered to assess the accuracy of
the estimate.
(c) If the auditor’s estimate is significantly different from management’s, explain how
the auditor can identify bias in the management’s estimate.

Question 36
The CEO of a large organisation (revenue of HK$36 billion) used corporate funds to
purchase an apartment and make loans to key executives that were subsequently forgiven.
(a) Explain whether the auditor should look for these types of transactions in
every audit.
(b) Describe the audit procedures that might have identified these transactions.


6.6 DOCUMENTATION

The requirement to document the planning and conduct of an audit is a fundamental principle
of auditing. HKSA 230 Documentation (June 2017) and Chapter 5, Section 5.2 provided a
comprehensive discussion of audit documentation, with an emphasis on the documentation
of audit planning procedures. This section provides a brief review of this earlier material
and illustrates at greater length the documentation of the evidence gathering procedures
undertaken by an auditor.

Audit documentation is the written record that forms the basis for the auditor’s
conclusions. Also known as work papers or working papers, audit documentation facilitates
the planning, execution, and supervision of the audit, and enables a review of the audit work by
senior auditors and regulators.

6.6.1 The Work Papers


Work papers are typically separated into an engagement (current) file and a permanent file. The
permanent file contains information with ongoing relevance for future audits. The permanent
file would typically contain:

• Accounting policies

• Articles of incorporation

• By-laws

• Chart of accounts

• Director list

• History of the client organisation

• Internal controls documentation

• Organisation chart

• Prior period’s audit reports

• Loan and lease agreements

• Fixed asset register

• Share register.

Work papers record information relevant to the current audit engagement:

• The entity’s trial balance and adjustments thereto;

• Evidence of planning;


• The audit programme;

• The work done including control tests, analytical procedures and tests of details; the
auditor who completed the work; the reviewer; and the dates of the work and review;

• Evidence obtained including copies of key documents;

• The auditor’s analysis of the evidence; and

• Conclusions formed.

Documentation of the audit planning process was covered in Chapter 5, Section 5.2. Audit
planning documentation would include:

• Discussions with senior management.

• Inherent and control risk analyses.

• Initial analytical procedures.

• Identification of accounts and assertions requiring special attention.

• The auditor’s assessment of materiality, the audit strategy, and staffing needs.

The audit programme is the most important item of documentation in the audit
engagement. The audit programme specifies procedures to be performed in gathering
evidence for each account and provides a record of the completion of each procedure. Each
section of the programme will provide a description of the evidence obtained, the auditor’s
analysis of the evidence, judgements made by the auditor in relation to the evidence, and a
conclusion about the account or assertion that is the subject of the work paper. Other items
retained in the work papers include key documents such as:

• Minutes of board meetings

• Responses to confirmation requests

• The management representation letter.

6.6.2 Preparation of Working Papers


Good audit documentation should have the following characteristics:

• A table of contents or index.

• On each work paper, the name of the client, the balance date, and the account.

• Identification of the auditor and the reviewer, and the dates of their work.

• A description of the tests performed and findings.

• A conclusion regarding the possibility of material misstatement.

• Cross-referencing to related documentation.


Exhibit 6.12 illustrates an appropriate work paper for testing inventory existence.

Work Paper:    Inventory extension test        Preparer:  BAC
Client:        Retail Co.                      Date:      20 July 20XX
Balance date:  30 June 20XX                    Reviewer:  ATV
                                               Date:      25 July 20XX

Item #  Item name        Count  Inventory   Difference  $ Cost/  Extension  Error
                                sub-ledger              unit
1       stamp machine    3*     3➀          0           1000     3000➁
11      electric motor   15*    14➀         1           120      1600➁      120
21      motor housing    14*    15➀         –1          50       750➁       50
31      rack             20*    20➀         0           10       200➁
41      repair kit       10*    10➀         0           25       250➁
        Total tested                                             6000
        Item not tested                                          50000
        Total                                                    56000➀     170
                                                                 ^          ^

Memo: Five items were tested comprising 6000/56000 = 10.7% of the inventory balance.
A total error of $170 was identified. The population error is projected at $170/10.7% = $1589➂.
This is immaterial and the inventory count is judged accurate.

* test count by auditor
➀ agreed to inventory sub-ledger
➁ tested extension
➂ Note that this error projection is that commonly applied to a judgemental sample.
^ footed

EXHIBIT 6.12 Work paper for inventory existence
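The checks recorded on a work paper of this kind (test count against sub-ledger, re-performed extension, footing, and projection of the sample error), as an added Python example that is not part of the original text. The item lines, the materiality figure and all function names are constructed for illustration; the projection uses the ratio formula applied to a judgemental sample.

```python
from dataclasses import dataclass
from decimal import Decimal, ROUND_HALF_UP


@dataclass(frozen=True)
class Line:
    item: str
    test_count: int        # auditor's own test count
    subledger_qty: int     # quantity per the inventory sub-ledger
    unit_cost: Decimal
    recorded_ext: Decimal  # extension shown on the client's inventory listing


def evaluate_line(line: Line) -> dict:
    """Compare the test count to the sub-ledger and re-perform the extension."""
    difference = line.test_count - line.subledger_qty
    expected_ext = line.subledger_qty * line.unit_cost
    return {
        "item": line.item,
        "difference": difference,
        "count_error": abs(difference) * line.unit_cost,
        "extension_ok": expected_ext == line.recorded_ext,
    }


def project_error(sample_error: Decimal, sample_total: Decimal,
                  population_total: Decimal) -> Decimal:
    """Estimated population error = (sample error / sample total) x population total."""
    if sample_total <= 0:
        raise ValueError("sample total must be positive")
    # Multiply before dividing so exact ratios are not lost to intermediate rounding.
    projected = sample_error * population_total / sample_total
    return projected.quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)


def evaluate_work_paper(lines, stated_sample_total, population_total, materiality):
    """Run every check and return the figures a reviewer would look for."""
    results = [evaluate_line(line) for line in lines]
    footed_total = sum((line.recorded_ext for line in lines), Decimal(0))
    sample_error = sum((r["count_error"] for r in results), Decimal(0))
    projected = project_error(sample_error, footed_total, population_total)
    return {
        "foots": footed_total == stated_sample_total,   # the '^' tick mark
        "coverage": footed_total / population_total,    # share of balance tested
        "sample_error": sample_error,
        "projected_error": projected,
        "extension_exceptions": [r["item"] for r in results if not r["extension_ok"]],
        "material": projected > materiality,
    }


# Constructed sample lines (not the figures from the exhibit).
SAMPLE_LINES = [
    Line("pump",    8,   8,   Decimal("250"), Decimal("2000")),
    Line("valve",   38,  40,  Decimal("30"),  Decimal("1200")),
    Line("gasket",  100, 100, Decimal("4"),   Decimal("400")),
    Line("bearing", 25,  24,  Decimal("50"),  Decimal("1250")),  # extension uses count, not sub-ledger
]

if __name__ == "__main__":
    report = evaluate_work_paper(
        SAMPLE_LINES,
        stated_sample_total=Decimal("4850"),
        population_total=Decimal("48500"),
        materiality=Decimal("5000"),   # assumed materiality for the account
    )
    for key, value in report.items():
        print(f"{key}: {value}")
```
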

6.6.3 Completion of Audit Documentation


The auditor is required to assemble the audit documentation on a timely basis after the date of
the auditor’s report – normally 60 days. The completion does not involve the performance of
any new audit procedures. Changes to documentation may be made if they are of an
administrative nature, for example, sorting, collating, and cross-referencing working papers, or
documenting oral audit evidence obtained before the date of the auditor’s report
(HKSA 230.A21–A24).

After the final audit file has been completed, the auditor must not delete or discard audit
documentation of any nature before the end of its retention period – normally five years.
Where it is necessary to modify or add new audit documentation after the audit file has been
completed, the auditor shall document the reasons for the modifications, the date, and the
names of both preparer and reviewer. For example, new documentation may be added to a file
in response to comments received during monitoring inspections (HKSA 230.14–16).


Knowledge Check Questions

Question 37
List the main contents of an engagement file.

Question 38
Explain the purpose of audit documentation.

Question 39
List the elements that each audit document should contain.


SUMMARY

• Auditing is a process of objectively gathering and evaluating evidence about management’s
assertions which comprise the financial statements. This process provides a basis for the
auditor’s opinion.

• In planning an audit, the auditor must decide what evidence gathering procedures to perform,
when those procedures should be performed, and how much evidence is needed – the
nature, timing, and extent of procedures.

• Understanding the components of the entity’s system of internal control through performing
risk assessment procedures is part of the process of assessing inherent and control risks and
the risk of material misstatement at the financial statements and assertion levels.

• For identified risks of material misstatement at the assertion level a separate assessment of
inherent risk and control risk is required under HKSA 315 (Revised 2019).

• Control risk is an important part of the audit risk model. The auditor needs to understand the
system of internal control and control risk to plan the substantive audit procedures they will
use to test transactions and balances.

• Auditors are not required to test controls unless they plan to rely on them to reduce the
extent of substantive testing, but if a combined audit strategy is adopted, audit procedures
must include tests of controls that address the risk that internal controls are deficient.

• The auditor cannot test every transaction that occurs in an accounting period. This would be
both pointless and inefficient. Tools to improve audit efficiency include sampling to carry out
tests of controls and tests of details, and analytical review to provide evidence of the overall
reasonableness of account balances.

• Sampling is efficient because sample size is only weakly associated with population size.
This means that millions of transactions can be tested effectively with a sample of perhaps
300 items.

• Much audit work involves objective testing of documents and other evidence relating
to historic transactions; but auditors are also required to make complex and subjective
judgements relating to issues like fair values or related party transactions. Audit procedures
relating to estimated or fair valued accounts involve an examination of management’s
estimates of account balances for compliance with a range of criteria. Fundamentally,
management’s estimates must be based on reasonable assumptions.

• Audit documentation provides evidence that the audit is properly planned and executed,
and that the auditor’s opinion is properly supported by sufficient and appropriate evidence.
Proper documentation will ensure that the work of the audit team can be meaningfully
assessed by senior auditors and by regulators.


MIND MAP

AUDIT PROCEDURES AND AUDIT EVIDENCE

• EVIDENCE AND ASSERTIONS: Risk; Evidence; Assertions

• SUBSTANTIVE PROCEDURES: Analytical procedures; Tests of detail; Confirmations

• TESTS OF CONTROLS: Internal control components; Control activities; Control tests;
Cycle approach; Evaluation of test results

• OTHER AUDIT EVIDENCE: Accounting estimates; Fair values; Initial engagements and
opening balances; Comparative information; Related party transactions

• SAMPLING: Sampling risk; Sample evaluation; Big data

• DOCUMENTATION: Permanent file; Work papers record; Audit planning documentation

LIST OF FORMULAS
1. Audit risk (AR) is a function of Inherent risk (IR), Control risk (CR), and Detection risk (DR)

AR ~ IR x CR x DR

2. Sampling

a. Population deviation rate = sample deviation rate + sampling risk adjustment

b. Sample deviation rate = actual deviations / sample size

c. Estimated population error = (sample error / sample total) x population total

3. Trade receivables turnover

A/R TO = sales / average receivables

Answers to Knowledge Check Questions

Question 1
Answer A is incorrect because Existence is a concern as inventory is higher than expected.
Answer B is incorrect because Presentation is not associated with inventory turnover.
Answer C is incorrect because Valuation errors would affect both Inventory and COGS in
the ratio and the auditor would be concerned that if turnover were slower the inventory
could be over-valued.
Answer D is the incorrect answer, because if inventory turnover has decreased, then
inventory is higher than expected. Completeness is associated with an understatement of
the account, so it would be the least likely to be misstated.


Question 2
Answer A is incorrect because if the payables are recorded then they likely exist.
Overstatement of liabilities is unlikely.
Answer B is incorrect because the key risk for liabilities is that they are understated.
A recorded payable implies Obligations is fairly stated.
Answer C is the correct answer because Understatement of liabilities is always a risk.
Answer D is incorrect because Occurrence relates to transactions and not
account balances.

Question 3
Answer A is the correct answer because understatement is a minor risk with
asset accounts.
Answer B is incorrect because existence is the main risk with asset accounts.
Answer C is incorrect because substantive tests are not used as control tests.
Answer D is incorrect because rights are an important assertion relating to current assets.

Question 4
Answer A is the correct answer because Valuation is at risk of overstatement if inventory
is obsolete.
Answer B is incorrect because Rights is not associated with obsolescence.
Answer C is incorrect because Existence is not an issue with obsolescence.
Answer D is incorrect because Completeness is not at issue with obsolescence.

Question 5
Answer A is the correct answer because Tracing is a procedure associated with
completeness tests. It verifies that all cash remittances received ended up recorded in the
cash receipts journal.
Answer B is incorrect because Occurrence would be tested by vouching, that is vouching
entries in the cash receipts journal back to the original remittance advices.
Answer C is incorrect because Rights would be tested by sighting the recipient on the
remittance advice.
Answer D is incorrect because Accuracy would be tested by agreeing the amounts on the
remittance advice with the journal.

Question 6
Answer A is the correct answer because if gross profit is overstated then COGS may be
understated and ending inventory may be overstated, hence breaching Existence.
Answer B is incorrect because Understatement of inventory would lead to an
overstatement of COGS and hence a lower gross profit.
Answer C is incorrect because presentation would not affect the gross profit.
Answer D is incorrect because Accuracy is not an assertion about balances.


Question 7

              Evidence
Criteria      A. Ageing                B. Confirmation            C. Comparison
Source        Management               Third Party                Auditor
Nature/Type   Document                 Document                   Document
Timing        Year-end                 Best if year-end           Year-end
Extent        Single                   10% is reasonable;         Single
                                       depends on prior
                                       misstatements (risk)
Relevance     Valuation                Existence, rights, and     Valuation, existence
                                       valuation
Reliability   Questions arise as to    Follow up of unreturned    High as the comparison is
              its completeness due     items important            with an audited balance and it
              to its source                                       is prepared by the auditor

Question 8
Answer A is incorrect because this describes a combined audit approach.
Answer B is incorrect because if control risk were low then the auditor would have
proceeded with the control tests.
Answer C is incorrect because the two risk levels are not comparable.
Answer D is the correct answer because the auditor’s preliminary assessment of control
risk must have been high, i.e. controls are not effective, so testing was of no purpose.

Question 9
Answer A is the correct answer because, where control risk is less than high, key controls
are identified for testing.
Answer B is incorrect because year-end substantive tests are performed when the audit
strategy is substantive.
Answer C is incorrect because control risk has no relationship to inherent risk.
Answer D is incorrect because a lower level of control risk would decrease the planned
level of substantive testing.

Question 10
Answer A is the correct answer because these are similar functions.
Answer B is incorrect because credit is approving a transaction and billing is recording a
transaction, and so require segregation.
Answer C is incorrect because shipping is custody of an asset and billing is recording a
transaction, so segregation is required.
Answer D is incorrect because cash is custody of an asset and adjustments are recording a
transaction, so segregation is required.

Question 11
Answer A is incorrect because understatement of revenue is low risk.
Answer B is incorrect because overstatement of revenue is a common misstatement.
Answer C is incorrect because this relates to the assertion of valuation and allocation for
the trade receivables balance.
Answer D is incorrect because it relates to cut-off and not occurrence.

Question 12
Answer A is incorrect because accuracy of the invoices would be tested concurrently.
Answer B is incorrect, because this ensures that for each shipment a sales invoice was
prepared to support the recording of the sale.
Answer C is incorrect because Cut-off relates to timing. Any year-end shipments would also
be tested for correct cut off.
Answer D is incorrect because the occurrence test would select a sample of invoices and
vouch them back to the related shipping documents.

Question 13
Answer A is incorrect because this is a two-control test.
Answer B is the correct answer because a dual-purpose test is one that is simultaneously a
test of control and a substantive test of a transaction.
Answer C is incorrect because this type of test is not called a dual-purpose test.
Answer D is incorrect because no tests are completed on behalf of the client.

Question 14
This is a segregation of duties problem. Duties to be segregated include recording,
authorisation, and access to assets.

Weakness 1
The clerk who processes the payroll (recording) should not be able to enter new
employees or change rates of pay (authorisation).

Control 1
A second person with no recording responsibilities should be in control of pay rates
and employee entry (authorisation). Separate passwords should be maintained.

Weakness 2
The bank transfers should not be completed (access to assets) by the payroll clerk,
because they could make payments to themselves or to fraudulent employees and
cover these up with fraudulent entries.

Control 2
A third person (independent) with no payroll responsibilities should process the bank
transfers to employees.
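
The segregation check behind Weakness 1 and Weakness 2, as an added example that is not part of the learning pack: a Python access review that flags any person whose permissions span more than one of the three duties, and any login shared between people. The permission names, login IDs and both grant lists are constructed for illustration.

```python
from collections import defaultdict

# The three duties the answer says must be segregated.
RECORDING = "recording"
AUTHORISATION = "authorisation"
CUSTODY = "access to assets"

# Hypothetical permission names for a payroll application, each mapped to a duty.
PERMISSION_DUTY = {
    "process_payroll": RECORDING,
    "add_employee": AUTHORISATION,
    "change_pay_rate": AUTHORISATION,
    "release_bank_transfer": CUSTODY,
}


def review_access(grants):
    """Review (login_id, person, permission) grants.

    Returns two dicts:
      duty_conflicts: person -> sorted duties, for people holding more than one duty
      shared_logins:  login_id -> sorted people, for logins used by more than one person
    """
    duties_by_person = defaultdict(set)
    people_by_login = defaultdict(set)
    for login_id, person, permission in grants:
        if permission not in PERMISSION_DUTY:
            # An unclassified permission cannot be reviewed, so fail loudly.
            raise ValueError(f"unclassified permission: {permission}")
        duties_by_person[person].add(PERMISSION_DUTY[permission])
        people_by_login[login_id].add(person)

    duty_conflicts = {
        person: sorted(duties)
        for person, duties in duties_by_person.items()
        if len(duties) > 1
    }
    shared_logins = {
        login: sorted(people)
        for login, people in people_by_login.items()
        if len(people) > 1
    }
    return duty_conflicts, shared_logins


# Constructed grants mirroring the weaknesses: the clerk records payroll,
# maintains employees and pay rates, and releases the bank transfers.
GRANTS_BEFORE = [
    ("payroll01", "payroll clerk", "process_payroll"),
    ("payroll01", "payroll clerk", "add_employee"),
    ("payroll01", "payroll clerk", "change_pay_rate"),
    ("payroll01", "payroll clerk", "release_bank_transfer"),
    # Constructed: a second person using the same login and password.
    ("payroll01", "payroll supervisor", "change_pay_rate"),
]

# Constructed grants after Control 1 and Control 2: one duty per person,
# one login per person.
GRANTS_AFTER = [
    ("clerk01", "payroll clerk", "process_payroll"),
    ("hr01", "hr officer", "add_employee"),
    ("hr01", "hr officer", "change_pay_rate"),
    ("tsy01", "treasury officer", "release_bank_transfer"),
]

if __name__ == "__main__":
    for label, grants in (("before", GRANTS_BEFORE), ("after", GRANTS_AFTER)):
        conflicts, shared = review_access(grants)
        print(label, "duty conflicts:", conflicts, "shared logins:", shared)
```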

Question 15
Answer A is the correct answer. HKSA 315 (Revised), paragraph 26(d)(ii), indicates that
determining whether a control has been implemented requires procedures in addition to
inquiry of entity personnel. This does not provide visible or observable evidence.
B, C, and D are incorrect as these are identified in HKSA 315 (Revised 2019) as possible
risk assessment procedures. They provide visible and observable evidence that would
supplement inquiry.

Question 16
Answer A is incorrect because the audit objective is to identify and assess the risk of
material misstatement.
Answer B is the correct answer. When multiple controls achieve the same objective, it is
unnecessary to identify each control.
Answer C is incorrect because these controls provide a basis for the auditor determining
the nature, timing, and extent of substantive procedures to the assessed risk of material
misstatement.
Answer D is incorrect because the result of this determines the approach to substantive
testing, including controls that address risks for which substantive tests do not provide
sufficient appropriate audit evidence.

Question 17
Controls over journal entries, whether standard, non-standard, or automated would be
expected to be identified for all audits because of the manner in which entities incorporate
information from transaction processing into the general ledger.

Question 18
As general IT controls support the continued proper operation of the IT environment
and support the continued effective functioning of information processing controls,
understanding these controls facilitates the auditor’s development of an audit strategy for
testing information that involves IT applications and the assessment of inherent risk at the
assertion level. It also impacts the assessment of control risk and in deciding whether to
test the operational effectiveness of controls to address the risk of material misstatement
at the assertion level.

Question 19
Answer A is incorrect because it only refers to statistical sampling.
Answer B is the correct answer because this is the definition of sampling.
Answer C is incorrect because random selection is one type of sample selection.
Answer D is incorrect because this describes all audit procedures.

Question 20
Answer A is the correct answer because if a sample is too small it might not be
representative of the population.
Answer B is incorrect because this is part of detection risk, not sampling risk.
Answer C is incorrect because this is part of detection risk, not sampling risk.
Answer D is incorrect because this is part of detection risk, not sampling risk.

Question 21
Answer A is the correct answer because this is the main benefit of statistical sampling.
Answer B is incorrect because typically non-statistical samples are smaller than statistical
samples, where the number of sampling units examined can be calculated.
Answer C is incorrect because these are not measures of statistical sampling.
Answer D is incorrect because statistical sampling does not reduce the auditor’s judgement
involved in determining materiality.

Question 22
The total misstatement in the sample was 10.33% of the value of items sampled (93,000 /
900,000 = 10.33%). This means that the potential misstatement in the account is 10.33%
x $2.5M = $258,000. This may be considered material. If so, the auditor might extend the
sample, or request the client to review the account for further errors. The auditor should
also request that management adjust the account.

Question 23
Answer A is incorrect because there is no need to reconfirm as the initial confirmation was
correct and can be clarified. A second confirmation is unnecessary and therefore would be
costly and inefficient.
Answer B is incorrect because this time period is not relevant.
Answer C is the correct answer because examining subsequent cash receipts would clarify
the reply and prove the balance.
Answer D is incorrect because trade discounts are not relevant. The objective of
confirmations is to verify an outstanding receivable balance. That balance would already
reflect any discount.

Question 24
Answer A is the correct answer because the auditor does not know the reason for the non-
response. Non-replies might indicate a correct balance, but also they indicate disinterest,
or that the confirmation was not received. Negative confirmations are not a strong form
of evidence.
Answer B is incorrect. While the statement itself may be true, it does not offer the best or
most complete argument, which is given in A above.
Answer C is incorrect. Recipients are not likely to feel that the confirmation is a request
for payment.
Answer D is incorrect because negative confirmations are relatively low cost.

Question 25
Answer A is incorrect because this is a substantive test of details.
Answer B is incorrect because this is a substantive test of details.
Answer C is the correct answer. This simple comparison is a fundamental analytical
procedure for the statement of profit or loss and other comprehensive income.
Answer D is incorrect because this is a substantive test of details.

Question 26
Answer A is incorrect because analytical review of the prior year’s collection experience is a
useful test for doubtful debts.
Answer B is incorrect because the ageing is a useful audit test for doubtful debts.
Answer C is incorrect because evidence from a third party is more reliable than
management opinion.
Answer D is the correct answer because the least reliable source of evidence is
management. The auditor is required to make the determination, not to rely on
management’s opinion.

Question 27
Answer A is the correct answer because the ageing is used to evaluate account
collectability, and hence the valuation of the allowance.
Answer B is incorrect because the aged trial balance provides no evidence as to whether all
receivables have been recorded, i.e. this is not a completeness test.
Answer C is incorrect because the aged trial balance has nothing to do with control tests.
Answer D is incorrect because the aged trial balance provides no evidence as to the
existence of receivables.

Question 28
This test, as with other analytical procedures, assumes little change in client business
operations, industry, or economic conditions. These matters should be established
before proceeding with analytical tests. The test is useful in identifying risks for further
examination. If the ratio has not changed, this provides some assurance that the accounts
are properly stated. Further substantive tests of detail for accuracy, completeness, and
occurrence are still required.
If the ratio has, for example, increased compared to prior years, then there is risk
that either sales is overstated, cost of sales is understated, or both. Increased substantive
testing will be required for the occurrence and accuracy of sales, and the completeness
and accuracy of cost of sales.

Question 29
Fair value is current market value. Fair value concepts are applied when assets or liabilities
are impaired.

Question 30
Inventory is adjusted for obsolescence using the lower of cost or market test. Trade
receivables are adjusted for estimated uncollectible debts. Property, plant, and equipment
is adjusted for impairment.

Question 31
Level 1 is where quoted prices are available on identical items. At level 2, information is
available about similar items. An expert valuer will most likely be consulted. At level 3, no
active market exists, and discounted cash flow models are likely to be used for valuations.

Question 32
In order to assess the reasonableness of management’s fair value estimates, the auditor
must ensure each estimate meets the following criteria:
• It provides an exit price;
• Is market-based;
• Identifies the relevant market;
• Is based on the valuation assumptions used by market participants;
• Is based on reasonable assumptions;
• Is not influenced by management’s intentions regarding the asset;
• Is specific to a particular asset (or liability);
• Identifies the best use of the asset; and
• Is based on an appropriate valuation model using observable inputs to the greatest
extent possible.

Question 33
The auditor should:
• Request management to provide a list of related parties, and transactions with those
related parties.
• Search documents like leases, loan agreements, and board minutes for evidence of
related parties or related party transactions.
• Be alert for unusual transactions – those that appear overly complex, poorly
documented, or inconsistent with the objectives of the client business.

Question 34
The main risks are fraud and theft leading to misstatement of the financial reports. A
secondary risk is failure to comply with accounting standards relating to the full disclosure
of related parties and related party transactions.

Question 35
(a) Data: Number of employees; expected and current age at retirement;
expected income at retirement; pension contract terms; pension legislation;
discount factor.
Assumption: Legislation regarding pensions will not change. The pension contract
with employees will not change. Past experience of retirement age will be relevant.
A discounted cash flow model will be appropriate.
Risk: Legislation regarding pensions may change; the pension contract may change;
employees may retire earlier/later than current experience; interest rates may
change.

(b) Consider the relevance and reliability of the data. All data should be agreed to
source documents (payroll; contracts; legislation; etc.).
Inquire into the use of a management’s expert; consider the use of an auditor’s
expert. In the case of pensions, an actuary might be used.

Inquire about controls over estimates.
Consider the reasonableness of management’s assumptions and the adequacy of
management’s risk assessment.
(c) Indicators of management bias with respect to accounting estimates may
include changes in the method used from prior periods, interest rates that are
inconsistent with the entity’s cost of capital, assumptions about retirement age,
and future salaries that yield an estimate favourable to management’s objectives of
maximising profits and bonuses, or failure to provide a balanced risk assessment
addressing the risks identified in part (a) above.

Question 36
(a) Related party transactions are often associated with misappropriation of assets
and financial reporting fraud. A search for, and examination of the substance of,
related party transactions is an important part of the auditor’s fraud detection
procedures. Although the transactions noted above are not material (the
materiality level in this company would likely be 0.5 to 1% of revenue, so in
the hundreds of millions), their existence points to inadequacies in the control
environment and an increase in control risk.
(b) Two approaches are taken to the identification of related party transactions.
i. Where appropriate controls exist, management should be asked for a list of
related parties and associated transactions.
ii. Further procedures include the examination of all large or unusual
transactions, and the examination of contracts, minutes of management
meetings, investments, etc. for evidence of related parties and associated
transactions.

Question 37
Audit documentation provides a record of:
• Evidence of audit planning (risk analysis).
• A plan for evidence gathering procedures to be completed (the audit programme).
• Work done, personnel involved, and timing.
• Evidence gathered.
• Audit judgements made.
• Conclusions about assertions, accounts, and the financial statements.

Question 38
The purpose of this documentation is to:
• Provide evidence to senior auditors or regulators that the audit has been properly
completed.
• Demonstrate that the auditor’s conclusions are based on verifiable evidence.

Question 39
Audit documentation should contain:
• Descriptive title.
• Name of client and balance date.
• Name of preparer and reviewer, and the dates of completion of these activities.
• Evidence obtained.
• Copies of key documents.
• Analysis of evidence.
• Conclusion regarding the assertion or account being tested.

EXAM PRACTICE

QUESTION 1
Micro Limited (Micro) is a subsidiary of Giant, a multinational. Micro provides administrative
and finance support to Giant’s subsidiaries in Asia. Micro has three staff including the
general manager, the financial controller, and a clerk. The accounting software used by
Micro for daily book-keeping is Easydone which is a simple software package. All three staff
have editing and posting access in Easydone and they use the same ID and password. All
cash payment vouchers are kept in paper format. Both the preparers and reviewer are
required to sign the paper vouchers.

Required:

As the auditor of Micro:

(a) Identify and explain two likely causes of material misstatements in the financial
statements caused by control weaknesses in segregation of duties and system access.

(b) Explain whether you would adopt a combined audit strategy including substantive
procedures and tests of controls.

QUESTION 2
After forgetting to retrieve his cash from an automatic teller machine (ATM) at a branch of
his bank during a withdrawal, a man returned to the ATM but was not able to find his cash.
As he was anxious to get his money back, he told the bank that no cash came out from the
ATM’s cash dispenser. After investigating the case and reviewing the branch records, the
police arrested a near-by street sweeper on charges of theft.

Required:

For ATM cash withdrawal activities, identify general and application controls, in a
computer-related environment, to protect the bank and customers from the theft of cash.

QUESTION 3
As at 31 December 20X4, you have a client who has significant outstanding trade receivables
due from its customers. As such, you have determined that external confirmation
procedures should be performed. After the audit confirmation results are provided to you
by the audit engagement senior, explain how you would advise and explain the appropriate
follow-up audit procedures in response to each of the following scenarios.

(a) The audit engagement team noted that there was a new customer from India and that
this new customer contributed 10% of the outstanding trade receivables at year-end.
The finance manager refused the auditor’s request to send a confirmation letter to the
new customer.

(b) One of the confirmation replies was mailed directly to the company. The finance
manager transferred it to the auditor without opening the sealed envelope containing
the confirmation.

(c) One of the confirmation replies identified a minor difference and the audit engagement
senior decided no follow-up procedure was required.

QUESTION 4
You have recently been appointed as the auditor of Messy Limited. During the audit, you
note that the prior period comparatives for the year ended 31 December 20X3 were not
audited and no stock take was performed by management at 31 December 20X3.

Below is a summary extract from the financial statements of Messy Limited:

| Statement of financial position | 31 December 20X4 HK$ | 31 December 20X3 HK$ (unaudited) |
|---|---|---|
| Fixed assets | 5,000 | – |
| Inventories | 150,000 | 100,000 |
| Cash at bank | 25,000 | 1,000 |
| | 180,000 | 101,000 |
| Trade payables | (300,000) | (100,000) |
| | (120,000) | 1,000 |
| Share capital | 1,000 | 1,000 |
| Retained earnings | (121,000) | – |
| | (120,000) | 1,000 |
| Statement of profit or loss | Year ended | Year ended |
| Revenue | 500,000 | – |
| Cost of goods sold | (508,000) | – |
| Gross loss | (8,000) | – |
| Selling expenses | (55,000) | – |
| Administrative expenses | (47,000) | – |
| Loss before tax | (110,000) | – |
| Tax | (11,000) | – |
| Loss after tax | (121,000) | – |

Required:

Suggest the audit procedures for Messy Limited’s opening balances as at 1 January 20X4.

QUESTION 5
Trade Co. is a privately owned retailer with sales of $12 million and a year-end trade
receivables balance of $2 million. The trade receivables sub-ledger contains 500 customer
accounts. The auditor is planning the confirmation of trade receivables and will use a sample
size of 40 accounts.

Required:

(a) Explain the use of monetary unit sampling to select customers for confirmation.

(b) List the criteria that should be used to select customers for confirmation using
non-statistical sampling.

QUESTION 6
Queensland Co. is a distributor of hardware. The company has excellent internal controls
over sales and uses an automated system for document control. Pre-numbered shipping
documents are used for every sale. Goods are shipped only upon presentation of an
authorised shipping document. After shipment, a copy of the shipping document is sent
to the accounting department, which prepares an invoice for the customer. The shipping
document number is noted on the invoice. In some instances, more than one shipping
document will be used for a single invoice. In the current year, 20,000 invoices and 25,000
shipping documents were issued.

Required:

(a) Identify an effective sampling procedure for testing whether shipments have been
billed. Identify the sampling unit for this audit procedure.

(b) Identify one other revenue control test that could be performed with the same sample.
Describe the test and its objective.

(c) Explain whether the auditor would be able to test the occurrence of sales using the
same sample.

QUESTION 7
An automobile company announced that it was closing its assembly plant. The plant covered
three hectares of commercially zoned property.

Required:

(a) Identify three classes of fair value evidence, and the nature of the audit evidence
gathered for each class.

(b) State which of the fair value classifications is applicable to the plant.

(c) Describe management’s responsibility to determine the fair value of the plant.

(d) If management has an estimate of the fair value of the plant, describe the procedures
the auditor should undertake.

ANSWERS TO EXAM PRACTICE

QUESTION 1
(a) Segregation of duties. Micro has only three staff. Such a lean reporting structure may
hinder the company in setting up a proper segregation of duties. There may be a risk
that the same person prepares the data, feeds it into the computer, supervises the
processing, and acts as end user. This leads to enhanced opportunities for fraud.

Access. ‘Easydone’ is readily available to all three staff of Micro and their access to
the system is not well controlled as they share the same user ID and password. This
may increase the opportunity and the risk of accounting records being fraudulently
altered or amended.

(b) In view of the small scale of operation and lean reporting structure of Micro, it is
unlikely that Micro has sufficient controls to reduce the risks of material errors. It is
more cost effective to use substantive procedures. Auditors may use more extensive
physical examination and confirmation of assets, more tests of transactions, larger
sample sizes, etc.

QUESTION 2
General computer controls:

• Testing of ATM hardware and software before deployment.

• Updated user manual and training of staff operating ATMs.

• Physical protection of ATMs.

• CCTV designed to capture activity of ATM machines.

• Firewall or hacker protection measures.

• Controlled cash count and replenishment procedures.

• Indemnity agreement signed by ATM customer.

• Customer access by card and password.

• Data transfers between an ATM and the main computer system are encrypted and
processed through secured communication lines.

Application controls:

• Transaction activity log.

• Computer sensor and programming to forfeit cash left idle in the cash dispenser at
expiry of waiting period.

• ATMs are linked so that a person cannot obtain the maximum cash withdrawal from
multiple machines.

QUESTION 3
(a) The auditor should ask the finance manager for the reasons for the refusal and
consider if there are valid reasons for the request and obtain evidence to support this.
The auditor should consider the integrity of the finance manager and possible reasons
for any concealment, including fraud, given the customer was a new customer who had
just started trading with the company recently, but had a significant balance of trade
receivables at year-end.

(b) Since the confirmation reply was not directly received by the audit engagement team,
the audit engagement team should consider the reliability of the confirmation reply. As
the confirmation reply was sealed, a lower risk of the confirmation being amended is
implied. To verify the reliability of the confirmation reply, the audit engagement team
should consider alternative procedures. For example, the team can contact the customer
directly to confirm that the reply originated from the customer and shows the amount
confirmed, or vouch the balance to subsequent receipts.

(c) The auditor should ask management to reconcile the difference between the
customer’s record and the client’s record and obtain evidence to support the reconciling
items identified. This is because an immaterial difference may not necessarily imply
there is no accounting error, or that similar errors do not exist.

QUESTION 4
HKSA 510 states that when the auditor conducts an initial audit engagement the objective
with respect to opening balances is to obtain sufficient appropriate audit evidence
about whether:

(a) Opening balances contain misstatements that materially affect the current period’s
financial statements;

(b) Appropriate accounting policies reflected in the opening balances have been
consistently applied in the current period’s financial statements; and

(c) If changes are made, whether these changes are appropriately accounted for and
adequately presented and disclosed in accordance with the applicable financial
reporting framework.

The suggested audit procedures for Messy Limited’s opening balances are:

Fixed assets

• Vouch the purchases of fixed assets to ensure that fixed assets were recorded in
the proper accounting period (i.e. fixed assets were purchased in the current year
but not in the prior year).

• If evidence indicates that purchase of fixed assets should have been recorded in the
prior year, consider whether the depreciation charge might have been understated
and created a consequential impact on the opening balances.

Inventories

• Observe the current physical inventory count and reconcile it back to the opening
inventory quantities.

• Perform audit procedures on the valuation of the opening inventory items.

• Perform audit procedures on gross profit and inventory cut-off (examination of
inventory transactions near balance date to ensure recording in the proper period).

Trade payables

• Trace opening trade payables balances to payments during the current period.

• Review the suppliers’ invoices and/or circularise confirmation to the key suppliers to
confirm the balances as at 1 January 20X4.

Cash at bank

• Obtain a bank statement and/or confirm the balances as at 1 January 20X4 to agree
the balance with the cash ledger.

Revenue and expenses

• Perform the sales and purchases cut-off tests as of 1 January 20X4.

• Review the collection of receivables and payment of expenses in January 20X4 (the
subsequent period) to ensure a proper cut-off had been done as of 1 January 20X4.

Statutory review

• Review of the statutory records of Messy Limited.

• Review the incorporation certificate of Messy Limited.

• Review the minutes of Messy Limited for the prior year.

• Review any material contracts to see if there was any non-disclosure of
contingencies or commitments at the prior year-end date.

QUESTION 5
(a) Monetary unit sampling is based on a sampling unit of $1. Because Trade Co.’s trade
receivable balance is $2 million, the population has 2 million sampling units. A sample
size of 40 implies a sampling interval of 2,000,000 / 40 = $50,000. A random start
between 1 and 50,000 is chosen and the sample selected by adding through the
trade receivable sub-ledger. Each time the addition reaches a multiple of 50,000, that
customer is selected for confirmation. For example, assume a random start of $24,000.
A customer is selected for confirmation at $24,000, $74,000, . . . $1,974,000.

(b) Non-statistical sampling can be based on haphazard, block, or directed selection.
A directed approach enables the auditor to focus on high risk accounts – those with
significant balances, overdue accounts, accounts with error conditions in prior years,
and overseas accounts.
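
The selection walk described in (a), as an added example that is not part of the learning pack: a Python sketch of systematic monetary unit selection using Trade Co.'s figures (500 accounts, $2 million, a sample of 40 and a random start of $24,000). The customer IDs and individual balances are constructed for illustration, and the function names are hypothetical.

```python
import random
from typing import List, Optional, Tuple

Ledger = List[Tuple[str, int]]  # (customer id, balance in whole dollars)


def sampling_interval(total: int, sample_size: int) -> int:
    """Population value divided by sample size, e.g. 2,000,000 / 40 = 50,000."""
    if sample_size < 1:
        raise ValueError("sample size must be at least 1")
    interval = total // sample_size
    if interval < 1:
        raise ValueError("population is smaller than the sample size")
    return interval


def selection_points(total: int, sample_size: int, start: int) -> List[int]:
    """Dollar positions to select: start, start + interval, and so on."""
    interval = sampling_interval(total, sample_size)
    if not 1 <= start <= interval:
        raise ValueError("random start must lie between 1 and the sampling interval")
    return [start + k * interval for k in range(sample_size)]


def mus_select(ledger: Ledger, sample_size: int,
               start: Optional[int] = None) -> List[Tuple[str, int]]:
    """Add through the sub-ledger and select the customer holding each selected dollar.

    Returns (customer id, hits) in ledger order. A balance at least as large as
    the interval is always selected and can be hit more than once; it is still
    confirmed once, so hits are counted instead of repeating the customer.
    A zero balance contains no dollars and can never be selected.
    """
    if any(balance < 0 for _, balance in ledger):
        # Negative balances break the cumulative walk, so this example rejects them.
        raise ValueError("negative balances are not supported")
    total = sum(balance for _, balance in ledger)
    if start is None:
        # Unpredictable start, so the selection cannot be anticipated.
        start = random.SystemRandom().randint(1, sampling_interval(total, sample_size))
    points = selection_points(total, sample_size, start)

    hits = {}
    cumulative = 0
    next_point = 0
    for customer, balance in ledger:
        cumulative += balance
        # Every selection point passed by this customer's balance is a hit.
        while next_point < len(points) and points[next_point] <= cumulative:
            hits[customer] = hits.get(customer, 0) + 1
            next_point += 1
    return list(hits.items())


def build_constructed_ledger() -> Ledger:
    """Constructed sub-ledger: 500 customers totalling exactly $2,000,000."""
    balances = [1000 + (i * 7919) % 3000 for i in range(499)]
    balances.append(2_000_000 - sum(balances))  # one large key account
    return [(f"CUST-{i:03d}", b) for i, b in enumerate(balances)]


if __name__ == "__main__":
    ledger = build_constructed_ledger()
    selected = mus_select(ledger, sample_size=40, start=24_000)
    print(f"{len(selected)} customers selected for confirmation")
    for customer, count in selected:
        print(customer, count)
```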

QUESTION 6
(a) This is a test for the completeness of sales. The auditor’s objective is to ensure that all
shipments are invoiced. The sampling unit is the shipping document. The auditor would
check that those items appearing on the selected shipping document appeared on
an invoice.

(b) A follow-up test, also for the completeness of sales, would involve tracing the sales
invoice identified in the test above to the sales journal. The objective would be to
determine that all invoices have been recorded in the revenue account.

(c) No. In order to verify the occurrence of sales a sample would be taken from the sales
journal and the sample items vouched to the supporting documents – the invoice
and shipping document. The direction of the test is in the opposite direction to those
described in (a) and (b) where we trace from the source documents to the accounts.

QUESTION 7
(a) The three classes of fair value evidence relate to the market:

1. An active market exists, and market transaction data are publicly available;

2. An active market does not exist but information on comparable transactions can be
sourced; and

3. No relevant market exists for the asset, and estimates must be based on cash flow
or other models.

(b) An active market is likely to exist for commercially zoned property.


(c) In estimating the fair value of the plant, management should meet the following criteria:

• Fair value is the price that would be received to sell an asset in an orderly transaction
between market participants at the measurement date. It is an exit price.

• Fair value is a current market-based measurement, not an entity-specific
measurement.

• An entity uses the assumptions that market participants would use when pricing
the asset.

• An entity’s intention regarding the asset is not relevant.

• Fair value measurement requires an entity to determine the following:

a. The best use of the asset; and

b. The market in which an orderly transaction would take place.

(d) The auditor should obtain management’s working papers that identify management’s:

• Method used in making the estimate;

• Controls over estimations;

• Use of a management’s expert;

• Assumptions underlying the estimate;

• Sources of data used; and

• Assessments of risk.

In examining management’s estimate, the auditor should consider:

• If the method used by management was appropriate;

• Whether appropriate controls were in place and operating effectively;

• The work of the management’s expert (Chapter 8, Section 8.3.4);

• The reasonableness of management’s assumptions;

• The relevance and reliability of the data; and

• The adequacy of management’s risk assessment.


7
The Audit Programme

CHAPTER TOPIC LIST

7.1 Revenue Cycle
7.1.1 Key Accounts
7.1.2 Risk
7.1.3 Assertions, Controls and Tests of Controls
7.1.4 Analytical Procedures
7.1.5 Audit Assertions and Tests of Details
7.2 Purchases Cycle
7.2.1 Key Accounts
7.2.2 Risks
7.2.3 Assertions, Controls and Tests of Controls
7.2.4 Analytical Procedures
7.2.5 Audit Assertions and Tests of Details
7.3 Payroll
7.3.1 Key Account
7.3.2 Risks
7.3.3 Assertions, Controls and Tests of Controls
7.3.4 Analytical Procedures
7.3.5 Audit Assertions and Tests of Details
7.4 Bank and Cash
7.4.1 Key accounts
7.4.2 Risk
7.4.3 Assertions, Controls and Tests of Controls
7.4.4 Analytical Procedures
7.4.5 Audit Assertions and Tests of Details
7.5 Financial Instruments
7.5.1 Key accounts
7.5.2 Risk
7.5.3 Assertions, Controls and Tests of Controls
7.5.4 Analytical Procedures for Marketable Financial Instruments
7.5.5 Audit Assertions and Tests of Details for Marketable Financial Instruments
7.6 Non-current Assets
7.6.1 Property, Plant and Equipment (PPE)
7.6.2 Goodwill and Other Intangible Assets
7.6.3 Interests in Other Entities
7.7 Liabilities and Equity
7.7.1 Debt Securities
7.7.2 Share Capital
7.7.3 Provisions and Contingencies
7.8 Segment Information

LEARNING OUTCOMES

PRINCIPAL LO1: PERFORM ASSURANCE ENGAGEMENTS


LO1.09: Prepare, plan and develop assurance engagements including the audits of financial
statements in accordance with relevant Hong Kong Standards of Quality Control,
Auditing, Assurance and Related Services, guidance and legislation with emphasis on:
Audit procedures
1.09.09 Design, in response to the assessed risk, the appropriate audit tests for:
• Tangible non-current assets
• Intangible non-current assets
• Inventory
• Receivables
• Bank and cash
• Trade payables and accruals
• Non-current liabilities
• Provisions and contingencies
• Capital and other issues
• Long-term investments
• Segment information
• Revenue
• Purchases
• Wages and salaries
• Financial instruments, e.g. derivative or forward contracts
• Treasury (e.g. bank loan/facility)


OPENING CASE

G&E MUSIC (GEM)

The GEM case introduced in Chapter 6 will be used in Chapter 7 to illustrate audit
procedures.

Recall that GEM has two distribution channels, 300 retail stores and an online store.

GEM holds significant market share in many of its product categories, which include:

• Consumer electronics including televisions, audio equipment, computers and
telecommunications products;

• Housewares including furniture, cooking products, heating and cooling products and
small appliances; and

• Software including CDs, DVDs and games.

Exhibit 7.1 shows GEM’s 20X1 (audited) and 20X2 (current) statement of profit and loss and
statement of financial position. This information will be used to provide illustrative examples of
analytical procedures in the following sections.


GEM Statement of profit and loss

| | 20X2 HK$M | 20X1 HK$M |
|---|---|---|
| Revenue | 3950 | 3650 |
| Cost of Goods Sold | 3090 | 2850 |
| Gross Profit | 860 | 800 |
| Sales and Marketing | 405 | 375 |
| Occupancy | 175 | 160 |
| Administration | 25 | 25 |
| Finance | 4 | 6 |
| Profit Before Tax | 251 | 234 |
| Tax | 65 | 60 |
| Net Profit | 186 | 174 |

GEM Statement of financial position

| | 20X2 HK$M | 20X1 HK$M |
|---|---|---|
| Current Assets | | |
| Cash | 52 | 50 |
| Trade Receivables | 100 | 80 |
| Inventory | 550 | 480 |
| Non-Current Assets | | |
| Property, Plant and Equipment | 185 | 175 |
| Intangibles | 85 | 85 |
| Total Assets | 972 | 870 |
| Current Liabilities | | |
| A/P | 385 | 325 |
| Provisions | 45 | 40 |
| Non-Current Liabilities | | |
| Borrowings | 110 | 140 |
| Total Liabilities | 540 | 505 |
| Net Assets | 432 | 365 |
| Equity | | |
| Share Capital | 50 | 55 |
| Reserves | 57 | 40 |
| Retained Earnings | 325 | 270 |
| Total Equity | 432 | 365 |

EXHIBIT 7.1 GEM 20X2 Financial statements


OVERVIEW

The audit programme is fundamental to an audit engagement. An audit programme:

• Identifies the audit procedures to be performed to respond to the assessed risks of
material misstatements in the audit plan.

• Organises and distributes audit work to the audit team.

• Monitors the progress of the audit.

• Records audit work performed and audit evidence gathered.

• Reviews the completeness and persuasiveness of audit evidence.

Chapter 7 is focused on the first of these aspects of the audit programme, the audit
procedures. Procedures that might be used to collect evidence for the audit of the financial
statements of an electronics retailer are identified in this chapter.

Audit procedures are designed to suit the client entity – the entity’s nature, its control
system and the auditor’s risk assessment. Entities are extraordinarily diverse, and audit
programmes reflect this diversity.

Controls and tests of controls described in this chapter are commonly used, but great
variety exists in the design and structure of internal control systems, and controls and control
tests noted here will not be encountered in all audits. Similarly, many evidence-gathering
strategies are available to the auditor, and those substantive procedures noted below may not
be included in every audit programme.

As noted in Chapter 5 Section 5.5.2, the auditor’s control risk assessment determines the
audit strategy. Where control risk is high, a mainly substantive approach is adopted, and when
control risk is low or medium, a combined strategy will be adopted. The audit programme
illustrated in this chapter assumes the adoption of a combined strategy. Two types of audit
procedures are required when a combined audit strategy is adopted, tests of controls and
substantive tests. Tests of controls provide the auditor with evidence about the level of
control risk and substantive procedures provide evidence about the inherent risk of material
misstatements in the financial statements.

Audit programmes often reflect the client entity’s transaction cycles. This approach can
enhance audit efficiency because the accounts in a transaction cycle use the same set of
supporting documents and personnel. For example, the revenue transaction cycle incorporates
the following documents: sales orders, shipping documents, invoices, bank deposits and credit
notes; and these personnel: customer, sales manager, credit manager, warehouse manager
and the trade receivables clerk.


In addition, standard audit procedures like customer confirmations (see Section 6.4.3 of
Chapter 6) provide evidence regarding assertions for multiple accounts in the cycle (e.g. the
existence of trade receivables and the occurrence of sales) and for both control tests and
substantive procedures.

While the transaction cycle audit programmes that follow are not uncommon, other
transaction cycles might be relevant depending on the nature of the client entity and the
auditor’s standard approach.

Students should note that Sections 7.2 through 7.7 of this chapter adopt, as far as is
possible, the same structure and approach as that introduced in Section 7.1. The sections differ
mainly in terms of the transaction cycle, or the group of accounts, addressed.

7.1 REVENUE CYCLE

This section is based on information provided in sections 6.2 and 6.4 of Chapter 6. Section 6.2
discussed tests of controls and Section 6.4 discussed substantive tests. Throughout the two
sections, explanations were illustrated by reference to the revenue cycle. The present section
now draws together the content of the two parts of Chapter 6 to illustrate a coherent and
focussed audit programme for the revenue cycle.

The audit programme illustrated here has five parts:

1. The accounts that comprise the cycle and a brief description of the cycle,
2. Key risks affecting the accounts and assertions,

3. Controls and control tests relevant to the accounts and assertions,

4. Commonly used analytical procedures, and

5. Tests of details relevant to the accounts and assertions.

The first two of the five parts listed above are not normally included in an audit programme
but would be documented in the risk analysis section of the permanent and current
engagement files. The information is included here to provide background about the accounts,
accounting activities and risks relevant to the transaction cycle so that students have some
context for understanding the procedures that follow.

Please note that any reference to documents applies equally to physical or
electronic media.

7.1.1 Key Accounts


Key accounts include:

• Sales,

• Trade receivables (A/R), and

• Cash.


Other accounts include:

• Sales returns and allowances,

• The allowance for doubtful debts,

• Bad debts expense,

• Warranty expense,

• Warranty liability and

• Sales commissions expense.

The revenue cycle has five steps:

1. The cycle begins with the receipt of a purchase order from an authorised customer and
the completion of a sales order by a salesperson. The sales orders should:

• Be pre-numbered,

• Provide for evidence of authorisation of the sale and credit approval,

• Describe the item, price and shipping terms, and

• Provide an authorised billing address.

2. Sales approval verifies that:

a. The customer exists, and is approved,

b. The sale does not exceed the customer’s credit limit, and

c. The selling prices agree with an approved price list.

3. A shipping document listing the items to be shipped and showing the customer
identification is prepared from the approved sales order and forwarded to the
warehouse. After packing, a packing list is forwarded to billing.

4. Invoices are prepared when notification is received that goods are shipped. Invoice
items, quantities and prices are agreed to the sales order and shipping document. An
accounting entry to revenue/trade receivables is completed at this point.

5. Receiving cash is the final step of the revenue cycle. The cash receipt relieves the trade
receivables account. Section 7.4 of this chapter discusses the audit of cash.

7.1.2 Risk
Sales revenue and the associated trade receivables and cash accounts are susceptible to fraud
and misappropriation of assets. Such frauds are common. While understatement error may
occur in sales, trade receivables and cash, fraudulent overstatement is a critical audit risk.
There are several ways that these accounts may be misstated. Exhibit 7.2 identifies some of
these, explains the motivation for the fraud or misappropriation of assets and identifies the
assertion at risk of misstatement.


| Risk | Reason for fraud/theft | Assertions at risk |
|---|---|---|
| Recording non-existent (fraudulent) sales | Overstatement of sales/profit/net assets | Existence of A/R; occurrence of sales |
| Early recognition of sales (e.g. before the shipment of goods, when goods are on consignment, or when bill and hold arrangements are in place) | Overstatement of sales/profit/net assets | Cut-off of sales, existence of A/R, occurrence of sales |
| Failing to record sales | Theft of sales revenue (cash or cheques) | Completeness of A/R and sales |
| Recording sales below (or above) authorised prices | Theft of revenue or receiving kickbacks from customers | Valuation and allocation of A/R; accuracy of sales |
| Other inappropriate revenue recognition (e.g. when the customer has the right of return) | Overstatement of sales/profit/net assets | Rights and obligation of A/R; occurrence of sales |
| Manipulation of accounting adjustments/estimates (e.g. understatement of the sales returns and allowances account leads to an overstatement of sales) | Overstatement of sales/profit/net assets | Valuation of A/R; accuracy of sales |

EXHIBIT 7.2 Inherent risk in the revenue cycle

7.1.3 Assertions, Controls and Tests of Controls


In Exhibit 7.3, unless otherwise stated, it is assumed that audit tests should be applied to
samples, as discussed in Chapter 6 Section 6.3. Increasingly, however, computerised audit
procedures may enable efficient testing of an entire population.

Sales – key risk is overstatement (occurrence and accuracy)

| Assertion | Control | Test |
|---|---|---|
| Occurrence | Invoices are prepared and recorded after evidence of shipment of goods. | Test IT system check of appropriate sequence of invoice and shipping dates using test data (inappropriate dates). |
| | Goods shipped are agreed to customer sales orders. | Examine sales orders for evidence of approval and note dates to ensure that invoicing followed shipping. |
| | Sales are made to approved customers. | Agree customers to approved customer list. Review approval process. |
| Accuracy | Sales prices are taken from an approved price list. | Obtain approved price list. Review approval process. |
| | Reconciliation of sales journal. | Inquire about reconciliation. |
| Completeness | Pre-numbered invoices and shipping documents. | Review sales journal for missing invoice numbers. Review shipping documents to ensure each shipment has been invoiced. |
| Cut-off | Revenue recognition policies are properly established and followed. | Review policy and examine sales transactions to test compliance. |

EXHIBIT 7.3 Assertions, controls and tests of controls in the revenue cycle


Trade receivables – key risk is overstatement (existence and valuation)

| Assertion | Control | Test |
|---|---|---|
| Existence | Sales are made to approved customers. | Review approval process. Send a confirmation letter to customers in the A/R sub-ledger to verify the existence of the customer. |
| Accuracy, valuation and allocation | Sales to customers do not exceed their approved credit limit. | Observe customer credit limits. |
| | Sales prices are taken from an approved price list. | Observe the approved price list. |
| | New customer approval. | Inquire about the customer approval process. |
| | Overdue accounts are referred to the credit manager. | Inquire about credit policy and role of credit manager. |
| Completeness | Pre-numbered invoices and shipping documents. | Trace invoices to the general ledger checking that all invoice numbers appear. Send a confirmation letter to customers in the A/R sub-ledger. Include significant customers from the prior year who do not appear in the current sub-ledger. |
| Rights and obligations | Pre-numbered sales orders. | Select shipments and review shipping documents to ensure they were sent to customers who submitted a sales order. |

EXHIBIT 7.3 (Continued)

7.1.4 Analytical Procedures


Analytical procedures are not required at the evidence gathering stage of the audit but are
commonly used. Well-designed analytical procedures are powerful indicators of material
misstatement and are relatively efficient. Because analytical procedures are based on
comparisons of account balances, financial ratios and other information derived from the
financial statements with the ‘auditor’s expectations’, these tests are not exact measures,
but indicators. When an auditor finds that an analytical procedure indicates the existence
of error, this must be followed up by tests of detail to quantify the error. When auditors use
effective analytical procedures, the number and/or quality of substantive tests of detail may
be reduced.

Illustrative Example 1
The table below shows simple comparisons between the current and past (audited)
financial statements for GEM’s revenue cycle accounts. As can be seen, all revenue and
profit accounts are very similar in their growth. Only Trade receivables growth is above
expectations. Inquiries of management are necessary. Perhaps new credit policies have
been implemented.


The table below also shows comparisons of financial ratios. The ratios show a
conservative pattern consistent with the account comparisons. As noted above, the decline
in the A/R turnover requires investigation.

GEM Revenue cycle analytical review

GEM Account comparisons

| Account | 20X2 | 20X1 | Growth % |
|---|---|---|---|
| Revenue | 3950 | 3650 | 8.2 |
| Cost of sales | 3090 | 2850 | 8.4 |
| Gross profit | 860 | 800 | 7.5 |
| Sales and market expense | 405 | 375 | 8 |
| Net profit | 186 | 174 | 6.9 |
| Receivables | 100 | 80 | 25 |
| Stores | 200 | 190 | 5 |

GEM Ratio comparisons

| Ratio | 20X2 % | 20X1 % | Growth % |
|---|---|---|---|
| Gross profit margin | 21.7 | 21.9 | –1 |
| A/R TO* | 39.5 | 45.6 | –6.1 |
| Return on sales ROS | 4.7 | 4.8 | –2 |
| Revenue/store | HK$19.75M | HK$19.2M | 2.8 |
| Gross profit/store | HK$4.3M | HK$4.2M | 2.4 |

* Calculated as sales/A/R due to lack of 20X0 data.

Multi-period comparisons: As GEM has grown substantially over the years, both in
terms of number of stores and average sales revenue per store, a multi-year trend analysis
would be useful in establishing expectations. Other independent variables like the strength
of the local economy or disposable incomes might also be used to establish expectations.

Comparisons of accounts: See the table above. All comparisons are simple
comparisons of current data with the prior year’s audited figures. Operating items
including revenue (+8.2%), revenue per store (+2.8%), gross profit (+7.5%), gross profit per
store (+2.4%) and net profit (+6.9%) are all consistent with each other, and with increases
in key drivers of profitability, which include the number of stores (+5%) and sales and
marketing expenses (+8%).

One item of note is receivables. The increase of 25% is inconsistent with the
profit-related measures, though it should be noted that in the retail industry, most
customers do not use GEM’s credit facility and receivables are relatively low compared
to sales. In any case, inquiries should be made of management as to why the receivables
increase is inconsistent with other data. Overstatement is a possibility. The receivables TO
ratio reflects this anomaly.

Other comparisons: Regression analysis (linear regression) of the relationship
between sales and store area would identify stores with unusual sales results for further
investigation. Regressions are often carried out on monthly data. Months that do not
conform to the regression line (outliers) are indicative of error conditions, which can be
followed up through tests of detail.
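The regression of sales on store area described above can be sketched as follows. This is an added example, not part of the learning pack; the store identifiers, areas, sales figures and the threshold of two standard errors are constructed assumptions.

```python
from math import sqrt

# Constructed sample (not GEM data): store id, floor area in square metres,
# annual sales in HK$M.
STORES = [
    ("S01", 500, 10.0), ("S02", 600, 12.0), ("S03", 700, 14.0),
    ("S04", 800, 16.0), ("S05", 900, 27.0), ("S06", 1000, 20.0),
    ("S07", 1100, 22.0), ("S08", 1200, 24.0), ("S09", 1300, 26.0),
    ("S10", 1400, 28.0),
]


def fit_line(xs, ys):
    """Ordinary least squares fit of y = intercept + slope * x."""
    n = len(xs)
    mean_x = sum(xs) / n
    mean_y = sum(ys) / n
    sxx = sum((x - mean_x) ** 2 for x in xs)
    sxy = sum((x - mean_x) * (y - mean_y) for x, y in zip(xs, ys))
    slope = sxy / sxx
    return slope, mean_y - slope * mean_x


def standardised_residuals(stores):
    """Residual of each store divided by the residual standard error."""
    xs = [area for _, area, _ in stores]
    ys = [sales for _, _, sales in stores]
    slope, intercept = fit_line(xs, ys)
    residuals = [y - (intercept + slope * x) for x, y in zip(xs, ys)]
    # Residual standard error with n - 2 degrees of freedom.
    std_err = sqrt(sum(r * r for r in residuals) / (len(stores) - 2))
    if std_err == 0:  # perfect fit: nothing deviates from the line
        return {sid: 0.0 for sid, _, _ in stores}
    return {sid: r / std_err for (sid, _, _), r in zip(stores, residuals)}


def flag_outliers(stores, threshold=2.0):
    """Stores whose sales deviate from the auditor's expectation (the
    regression line) by more than `threshold` standard errors."""
    scores = standardised_residuals(stores)
    return sorted(sid for sid, z in scores.items() if abs(z) > threshold)


if __name__ == "__main__":
    for sid in flag_outliers(STORES):
        print(sid, "requires follow-up through tests of detail")
```

A flagged store is an indicator only; the difference still has to be quantified through tests of detail.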


7.1.5 Audit Assertions and Tests of Details


In Exhibit 7.4, unless otherwise stated, it is assumed that audit tests should be applied to
samples. In some instances, computerised audit procedures may enable efficient testing of an
entire population.

| Assertion | Substantive test of detail |
|---|---|
| Existence of A/R; occurrence of sales | Confirm* trade receivables balances or outstanding invoices with customers by sending confirmations. |
| | Examine subsequent cash receipts. |
| | Vouch sales invoices to sales orders and shipping documents. |
| | Check for duplicate entries in the sales journal. |
| Valuation of A/R; accuracy of sales | Verify arithmetical accuracy of sales invoices. |
| | Vouch sales invoices and match the prices to the authorised price list. |
| | Confirm trade receivables balances with customers by sending confirmations. |
| | Trace sales invoices to the sales journal. |
| | Cast the sales journal and the trade receivables sub-ledger; reconcile both to the general ledger accounts. |
| | Review the aging of trade receivables and the adequacy of the allowance. |
| Completeness of Sales | Trace shipping documents to sales invoices and sales journal. |
| | Check for missing invoices in the sales journal. |
| Rights and obligations regarding trade receivables | Identify related party transactions and review terms. |
| | Review sales terms and contracts to ensure revenue recognition criteria are properly applied and are consistent with the accounting standards. |
| Cut-off of sales and trade receivables | Check year-end sales cut-off (sales should be invoiced on or after the shipment date – review shipping documents). |
| Classification and presentation | Review revenue recognition criteria. |
| | Review correct classification – current or long-term, for trade receivables. |

*Note. See Chapter 6 Section 6.4.3 for a discussion of confirmations.

EXHIBIT 7.4 Tests of details in the Revenue cycle
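Several tests in Exhibits 7.3 and 7.4 (missing invoice numbers, duplicate entries, invoicing before shipment, prices against the approved price list, sales to approved customers) can be run over an entire sales journal rather than a sample. The following is an added example, not part of the learning pack; the field names, customer codes, prices and dates are constructed assumptions.

```python
from collections import Counter
from datetime import date

# Constructed sample data for illustration (not GEM's records).
APPROVED_CUSTOMERS = {"C001", "C002", "C003"}
APPROVED_PRICES = {"TV-55": 4200.00, "SPK-10": 650.00, "GAME-01": 380.00}


def _line(invoice, customer, item, qty, unit_price, invoiced, shipped):
    return {"invoice": invoice, "customer": customer, "item": item, "qty": qty,
            "unit_price": unit_price, "invoiced": invoiced, "shipped": shipped}


SALES_JOURNAL = [
    _line(1001, "C001", "TV-55", 2, 4200.00, date(2023, 12, 20), date(2023, 12, 19)),
    _line(1002, "C002", "SPK-10", 5, 650.00, date(2023, 12, 21), date(2023, 12, 21)),
    # 1003 is absent from the journal (completeness).
    _line(1004, "C003", "GAME-01", 10, 350.00, date(2023, 12, 22), date(2023, 12, 22)),
    _line(1005, "C009", "TV-55", 1, 4200.00, date(2023, 12, 27), date(2023, 12, 27)),
    _line(1006, "C001", "TV-55", 3, 4200.00, date(2023, 12, 30), date(2024, 1, 3)),
    _line(1007, "C002", "SPK-10", 4, 650.00, date(2023, 12, 31), None),
    _line(1007, "C002", "SPK-10", 4, 650.00, date(2023, 12, 31), None),
]


def missing_invoice_numbers(journal):
    """Completeness: gaps in the pre-numbered invoice sequence."""
    numbers = {row["invoice"] for row in journal}
    return [n for n in range(min(numbers), max(numbers) + 1) if n not in numbers]


def duplicate_entries(journal):
    """Occurrence: invoice numbers recorded more than once."""
    counts = Counter(row["invoice"] for row in journal)
    return sorted(n for n, c in counts.items() if c > 1)


def invoiced_before_shipment(journal):
    """Occurrence/cut-off: no shipping document, or invoice dated before shipment."""
    return sorted({row["invoice"] for row in journal
                   if row["shipped"] is None or row["invoiced"] < row["shipped"]})


def price_exceptions(journal, price_list):
    """Accuracy: unit price differs from (or item is absent from) the approved list."""
    flagged = set()
    for row in journal:
        approved = price_list.get(row["item"])
        if approved is None or abs(row["unit_price"] - approved) > 0.005:
            flagged.add(row["invoice"])
    return sorted(flagged)


def unapproved_customers(journal, approved):
    """Existence: sales to customers not on the approved customer list."""
    return sorted({row["invoice"] for row in journal
                   if row["customer"] not in approved})


def run_population_tests(journal, price_list, approved):
    return {
        "missing": missing_invoice_numbers(journal),
        "duplicates": duplicate_entries(journal),
        "invoiced_before_shipment": invoiced_before_shipment(journal),
        "price_exceptions": price_exceptions(journal, price_list),
        "unapproved_customers": unapproved_customers(journal, approved),
    }


if __name__ == "__main__":
    results = run_population_tests(SALES_JOURNAL, APPROVED_PRICES, APPROVED_CUSTOMERS)
    for test, invoices in results.items():
        print(f"{test}: {invoices}")
```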

7.2 PURCHASES CYCLE

7.2.1 Key Accounts


Key accounts include:

• Inventory,

• Cost of goods sold,

• Trade payables, and

• Expenses.


Other accounts include:

• Purchase discounts;

• Purchase returns;

• Purchase allowances;

• Lower of cost and net realisable value provision; and

• Obsolescence provision.

7.2.1.1 Inventory
The diversity of items, volume of activity, risk of obsolescence, frequency of purchase returns
and allowances, and the existence of multiple valuation methods all contribute to the
complexity of accounting for inventory. Additionally, many types of inventory are easily stolen.
For example, GEM is an electronics retailer where inventory theft is a high-level inherent risk.

Inventory may be held at numerous locations including stores, warehouses and increasingly
at retailers’ premises. Difficulties may arise in accounting for inventory in-transit between
locations and in determining ownership rights where inventory is held on consignment or is
subject to repurchase agreements.

Specialised inventories like gems or oil reserves may require the assistance of an expert to
measure quantities or to value the stock.

A perpetual inventory system is an important control as it provides information about
current stock levels, items that require re-ordering, and slow moving and obsolete products.
Control of the perpetual inventory system is achieved through test counts and concurrent
inspection of goods.

Many manufacturers use standard costing systems to value their inventory. The audit of
the raw materials, work-in-process and finished goods inventory accounts of a manufacturing
business is complex. Issues include the accuracy of standard costs, disposition of standard cost
variances and accounting for joint products, by-products, scrap and wastage. Internal inventory
transfer requisitions are an important control.

7.2.1.2 The Purchases Cycle


The purchases cycle is involved in the purchase of inventory and a broad range of expense
items. The traditional approach to purchasing follows these six main steps:

1. A purchase requisition is completed and forwarded to the purchasing department
by user departments. The purchasing department should not be permitted to make
requisitions. User’s budgetary allocations provide approval for purchases.

2. The purchasing department is responsible for identification and approval of vendors
(suppliers). The purchasing department negotiates the price and other terms, and
completes a pre-numbered purchase order (PO), which is submitted to the vendor,
to the accounting department, to the user/initiating department and to the ordering
department. Procedures should be in place to obtain the best price through competitive
tendering.

In some organisations, purchase orders are automatically generated when stock
levels reach an ‘economic order quantity’ or EOQ.


3. The supplier ships the goods and a (pre-numbered) goods received report is generated
when the goods arrive at the client’s warehouse or store. Warehouse/receiving staff
should agree the shipment with the PO.

4. The goods received report, PO and the vendor’s invoice are forwarded to the
accounting department who record the purchase (inventory or expense) and trade
payables. Many organisations employ a voucher system. A voucher is a (pre-numbered)
file established for each invoice received. The voucher contains the invoice, receiving
report and PO. Only completed vouchers should be posted to A/P.

5. The account is paid by credit card, cheque or electronic transfer according to the
purchase terms.

6. A key document for the auditor in the purchases cycle is the supplier statement, which
provides an independent monthly report on transactions and balances. Reconciliation
of the accounts payable balance with supplier statements is a key control.
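The voucher check in step 4 (invoice, receiving report and PO agreed before posting to A/P) can be expressed as a three-way match. This is an added example, not part of the learning pack; the vendor codes, document numbers, quantities, prices and exception wording are constructed assumptions.

```python
# Constructed sample data for illustration (not GEM's records).
APPROVED_VENDORS = {"V100", "V200"}

PURCHASE_ORDERS = {  # PO number -> terms agreed by the purchasing department
    5001: {"vendor": "V100", "qty": 10, "unit_price": 3000.00},
    5002: {"vendor": "V200", "qty": 20, "unit_price": 400.00},
    5003: {"vendor": "V100", "qty": 50, "unit_price": 200.00},
    5005: {"vendor": "V200", "qty": 5, "unit_price": 3000.00},
}

GOODS_RECEIVED = [  # (goods received report number, PO number, quantity received)
    (9001, 5001, 10),
    (9002, 5002, 15),
    (9003, 5003, 50),
]

INVOICES = [
    {"invoice": "INV-A", "vendor": "V100", "po": 5001, "qty": 10, "unit_price": 3000.00},
    {"invoice": "INV-B", "vendor": "V200", "po": 5002, "qty": 20, "unit_price": 400.00},
    {"invoice": "INV-C", "vendor": "V100", "po": 5003, "qty": 50, "unit_price": 230.00},
    {"invoice": "INV-D", "vendor": "V999", "po": 5004, "qty": 5, "unit_price": 1000.00},
    {"invoice": "INV-E", "vendor": "V200", "po": 5005, "qty": 5, "unit_price": 3000.00},
]


def received_by_po(goods_received):
    """Total quantity received per PO (a PO may have several receiving reports)."""
    totals = {}
    for _grn, po, qty in goods_received:
        totals[po] = totals.get(po, 0) + qty
    return totals


def match_voucher(invoice, purchase_orders, received, approved_vendors):
    """Return the exceptions that prevent this voucher being posted to A/P."""
    exceptions = []
    if invoice["vendor"] not in approved_vendors:
        exceptions.append("vendor not approved")

    po = purchase_orders.get(invoice["po"])
    if po is None:
        exceptions.append("no purchase order")
    else:
        if po["vendor"] != invoice["vendor"]:
            exceptions.append("vendor differs from purchase order")
        if abs(po["unit_price"] - invoice["unit_price"]) > 0.005:
            exceptions.append("price differs from purchase order")

    qty_received = received.get(invoice["po"], 0)
    if qty_received == 0:
        exceptions.append("no goods received report")
    elif invoice["qty"] > qty_received:
        exceptions.append("quantity invoiced exceeds quantity received")
    return exceptions


def match_all(invoices, purchase_orders, goods_received, approved_vendors):
    received = received_by_po(goods_received)
    return {inv["invoice"]: match_voucher(inv, purchase_orders, received,
                                          approved_vendors)
            for inv in invoices}


def vouchers_ready_to_post(invoices, purchase_orders, goods_received,
                           approved_vendors):
    """Only complete, fully matched vouchers should be posted to A/P."""
    results = match_all(invoices, purchase_orders, goods_received, approved_vendors)
    return [number for number, exceptions in results.items() if not exceptions]


if __name__ == "__main__":
    for number, exceptions in match_all(INVOICES, PURCHASE_ORDERS,
                                        GOODS_RECEIVED, APPROVED_VENDORS).items():
        print(number, exceptions or "matched")
```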

7.2.1.3 The modern purchasing system


Used by many large organisations, this is part of an automated ‘supply chain management’
process. It is quite different from the traditional purchasing system. Here, repetitive purchases
of raw materials and components for manufacturing businesses, or of stock for retail
businesses, are governed by long-term supply contracts with preferred vendors.

Such systems permit the negotiation of favourable prices and other terms without risk
of interruption to delivery. Deliveries are based on production schedules or on suppliers
delivering quantities of goods based on turnover statistics provided by the purchaser. Suppliers
are paid on the basis of production, or on the basis of recorded sales at the retailer, rather
than for the quantity of goods actually delivered. This approach to purchases management
eliminates the need to account for deliveries.

In some instances, the supplier may be responsible for shelf stocking at the retailer’s
premises, effectively operating their own store within the retailer’s premises. Title to the
goods on the shelves at the retailer will not pass to the retailer until the goods are purchased
by a customer at the checkout. In effect, the retailer will never have rights to the goods and
ownership will pass from the supplier directly to the customer. In this situation, identification
and verification of inventories on consignment is an important audit issue. Very little of the
stock in a retail store may actually belong to the retailer (rights).

Suppliers will typically have monitoring controls for examination of stock at retailer
locations. In the absence of strong supplier controls, the auditor should confirm inventories
with the retailer or examine subsequent payments from retailers.

It is important that the auditor examines the contract between the supplier and retailer to
determine obligations to take delivery of merchandise or any buy-back obligations. Any unusual
circumstances regarding sales or purchases might require additional disclosure.

7.2.2 Risks
7.2.2.1 Materiality
Inventories are often the largest item in the statement of financial position and the cost of
goods sold the second largest item in the statement of profit or loss.


7.2.2.2 Misappropriation of Assets


Some inventory items are portable and can be sold online. Such items are often stolen by both
customers and employees. Large-scale thefts or thefts of large items by employees or others
are common.

Employees may make purchases from fictitious vendors (with payments flowing to
themselves) or collude with vendors to pay inflated prices and receive kickbacks.

Management and employees may pay for personal expenses (e.g. travel and entertainment)
with company funds.

Payments may be made to senior managers in the form of loans that are subsequently
forfeited.

7.2.2.3 Recognition
A key issue in the purchases cycle is appropriate recognition of the transaction – the point at
which the control of the inventory passes to the purchaser, along with the obligation to pay for
that purchase or the point at which the cost of goods sold is recognised for a sale.

7.2.2.4 Fraud
Inventory overstatement, with a matching cost of goods sold understatement, is a common
management fraud designed to overstate assets and profits. This may be achieved by:

• Where standard costing systems are employed, inventory valuations may be affected by
inaccurate overhead allocations or inappropriate adjustments for manufacturing cost
and efficiency variances.

• Another common fraud is the misclassification of expense items as inventory.

• Mislabeled or empty boxes (or even shipping containers) masquerading as
inventory – auditors should look inside the box!

The most common financial statement frauds are overstatement of assets and revenues,
and understatement of liabilities and expenses. Accordingly, the assertions most at risk in the
purchases cycle are the existence of inventory and the completeness of accounts payable,
cost of goods sold and other expenses. (Reminder: vouching tests existence and tracing tests
completeness.)

Fraud indicators include:

• Inventory growing faster than sales.

• Gross margin above the industry average.

• Expenses above or below industry norms.

• Expense accounts with credit entries.

Fraudulent purchases are common, often involving collusion with suppliers.

7.2.2.5 Inventory Valuation Errors


Obsolescence is common, especially with short life-cycle products. The application of the ‘lower
of cost and net realisable value’ rule is subject to error. Indicators that a write-down is required
include a fall in selling prices, slow moving stock or obvious physical deterioration.


Different inventory valuation methods are used and may be misapplied (e.g. FIFO, weighted
average and/or standard costing). Standard costing systems commonly used in manufacturing
organisations are highly complex and subject to error, often because they are not updated in a
timely manner for changes to products or manufacturing processes.

Exhibit 7.5 below summarises the risks identified above, the perpetrator’s motivation and
the financial statement assertion(s) at risk of misstatement.

| Risk | Reason for fraud/theft | Assertions at risk |
|---|---|---|
| Recording non-existent (fraudulent) purchases | Payments to employees masquerading as suppliers | Existence of inventory and trade payables |
| Late recognition of purchases (e.g. after the sale of the goods) | Overstatement of sales/profit/net assets | Occurrence of purchases; Completeness of trade payables and inventory |
| Failing to record purchases | Theft of inventory | Completeness of inventory and trade payables |
| Recording purchases above authorised prices | Receiving kickbacks from suppliers | Valuation of inventory and trade payables |
| Failing to record, or understating, the cost of goods sold; Recording expenses as inventory or other assets | Overstatement of profit/net assets | Existence of inventory; Completeness of cost of goods sold or expense accounts |
| Failing to record obsolete inventory or mark inventory items down to net realisable value | Overstatement of profit/net assets | Valuation of inventory; accuracy of cost of goods sold |
| Inaccurate standard costing systems or inaccurate application of FIFO or weighted average valuations | Misstatement of inventory | Valuation of inventory; accuracy of cost of goods sold |

EXHIBIT 7.5 Risk in the purchases cycle

7.2.3 Assertions, Controls and Tests of Controls


A useful control over purchasing is the supplier’s statement. Most suppliers submit monthly
statements and these can be used by the auditor to verify the existence and completeness of
trade payables. Segregation of the requisition, purchasing, recording and custody functions is
also an important control.

Where manufacturers use standard costing systems, costs of work-in-process and finished
goods inventories are based on engineering specifications. Auditors need to test controls
designed to ensure that the engineering specifications reflect the realities of the manufacturing
environment and that changes to specifications are approved. Where the standard cost system
generates large variances, controls over standard costs may be inadequate.

Exhibit 7.6 below identifies common controls in the purchases cycle and some of the ways
that the auditor might test those controls.


Inventory – key risk is overstatement (existence and valuation)

| Assertion | Control | Test of control |
|---|---|---|
| Existence | Inventory count – cycle count of perpetual records or a full inventory count at year end or other time (see Section 7.2.5.1) | Review count procedures and attend stock count (see Section 7.2.5.1) |
| | Segregation of purchase requisition, approval, ordering, receiving, recording and custody of the inventory | Inquire about appropriate segregation of duties |
| | Authorised supplier database | Test purchase orders to authorised supplier listing |
| | Computer generated purchase orders | Inquire about review by purchasing department |
| | Matching of invoice, purchase order and receiving report before recording inventory (existence of a voucher system) | Test vouchers for completeness to ensure only goods received are recorded |
| Valuation | Procedures for identification of obsolete or slow-moving inventory – at count | Review procedures and observe application of these procedures |
| | An aging of inventory items | Test inventory aging and review procedures for the identification of obsolete items |
| | Voucher system as described above | Compare subsequent period sales price with recorded cost |
| | For manufacturers, the engineering specifications that determine the cost of products should be subject to timely review for relevance and accuracy and be subject to approval | Inquire about regular update of the specifications and the approval process |
| Completeness | Pre-numbered receiving reports, inventory transfer requisitions, purchase orders and vouchers | Sequence check of receiving reports, purchase orders and vouchers |
| | Reconciliation of inventory sub-ledger(s) with general ledger | Review evidence of reconciliation |
| Rights | Standard purchase terms; long-term supply contracts | Review purchasing policy and examine transactions or contracts to test compliance |

Accounts payable – key risk is understatement (completeness)

| Assertion | Control | Test |
| --- | --- | --- |
| Existence | Purchases are made from approved suppliers | Review approval process and test transactions for approved supplier |
| | Segregation of ordering, recording, payment and custody of the asset | Review segregation policy and duties |
| | The use of competitive tenders | Review purchasing policy |
| Valuation | Price is negotiated or based on long-term contracts | Review negotiation or competitive bidding process and test transactions for compliance and approval. Review terms of long-term purchase contracts |

EXHIBIT 7.6 Assertions, controls and tests of controls in the purchases cycle


Accounts payable – key risk is understatement (completeness)

| Assertion | Control | Test |
| --- | --- | --- |
| Completeness | Pre-numbered receiving reports | Sequence check of receiving reports |
| | Reconcile A/P balances to supplier statements | Observe reconciliation of supplier statements to A/P sub-ledger |
| Obligations | Authorisation of purchases | Agree supplier invoices to purchase orders and approved purchase requisitions |

Cost of goods sold – key risk is understatement (completeness)

Controls over purchases were described earlier – segregation, budgetary approval, competitive
tendering, voucher systems, etc. All of these controls are relevant to the cost of goods sold account.
Additionally, where the opening and closing balances of inventory are verified by the auditor, and the
purchase transactions are properly controlled and tested, then the balance of the cost of goods sold
can be directly calculated. Unexpected variations can be assessed through analytical procedures, as
explained in the following section.

In manufacturing organisations, appropriate disposition of material variances should be verified.

Expenses – key risk is understatement (completeness)

Operating expense and other expense items are acquired through the purchases cycle. Controls over
purchases were described earlier – segregation, budgetary approval, competitive tendering, voucher
systems, etc.

Many operating expenses are highly predictable and analytical procedures comparing these expenses
with budgets and with prior periods provide reliable audit evidence. These analytical procedures are
described in the following section.

Some expense categories are less predictable and are high risk. Examples include travel and
entertainment expenses, marketing expenses and research and development expenses. These
expenses may change significantly from year to year depending on the priorities of management and
available resources. The audit approach required here is like that required for management estimates.
Important controls include documentation, approvals and company guidelines on appropriate
expenditure. All of these controls should be tested.

In addition, the auditor should examine all credits to expense accounts. Where material, these entries
should be investigated for theft and fraud.

In manufacturing organisations, many expenses are classified as manufacturing overheads and
allocated to work in process or finished goods inventories per engineering specifications. Where
material, the appropriate classification of overheads and other expenses should be reviewed, and the
reasonableness of the overhead allocation to products should be tested.

EXHIBIT 7.6 (Continued)

7.2.4 Analytical Procedures


Analytical procedures are particularly useful for the cost of goods sold because of the
predictable relationship between the cost of goods sold and sales. The same applies to many
other expense accounts.

Simple comparisons:

• All the accounts in the purchases cycle are compared in dollar and percentage terms
with prior years’ audited balances, with industry norms and with the current budget.

• A common-size statement of profit or loss and other comprehensive income can aid in
identifying the cost of goods sold or other expense accounts that are inconsistent with
the auditor’s expectations.


• Growth in inventory and trade payables can be expected to be consistent. Similarly,
growth in inventory should reflect sales growth.

Multi-period comparisons:

• As GEM has grown substantially over the years, both in terms of number of stores and
sales per store, a multi-year trend analysis might be useful in establishing expectations
for inventory, cost of goods sold, expenses and payables growth. Other independent
variables like the strength of the local economy or household disposable incomes
should be used to establish the auditor’s expectations. Where particular stores fail to fit
the overall trend, further enquiries are necessary to explain deviations.

• Regression analysis over multiple periods is a very useful technique in identification of
errors in these same accounts. Month end inventory and A/P should be regressed on
sales and outliers reviewed for errors.

Comparisons of financial ratios – Key financial ratios associated with the purchases cycle
should be compared to the prior year. These include:

• Gross profit margin,

• Inventory turnover and

• Purchase returns as a percentage of purchases.

Other comparisons: Cross-sectional regression analysis of stores (in contrast to time-series
regression) of the relationship between inventory and cost of goods sold would identify stores
with unusual results (outliers) for further investigation.
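
The multi-period regression described above can be sketched as follows. This is an added example, not part of the learning pack: the monthly figures are constructed (they are not GEM data), and the two-standard-error threshold and the function names are assumptions.

```python
from math import sqrt

# Constructed month-end figures in HK$'000 (not GEM data): (month, sales, inventory).
MONTHS = [
    ("Jan", 300, 65.0), ("Feb", 280, 63.0), ("Mar", 320, 68.0),
    ("Apr", 340, 70.0), ("May", 360, 74.0), ("Jun", 330, 70.0),
    ("Jul", 350, 72.0), ("Aug", 370, 76.0), ("Sep", 390, 108.0),
    ("Oct", 410, 81.0), ("Nov", 450, 88.0), ("Dec", 500, 95.0),
]


def fit_line(xs, ys):
    """Ordinary least squares for y = intercept + slope * x."""
    n = len(xs)
    if n < 3:
        raise ValueError("need at least three periods to estimate residual spread")
    mean_x, mean_y = sum(xs) / n, sum(ys) / n
    sxx = sum((x - mean_x) ** 2 for x in xs)
    if sxx == 0:
        raise ValueError("sales do not vary; no relationship can be fitted")
    sxy = sum((x - mean_x) * (y - mean_y) for x, y in zip(xs, ys))
    slope = sxy / sxx
    return slope, mean_y - slope * mean_x


def regression_outliers(rows, threshold=2.0):
    """Return (label, residual) for periods whose balance is far from the fitted line.

    A period is flagged when |residual| exceeds `threshold` residual standard
    errors. The threshold is a judgement call, assumed here to be 2.0.
    """
    xs = [sales for _, sales, _ in rows]
    ys = [balance for _, _, balance in rows]
    slope, intercept = fit_line(xs, ys)
    residuals = [y - (intercept + slope * x) for x, y in zip(xs, ys)]
    std_err = sqrt(sum(e * e for e in residuals) / (len(rows) - 2))
    if std_err == 0:  # perfect fit: nothing to investigate
        return []
    return [(label, round(e, 1))
            for (label, _, _), e in zip(rows, residuals)
            if abs(e) / std_err > threshold]


if __name__ == "__main__":
    for month, residual in regression_outliers(MONTHS):
        print(f"{month}: inventory is {residual:+.1f} (HK$'000) away from the level implied by sales")
```

The same function serves the cross-sectional case if each row is a store rather than a month. A flagged period is a prompt for inquiry, not a conclusion that the balance is misstated.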

Illustrative Example 2
As shown in the table below, trade payables have increased by 18.5%. This is somewhat
consistent with the inventory increase of 14.6%. Inquiries should be made about the
difference.

While inventory has increased by 14.6%, inventory per store is up by just 8.7% and
inventory turnover has dropped by 5.1%. As noted earlier, where inventory has increased,
a risk of overstatement exists. The reduced turnover is also an indicator of this risk.

Overstatement of inventory is associated with understatement of COGS and a
consequent overstatement of profit. Fraud risk in inventory should be considered, as
should the risk of inventory obsolescence in this short product life-cycle business. If control
risk is medium or high, additional substantive procedures related to inventory existence
and valuation should be undertaken.

The major expense categories in the Statement of Profit and Loss are Sales and
Marketing, Occupancy and Administration. The first two have increased by 8% and 9.4%
respectively. This is consistent with the increase in sales of 8.4% and cost of goods sold of
7.5%. The increase in the number of stores is just 5.3%, however, and inquiries should be
made in this respect. Administration expenses have not changed from the prior year and,
again, inquiries should be made.


Illustrative Example 2 (continued)

GEM Purchases cycle analytical review

GEM Account comparisons

| Accounts | 20X2 (HK$,000) | 20X1 (HK$,000) | Growth % |
| --- | --- | --- | --- |
| Cost of sales | 3090 | 2850 | 8.4 |
| Gross profit | 860 | 800 | 7.5 |
| Net Profit | 186 | 174 | 6.9 |
| Inventory | 550 | 480 | 14.6 |
| Trade payables | 385 | 325 | 18.5 |
| Sales and marketing | 405 | 375 | 8.0 |
| Occupancy | 175 | 160 | 9.4 |
| Admin | 25 | 25 | 0 |
| Stores | 200 | 190 | 5.3 |

GEM Ratio comparisons

| Ratios | 20X2 % | 20X1 % | Growth % |
| --- | --- | --- | --- |
| Gross profit margin | 21.7 | 21.9 | –0.9 |
| Inventory TO* | 5.6 | 5.9 | –5.1 |
| Inventory/store | 2.75 | 2.53 | 8.7 |

* Calculated as (COGS/Ending inventory) due to lack of 20X0 data.

7.2.5 Audit Assertions and Tests of Details


The fifth part of the purchases cycle audit programme identifies common substantive tests of
details for each relevant audit assertion (Exhibit 7.7).

Substantive tests of details for inventory

| Assertion | Substantive test of detail |
| --- | --- |
| Existence | Vouch entries from the inventory sub-ledger to vouchers and supporting documents (invoices, purchase orders and receiving reports) |
| | Examine purchase vouchers to ensure they include all required documentation and check the voucher sequence for duplicates |
| | Review the inventory count procedures (see Section 7.2.5.1); observe the count; test inventory count; trace count to inventory sub-ledger |
| | Where material amounts of inventory are held at multiple locations, or held by others on consignment, consider visiting these locations to perform a test count or sending confirmation letters to the custodians |
| | Where manufacturers use standard cost systems, management’s estimation of the stage of completion of the work-in-process inventory is important in determining existence and completeness. The auditor should make enquiries about this process and observe selected WIP inventory at the year end to confirm management’s estimates |

EXHIBIT 7.7 Substantive tests of details for the purchases cycle


Substantive tests of details for inventory

| Assertion | Substantive test of detail |
| --- | --- |
| Valuation and allocation | Vouch entries in the inventory sub-ledger to vouchers and supporting purchase orders, supplier invoices and supplier statements |
| | Review subsequent year sales to ensure recorded inventory cost is below net realisable value |
| | Review procedures to identify and mark down or write off obsolete inventory. Review write-off and trace to inventory sub-ledger |
| | Inspect inventory for evidence of age (dust, damage or date labels) during the count |
| | Create, or test, the inventory aging |
| | Where manufacturers use standard cost systems, the auditor must ensure that the standard costs as detailed in the engineering specifications are updated to reflect current material, labour and overhead costs, and that overhead allocations are reasonable |
| Completeness | Select inventory from the floor and trace to the inventory listing |
| | Total inventory sub-ledger and trace to the general ledger (‘Total’ is used in this chapter along with the synonyms ‘cast’, ‘foot’ and ‘add’. All are common accounting terms. Warning: Auditors must ensure that client software totals are tested. It should never be assumed that computer generated totals are accurate. They are completely dependent on the software. A client’s inventory ‘total’ could be the total of the sub-ledger plus an extra HK$5M. The same fraud might exist in any account.) |
| | Review voucher sequence for missing items. Trace vouchers to sub-ledger |
| | Review receiving report sequence for missing items. Trace receiving reports to vouchers |
| | Make inquiries about inventories held at other locations and inventory on consignment. Confirm inventories held remotely |
| | Inquire about expected returns and test significant transactions in the purchase returns and allowances account |
| Cut-off | Check year-end purchases and sales cut-off. Review especially shipments received or sent near the year-end |
| | Review purchase and sales terms and contracts |
| Rights | Identify related party transactions and review terms |
| | Review purchase and sales terms and contracts |
| | Inquire about customer’s rights to return merchandise |
| Presentation/disclosure | Review disclosure of the inventory valuation method |
| | Review correct classification – current or long-term |

Substantive tests of detail for accounts payable

| Assertion | Substantive test of detail |
| --- | --- |
| Existence | Vouch entries in the accounts payable sub-ledger to vouchers and supporting documents: supplier invoices, purchase orders and receiving reports |
| | Review the reconciliation, or reconcile, year-end payables balances to supplier statements |
| | Examine purchase vouchers to ensure they include all required documentation and check the voucher sequence for duplicates |
| | Examine subsequent cash payments and reconcile to the accounts payable sub-ledger |

EXHIBIT 7.7 (Continued)


| Assertion | Substantive test of detail |
| --- | --- |
| Valuation | Vouch trade payables entries to vouchers and supporting documents: purchase orders, supplier invoices and supplier statements |
| Completeness | Total trade payables sub-ledgers and trace to the general ledger |
| | Inquire about expected returns and review the purchase returns and allowances account |
| | Review voucher sequence for missing items. Trace vouchers to the sub-ledger |
| | Review receiving report sequence for missing items. Trace receiving reports to vouchers |
| | Reconcile supplier balances to supplier statements |
| | Confirm supplier balances from the accounts payable listing with suppliers; include previously active but currently low or zero balance suppliers (confirmations also provide evidence of existence, obligations and valuation; see Chapter 6 Section 6.4.3 for a discussion of confirmations) |
| Cut-off | Check year-end purchases cut-off; review especially shipments received prior to the year-end |
| Obligations | Identify related party transactions and review terms |
| | Review purchase terms and contracts with suppliers |
| | Inquire about rights to return merchandise to suppliers |
| Presentation/disclosure | Review correct classification – current or long-term |

EXHIBIT 7.7 (Continued)
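
Three of the completeness tests in Exhibit 7.7 lend themselves to an independent re-performance over an extract of the client's data: the voucher sequence check, tracing receiving reports to vouchers, and re-totalling the sub-ledger instead of trusting the software's total. The sketch below is an added example, not part of the learning pack; the voucher data, the reported total and the function names are constructed for illustration.

```python
from collections import Counter
from decimal import Decimal

# Constructed purchase vouchers: (voucher no., receiving report no., amount in HK$).
VOUCHERS = [
    (5001, 801, "12500.00"),
    (5002, 802, "8300.50"),
    (5003, 803, "4100.00"),
    (5005, 804, "22750.25"),
    (5006, 806, "9900.00"),
    (5007, 807, "3050.00"),
    (5007, 807, "3050.00"),
    (5008, 808, "15400.75"),
]
RECEIVING_REPORTS_ISSUED = range(801, 809)  # constructed: RR 801-808 issued in the period
CLIENT_REPORTED_TOTAL = "5079051.50"        # constructed: total printed by the client software


def sequence_exceptions(numbers, first, last):
    """Return (missing, duplicated) document numbers within the range first..last."""
    counts = Counter(numbers)
    missing = [n for n in range(first, last + 1) if n not in counts]
    duplicated = sorted(n for n, c in counts.items() if c > 1)
    return missing, duplicated


def unvouchered_receipts(receiving_reports, vouchers):
    """Receiving reports with no voucher: goods received but no liability recorded."""
    vouchered = {rr for _, rr, _ in vouchers}
    return [rr for rr in receiving_reports if rr not in vouchered]


def retotal(vouchers, reported_total):
    """Re-add the listing independently; return (recomputed total, unexplained difference)."""
    recomputed = sum((Decimal(amount) for _, _, amount in vouchers), Decimal("0"))
    return recomputed, Decimal(reported_total) - recomputed


if __name__ == "__main__":
    missing, duplicated = sequence_exceptions([v for v, _, _ in VOUCHERS], 5001, 5008)
    print("Missing vouchers:", missing)
    print("Duplicated vouchers:", duplicated)
    print("Receiving reports without a voucher:",
          unvouchered_receipts(RECEIVING_REPORTS_ISSUED, VOUCHERS))
    recomputed, difference = retotal(VOUCHERS, CLIENT_REPORTED_TOTAL)
    print(f"Recomputed total HK${recomputed}; unexplained difference HK${difference}")
```

Amounts are held as `Decimal` so that the re-addition is exact; a floating-point sum could itself produce small differences that would then need explaining.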

Apply and Analyse 1


Assume you are an audit senior assigned to the audit of Greenwood Ltd, a clothing retailer.
This is a highly competitive industry sector, but Greenwood’s sales have increased by 20%
in the last 12 months because Greenwood opened several new stores.

You have been asked to audit Greenwood’s inventory. The closing balances of the
inventory account at 30 June were:

| 20X8 | 20X7 | 20X6 |
| --- | --- | --- |
| HK$ 1,256,000 | HK$ 1,456,000 | HK$ 1,500,000 |

(a) Identify four substantive tests of details you would use to verify the balance in the
Inventory account as at 30 June 20X8.

(b) For each test that you have identified in part (a), describe the assertion(s) being
tested.

(c) Identify the type of evidence you will gather for each of the tests you identified in
part (a).


Apply and Analyse 1 (continued)


Analysis

| Test (a) | Assertion (b) | Type of Evidence (c) |
| --- | --- | --- |
| Observe stock take | Existence | Physical inventory items and documented count procedures |
| Select some inventory items from the sub-ledger, verify the quantity in the warehouse | Existence | Physical inventory items |
| Compare cost to current sales price | Valuation and allocation | Document – recent sales invoices |
| Check deliveries around year-end and trace to posting in the correct accounting period | Cut-off (existence and completeness) | Document – shipping documents (sales); receiving reports (purchases) |
| Check the reconciliation of the inventory control account to the sub-ledger | Valuation and allocation | Document – ledger and sub-ledger |
| Check the casting of the inventory sub-ledger | Valuation and allocation | Re-calculation |

7.2.5.1 Inventory Count


HKSA 501 (Clarified) Audit Evidence – Specific Considerations for Selected Items states that where
inventory is material, auditors must obtain sufficient appropriate audit evidence regarding its
existence and condition by attending the physical inventory count, unless this is impracticable.
Other audit procedures are also performed by the auditors over the entity’s final inventory
records to determine whether they accurately reflect actual inventory count results.

Depending on the auditor’s risk assessment, audit approach and the other procedures
carried out, procedures performed during the attendance at physical inventory counting can be
tests of control or substantive procedures.

Ensuring that inventory figures in the accounts represent inventory that exists and
inventory that is owned by the entity is always a responsibility of management. Attendance
at an inventory count gives evidence of the existence (though not necessarily ownership) of
inventory and assists in identifying obsolete, damaged or out-of-date stock.

The count may be completed at year-end, at an interim date, or continuously throughout
the year (a perpetual inventory system). Where an interim date is chosen, roll-forward
(or roll-back) procedures are required.

If a perpetual inventory system is used, auditors will verify that management does the
following:

(a) Maintains adequate and up-to-date inventory records.

(b) Counts all inventory items at least once a year and has adequate procedures for
inventory counts and test-counts.


(c) Controls inventory movements during the count.

(d) Investigates and corrects all material differences.

(e) Segregates inventory recording, authorisation of changes and access.

With a perpetual inventory system, the auditor focuses on tests of controls, but will also
attend one or more counts as appropriate.

Planning the Auditor’s Attendance

Before the physical inventory count the auditors should review the permanent file, the prior
year’s audit file and the current file’s inventory risk analysis. Items of interest include:

• The count instructions.

• The nature and volume of the inventory.

• Risks:

  ◦ Inventories at multiple locations,

  ◦ Inventories of small size but high value or that are easily transportable and
    otherwise subject to theft,

  ◦ Items with similar appearance,

  ◦ Inventories requiring special storage,

  ◦ Inventories requiring special knowledge to value.

• Method of accounting for inventory:

  ◦ Manufactured goods that require identification of stage of completion for work in
    process and allocation of overhead costs to finished goods.

• Internal controls and the inventory accounting system.

• Arrangements to obtain confirmation of inventory held by others.

Attendance procedures

During the count, the auditors should:

• Check the count is being carried out according to instructions,

• Carry out test counts,

• Scan for third party inventory and cut-off problems.

In the case of work-in-progress, its stage of completion should be noted to ensure that it is
later valued appropriately.

When carrying out test counts the auditors should select items from the management’s
count records and from the physical inventory and check one to the other. Tracing and
vouching provide evidence for completeness and existence. The auditors should concentrate
on high value inventory.

The auditor should observe:

• Restriction of inventory movements during the count.

• Identification of damaged, obsolete, slow-moving, third party and returnable inventory.


• Serial numbering, control, approval and return of all inventory count sheets.

• Recording of last numbers of goods inwards and outwards records and of internal
transfers to assist in verifying cut-off.

Documentation of count procedures

The auditor should document details of observations and tests including:

• Details of test counts performed.

• Results of cut-off tests.

• Identification of obsolete or consignment stock.

• The manner in which points that are relevant and material to the inventory being
counted or measured have been dealt with by the entity.

• Observations of the client’s count procedures including instances where the entity’s
procedures have not been satisfactorily carried out.

• Items for subsequent testing.

• The auditors’ conclusions regarding the count.

Follow-up

• Trace items that were test counted to final inventory listing.

• Observe whether all count records including consignment inventories have been
included in the final inventory listing.

• Vouch the final inventory listing to the count records.

• Ensure that perpetual inventory records have been adjusted to the amounts physically
counted or measured.

• Confirm the cut-off by checking sales invoices and supplier invoices.

• Review replies from third parties about inventory held by, or for, them.

• Confirm that the final valuation of inventory has been calculated correctly.

7.3 PAYROLL

7.3.1 Key Account


The key account is payroll expense.

Other accounts include:

• Payroll liability;

• Commissions;

• Bonuses;


• Holiday pay, other leave;

• Pension or medical liabilities.

7.3.1.1 The Payroll Process


The payroll system is similar to the purchases system. Payments are made to authorised
suppliers – the employees – for contracted services. However, it is discussed separately from
purchases both because it is material and because the personnel and payroll systems are
normally separated from the purchases system. In many organisations, payroll is outsourced.

The traditional approach to payroll is based on the following documents:

• Personnel record – personal details of employees;

• Deduction authorisations – pension, union, etc.;

• Time record for hourly employees, output for piece-rate employees;

• Remittance advice;

• Payroll journal – records payroll for each pay period;

• Earnings record – records payroll to date for the entity’s financial year;

• Statement of earnings – taxation year return for the employee; and

• Payroll tax return – entity taxation year return for the Inland Revenue.

7.3.2 Risks
7.3.2.1 Materiality
Payroll is a major expense category for many entities. As payroll is paid frequently, associated
liabilities for wages, salaries and payroll deductions like tax, holiday pay and pensions are less
likely to be material. Key risks are existence – overpayment to fraudulent employees or to
management personnel – and completeness – underpayment of employees (wage theft).

7.3.2.2 Misappropriation of Assets


A common fraud is a ‘horse on the payroll’ – meaning that fraudulent employees will appear
on the payroll master file and will be paid a regular salary. This ‘person’ might be a relative of
the payroll manager or accountant, or an alias used by these individuals to make unauthorised
payments to themselves or accomplices.

Managers may approve excessive payments to employees and demand kickbacks from
those employees.

Underpayment of employees (wage theft) occurs when employees are not paid for
overtime or actual hours worked, or are paid an hourly rate less than that in their employment
agreement.

Another form of misappropriation is unauthorised payments to senior managers including
bonuses, loans that are subsequently forgiven, and travel or entertainment expenses.


7.3.2.3 Fraud
Fraud can take these forms:

• Recording payroll expenses as inventory or other assets with the aim of understating
expenses and overstating profits.

• Fraudulent employees on the payroll.

• Failure to record payroll-related liabilities – pension, etc.

Fraud indicators include:

• Inventory growing faster than sales.

• Gross margin above the industry average (due to understatement of payroll expense).

• Payroll expenses above or below industry norms.

• Payroll expense accounts with credit entries.

Exhibit 7.8 below summarises the risks identified above, the perpetrator’s motivation and
the financial statement assertion(s) at risk of misstatement.

| Risk | Reason for fraud/theft | Assertions at risk |
| --- | --- | --- |
| Wage/salary payments to fictitious employees; payment of unauthorised expenses | Misappropriation of assets | Occurrence of payroll expense |
| Late recognition of payroll expense at year end; recording payroll expenses as inventory | Overstatement of sales/profit/net assets | Completeness of payroll; cut-off of payroll expense and liability |
| Underpayment of employees by paying a low rate or failing to pay for all hours worked. | Wage theft | Completeness of payroll |

EXHIBIT 7.8 Risk in payroll

7.3.3 Assertions, Controls and Tests of Controls


The main control over payroll transactions is the segregation of duties between the personnel
department (also called Human Resources), the payroll department and accounting. Personnel
is responsible for authorisation of employees and payroll for their payment. Personnel
maintains a ‘personnel master file’. Access to this file should be restricted. Periodic review of
changes to the file should be carried out by a personnel manager with no access privileges. The
segregation between personnel and payroll minimises fraudulent payments to non-existent
employees – though of course collusion is always an issue in fraud and is not easily controlled.

Wages and salaries expenses are normally well controlled. For employees paid hourly
wages, time records are kept through the use of electronic security identification cards and
are approved by supervisors. Approved time records are forwarded to payroll who calculate
wages, appropriate deductions from wages and other payroll-related expenses as specified in
the personnel master file. This calculation process may be automated. For salaried employees,
payments are similarly made by reference to data in the personnel master file.


The payroll is subject to computer edit checks of the employee number and limit checks
on hours and wages. The completed payroll is paid through electronic bank transfers. Bank
transfers should be authorised by a senior finance manager who is not involved in preparing
the payroll. Whether paid by transfer or cheque, a separate bank account should be set up and
all payroll payments made through this to control payments and facilitate reconciliation.

This section does not address control issues that arise when employees are paid in cash.
This procedure introduces many control risks and is seldom used.

7.3.3.1 Outsourcing to a Service Organisation


Many organisations outsource their payroll function to service organisations such as banks.
HKSA 402 (Clarified) Audit Considerations Relating to an Entity Using a Service Organisation
expands on how HKSA 315 (Revised 2019) Identifying and Assessing the Risks of Material
Misstatement is applied in understanding the control risk associated with a service organisation.
The auditor must understand the services provided and how they impact on the client’s internal
controls over transactions and the financial statements. The auditor’s risk assessment activities
are discussed in Chapter 5 Section 5.5 and the use of service organisations in Chapter 8
Section 8.3.4.

Exhibit 7.9 identifies assertions relevant to payroll, relevant controls and tests of controls.

Payroll – key risks are overstatements through misappropriation of assets
(occurrence and accuracy) and fraudulent understatements (completeness)

| Assertion | Control | Test |
| --- | --- | --- |
| Occurrence | Segregation of payroll and personnel functions | Inquire about segregation |
| | Authorisation of entries and changes to the personnel file – particularly for starters and leavers | Select active employees from the personnel file and confirm their existence |
| | Approval of time cards or piecework counts | Examine time cards for evidence of approval |
| | Approval of bank transfers or cheque payments by senior finance manager | Inquire re bank transfer approval |
| | Process to remove ‘leavers’ from personnel file | Review ‘leaver’ process |
| Accuracy | Segregation of payroll preparation | Review payroll preparation to ensure that the preparer is independent and has no access to cash or the ability to change the personnel file |
| | Appropriate authorisations of salaries/wages and withholdings including both supervisory review and independent reconciliation of the payroll record to the bank | Review authorisation and reconciliation procedures and test evidence of their performance |
| | Comparison of budget to actual payroll | Enquire about comparisons. Review variances |

EXHIBIT 7.9 Assertions, controls and tests of controls in payroll


Payroll – key risks are overstatements through misappropriation of assets
(occurrence and accuracy) and fraudulent understatements (completeness)

| Assertion | Control | Test |
| --- | --- | --- |
| Completeness | Reconciliation of the HR personnel file to the employee earnings record for the year | Review reconciliation |
| | Process to record ‘starters’ | Review ‘starter’ process. Observe evidence of approval of starters |
| Cut-off | Process for recording starting and leaving employees | Review process; select starters and leavers from personnel records and vouch their payroll entries to their personnel records and salaries or time cards to verify their pay |
| | Allocation of end of year payroll | Inquire about allocation process |

EXHIBIT 7.9 (Continued)

7.3.4 Analytical Procedures


Analytical procedures are particularly useful for payroll because of the predictable relationships
that often exist between payroll, personnel numbers and sales.

Simple comparisons – All payroll accounts are compared in dollar and percentage terms
with prior years’ audited balances, with industry norms and with the current budget.

Multi-period comparisons – As GEM has grown substantially over the years both in
terms of number of stores and sales per store, a multi-year trend analysis might be useful in
establishing expectations for payroll. Other independent variables, like the strength of the local
economy, household disposable incomes or the inflation rate, might also be used to establish
expectations.

As payroll is paid bi-weekly or monthly, regression analysis over multiple periods is useful.
Payroll can be compared with the number of employees, production or sales, whichever is most
appropriate. Outliers are often indicative of errors.

Comparisons of financial and other ratios include:

• Wages per employee;

• Hours worked per employee.

7.3.5 Audit Assertions and Tests of Details


The fifth part of the payroll audit programme identifies common substantive tests of details for
each relevant audit assertion (Exhibit 7.10).


| Assertion | Substantive test of detail |
| --- | --- |
| Occurrence | To identify leavers who are still being paid, or non-existent employees, vouch wages and salaries expense to the payroll journal and to the personnel master file |
| | Select leavers from the personnel file and verify their termination date and termination payment. Review subsequent periods for further payments |
| | Scrutinise payroll and investigate unusual or large entries |
| | Observe time recording procedures; review approval process |
| Accuracy | Vouch senior management salaries and bonuses to board minutes. |
| | Vouch employee pay rates to the personnel file and to the employment agreement, and hours worked to approved time cards. Recalculate gross pay, withholdings and net pay. Pay particular attention to periods when the normal payroll clerk was absent and when pay periods are of unusual lengths (end of month or year, or public holidays). Analytical review procedures as described above can identify periods of interest. |
| | Agree the payroll records to information on the annual return to the Inland Revenue Department. |
| Completeness | Review payroll accruals for other liabilities such as pension obligations. Recalculate the material (normally apply an analytical review). Reconcile the payments in the payroll journal with the bank statement. Prove the bank reconciliation. |
| | Wage theft is a key issue. Note the ‘recalculation’ procedure listed under accuracy above – which is also a test for completeness. |
| Cut-off | Ensure the first payroll for the subsequent period is appropriately allocated to the current period (normally, a bi-weekly payroll will pertain to days in both periods). |

EXHIBIT 7.10 Substantive tests for the payroll cycle
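
The occurrence and accuracy tests in Exhibit 7.10 (vouching the payroll journal to the personnel master file, checking for payments to leavers, and recalculating gross pay from approved hours) can be re-performed over data extracts as sketched below. This is an added example, not part of the learning pack: all records are constructed, the names are hypothetical, and gross pay is assumed to be approved hours multiplied by the agreed hourly rate, with no overtime premium or withholdings.

```python
from datetime import date
from decimal import Decimal

# Constructed personnel master file: hourly rate per employment agreement, leaving date.
PERSONNEL = {
    "E101": {"rate": Decimal("80.00"), "left": None},
    "E102": {"rate": Decimal("65.00"), "left": date(2024, 2, 29)},
    "E103": {"rate": Decimal("60.00"), "left": None},
    "E104": {"rate": Decimal("70.00"), "left": None},
}
# Constructed supervisor-approved time cards for the pay period starting 1 March 2024.
APPROVED_HOURS = {"E101": Decimal("160"), "E103": Decimal("172"), "E104": Decimal("150")}
# Constructed payroll journal for that period: (employee, period start, gross pay in HK$).
PAYROLL_JOURNAL = [
    ("E101", date(2024, 3, 1), Decimal("12800.00")),
    ("E102", date(2024, 3, 1), Decimal("10400.00")),
    ("E103", date(2024, 3, 1), Decimal("9600.00")),
    ("E999", date(2024, 3, 1), Decimal("9000.00")),
    ("E104", date(2024, 3, 1), Decimal("11500.00")),
]


def vouch_payroll(journal, personnel, approved_hours):
    """Return (employee, exception, amount) for each journal line that fails a test."""
    exceptions = []
    for emp, period_start, gross in journal:
        record = personnel.get(emp)
        if record is None:
            # Occurrence: paid, but no authorised personnel record exists.
            exceptions.append((emp, "NOT_ON_PERSONNEL_FILE", gross))
            continue
        if record["left"] is not None and period_start > record["left"]:
            # Occurrence: the whole pay period falls after the leaving date.
            exceptions.append((emp, "PAID_AFTER_LEAVING", gross))
            continue
        hours = approved_hours.get(emp)
        if hours is None:
            exceptions.append((emp, "NO_APPROVED_TIME_CARD", gross))
            continue
        expected = hours * record["rate"]  # recalculated gross pay
        if gross < expected:
            # Completeness: possible underpayment (wage theft).
            exceptions.append((emp, "UNDERPAID", expected - gross))
        elif gross > expected:
            # Accuracy: possible overpayment.
            exceptions.append((emp, "OVERPAID", gross - expected))
    return exceptions


if __name__ == "__main__":
    for emp, code, amount in vouch_payroll(PAYROLL_JOURNAL, PERSONNEL, APPROVED_HOURS):
        print(f"{emp}: {code} HK${amount}")
```

Each exception is a line for follow-up with supporting documents. The extracts should be obtained independently of the payroll preparer, in line with the segregation of duties described in Section 7.3.3.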

7.4 BANK AND CASH

7.4.1 Key accounts


Key accounts include:

• Cash

• Marketable securities

Other accounts include:

• Gain or loss on investments

• Dividend income

• Interest income

This section discusses cash and cash equivalents (highly liquid assets). Both are managed
by the treasury function. The objectives of treasury are to ensure cash is available to:

• Pay liabilities as they come due,

• Arrange finance for operations and asset purchases,


• Invest excess cash holdings,

• Reduce financial risk (e.g. through foreign currency hedges), or

• Speculate.

See Section 7.5 below for a discussion of financial instruments other than highly liquid or
cash equivalent instruments.

7.4.1.1 Cash
The cash balance at year end is highly variable and seldom material. In many instances, a credit
balance will exist. The material aspect of cash is the extremely large number and high total
value of cash receipt and payment transactions. These transactions are typically examined in
the audit program for the revenue cycle (Section 1 Receipts) and the purchases cycle (Section 2
Payments). Cash transactions affect all transaction cycles – sales, purchases, payroll, capital
acquisitions, etc.

There are four main types of receipt and payment transactions. Each type of transaction
presents its own control challenges:

1. Cash is counted and deposited daily by stores at a local bank branch. Deposits are
reconciled daily with sales (cash register) listings and postings.

Cash payments are unusual and may be controlled by a ‘petty cash’ system.

2. Credit card receipts are controlled by the card issuer (e.g. Visa) for a fee. Listings of
approved credit card transactions are provided daily for reconciliation with recorded
sales and postings.

Credit card purchases/payments may be made by authorised management employees
in accordance with budget allocations.

3. Cheque receipts are accompanied by a customer remittance advice. Where no advice
is received, one is created by the entity. In automated systems, scanners read the
two documents and differences are reconciled and corrected. The documents are
batched: cheques are deposited in the bank and remittance advices posted to the trade
receivables sub-ledger. Controls include segregation of cheques and remittance advices
for deposit and posting; reconciliation of postings and deposits; and computer edit
tests to identify errors.

Cheque payments are normally controlled with voucher systems as described in
Section 2, the Purchases cycle.

4. Electronic transfers. Listings of remittances and payments are forwarded by the bank
to the client daily for posting to trade receivables and trade payables. Controls include:
reconciliation of cash deposits with postings and/or with sales listings as appropriate;
review by internal audit or treasury; comparison to the cash budget; and the follow-up
of discrepancies reported by customers. It is expected that electronic transfers will
replace most other approaches to cash management in the future.


7.4.2 Risk
While understatement errors may occur in cash, fraudulent overstatement of the asset is a
key audit risk. Another major risk is unauthorised payments, as illustrated below. Valuation is
not an issue – cash is itself a measure of value – unless transactions denominated in a foreign
currency are common.

Illustrative Example 3
A private equity fund company that was involved in the largest sale of shopping centres
in Hong Kong became the city’s biggest victim of email fraud in 2017 after being conned
out of HK$39 million. The Link Reit, the largest real estate investment trust in Asia,
announced the sale of properties including 17 shopping centres in Hong Kong to Gaw
Capital for HK$23 billion. A fraudster – posing as a client – sent a deceptive email to the
manager of a Gaw Capital branch in Causeway Bay, requiring the firm to withdraw HK$5
million from its account and transfer the amount to a local bank account. The firm only
realised it was a scam when the genuine client contacted the company.

Exhibit 7.11 identifies some of the motivations for overstatement and the assertions at risk
of misstatement.

| Risk | Reason for fraud/theft | Assertions at risk |
|---|---|---|
| Overstatement of cash | Meeting debt covenants; liquidity | Existence and valuation |
| Payment of false invoices or inflated invoices | Misappropriation of assets; kickbacks | Occurrence of payment transactions; existence of cash |
| Omitting outstanding cheques from, or under-footing, the bank reconciliation to hide misappropriation of assets | Embezzlement | Existence and valuation |
| Double counting of transfers between bank accounts (kiting) | Overstatement of cash to hide misappropriation of assets or conceal a negative cash balance | Existence and valuation |

EXHIBIT 7.11 Inherent risk in cash

7.4.3 Assertions, Controls and Tests of Controls


Most organisations have good controls over cash because it is easily stolen and because
the main cause of business bankruptcy is running out of cash – a liquidity crisis – so that the
business is unable to pay its suppliers and employees. Where controls are good and control
risk is low, the audit of cash will focus on testing controls. The main controls over cash include
the bank reconciliation, segregation of those with access to cash from others who record cash
transactions and from those who authorise deposits, withdrawals and transfers.


Exhibit 7.12 provides descriptions of some key controls over cash payments and receipts,
and tests the auditor might apply to those controls.

Cash receipts – key risk is overstatement (existence and valuation)

| Assertion | Control | Test |
|---|---|---|
| Existence | Daily banking of cash receipts | Observe agreement of bank deposits to daily sales listing |
| | Bank reconciliation | Observe preparation and review of bank reconciliation |
| Valuation | Agree cash, cheques and credit card receipts with daily sales listing | Examine evidence of check or observe check |
| | Bank reconciliation | Observe preparation and review of bank reconciliation |
| | Foreign exchange translation procedures | Review procedures to ensure compliance and consistency with accounting standard HKAS 21 The Effects of Changes in Foreign Exchange Rates |
| Completeness | Cash register or point-of-sale terminals display the sale amount to the customer and provide a printed receipt. They provide a listing of transactions for the business. | Observe that equipment is working and that operators are using them properly. Observe customers being given receipts. Ensure cash is counted and agreed to the daily sales listing. |
| | Bank reconciliation | Observe preparation and review of bank reconciliation |
| | Cash receipts are deposited daily | Observe preparation and performance of bank deposits |
| Rights | Bank account | Bank confirmation |

Cash payments – key risk is overstatement (existence and valuation)

| Assertion | Control | Test |
|---|---|---|
| Existence | Bank reconciliation | Observe preparation and review of bank reconciliation |
| | Approval. Review of supporting documentation and approved supplier list by cheque signers or approver of bank transfers | Observe check of supporting documentation by approvers |
| | Comparisons with cash budgets or with long-term contracts with suppliers | Enquire about cash budgets and the frequency and reporting of variances |
| | Cancellation of documents to prevent duplicate payments | Observe cancellation of invoices |
| | Access controls for approved supplier database | Enquire about access controls |
| | Independent review of supplier queries | Inquire about review |
| | Imprest bank accounts for payroll and dividend payments | Bank confirmation; enquiry |

EXHIBIT 7.12 Controls and tests for cash receipts and cash payments


Cash payments – key risk is overstatement (existence and valuation)

| Assertion | Control | Test |
|---|---|---|
| Valuation | Foreign exchange translation procedures | Review procedures to ensure compliance and consistency with accounting standard HKAS 21 The Effects of Changes in Foreign Exchange Rates. |
| Completeness | Pre-numbered cheques or bank transfers | Perform (re-perform) a sequence check for missing (or duplicate) payments |
| | Bank reconciliation | Observe preparation and review of bank reconciliation |
| Rights | Bank account | Confirm bank account (also provides evidence for existence and valuation) |
| Presentation | Foreign exchange procedures | Ensure consistency with accounting standard HKAS 21 The Effects of Changes in Foreign Exchange Rates |

EXHIBIT 7.12 (Continued)

7.4.4 Analytical Procedures


Analytical procedures are seldom used in the audit of cash. Cash accounts are highly variable
and the auditor cannot expect consistency from one period to the next. Possible analytical
procedures include:

• Many organisations have high-quality, even daily, cash budgeting procedures.
Comparisons with budgets may provide reliable evidence and

• Multi-period comparison of items on the bank reconciliation (e.g. deposits in transit or
unpresented cheques).

7.4.5 Audit Assertions and Tests of Details


Substantive tests for cash include:

• Confirming balances, loans and terms of agreements with the client’s bank,

• Testing the accuracy and completeness of the bank reconciliation,

• Testing the cut-off with reference to the subsequent bank statement and

• Counting cash on hand.

Each of the tests listed above provides evidence about multiple assertions. For example, all
of the above provide evidence about existence.

Bank confirmations are similar to trade receivable confirmations discussed in Chapter 6.
A letter is sent to all client banks asking for the year-end balance of all accounts and loans,
and the terms of contracts. Bank confirmations are reliable evidence as they are provided by
informed third parties.

The cut-off assertion for cash is tested by reviewing payments and deposits occurring in
the period around the balance date. The confirmed bank balance will most often be different
from the entity balance and the entity’s bank reconciliation will list ‘deposits in transit’ and
‘unpresented cheques’. The auditor should at least ensure that deposits and payments
recorded by the entity on the last day of the financial year appear in the bank statement on
the subsequent business day. Unexpected delays may be indicators of ‘income smoothing’ or
the fraudulent overstatement of cash. Where cash balances on hand at the balance date are
potentially material, the auditor may conduct a cash count. For a retailer like GEM, cash may be
held at a large number of locations, both as petty cash and sales receipts. The count requires a
high level of coordination as the count should be carried out at all locations simultaneously.

Count cash balances held and agree balances to the petty cash book and cash register
receipts. During the count, verify that appropriate security is in place (safes or locked cash
registers) and that access is limited to appropriate personnel. The count should be supervised
by responsible parties like the store accountant or manager. Obtain a certificate of cash-in-
hand from the responsible person. As a follow-up, confirm that bank and cash balances are
reconciled and trace these to the financial statements.

Exhibit 7.13 lists some of the common substantive tests of details for cash.

| Assertion | Substantive test of details |
|---|---|
| Existence/occurrence | Send bank confirmation |
| | Test bank reconciliation |
| | Examine bank account transfers at year end to ensure transfers are not included in two accounts (kiting) |
| | Review all large and unusual cash receipts and payments recorded near the year end |
| Valuation/accuracy | Send bank confirmation |
| | Cash count (see below) |
| Completeness | Send bank confirmation |
| | Trace subsequent cash payment to the final and subsequent bank statements as appropriate, to ensure payments were recorded in the correct period |
| Cut-off | Cut-off test on cash receipts and payments. The main source of evidence is the subsequent bank statement |
| Rights/obligations | Send bank confirmation |

EXHIBIT 7.13 Substantive tests of details for cash
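
The year-end transfer, reconciliation and cut-off tests from Exhibit 7.13, applied to an interbank transfer schedule, as an added example that is not part of the learning pack. The schedule layout, references, dates and amounts are constructed, and business days are assumed to exclude weekends only.

```python
from dataclasses import dataclass
from datetime import date, timedelta

YEAR_END = date(2021, 3, 31)   # constructed balance date (a Wednesday)


@dataclass(frozen=True)
class Transfer:
    """One line of the auditor's interbank transfer schedule (assumed layout)."""
    ref: str
    amount: int           # HK$
    book_paid: date       # payment recorded in the books of the paying account
    book_received: date   # receipt recorded in the books of the receiving account
    bank_paid: date       # withdrawal per the paying account's bank statement
    bank_received: date   # deposit per the receiving account's bank statement


def business_days_after(start, end):
    """Business days from the day after `start` up to and including `end`."""
    count, day = 0, start
    while day < end:
        day += timedelta(days=1)
        if day.weekday() < 5:   # Monday to Friday; public holidays not modelled
            count += 1
    return count


def review_transfers(transfers, unpresented, in_transit, year_end, max_lag=1):
    """Return (ref, code, amount) for each transfer that needs follow-up.

    `unpresented` and `in_transit` are the references listed on the entity's
    year-end bank reconciliations as unpresented cheques and deposits in transit.
    """
    findings = []
    for t in transfers:
        # Cash shows in the receiving account (books or bank) by year end but
        # has not yet left the paying account's books: it is counted twice.
        if min(t.book_received, t.bank_received) <= year_end < t.book_paid:
            findings.append((t.ref, "KITING_DOUBLE_COUNT", t.amount))
        # Cash left one account's books this year and reached the other next year.
        elif t.book_paid <= year_end < t.book_received:
            findings.append((t.ref, "CUTOFF_RECEIPT_NEXT_PERIOD", t.amount))
        # Paid per books but not yet cleared: must be a reconciling item.
        if t.book_paid <= year_end < t.bank_paid and t.ref not in unpresented:
            findings.append((t.ref, "NOT_ON_UNPRESENTED_LIST", t.amount))
        # Received per books but not yet credited by the bank.
        if t.book_received <= year_end < t.bank_received:
            if t.ref not in in_transit:
                findings.append((t.ref, "NOT_ON_IN_TRANSIT_LIST", t.amount))
            # Deposits should reach the statement on the next business day.
            if business_days_after(t.book_received, t.bank_received) > max_lag:
                findings.append((t.ref, "LATE_DEPOSIT", t.amount))
    return findings


def cash_overstatement(findings):
    """Total cash counted in two accounts at the balance date."""
    return sum(amt for _, code, amt in findings if code == "KITING_DOUBLE_COUNT")


# Constructed sample schedule. Column order after the amount:
# book_paid, book_received, bank_paid, bank_received.
TRANSFERS = [
    Transfer("T1", 500_000, date(2021, 3, 30), date(2021, 3, 30),
             date(2021, 3, 31), date(2021, 3, 30)),   # complete before year end
    Transfer("T2", 250_000, date(2021, 3, 31), date(2021, 3, 31),
             date(2021, 4, 1), date(2021, 4, 1)),     # genuine items in transit
    Transfer("T3", 800_000, date(2021, 4, 1), date(2021, 3, 31),
             date(2021, 4, 6), date(2021, 3, 31)),    # receipt booked, payment not
    Transfer("T4", 120_000, date(2021, 3, 31), date(2021, 3, 31),
             date(2021, 4, 9), date(2021, 4, 9)),     # deposit reaches bank late
    Transfer("T5", 60_000, date(2021, 3, 29), date(2021, 3, 29),
             date(2021, 4, 2), date(2021, 3, 30)),    # cheque left off the list
]
UNPRESENTED = {"T2", "T4"}   # per the paying accounts' reconciliations
IN_TRANSIT = {"T2", "T4"}    # per the receiving accounts' reconciliations

if __name__ == "__main__":
    results = review_transfers(TRANSFERS, UNPRESENTED, IN_TRANSIT, YEAR_END)
    for finding in results:
        print(finding)
    print("Cash counted twice at year end: HK$", cash_overstatement(results))
```

The four dates per transfer come from the cash books and from the final and subsequent bank statements, which is why the subsequent statement is the main source of evidence for this test.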

Apply and Analyse 2


The following are weaknesses in controls over cash. For each weakness, identify the
audit procedure that should be used to determine whether any material misstatements
have occurred.

1. The person who opens the mail prepares the bank deposit.

2. Sometimes the documents supporting cash disbursements are not cancelled.



Analysis

1. As noted in Section 7.4.3, a key control over cash is the segregation of those with
access to cash from others who record cash transactions. In this case, the person
opening the mail should prepare a listing of cheques for forwarding to accounting
and pass the cheques to another individual who then prepares the bank deposit.
The cheque listing should be reconciled with the bank deposit in the accounting
department.

In this case, the person opening the mail AND making the deposit could steal
cheques. The audit procedure that would detect this theft is confirmation of
accounts receivable balances with the customer. The customer balance in the A/R
sub-ledger would be higher than the amount confirmed by the customer.

2. The supplier invoice should be cancelled when paid to ensure that it is not paid
twice. In order to detect this error, the accounts payable balance for the supplier
should be reconciled to the supplier’s statement. If supplier statements are not
available, an alternative procedure is confirmation of the supplier’s accounts
payable balance.

7.5 FINANCIAL INSTRUMENTS

Financial instruments include both financial assets and financial liabilities.

Financial assets are liquid assets because the economic resources or ownership can be
converted into something of value such as cash. The value of the asset is determined by
the demand and supply of such assets in the market. These are classified according to the
features of the cash flow associated with them. Examples include Certificates of Deposit (CD),
bonds, shares, cash, bank deposits, loans, receivables and derivatives. Derivatives are financial
assets whose value is derived from other underlying assets.

Financial liabilities are contractual obligations to deliver cash or equity. Examples of
financial liabilities are accounts payable, loans and derivatives. Normally, what is a financial
asset for one party to a transaction will be a financial liability for the counterparty (e.g. a
receivable for a seller and a payable for the buyer).

Accounting and auditing for most classes of financial instruments is straightforward and
has been discussed in other sections of this chapter and in Chapter 6 (e.g. cash, purchases,
payables, receivables, debt securities and equities). However, accounting for derivatives and the
audit of derivative accounts is a complex matter. HKFRS 9 Financial Instruments is a very long and
detailed standard which has been updated in stages over the last decade. Different definitions
of financial instruments continue to exist among financial reporting frameworks. Much of
HKFRS 9 is concerned with definitions of different categories of financial instruments, specific
inclusions and exceptions within each category, and associated accounting requirements for
each category. These specific accounting procedures and the accounting standard are not
assumed knowledge for this subject.

Relevant auditing standards include:

• HKSA 540 (Revised) Auditing Accounting Estimates and Related Disclosures, which is
discussed in Chapter 6 Sections 6.5.1, Accounting Estimates, and 6.5.2, Fair Values, and

• HKSA 620 (Clarified) Using the Work of an Auditor’s Expert, which is discussed in Chapter 8
Section 8.3.

These two standards are supported by professional guidance found in HKAPG 1000 Special
Considerations in Auditing Financial Instruments. HKAPG 1000 does not deal with simpler financial
instruments like cash, loans, trade receivables and payables or insurance contracts.

The complexity of the area, and its inter-relationship with other standards, is demonstrated
in the introduction to HKSA 540 (para 1), which states that the standard ‘includes requirements
and guidance that refer to, or expand on, how HKSA 315 (Revised 2019), HKSA 330, HKSA 450,
HKSA 500 and other relevant HKSAs are to be applied in relation to accounting estimates’. The
professional guidance HKAPG 1000 is similarly complex.

The general audit approach to the audit of financial instruments is explained in HKSA 540.
In brief, valuation is the key risk and the auditor will collect evidence to confirm management’s
estimate or, if that is not possible, will develop their own estimate.

The following is a brief review of the audit of accounting estimates (see also Chapter 6
Section 6.5.1).

The auditor must ensure an estimate:


1. Provides an exit price,
2. Is market-based,

3. Identifies the relevant market,

4. Is based on reasonable assumptions,

5. Is not influenced by management’s intentions,

6. Identifies the best use of the asset (liability) and

7. Is based on an appropriate valuation model using to the greatest extent possible
observable inputs.

The auditor should also:

8. Develop a point estimate or range to assess management’s estimate.

9. Obtain written representations from management on whether they believe significant
assumptions used in making accounting estimates are reasonable.

7.5.1 Key accounts


Key accounts include:

• Marketable securities

• Derivatives – including both financial assets and liabilities


Other accounts include:

• Gain or loss on investments,

• Dividend income and

• Interest income.

7.5.2 Risk
Risks relating to most established financial instruments like receivables or equity have been
discussed in other sections of this chapter. This section will focus mainly on derivatives that,
in general, have a high inherent risk, especially when used for speculation. Today, literally
hundreds of types of derivatives exist and each has unique features relating to risk, all of which
need to be considered by the auditor in their analysis of inherent risk (credit risk, market risk,
liquidity risk, basis risk, operational risk and legal risk; see HKAPG 1000 Special Considerations
in Auditing Financial Instruments para 18/19). In many cases high interest rates are offered to
compensate for a lack of collateral. Derivatives are described as marketable securities, but
many markets are thin and market quotations may be unreliable. Market values may fluctuate
on a minute-to-minute basis and markets can become illiquid. While issuers of securities may
guarantee to repurchase the security at some future date, this transaction depends on the
liquidity of the issuer, which cannot be guaranteed.

Management’s fair value estimates of these instruments can be highly subjective and risky
and such assets present the auditor with the highest possible level of detection risk, i.e. the
risk that the auditor’s procedures will fail to detect a misstatement (see Section 7.5.6 below). Valuations
are risky for many reasons. HKAPG 1000 Special Considerations in Auditing Financial Instruments:
Assessing and Responding to the Risks of Material Misstatement para 85–105 provides useful
guidance. Some key points are noted below:

• Management and those charged with governance may be unfamiliar with derivative
transactions, valuation methods or the requirements of the accounting standards
regarding financial instruments.

• The client’s finance personnel responsible for derivative transactions often
have very significant incentive plans tied to profits on derivative trades and may
overstate profits.

• During difficult financial market conditions, management may engage in fraudulent
financial reporting to hide fraud or error, to hide breaches of regulatory, liquidity or
borrowing limits, or to avoid reporting losses.

• Management may rely on valuations provided by brokers or other dealers
(management’s experts). These brokers may be competent with the valuation of some
classes of derivatives, but not others.

• Brokers may be unable to provide auditors with evidence sufficient to support their
valuations or to identify the assumptions underpinning their models.

• Brokers’ valuations may not be prepared in a timely fashion – reflecting current market
conditions (see Chapter 8 Section 8.3.5, Management’s Experts).


It should be noted that the risk of loss of a financial instrument may exceed the value
recognised on the balance sheet. For example, a sudden fall in the price of a commodity may
force an entity to close a position. The losses may create going concern issues or failure of
the business.

Exhibit 7.14 identifies some of the motivations for misstatement of financial instruments
and related accounts, and the assertions at risk of misstatement.

| Risk | Motivation for misstatement | Assertion at risk |
|---|---|---|
| Tax and accounting requirements (regulatory risk) | Underpayment of tax | Completeness and accuracy of tax expense; presentation and disclosure of financial instruments |
| Lack of corporate policy and controls regarding the purpose of the instrument, the acceptable risks and limits on investment | Speculation to maximise profits | Valuation of financial instruments |
| The importance of continual monitoring of market value and risk | Non-disclosure of fair values and losses | Valuation, existence and completeness of financial instruments |
| Default risk – continual monitoring of the counterparty risk | Non-disclosure of fair values and losses | Valuation, existence and completeness of financial instruments |
| Collateral risk – procedures for taking possession of any associated collateral | Overvalue financial assets | Existence, valuation and rights regarding collateral assets |
| Management capacity to understand, manage and value financial instruments | Unwillingness to hire or contract for expensive professional assistance | Valuation of financial instruments |
| Bonus/incentives schemes for personnel engaged in trading derivatives | Maximising incentives | Valuation, existence and completeness of financial instruments |

EXHIBIT 7.14 Inherent risk in financial instruments

7.5.3 Assertions, Controls and Tests of Controls


While some long-term financial instruments are recorded at amortised cost, those considered
most risky are recorded at fair value. The audit of assets recorded at fair value was discussed
in Chapter 6 Section 6.5.2. As noted in that section, the auditor’s objective with fair values is to
make a conclusion about the reasonableness of management’s fair value estimates and related
disclosures. Two circumstances were identified that determine the auditor’s approach.

1. A relevant and active market with quoted prices exists (e.g. publicly traded shares or
bonds, currency hedges and options). Here, inherent risk is low, and determination
of a current and accurate fair value is simple and easily verified by the auditor. The
auditor proceeds by first examining the controls relating to segregation of duties
and the authorisation of purchase and sale transactions and examining transaction
documentation to ensure that controls are both operating and effective.


2. Where active markets do not exist, or are illiquid, fair value estimates must be
based on the market for similar assets, or discounted cash flow or other models.
Determination of what may be considered a ‘similar’ asset is highly subjective, and fair
values based on models are likely to have high inherent and control risk. Estimation risk
is likely to be high.

Where low volumes of financial instrument transactions are undertaken by the client,
adequate controls are unlikely to exist and a substantive approach will be required.

The Appendix to HKAPG 1000 Examples of Controls Relating to Financial Instruments provides
useful guidance on key controls that may exist in an entity that deals with a high volume of
financial instrument transactions (e.g. banks, finance companies or pension funds). Some of
these are listed here and in Exhibit 7.15.

Marketable securities and financial instruments – key risk is overstatement
(existence and valuation). In some instances, a going concern risk

| Assertion | Control | Test |
|---|---|---|
| Existence | Approval | Review corporate policy. Acquisitions and disposals should be monitored by the board or a senior official for compliance with policy. Review board minutes for evidence of approval |
| | Safekeeping. Share certificates, bonds and contracts should be kept in a safe | Inspect share certificates, etc. held by entity |
| Valuation | Management procedures for determining fair value | Inquire about management procedures for identifying fair values |
| Completeness | Purchase approval by CFO or board | Enquire about purchase approval process. Review independent market information for stock splits, stock dividends or rights issues and trace to investment register |
| Rights | Assets held by trustee or service organisation | Confirm title with trustee |

EXHIBIT 7.15 Assertions, controls and tests of controls – marketable securities and financial
instruments

• Relevant expertise or competence within the entity;

• Policies regarding risk appetite and risk management activities including the types of
financial instruments to be used and their purpose, whether hedging or speculation;

• Policies for the valuation of financial instruments and disclosure of related
measurement uncertainty;

• Requirements for key employees to take leave, so as to prevent and detect fraud;

• The use of service organisations (e.g. brokers) for purchasing, selling, recording and
valuing financial instruments. See Chapter 8 Section 8.3 for a discussion of the auditor’s
responsibilities when clients use service organisations;


• Policies to monitor outstanding positions and to reduce risk exposure if necessary,
including timely reporting of these matters;

• Design and approval of information systems are critical. When financial instrument
trades are carried out by a small number of personnel, they may use spreadsheets that
are insecure and include complex models of dubious accuracy;

• Authorisations identifying the amount, nature and purpose of the transaction;

• Segregation of duties including execution of the transaction, payment, recording, and
monitoring positions and valuations;

• Reconciliation of transactions to bank and broker records.

7.5.4 Analytical Procedures for Marketable Financial Instruments


For financial instruments with stable and active markets, analytical procedures are useful.
However, it is difficult to establish expectations for other financial instruments.

Simple comparisons – Compare balances of investment accounts by class of investment
with the prior year. Compare interest and dividend income with the prior year. Note significant
changes in the investment/securities register for follow-up tests of details.

Multi-period comparisons – Interest-bearing securities or dividend-paying shares
often provide consistent payments over many years. Multi-year comparisons may provide
useful evidence.

7.5.5 Audit Assertions and Tests of Details for Marketable Financial Instruments

A key consideration in audits involving complex financial instruments is the competence of the
auditor. The audit may require the involvement of one or more auditor experts. Auditor experts
may include:

• Accountants, because differing interpretations of the accounting standards exist, the
accounting approach is currently under development, and the area is complex;

• Legal experts may be required to understand the contractual, regulatory and tax
implications of financial instruments and

• A finance expert may be required to gather evidence to support management’s
estimates, or to develop a point estimate or a range for comparison with management’s
estimates, especially when fair value is determined using a complex model.

Because financial instruments arise from legal contracts, many of the auditor’s procedures
will address a number of assertions. For example, verifying the accuracy of the recording of the
transaction will also test existence, occurrence, rights and obligations, and cut-off.

Exhibit 7.16 identifies substantive tests of details for each assertion relating to the
marketable financial instruments account. These, and many other relevant procedures, can be
found in HKAPG 1000 Examples of Controls Relating to Financial Instruments para 103-137. A large
number of these paragraphs address the important valuation issue.


| Assertion | Substantive test of detail |
|---|---|
| Existence/occurrence | Investment schedule items are verified by inspection of the securities and contracts or by confirmation with the trustee or broker. |
| | Review purchase and sale transactions for compliance with the contract terms and appropriate classification of the instrument. |
| | Review unusual end of period journal entries. |
| Valuation/accuracy | The auditor may test a valuation model by: |
| | • Evaluating the design and operation of the model: 1. Is the model used by others, and does it operate as intended? 2. Does the model take into account all relevant forms of risk (e.g. counterparty risk, market risk)? |
| | • Testing the assumptions and data used in the model, and |
| | • Comparing its output to an estimate developed by the auditor. |
| | Original cost and fair value are confirmed by reference to contracts, broker statements or independent market quotations. |
| | Interest income is re-calculated and dividend income may be confirmed by reference to press or company announcements. |
| | Disposals and information relevant to the calculation of gains or losses should appear on broker statements. Recalculate income and gain/loss. |
| | Consider the possibility of impairment. |
| | Consider the use of an auditor’s expert. |
| Completeness | All material purchase and sale transactions other than normal sales or inventory purchase transactions should be reviewed to see if they should have been recorded as investments. Performance materiality is likely to be set at a low level. |
| Rights/obligations | Confirm with a trustee or broker. Review contracts and invoices. Consult board minutes. |

EXHIBIT 7.16 Tests of details for marketable financial instruments

Illustrative Example 4
A common financial instrument is an asset backed security. The familiar ‘home
mortgage’ is an example. These are often valued on the basis of level 1, 2 and 3 inputs
and models as illustrated below. It is necessary for a valuer to understand:

• The nature and value of the security or ‘collateral’ (the value of the home) (level 2);

• The rights of the lender in the event of loan default (level 1);

• The contracted cash flows (the interest rate and the amortisation period, which
together determine the monthly mortgage payment) (level 1);

• Pre-payment risk, which is related to the interest rate risk (home owners are likely
to pre-pay their mortgages if interest rates drop) (level 3) and

• Default risk, which is related to the future value of housing, the future
unemployment rate and the quality of the borrower (level 3).


Apply and Analyse 3


1. Describe the role collateral plays in valuing marketable securities.

2. Explain whether an audit of marketable securities would ever require an audit of
the underlying collateral.

Analysis

1. The role of collateral is to provide security (and reduce risk) for the lender/holder
in the event of the issuer of the security being unable to fulfil the terms of the
instrument – where they are unable to pay the agreed interest or dividends, or
repay the original investment at the termination of the contract.

2. In order for the collateral to be meaningful, the investor must have clearly
established rights to the collateral as determined by the contract with the seller
of the instrument (the borrower). Additionally, it is important that the collateral
offered by the seller of the instrument exists, is properly valued and is owned or
controlled by the seller. The stability and liquidity of the seller are major concerns.

In order to verify these matters, the auditor should review the contract to
test the rights of the purchaser in the event of default, and investigate the seller’s
current ownership rights, and the existence and valuation of the asset. Enquiries
should also be made as to the financial stability of the seller.

7.6 NON-CURRENT ASSETS

The three main classes of non-current assets are PPE, goodwill and other intangible assets,
and investments (interests in other entities):

• Auditing procedures for PPE are straightforward and little inherent risk exists.

• Auditing intangibles is more challenging because valuations involve fair value
estimates and accounting standards are complex.

• Interests in other entities (also ‘long-term investments’ or ‘variable interest entities’)
include investments in subsidiaries, joint ventures, joint operations, associates,
unconsolidated structured entities, etc. These interests are extraordinarily diverse,
disclosure requirements are extensive and inherent risk is high.

7.6.1 Property, Plant and Equipment (PPE)


Other accounts include:

• Depreciation expense,

• Accumulated depreciation,

• Maintenance and repairs expense,

• Gain or loss on disposal.

PPE are assets that have expected lives of more than one year and are used in the business
(e.g. land, buildings, computers, machinery, furniture or vehicles). The key accounting record
is the asset register. Assets should be purchased through the purchases system and these
purchases will be subject to the same controls, control tests and substantive tests as other
purchase transactions. Large non-routine purchases, especially large capex, should be subject
to separate controls, not those routine controls applied to high-volume routine transactions.
Typically, this involves authorisation/approval at the board level.

Because of the long life of PPE assets and the infrequency and the materiality of asset
purchases and sales, the audit programme is focused on additions and disposals during the
period, and the assessment of impairment as required by HKAS 36 Impairment of Assets.

7.6.1.1 Risk
Exhibit 7.17 identifies some of the risks inherent in the PPE account, motivations for fraudulent
activity and the assertion at risk.

| Risk | Reason for fraud/theft | Assertions at risk |
|---|---|---|
| Purchase of assets for personal use of management | Misappropriation of assets | Existence of PPE |
| Understatement of depreciation expense | Overstatement of profit | Valuation of PPE |
| Failure to record asset impairment, disposal or discontinued operations, or to make an accrual for asset decommissioning costs | Overstatement of profit | Existence; valuation of PPE |
| Misclassification of maintenance and repairs expense (or other expenses) as property, plant and equipment | Overstatement of profit | Valuation; existence of PPE; completeness of maintenance expense |

EXHIBIT 7.17 Inherent risk in PPE

Illustrative Example 5
China Medical was placed into liquidation in 2012 by courts in the Cayman Islands, New
York and Hong Kong following accusations that the NASDAQ-listed firm was a fraud.
Company liquidators presented evidence showing the company’s management had
stolen at least HK$355 million through fraudulent technology acquisitions. KPMG was
China Medical’s auditor between 2005 and 2009 and provided unqualified audit opinions
for the financial statements during that period.

7.6.1.2 Assertions, Controls and Tests of Controls


Key controls over additions and disposals of PPE are approvals and segregation of duties.
Exhibit 7.18 provides descriptions of controls over PPE and tests the auditor might apply to
those controls.

PPE – key risk is overstatement (existence and valuation)


| Assertion | Control | Test |
|---|---|---|
| Existence | Inspect items in the asset register to confirm existence and identify obsolete equipment for write down | Inquire about procedures to maintain asset register |
| | Approval procedures for purchases and disposals | Review approval process |
| | Contracts for purchase and sale of assets | Review contracts |
| Valuation | Authorisation of purchases by senior management or board | Inquire about authorisation procedures. Sight evidence of approval and board minutes |
| | Competitive tendering | Inquire about competitive tendering policy |
| | Authorisation and ongoing review of useful life estimate for depreciation calculation | Review depreciation schedule and inquire about alterations and additions |
| | Contracts for purchase and sale of assets | Review contracts |
| | Procedures for estimating asset impairment | Review impairment estimation procedures |
| Completeness | Policy re purchase approval and update of asset register | Review minutes for reference to PPE purchases. Review maintenance expense account |
| Rights | Purchase contracts | Review contracts |

EXHIBIT 7.18 Controls and control tests for PPE

7.6.1.3 Analytical Procedures


Simple comparisons: PPE, depreciation, accumulated depreciation and maintenance accounts
should be compared with prior years.

Multi-period comparisons: As PPE are long-lived assets, the depreciation expense and
accumulated depreciation should show a consistent pattern over the asset’s life.

Comparisons of financial ratios – Key financial ratios associated with PPE include:

• Depreciation expense as a proportion of PPE

• Accumulated depreciation as a proportion of PPE

Illustrative Example 6
A simple comparison of GEM’s PPE account with the prior year’s audited figure shows an
increase of 6% (HK$175 m to HK$185 m). This is consistent with the percentage increase
in the number of stores (5%). It is not unreasonable to think that the average price of
establishing a new store would be greater than past costs (due to inflation). Additions
(and deletions) in the asset register should be examined and vouched to supporting
documents and contracts.

7.6.1.4 Audit Assertions and Tests of Details


Exhibit 7.19 identifies some common substantive tests of details relevant to the PPE account.

| Assertion | Substantive test of detail |
|---|---|
| Existence/occurrence | Obtain the asset register. Verify its accuracy and test additions and disposals to contracts, minutes and other approvals. Tour plant noting new equipment, deleted products and equipment, and idle equipment. Trace to asset register. Inspect/observe assets. |
| Valuation/accuracy | Review contracts and board minutes. Verify estimates of useful life and salvage value. Recalculate the gain or loss on disposal. Review cost records for self-constructed assets. Inquire about asset impairment tests. Review conclusions. Review management’s fair value estimates. Recalculate depreciation expense. Ensure decommissioning costs are accrued over the life of the asset. Consider the use of an auditor’s expert for complex valuation matters. |
| Completeness | Review repair and maintenance expenditures and lease expenses to identify items that should be capitalised. Trace and reconcile the asset register to the general ledger. Inspect client facilities and trace all significant assets to the asset register. |
| Rights/obligations | Review contracts and inspect title deeds and land registry certificates. Inquire about assets pledged as collateral. Inspect registration documents for vehicles. |
| Presentation/disclosure | Ensure presentation is consistent with HKAS 36 Impairment of Assets. Review correct classification – current or long-term. |

EXHIBIT 7.19 Substantive tests of details for PPE

Apply and Analyse 4


The auditor of a manufacturing company has reviewed the prior years’ working papers and
found that:

1. Some items of expenditure were capitalised as Property, Plant and Equipment, and
some PPE expenditures were recorded as Maintenance Expense.

2. Management had no procedures for identifying and writing down impaired assets.

Identify audit procedures for PPE that should be included in the current programme to
deal with these issues.

Analysis

1. Overstatement of PPE is a significant risk as management are likely to capitalise
expense items in order to inflate profits. Alternatively, some entities may expense
PPE transactions in order to reduce their income tax liability.

The auditor should obtain a copy of the client’s asset register and select additions
for examination. These should include material additions and some others. These
additions should be verified as to their existence, valuation and rights by reference
to purchase contracts or invoices, purchase requests and purchase orders, and
by observation. Entries to the maintenance and repair expense account should be
searched for items that should be capitalised.

2. Asset impairment is seen negatively by management as it reduces profit. It is often
ignored unless a new management group wishes to maximise current expenses
with the expectation of improved future profits. It is, however, management’s
responsibility to make impairment estimates and management should be asked
to provide their analyses to the auditor. The auditor should also tour the factory in
order to identify idle equipment. Other indicators of impairment should be sought,
including the competitive environment in the industry and the wider economy.

Impairment estimates are highly subjective as the market for old equipment is
inactive. Property markets tend to be more liquid. Where a market does exist,
some impairment estimate is possible. Where no active market exists for used
equipment, replacement equipment values may be sought and adjusted for the
age of the current equipment. The auditor should consider using an auditor’s
expert.

7.6.2 Goodwill and Other Intangible Assets


Other accounts include:

• Amortisation expense

• Accumulated amortisation

• Revaluation surplus

• Gain or loss on disposal

7.6.2.1 Goodwill
Goodwill is the difference between the price paid in a business acquisition and the market
value of the tangible and intangible assets acquired. As such, the initial value may be easily
calculated and audited as long as the auditor can be satisfied as to management’s fair value
estimates of the assets acquired (see Sections 6.5.1 and 6.5.2 of Chapter 6).

Valuation of goodwill may be difficult if the purchase is made via shares rather than cash or
the purchase price is contingent on future outcomes.

Difficulties in goodwill valuation can also arise subsequent to the acquisition because
goodwill must be tested annually for ‘impairment’ or a decline in value (see HKAS 36 Impairment
of Assets). Two main factors affect the impairment test:

1. Whether the acquired entity continues as a discrete operating unit or, alternatively, is
integrated into the buyer’s operations.

2. Whether the original purchase was based on a capital budgeting model incorporating
estimates of expected future cash flows.

Where the acquired entity is a discrete unit and the purchase price was based on the
discounted value of future cash flows, then management’s impairment test is relatively
straightforward and can be verified by the auditor. Management simply recalculates the
value of goodwill on the basis of updated estimates. If the value of goodwill is materially
impaired, a write down is indicated. The audit programme for impairment focusses on tests of
management’s estimate – assumptions, data and risk assessment.

Where the conditions noted above do not apply, then management’s impairment estimates
will be highly subjective. This often occurs when the acquired entity is merged with existing
operations and so no longer exists as a discrete operating unit. The difficulties that arise for
the auditor in auditing management’s estimates in these circumstances were discussed in
Chapter 6 Section 6.5.2, Fair Values.

7.6.2.2 Other Intangible Assets


Companies acquire other assets including licenses, intellectual property, market knowledge,
trademarks, brand names and scientific or technical knowledge, and they design and
implement new processes or systems. Some of these acquisitions will qualify as intangible
assets and will be recognised and amortised (or not) in accordance with HKAS 38 Intangible
Assets (Revised January 2017). HKAS 38 is lengthy and deals extensively with issues of
recognition and measurement of different types of intangible assets and expenses, both
purchased and internally created. A number of useful examples are provided in the standard.

As with goodwill, intangible assets must be assessed regularly for impairment (see HKAS
36 Impairment of Assets). In addition, some intangibles will have limited lives and must be
amortised, while others will have unlimited lives and no amortisation is required. Many
subjective judgements must be made by management in dealing with intangibles, and
the auditor’s assessment of management’s valuations will require high-level professional
judgements. The assistance of an auditor’s expert may be required.

The audit programme for other intangible assets first requires the auditor to have a good
understanding of both HKAS 36 and 38, and also HKFRS 13 Fair Value Measurement, and then
to follow the guidelines of HKSA 540 (Revised) Auditing Accounting Estimates, Including Fair
Value Accounting Estimates, and Related Disclosures. The audit of management’s estimates was
discussed in Section 6.5.1 of Chapter 6.

7.6.2.3 Risk
A high level of subjectivity is involved in management’s assessment of fair values and in
the recording of both the original cost and the impairment of intangible assets. Because
of the natural bias of management to the overstatement of assets and revenues, and
the understatement of liabilities and expenses, the inherent risk in intangible asset
accounts is high.

Audit risk is further increased because transactions relating to intangibles are diverse,
complex, material, and infrequent, so controls over management’s estimates are seldom of
good quality. In many cases management will not understand what is required and will employ
an expert valuer, most likely at the acquisition stage. For the auditor, detection risk must be set
at a low level and the use of an auditor’s expert is an important option.

A broad range of risk factors should be considered when assessing impairment. These
might include:

• Increased competition,

• Loss of key personnel,

• An expectation of the sale of the operating unit,

• Decline in operations or revenue and

• Decline in the industry or economy.

7.6.2.4 Assertions, Controls and Tests of Controls


Where a client has a number of similar intangible assets, like trademarks or patents, a register
of these assets will be maintained and appropriate controls are likely to exist for the approval
of acquisitions and disposals, and the assessment of impairment. The auditor should review
these controls and in the unlikely event that the volume of transactions is high, testing of
controls should be considered. It is likely, however, that a substantive audit programme will
be adopted.

7.6.2.5 Analytical Procedures


Due to the unique nature of many intangible assets and infrequent transactions, analytical
procedures other than simple comparisons are of little relevance in the audit of intangibles.

Simple comparisons: Goodwill, other intangible assets, amortisation expense,
accumulated amortisation and revaluation surplus accounts should be compared with
prior years.

Illustrative Example 7 – GEM


According to GEM’s statement of financial position, the intangible assets balance remains
unchanged from the prior year. Inquiries should be made as to additions and disposals,
and as to the fair value of the existing intangibles.

7.6.2.6 Audit Assertions and Tests of Details


Refer to the discussion of accounting estimates and fair values in Sections 6.5.1 and 6.5.2 of
Chapter 6.

Exhibit 7.20 identifies some common substantive tests of details for intangible asset
accounts.

| Assertion | Substantive test of detail |
|---|---|
| Existence/occurrence | Obtain the asset register. Verify its accuracy and test additions and disposals to contracts or purchase records as appropriate. Ensure assets satisfy recognition criteria per HKAS 38. |
| Valuation/accuracy | Review contracts and board minutes. Verify estimates of useful life. Recalculate the gain or loss on disposal. Review cost records for internally developed assets. Test asset impairment per HKAS 36. (For goodwill this requires testing the fair market value of all relevant tangible and intangible assets in the operating segment.) Recalculate the amortisation expense. |
| Completeness | Review minutes for acquisitions. |
| Rights/obligations | Review contract terms. |
| Presentation/disclosure | Review correct classification – current or long-term. Ensure assets satisfy recognition criteria per HKAS 38. Review disclosure. |

EXHIBIT 7.20 Substantive tests of details for intangible assets

Apply and Analyse 5


A start-up pharmaceutical company (SUPC) had a number of drugs in the development
stage. The company was very popular and its share price rose rapidly in its early years.
In 2006, SUPC acquired another pharmaceutical company (PC2) for HK$100 million in order
to acquire its patents. SUPC recorded goodwill on acquisition of HK$28 million. In the global
recession of 2008, SUPC’s share price crashed and the goodwill was written off due to
impairment. Subsequently, SUPC’s share price recovered.

1. Explain how the auditor would have tested for the impairment of goodwill in this
situation.

2. Analyse the method used by the auditor to test goodwill impairment.

Analysis

1. The auditor’s test for goodwill impairment is based on a comparison of the fair
value of the reporting entity with the carrying value of the entity. Because of the
market crash, the fair value (based on the market value) was considered to be
impaired and a write-off was carried out.

2. A problem is indicated with the approach as the market decline was temporary.
While in normal times the share market is an ‘active’ market, during the recession
in 2008, the market was not liquid or sufficiently active to justify using market
values as a basis for fair values in the goodwill impairment test. Of course, the
market decline could have been a long-term event and the impairment test
appropriate.

7.6.3 Interests in Other Entities


Accounting standards relevant to accounting for other entities include:

• HKFRS 10 Consolidated Financial Statements;

• HKFRS 11 Joint Arrangements;

• HKFRS 12 Disclosure of Interests in Other Entities.

7.6.3.1 Other Entities


Other entities, also called ‘variable interest entities’, include subsidiaries, joint ventures, joint
operations, associates and unconsolidated structured entities. Each of these classes of other
entities are carefully defined in the accounting standards, and it is important, but sometimes
difficult, to distinguish between them. Within each class, the variety of different forms is
extreme. The accounting approach required for each type of entity is based on definitions of
control that have changed over the years and are still contentious. See also Chapter 11 on
Group Audits.

7.6.3.2 Risk
Existence, completeness and valuation are significant risks for ‘other entities’. The accounting
standards also point to the importance of disclosure: HKFRS 11 para 20 specifies:

An entity shall disclose information that enables users of its financial statements to
evaluate:

(a) the nature, extent and financial effects of its interests in joint arrangements and
associates, including the nature and effects of its contractual relationship with the other
investors with joint control of, or significant influence over, joint arrangements and
associates; and

(b) the nature of, and changes in, the risks associated with its interests in joint ventures
and associates.

7.6.3.3 Audit Procedures


Given the unique nature of other entities, controls and analytical procedures are seldom
encountered or useful. The auditor should:

• Inquire about the client’s procedures for approving the purchase of an interest in an
‘other entity’. Review worksheets and documentation.

• Inquire about the client’s procedures for identifying other entities and determining the
correct accounting approach and disclosures.

• Obtain the client’s listing of other entities.

• Obtain a listing of all transactions with the other entities, determine the purpose of the
transactions and consider the appropriateness of disclosures.

• See Chapter 6 Section 6.5.5 Related party transactions. Other entities may be, or may
be controlled by, related parties and transactions with other entities may be related
party transactions.

• Test asset impairment per HKAS 36.

• Determine whether transactions, or other entities, were designed to develop fraudulent
financial statements.

Apply and Analyse 6


Companies may have significant relationships with other entities that do not involve
ownership, but may involve control issues.

Explain the nature of these relationships.

Analysis

‘Other entities’ are legal structures designed to provide capital for businesses that lack
equity investors. Financial support, often in the form of loans or loan guarantees, is
provided by other companies. For example, two businesses might form a joint venture to
use technologies of both entities to create new products.

In some instances, other entities may be structured so that they do not have to be
consolidated with the sponsoring business. The sponsoring company is thus able to keep
debt related to the activities of the other entity off its books.

7.7 LIABILITIES AND EQUITY

Key accounts include:

• Debt securities

• Share capital

• Provisions and contingencies

Other accounts include:

• Reserves

• Interest expense

• Interest payable

• Dividends expense

• Dividends payable

Capital is comprised of loan capital and share capital. Entities have few capital transactions
and most are material. Bonds and shares are the most common types of capital and many
variations exist (e.g. bonds that are convertible to equity or mandatory redeemable preferred
shares). Completeness and classification are the main audit risks.

Illustrative Example 8
During the year, GEM acquired a similar retail chain comprising 100 stores. As part of
the funding of the acquisition, GEM undertook a 1 for 5 pro rata share offer which raised
HK$390 m. Approximately 15,000,000 new shares were issued. GEM also obtained a new
HK$450 million debt facility. GEM’s financial covenants include leverage and fixed charge
cover ratios.

7.7.1 Debt Securities


Debt securities may be called loans, notes, bonds or debentures. The terminology is not clearly
defined and debt agreements can be diverse. Bonds are typically secured, while debentures
have no specific collateral. Debt security transactions are infrequent but material.

Other accounts include interest expense.

7.7.1.1 Risk
Completeness is the main assertion at risk.

Agreements with bondholders are called bond indentures. If the terms of the indenture are
not met (the debt covenants), the bonds are immediately due and payable – in other words,
the bonds no longer exist and the obligation has become current. Covenants might include
restrictions on the payment of dividends, a minimum working capital ratio or a maximum
debt-to-equity ratio. The auditor must ensure the client is in compliance with indenture terms
or that non-compliance is disclosed and debts are correctly classified.

Valuation of a number of other long-term liabilities (e.g. pension obligations or
restructuring reserves) requires significant subjective judgements. Chapter 6 Section 6.5.1
Accounting estimates and Section 6.5.2 Fair values provide a discussion of audit issues relating
to these types of accounts.

Payments of interest and dividends, and repayment of debt, are controlled through the
cash payments system. The use of imprest accounts is common.

Exhibit 7.21 identifies some risks associated with the debt securities account, motivations
for fraud and the assertion at risk.

| Inherent risk | Reason for fraud/theft | Assertions at risk |
|---|---|---|
| Failure to comply with the terms of the bond indenture | Complexity and error. Desire to conceal non-compliance due to the risk of bankruptcy | Valuation and disclosure of liabilities |
| Liabilities requiring subjective judgement | Understatement of liabilities | Valuation; completeness of liabilities |
| Incorrect computation of interest expense | Understatement of expenses | Accuracy of interest expense |
| Accounting for gains and losses on debt refinancing or conversion | Overstatement of profit | Accuracy; completeness of comprehensive income |
| Non-disclosure of the terms of debt agreements, liabilities, reserves | Overstatement of assets and profit | Completeness of liabilities; presentation and disclosure of liabilities |

EXHIBIT 7.21 Inherent risk in debt securities

Illustrative Example 9
Xinjiang Production Construction 6th Shi State-owned Assets Management (Xinjiang)
is a company owned by Xinjiang Production and Construction Corps (XPCC) and is an
example of a local government financing vehicle (LGFV). LGFVs are set up by regional
authorities to raise money for infrastructure projects. LGFV and similar bonds with
high yields are favoured by hedge funds, but not by institutions, as they have been the
focus of worries over the amount of debt in China’s financial system and the risk that
they carry.

In 2018, Xinjiang failed to pay a 500 million RMB (US$73 million), 270-day note that
was due. Besides the defaulted note, it had four notes maturing in the following seven
months totalling 2 billion RMB. A result of the default was a sell-off of Xinjiang and XPCC-
related bonds.

7.7.1.2 Assertions, Controls and Tests of Controls


Authorisation of debt issue and repayment transactions is a key control. Authorisation should
be carried out at the board level. A register of debt securities is maintained and periodically
reconciled to the General Ledger. Debt agreements should be securely retained.

Cash payments including interest and repayments are controlled in the same way as other
cash payments – through the cash cycle.

Exhibit 7.22 identifies common controls over debt securities and relevant audit tests for
those controls.

Debt securities – key risk is understatement (completeness)


| Assertion | Control | Test |
|---|---|---|
| Existence | Securities register, bond indentures, board minutes. | Review board minutes for evidence of approval of new entries in the securities register and the related terms as identified in the indenture agreements. |
| Valuation | Cash payments should be processed through the cash cycle, or by a trustee. | Inquire about control over cash payments. |
| Completeness | Reconcile securities register with general ledger. | Review reconciliation. |
| | Interest payments are made by a trustee or through an imprest bank account. | Enquire about payment with trustee; review imprest bank account reconciliation. |
| Rights and obligations | Debt agreements should be securely retained. | Sight new debt agreements. Verify covenants. Retain permanent file copies. |

EXHIBIT 7.22 Controls and control tests for debt securities

7.7.1.3 Analytical Procedures


Simple comparisons: Compare the securities register with the prior year. Compare interest
payments with prior years.

Financial ratios: Where indenture agreements specify minimum working capital ratios or
maximum debt/equity ratios, these ratios must be reviewed.

Illustrative Example 10 – GEM


GEM’s statement of profit and loss shows that finance expense is down 50% (HK$6
million to HK$4 million). It should be noted that these costs are not likely to contribute to
a material error in the financial statements as the net profit is HK$186 million. Materiality
is likely to be between HK$9 million and HK$18 million (5% to 10% of net profit).
However, inquiries should be made as to the terms of the loans and the applicable
interest rates.

GEM’s statement of financial position shows that borrowings have declined 21%
(HK$140 million to HK$110 million). To a degree this explains the reduction in the finance
expense. Repayment of these liabilities should be agreed to board minutes, the bank
confirmation and other loan documentation.

A question arises about the accuracy of the finance expense. The interest rate appears
low as the cost is HK$4 million and the average borrowings are (HK$110 million + HK$140
million)/2 = HK$125 million. The indicated interest rate is HK$4 million/HK$125 million =
3.2%. Further inquiries are indicated.

7.7.1.4 Audit Assertions and Tests of Details


Exhibit 7.23 identifies substantive tests of details relevant to assertions associated with the
long-term liability accounts.

| Assertion | Substantive test of detail |
|---|---|
| Existence | Obtain direct confirmation from lenders. Ensure that instruments are not in default by reviewing management’s working papers or re-calculating to ensure compliance with debt covenants. Obtain the securities register and vouch additions to debt agreements to indenture documents and board minutes. |
| Valuation/accuracy | Vouch entries in the securities register to receipts in the bank statement and the debt agreement. Review underwriting agreements. Recalculate interest expense and trace to the cash payments journal or confirm with the trustee. The use of an auditor’s expert may be required (e.g. an actuary for pension obligations). |
| Completeness | Vouch debt repayments to the bank statement. Review transactions near the year end for proper cut-off. Review material cash receipts transactions. Review board minutes and cash book to confirm that all loans have been recorded. Trace new debt agreements to the securities register and the general ledger. Review material cash payment transactions. |
| Obligations | Review debt indentures. |
| Classification | Ensure that instruments are not in default by reviewing management’s working papers or re-calculating to ensure compliance with debt covenants. If breached, the instrument may be a current obligation. |

EXHIBIT 7.23 Tests of details for debt securities and long-term liabilities

7.7.2 Share Capital


Shareholders’ equity includes both share capital and reserves. A variety of different classes of
preference and ordinary shares may be issued and each should be appropriately disclosed. A
share register and a register of members should be maintained. In many cases, these records
will be retained by third parties (brokers).

Other accounts include:

• Dividends declared

• Dividends payable

• Retained earnings and reserves

7.7.2.1 Risk
There are relatively few share transactions, but these are often very material. Auditors will most
likely verify all transactions. Transactions should be detailed in board minutes. In some cases,
shares will be issued to purchase a subsidiary or other asset and risk exists about the value
of the asset obtained. When shares are issued for cash, controls should be exercised over the
allotment monies until all the conditions of the share issue have been met.

Legal relationships between shareholders and the entity make compliance with regulations
an important consideration for the auditor.

Valuation and disclosure assertions are most at risk. Numerous disclosures are required
for each class of shares, including the number of shares issued, share options and convertible
features. These matters affect the proper calculation and presentation of earnings-per-share
disclosures (see HKAS 33 Earnings per Share).

An entity is only permitted to pay dividends from realised profits less realised losses. A
significant risk in equity is the creation of fraudulent or otherwise inappropriate reserves. Such
reserves have been used to manipulate profit. Reserves must be valid and consistent with the
accounting standards.

In some cases, doubt exists about whether an instrument qualifies as debt or share capital.
Proper classification is important.

Exhibit 7.24 identifies common risks associated with the share capital account.

| Inherent risk | Reason for fraud/theft | Assertions at risk |
|---|---|---|
| Payment of share or cash dividends | Dividends can only be paid from appropriate reserves | Occurrence of dividends |
| Purchase and sale of treasury stock | Misappropriation of assets | Existence; completeness of treasury stock |
| Adjustments to retained earnings | Overstatement of profit | Existence; valuation of retained earnings |
| Inappropriate reserves | Overstatement of profit | Existence; valuation of reserves |

EXHIBIT 7.24 Inherent risk in share capital

7.7.2.2 Assertions, Controls and Tests of Controls


Authorisation of share issue and repurchase transactions and agreements, including options,
warrants and rights, and of dividend payments, is a key control. Authorisation should be
carried out at the board level. Segregation of duties including authorisation, record-keeping
and custody of cash and share certificates is important. Cash payments including dividends and
repurchases of shares are controlled in the same way as other cash payments – through the
cash cycle. Imprest accounts are often used for dividend payments.


A company search provides information about share movements during the year.

Exhibit 7.25 identifies common controls over share capital and audit tests that might be
applied to those controls.

Share capital – key risks are valuation and disclosure


| Assertion | Control | Test |
|---|---|---|
| Existence | Approval of new share issues and other share transactions | Sight approval of new entries and other transactions in board minutes and articles. Inquire about new issues. |
| Valuation | Cash payments should be processed through the cash cycle or a trustee or broker | Inquire about control over cash payments |
| Completeness | Reconcile share register with GL | Review reconciliation |
| Rights and obligations | Articles of incorporation – provisions for capital | Review articles for compliance |

EXHIBIT 7.25 Controls and control tests for share capital

Note: 1. A company search can be obtained from the HK Companies Registry Cyber Search
Centre. Some of the information provided includes:

• Organisation name

• Unique identification number

• Type of company

• Registration date

• Locality of registered office

• Share capital

• Roles and relationships

7.7.2.3 Analytical Procedures


Simple comparisons: Compare share capital, reserves, dividend expense and other relevant
accounts with prior year.

Illustrative Example 11
GEM’s statement of financial position shows that the Share Capital account has declined
by 9% (by HK$5 million). This is unusual and may indicate a share buy-back. Inquiries are
necessary.

The Reserves account shows an increase of 42% (HK$40 million to HK$57 million).
Inquiries are necessary. The increase may be linked to a revaluation of assets.


7.7.2.4 Audit Assertions and Tests of Details


Exhibit 7.26 provides a listing of common substantive tests of details for the share capital
account.

| Assertion | Substantive test of detail |
|---|---|
| Existence | Obtain a schedule of share transactions for the year (including options, treasury stock, etc.) and vouch additions to the company search. Agree new issues to board minutes and articles of incorporation. Review material cash receipts and payment transactions. |
| Valuation/accuracy | Vouch share issues to receipts in the bank statement. Recalculate dividend expense and trace to the cash payments journal, the bank statement and retained earnings. Ensure dividend payment does not exceed distributable reserves. Review all entries to retained earnings for conformity with HKAS. |
| Completeness | Review transactions near the year end for proper cut-off. Review material cash receipts. Review dividend payment obligations relating to cumulative preference shares. |
| Rights and obligations | Review statutory books and records. Review compliance with terms of issue for each class of shares. |

EXHIBIT 7.26 Tests of details for share capital

7.7.3 Provisions and Contingencies


This section of Chapter 7 does not mirror the format of those above because provisions and
contingencies are unusual and available audit procedures are limited.

Provisions are liabilities caused by past events where some uncertainty exists about the exact
timing or amount of the liability. Provisions may be recognised in the accounts (see below).
Contingent liabilities and assets are similar, but the outcome is dependent on a future event,
and so they are not recognised in the financial statements, but they are disclosed in the notes.
HKAS 37 Provisions, Contingent Liabilities and Contingent Assets provides the following definitions:

• Provisions are liabilities of uncertain timing or amounts arising from a past event.
Provisions are recognised when an outflow of resources is probable, and a reliable
estimate can be made.

• Contingent liabilities are possible obligations arising from past events that will be
confirmed by an uncertain future event. Contingent liabilities are not recognised (they
do not qualify as provisions) because either the outflow of resources is not probable or
no reliable estimate is possible. Contingent liabilities should be disclosed.

• Contingent assets are possible assets arising from past events that will be confirmed
by an uncertain future event (e.g. a legal claim). Contingent assets are not recognised
and should only be disclosed where an inflow is probable.

Provisions and contingencies typically arise in litigation. Other sources include debt
guarantees, sales or purchase commitments, possible expropriation of assets, or agreements
to repurchase receivables that have been sold.


7.7.3.1 Audit Programme for Provisions and Contingencies


Inquiries of management are the primary source of information about provisions and
contingencies. When required, further information can be sought from the entity’s legal
counsel. For information about procedures required when communicating with the client’s legal
counsel, see HKSA 501 (Clarified) Audit Evidence – Specific Considerations for Selected Items.

Audit procedures relevant to provisions and contingencies include:

• Inquire about management’s procedures for identifying provisions and contingencies.

• Review corporate minutes, contracts and bank confirmations.

• Obtain management’s schedule of provisions and contingencies, including legal claims.

• Communicate with the client’s legal counsel(s). The legal counsel should be asked to
comment on the completeness and substance of management’s listing of legal issues.
The counsel should also be asked to describe progress to date and estimate the likely
loss (or benefit).

• Consider the appropriateness of recognition and/or disclosures consistent with HKAS
37 Provisions, Contingent Liabilities and Contingent Assets.

• Examine management’s estimates for provisions. See Chapter 6 Sections 6.5.1 and 6.5.2
for audit procedures related to accounting estimates and fair values.

• Compare the amount provided with any post year-end payments and with any amount
paid in the past for similar items.

Illustrative Example 12
GEM’s statement of financial position shows a provision account that has increased by
13% over the prior year (HK$40 million to HK$45 million). Reference should be made to
the permanent audit file in which the details of the prior year’s provision will be found,
and inquiries should be made of management as to their current estimate. It is possible
that the prior year’s estimate has been revised or that new matters have arisen.

Apply and Analyse 7


An audit client is being sued for HK$5 million. Identify the action the auditor should take
following each of the responses to the auditor’s letter of inquiry received from the client’s
legal counsel.

1. The counsel stated that there is only a remote chance that the client would lose the
case. The client did not accrue any loss or make any disclosures.

2. The counsel stated that the client would probably lose the case and the loss would
be between HK$2.5 million and HK$5 million. The client did not accrue any loss but
did disclose the situation.

3. The counsel stated that the client would probably lose the case and the loss would
be between HK$2.5 million and HK$5 million, but most likely HK$4 million. The
client accrued a contingent loss of HK$2.5 million and made disclosures.


Analysis

1. The existence of the legal case means there is a possible obligation that will be
determined by an uncertain future event. It is not a provision because no reliable
estimate can be made and also because an outflow of resources is not probable. It
is therefore a contingency. Contingencies should be disclosed. The auditor should
ask management to provide the disclosure.

2. The existence of the legal case means there is a possible obligation. While an
outflow is probable, it is not a provision because no reliable estimate can be made.
It is therefore a contingency. Contingencies should be disclosed. The auditor
should review management’s disclosure.

3. The existence of the legal case means there is a possible obligation. An outflow
is probable and a reliable (most likely) estimate can be made, so it is a provision
and should be disclosed. As management’s accrual is less than the legal counsel’s
estimate, the auditor should ask management to adjust the accrual. The auditor
should also review management’s disclosure.

7.8 SEGMENT INFORMATION

This section of Chapter 7 does not mirror the format of those above because the auditor is not
required to perform audit procedures that would be necessary to express an opinion on the
segment information and required audit procedures are limited.

HKFRS 8 Operating Segments requires management to report segment financial information
in a manner consistent with the operating segments of the business, and other segment
information as appropriate (e.g. by geographic area or by product line). Segment information
must be reconciled to the financial statements.

HKSA 501 (Clarified) Audit Evidence – Specific Considerations for Selected Items provides brief
guidance for the audit of segment information (para. 13 and A27). The auditor shall obtain
evidence regarding the presentation and disclosure of segment information by understanding
the methods used by management in determining segment information. Where appropriate,
the auditor should test the application of management’s methods.

Audit procedures might include:

• Ensure that segments meet the definition of an operating segment. Generally, financial
information is required to be reported on the same basis as is used internally by the
client for evaluating operating segment performance.

• Ensure appropriate disclosure of the way the operating segments were determined and
the products and services provided by the segments.


• Test reconciliations of amounts disclosed for reportable segments with the entity’s
financial statements. In this context, ensure appropriate elimination of sales, transfers
and charges between segments and elimination of inter-segment amounts.

• Perform analytical procedures appropriate in the circumstances, like comparisons with
budgets or consistency with prior periods.

Knowledge Check Questions

Question 1
To test for unsupported entries in the ledger, identify the starting point for audit testing.
A Select a sample from the journal entries.
B Select a sample from the ledger entries.
C Select a sample from the original source documents.
D Select a sample from externally-generated documents.

Question 2
A bookkeeper recorded the receipt of a long-term bank loan by a debit to cash and a credit
to sales. Identify which of the following is the most effective procedure for detecting this
type of misstatement.
A Analyse bank confirmation information.
B Analyse the notes payable journal.
C Prepare a year-end bank transfer schedule.
D Prepare a year-end bank reconciliation.

Question 3
Identify what an auditor determines by tracing information on inventory count tags to the
physical inventory sheets.
A Inventory sheets do not include untagged inventory items.
B The final inventory is valued at cost.
C The inventory on the inventory sheets is complete.
D All inventory represented by an inventory tag exists.

Question 4
Your client sells a product that is subject to frequent technological improvements. Identify
on which of the following assertions you should concentrate your audit procedures for
inventory.
A Accuracy, valuation and allocation.
B Existence.
C Completeness.
D Rights and obligations.


Question 5
When perpetual inventory records are maintained and control risk for inventory is high,
identify what the auditor would do.
A Insist that the client perform physical counts several times during the year.
B Want the client to schedule the inventory count at the end of the year.
C Increase tests of controls around sales and purchases.
D Increase the extent of tests for unrecorded liabilities at the end of the year.

Question 6
A client’s physical count of inventory was higher than the inventory per the perpetual
records. Identify which of the following this situation could be the result of a failure to record.
A Sales discounts.
B Sales.
C Purchase returns.
D Purchases.

Question 7
Identify which of the following assertions is addressed by confirming holdings of
marketable securities.
A Recorded securities are properly classified on the statement of financial position.
B Recorded securities are the property of the client.
C Recorded securities are appropriately valued in accordance with accounting standards.
D The internal control system for recorded securities is functioning effectively for the
period of the audit.

Question 8
Identify what is likely if an auditor discovers significant debits to accumulated depreciation.
A The prior year’s depreciation charges were understated.
B There were numerous fixed asset retirements during the year.
C There were numerous fixed asset purchases during the year.
D A reserve for possible loss on retirement has been recorded.

Question 9
In violation of company policy, your client capitalised the cost of painting its warehouse.
Identify when you would most likely detect this.
A Examining maintenance expense accounts.
B Observing during the inventory observation that the warehouse had been painted.
C Examining the construction work orders supporting items capitalised during the year.
D Discussing the capitalisation policies with the client’s financial controller.


Question 10
Identify what is one of the major reasons for preparing a reconciliation between interest-
bearing obligations outstanding during the year and interest expense.
A Ascertain the reasonableness of accrued interest.
B Detect unrecorded liabilities.
C Determine the validity of prepaid interest expense.
D Assess control risk for securities.

Question 11
When a client does not maintain its own share records, identify for which of the following
the auditor should obtain a confirmation.
A Shares subject to agreements to repurchase.
B Guarantees of preferred share liquidation value.
C Restrictions on the payment of dividends.
D The number of shares issued and outstanding.

Question 12
Identify why substantive testing is typically used to audit shareholders’ equity.
A The number of transactions is small.
B Controls over equity transactions are weak.
C A reliance strategy is most efficient.
D The control environment over equity is usually strong.

Question 13
Identify which of the following audit procedures is least likely to detect an unrecorded
liability.
A Re-computation of depreciation expense.
B Re-computation of interest expense.
C Reading of the minutes of meetings of the board of directors.
D A bank confirmation request.

Question 14
Identify which of the following is an audit procedure to test dividend income on
investments in marketable securities.
A Tracing deposits of dividends to the cash receipts book.
B Comparing the amounts received with the preceding year.
C Reconciling amounts received with published dividend records.
D Re-computing dividend schedules and reconciling to the general ledger.


Question 15
A manufacturer of building hardware has engaged you to complete an audit of their
financial report. The company maintains a computerised inventory application that is
updated from receiving reports and sales invoices. The company conducts an annual
inventory count.
You note:
1. Some containers in the warehouse are empty.

2. Some items in the warehouse appear to be very old.

3. It is not clear that the stock is correctly valued at the lower of original cost or
market (net realisable) value.

Required: For each of the issues identified above, state the financial report assertion at risk
and identify one substantive test to reduce the risk to an appropriate level.

Question 16
Jones Pty Ltd (JPL) is a food wholesaler that imports goods from an overseas manufacturer.
The accounts payable clerk handles all purchases of inventory, buying in bulk to achieve
maximum discounts. She updates the stock records and the accounts payable sub-ledger
when goods are delivered and approves the payment of supplier’s invoices.
Identify one assertion that is at significant risk. Explain your choice and identify one
substantive test that would provide evidence about this risk.

Question 17
Identify three audit assertions that would apply to the audit of trade receivables. For
each assertion, list two specific types of audit evidence that would address the auditor’s
objective regarding that assertion.


SUMMARY

• Audit procedures are used by the auditor to gather and evaluate audit evidence. Together, the
audit procedures used in an audit engagement comprise the audit programme.

• The aim of Chapter 7 was to illustrate an audit programme for a typical audit engagement
and familiarise candidates with established audit procedures used for testing management’s
assertions (e.g. existence, occurrence, accuracy, rights, etc.).

• Each audit is unique and standardised audit programmes are adjusted to reflect the nature of
the client’s business and industry, and the identified inherent and control risks presented by
the client.

• As is common in audit engagements, the audit programme presented in Chapter 7 was
organised around transaction cycles and groups of accounts that use the same documents
and informants. For example, the revenue cycle is based around sales, trade receivables, sales
returns and allowances, the allowance for doubtful debts and other related accounts; revenue
cycle informants include customers, the sales manager, the credit manager and others.

• Each section of Chapter 7, as far as possible, used the same structure and format for each
group of accounts.

    ◦ First, relevant accounts were identified and a brief description of the accounting cycle
      was provided.

    ◦ The second part of the section provided a description of common risks that might be
      encountered by the auditor in the audit of those accounts.

    ◦ The remaining three parts of the section provided examples of audit procedures for
      testing the management’s assertions that comprise the financial statements. Part three
      illustrated tests of controls, part four illustrated analytical procedures and part five
      illustrated tests of details.

• Tests of controls are designed to provide evidence about the effectiveness of control activities
and control risk. Substantive tests include analytical procedures and tests of details and are
designed to provide evidence of misstatements in the financial statements and inherent risk.

• In selecting audit procedures, the auditor must balance the potential effectiveness, relevance
and reliability of the procedures in meeting the objectives of the audit against the cost
(efficiency) of the procedures. Common procedures include inspection of documents or
physical evidence, tracing, vouching, observation of procedures, written or oral inquiry,
confirmation, re-calculation, re-performance and analytical procedures.


MIND MAP

THE AUDIT PROGRAMME

• REVENUE CYCLE: Risk; Controls and tests of controls; Analytical procedures; Tests of detail

• PURCHASES CYCLE: Risk; Controls and tests of controls; Analytical procedures; Tests of detail

• PAYROLL: Risk; Controls and tests of controls; Analytical procedures; Tests of detail

• BANK AND CASH: Risk; Controls and tests of controls; Analytical procedures; Tests of detail

• FINANCIAL INSTRUMENTS: Risk; Controls and tests of controls; Analytical procedures; Tests of detail; Illiquid financial instruments

• NON-CURRENT ASSETS: Risk; Controls and tests of controls; Analytical procedures; Tests of detail

• LIABILITIES AND EQUITY: Risk; Controls and tests of controls; Analytical procedures; Tests of detail

• SEGMENT INFORMATION: Key audit procedures

Answers to Knowledge Check Questions

Question 1
Answer A is incorrect. This is because it would only provide evidence about the journal
entries and not the ledger entries, as specified in the question.
Answer B is correct. To test whether entries in the ledger are supported, the auditor selects
ledger entries and vouches them back to the original source documents. This verifies the
assertion of existence (for the ledger entry) and occurrence for the original transaction.
Answer C is incorrect. It describes tracing, where the direction of testing is opposite to that
required to test whether ledger entries are supported. By starting with source documents
and tracing to the ledger entries, the auditor verifies the assertion of completeness.
Answer D is incorrect. This is for the same reason explained in C above.

Question 2
Answer A is correct. The bank confirmation would show new bank loans. The auditor would
then be able to identify that it had not been recorded as a loan liability.
Answer B is incorrect. As the credit entry has been incorrectly recorded as a sale, it is likely
the notes payable journal was also in error.
Answer C is incorrect. A schedule of bank transfers for ‘kiting’ would result in an
overstatement of cash. It would not therefore detect the incorrect credit to sales.
Answer D is incorrect. The bank reconciliation focuses on the cash account. The cash
account was not in error as the debit was correctly recorded, so the bank reconciliation
would not pick up this error in sales.


Question 3
Answer A is incorrect. It is describing testing in the opposite direction to that stated in the
question. This option describes a test for existence, which would vouch backwards from
the sheets to the tags.
Answer B is incorrect. This test focuses on inventory quantity and not on dollar value.
Answer C is correct. This is because tracing forward is a common completeness test.
The procedure verifies that all inventory counted and tagged ends up recorded on the
inventory count sheets.
Answer D is incorrect. Although a tag indicates that the inventory physically exists, the
question focused on why the tags were traced to the inventory listing.

Question 4
Answer A is correct. Frequent technological improvements can result in stock becoming
obsolete and obsolete stock is generally overvalued.
Answer B is incorrect. While obsolete stock may exist, the key assertion at risk is valuation.
Changes in technology will not affect the existence of inventory.
Answer C is incorrect. Completeness (or understatement) is a minor risk with inventory.
Answer D is incorrect. This is because obsolescence will not affect ownership rights of
the stock.

Question 5
Answer A is incorrect. Cycle counts are common, but in this case they do not replace the
need for a year-end count.
Answer B is correct. The quality of substantive tests of accounts in the statement of
financial position is enhanced when tests are carried out at the balance date. The high
control risk indicates the need for more reliable evidence and evidence at the balance date
is the most reliable for testing the year-end balance.
Answer C is incorrect. Although these are related issues, they do not directly address the
inventory risk.
Answer D is incorrect. Although unrecorded liabilities are possibly related to unrecorded
purchases, these tests do not directly address the key risk to the inventory.

Question 6
Answer A is incorrect. The failure to record sales discounts would lead to inventory
valuation being misstated, but would not affect completeness.
Answer B is incorrect. Not recording sales would lead to lower inventory quantities on hand
than those shown in the sub-ledger.
Answer C is incorrect. Not recording purchase returns would lead to lower inventory
quantities on hand than those shown in the sub-ledger.
Answer D is correct. Unrecorded purchases would lead to stock quantities in excess of the
inventory listing.


Question 7
Answer A is incorrect. The confirmation does not provide evidence about classification.
Classification of marketable securities is normally as current.
Answer B is correct. The third party will identify only those securities owned by the client.
Answer C is incorrect. The valuation of marketable securities at fair value is obtained from
market quotations and not from confirmations.
Answer D is incorrect. External trustees are an external control mechanism and not part of
the internal control system.

Question 8
Answer A is incorrect. While this is possible, it is not the most likely explanation. If assets
were not disposed of (see answer B) then the auditor should follow up to ensure expenses
are not understated.
Answer B is correct. When assets are disposed of, the related accumulated depreciation
account is debited.
Answer C is incorrect. This is because purchases would lead to credits (increases) to
accumulated depreciation and not debits.
Answer D is possible, but a more appropriate approach would be to increase the
depreciation expense. Follow up is required.

Question 9
Answer A is incorrect. The painting cost would not appear in the maintenance account. This
is the error, as it has been incorrectly capitalised.
Answer B is incorrect. This is because observing the new paint job does not provide
evidence on how it was accounted for.
Answer C is correct. Invoices and work orders would identify the nature of the expenditure
and reveal the error.
Answer D is incorrect. While the matter may be revealed through this conversation, it is
possible that the controller may not be aware of the error.

Question 10
Answer A is incorrect. While the reconciliation may raise issues about the interest expense,
the major objective of the procedure is to test the completeness of the liability.
Answer B is correct. Where the interest expense has increased, new liabilities are
anticipated and should be in the liability listing.
Answer C is incorrect. The question does not involve prepaids.
Answer D is incorrect. While the reconciliation is one type of control procedure, a
combined audit is unlikely for long-term liabilities. The more common strategy is a
substantive audit.


Question 11
Answer A is incorrect. Such share agreements are likely to be internal to the client and
unknown to the registrar.
Answer B is incorrect. These matters are found in the details of the incorporation
documents. A confirmation is not needed as evidence.
Answer C is incorrect. These matters are likely to be found in the details of debt
indentures. An external confirmation is not needed as evidence.
Answer D is correct. The trustee or registrar will have information about shares issued and
outstanding.

Question 12
Answer A is incorrect. This is a supporting reason for the correct answer B.
Answer B is the correct answer, because this is the main reason a substantive approach is
taken to any account.
Answer C is incorrect. An audit strategy is either combined or substantive. A reliance
strategy is not defined.
Answer D is incorrect. A strong control environment is unlikely due to the size, complexity
and infrequency of transactions, and a strong control environment would lead to a
combined not a substantive testing audit strategy.

Question 13
Answer A is correct. Depreciation expense may be related to new assets and new debt, but
this is the most indirect means of identifying new (unrecorded) debt.
Answer B is incorrect. Interest expense is likely to fluctuate with total debt and increases in
the expense indicate new debt.
Answer C is incorrect. Minutes should record intentions/approvals of new debt and hence
could identify unrecorded liabilities.
Answer D is incorrect. Bank confirmations will detail and identify bank-related debts
(liabilities of the client to the bank).

Question 14
Answer A is incorrect. This procedure does not test the completeness of dividend income.
Answer B is incorrect. This analytical review procedure provides some weak evidence but is
not a direct test of existence or completeness in the current year.
Answer C is correct. It is the most reliable procedure, as it relies on third party information.
Answer D is incorrect. Re-computing provides some evidence but does not deal with the
completeness risk.

Question 15
Assertions below are suggestions; other possibilities exist:
• Empty containers: Existence of inventory. Test: Observe inventory count
procedures to ensure the containers are opened and the contents are checked.
• Old items: Valuation of inventory. Test: Inquire about management’s procedures
for identifying obsolete stock.
• Net realisable value: Valuation of inventory. Test: Use sales records to identify stock
items that have a very slow turnover. Test recent sales price against recorded cost.


Question 16
A number of assertions are at risk. Existence of both inventory and accounts payable are
illustrated here. The clerk could create a fraudulent purchase and pay themselves or a
related party on the basis of a fraudulent invoice and receiving report.
• A test for the existence of inventory is to vouch a sample of inventory sub-ledger
entries to the inventory count sheets.
• A test for the existence of accounts payable is to vouch sub-ledger entries to the
supplier’s monthly statements.

Question 17
Three of the following:
• Existence. Select a sample from the inventory records and agree to the physical
inventory. Look for empty containers during the sample count.
• Valuation and allocation. Identify slow-moving stock from the inventory records.
Examine them, and make enquiries, to determine if they are damaged or obsolete.
Alternatively, undertake a general observation of inventory in the warehouse,
looking for obsolete or damaged stock.
• Valuation and allocation. Check subsequent or year-end sales prices and compare
with recorded cost to ascertain whether the correct valuation method (lower of
cost and NRV) has been applied.
• Completeness. Select inventory items from the count sheets, or from receiving
reports, and trace the items to the inventory sub-ledger.
• Rights. Select purchase requisitions or purchase orders and ensure that the
purchaser is the client entity. Trace items to the supplier invoice and ensure that
this is addressed to the client.

EXAM PRACTICE

QUESTION 1
All Best Corporation (ABC) is an online home appliance distributor that offers more than
a million items for sale on its website. You are the auditor of ABC and are now planning
the information technology (IT) audit process. ABC has implemented the following three IT
applications:

1. ‘FIN’ is the accounting system.

2. ‘BUY’ is the sales system that processes the orders placed by the customers.

3. ‘CUS’ is a standalone system that contains all details of ABC’s customers and is used for
marketing.

The following is an excerpt of the documentation prepared by the audit team:

Customer orders: Each customer has a user account in the BUY system. The customer is
required to log on to the BUY system with a passcode before placing an order.

Checking: A customer is required to key in the item code and the requested quantities.
All the goods are stored in ABC’s warehouse. The BUY system checks the inventory list
to ensure there is stock available. If available, the BUY system will confirm the order and
an invoice number with a bar code will be assigned. The customer then pays by credit
card. Once payment is confirmed, the BUY system will arrange delivery of the item to
the customer.

Delivery: Goods are delivered by an external logistics company. For each completed
order, the BUY system sends the logistics company a delivery note with the same bar
code printed on it. When goods are delivered, the logistics company scans the bar code on
the delivery note to evidence the delivery. Every day, the logistics company sends ABC an
electronic file of all the scanned bar codes.

Posting of sales: The BUY system reconciles the bar codes sent from the logistics company
with its own records. Sales are recognised and posted to FIN when the bar codes sent by the
logistics company are matched to invoices recorded in the BUY system.

Required:

(a) Propose audit procedures to test the effectiveness of the general controls of ABC’s IT
applications.

(b) If the general controls of ABC’s IT application(s) that you advised to test in part (a)
are found to be effective, advise what application controls you will test for the sales
process of ABC.

QUESTION 2
You are the auditor of Think Limited, which is a furniture manufacturer with a factory in
Dongguan, China. An analysis of the company’s control system reveals that controls are
generally good and control risk should be low. During the planning of the audit for the year
ended 31 March 20X4, you obtained the following financial information:

                                 20X4          20X3
                                 HK$ million   HK$ million
Revenue                          525           285
Cost of goods sold               350           242
Gross profit                     175           43
Property, plant and equipment    425           495
Trade receivables                232           75
Trade payables                   155           105

Required:

Provide an audit programme for the occurrence of revenue.

QUESTION 3
House Store Limited (‘House’) is a mini-store selling household accessories. As at
31 December 20X5 and 20X4, House had the following key trade payables:

                                                  20X5          20X4
                                                  Amount        Amount
Suppliers    Nature of balance                    HK$           HK$
A            Accessories supply                   20,000        25,000
B            Accessories supply                   30,000        35,000
C            Accessories supply                   –             50,000
D            Accessories supply                   35,000        –
E            Construction                         13,000        13,000
Other with balance less than HK$1,000 each        30,000        35,000
Total                                             128,000       158,000

You are the auditor of House for the year ended 31 December 20X5. The risk of material
misstatement for the completeness of trade payables is high. Your audit strategy will be
based mainly on substantive tests.

Required:

Propose substantive audit procedures to test the completeness of trade payables.

QUESTION 4
Rent Limited (RL) supplies portable restrooms which are widely used at construction sites
and corporate functions. You are the audit engagement senior and have been asked to plan
the year-end audit procedures for the fixed assets of RL.

• Over 70% of RL’s total assets are sanitation equipment.

• RL’s sanitation equipment (i.e. over 300 portable restrooms and pumping systems)
are all rented out most of the time. These items of sanitation equipment are usually
held at the customers’ premises and RL keeps a good record of the locations of
these items of sanitation equipment.

• RL has been very profitable and received very good comments from its customers
on service quality.

• RL’s office and warehouse are located in the New Territories. RL has a team
responsible for equipment cleaning and maintenance.

• During the year, the management of RL purchased 100 more portable restrooms
and spent a significant amount on 100 existing portable restrooms to improve their
facilities and design.

Since most parts of the sanitation equipment are very durable, RL adopts a depreciation
policy that is comparable to other industry players. The sanitation equipment is depreciated
over 10 years.

Required:

(a) Assess the risks of material misstatements of fixed assets in terms of the existence and
valuation assertions and explain your views.

(b) Propose the relevant audit procedures in response to the risks identified in part (a) over
the existence assertion.

QUESTION 5
The following issues were discovered during the audit of the cash account.

1. The company had overstated cash by transferring funds at year end to another account,
but failed to record the withdrawal until after the year end (kiting).

2. The controller took cash for personal purposes. The cover-up was executed by
understating outstanding cheques in the monthly bank reconciliation.

3. A cheque written to a supplier had been recorded twice in the cash payments journal to
cover a cash shortage.

Required:

For each issue,

(a) Identify the audit procedure that most likely would have led to the discovery of the
error.

(b) Identify a control that would have prevented or detected the issue.

QUESTION 6
Lau Co. Ltd issued HK$100 million of 12% convertible debt instruments on 1 January 20X1.
The debt instruments are registered in Hong Kong. The redemption date is 31 December
2015 and conversion can take place in January of any year.

Required:

Design an audit programme for Lau Co.’s securities for the current year ending 31 December
20X1.

ANSWERS TO EXAM PRACTICE

QUESTION 1
(a) General controls are tested to ensure that controls and procedures are adequate
to provide secure and effective design and operation of the computer facilities. The
auditor may perform the following procedures:

• Verify there is segregation of duties (e.g. computer programming and operating) to
reduce the risk of employee fraud.

• The auditor can inspect the entity’s standards over the system design, programming
and documentation.

• Verify by inquiry and inspection that there are comprehensive written procedures
for IT operations and that any changes are appropriately documented. The auditor
could inspect program logs.

• Verify the access to computer terminals is properly authorised and controlled by
passwords or scan cards.

(b) If the general controls are effective, the auditor can identify and test the effectiveness
of the application controls. Application controls are particular to an application and
may have a direct impact on the processing of individual transactions. They include
controls that help to ensure the proper authorisation, completeness and accuracy of
transactions. Applications relevant to the audit include FIN and BUY.

• Check for duplicate customer accounts in BUY.

• Check the existence of the transactions by vouching the sales journal in FIN to the
delivery report from the logistics company and to the credit card receipts.

• Check the password control in BUY to confirm secure log-in of customers.

• Check the authorisation of sales transactions in BUY by vouching each sale to the
inventory records and to the credit card payment.

• Check the reconciliation of the bar codes reported by the external logistics
company. Verify that errors or mismatches are followed up.

  ◦ Inspect reports on unprocessed/uncleared transactions (e.g. unpaid invoices).
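
As an added illustration (not part of the Learning Pack), the tests in part (b) over the bar code reconciliation and the posting of sales to FIN can be reperformed with data analytics on extracts from BUY, FIN and the logistics company's daily scan file. The field names and all sample records below are constructed assumptions, not ABC data.

```python
from collections import Counter

# Constructed sample extracts (assumed layout, not ABC's real data).
BUY_INVOICES = [
    {"invoice": "INV-001", "barcode": "BC1001", "amount": 1200, "paid": True},
    {"invoice": "INV-002", "barcode": "BC1002", "amount": 450, "paid": True},
    {"invoice": "INV-003", "barcode": "BC1003", "amount": 980, "paid": False},
    {"invoice": "INV-004", "barcode": "BC1004", "amount": 300, "paid": True},
    {"invoice": "INV-005", "barcode": "BC1005", "amount": 150, "paid": True},
]
# Bar codes scanned on delivery, as sent by the logistics company.
LOGISTICS_SCANS = ["BC1001", "BC1002", "BC1002", "BC1003", "BC1005", "BC9999"]
# Sales postings in the FIN sales journal.
FIN_POSTINGS = [
    {"invoice": "INV-001", "amount": 1200},
    {"invoice": "INV-002", "amount": 540},
    {"invoice": "INV-003", "amount": 980},
    {"invoice": "INV-004", "amount": 300},
]


def reperform_reconciliation(invoices, scans, postings):
    """Return exceptions for auditor follow-up, keyed by the type of test."""
    by_invoice = {inv["invoice"]: inv for inv in invoices}
    known_barcodes = {inv["barcode"] for inv in invoices}
    scan_counts = Counter(scans)
    delivered = set(scan_counts)
    posted = Counter(p["invoice"] for p in postings)

    exceptions = {
        # Scan file integrity: bar codes BUY never issued, or scanned twice.
        "scan_without_invoice": sorted(delivered - known_barcodes),
        "duplicate_scans": sorted(b for b, n in scan_counts.items() if n > 1),
        # Completeness: delivered goods with no sale posted to FIN.
        "delivered_not_posted": sorted(
            inv["invoice"] for inv in invoices
            if inv["barcode"] in delivered and inv["invoice"] not in posted
        ),
        "duplicate_postings": sorted(i for i, n in posted.items() if n > 1),
        "posting_without_invoice": [],
        "posted_without_delivery": [],   # occurrence
        "posted_unpaid": [],             # authorisation (card payment)
        "amount_mismatch": [],           # accuracy
    }
    for p in postings:
        inv = by_invoice.get(p["invoice"])
        if inv is None:
            exceptions["posting_without_invoice"].append(p["invoice"])
            continue
        if inv["barcode"] not in delivered:
            exceptions["posted_without_delivery"].append(p["invoice"])
        if not inv["paid"]:
            exceptions["posted_unpaid"].append(p["invoice"])
        if p["amount"] != inv["amount"]:
            exceptions["amount_mismatch"].append(p["invoice"])
    return exceptions


if __name__ == "__main__":
    result = reperform_reconciliation(BUY_INVOICES, LOGISTICS_SCANS, FIN_POSTINGS)
    for test_name, items in result.items():
        print(f"{test_name}: {items}")
```

Each non-empty list is an exception to trace to ABC's own follow-up of errors and mismatches; an exception with no evidence of follow-up indicates the application control did not operate effectively.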

QUESTION 2
The audit programme for the occurrence of revenue should be based on the auditor’s
assessment of inherent and control risks affecting that assertion. While no information
regarding control risk is available in the question, a combined audit strategy is initially
assumed here.

The large increase in revenue (84%) and gross profit (307%) compared with the prior
year indicates a risk of overstatement. Audit procedures may include:

Analytical review (see table below)

Perform an analytical review of the fluctuation of revenue and the gross profit margin.

• Ask management for the reasons for the increases in revenue and gross profit margin
with reference to the market situation. For example, has management initiated new
credit policies or cost cutting measures? Have new markets been entered?

• Perform an industry comparison and analysis to document whether the change in gross
profit margin is consistent with current market trends.

                      20X4          20X3          Increase
Account               HK$ million   HK$ million   %
Revenue               525           285           84
Cost of goods sold    350           242           45
Gross Profit          175           43            307
PPE                   425           495           14
Trade receivables     232           75            209
Trade payables        155           105           48

Controls. Perform control tests.

• Test for approvals of sales orders.

• Observe whether appropriate segregation of duties exists for custody of inventory and
cash, recording and approval.

• Test for approval of customers and their credit limits.

Where control tests prove unsatisfactory, it will be necessary to alter the audit
programme in order to emphasise substantive tests of details.

Substantive procedures.

• Select a sample from the sales journal and vouch to shipping documents, invoices and
sales orders to test occurrence and cut-off.

• Send confirmations to high-volume customers to confirm the total sales amount
for the year.

• Check sequence of sales journal for duplicate entries.

Presentation and disclosure.

• Review whether the entity has applied accounting standards for revenue recognition
consistently throughout the period.

QUESTION 3
The substantive audit procedures to test the completeness of trade payables include:

• Test the mathematical accuracy of the listing of trade payables and reconcile the total
of HK$128,000 with the general ledger.

• Vouch supplier accounts to supplier statements. Reconcile differences.

• Consider whether there could be significant unrecorded liabilities by making inquiries
of management.

• Ask management about balances with significant fluctuations, such as the balance with
Supplier C, which had decreased from the previous year from HK$50,000 to zero at the
current year end.

• Ask management about unusual items, such as the balance due to Supplier E, which is
construction in nature and is not related to House’s business.

• Examine files of unmatched purchase orders and supplier invoices for any unrecorded
liabilities.

• Examine post year-end transactions and subsequent payments and compare the actual
dates with the dates they were recorded in the ledger to check whether the cut-off has
been applied correctly.

• Confirm the balances with Suppliers A, B, D and E, and the balance with Supplier C
(zero balance) and a few suppliers with balances less than HK$1,000.

• Perform confirmations of trade payables. Perform follow-up procedures for those
confirmations that disagree with the information in the request and confirmations
without a reply.

• Perform comparisons of the following accounts to check for reasonableness:

  ◦ Current year balances for trade payables and accruals with the previous year.

  ◦ The amounts owed to a sample of individual suppliers in the trade payables listing
    to amounts owed to these suppliers in the previous year.

  ◦ The payables’ turnover and payables’ days with the previous year and with
    industry data.

QUESTION 4
(a) The risk of material misstatement of fixed assets in terms of existence is high because
the carrying value of sanitation equipment represents a significant part of the
company’s total assets and the amount of new additions of fixed assets during the year
is large.

The risk of material misstatement of fixed assets in terms of valuation is low
because the company has been profitable, and its sanitation equipment is rented to
customers most of the time during the year which indicates the fixed asset impairment
risk is low. The company’s depreciation policy is comparable to other industry players.

(b) In response to the risk of material misstatement of fixed assets in terms of existence
assertion identified in part (a), the relevant audit procedures should include:

• Ask the management to confirm whether they have physically inspected all the
sanitation equipment in the fixed asset register each year.

• Review the management’s physical count instructions and attend the
physical count.

• Obtain the fixed asset register from the management and reconcile the opening
and closing balances in terms of number of units and dollar value.

• Perform a physical inspection of a sample of the equipment. Ensure the inspected
items do exist, are in use and good condition and have the correct serial numbers.

• Test the current year’s fixed assets additions by inspecting supporting documents
such as supplier invoices and delivery notes.

• Arrange to obtain confirmations from third parties of the sanitation equipment
they hold.

QUESTION 5

Issue 1
a. Audit procedure: To test the cut-off of the bank accounts, the auditor should examine
transfers between accounts around the end of the year.
b. Control: Independent review (e.g. internal audit) of bank transfers at year end.

Issue 2
a. Audit procedure: A sample of cash payments should be vouched to supplier invoices.
b. Control: Segregation. The bank reconciliation should be prepared by a person with no
access to cash.

Issue 3
a. Audit procedure: Review of cash payments journal for duplicate entries.
b. Control: Reconciliation of cash payments to supplier accounts in the journal.

QUESTION 6
Audit programme for debt securities:

• Obtain a continuity schedule listing debt securities’ opening and closing balances and
movements during the period. Cast the listing and trace it to the general ledger. Agree
the opening balance to the prior year’s audited balance.

• Agree details of the securities listing to the bond agreement, minutes of the board and
the registration document. These should be filed in the permanent file. Review the note
disclosure for consistency with documents.

• Vouch the sale of the securities to cash receipts and the bank statement. If a broker
was used, confirm details of the transactions with the broker or agree to the broker’s
statement.

• Re-calculate the interest payable and agree to the cash disbursement.

• Inquire about the conversion of any of the securities and review the registration
document to ensure it reflects the conversion.

8 Using the Work of Others

CHAPTER TOPIC LIST

8.1 Reliance on the Work of Others
8.2 Internal Auditors
    8.2.1 Using the Work of Internal Auditors
    8.2.2 Documentation
    8.2.3 Recommended Improvements to the Internal Audit
8.3 Experts and Service Organisations
    8.3.1 Determining the Need for an Auditor’s Expert
    8.3.2 Audit Procedures Applied to the Work of an Auditor’s Expert
    8.3.3 Evaluating the Adequacy of the Work of the Auditor’s Expert
    8.3.4 Management’s Expert
    8.3.5 Service Organisations

LEARNING OUTCOMES

PRINCIPAL LO1: PERFORM ASSURANCE ENGAGEMENTS

LO1.07: Prepare, plan and develop assurance engagements including the audits of financial
statements in accordance with relevant Hong Kong Standards of Quality Control,
Auditing, Assurance and Related Services, guidance and legislation with emphasis on:
Internal Audit
1.07.01 Explain the purpose of an internal audit function and the types of work undertaken
1.07.02 Recommend the relevant work that internal audit could undertake in an entity
1.07.03 Recommend improvements to an entity’s internal audit function

LO1.11: Prepare, plan and develop assurance engagements including the audits of financial
statements in accordance with relevant Hong Kong Standards of Quality Control,
Auditing, Assurance and Related Services, guidance and legislation with emphasis on:
Audit Evidence
1.11.07 Illustrate why an auditor may rely on the work of others, including internal audit, experts
(e.g. experts in cyber security) and service entities
1.11.08 Develop procedures to make use of the work of others, including internal audit, experts
and service entities

OPENING CASE

FLASH LTD

Flash is a jewellery retailer and gemstone wholesaler. The company’s head office is in
Hong Kong and it has a chain of stores in major Asian and European cities from which they
sell jewellery to the public and gemstones to independent jewellers. The company buys their
stock mainly through auction at international trade shows. Their buying group comprises
specialists in diamonds, opals, emeralds, and other precious and semi-precious gems. Given its
inventory and international business, Flash’s functional currency is US dollars. Each of their 50
stores holds a stock of jewellery valued at approximately US$5 million and gemstones valued at
approximately US$3 million. The value of a gemstone is influenced mainly by its weight, shape,
colour, and consistency.

An additional gemstone inventory valued at US$100 million is held by Secure Co, a security
company. Secure Co keeps the inventory in highly secure premises in Zurich and delivers gems
as required to Flash stores throughout Europe and Asia. Secure Co also manages the security at
all of Flash’s stores.

Flash has an internal audit department. The internal audit’s role includes a review of
organisational efficiency, monitoring of the organisation’s control system, and oversight of
the security of the inventory, which comprises 80% of the assets of the company. The internal
audit department employs one gemstone valuation expert and two qualified internal auditors,
together with eight support staff.

OVERVIEW

This chapter deals with four scenarios where the external auditor of an entity relies on the work
of others.

1. The first scenario arises when the external auditor uses the work of the client’s internal
auditor to improve audit efficiency.

2. The second arises when the external auditor uses an auditor’s expert to perform
audit procedures that the auditor is unable to perform for themselves; for example, the
valuation of gemstones.

3. The third scenario arises when management employ or acquire the services of a
management’s expert to provide information that affects their financial statements
(e.g. financial instrument valuers, property valuers, or actuaries).

4. The fourth scenario arises when the client outsources some activities that affect their
financial statements to a service organisation because the service organisation is
able to provide the service at a lower cost than could be obtained by providing the
service in-house.

8.1 RELIANCE ON THE WORK OF OTHERS

Three main auditing standards directly address the auditor’s reliance on the work of others:

1. HKSA 610 (Revised 2013) Using the Work of Internal Auditors.

2. HKSA 620 (Clarified) Using the Work of an Auditor’s Expert.

3. HKSA 402 (Clarified) Audit Considerations Relating to an Entity Using a Service Organisation.

Other auditing standards that have an indirect bearing on using the work of others include:

1. HKSA 200 Overall Objectives of the Independent Auditor and the Conduct of an Audit in
Accordance with Hong Kong Standards on Auditing.

2. HKSA 220 Quality Control for an Audit of Financial Statements.

3. HKSA 315 (Revised 2019) Identifying and Assessing the Risks of Material Misstatement.

4. HKSA 500 Audit Evidence.

The following sections discuss matters specific to each type of ‘other’ party. Using the work
of each of the three types presents the auditor with similar concerns. The main things that
must be kept in mind are that the ‘others’ may lack the objectivity and independence required
of an auditor, and that the auditor remains solely responsible for the audit opinion.

8.2 INTERNAL AUDITORS

An internal audit helps a company ensure that it has the proper controls, governance, and
risk management processes in place. By nature, it is an independent activity carried out by a
person or team that can present objective findings and make recommendations for corrective
measures. Basic internal audit functions include:

• Assess risks and determine how effectively they are managed;

• Evaluate the efficiency and effectiveness of controls;

• Assess the effectiveness and efficiency of operations in achieving organisational
objectives; and

• Promote ethics.

Normally internal auditors have a role in monitoring the quality of an organisation’s internal
control system. HKSA 315.24 (Revised 2019) requires that an auditor understand the nature,
responsibilities and activities of an entity’s internal audit function when performing the assessment
of the risk of material misstatements. Internal control systems can be very broad in their scope, but
the internal controls of interest to external auditors are the controls over financial reporting.

While external auditors have a clearly defined role in providing assurance to third parties,
internal auditors may provide a wide range of services. Where those services overlap with those
of the external auditors, that is where internal auditors monitor internal controls and provide
assurance on financial reporting, then the internal auditor’s work will be relevant to the external
audit. Other internal audit work of interest might include risk analysis and fraud investigation.

Many larger companies have a significant internal audit department. Other companies
outsource their internal audit function wholly or partially to accounting firms. This approach
may create a self-review threat if companies outsource their internal audit function to their
external audit firm (COE S605.1). Small companies may not have an internal audit function.

8.2.1 Using the Work of Internal Auditors


The internal audit function can make two main contributions to the external audit.

1. Internal auditors may provide direct assistance to external auditors in carrying out
audit procedures. Internal auditors are well placed to provide this service because of
their knowledge of the organisation and their familiarity with accounting and auditing.
On the other hand, potential conflicts of interest arise because they lack independence
from the client company that is their employer, and because they may be asked to
review work already performed by the internal audit department (self-review).

2. HKSA 315 (Revised 2019) regards internal audit as a component of the entity’s process for
monitoring the system of internal control to be understood as part of the auditor’s risk
assessment process. Where the internal auditor is judged to provide a reliable service,
then the external auditor’s assessment of control risk can be reduced and audit efficiency
increased. However, tests of controls must still be performed to obtain assurance that
the internal audit function is performing as expected. HKSA 315 Appendix 4 (Revised
2019) identifies considerations for understanding the entity’s internal audit function.
According to Appendix 4, an internal audit function varies depending on the entity’s
size, structure, management, and governance requirements. An internal audit charter
or terms of reference can clarify the objectives and scope of the internal audit function.
Responsibilities may include providing assurance to management by performing
procedures and evaluating results, evaluating the design and effectiveness of risk
management and evaluating internal control and governance processes. Internal auditors
may also monitor the entity’s internal controls. Finally, they may evaluate the economy,
efficiency, and effectiveness of an entity’s operations. The internal auditor may also
consider management’s response to the audit function’s findings and recommendations.

An internal auditor’s inquiries provide deep insight about an entity’s operations and
risks. Regardless of whether or how the internal auditor expects to use the work of the
internal audit function, such inquiries should be made. An internal auditor may also
read related reports, strategy and planning documents and other reports prepared for
managing and governing bodies that describe the internal audit function’s findings. This
includes regular meetings with other internal audit personnel.

Regardless of the involvement of an internal audit in the external audit engagement, the
auditor’s opinion and report remain the sole responsibility of the external auditor.

8.2.1.1 Determining Whether Internal Auditors Can Be Used


Internal auditors are employees of the entity and so may be subject to management influence
that may impair the objectivity of their reports. Additionally, while the Institute of Internal Auditors
is a respected international professional association, some internal auditors may not have
professional qualifications. Factors that determine whether internal auditors can be used include:

• The internal auditor’s organisational status and policies and procedures that support
the objectivity of the internal auditors;

• The level of competence of the internal audit function; and

• Whether the internal audit function applies a systematic and disciplined approach,
including quality control.

Regarding objectivity, the internal audit function should ideally report to the audit committee,
and not to the CFO or other management personnel. Similarly, the employment or performance
review of internal audit staff should not be subject to management discretion. Where the auditor’s
assessment of the internal audit function reveals shortcomings in objectivity, competence, or
approach, the auditor should consider their ability to rely on the internal auditor’s work.

8.2.1.2 Using the Work of the Internal Audit Function


The external auditor should only use work performed by the internal auditor that is relevant to
the external auditor’s audit strategy and audit plan. The internal auditor’s work should not be
used in high-risk areas, or in areas where significant professional judgement is required.

Normally, the internal audit work of most interest to the external auditor concerns control
risk assessment and the testing of controls. An effective internal audit function in the control
domain can lead the auditor to reduce their control risk assessment and adopt a more efficient
control-based audit strategy. Where the internal auditor’s work also includes substantive
testing of accounts, this work can be relied upon to further increase audit efficiency.

The external auditor should read the internal audit reports to obtain an understanding
of the nature and extent of audit procedures performed and their findings, then perform
sufficient audit procedures to determine their adequacy. Considerations include whether:

• The work had been properly planned, performed, supervised, reviewed, and documented;

• Sufficient evidence has been obtained;

• Conclusions reached are appropriate; and

• Reports prepared are consistent with the work performed.

In addition, the external auditor should take a sample of items examined by the internal
auditor and reperform their procedures in order to corroborate their findings and conclusions
(HKSA 610.24).

8.2.1.3 Determining Whether Internal Auditors Can Be Used for Direct Assistance
Direct assistance is the use of internal auditors to perform audit procedures under the
direction, supervision, and review of the external auditor. In order for the external auditor
to use the work of the internal auditor for direct assistance, the external auditor must carry
out a review of the internal audit function. The relevant procedures are detailed in HKSA 610
(Revised 2013) Using the Work of Internal Auditors and Related Conforming Amendments.

Key matters that the external auditor must investigate include:

• The reporting level or organisational status:

  ◦ Ideally, to ensure independence from management and freedom from bias, the
    internal auditor should report to the audit committee.

  ◦ Employment decisions regarding the head of internal audit should be made at the
    board level.

  ◦ The internal auditor should not report to the CFO.

• The scope of the internal audit function:

  ◦ Must include the monitoring of controls over financial reporting.

  ◦ Other useful functions might include:

    ▪ Testing for fraud;

    ▪ Testing for compliance with the law and regulations, and with company policy; and

    ▪ Performing IT and security audits.

• Technical competence and professional attitude, by considering:

  ◦ Training and qualifications;

  ◦ Periodic evaluations of the internal audit department; and

  ◦ Policies to promote ethical behaviour and prevent conflicts of interest.

• The internal auditor’s working papers ensure that:

  ◦ Procedures are carried out appropriately;

  ◦ Conclusions are consistent with the results of the procedures; and

  ◦ Documentation is complete.

• Reperforming some of the internal auditor’s tests to confirm conclusions.

Apply and Analyse 1


An external auditor is considering relying on the work of an internal auditor. A review of
the internal audit function reveals:

• The internal auditor undergoes periodic external quality reviews and has received
favourable assessments.

• The internal audit function hires high-quality and technologically competent staff.

Based on this information, explain whether the external auditor should rely on the
internal audit function and whether additional information should be sought.

Analysis

The review of the internal audit function is not sufficient to determine the auditor’s
reliance. While the two items mentioned are important in the evaluation of the internal
audit function, a number of other factors must be considered. These include:

• The reporting level.

• The scope of the internal audit function.

• Qualifications.

• Professional attitude (ethics).

• The supervision, review, and documentation of the function.

8.2.1.4 Determining the Nature and Extent of Work of the Internal Audit Function That Can Be Used

Before using internal auditors for direct assistance, the external auditor should obtain written
assurances from management that the internal auditors are assigned to follow the instructions
of the external auditor without intervention of the company, and that internal auditors will
keep matters confidential as directed by the external auditor.

When the external auditor uses internal auditors to carry out tests of controls or
substantive testing, the internal auditor’s assignment should emphasise areas where testing
is objective (e.g. existence of inventory). The internal auditor’s work should be planned,
supervised, and reviewed by the external auditor, and the review of the internal auditor’s work
should be of a different nature and more extensive than if members of the engagement team
had performed the work.

For accounts where detection risk must be low (i.e. where inherent risk and/or control
risk are high), and where estimates are required, testing should be performed mainly by
the external auditor (e.g. allowance for doubtful accounts). Decisions requiring professional
judgement should be performed solely by the external auditor. Such decisions would include
assessment of the:

• Integrity of management;

• Inherent and control risk;

• Materiality;

• Accounting estimates and fair values;


• Sufficiency and appropriateness of evidence;

• Adequacy of disclosures;

• Related party transactions;

• Contingencies; and

• Subsequent events.

Apply and Analyse 2


Flash Ltd Part 1 – Internal Audit
As noted in the opening case:

• Each of Flash’s 50 stores holds a stock of jewellery valued at approximately
US$5 million, and gemstones valued at approximately US$3 million. The value of a
gemstone is influenced mainly by its weight, shape, colour, and consistency.

• An additional gemstone inventory valued at approximately US$100 million is held
for Flash by Secure Co. Secure Co also manages the security at all of Flash’s stores.

• Flash has an internal audit department. The internal audit department’s role includes
review of organisational efficiency and monitoring of the organisation’s control system,
particularly controls over the existence, valuation, and rights to the inventory,
which comprises 80% of the assets of the company. The internal audit department
employs one gemstone valuation expert and two qualified internal auditors.

As Flash’s external auditor, you are considering using the internal audit function to
provide direct assistance for the inventory audit. Explain (i) whether it would be appropriate
to use internal audit for this purpose and (ii) your own responsibilities should this occur.

Analysis

(i) The key assertions at risk for inventory are existence, rights, and valuation. The first
two are easily audited by a count, and by reference to purchase documentation,
respectively. These procedures require little judgement. The valuation assertion
requires a high level of professional judgement and the inventory account is very
material (80% of assets). It may not be appropriate to use internal audit for
valuation. If the auditor decides to use internal audit for valuation, they might
consider using an auditor’s expert to check some of the internal auditor’s work
(see Section 8.3).

(ii) • If the internal auditor is used for valuation, their expertise in valuation should
be confirmed by inquiries about their experience and qualifications.

• The auditor must also review a number of additional issues relating to the
internal auditor’s competence, objectivity, and approach.

• The auditor should seek assurances from management about the internal
auditor’s responsibilities and confidentiality.

• The auditor should consider reperforming the internal auditor’s tests
or performing alternative tests of valuation, to confirm the conclusions
documented by the internal auditor.


8.2.2 Documentation
The external auditor must document their findings as to the internal auditor’s:

• Objectivity

• Competence

• Approach and quality of work.

Other matters to be documented in the engagement file include:

• The nature and extent of work assigned to the internal auditor;

• Procedures performed by the external auditor to evaluate the internal auditor’s work;

• Work papers prepared by the internal auditors; and

• Agreements regarding confidentiality and the reporting of the responsibilities of the
internal auditor.

8.2.3 Recommended Improvements to the Internal Audit


HKSA 265 (Clarified) Communicating Deficiencies in Internal Control to Those Charged with
Governance and Management makes no specific reference to internal audit. However, where an
internal audit function exists, it is likely to be an important part of the internal control system
and it may be a significant contributor to the entity’s control over financial reporting.

A review of the internal audit function should be undertaken by an auditor as part of
their control risk assessment during the planning stage of the audit (see Chapter 5). Where
deficiencies are noted in the internal audit function during the control risk assessment, when
the auditor considers using the internal auditor to reduce their control risk assessment, or to
provide direct assistance in accordance with HKSA 610 (Revised 2013), then the guidance in
HKSA 265 (Clarified) regarding communicating these deficiencies should be followed.

The auditor should communicate deficiencies promptly, and also provide a written
communication to those charged with governance, which would include:

• A description of the deficiency and its potential effects;

• The purpose of the communication – to assist those charged with governance;

• The context in which the deficiency was discovered – an external audit to provide an
opinion on the financial statements; and

• That the deficiency was identified as part of the auditor’s planning activities and not for
the purpose of expressing an opinion on internal control.

Knowledge Check Questions

Question 1
List the factors an external auditor considers when assessing the objectivity of a client’s
internal audit function.


Question 2
Describe for what types of assertions and accounts it is likely that an external auditor will
rely on the work of an internal auditor. Describe the types of accounts where reliance
is unlikely.

Question 3
Explain whether the internal auditor can achieve the same level of objectivity as an
external auditor.

8.3 EXPERTS AND SERVICE ORGANISATIONS

This section deals with two forms of outsourcing relevant to the audit. The first occurs when
an auditor outsources some audit procedure to an auditor’s expert (Sections 8.3.1 to 8.3.3).
The second occurs when the client outsources some accounting information system services
relevant to the audit to a management’s expert (Section 8.3.4) or to a service organisation
(Section 8.3.5).

8.3.1 Determining the Need for an Auditor’s Expert


The auditor does not generally have expertise specific to other professions. In many audits, it
is necessary to employ the services of an auditor’s expert who can provide audit evidence in a
specialised area. Experts may be hired externally (an external expert) or they may be employed
by an audit firm.

Accountants and auditors who provide specialised services on audits, for example experts
in consolidation of financial reports, are not considered auditor’s experts and their use is not
governed by HKSA 620 (Clarified) Using the Work of an Auditor’s Expert. Similarly, the standard
does not apply to an expert hired by management (a management’s expert) to assist in
preparing the entity’s financial report.

Experts commonly used by auditors include:

• IT or tax experts;

• Valuers and appraisers to provide evidence about valuation or impairment of
assets, property, plant and equipment, artworks, complex financial instruments, or
precious stones;

• Geologists and engineers to provide information about mineral deposits, oil reserves,
or environmental liabilities (clean-up costs);

• Quantity surveyors to provide information on stockpiles (inventory);

• Actuaries to provide estimates of life insurance or superannuation liabilities; and

• Lawyers to provide estimates of the outcome of litigation or advice on contract terms.


An auditor’s expert may be needed to assist the auditor at the:

• Planning (understanding the entity or risk assessment);

• Performance (testing of controls or substantive tests); or

• Reporting stages of the audit.

Services provided by an auditor’s expert are generally of two types.

1. To assess the assumptions, methods and data used by management or a
management’s expert in preparing an estimate for the financial report.

2. To develop a point estimate or a range for comparison with a management estimate.

8.3.2 Audit Procedures Applied to the Work of an Auditor’s Expert


The engagement partner must be satisfied that the engagement team and any auditor’s
experts have the competence and capability to perform the audit engagement. When engaging
an expert, the auditor should consider:

• Competence: the expert’s professional qualifications, degree of experience regarding
the matter at hand, and professional reputation:

°° Also important is the competence of the auditor’s expert with respect to relevant
accounting and auditing requirements;

• Capability: location, time, and resources;

• Objectivity: any business, personal, or financial relationship with the client that might
cause a conflict of interest;

• Whether the nature, scope, and objectives of the work to be performed are consistent
with the audit strategy and plan; and

• The auditor’s ability to evaluate the adequacy of the expert’s work, which includes:

°° Knowledge of assumptions and models used; and

°° Knowledge of the nature and adequacy of data used.

Information may be obtained from:

• Prior experience of the expert.

• Discussions with the expert or with other auditors.

• Discussions with management about financial interests or personal relationships with
the auditor’s expert:

°° It may be appropriate to obtain a written representation from an auditor’s external
expert about relationships with the entity.

• The expert’s qualifications, areas of specialisation, professional associations, and
publications.


During the course of the audit, it may be necessary to reconsider the initial evaluation of
the competence, capabilities, and objectivity of the auditor’s expert.

Where threats to the objectivity of the auditor’s expert exist and the expert’s work is
significant to the audit, safeguards may be found in external structures (for example, in the
expert’s profession or in regulation), or in quality control policies and procedures. However,
there may be some circumstances in which safeguards cannot reduce threats to an acceptable
level; for example, if the auditor’s expert is also a management’s expert.

The auditor’s understanding of the expert’s work will be less than that of the expert, but the
auditor may obtain knowledge of the required scope of the work, and the ability to evaluate
it, through:

• Relevant experience in other audits;

• Discussion with other auditors who have relevant experience; or

• Undertaking training related to the expert’s field of work.

The extent of audit procedures performed by the auditor on the work of the auditor’s
expert depends on:

• The degree of risk of material misstatement;

• The auditor’s prior experience of the expert’s work; and

• The degree of subjectivity and judgement required.

Since the auditor has sole responsibility for the audit opinion, the auditor needs to be
satisfied about:

• Reduction of the risks of material misstatement to an acceptable level;

• Sufficiency of the tests performed;

• Significant accounting estimates; and

• Adequacy of disclosures in the financial statements.

The Appendix of HKSA 620 (Clarified) Considerations for Agreement between the Auditor and
an Auditor’s External Expert usefully suggests matters that might be included in an agreement
with an auditor’s expert. These include:

• The nature, scope, and objectives of the expert’s work, including the requirements of
relevant accounting standards (e.g. HKFRS 13 Fair Value Measurement);

• The respective roles and responsibilities of the auditor and expert;

• Communication and reporting: the nature, timing, and extent of communication
between the auditor and that expert, including the form of any report to be provided by
that expert; and

• Confidentiality.


Apply and Analyse 3


Flash Ltd Part 2 – Auditor’s Expert
As noted in the opening case:

• Flash is a jewellery retailer and gemstone wholesaler. The company has a chain
of stores in major Asian and European cities from which they sell jewellery to the
public, and gemstones to independent jewellers. The company buys their stock
mainly through auction at international trade shows. Their buying group comprises
specialists in diamonds, opals, emeralds, and other precious and semi-precious
gems. Each of their 50 stores holds a stock of jewellery valued at approximately
US$5 million, and gemstones valued at approximately US$3 million.

• A gemstone inventory valued at approximately US$100 million is held for Flash by
Secure Co.

(i) Explain whether Flash’s external auditor should hire an auditor’s expert to assist
with the valuation of Flash’s inventory.

(ii) If an auditor’s expert is hired, describe the responsibilities of the external auditor.

Analysis

(i) The external auditor is unlikely to be an expert in the valuation of gemstones. Due to
the materiality of the gemstone inventory, an expert valuer should be hired to either:

• Assess the assumptions, methods, and data used by management in valuing
inventory; or

• Provide an estimate of the inventory value for comparison with the inventory
account balance.

(ii) The external auditor must be satisfied that the expert has the relevant competence
and objectivity to carry out the work. The auditor must also ensure that the scope
of the expert’s work is appropriate, and that they have the expertise to understand
the expert’s report and conclusions. In order to fulfil this last requirement, the
auditor must have some experience in similar gemstone audits, be guided by
another auditor with such experience, or seek training in these matters.

When an auditor’s expert is engaged, the auditor’s responsibilities regarding their
conclusions and the audit report do not change. The auditor should carry out procedures
to corroborate the expert’s valuation. These might include:

• Analytical procedures on the sales account and the gross profit ratio (see Chapter 6,
Section 6.4.1, Analytical Procedures);

• Comparisons with external market information on changes in the price of precious
metals; or

• Comparing the selling price of recently sold items that bear a similarity (e.g. weight
and quality of stone) to those in the inventory to test the ‘lower of cost or market’ rule.

It is important for the auditor to ensure that the expert understands that the auditor’s
objective is to determine the fair value of the gemstones and is familiar with the requirements
of HKFRS 13 Fair Value Measurement (see Chapter 6, Section 6.5.1, Accounting Estimates and
Section 6.5.2, Fair Values).


8.3.3 Evaluating the Adequacy of the Work of the Auditor’s Expert


In evaluating the adequacy of the expert’s work, the auditor undertakes procedures to
understand the:

• Reasonableness of the expert’s conclusions in the light of any errors discovered;

• Consistency of the expert’s findings with other audit evidence;

• Reasonableness of the expert’s assumptions and methods; and

• Relevance, completeness, and accuracy of the expert’s source data.

Where the expert’s work is considered inadequate, the auditor should reach agreement
with the expert on the nature and extent of further work to be performed by the expert, or the
auditor should perform additional audit procedures appropriate to the circumstances.

Where the auditor issues an unmodified opinion, no reference to the expert’s work should
be made. Where reference is made to the expert’s work because of legal requirements, or to
aid in the understanding of a modification to the auditor’s report, the auditor shall indicate that
such reference does not reduce the auditor’s responsibility for that opinion. [HKSA 620.12–15]

8.3.4 Management’s Expert


If management does not possess the necessary expertise to prepare the financial statements, a
management’s expert may be used to provide information relevant to the financial statements.
As a management’s expert is employed or hired by the entity, a threat to objectivity exists.
Where the auditor lacks the expertise to audit the work of the management’s expert, it may
be necessary for the auditor to hire an auditor’s expert to provide this service. In any case, in
reviewing the work of the management’s expert, inherent risk should be evaluated as high and
appropriate high-quality audit procedures applied.

The auditor’s responsibilities regarding the financial statement assertions are not altered
by the fact that some information in the financial statements has been prepared by a
management’s expert. As noted in HKSA 500 Audit Evidence, paragraph 8, if information to be
used as audit evidence has been prepared by a management’s expert, the auditor should: [HKSA 500.8]

• Evaluate the competence, capabilities, and objectivity of the management’s expert;

• Obtain an understanding of the work of the management’s expert; and

• Evaluate the appropriateness of that expert’s work as audit evidence for the relevant
assertion.

The auditor’s decision on whether to use an auditor’s expert in this case may be
influenced by:

• The nature, complexity, scope, and objectives of the management expert’s work.

• The risk of material misstatement.

• Management’s control over the work of the management’s expert.

• The objectivity and competence of the management’s expert.

• Whether the management’s expert is subject to safeguards provided by professional or
industry requirements.


8.3.5 Service Organisations


Many entities outsource activities to other organisations possessing expertise that is not
available to the entity or that could only be provided internally at a high cost. For example:

• Many organisations outsource their payroll to banks;

• Many small businesses outsource their entire accounting function;

• The assets of some entities are held by others (e.g. assets held for security); and

• The assets of some entities are managed by others (e.g. investments or rental
properties).

Where outsourced activities like those above are a source of risk of misstatement in the
financial report, the auditor must be satisfied that the risk is reduced to an acceptable level by
performing appropriate audit procedures. Whether the use of a service organisation increases
or decreases the risk of material misstatement depends on the nature of the services provided
and the controls over those services.

HKSA 402 (Clarified) Audit Considerations Relating to an Entity Using a Service Organisation
identifies a user entity as an entity that uses a service organisation, a user auditor as
the external auditor of a user entity, and a service auditor as the auditor of the service
organisation. A service organisation is considered part of the user entity’s information system if
its work affects any of the following:

• Transactions and other events significant to the financial statements.

• Procedures for the initiation, recording, and processing of transactions.

• Accounting records.

• Significant accounting estimates and disclosures.

• Controls over journal entries.

As part of the audit planning process (see Chapter 5), the user auditor must understand
and document the relationship between the service organisation’s work and the user entity’s
information system in order to identify risks of misstatement.

The auditor would first examine the internal controls at the user entity. This examination
would be a part of the auditor’s assessment of control risk for the entity. If the user entity’s
controls over the information provided by the service organisation are deficient, the auditor
should acquire additional audit evidence about controls from the service organisation by:

• Obtaining a Type 1 report (on the service organisation’s controls);

• Obtaining a Type 2 report (on the service organisation’s controls and their effectiveness);

• Using another auditor to perform procedures at the service organisation; or

• Visiting the service organisation to perform procedures.

Type 1 and Type 2 reports should include information about:

• The flow of significant transactions through the service organisation to determine
the points in the transaction flow where material misstatements in the user entity’s
financial statements could occur.


• The controls at the service organisation that may affect the processing of the user
entity’s transactions and that are relevant to the user entity’s financial statement
assertions.

• The design and implementation of controls at the service organisation that act to
prevent or detect errors that could result in material misstatements in the user entity’s
financial statements.

Additionally, both reports should include an assurance report prepared by the service
auditor on the service organisation’s control system.

The two types of reports differ because a Type 1 report does not provide any evidence
of the operating effectiveness of the relevant controls, while a Type 2 report does address
effectiveness.

Key Learning Point


Only a Type 2 report includes information on the service organisation’s control system’s
effectiveness. If a Type 1 report is obtained, then further work to test the effectiveness of
controls is required if the user auditor intends to rely on those controls.

Where the user auditor relies on a Type 1 or 2 report, they should ensure that the report
covers the appropriate time period, and that the report provides sufficient and appropriate
evidence about the service organisation’s controls relevant to the user entity’s identified risks.

Illustrative Example 1
Banks often use a service organisation to respond to confirmation requests. In this
circumstance, the auditor will need to rely on the service organisation’s internal control
process. It is important that the auditor is satisfied with the controls over the information
sent to the service organisation and the controls applied during data processing and
sending the confirmation response to the auditor. A service auditor’s report on the
internal controls at the service organisation would assist the auditor in evaluating the
controls with respect to that process.

After the user auditor has carried out their control risk assessment and tested key
controls as appropriate, further substantive procedures must be performed to address
identified risks. Service organisations provide a diverse range of services, and while specific
procedures cannot be detailed, general procedures might include:

• Inspection of records and documents.

• Obtaining confirmations from the service organisation.

• Performing analytical procedures on reports obtained from the service organisation.

• Performing, or using another auditor to perform, further procedures at the service
organisation.


8.3.5.1 Responding to the Assessed Risk of Material Misstatement


When evaluating a service auditor’s report, questions might arise as to:

1. The time period covered by the tests and the time elapsed since their performance;

2. The scope of the service auditor’s work including:

• The services and processes covered;

• The controls tested, or the tests that were performed; and

• The way in which tested controls relate to the user entity’s controls; and

3. The service auditor’s opinion on the operating effectiveness of the controls.

To address Item 1 above regarding the timing of the service auditor’s report, the user
auditor might respond by carrying out further tests covering the period relevant to the audit of
the user entity, or by requesting others to carry out further testing, as well as making enquiries
about changes to controls outside the period covered by the service auditor’s report. Where
the period covered by the service auditor’s report is entirely outside the user entity’s audit
period, that report cannot be relied upon.

To address Item 2, possible deficiencies in the scope of the service auditor’s work, the
user auditor may supplement their understanding of the service auditor’s procedures and
conclusions by contacting the service organisation, through the user entity, to request a
discussion with the service auditor about the scope and results of the service auditor’s
work. Alternatively, the user auditor might request that the service auditor perform further
procedures at the service organisation.

Finally, where the service auditor’s report is modified or notes significant exceptions, the
user auditor should seek further information from the service auditor regarding the impact of
these matters on the user entity.

The user auditor’s responsibilities regarding the assurance report on an entity using a service
organisation do not differ from those described in Chapter 10, except that the user auditor shall
not refer to the work of the service auditor when providing an unmodified opinion. However,
when the user auditor expresses a modified opinion because of a modified opinion in a service
auditor’s report, the user auditor may refer to the service auditor’s report if this assists in
explaining their modified opinion. The user auditor may need the consent of the service auditor.

Apply and Analyse 4


Flash Ltd Part 3 – Secure Co
As noted in the opening case, a gemstone inventory valued at US$100 million is held for
Flash by Secure Co, a security company. Secure Co keeps the inventory in highly secured
premises in Zurich and transports gems as required by Flash throughout the supply chain.
Secure Co also manages the security of inventory at all of Flash’s stores. Security controls
include vetting of employees, set-up and monitoring of surveillance systems, provision of
safes and other secure facilities, and security patrols.


(i) Explain whether Secure Co’s activities have an impact on Flash’s information
system and financial statements.

(ii) Describe the audit procedures that should be carried out by Flash’s external
auditor with regard to Secure Co.

Analysis

(i) Secure Co holds a material portion of Flash’s inventory. In addition, they provide
security over the transport and holding of inventory at all of Flash’s 50 stores and
throughout the supply chain. Any deficiencies in Secure Co’s performance of these
activities are a risk to the existence, rights, and valuation of Flash’s inventory.

(ii) Flash’s external auditor should seek a Type 2 report regarding Secure Co’s controls
over the inventory held in Zurich, the transportation of inventory throughout the
supply chain, and their contribution to the control of inventory at Flash’s stores.
This report would detail the existence, adequacy, and effectiveness of Secure Co’s
controls and provide assurance to that effect. If no Type 2 report is available, the
auditor would consider carrying out, or hiring another auditor to carry out, a review
and test of Secure Co’s control system.

Substantive tests would also be carried out. These might include confirmation
with Secure Co of their holdings of Flash’s inventory or hiring an auditor’s expert to
carry out substantive procedures addressing the risks to existence and valuation of
that inventory.

Knowledge Check Questions

Question 4
Explain when an auditor would use an auditor’s expert.

Question 5
Describe the procedures an auditor should carry out in assessing the objectivity,
competence, and approach of an auditor’s expert.

Question 6
When an entity uses the work of a service organisation the user auditor may obtain a
Type 1 or Type 2 report from the service organisation. Describe the content of a Type 1
report and explain how this differs from a Type 2 report.


SUMMARY

Internal Audit (IA)

• An IA may be used to reduce the auditor’s control risk assessment or for direct assistance.

• Threats in using IA include self-review and self-interest.

• The auditor must evaluate the IA’s objectivity, reporting level, competence, qualifications, and
the scope and quality of their work.

°° The scope of the IA’s work should include the monitoring of internal controls and financial
reporting.

°° The auditor should reperform some of the IA’s procedures in the relevant area.

• When used for direct assistance:

°° The IA should be used for objective procedures and not for procedures involving
professional judgement.

°° A written agreement should be obtained from management about the IA’s assignment to
assist the external auditor and confidentiality.

Auditor’s Expert (AE)

• An AE is a lawyer, geologist, or other specialist employed by the external auditor to
assess a management’s estimate or to provide an estimate for comparison with the
management’s estimate.

• The auditor must evaluate the expert’s competence and objectivity, and the scope of the work
to be performed.

• An agreement with an AE should address the scope and objectives of the work, the roles of
the AE and the auditor, the use of the AE’s work, and confidentiality.

• The external auditor must have or obtain sufficient knowledge of the area to be able to review
the AE’s work.

• Considerations for the review of the AE’s work include the consistency of the AE’s report with
other audit evidence, and its reasonableness, relevance, and completeness.

Service Organisation (SO)

• An SO is used by an entity (the user) to provide accounting or other services that impact on its
financial statements. The SO is part of the user’s information system.

• The user auditor must assess the inherent and control risks associated with the use of the SO,
and obtain audit evidence to reduce these risks to an acceptable level.


• Procedures include:

°° First, assess user controls. These may be adequate; otherwise

°° Assess SO controls by:


–– Obtaining a Type 1 report (adequacy) or a Type 2 report (adequacy and
effectiveness);

–– Auditing relevant SO controls; and

–– Performing substantive tests of the SO including inquiries, confirmations, analytical
reviews, and tests of detail.

Exhibit 8.1 shows the key concepts of the chapter summary.

| | Internal audit | Auditor’s expert | Service organisation |
|---|---|---|---|
| Purpose | Reduce control risk; Direct assistance | Assess management’s estimate | Provide info for financial statements |
| Threats | Self-review; Self-interest | | |
| Evaluate | Competence; Objectivity; Scope; Quality of work | Competence; Objectivity; Scope; Quality of work | Scope; Quality of work |
| Agreement | Assignment to external auditor; Confidentiality | Scope, data and objectives; Roles; Use of report; Confidentiality | |
| Auditor | Plan; Supervise; Review | Knowledge to review AE’s work; Consistency with other evidence; Reasonableness; Relevance; Completeness | Assess risks; Assess user controls; Assess SO controls (Type 1 or 2 report, Audit controls, Substantive tests) |

EXHIBIT 8.1 Using the work of others


MIND MAP

USING THE WORK OF OTHERS

RELIANCE ON THE WORK OF OTHERS
Main Standards
• HKSA 610 (Revised 2013)
• HKSA 620 (Clarified)
• HKSA 402 (Clarified)
Other Standards
• HKSA 200
• HKSA 220
• HKSA 315 (Revised 2019)
• HKSA 500

EXPERTS AND SERVICE ORGANISATIONS
Determining the Need for an Auditor’s Expert
Audit Procedures Applied to the Work of an Auditor’s Expert
Evaluating the Adequacy of the Auditor’s Expert’s Work
Management’s Expert
Service Organisations

INTERNAL AUDITORS
Using the work of Internal Auditors
• Determining whether internal auditors can be used
• Using the work of the internal audit function
• Determining whether internal auditors can be used for direct assistance
• Determining the nature and extent of work of the internal audit function that can be used
Documentation
Recommend improvements to internal audit

Answers to Knowledge Check Questions

Question 1
Key considerations in assessing objectivity include:
• The professional qualifications of the internal auditor.
• The reporting level – ideally the audit committee.
• The entity policy regarding the independence of the internal audit function.

Question 2
The auditor is likely to rely on the work of the internal auditor for accounts involving
routine transactions and well-documented controls. These will most likely include Cash,
Trade Receivables, Inventory, and Accounts Payable. Reliance is unlikely for accounts and
assertions that require estimates involving subjectivity and judgement.

Question 3
While the internal auditor is likely to be a member of a professional association and
guided by the ethical and other rules of that association, the internal auditor’s objectivity is
compromised by their relationship to their employer – a self-interest threat.

Question 4
An auditor’s expert would be used when the subject matter of the audit is outside the
auditor’s expertise; that is, when knowledge particular to other professions is required
(e.g. lawyers, investment bankers, geologists, actuaries). Such instances mainly arise in
relation to the valuation of inventories or other assets, or of liabilities, contingencies, and
other matters requiring a high level of judgement.


Question 5
The auditor should make inquiries of the expert, and of others who are familiar with the
expert’s work. The auditor should review the expert’s qualifications and professional
associations. The auditor should review the ethical policies of the expert’s professional
association and make inquiries about any conflict of interest, whether business, personal,
or financial, that might affect the expert’s work.

Question 6
A Type 1 report provides a description of the service organisation’s controls and includes
an assurance report prepared by the service auditor on the service organisation’s control
system. A Type 2 report is more extensive. In addition to those matters contained in a
Type 1 report, a Type 2 report provides an assessment of the effectiveness of the control
system, and the service auditor’s report provides assurance on effectiveness.

EXAM PRACTICE

QUESTION 1
You are the auditor of Space Limited. As at 31 December 20X4, Space Limited recorded
identifiable intangibles and goodwill of HK$400 million. The intangibles and goodwill arose
this year when Space Limited acquired Star Limited. The management of Space Limited
engaged an external valuer to test for impairment of goodwill and the identifiable intangibles
arising from the acquisition. The external valuer used a discounted cash flow model.

In planning the audit, you plan to use your firm’s valuation expert to assist the audit
team with the valuation of the identifiable intangibles.

Required:

(a) Explain your considerations relating to determining the use of the firm’s valuation
expert in the valuation of identifiable intangibles.

(b) You decided to use the firm’s valuation expert after the assessment in part (a). Explain
your responsibilities relating to the use of the valuation expert.

QUESTION 2
Inter Co’s main activity is selling home improvement products to the public. Products include
building materials, fasteners, paint, tools, garden supplies, and furniture. Products are
purchased from over 300 suppliers and are sold at 100 stores in three countries.

Inter Co has a professional internal audit department that reports regularly to the audit
committee. Internal auditors:

• Attend the year-end inventory count;

• Review internal controls over purchasing; and

• Review the marketing department’s operations.


Required:

(a) Describe the ways the external auditor can use the work of the internal auditor.

(b) If the external auditor were to use the internal auditor’s work to reduce control risk,
describe the procedures that should be carried out.

(c) If the external auditor were to use the internal audit department to provide direct
assistance, describe the procedures that should be carried out.

ANSWERS TO EXAM PRACTICE

QUESTION 1
(a) Issues to be considered:

• The key issue to be considered is the task of assessing the carrying amounts
of identifiable intangibles and goodwill acquired. If this task is an accounting
matter, and the expert is an accounting expert, then they are not an auditor’s
expert as defined in HKSA 620 (Clarified). If, on the other hand, the expert’s area
of specialisation is business valuation, then they may be considered an auditor’s
expert and HKSA 620 (Clarified) applies.

• The competency of the auditor’s expert should be considered including the expert’s
professional certification and experience in the field.

• The capability of the auditor’s expert. Capability is the auditor’s expert’s ability to
exercise competence in the engagement, including their availability.

• The objectivity of the auditor’s expert. The auditor should inquire as to the interests
and relationship that may create a threat to that expert’s objectivity. As the expert is
an employee of the accounting firm, this threat is unlikely.

• The risk of material misstatement in the matter. This is based on the nature and
complexity of the matter.

• The significance and impact of the expert’s work in the audit.

(b) In accordance with HKSA 620 (Clarified) the auditor should obtain sufficient appropriate
audit evidence to conclude whether the accounting estimate of impairment assessment
made by the management is reasonable in the circumstances. In order to do this, the
auditor should:

• Consider their ability to evaluate the adequacy of the expert’s work, which includes
knowledge of assumptions and models used, and knowledge of the nature of
data used.

• In evaluating the expert’s work, the auditor undertakes procedures to
understand the:

° Reasonableness of the expert’s conclusions in light of any errors discovered;

° Consistency of the findings with other audit evidence;


° Reasonableness of the expert’s assumptions and methods; and

° Relevance, completeness, and accuracy of the source data.

• Where the auditor issues an unmodified opinion, no reference to the expert’s work
should be made.

QUESTION 2
(a) Work of the internal auditor.

The external auditor could use the internal auditor’s work in two ways:

(i) To reduce their control risk assessment regarding inventory and purchasing; and

(ii) To provide direct assistance in the audit of inventory and purchases.

(b) Procedures associated with control risk reduction.

The external auditor must assess the competence, objectivity, and the quality of the
work of the internal audit function; and reperform some of the internal auditor’s work
in order to confirm its reliability. Key issues include:

• The reporting level or organisational status;

• The scope of the internal audit function;

• Technical competence and professional attitude; and

• Adequacy of the internal auditor’s working papers.

(c) Procedures associated with direct assistance.

The external auditor must assess the competence, objectivity, and the quality of
the work of the internal audit function (see b above), make an agreement with
management about the internal auditor’s responsibilities regarding confidentiality and
reporting, and plan, supervise, and review the internal auditor’s work.

9 Major Actions During the Audit Completion

CHAPTER TOPIC LIST

9.1 Audit Completion
   9.1.1 Sufficient Appropriate Audit Evidence

9.2 Plan the Procedures to Be Conducted at the Completion of the Audit

9.3 Explain the Purpose of and Procedures to be Used During Audit Completion
   9.3.1 A Going Concern Review
   9.3.2 A Subsequent Events Review
   9.3.3 Obtaining Written Representations from Management
   9.3.4 Overall Audit of Financial Statements
   9.3.5 Review of Other Published Information
   9.3.6 Evaluation of Misstatements Identified During the Audit
   9.3.7 Communicating with Those Charged with Governance

9.4 Related Parties
   9.4.1 Auditor’s Objectives
   9.4.2 Definition of a Related Party
   9.4.3 Risk Assessment Procedures and Related Activities
   9.4.4 Responses to the Risks of Material Misstatement Associated with Related Party
         Relationships and Transactions
   9.4.5 Evaluation of the Accounting for and Disclosure of Identified Related Party
         Relationships and Transactions
   9.4.6 Written Representations and Documentation
   9.4.7 Communication with Those Charged with Governance

9.5 Discovery of Illegal Acts or Fraud Discovered During the Audit
   9.5.1 The Auditor’s Responsibilities Relating to Fraud in an Audit of Financial Statements
   9.5.2 Consideration of Laws and Regulations in an Audit of Financial Statements


LEARNING OUTCOMES

PRINCIPAL LO1: PERFORM ASSURANCE ENGAGEMENTS


LO1.12: Prepare, plan and develop assurance engagements including the audits of financial
statements in accordance with relevant Hong Kong Standards of Quality Control,
Auditing, Assurance and Related Services, guidance and legislation with emphasis on:
Completion Procedures

1.12.01 Evaluate whether sufficient appropriate audit evidence has been obtained during the audit
1.12.02 Explain the purpose of and procedures to be used during audit completion:
   • A subsequent events review
   • A going concern review
   • Obtaining written representations from management
   • Review of report by component auditors to the group auditor
   • Overall review of the financial statements
   • Review of other published information
1.12.03 Explain the procedures required to identify and audit related party transactions
1.12.04 Evaluate misstatements identified during the audit
1.12.05 Explain the follow up on illegal act or fraud found while performing an audit especially in the
case of money laundering or corruption
1.12.06 Plan the procedures to be conducted at the completion of the audit
1.12.07 Communicate with those charged with governance

LO1.13: Prepare, plan and develop assurance engagements including the audits of financial
statements in accordance with relevant Hong Kong Standards of Quality Control,
Auditing, Assurance and Related Services, guidance and legislation with emphasis on:
Reporting

1.13.01 Prepare a management letter to report on internal control weaknesses and to make
recommendations to overcome those weaknesses
1.13.02 Communicate with management or those charged with governance


OPENING CASE

AUDIT OF HUNG FU BANK INTERNATIONAL

Quality auditor (‘Quality’) is a firm of certified public accountants (practicing) registered
with the Hong Kong Institute of Certified Practicing Accountants (‘HKICPA’). Quality has
been undertaking the audit of Hung Fu Bank International (‘Hung Fu’), a publicly listed financial
institution on the Hong Kong Stock Exchange (‘HKEx’), for some years.

Hung Fu engages in retail banking, wealth management, commercial banking, and global
banking and is seeking to also move into the insurance sector, as many other banks have done,
in order to obtain lucrative returns on their investments. Hung Fu has invested heavily in its
digital banking platforms to ensure the bank is seen as a market leader in its offerings to its
customers.

In the last couple of years, Hung Fu has incurred collectively assessed impairment charges
against its credit card and personal loan portfolios. Hung Fu’s focus of recent times has been
directed towards the small- to medium-sized enterprises (‘SMEs’) and growing their share
in that market. Hung Fu would have guarantees and irrevocable letters of credit pledged as
collateral security.

Quality recognises the complex environment in which financial institutions operate and has
specialist banking and finance professionals assigned to the audit of Hung Fu to ensure that the
audit risks are identified and that the skills needed to mitigate those risks to an acceptable level
of Quality are applied.

The current year’s audit, for the year ended 31 December 20X1, is coming to its conclusion
and the audit partner Chin Ling has asked her team for a meeting to discuss the audit progress
and how the audit team intends to bring the audit to its completion. (Note that this audit
process does not cover any of the compliance audits required of the banking and insurance
industries in Hong Kong.)

The Agenda for this meeting is set out in Exhibit 9.1.


AGENDA
Audit Completion Meeting: Hung Fu Bank International
Date: 20 March 20X2 at 10.00 a.m., Hong Kong Office, Queens Road, Central
Present at Meeting: Chin Ling – audit partner; Lau Lam – audit manager;
Lee Liang – audit manager; Manchu Kang – audit supervisor

| Agenda item | Issues identified | Actions required |
|---|---|---|
| Outcomes from the Going Concern Assessment | There have been some significant compliance issues within Hung Fu’s lending departments. | Full assessment needed, as part of the completion stages, by Lau Lam in conjunction with Chin Ling. |
| Evaluation of adjusted and non-adjusted errors identified throughout the audit process | Hung Fu has been very resistant to discussing the errors identified by the audit team this year. | Lee Liang to discuss further with Chin Ling with the aim of having a further discussion with those charged with governance about the likely implications of the errors for the auditor’s opinion if not adjusted in the financial statements. |
| Draft financial statements | The first draft of the financial statements has been received (230 pages in length). Historically, there have been substantial omissions and errors in the drafts presented to Quality. | Manchu Kang to do the first review of the financial statements and then Lau Lam will complete the second review. The team needs to determine when the firm’s technical department should become involved in the completion process. That department has assisted on a number of possible reporting issues during the period. |
| Contingent liabilities assessment | It has been noted in the current year that the guarantees pledged by Hung Fu had increased considerably and that there are a number of legal matters that at year end are unresolved. | Lee Liang needs to investigate the areas identified and determine that all contingent liabilities have been identified and the disclosures in the financial statements are appropriate. |
| Other commitments | From the review of the minutes of Board meetings, Quality has identified that Hung Fu has committed to constructing a second building at North Point. | Manchu Kang is to collect audit evidence for other commitments and ensure that the appropriate disclosures have been made. |
| Subsequent events | Outstanding. Chin Ling is aware of a significant development post year end that she will discuss further with the audit team when she finds out the details from board members of Hung Fu. | Chin Ling to follow up with the audit team. |
| Related parties | Hung Fu management had represented to Lau Lam that the only related party was a broking business. Lau Lam has determined that several loans to director-related entities had been made during the period. | Chin Ling to determine with the engagement managers what the next steps are, inclusive of re-assessing the level of audit risks previously identified. |
| Fraud and illegal acts | No frauds or illegal acts were noted to date in the audit process. | Chin Ling emphasised to team members that they should stay alert during completion to the possibility of fraud. |

EXHIBIT 9.1 Agenda for audit completion meeting


OVERVIEW

The completion stage of an audit is of crucial importance. It is during this stage that the auditor
stands back and reflects on the status of the audit and aligns the conclusions obtained to date
with thinking about the auditor’s opinion that may be issued. It is also a further opportunity
to ensure that there are no further changes needed to the risk assessment conducted under
HKSA 315, Identifying and Assessing the Risks of Material Misstatement (Revised 2019), and that the
audit response under HKSA 330, The Auditor’s Responses to Assessed Risks, has been appropriate.

Before continuing with this chapter, you are encouraged to reflect on the earlier phases of
the audit process already outlined in Chapters 1 to 8 of this module. The completion phase of
the audit brings together all the learning you have achieved in the previous chapters.

This chapter will introduce you to several HKICPA auditing standards and will return you to
some of the standards you have already covered during this module.

The audit procedures commonly undertaken at the completion stage of the audit include
the following, which will be explored in depth in this chapter:

• Going concern assessment completion.

• Subsequent events.

• The written representations that auditors need to obtain.

• Final overall audit of the financial statements.

• Evaluation of misstatements and the likely impact where the misstatements are
material and management do not want to make the changes.

• Required communications with those charged with governance.

• Identification of related parties.

• Discovery of illegal acts or fraud discovered during the audit.

9.1 AUDIT COMPLETION

The auditor is responsible for drawing conclusions based on the audit work completed up to
the completion phase of the audit.

9.1.1 Sufficient Appropriate Audit Evidence


Regulators and other reviewers of auditors’ work look for documentation of the auditor having
gained ‘sufficient appropriate audit evidence’ to form opinions. A common stance of these
parties is that if such evidence was not documented, then it was not obtained. This stance can
lead to severe conclusions about the quality of the audit. We are going to explore the nature of
such evidence here.

In HKSA 500, Audit Evidence, audit evidence is defined as ‘information used by the auditor
in arriving at the conclusions on which the auditor’s opinion is based. Audit evidence includes
both information contained in the accounting records underlying the financial statements and
information from other sources’ (HKSA 500.5(c)). Sufficiency is defined as ‘the measure of the
quantity of audit evidence. The quantity of the audit evidence needed is affected by the auditor’s
assessment of the risks of material misstatement and also by the quality of such audit evidence’
(HKSA 500.5(e)). Appropriateness is defined as ‘The measure of the quality of audit evidence;
that is, its relevance and its reliability in providing support for the conclusions on which the
auditor’s opinion is based’ (HKSA 500.5(b)).

What does this mean in practice though?

If you consider a bucket as a repository for audit evidence and water represents audit evidence,
how much clean water does an auditor need in the bucket to be happy that for a certain area
and for the appropriate audit assertions (see Chapter 3) there is sufficient appropriate audit
evidence to reduce detection risk (see Chapter 4) to an acceptable level? This is a complex
question and in practice the answer will vary considerably. The overall objective of the auditor
is to be very efficient in obtaining water by obtaining only the audit evidence necessary to be
satisfied that detection risk is at an acceptable level. This process is cumulative in nature over
the entire audit process.

Some of the key elements that will contribute to the sufficiency and quality of audit
evidence are:

• Source of evidence – external. Externally and independently derived audit evidence, in
most cases, has a greater level of credibility and effectiveness than internally generated
evidence. This evidence usually takes the form of confirmations, expert reports,
analyst’s reports, and benchmarking data. These sources will either act as primary
evidence or serve to corroborate management’s assertions. This source of evidence in
most cases would result in a ‘smaller amount of water’ needing to be collected.

• Source of evidence – internal. This is audit evidence derived from the entity’s accounting
records and its controls. Inter-relationships between internally sourced data can
provide a degree of corroboration.

• How the audit evidence was obtained and evaluated. Inspection, observation,
recalculation, re-performance, analytical procedures, and inquiry can be applied, as
appropriate, to the circumstances.

• Relevance to the risks and assertions being audited. Logical connection needs to
be achieved between the evidence gathered and the risks and assertions being
considered.

Therefore, as the image above portrays, the auditors at the completion stage of the audit
are determining whether or not they are satisfied that each bucket (aspect of the audit) has the
right quality and level of clean water (sufficient and appropriate audit evidence) in it.


Apply and Analyse 1


When Lau Lam, an audit manager of the Hung Fu audit, was discussing with Manchu Kang
the audit evidence he had obtained in relation to the creditor’s balance of HK$40 million at
31 December 20X1 (a material balance, with some significant balances making up the total,
with a medium inherent risk rating over the relevant assertions), Manchu explained the
following:

1. He had completed the lead sheet summarising the balances and had obtained
an explanation from the accountant as to the reasons for the movements in
balances between the years and documented what the accountant had said on the
lead sheet.

2. A copy of the creditor’s reconciliation was obtained and agreed to the subsidiary
ledger and Manchu confirmed it had been reviewed by a more senior accountant.

3. Manchu then conducted audit sampling by randomly choosing ten creditors from
the creditors’ subsidiary ledger totalling HK$ million. He agreed the creditor’s
balances to the original invoices and found no exceptions.

Analysis

Lau Lam would have concluded fairly quickly that Manchu had not obtained sufficient
appropriate audit evidence to reduce the risk of material misstatement. (To simplify the
analysis, the fact that controls in the context of a Bank are critical to achieve audit comfort
has been excluded.) The level of testing is far too low to support a conclusion about the
population from which the sample was drawn. Manchu should have considered non-
statistical sampling of the largest creditor balances with external confirmations as his
first step and then used audit sampling for the rest of the creditor population to a level
appropriate to the level of audit risk remaining. There is no evidence from what Manchu
has said in relation to whether he tested for completeness and whether he had considered
how the cut-off for creditors had been applied.

All audit work should be subject to at least one level of review by a suitably qualified
audit team member. This is the basic quality control requirement of HKSA 220, Quality
Control for an Audit of Financial Statements, and serves to ensure that sufficient appropriate
audit evidence has been obtained in respect of transactions and events, balances, and
disclosures included in the financial statements.

When evaluating audit evidence, consideration should be given to ensure the following:

• The work has been performed in accordance with the relevant professional
standards and the legal and regulatory requirements of Hong Kong;

• The risks identified during the planning process have been appropriately
addressed throughout the audit;

• Having designed and performed audit procedures to verify assertions in the
financial statements, the outcome of the procedures constituted relevant and
reliable audit evidence that is capable of supporting the auditor’s opinion;

• Any significant matters identified have been addressed appropriately and the
matter and outcomes have been documented appropriately;



• The work performed supports the conclusions reached and has been appropriately
documented;

• Where a reviewer evaluated that further audit work needed to be completed,
the nature and extent of further work was documented and subjected to a
follow-up review; and

• Appropriate consultations have taken place and the outcomes were implemented
and supported by documentation.

During the completion phase of the audit, it is critical that an engagement partner is
satisfied that the accumulation of audit evidence through the audit process supports the
proposed opinion of the auditor.

Ethics in Practice 1
The auditor must always exercise professional competence, due care, and professional
behaviour (Sections 113 and 115 of The Code of Ethics for Professional Accountants
(Revised)). This can be challenging as the audit process comes to completion and
the audit report deadline looms. To ensure that the ethical principles of professional
competence, due care, and professional behaviour are met, the auditor must not be
tempted to take ‘short cuts’ in completing the audit in line with the relevant professional
standards and the legal and regulatory requirements of Hong Kong.

Knowledge Check Questions

Question 1
Describe what you believe to be the key factors an auditor should think about when
gathering audit evidence.

9.2 PLAN THE PROCEDURES TO BE CONDUCTED AT THE COMPLETION OF THE AUDIT

When developing the overall audit strategy and audit plan, the auditor should consider what
needs to be done in the completion phase of the audit. As HKSA 300, Planning an Audit of
Financial Statements, outlines, planning should not be seen as a discrete and separate part
of the overall audit, and as the audit progresses could be subject to change dependent on
unforeseen circumstances that may occur.

As has been noted earlier in this module, an initial risk assessment will be completed in
the early phases of the audit, which may highlight matters that are more likely to be subject to
detailed audit procedures towards the completion of the audit. Typically, these risks could relate
to going concern, subsequent events, and prior period misstatements (errors).

Factors that can also be planned earlier on in the audit process are the timing of the
auditor’s opinion and timing of communications with those charged with governance, including
the closing report and management letter distribution.

While written representations from management or those charged with governance are
obtained by the auditor as close as possible to the date of the auditor’s report, as the audit
progresses the auditor should be ensuring that any matters that need specific coverage in the
representation letter are identified and kept current.

9.3 EXPLAIN THE PURPOSE OF AND PROCEDURES TO BE USED DURING AUDIT COMPLETION

9.3.1 A Going Concern Review


Note that the overarching responsibility for the assessment of an entity’s ability to continue as
a going concern is that of management. Specifically, Hong Kong Accounting Standard (HKAS) 1,
Presentation of Financial Statements, requires management to make an assessment of an entity’s
ability to continue as a going concern (HKAS 1.25–26). Directors in certain circumstances are
required under the Hong Kong Companies Ordinance (Cap.622) to make a solvency statement
(confirming that debts can be met as and when they fall due).

It should be noted that the going concern assessment undertaken for financial reporting
purposes is not intended to provide a guarantee that the entity will remain a going concern for
12 months from the date of the current financial statements. The assessment is a judgement
based on what is known at the date of the financial statements.

9.3.1.1 Auditor’s Objectives


HKSA 570 (Revised), Going Concern, sets out that under a going concern basis of accounting,
the financial statements are prepared on the assumption that the entity is a going concern
and will be able to pay its debts as and when they fall due. Alternatively, but relatively rarely,
management may state in the financial statements their intention to liquidate the entity or
cease operations. More problematical are the circumstances in which management are hoping
and planning to continue but the risks of this not being so are becoming quite material.

To this end the objectives of the auditor are to:

• Obtain sufficient appropriate audit evidence regarding the appropriateness of the use
of the going concern basis of accounting in management’s preparation of the financial
statements;

• Conclude on whether a material uncertainty exists based on audit evidence obtained
related to events or conditions that may cast significant doubt on the entity’s ability to
continue as a going concern; and

• Draw conclusions and form an opinion on whether the entity is a going concern, based
on the requirements of HKSA 570 (Revised).


9.3.1.2 Requirements
HKSA 570 (Revised) notes that the going concern assessment is made at the date of the
financial statements and takes into account the relevant facts and circumstances known at that
date. Judgements need to be made by both management and the auditor.

HKSA 570 (Revised) sets out four key aspects for the auditor to consider when undertaking
a going concern assessment (HKSA 570.9-16). These relate to:

1. Risk assessment procedures and related activities.

2. Evaluating management’s assessment.

3. Considering the period beyond management’s assessment.

4. Designing and implementing additional audit procedures.

9.3.1.3 Risk Assessment Procedures and Related Activities


The auditor needs to consider going concern at the early stages of the audit, in particular when
performing the risk assessment procedures required under HKSA 315 (Revised 2019), Identifying
and Assessing the Risks of Material Misstatement. This assessment should extend to considering
whether there are events or conditions that are in existence that may cast significant doubt on
the going concern basis of accounting. This assessment will normally be based on the auditor’s
knowledge of the industry, the history of the entity itself, a review of draft financial statements
or trial balance, and known events from the current period and the post balance date period.

It is the auditor’s responsibility to discuss concerns with management and determine the
level of risk such that the response to the risk can be planned and performed in line with HKSA
330, The Auditor’s Responses to Assessed Risks.

The auditor will look for relationships between amounts that indicate risk. The auditor will
consider not only the absolute amounts involved but also the trend in those amounts. Some
warning signs that are commonly taken into account by the auditor in the risk assessment of
the going concern assumption include the following.

Financial
• Current liabilities exceed current assets.

• Total liabilities exceed total assets.

• Net cash outflows from operating activities.

• Current and historical operating losses.

• Cash on delivery terms required by creditors.

• Unusual financing arrangements (e.g. unusual amounts sourced from off-shore entities
of questionable repute).

• Significant legal costs and pending cases.

• Bank or other covenant breaches.

• Significant increases in ‘own credit’ risk implied in the value of financial liabilities.


Operational
• Long lead times on sales of both current and non-current assets.

• Significant amounts of debt due and payable.

• The number of days’ credit implied in creditor balances is extending or contracting
materially.

• Supply chain issues.

• Increases in competition.

• Loss of major customers.


Other
• Recent economic or environmental trends, events, and disasters.

• Changes in laws and regulation.

• Non-insurable events occurring.

9.3.1.4 Evaluating Management’s Assessment


The focus of the auditor’s work should be to obtain sufficient appropriate audit evidence to
evaluate management’s assessment of the entity’s ability to continue as a going concern.

Management should be able to present to the auditor any or all of the following when
the auditor is seeking support for management’s assessment that a going concern basis of
accounting is appropriate (this list is not exhaustive but acts as a guide only):

• Obtain the budgets and forecasts prepared by management and analyse the underlying
assumptions and appropriateness of their use.

• Obtain and inquire of management’s plans and minutes supporting changes to
operating strategies and plans, and evaluate whether the management’s assumptions
are reasonable.

• Consider obtaining written agreement from creditors or financiers stating that they will
not call back what is owed to them for at least 12 months from the date of the financial
statements.

• Obtain proof of support from related parties that they can underwrite any payments
of debts as and when they fall due for 12 months from the date of the financial
statements.

• Determine if management can obtain further funding from creditable financiers.

Management’s assessment should cover at least 12 months from the date of the financial
statements and the auditor’s assessment should cover the same period. The auditor must
ensure that they do not take management’s assessment at face value and that sufficient
appropriate audit evidence is obtained including, where necessary, evidence that support
offered is reasonable given the financial position of the support giver.

9.3.1.5 Period Beyond Management’s Assessment


The auditor shall inquire of management as to its knowledge of events and conditions beyond
the period of management’s assessment, which may cast significant doubt on the entity’s ability
to continue as a going concern.


9.3.1.6 Additional Audit Procedures When Events or Conditions Are Identified


If, after completing the risk assessment at the planning stage and after the evaluation of
management’s assessment, events or conditions have been identified
that may cast significant doubt on the entity’s ability to continue as a going concern, the auditor
shall obtain sufficient appropriate audit evidence to determine whether or not a material
uncertainty exists related to events or conditions that may cast significant doubt on the entity’s
ability to continue as a going concern (hereinafter referred to as ‘material uncertainty’) through
performing additional audit procedures, including consideration of mitigating factors. These
procedures shall include:

a. Where management has not yet performed an assessment of the entity’s ability to
continue as a going concern, requesting management to make its assessment.

b. Evaluating management’s plans for future actions in relation to its going concern
assessment, whether the outcome of these plans is likely to improve the situation and
whether management’s plans are feasible in the circumstances.

c. Where the entity has prepared a cash flow forecast, and analysis of the forecast is
a significant factor in considering the future outcome of events or conditions in the
evaluation of management’s plans for future actions:

(i) Evaluating the reliability of the underlying data generated to prepare the
forecast and

(ii) Determining whether there is adequate support for the assumptions underlying
the forecast.

d. Considering whether any additional facts or information have become available since
the date on which management made its assessment.

e. Requesting written representations from management and, where appropriate, those
charged with governance, regarding their plans for future actions and the feasibility of
these plans.

9.3.1.7 Audit Conclusion


Based on the audit evidence obtained, the auditor will conclude whether in the auditor’s
judgement a material uncertainty exists in relation to events or conditions that individually or
collectively may cast significant doubt on the entity’s ability to continue as a going concern.

If a material uncertainty does exist and the auditor determines that management’s use
of the going concern basis of accounting is appropriate, the auditor will determine whether
adequate disclosure has been made by management in the financial statements outlining how
management plans to deal with the events or conditions.

9.3.1.8 Implications for the Auditor’s Report


The auditor has several distinct conclusions that can be reached on a going concern. Those
conclusions determine the type of auditor’s report that could be issued. A detailed assessment
of the auditor’s report options is provided in Chapter 10.


The following are the general conclusions set out in HKSA 570 (Revised):

1. If the auditor concludes that management’s use of the going concern basis of
accounting is appropriate in the circumstances, but that a material uncertainty exists,
the auditor shall determine whether the financial statements:

a. Adequately disclose the principal events or conditions that may cast significant
doubt on the entity’s ability to continue as a going concern and management’s plans
to deal with these events or conditions and

b. Disclose clearly that there is a material uncertainty related to events or conditions
that may cast significant doubt on the entity’s ability to continue as a going concern
and, therefore, that it may be unable to realise its assets and discharge its liabilities
in the normal course of business.

2. If events or conditions have been identified that may cast significant doubt on the
entity’s ability to continue as a going concern but, based on the audit evidence
obtained the auditor concludes that no material uncertainty exists, the auditor shall
evaluate whether, in view of the requirements of the applicable financial reporting
framework, the financial statements provide adequate disclosures about these events
or conditions.

3. If the financial statements have been prepared using the going concern basis of
accounting but, in the auditor’s judgement, management’s use of the going concern
basis of accounting in the preparation of the financial statements is inappropriate, the
auditor shall express an adverse opinion.

4. If adequate disclosure about the material uncertainty is made in the financial
statements, the auditor shall express an unmodified opinion and the auditor’s report
shall include a separate section under the heading ‘Material Uncertainty Related to
Going Concern’ to:

a. Draw attention to the note in the financial statements that discloses the matters set
out in 1 above and

b. State that these events or conditions indicate that a material uncertainty exists that
may cast significant doubt on the entity’s ability to continue as a going concern and
that the auditor’s opinion is not modified in respect of the matter.

5. If adequate disclosure about the material uncertainty is not made in the financial
statements, the auditor shall:

a. Express a qualified opinion or adverse opinion, as appropriate, in accordance with
HKSA 705 (Revised) and

b. In the Basis for Qualified (Adverse) Opinion section of the auditor’s report, state that
a material uncertainty exists that may cast significant doubt on the entity’s ability
to continue as a going concern and that the financial statements do not adequately
disclose this matter.

6. If management is unwilling to make or extend its assessment when requested to do so
by the auditor, the auditor shall consider the implications for the auditor’s report.


Illustrative Example 1
Three examples are included below with the wording of the relevant paragraphs in the
auditor’s report from the Appendix to HKSA 570 (Revised). There are many different
examples depending on the particular circumstances surrounding a significant
uncertainty and how it has been treated and/or disclosed by those charged with
governance.

Unmodified auditor’s opinion with a material uncertainty paragraph:

Basis for Opinion

We conducted our audit in accordance with Hong Kong Standards on Auditing (HKSAs)
issued by the HKICPA. Our responsibilities under those standards are further described
in the Auditor’s Responsibilities for the Audit of the Financial Statements section of our
report. We are independent of the Company in accordance with the HKICPA’s Code of
Ethics for Professional Accountants (‘the Code’) and we have fulfilled our other ethical
responsibilities in accordance with the Code. We believe that the audit evidence we have
obtained is sufficient and appropriate to provide a basis for our opinion.

Material Uncertainty Related to Going Concern

We draw attention to Note XXX in the financial statements, which indicates that the
Company incurred a net loss of ZZZ during the year ended 31 December 20X1 and, as
of that date, the Company’s current liabilities exceeded its total assets by YYY. As stated
in Note ZZ, these events or conditions, along with other matters as set forth in Note
ZZ, indicate that a material uncertainty exists that may cast significant doubt on the
Company’s ability to continue as a going concern. Our opinion is not modified in respect
of this matter.

Qualified Opinion When a Material Uncertainty Exists and the Financial Statements Are
Materially Misstated Due to Inadequate Disclosure

Qualified Opinion

We have audited the financial statements of ABC Company (‘the Company’) set out on
pages . . . to . . ., which comprise the statement of financial position as at 31 December
20X1, and the statement of profit or loss and other comprehensive income, statement of
changes in equity, and statement of cash flows for the year then ended, and notes to the
financial statements, including a summary of significant accounting policies.

In our opinion, except for the incomplete disclosure of the information referred to in
the Basis for Qualified Opinion section of our report, the financial statements give a true
and fair view of the financial position of the Company as at 31 December 20X1, and of its
financial performance and its cash flows for the year then ended in accordance with Hong
Kong Financial Reporting Standards (HKFRSs) issued by the Hong Kong Institute of Certified
Public Accountants (HKICPA) and have been properly prepared in compliance with the
Hong Kong Companies Ordinance.

Basis for Qualified Opinion

As discussed in Note YY, the Company’s financing arrangements expire and amounts
outstanding are payable on 19 March 20X2. The Company has been unable to conclude
re-negotiations or obtain replacement financing. This situation indicates that a material
uncertainty exists that may cast significant doubt on the Company’s ability to continue as
a going concern. The financial statements do not adequately disclose this matter.

We conducted our audit in accordance with Hong Kong Standards on Auditing (HKSAs)
issued by the HKICPA. Our responsibilities under those standards are further described
in the Auditor’s Responsibilities for the Audit of the Financial Statements section of our
report. We are independent of the Company in accordance with the HKICPA’s Code of
Ethics for Professional Accountants (‘the Code’) and we have fulfilled our other ethical
responsibilities in accordance with the Code. We believe that the audit evidence we have
obtained is sufficient and appropriate to provide a basis for our qualified opinion.

Adverse Opinion When a Material Uncertainty Exists and Is Not Disclosed in the
Financial Statements

Adverse Opinion

We have audited the financial statements of ABC Company (‘the Company’) set out on
pages . . . to . . ., which comprise the statement of the financial position as at 31 December
20X1 and the statement of profit or loss and other comprehensive income, the statement
of changes in equity and statement of cash flows for the year then ended, and notes to the
financial statements, including a summary of significant accounting policies.

In our opinion, because of the omission of the information mentioned in the Basis for
Adverse Opinion section of our report, the financial statements do not give a true and fair
view of the financial position of the Company as at 31 December 20X1, and of its financial
performance and its cash flows for the year then ended in accordance with Hong Kong
Financial Reporting Standards (HKFRSs) issued by the Hong Kong Institute of Certified
Public Accountants (HKICPA). In all other respects, in our opinion the financial statements
have been properly prepared in compliance with the Hong Kong Companies Ordinance.

Basis for Adverse Opinion

The Company’s financing arrangements expired and the amount outstanding
was payable on 31 December 20X1. The Company has been unable to conclude
re-negotiations or obtain replacement financing and is considering filing for bankruptcy.
This situation indicates that a material uncertainty exists that may cast significant doubt
on the Company’s ability to continue as a going concern. The financial statements do not
adequately disclose this fact.

We conducted our audit in accordance with Hong Kong Standards on Auditing (HKSAs)
issued by the HKICPA. Our responsibilities under those standards are further described
in the Auditor’s Responsibilities for the Audit of the Financial Statements section of our
report. We are independent of the Company in accordance with the HKICPA’s Code of Ethics
for Professional Accountants (‘the Code’) and we have fulfilled our ethical responsibilities
in accordance with the Code. We believe that the audit evidence we have obtained is
sufficient and appropriate to provide a basis for our adverse opinion.


9.3.1.9 Communication with Those Charged with Governance


It is important for the auditor to communicate with those charged with governance on a timely
basis in circumstances when the auditor determines that there is a significant uncertainty
pertaining to the going concern. This communication is important as the auditor may want to
issue an unmodified auditor’s opinion with a material uncertainty related to the going
concern paragraph or a modified opinion. (The different auditor’s opinions are outlined in
detail in Chapter 10.) When a material uncertainty relating to the going concern is identified, it
is likely to be the subject of multiple communications between the auditor and those charged
with governance. These need to be documented. Specifically, HKSA 570 (Revised) requires the
following communications (HKSA 570.25).

Unless all those charged with governance are involved in managing the entity, the auditor
shall communicate with those charged with governance events or conditions identified
that may cast significant doubt on the entity’s ability to continue as a going concern. Such
communication with those charged with governance shall include the following:

a. Whether the events or conditions constitute a material uncertainty;

b. Whether management’s use of the going concern basis of accounting is appropriate in
the preparation of the financial statements;

c. The adequacy of related disclosures in the financial statements; and

d. Where applicable, the implications for the auditor’s report.

Apply and Analyse 2


During the planning phase of the audit of Hung Fu it was discovered by Chin Ling that
the Bank had received a number of warnings from the Hong Kong Monetary Authority
(HKMA) in relation to its compliance with its lending policies and procedures. Lending
constitutes a significant portion of the Bank’s profitability and its receivable balances.
Chin Ling has requested that the board of directors provide information in relation to the
Bank’s responses to the warnings and an assessment of the potential impact if lending
was significantly curtailed for the Bank, and what impact this would have on the Bank’s
ability to continue as a going concern. Chin Ling is most concerned about this situation,
particularly as the lessons from the Global Financial Crisis and the Barings Bank collapse
are at the front of her mind.

Analysis

Chin Ling has conducted all assessments that she should have performed under HKSA 570
(Revised) to this point. Chin Ling will need to receive sufficient appropriate audit evidence
from the HKMA, either addressed to management or directly to the auditor, in relation
to their proposed actions against Hung Fu, if any, and how those actions may impact the
ongoing viability of the Bank. Management should be supplying Chin Ling with budgets
and forecasts based on current levels of Bank business and projected operational changes,
as well as budgets and forecasts should the lending sector of the Bank be limited or
discontinued. Chin Ling and her team would need to be more alert to any other potential
issues with banking compliance throughout the audit process.


9.3.2 A Subsequent Events Review


The subsequent events review stage of the audit process is vital to ensuring that all items with a
material consequence have been appropriately reflected up to the date of the auditor’s opinion.

9.3.2.1 Objectives of the Auditor


HKSA 560 Subsequent Events requires the auditor to perform audit procedures to obtain
sufficient appropriate audit evidence that all events occurring between the date of the financial
statements and the date of the auditor’s report that require adjustment of, or disclosure in, the
financial statements have been identified and appropriately accounted for and/or disclosed in
the financial statements.

Exhibit 9.2 illustrates when the subsequent events period occurs during the timeline of the
auditor’s report.

[Figure: timeline with three markers (start of financial period; date of financial statements,
aka balance date; date of auditor’s report) and the labels Reporting Period, Subsequent-Events
Period and Cut-Off.]

EXHIBIT 9.2 Timeline of the auditor’s report

The auditor must also respond to facts that become known after the date of the auditor’s
report and that, had they been known to the auditor at the time of the auditor’s opinion, would
have caused the auditor to amend the opinion, and consider reissuing the audit opinion.

9.3.2.2 Types of Subsequent Events


There are two types of subsequent events:

1. Those that provide further evidence of conditions that existed at the end of the financial
period, known as adjusting or Type 1 subsequent events.

2. Those that provide evidence of conditions that arose after the end of the financial
period, known as non-adjusting or Type 2 subsequent events. Though not adjusted,
they are the subject of disclosure requirements.

The most common disclosure of Type 2 subsequent events in Hong Kong listed entity
financial statements is of a dividend, or special dividends, declared post period end.


Illustrative Example 2
The Board of directors of Ming Wa Company have participated in a number of highly
confidential board meetings during the current accounting period that ended on 31
December 20X0. The basis of discussion was associated with the potential closure of a
major manufacturing plant and terminating the employment of all 500 people employed
at the plant. These discussions followed a review by external consultants late in the
fourth quarter that seriously questioned the viability of the plant and recommended
impairment charges. The discussions of the Board have been minuted.

Scenario 1. The Board makes a final decision on 1 January 20X1 that the manufacturing
plant will be closed and that the contracts of all 500 employees will be terminated, having
already completed a management assessment of the impairments required to assets and
the provisions required for termination payments before 31 December 20X0. In this case,
the circumstances being considered were the result of conditions that existed prior to the
period end, despite the final decision being made on 1 January. In this case the financial
impact of the subsequent (Type 1) event would need to be adjusted in the financial
statements for the period ending 31 December 20X0.

Scenario 2. The Board continues its discussions into 20X1. One week prior to the
signing of the financial statements for 31 December 20X0, a potential purchaser has signed
a deed of intent to conduct due diligence procedures to potentially purchase the plant
and continue to employ the 500 people currently working at the plant. There is no deed
of confidentiality and given the rumours surrounding the plant and its employees, the
Board decided to release what they knew of the potential purchase to the market via an
announcement through the HKEx. Given the potential purchase arose after the year-end,
but the potential outcomes would be material, appropriate disclosures should be made in
the notes to the financial statements explaining to users the facts as they are known at the
date of the financial statements (Type 2 event). Further consideration would need to have
been made by the auditor during the audit process as to the carrying value of assets of
the plant and whether or not the uncertainty as to the future of the plant creates a going
concern issue.

9.3.2.3 Requirements
The auditor shall perform audit procedures designed to obtain sufficient appropriate audit
evidence that all events occurring between the date of the financial statements and the date
of the auditor’s report that require adjustment of, or disclosure in, the financial statements
have been identified. The auditor is not, however, expected to perform additional audit
procedures on matters to which previously applied audit procedures have provided satisfactory
conclusions.

9.3.2.4 Audit Procedures


When looking at the audit procedures that should be conducted to meet the requirements of
HKSA 560, the auditor can divide this work into three key time periods:

1. Events occurring between the date of the financial statements and the date of the
auditor’s report;


2. Facts that become known to the auditor after the date of the auditor’s report but prior
to the date of issue of the financial statements; and

3. Facts that become known to the auditor after the financial statements have
been issued.

Events Occurring Between the Date of the Financial Statements and the Date of the
Auditor’s Report
If the auditor determines that there have been events occurring between the date of the
financial statements and the date of the auditor’s report, the auditor needs to refer to their
initial risk assessment undertaken under the requirements of HKSA 315 (Revised 2019), and
updated as appropriate throughout the audit process, to determine the appropriate extent
of additional audit procedures that need to be undertaken. It is important to note that audit
procedures undertaken should be completed as close to the date of the auditor’s report as
possible. The procedures may include:

• Gaining an understanding of how management has identified and assessed the
subsequent events and the reasonableness of the assumptions used by management
in drawing their conclusions;

• Enquiring of management and potentially the Board to establish if any events or
circumstances have occurred that may have a financial impact on the entity;

• Reading minutes from Board meetings and management meetings to identify any
events that have occurred which may have impact on the entity’s financial statements;

• Reviewing trial balances produced after the period end; and

• Contacting legal counsel to determine whether anything has come to their attention
since sending their written confirmation. (Note that often regulators expect, although
not written in law or the auditing standards, that such a follow-up should be made a
maximum of seven days before the date of the auditor’s opinion.)

If, after having completed the procedures noted above, the auditor becomes aware of a
material subsequent event, the auditor will need to determine whether it is a Type 1 or Type 2
event and ensure the financial statements appropriately include and/or disclose the event.

Facts That Become Known to the Auditor after the Date of the Auditor’s Report but Prior to
the Date of Issue of the Financial Statements
The auditor has no obligation to perform any audit procedures in relation to the financial
statements after the auditor’s report has been signed. However, if the auditor becomes aware
of an event that, if known at the date of the auditor’s report, would have caused the auditor
to amend the opinion, the auditor should determine whether the financial statements should
be amended.

If the financial statements should be amended and management makes the necessary
amendments, then the auditor should perform the appropriate audit procedures over the
amendments and issue a new auditor’s report. The auditor should include an emphasis
of matter paragraph or other matter paragraph (the basis for these types of paragraphs is
outlined in Chapter 10) to draw users’ attention to the change in subsequent events after the
first signing of the auditor’s report.


If management refuses to amend the financial statements and the auditor believes the
financial statements should be amended, the auditor should modify the auditor’s opinion in line
with HKSA 705 (Revised). (More detail is provided on the types of auditor’s reports issued under
HKSA 705 (Revised) in Chapter 10.) The auditor should ensure that those charged with governance
include the revised auditor’s opinion with the financial statements. If the financial statements
are issued with the original auditor’s opinion, the auditor will need to take appropriate action to
prevent reliance on the original auditor’s report, which depends upon the auditor’s legal rights and
obligations. Consequently, the auditor may consider it appropriate to seek legal advice.

Facts that Become Known to the Auditor after the Financial Statements Have
Been Issued
The same procedures for time period 2 would apply. Depending on the timing of the discovery
of the situation, the auditor may determine that the issue would be rightly corrected in the
following year’s financial statements or, for listed entities, in the following interim financial
statements.

Apply and Analyse 3


Chin Ling has called together all those present at the audit completion meeting on 20
March 20X2 to explain what she has discovered subsequent to the period end on which
Quality is reporting, being 31 December 20X1. A material fraud has been discovered in
the loans department, while completing the planned audit procedures, where several
employees have been approving loans to themselves for millions of Hong Kong dollars
over the course of the last financial year and up until the point of discovery, being 28
February 20X2.

Analysis

Chin Ling would instruct one of her managers to undertake audit procedures to determine
the financial impact caused by the fraud. The material nature of the fraud would heighten
the entire risk assessment process for Hung Fu. The risk assessment would need to
be formally reviewed in line with the requirements of HKSA 315 (Revised 2019) and a
determination made as to whether further audit procedures would need to be undertaken,
which would likely be additional tests of detail in the loans department.

For the purposes of determining the appropriate treatment of the subsequent event,
given that the effects of the fraud took place in the current period being audited, it is a
Type 1 subsequent event that would require amendments to the financial statements as
well as further note disclosures about the actions taken by the bank.

9.3.3 Obtaining Written Representations from Management


For the purpose of this section HKSA 580, Written Representations, is the relevant audit standard.
Please note that despite the HKSA reference to written representations, other common
terminology used for the same letter is a management representation letter (or ‘rep’) or a letter
of representation.


9.3.3.1 Objectives of the Auditor


HKSA 580 requires the auditor to obtain written representations from management and,
where appropriate, those charged with governance. Audit evidence is all the information used
by the auditor to arrive at the conclusion on which the auditor’s report will be based. Written
representations are necessary information required by the auditor in connection with the audit
of the financial statements. Therefore, similar to responses by management to enquiries made
by the auditor, written representations are audit evidence. Although written representations
provide necessary audit evidence, on their own they do not provide sufficient appropriate audit
evidence on the matters covered in the letter. Furthermore, the fact that management has
provided written representations must not affect the nature of other audit evidence the auditor
obtained in relation to management’s obligations.

The objectives of the auditor are:

a. To obtain written representations from management and, where appropriate, those
charged with governance, that they believe that they have fulfilled their responsibility
for the preparation of the financial statements and for the completeness of the
information provided to the auditor;

b. To support other audit evidence relevant to the financial statements or specific
assertions in the financial statements by means of written representations, if
determined by the auditor or required by other HKSA; and

c. To respond appropriately to written representations provided by management and,
where appropriate, those charged with governance, or if management or, where
appropriate, those charged with governance do not provide the written representations
requested by the auditor.

Illustrative Example 3
Quality obtained written representations from those charged with governance of Hung
Fu in relation to the impairment losses against its credit card loan portfolio. This written
representation is not a substitute for other audit evidence that Quality could expect to
be reasonably available. Quality would need to plan for and conduct appropriate audit
procedures to conclude whether the impairment loss recorded in the current period is
sufficient. If Quality is unable to obtain sufficient appropriate audit evidence regarding
the recognition of the impairment loss and believes that the differences identified could
have a material effect on the financial statements, this could result in a modification to
the auditor’s opinion expressed by Quality notwithstanding the written representations
obtained on the matter from those charged with governance of Hung Fu.

9.3.3.2 Written Representations about Management’s Responsibilities


Though the items included in the written representation letter will vary depending on the audit
engagement and the nature and basis of the financial statements, some commonly addressed
items are:

• Management’s acknowledgement of its responsibility for the proper preparation of the
financial statements in accordance with the Hong Kong Financial Reporting Standards.


• The availability of books and records.

• The completeness and availability of all minutes of meetings of directors and associated
board committees.

• Management’s assurance that it has made available all letters from regulatory agencies
concerning non-compliance with, or deficiencies in, financial reporting practices.

• Management’s assurance that there are no unrecorded transactions.

• Management’s acknowledgement of its responsibility for the design and
implementation of controls and for the system of financial controls.

• Management’s assurance that it has disclosed all liens and other encumbrances on
its assets.

• Management’s assurance that all material transactions have been
appropriately recorded.

• Management’s assurance that significant assumptions used in making accounting
estimates, including those measured at fair value, are reasonable (HKSA 540).

• Related party relationships and transactions have been appropriately accounted for
and disclosed in accordance with the requirements of Hong Kong Financial Reporting
Standards (HKSA 550 (Clarified)).

• All events subsequent to the date of the financial statements and for which Hong Kong
Financial Reporting Standards require adjustment or disclosure have been adjusted or
disclosed (HKSA 560).

• The effects of uncorrected misstatements are immaterial, both individually and
in the aggregate, to the financial statements as a whole. A list of the uncorrected
misstatements is attached to the representation letter (HKSA 450).

• Any other matters that the auditor may consider appropriate.

The following additional management representations are applicable to audits of
companies incorporated under the Companies Ordinance (‘We’ being management):

1. We acknowledge that Section 380 of the Companies Ordinance requires us to prepare
financial statements that give a true and fair view of the financial position of the
company as at the end of the financial year and of the financial performance of the
company for the financial year.

2. We are responsible for taking all reasonable steps to ensure the company keeps proper
accounting records that are sufficient to show and explain the company’s transactions,
disclose with reasonable accuracy at any time the company’s financial position and
financial performance, and to ensure that the financial statements comply with the
Companies Ordinance.

3. The financial statements comply with Section 383 (Notes to Financial Statements to
Contain Information on Directors’ Emoluments, etc.) of the Companies Ordinance, under
which the notes to the financial statements must contain the information prescribed by
the Companies (Disclosure of Information about Benefits of Directors) Regulation
(Cap. 622G).


4. We are responsible for the preparation of the directors’ report that:

a. Complies with Sections 390 (Contents of Directors’ Report: General) and 543(2)
(Disclosure of Management Contract) and Schedule 5 (Contents of Directors’ Report:
Business Review) of the Companies Ordinance;

b. Contains the information prescribed by the regulations made under Section 452(3)
(Financial Secretary May Make Other Regulations) of the Companies Ordinance; and

c. Complies with other requirements prescribed by the regulations made under
Section 452(3) of the Companies Ordinance.

The date of the written representation letter should be as close as possible to, but not after,
the date of the auditor’s report on the financial statements. In practice, the auditor normally
requests that the directors sign the directors’ report and issue the written representation letter
on the same date as the auditor’s report. The written representation letter should be for all
financial statements and period(s) referred to in the auditor’s report.

The auditor should not agree to any changes management may wish to make to the written
representation letter, if the written representation letter is to be accepted as contributing
to audit evidence. Any such changes would undermine the representations made by
management.

9.3.3.3 Written Representations Required by Other HKSAs


HKSA 580 Appendix 1 contains a list of HKSAs containing requirements for written
representations, showing their respective additional requirements. That list is outlined below.
However, there may be circumstances over and above those listed below that are relevant
to the circumstances of the audit that the auditor should consider including in the written
representation letter.
HKSA 240 The Auditor’s Responsibilities Relating to Fraud in an Audit of Financial Statements
(HKSA 240.39)
The auditor shall obtain written representations from management and, where appropriate,
those charged with governance that:

a. They acknowledge their responsibility for the design, implementation, and maintenance
of internal control to prevent and detect fraud;

b. They have disclosed to the auditor the results of management’s assessment of the risk
that the financial statements may be materially misstated as a result of fraud;

c. They have disclosed to the auditor their knowledge of fraud, or suspected fraud,
affecting the entity involving:

   - Management;

   - Employees who have significant roles in internal control; or

   - Others where the fraud could have a material effect on the financial
     statements; and

d. They have disclosed to the auditor their knowledge of any allegations of fraud,
or suspected fraud, affecting the entity’s financial statements communicated by
employees, former employees, analysts, regulators, or others.


HKSA 250 (Revised) Consideration of Laws and Regulations in an Audit of Financial
Statements Including Related Conforming Amendments to Other Hong Kong Standards
(HKSA 250.17)
‘The auditor shall request management and, where appropriate, those charged with
governance, to provide written representations that all known instances of non-compliance
or suspected non-compliance with laws and regulations whose effects should
be considered when preparing financial statements have been disclosed to the auditor’.

HKSA 450 Evaluation of Misstatements Identified During the Audit (HKSA 450.14)
‘The auditor shall request a written representation from management and, where
appropriate, those charged with governance whether they believe the effects of
uncorrected misstatements are immaterial, individually and in aggregate, to the financial
statements as a whole. A summary of such items shall be included in or attached to the
written representation’.

HKSA 501 (Clarified) Audit Evidence – Specific Considerations for Selected Items
(HKSA 501.12)
‘The auditor shall request management and, where appropriate, those charged with
governance to provide written representations that all known actual or possible litigation
and claims whose effects should be considered when preparing the financial statements
have been disclosed to the auditor and accounted for and disclosed in accordance with
the applicable financial reporting framework’.

HKSA 540 (Revised) Auditing Accounting Estimates and Related Disclosures (HKSA 540.22)
‘The auditor shall obtain written representations from management and, where
appropriate, those charged with governance whether they believe significant
assumptions used in making accounting estimates are reasonable’.

HKSA 550 (Clarified) Related Parties (HKSA 550.26)
‘Where the applicable financial reporting framework establishes related party
requirements, the auditor shall obtain written representations from management and,
where appropriate, those charged with governance that:

(a) They have disclosed to the auditor the identity of the entity’s related parties and all the
related party relationships and transactions of which they are aware; and

(b) They have appropriately accounted for and disclosed such relationships and
transactions in accordance with the requirements of the framework’.

HKSA 560 Subsequent Events (HKSA 560.9)
‘The auditor shall request management and, where appropriate, those charged with
governance, to provide a written representation in accordance with HKSA 580 that all
events occurring subsequent to the date of the financial statements and for which the
applicable financial reporting framework requires adjustment or disclosure have been
adjusted or disclosed’.


HKSA 570 (Revised) Going Concern (HKSA 570.16(e))
‘Requesting written representations from management and, where appropriate, those
charged with governance, regarding their plans for future actions and the feasibility of
these plans’.

HKSA 710 Comparative Information – Corresponding Figures and Comparative Financial
Statements (HKSA 710.9)
‘As required by HKSA 580, the auditor shall request written representations for all periods
referred to in the auditor’s opinion. The auditor shall also obtain a specific written
representation regarding any restatement made to correct a material misstatement in
prior period financial statements that affect the comparative information’.

HKSA 720 (Revised) The Auditor’s Responsibilities Relating to Other Information
(HKSA 720.13(c))
‘When some or all of the document(s) determined in (a) will not be available until
after the date of the auditor’s report, request management to provide a written
representation that the final version of the document(s) will be provided to the auditor
when available, and prior to its issuance by the entity, such that the auditor can
complete the procedures required by this HKSA’.

9.3.3.4 Written Representations Required by New Companies Ordinance (Cap.622)


Section 436 of the Hong Kong Companies Ordinance (Cap.622), Requirement in connection with
publication of ‘specified financial statements’ and ‘non-statutory accounts’, introduces new
requirements dealing with the publication of a company’s ‘non-statutory accounts’.

Section 436 requires that:

(a) When Hong Kong incorporated companies make their ‘specified financial statements’
available to others, they must always ensure that they are accompanied by the auditor’s
report on those financial statements and

(b) When Hong Kong incorporated companies make any ‘non-statutory accounts’ available
to others they must be accompanied by a statement that includes the information
required by Section 436(3) and must not be accompanied by the auditor’s report on its
‘specified financial statements’ for the same financial year.

When an auditor is undertaking an audit of ‘specified financial statements’ in line with
Section 436, the auditor will need to ensure that the written representation letter from
management includes the requirements of management under Section 436.

9.3.3.5 Form of Written Representations


Written representations are required to be included in a representation letter addressed to
the auditor.

A formal statement of compliance with a law or regulation, or of approval of the financial
statements, would not contain sufficient information for the auditor to be satisfied that all
necessary representations have been consciously made. The expression of management’s
responsibilities in law or regulation is also not a substitute for the requested written
representations.


Illustrative Example 4 – Adapted from HKSA 580 Appendix 2


Below is an example of a form of written representation for the auditor of ABC Company.

(Entity Letterhead)

(To Auditor) (Date)

This representation letter is provided in connection with your audit of the financial
statements of ABC Company for the year ended 31 December 20X2 for the purpose of
expressing an opinion as to whether the financial statements are presented fairly, in all
material respects (or give a true and fair view), in accordance with Hong Kong Financial
Reporting Standards.

We confirm the following (to the best of our knowledge and belief, having made such
inquiries as we considered necessary for appropriately informing ourselves).

Financial Statements

We have fulfilled our responsibilities, as set out in the terms of the audit engagement
dated [insert date], for the preparation of the financial statements in accordance with
Hong Kong Financial Reporting Standards; in particular, the financial statements are fairly
presented (or give a true and fair view) in accordance therewith.

• Significant assumptions used by us in making accounting estimates, including
those measured at fair value, are reasonable (HKSA 540).

• Related party relationships and transactions have been appropriately accounted
for and disclosed in accordance with the requirements of Hong Kong Financial
Reporting Standards (HKSA 550 (Clarified)).

• All events subsequent to the date of the financial statements and for which Hong
Kong Financial Reporting Standards require adjustment or disclosure have been
adjusted or disclosed (HKSA 560).

• The effects of uncorrected misstatements are immaterial, both individually and
in the aggregate, to the financial statements as a whole. A list of the uncorrected
misstatements is attached to the representation letter (HKSA 450).

• We have provided you with:

   - Access to all information of which we are aware that is relevant to the
     preparation of the financial statements, such as records, documentation, and
     other matters;

   - Additional information that you have requested from us for the purpose of the
     audit; and

   - Unrestricted access to persons within the entity from whom you determined it
     necessary to obtain audit evidence.

• All transactions have been recorded in the accounting records and are reflected in
the financial statements.

• We have disclosed to you the results of our assessment of the risk that the financial
statements may be materially misstated as a result of fraud (HKSA 240).



• We have disclosed to you all information in relation to fraud or suspected fraud
that we are aware of and that affects the entity and involves:

   - Management;

   - Employees who have significant roles in internal control; or

   - Others where the fraud could have a material effect on the financial statements
     (HKSA 240).

• We have disclosed to you all information in relation to allegations of fraud, or
suspected fraud, affecting the entity’s financial statements communicated by
employees, former employees, analysts, regulators, or others (HKSA 240).

• We have disclosed to you all known instances of non-compliance or suspected
non-compliance with laws and regulations whose effects should be considered
when preparing financial statements (HKSA 250 (Revised)).

• We have disclosed to you the identity of the entity’s related parties and all the
related party relationships and transactions of which we are aware (HKSA 550
(Clarified)).

• (Insert any other matters that the auditor may consider necessary.)

................................................................ ......................................................................

Management Management

9.3.3.6 Doubt About the Reliability of Written Representations or When not Provided
In the case of identified inconsistencies between one or more written representations and
audit evidence obtained from other sources, the auditor should consider whether the risk
assessment remains appropriate and, if not, revise the risk assessment and determine the
nature, timing, and extent of further audit procedures that might be required to respond to the
assessed risks.

Concerns about the competence, integrity, ethical values or diligence of management, or
about its commitment to or enforcement of these, may cause the auditor to conclude that
the risk of management misrepresentation in the financial statements is such that an audit
cannot be properly conducted. In such a case, the auditor may consider withdrawing from
the engagement, if possible, under an applicable law or regulation, unless those charged with
governance put in place appropriate corrective measures. Such measures, however, may not
be sufficient to enable the auditor to issue an unmodified audit opinion.

HKSA 230, Audit Documentation, requires the auditor to document significant matters arising
during the audit, the conclusions reached thereon, and significant professional judgements
made in reaching those conclusions. The auditor may have identified significant issues
relating to the competence, integrity, ethical values, or diligence of management, or about
its commitment to or enforcement of these, but concluded that the written representations
are nevertheless reliable. In such a case, this significant matter is documented in accordance
with HKSA 230.


9.3.4 Overall Audit of Financial Statements


9.3.4.1 Audit of Financial Statement Disclosures
Auditors are required to express an opinion on the financial statements as a whole. This
includes the notes to the financial statements which, as they provide additional information
on balances and transactions and other relevant information, are an integral part of those
statements.

When the first draft of the financial statements is given to the auditor, it normally includes
the statement of financial position, the statement of profit and loss and, when appropriate,
other comprehensive income, the statement of changes in equity, and the basic note
disclosures, such as details of cash at bank, receivables, and property, plant and equipment.
It may also include a draft Statement of Cash Flows. The more complex disclosures are
often left until late in the audit cycle. On this basis, the first step should be to ensure the
financial statements replicate the numbers that have been audited and documented on the
audit file. This will normally be, in the first instance, the aggregated quantitative totals and then
the disaggregated quantitative totals. As a base requirement, this involves cross-referencing the
financial statements to the audit file.

Generally speaking, the level of audit procedures that have been applied over financial
statement presentation and disclosures has been the subject of much focus by regulators and
the International Auditing and Assurance Standards Board (IAASB). Both have been concerned
that the level of audit has been inconsistent in relation to whether financial statements always
satisfy accounting standard disclosure requirements. The auditor must carefully review the
financial statement disclosures for completeness and accuracy and ensure that they comply
with HKFRS issued by the HKICPA and, where applicable, with the Hong Kong Companies
Ordinance.

The auditor should consider the following key points when auditing financial statement
disclosures:

Disclosures of amounts (quantitative disclosures):

• Disaggregated information that has been subject to management judgement, for
example, operating leases, financial instruments, and financial assets designated at
fair value.

• Segment reporting of revenues, profit, and certain other items.

• The amounts of related party transactions.

• Summarised financial information in relation to associates and joint ventures.

Disclosures of related information, including qualitative disclosures:

• Descriptions of significant accounting policies and critical accounting estimates,
including note disclosure when there has been any change in accounting policies or
critical accounting estimates.

• Information about the identity of related parties.

• Description of the basis for impairment losses recognised in the financial statements.


• Information about application of the going concern assumption when appropriate.

• Information about the circumstances leading to contingent liability disclosures.

Judgement is needed to help determine whether qualitative disclosures are material or not.

Auditors should also be focused on instances in which management has proposed
providing excessive disclosure, sometimes of immaterial matters and sometimes covering
matters more appropriately dealt with in the annual report outside of the financial
statements or elsewhere. Undisciplined disclosures can make it difficult for the readers of the
financial statements to focus on the important matters. They can also include matters not
subject to audit.

Auditors should, as part of the planning phase of the audit process, remind management
of their responsibility to make available information related to financial statement disclosures,
as early as possible so that audit procedures can be applied in the same way for classes of
transaction, events, and account balances. Early consideration should also be given to matters
such as significant new or revised disclosures.

9.3.4.2 Compliance with Accounting Regulations


All section references below are to the Hong Kong Companies Ordinance (Cap.622), specifically in
Part 9, Accounts and Audit.

Section 379: A company’s directors must prepare, for each financial year, statements
that comply with Sections 380 and 383.

Section 380: General Requirements for Financial Statements


1. The annual financial statements for a financial year:

a. Must give a true and fair view of the financial position of the company as at the end
of the financial year and

b. Must give a true and fair view of the financial performance of the company for the
financial year.

2. The annual consolidated financial statements for a financial year:

a. Must give a true and fair view of the financial position of the company, and all the
subsidiary undertakings, as a whole as at the end of the financial year and

b. Must give a true and fair view of the financial performance of the company, and all
the subsidiary undertakings, as a whole for the financial year.

3. The financial statements for a financial year must comply with:

a. If the company falls within the reporting exemption for the financial year, Part 1 of
Schedule 4 or

b. If the company does not fall within the reporting exemption for the financial year,
Parts 1 and 2 of Schedule 4.

4. The financial statements for a financial year must also comply with:

a. Any other requirements of this Ordinance in relation to the financial statements and

b. The accounting standards applicable to the financial statements.


5. If, in relation to any financial statements, compliance with Subsections 3 and 4 would be
insufficient to give a true and fair view under Subsection 1 or 2, the financial statements
must contain all additional information necessary for that purpose.

6. If, in relation to any financial statements, compliance with Subsection 3 or 4 would be
inconsistent with a requirement to give a true and fair view under Subsection 1 or 2, the
financial statements:

a. Must depart from Subsection 3 or 4 (as the case may be) to the extent necessary for
it to give a true and fair view and

b. Must contain the reasons for, and the particulars and effect of, the departure.

7. Subsections 1, 2, 5, and 6 do not apply if the company falls within the reporting
exemption for the financial year.

8. In this section:

a. Accounting standards means statements of standard accounting practice issued or
specified by a body prescribed by the Regulation and

b. A reference to accounting standards applicable to any financial statements is a
reference to accounting standards as are, in accordance with their terms, relevant
to the company’s circumstances and to the financial statements.

Section 405: Auditor’s Duty to Report
A company’s auditor must prepare a report for the members on any financial statements
prepared by the directors, a copy of which is laid before the company in a general meeting
under Section 429 or is sent to a member under Section 430 or otherwise circulated, published,
or issued by the company, during the auditor’s term of office.

Section 406: Auditor’s Opinion on Financial Statements, Directors’ Report, etc.


1. An auditor’s report must state, in the auditor’s opinion:

a. Whether the financial statements have been properly prepared in compliance with
this Ordinance and

b. In particular, whether the financial statements:

(i) In the case of annual financial statements of a company that does not fall within
the reporting exemption for the financial year, give a true and fair view of the
financial position and financial performance of the company as required by
Section 380 or

(ii) In the case of annual consolidated financial statements of a company that does
not fall within the reporting exemption for the financial year, give a true and fair
view of the financial position and financial performance of the company and all
the subsidiary undertakings as required by Section 380.

2. If a company’s auditor is of the opinion that the information in a directors’ report for
a financial year is not consistent with the financial statements for the financial year,
the auditor

a. Must state that opinion in the auditor’s report and

b. May bring that opinion to the members’ attention at a general meeting.


As explained in the Preface to Hong Kong Financial Reporting Standards, the term ‘Hong Kong
Financial Reporting Standards’ includes all HKFRS, Hong Kong Accounting Standards (HKAS), and
Interpretations issued by the HKICPA.

HKFRS set out recognition, measurement, presentation, and disclosure requirements
dealing with transactions and events that are important in general purpose financial
statements. HKFRS are based on The Framework for the Preparation and Presentation of Financial
Statements, which addresses the concepts underlying the information presented in general
purpose financial statements.

The appropriate application of HKFRS, with additional disclosure when necessary, results, in
virtually all circumstances, in financial statements that give a true and fair view.

9.3.4.3 Review for Consistency and Reasonableness


During the completion stage of the audit, final analytical procedures on the financial
statements should be conducted in line with HKSA 520 (Clarified), Analytical Procedures. One of the
objectives of the auditor in complying with HKSA 520 (Clarified) is to design and perform
analytical procedures near the end of the audit that assist in forming an overall conclusion as
to whether the financial statements as a whole are consistent with the auditor’s understanding
derived from conducting the audit during the current period.

The analytical procedures carried out at this stage of the audit are no different to those
performed at the planning stage (see Chapter 5). The auditor should perform a ratio analysis,
comparisons with the prior period financial statements and look for the trends that are
expected based on the knowledge obtained throughout the audit process and the expectations
built as a result of the economic and business environment the business operates in. These
procedures should be designed to highlight unusual transactions and balances that may
indicate a risk of material misstatement. Taken together, if the auditor is unable to explain any
of the issues that have been highlighted by the analytical procedures, the reasonableness of
the financial statements as a whole should be questioned.

When the analytical procedures performed near the completion of the audit uncover
previously unrecognised risks of material misstatement, the auditor is required to
revise the previously assessed risk of material misstatement and modify the planned audit
response appropriately. This could result in the auditor having to perform further audit
procedures in relation to matters that have been identified as having a higher risk.

9.3.4.4 Treatment of Errors


The treatment of errors is dependent on the accounting period to which the error relates.
An error is a misstatement in financial statements that should not have occurred based on
information available at the time the misstatement occurred. A change in an accounting
estimate, where more information becomes available, is not an error (HKAS 8, Accounting
Policies, Changes in Accounting Estimates and Errors).

If the error is discovered in the current accounting period subject to audit and is material,
it should be adjusted by management so that the financial statements are free from material
misstatement. If management are unwilling to adjust for the error, the auditor would need to
consider the impact this would have on the auditor’s opinion.

If the error discovered relates to prior accounting periods and is material, the comparative
figures for prior periods, or opening balances for the current period, should be restated as
specified in accounting standards. If management are unwilling to adjust for the error, the
auditor would need to consider the impact this would have on the auditor’s opinion, in line
with HKAS 8.

Refer to Section 9.3.6 for further details on Evaluation of Misstatements Identified During
the Audit.

Apply and Analyse 4


Manchu Kang has been assigned the first level of review of the financial statements of
Hung Fu for the year ended 31 December 20X1. Manchu is aware of the complexities of
the financial statements of a Bank and the first draft presented to him is lengthy (230
pages). Manchu is also alert to the fact that Quality has a consultation policy that requires
mandatory consultation with the firm’s technical department for financial statements of all
Banks and financial institutions.

Analysis

Manchu would need to start the review process as early as possible. It is still likely that his
role would include referencing what he could from the financial statements back into the
audit file. It would also be likely that he would make sure that the balances add up and
cross reference to the note disclosures. Manchu should involve Lau Lam in line with what
was agreed in the audit completion meeting as early as possible, as the disaggregated
quantitative and qualitative disclosures will be significant. The technical department (the
internal experts that Quality have in the areas of financial reporting and audit methodology
that sit outside the audit division) of Quality will also need to be placed on notice in order
that their review and clearance is given at the appropriate time.

9.3.5 Review of Other Published Information


9.3.5.1 Contingent Liabilities and Commitments
HKSA 540 (Revised), Auditing Accounting Estimates and Related Disclosures (due for
implementation for periods ending on or after 15 December 2019), is the reference standard
when assessing contingent liabilities as, by their nature, contingent liabilities involve an
accounting estimate in most instances. Commitments may be more straightforward for the
auditor to finalise as they are normally based on contractual obligations.

From a definitional perspective, the following helps the understanding of the difference
between a contingent liability and a commitment.

A contingent liability is an existing liability (actual or asserted) for which the general
recognition criteria for liabilities cannot as yet be met. Confirmation of the liability depends
on the outcome of another uncertain future event (e.g. a ruling in a coming court case).
A contingent liability is disclosed in the notes to the financial statements until the recognition
criteria are met; that is, an outflow of assets becomes probable and the amount of the liability
can be reasonably estimated.


A commitment is an agreement that is equally and proportionately unperformed by the
parties to the agreement. It relates to a future transaction such as the acquisition of property,
plant and equipment, and future outlays for infrastructure for a joint venture. Until one of the
parties performs, the commitments do not meet the definition of a liability.

Information about contingent liabilities and commitments informs users about future cash
flows of the entity.

9.3.5.2 Auditor’s Objectives


Contingent Liabilities
The objective of the auditor is to obtain sufficient appropriate audit evidence about whether
accounting estimates associated with contingent liabilities and related disclosures in the
financial statements are reasonable and in line with HKFRS (value). The other principal objective
is to ensure that all material contingent liabilities have been appropriately identified, measured,
and disclosed in the financial statements (completeness).

Commitments
Similarly, the key objective of the auditor for commitments is to ensure that they are supported
by sufficient appropriate audit evidence about their value and completeness, and that they
have been appropriately identified, measured, and disclosed in the financial statements.

9.3.5.3 Requirements and Procedures


The auditor, as part of understanding the entity and its environment as required by HKSA 315
(Revised 2019), should consider knowledge of the industry and historical and current activities
of the entity to determine the likely contingent liabilities and commitments. The auditor should
also obtain an understanding of how the entity applies HKAS 37, Provisions, Contingent Liabilities
and Contingent Assets, in developing its contingent liability and commitment notes.

The following are examples of audit procedures to determine the completeness and
accuracy of contingent liabilities:

• An external confirmation issued in line with HKSA 505 (Clarified), External Confirmations,
to legal counsel and banks. The types of information the auditor might ask for include:

  ◦ A list and progress report of any pending or imminent litigation to which legal
    counsel has given substantial attention.

  ◦ A list of other claims such as warranties and guarantees, including comment from
    legal counsel on their opinion of probability and HKD outcome.

  ◦ Bank guarantees.

• Examination of the minutes of the board of directors to determine if, for example, any
guarantees have been approved against loans.

• Examination of any environmental reviews and their likely outcomes for the entity.

• Consider industry practices. For example, for mining companies, it is common that
contracts will include ‘make good’ (restoration) clauses, which, as events occur (e.g. as
damage occurs to the relevant environment), the recognition criteria for liabilities could be
met (as the need to restore an asset could become probable and be reliably estimated).

• Product warranty arrangements to determine whether commitments and contingencies
are appropriately recognised.

The following are examples of audit procedures to determine the completeness and
accuracy of commitments:

• Determine the amounts and time allocations for payments under operating leases.
(HKAS 16, Leases, became effective in 2019, which means that operating leases will
be recognised in the balance sheet and cease to be a commitment requiring note
disclosures. Refer to the financial reporting module for further information.)

• Determine whether there are any commitments for capital expenditure contracted for
future periods through discussion with management and review of minutes.

• Determine whether there are any licensing costs subject to commitment.

Illustrative Example 5
The example below illustrates contingent liabilities disclosed in a set of financial
statements.

32 Contingent liabilities

                                        2018     2017
                                        US$m     US$m
Associates and joint ventures¹         1,588    1,784
Subsidiaries and joint operations¹     1,915    1,825
Total                                  3,503    3,609

¹ There are a number of matters, for which it is not possible at this time to provide a range of possible
outcomes or a reliable estimate of potential future exposures, and for which no amounts have been included
in the table above.

A contingent liability is a possible obligation arising from past events and whose
existence will be confirmed only by occurrence or non-occurrence of one or more
uncertain future events not wholly within the control of the Group. A contingent liability
may also be a present obligation arising from past events but is not recognised on the
basis that an outflow of economic resources to settle the obligation is not viewed as
probable, or the amount of the obligation cannot be reliably measured.

When the Group has a present obligation, an outflow of economic resources is
assessed as probable and the Group can reliably measure the obligation, a provision is
recognised.

The Group has entered into various counter-indemnities of bank and performance
guarantees related to its own future performance, which are in the normal course of
business. The likelihood of these guarantees being called upon is considered remote.

The Group presently has tax matters, litigation and other claims, for which the timing of
resolution and potential economic outflow are uncertain. Obligations assessed as having
probable future economic outflows capable of reliable measurement are provided
at reporting date and matters assessed as having possible future economic outflows
capable of reliable measurement are included in the total amount of contingent liabilities
above. Individually significant matters, including narrative on potential future exposures
incapable of reliable measurement, are disclosed below, to the extent that disclosure
does not prejudice the Group.

Uncertain tax and royalty matters
The Group is subject to a range of taxes and royalties across many
jurisdictions, the application of which is uncertain in some regards.
Changes in tax law, changes in interpretation of tax law, periodic
challenges and disagreements with tax authorities, and legal
proceedings result in uncertainty of the outcome of the application of
taxes and royalties to our business. Areas of uncertainty at reporting
date include the application of taxes and royalties (including transfer
pricing) to the Group’s cross-border operations and transactions.
Details of uncertain tax and royalty matters have been disclosed in
note 5 ‘Income tax expense’. To the extent uncertain tax and royalty
matters give rise to a contingent liability, an estimate of the potential
liability is included within the table above, where it is capable of reliable
measurement.

Samarco contingent liabilities
The table above includes contingent liabilities related to the Group’s
equity accounting investment in Samarco to the extent they are
capable of reliable measurement. Details of contingent liabilities
related to Samarco are disclosed in note 3 ‘Significant events – Samarco
dam failure’.

Demerger of South32
As part of the demerger of South32 Limited (South32) in May 2015,
certain indemnities were agreed under the Separation Deed. Subject
to certain exceptions, BHP Billiton Limited indemnifies South32 against
claims and liabilities relating to the Group Businesses and former Group
Businesses prior to the demerger and South32 indemnifies the Group
against all claims and liabilities relating to the South32 Businesses
and former South32 Businesses. No material claims have been made
pursuant to the Separation Deed as at 30 June 2018.

Source: BHP Annual Report 2018.

Apply and Analyse 5


It was noted through discussions during the audit completion meeting for the audit of
Hung Fu that the engagement team had identified, through the audit process, a number of
areas that in their belief should result in disclosures of both contingent liabilities and other
commitments.

Analysis

The engagement team, having industry expertise in the financial institutions sector,
anticipated that the Bank would have guarantees and irrevocable letters of credit pledged
as collateral security. The engagement team would need to audit management’s calculations
of these balances in line with HKSA 330, to ensure that the risks associated with this
contingency have been mitigated.



The engagement team, knowing that there are a number of legal matters outstanding,
would need to ensure that the confirmations and dialogue with external legal counsel
satisfied them and that they could conclude that the level of disclosure and the estimation
of the likely monetary outcome was reliable.

9.3.6 Evaluation of Misstatements Identified During the Audit


HKSA 450, Evaluation of Misstatements Identified During the Audit, is the reference standard for
this section. The auditor would normally be assessing misstatements throughout the entire
audit process; however, a final evaluation is critical in completing the audit to determine
whether identified misstatements might have an impact on the auditor’s report.

9.3.6.1 Auditor’s Objectives


The auditor should evaluate:

1. The effect of misstatements, both individually and in aggregate, identified during the
audit process, on the financial statements as a whole and

2. The effect of uncorrected misstatements identified on the financial statements
(i.e. misstatements that will not be corrected by management).

By way of definition, HKSA 450 states that a misstatement is ‘A difference between the
reported amounts, classification, presentation, or disclosure of a financial statement item
and amount, classification, presentation, or disclosure that is required for the item to be in
accordance with the applicable financial reporting framework. Misstatements can arise from
error or fraud.

When the auditor expresses an opinion on whether the financial statements are presented
fairly, in all material respects, or give a true and fair view, misstatements also include those
adjustments of amounts, classifications, presentation, or disclosures that, in the auditor’s
judgement, are necessary for the financial statements to be presented fairly, in all material
respects, or to give a true and fair view.’ (HKSA 450.4(a))

9.3.6.2 Accumulation of Identified Misstatements


Materiality assessed in line with HKSA 320 is key in the consideration of current-year
misstatements. Before concluding on the potential effects of identified misstatements, the
auditor should ensure that the assessment is being completed against the most appropriate
materiality level. The auditor should also be clear on what the clearly trivial level is.

HKSA 450 requires the auditor to accumulate individual misstatements identified during
the audit process, except for amounts that are clearly trivial. The auditor should confirm that all
misstatements have been documented in the ‘one repository’ to ensure completeness for the
evaluation of the misstatements that have been identified.


Illustrative Example 6

Summary of Unadjusted Differences

Performance materiality HK$ XX

Clearly trivial misstatements under HK$ XX will not be recorded.

| Description | Assets DR/(CR) | Liabilities (DR)/CR | Equity (DR)/CR | Profit & Loss (DR)/CR | Corrected? | W/P ref. |
|---|---|---|---|---|---|---|
| Total corrected adjusting journal entries | | | | | | |
| Unrecorded misstatements – factual | | | | | | |
| Unrecorded misstatements – projected | | | | | | |
| Unrecorded misstatements – judgemental | | | | | | |
| Total uncorrected misstatements | | | | | | |
| Effect of uncorrected misstatements from prior periods | | | | | | |
| Uncorrected misstatements to be carried forward | | | | | | |

The summary here alludes to potentially three types of unrecorded misstatements that
the auditor may need to communicate to management throughout the audit process:

Factual misstatements are those about which there is no doubt. The amount or
disclosure is materially incorrect.

Projected misstatements are the auditor’s best estimate of misstatements in
populations, involving the projection of misstatements identified in audit samples to the
entire population from which the samples were drawn.

Judgemental misstatements are those arising from the judgements taken by
management concerning accounting estimates and/or accounting policies that the auditor
disagrees with. These misstatements can in many cases cause some debate between
management and the auditor.

9.3.6.3 Prior-Year Misstatements


Management may have, with the agreement of the auditor, determined not to correct
misstatements that occurred in one or more prior periods because, in the judgement of the
auditor at the time, the financial statements were not materially misstated.


As noted from the above illustration, the auditor needs to ensure that unadjusted prior
year misstatements are carried forward and documented in the current period. Should the
auditor determine that the cumulative effect of prior period unadjusted misstatements
taken with the audited results of the current period, if left unadjusted, result in a material
misstatement to the current period financial statements, the auditor would need to seek to
have the relevant adjustment made.

9.3.6.4 Qualitative and Quantitative Considerations for Misstatements


As noted earlier in this section, the level of assessed materiality is central to the quantitative
consideration for misstatements. The auditor is required to determine whether uncorrected
misstatements are material, individually or in the aggregate.

Some misstatements may be evaluated as material, individually or when considered
together with other misstatements accumulated during the audit, even if they are lower than
materiality because of their qualitative nature. For example:

• Misstatements which might affect compliance with regulatory requirements.

• Misstatements that impact on debt covenants.

• Misstatements that hide a change in earnings or other trends.

• Previous communications about forecast earnings to users of the financial statements.

• Misstatements that affect ratios used to evaluate the entity’s financial position, results,
or cash flows, or

• Classification errors.

9.3.6.5 Evaluating the Effect of Uncorrected Misstatements


If the auditor concludes that uncorrected misstatements either individually or in the aggregate
are material, this should be brought to the attention of management and/or those charged
with governance as soon as possible. The auditor shall request that the material uncorrected
misstatements be corrected. If the financial statements are adjusted for the material
misstatements, then the auditor will normally conclude that the auditor’s opinion will not
need to be modified. If, however, the financial statements are not adjusted for the material
misstatements assessed by the auditor, this may affect the auditor’s opinion. This scenario
will generally result in a form of modified auditor’s opinion. (Refer to Chapter 10 for Auditor’s
Reporting.)
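
The accumulation and evaluation steps of Sections 9.3.6.2 to 9.3.6.5 can be worked through as code. The following is an added example, not taken from the Learning Pack or from HKSA 450. It assumes a single signed profit effect per misstatement instead of the four DR/(CR) columns of the summary schedule, nets signed amounts in the aggregate, and uses constructed HK$ figures and working paper references.

```python
from dataclasses import dataclass
from enum import Enum


class Kind(Enum):
    FACTUAL = "factual"
    PROJECTED = "projected"
    JUDGEMENTAL = "judgemental"


@dataclass(frozen=True)
class Misstatement:
    description: str
    kind: Kind
    amount: int               # HK$, signed effect on profit (assumed convention)
    corrected: bool = False   # True once management has booked the adjustment
    qualitative: str = ""     # e.g. "debt covenant"; empty when none applies
    wp_ref: str = ""          # working paper reference (constructed)


def accumulate(items, clearly_trivial):
    """Keep every identified misstatement except clearly trivial amounts."""
    return [m for m in items if abs(m.amount) >= clearly_trivial]


def evaluate(items, prior_period_uncorrected, materiality, clearly_trivial):
    """Summarise uncorrected misstatements against materiality."""
    uncorrected = [m for m in accumulate(items, clearly_trivial)
                   if not m.corrected]

    # Sub-totals per type, as in the rows of the summary schedule.
    by_kind = {k.value: 0 for k in Kind}
    for m in uncorrected:
        by_kind[m.kind.value] += m.amount

    total = sum(by_kind.values())
    # Prior-period uncorrected amounts are taken together with the current
    # period; the sum is what would be carried forward if left unadjusted.
    cumulative = total + prior_period_uncorrected
    individually = [m.description for m in uncorrected
                    if abs(m.amount) >= materiality]
    in_aggregate = abs(cumulative) >= materiality

    return {
        "by_kind": by_kind,
        "total_uncorrected": total,
        "carry_forward": cumulative,
        "individually_material": individually,
        "material_in_aggregate": in_aggregate,
        # Below-materiality items that still need judgement on qualitative
        # grounds (covenants, regulatory compliance, trends, ratios).
        "qualitative_review": [m.description for m in uncorrected
                               if m.qualitative],
        "request_correction": bool(individually) or in_aggregate,
    }


# Constructed sample schedule for illustration only.
SAMPLE = [
    Misstatement("Cut-off error on fee income", Kind.FACTUAL, 400_000,
                 corrected=True, wp_ref="F-12"),
    Misstatement("Unrecorded accrual", Kind.FACTUAL, 300_000, wp_ref="L-03"),
    Misstatement("Sample errors projected across loan population",
                 Kind.PROJECTED, 450_000, wp_ref="C-21"),
    Misstatement("Impairment estimate disagreement", Kind.JUDGEMENTAL,
                 200_000, qualitative="debt covenant", wp_ref="C-30"),
    Misstatement("Rounding difference", Kind.FACTUAL, 20_000, wp_ref="A-01"),
]

if __name__ == "__main__":
    result = evaluate(SAMPLE, prior_period_uncorrected=150_000,
                      materiality=1_000_000, clearly_trivial=50_000)
    for key, value in result.items():
        print(f"{key}: {value}")
```

In the sample, no single item reaches materiality and the current-year total stays below it; only the prior-period carry-forward takes the cumulative figure over the threshold, which is why those amounts must be documented in the current period.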

Ethics in Practice 2
Before an auditor concludes that there are uncorrected misstatements that are material
to the financial statements and that a modified auditor’s opinion should be issued, the
auditor will normally enter into significant discussion with management and/or those
charged with governance. It is important that the respective views of management and
the auditor are clearly understood.

This discussion can at times result in pressure being placed on the auditor not to issue
a modified auditor’s opinion (this can be applied to all forms of modified auditor’s opinions).
The auditor must stand their ground in order to meet the requirements of the HKSAs, the
HKFRSs, and the Hong Kong Companies Ordinance, where applicable. It is recognised that
this can sometimes be difficult when a client threatens to engage another firm for a second
opinion or threatens to change the auditor after the current audit is complete.

To also meet the ethical principles of integrity, objectivity, professional competence
and due care, and professional behaviour (Sections 111, 112, 113, and 115 of the Code
of Ethics for Professional Accountants (Revised)), the auditor must not be tempted to issue
an unmodified auditor’s opinion in circumstances where a reasonable third party would
conclude that a modified auditor’s opinion should be issued.

9.3.7 Communicating with Those Charged with Governance


HKSA 260 (Revised), Communication with Those Charged with Governance, requires the auditor
to engage in communications with management and/or those charged with governance, as
appropriate throughout the audit process.

9.3.7.1 Auditor’s Responsibilities


The first consideration is to whom the communication should be directed. HKSA 260 (Revised)
does not specify this exactly, but states that ‘governance is the term used to describe the role
of persons entrusted with the supervision, control and direction of an entity’. This implies that
the communication should be with the highest level of management, including the executive
and non-executive directors, and the audit committee, where relevant. The identity of the
relevant person(s) to whom the communication will be addressed may be clarified in the
engagement letter.

The auditor should aim for an effective two-way communication with those charged with
governance to enable:

• The auditor to communicate clearly with those charged with governance the
responsibilities of the auditor in relation to the audit of the financial statements and
an overview of the planned scope of the audit and the timing of the relevant aspects
of the audit (for example if interim procedures will be undertaken and then when final
procedures will take place).

• The auditor to be assured of obtaining from those charged with governance all the
information relevant to the audit of the financial statements.

• The auditor to provide those charged with governance with timely observations
obtained in relation to the financial statement audit that are significant, including when
a fraud has been uncovered by the auditor.

9.3.7.2 Matters to be Communicated

The auditor should consider the type of issues that should be communicated. HKSA 260
(Revised) provides some guidance as to the matters that ordinarily could be incorporated in the
communication, including:

• The overall approach and scope of the audit, including any limitations on the scope of
the audit.


• The accounting policies, and any changes to them, that could materially affect the
financial statements.

• For listed companies, Key Audit Matters. (Refer to Chapter 10 for further details on Key
Audit Matters.)

• Adjustments arising as a result of audit procedures that could materially impact the
financial statements.

• Material events or uncertainties that could jeopardise the going concern status and that
require disclosure within the financial statements.

• Disagreements with management over accounting treatments or disclosures.

• Any expected modifications to the auditor’s report.

• Material weaknesses discovered in the internal systems and controls.

The communication to those charged with governance should not just contain findings
from the audit but should cover the range of issues related to the audit that the auditor may
want to raise with management. Such matters may include:

• Details of any threats to independence and objectivity, and of any safeguards adopted.

• Explanations of the audit approach used (for example the concept of materiality and its
application to the audit process).

• A summary of business risks identified, including an assessment of the likelihood of the
risks materialising.

• A review of the contents of written representations.

• Recommendations, where relevant, to help improve the entity’s internal systems
and controls.

Apply and Analyse 6


Jiang Ling has noted from the interim audit procedures that Lau Lam documented a
number of issues with one of the digital Banking platforms of Hung Fu. The issues seem to
be a result of the Bank’s strategy to adopt an ‘inside out’ approach, which is not supported
by the internal skills of personnel to support such a strategy. The lack of expertise has
resulted in periods of digital disruption, with customers not being able to access their
financial data.

Analysis

Jiang Ling has determined that the issues noted by Quality in relation to the digital Banking
platforms should be communicated to those charged with governance. Jiang Ling provided
a written report to those charged with governance after the completion of the interim
procedures. Her recommendation was that Hung Fu should consider adopting an ‘outside
in’ approach to digital transformation as digital platforms are constantly changing and the
Bank may be better served with the knowledge and skills of external digital providers to
ensure a reduction in digital disruptions.


9.3.7.3 The Communication Process


The auditor should communicate matters to those charged with governance on a timely basis,
in order for management to react to the matters raised as soon as possible. Findings from the
audit relevant to the accounting and financial reporting function should be communicated
before the approval of the financial statements by management. This means that material
errors can be corrected by management prior to the audit report being issued, thus avoiding a
possible modification to the auditor’s report. HKSA 260 (Revised) discusses the various forms
that the communication should take. In most cases, the communication will be in writing.
HKSA 260 (Revised) requires a communication to be issued even if there are no matters that the
auditor wishes to bring to the attention of those charged with governance. The communication
would state that there are no significant findings from the audit to be communicated. The
communication could be made orally. In this situation, it is important that the auditor has a
written record within the audit working papers of the discussion of significant matters with
management. Whichever method is used to formally communicate the matters, oral or written,
the process should be seen as a two-way dialogue. Management should have the opportunity
to respond to the auditor regarding the matters raised.

The communication with those charged with governance should be viewed as a crucial
reporting ‘output’ of the audit. It allows management to be informed of significant matters
arising from the audit process, and allows management the chance to respond to the
auditor regarding these matters. In understanding this, learning outcome 1.01.09 will have
been achieved.

Knowledge Check Questions

Question 2
List some aspects of an entity’s financial situation that may alert an auditor that there may
be a significant uncertainty in relation to the use of the going concern basis of accounting.

Question 3
Identify which of the following describes when subsequent event audit procedures should
be carried out by the auditor.
A From the year end date until the date the directors sign the financial statements.
B From the auditor’s report date until the directors sign the financial statements.
C From the year end date until the signing of the auditor’s report.
D From the year end date and for the following months until the end of the following
accounting period.

Question 4
Explain the key difference between type 1 and type 2 subsequent events.

Question 5
Identify the three key objectives of the auditor in obtaining the written representation
letter from those charged with governance.



Question 6
Identify the minimum that management should include in their written
representation letter.

Question 7
Outline what the auditor should do if concerned about the reliability and completeness of
written representations from management.

Question 8
Summarise what financial statement disclosures would normally be deemed to be
qualitative in nature.

Question 9
Summarise what audit procedures an auditor may undertake to determine completeness
and accuracy of contingent liabilities.

Question 10
List the audit procedures an auditor should consider to determine the completeness and
accuracy of commitments.

Question 11
Explain how the auditor should accumulate misstatements throughout the current year’s
audit process.

Question 12
Describe the three types of unrecorded misstatements that the auditor may need to
communicate to management throughout the audit process.

Question 13
Summarise at least five types of issues that an auditor should communicate to those
charged with governance.

9.4 RELATED PARTIES

For the purpose of this section, HKSA 550 (Clarified), Related Parties, is the relevant audit
standard. The identification and audit of related party transactions has been an area of focus
by standard setters and regulators for some time, as auditors have been inconsistent when
applying the requirements of HKSA 550 (Clarified). Auditors often leave the consideration of
related party relationships and transactions required by HKAS 24, Related Party Disclosures,
until the end and consider them more a disclosure consideration than responding to the risk of
material misstatement as a result of fraud or error.


Related parties can be used to hide transactions or to enter into transactions that are not
at arm’s length, resulting in fraudulent financial reporting, as highlighted in several major
corporate scandals and collapses, such as Enron. Transactions with related parties can
obscure the economic substance of transactions, fraud in companies, and the recoverability
of related party receivables or payables.

In any case, the accounting standards require disclosures of related party transactions so
that users can assess whether the entity would be in a comparable and sustainable position
but for their existence.

The audit of related party relationships and transactions can be particularly difficult for
auditors because:

• Related party relationships are not always easy to identify and the auditor has to rely on
management in the identification process.

• Transactions may be hard to find even when the audit testing is targeted.

• The internal controls around related party transactions are often weak, so the auditor is
unlikely to obtain any audit comfort through a test of controls.

Auditors of smaller companies may find it difficult to identify related party relationships
and transactions because management may not understand the significance of related
party transactions to an auditor. This is particularly the case in family run businesses where
transacting with related parties is the norm. It is therefore important for auditors to be
clear about the extent of disclosures required so that they can advise management on their
responsibility to prepare financial statements that comply with HKFRS.

While larger companies and listed companies might have a better understanding of the
importance of disclosing related party relationships and transactions and may have some
relevant controls in place, they may also transact in more complex areas that can be more
difficult for auditors to understand and follow. The structure and transactions between related
entities of Enron is an excellent example of a group structuring itself in such a way that the
auditors could not understand or trace transactions.

9.4.1 Auditor’s Objectives


The objectives of the auditor are:

1. To obtain an understanding of related party relationships and transactions sufficient
to be able:

a. To recognise fraud risk factors, if any, arising from related party relationships and
transactions that are relevant to the identification and assessment of the risks of
material misstatement due to fraud and

b. To conclude, based on the audit evidence obtained, whether the financial
statements, insofar as they are affected by those relationships and transactions:

(i) Achieve fair presentation (for fair presentation frameworks) or

(ii) Are not misleading (for compliance frameworks).

2. To obtain sufficient appropriate audit evidence about whether related party
relationships and transactions have been appropriately identified, accounted for and
disclosed in the financial statements in accordance with HKFRS.


9.4.2 Definition of a Related Party


A related party is a person or entity that is related to the entity that is preparing its financial
statements (referred to here as the ‘reporting entity’).

1. A person or a close member of that person’s family is related to a reporting entity if
that person:

a. Has control or joint control of the reporting entity;

b. Has significant influence over the reporting entity; or

c. Is a member of the key management personnel of the reporting entity or of a
parent of the reporting entity.

2. An entity is related to a reporting entity if any of the following conditions applies:

a. The entity and the reporting entity are members of the same group (which means
that each parent, subsidiary, and fellow subsidiary is related to the others).

b. One entity is an associate or joint venture of the other entity (or an associate or
joint venture of a member of a group of which the other entity is a member).

c. Both entities are joint ventures of the same third party.

d. One entity is a joint venture of a third entity and the other entity is an associate of
the third entity.

e. The entity is a post-employment benefit plan for the benefit of employees of either
the reporting entity or an entity related to the reporting entity. If the reporting
entity is itself such a plan, the sponsoring employers are also related to the
reporting entity.

f. The entity is controlled or jointly controlled by a person identified in 1.

g. A person identified in 1a has significant influence over the entity or is a member of
the key management personnel of the entity (or of a parent of the entity).

h. The entity, or any member of a group of which it is a part, provides key
management personnel services to the reporting entity or to the parent of the
reporting entity.

A related party transaction is a transfer of resources, services, or obligations between a
reporting entity and a related party, regardless of whether a price is charged.

Close members of the family of a person are those family members who may be expected
to influence, or be influenced by, that person in their dealings with the entity and include:

1. That person’s children and spouse or domestic partner;

2. Children of that person’s spouse or domestic partner; and

3. Dependants of that person or that person’s spouse or domestic partner. (HKAS 24.9)

9.4.3 Risk Assessment Procedures and Related Activities


HKSA 315 (Revised 2019) and HKSA 240, The Auditor’s Responsibilities Relating to Fraud in an Audit
of Financial Statements, set out the framework that the auditor should adopt when obtaining
information relevant to identifying the risk of material misstatements associated with related
party relationships and transactions.

The audit team discussion that HKSA 315 (Revised 2019) and HKSA 240 require shall include
specific consideration of the susceptibility of the financial statements to material misstatement
due to fraud or error that could result from the entity’s related party transactions. All members
of the audit team must be made aware of the identity of related parties.

The auditor should make enquiries with management regarding:

• The identity of the entity’s related parties. Note that related parties can change from
period to period so no assumptions should be made in relation to the identity of related
parties from prior periods;

• The nature of the relationships between the entity and the related parties; and

• Whether the entity entered into any transactions with the related parties during the
period and, if so, the type and purpose of the transactions.

The auditor should also enquire of management and others within the entity to obtain
an understanding of the controls, if any, that management has established to manage the risks
associated with the identity and transactions of related parties.

The auditor shall remain alert during the audit process when inspecting books, records, and
documents that may indicate the existence of related party relationships or transactions that
management had not previously disclosed to the auditor. If management had not previously
disclosed to the auditor the existence of a related party, the auditor will need to consider what
impact, if any, such an identification may have on the overall risk assessment undertaken in line
with HKSA 315 (Revised 2019) and HKSA 240 and the planned responses to the risks identified.

Exhibits 9.3 and 9.4 provide some examples of indicators of the existence of related parties
and difficulties in identifying them.

Characteristics of entities and transactions:

• Owner dominance
• Involvement of family members in the business
• Trading with other family businesses
• Use of family contacts in accounting, legal, or other advisors
• Owners with other business interests
• Owner can override controls

Indicators of the existence of related parties:

• Involvement of family members – identification can be difficult if family names are not the same.
• Under Trust arrangements, Trustees or beneficiaries may not be identified and transactions with
them may not be identified.
• There is usually sensitivity around disclosure of the identity of other businesses that are
trading with the company when they are related, or disclosure of loans by or to the company.
• Purchase or sale of assets or goods that are not at arm’s length.
• Services rendered by family members such as consultancy, design, office lease.
• Purchase of assets or goods surplus to the needs of the entity.
• Loans at nil or significantly reduced rates of interest.
• Provision of unsecured loans.

EXHIBIT 9.3 Characteristics and indicators for smaller and/or owner-managed entities


Characteristics of entities and transactions:

• Owner dominance
• Involvement of family members in the business
• Trading with other family businesses
• Use of family contacts in accounting, legal, or other advisors
• Owners with other business interests
• Owner can override controls

Indicators of the existence of related parties:

• Continuous roll-over of loans with no repayment.
• Lack of documentation supporting loans.
• Significant cash outflows that have been expensed in an unusual manner.
• Overly complex joint venture arrangements, where terms do not make commercial sense.
• Unexplained movement of funds around a group.
• Fictitious employees.
• Management charges between companies that do not make sense.
• Credit card bills used to support purchases without description.
• High levels of entertainment expenses.
• Change of major suppliers with no tender sought and informal documentation.
• Large unexplained discounts being given or received.
• Limited documentation supporting major transactions such as purchase or sale of assets, lease
agreements, plant, and equipment.
• The existence of suspense accounts and contra accounts.
• Difficulty in reconciling intercompany balances.

EXHIBIT 9.4 Characteristics and indicators for larger or more complex entities

HKSA 550 (Clarified) requires auditors to obtain an understanding of related party
relationships and transactions sufficient to be able to recognise and assess the risks of material
misstatement due to fraud.

HKSA 550 (Clarified) also requires that all members of the engagement team understand
who the related parties are at any one client. This knowledge should then be linked to the fraud
risks identified at the client.

Auditors are more exposed to fraud risks relating to undisclosed related party transactions
than to minor disclosure errors in known transactions. All audit engagement staff should
remain alert throughout the audit to the possibility that there are related party transactions
that have not been disclosed by management. If undisclosed related parties are identified on
further investigation, auditors should reconsider their overall risk assessment, update their
audit strategy, and amend their audit procedures accordingly.

9.4.4 Responses to the Risks of Material Misstatement Associated with Related Party Relationships and Transactions

It is important for auditors to understand and evaluate the procedures management has
in place for identifying, properly accounting for, and disclosing related party transactions. If
the auditor has audited the company for a number of years it is likely that understanding in
this area would have accumulated. The risks in a first-year audit would be higher, which may
require a greater level of audit procedures to reduce the risk of material misstatement to an
acceptable level.


HKSA 550 (Clarified) requires that auditors ask management and others in the entity, and
perform other risk assessment procedures as appropriate, to obtain an understanding of the
controls, if any, in place to:

• Identify, account for, and disclose related party relationships and transactions;

• Authorise and approve significant related party transactions and arrangements; and

• Authorise and approve significant transactions and arrangements outside the normal
course of business.

Testing for completeness and existence of related party relationships and transactions
can be difficult, especially when it is discovered that management has not identified
such transactions. HKSA 550 (Clarified) requires that auditors search for unidentified and
undisclosed related party relationships and transactions by, for example:

• Inspecting bank documents;

• Obtaining legal confirmations;

• Reviewing minutes of shareholder and management meetings;

• Reviewing regulatory returns; or

• Reviewing records of the company’s investments, particularly ones that are overseas.

If auditors identify issues suggesting the existence of related party relationships or
transactions that management has not previously identified or disclosed, they need to
investigate these. HKSA 550 (Clarified) specifically requires the auditors to:

• Promptly communicate the information to team members;

• Request that management identify all transactions with the newly identified
related parties;

• Enquire as to why the entity’s controls over related party relationships and transactions
failed to enable the identification or disclosure of the related party relationships or
transactions;

• Perform appropriate substantive audit procedures relating to such newly identified
related parties or significant related party transactions;

• Reconsider the risk that other related parties or significant related party transactions
may exist that management has not previously identified or disclosed to the auditor,
and perform additional audit procedures as necessary; and

• If the non-disclosure by management appears intentional (and therefore indicative of a
risk of material misstatement due to fraud), evaluate the implications for the audit.

These procedures should be performed at both the planning stage and during the
course of the audit and reassessed at the conclusion of the audit. It is important to ask
the right questions, of the right people, and be professionally skeptical at all times. The
term ‘related parties’ is an accounting technical term and may need to be explained to less
experienced clients.

An arm’s-length transaction is an agreement made by two parties freely and independently
of each other, and without some special relationship, such as being a relative, having another
deal on the side, or one party having complete control of the other. It becomes important to
determine if an agreement was freely entered into to show that the price, requirements, and
other conditions were fair and real. It can often be difficult to determine whether transactions
are conducted at arm’s length. Auditors need to consider the bargaining power of each party
and use their judgement, by considering similar transactions or the market price of similar
goods or services. Professional skepticism is a key behavioural trait that is required throughout
the audit process by the entire audit team, but arguably should be heightened in the area of
auditing related parties and related party transactions.

Where auditors identify significant transactions outside the entity’s normal course of
business, they should establish by inquiry whether related parties could be involved. Some
examples might be geologists working to find deposits for the company, external payroll
services owned by persons related to senior people in the company, foreign investment
vehicles, or investment in property not aligned with the core business.

If such significant related party transactions outside the normal course of business
are identified, they should be treated as significant risks. For such transactions, auditors
should inspect the underlying contracts or agreements and evaluate whether there is a true
commercial basis for the transactions (which may otherwise suggest fraud or misappropriation
of assets), understand and document the controls surrounding these transactions, and validate
the accounting treatment of the transactions.

Factors affecting an auditor’s independent assessment of the commercial basis of a
transaction include the complexity of the transaction, whether it has unusual terms, whether
its processing involved a limited number of senior personnel, or whether it involves previously
unidentified related parties. At all times the auditor should be cognisant of the risk of fraud.

Apply and Analyse 7


Hung Fu management had represented to Lau Lam of Quality that the only related party
was a broking business, which had been disclosed in prior period financial statements. Lau
Lam has determined that Hung Fu had made a number of loans to director-related entities
during the period subject to audit. Explain what Lau Lam should do.

Analysis

Lau Lam would need to revisit the overall risk assessment process to determine whether
this discovery of information heightens the risk of material misstatement in the financial
statements as a whole. Lau Lam asked management why the related parties and related
party transactions had not been identified to Quality.

• Management represented that they had not considered the effect of the loans as
they had not previously made such loans.

• No further loans have been made other than the ones identified by Quality.

Lau Lam should ask to see the loan agreements to make a determination on whether
the transactions were made at arm’s length.

Lau Lam should further determine whether Quality is satisfied that no further related
parties have been identified and that there are no further transactions.

Financial statement disclosures should also be considered by the Quality audit team to
ensure completeness and accuracy.


9.4.5 Evaluation of the Accounting for and Disclosure of Identified Related Party Relationships and Transactions

The auditor shall conclude on the appropriateness of the accounting for related party
transactions. The identity and transactions should be disclosed in line with HKAS 24 (Revised),
Related Party Disclosures. If the auditor is not satisfied that all related parties or all related
party transactions have been identified, then the auditor will need to assess the likely impact
this may have on the auditor’s report.

9.4.6 Written Representations and Documentation


In the auditor’s letter of representation, the auditor shall obtain specific representation that:

1. Management has disclosed to the auditor the identity of the entity’s related parties and
all the related party relationships and transactions of which they are aware and

2. Management has appropriately accounted for and disclosed such relationships and
transactions in accordance with the requirements of the framework.

Auditors are required to document the names of identified related parties and the nature
of the related party relationships in their working papers. This documentation, while required,
is a helpful platform for subsequent audits.

9.4.7 Communication with Those Charged with Governance


It is important for auditors to communicate to management and, where different, those
charged with governance, significant matters relating to related parties that they have identified
during the course of an audit. This might include undisclosed related parties or related party
transactions or disagreements with management over the disclosure of significant related party
transactions.

Unless all of those charged with governance are involved in managing the entity, auditors
should communicate significant matters arising during the audit with those charged with
governance.

Knowledge Check Questions

Question 14
Describe at least six indicators of the existence of related parties and transactions for a
larger entity or group.

Question 15
Identify and explain what substantive audit procedures are to be performed over the
identity of related parties and related party transactions.


9.5 DISCOVERY OF ILLEGAL ACTS OR FRAUD DISCOVERED DURING THE AUDIT

9.5.1 The Auditor’s Responsibilities Relating to Fraud in an Audit of Financial Statements

As described in earlier chapters of this module, the auditor has a number of responsibilities
that pertain to the audit in relation to fraud. The reference standard relating to fraud is
HKSA 240, The Auditor’s Responsibilities Relating to Fraud in an Audit of Financial Statements.

If the auditor identifies a misstatement, the auditor shall evaluate whether such a
misstatement is indicative of fraud. If there is such an indication, the auditor shall evaluate
the implications of the misstatement in relation to other aspects of the audit, particularly the
reliability of management representations, recognising that an instance of fraud is unlikely to
be an isolated occurrence.

If the auditor identifies a misstatement, whether material or not, and the auditor has
reason to believe that it is or may be the result of fraud and that management (in particular,
senior management) is involved, the auditor shall re-evaluate the assessment of the risks of
material misstatement due to fraud and its resulting impact on the nature, timing, and extent
of audit procedures to respond to the assessed risks. The auditor shall also consider whether
circumstances or conditions indicate possible collusion involving employees, management, or
third parties when reconsidering the reliability of evidence previously obtained.

If the auditor has identified a fraud or has obtained information that indicates that a fraud
may exist, the auditor shall communicate these matters on a timely basis to the appropriate
level of management in order to inform those with primary responsibility for the prevention
and detection of fraud of matters relevant to their responsibilities.

Unless all of those charged with governance are involved in managing the entity, if the
auditor has identified or suspects fraud involving:

a. Management,

b. Employees who have significant roles in internal control, or

c. Others where the fraud results in a material misstatement in the financial statements,

the auditor shall communicate these matters to those charged with governance on a timely
basis. If the auditor suspects fraud involving management, the auditor shall communicate these
suspicions to those charged with governance and discuss with them the nature, timing, and
extent of audit procedures necessary to complete the audit.

The auditor shall communicate with those charged with governance any other matters
related to fraud or illegal acts that are, in the auditor’s judgement, relevant to their
responsibilities.

If the auditor confirms that, or is unable to conclude whether, the financial statements are
materially misstated as a result of fraud, the auditor shall evaluate the implications for the
audit and the potential auditor’s report that should be issued.


9.5.2 Consideration of Laws and Regulations in an Audit of Financial Statements

With the changes to the Code of Ethics for Professional Accountants (COE) issued by HKICPA, the
auditor’s responsibilities in relation to the identification and reporting against non-compliance
with laws and regulations (NOCLAR) have changed. Previously the overarching responsibility
in relation to confidentiality made it very difficult for auditors to determine whether or not to
report NOCLAR to a relevant authority.

Section 260 of COE sets out the following responsibilities of auditors:

• If an auditor of financial statements becomes aware of information concerning NOCLAR
or suspected NOCLAR, the auditor shall obtain an understanding of the matter. This
understanding shall include the nature of the NOCLAR or suspected NOCLAR and the
circumstances in which it has occurred or might occur.

• In discussing a NOCLAR or suspected NOCLAR with management and, where
appropriate, those charged with governance, the auditor shall advise them to take
appropriate and timely actions, if they have not already done so, to:

a. Rectify, remediate, or mitigate the consequences of the NOCLAR;

b. Deter the commission of the NOCLAR where it has not yet occurred; or

c. Disclose the matter to an appropriate authority where required by law or regulation
or where considered necessary in the public interest.

• The auditor shall consider whether management and those charged with governance
understand their legal or regulatory responsibilities with respect to the NOCLAR or
suspected NOCLAR.

• The auditor shall comply with applicable:

a. Laws and regulations, including legal or regulatory provisions governing the
reporting of NOCLAR or suspected NOCLAR to an appropriate authority and

b. Requirements under Auditing and Assurance Standards, including those relating to:

(i) Identifying and responding to NOCLAR, including fraud.

(ii) Communicating with those charged with governance.

(iii) Considering the implications of the NOCLAR or suspected NOCLAR for the
auditor’s report.

• The auditor shall assess the appropriateness of the response of management and,
where applicable, those charged with governance.

• The auditor shall exercise professional judgement in determining the need for, and
nature and extent of, further action. In making this determination, the auditor shall take
into account whether a reasonable and informed third party would be likely to conclude
that the auditor has acted appropriately in the public interest.

• If the auditor determines that disclosure of the NOCLAR or suspected NOCLAR to an
appropriate authority is an appropriate course of action in the circumstances, that
disclosure is permitted. When making such a disclosure, the auditor shall act in good
faith and exercise caution when making statements and assertions. The auditor shall
also consider whether it is appropriate to inform the client of their intentions before
disclosing the matter.

Having met all of the responsibilities outlined above, the auditor will need to determine
what impact a NOCLAR or suspected NOCLAR might have on the auditor’s opinion, and
whether they should continue as the auditor of the company or group.

It should be noted that it is likely that the obvious NOCLAR or suspected NOCLAR will relate
to laws and regulations more observable to an auditor when undertaking a financial statement
audit. It is not expected that an auditor will search for NOCLAR beyond the work undertaken
for the financial statement audit.

Knowledge Check Questions

Question 16
Explain what you would recommend the auditor to do when conducting the audit of the
financial statements of a major retailer and discovering that a service assistant had stolen
HK$1,000 from the cash takings, which is immaterial for the financial statements.


SUMMARY

This chapter has set out various requirements of auditors during the completion phase of the
audit. The completion phase should be viewed as bringing all previous activities of the auditors
to a conclusion with the ultimate output being the auditor’s report.

Taking a step back and taking a final overall look at what has been collected in terms of
sufficient appropriate audit evidence to support an auditor’s opinion is critical. In this chapter
the following headlines have been explored in detail.

• Audit Completion

• Going Concern

• Subsequent Events

• Written Representations

• Overall Audit of the Financial Statements

• Evaluation of Misstatements Identified During the Audit

• Communicating with Those Charged with Governance

• Related Parties

The auditor must be satisfied that the risk that a material misstatement exists after audit
completion has been minimised to an acceptable level.

As has been demonstrated in this chapter, what happens with an auditee can extend
past the period and date and even after an auditor’s opinion has been signed. Professional
scepticism on the part of the auditor never really ceases.


MIND MAP: MAJOR ACTIONS DURING THE AUDIT COMPLETION

AUDIT COMPLETION
Sufficient Appropriate Audit Evidence
  • How much is enough
  • Quality of evidence obtained

PLAN THE PROCEDURES TO BE CONDUCTED AT THE COMPLETION OF THE AUDIT
Not a discrete and separate part of the overall audit
Subject to change dependent on unforeseen circumstances

EXPLAIN THE PURPOSE OF AND PROCEDURES TO BE USED DURING AUDIT COMPLETION
A Going Concern review
  • Factors that may indicate going concern issue
  • How management assessed going concern
  • Implication for auditor’s report
A Subsequent Events Review
  • Two types
  • Three key phases
Obtaining Written Representations for Management
  • Requirements of representation letter
Overall Audit of Financial Statements
  • Completeness of disclosures
  • Accuracy of disclosures
  • Final analytical procedures
Review of other published information
  • Contingent Liabilities and Commitments
    - Identification of factors
    - Values attributable
    - Adequate disclosures
Evaluation of Misstatement Identified during the Audit
  • Current year misstatements
  • Summary of misstatements
  • Impact of uncorrected misstatements
Communicating with Those Charged with Governance
  • Audit matters of governance interest
  • Communication mechanisms

RELATED PARTIES
Auditor’s objectives
Definition of a Related Party
Risk Assessment procedures and Related Activities
Responses to the Risks of Material Misstatement Associated with Related Party
Relationships and Transactions
Evaluation of the Accounting for and Disclosure of identified Related Party
Relationships and Transactions
Written Representations and Documentation
Communication with Those Charged with Governance

DISCOVERY OF ILLEGAL ACTS OR FRAUD DISCOVERED DURING THE AUDIT
The Auditor’s Responsibilities Relating to Fraud in an Audit of Financial Statements
Consideration of Laws and Regulations in an Audit of Financial Statements

Answers to Knowledge Check Questions

Question 1
The answer should cover:
Source of evidence – external. Externally and independently derived audit evidence, in
most cases, has a greater level of credibility and effectiveness than internally generated
evidence. This evidence usually takes the form of confirmations, expert reports, analyst’s
reports, and benchmarking data. These sources will either act as primary evidence or serve
to corroborate management’s assertions.
Source of evidence – internal. Audit evidence derived from the entity’s accounting
records and its controls. Inter-relationships between internally sourced data can provide a
degree of corroboration.
How the audit evidence was obtained and evaluated – inspection, observation,
recalculation, re-performance, analytical procedures, and inquiry can be applied, as
appropriate, to the circumstances.
Relevance to the risks and assertions being audited – logical connection needs to be
achieved between the evidence gathered and the risks and assertions being considered.


Question 2
Factors include:
Financial:
• Current liabilities exceed current assets.
• Total liabilities exceeding total assets.
• Total cash-outflows from operating activities.
• Current and historical operating losses.
• Cash on delivery terms commenced by creditors.
• Unusual financing arrangements (usually sourced from offshore countries that have
questionable tax regimes).
• Significant legal costs and pending cases.
• Bank covenant breaches.
Operational:
• Long lead times on sales of both current and non-current assets.
• Significant amount of debt due and payable.
• Creditor days extending dramatically.
• Supply chain issues.
• Increase in competition.
• Loss of major customers.
Other:
• Recent economic or environmental disasters.
• Changes in laws and regulation.
• Non-insurable events occur.

Question 3
Answer A is incorrect. The auditor’s responsibility in terms of audit procedures only
extends to the date of the auditor’s report for the current accounting period.
Answer B is incorrect. The auditor’s responsibility in terms of audit procedures only
extends to the date of the auditor’s report for the current accounting period.
Answer C is correct. The auditor’s responsibility in terms of audit procedures only extends
to the date of the auditor’s report for the current accounting period.
Answer D is incorrect. The auditor’s responsibility in terms of audit procedures only
extends to the date of the auditor’s report for the current accounting period.

Question 4
Type 1 are those that provide further evidence of conditions that existed at the end of the
financial period and require the financial statements to be adjusted; and
Type 2 are those that provide evidence of conditions that arose after the end of the financial
period; while not adjusted, they are acknowledged by way of note disclosure.


Question 5
The three key objectives are:
• To obtain written representations from management and, where appropriate, those
charged with governance that they believe that they have fulfilled their responsibility
for the preparation of the financial statements and for the completeness of the
information provided to the auditor.
• To support other audit evidence relevant to the financial statements or specific
assertions in the financial statements by means of written representations, if
determined by the auditor or required by other HKSAs.
• To respond appropriately to written representations provided by management
and, where appropriate, those charged with governance or, if management, or
where appropriate, those charged with governance do not provide the written
representations requested by the auditor.

Question 6
At a minimum the following should be included in the written representation letter:
• Management’s acknowledgment of its responsibility for the proper preparation
of the financial statements in accordance with the Hong Kong Financial Reporting
Standards.
• The availability of books and records.
• The completeness and availability of all minutes of meetings of directors and
associated board committees.
• Management assurance that it has made available all letters from regulatory
agencies concerning non-compliance with, or deficiencies in, financial reporting
practices.
• Management’s assurance that there are no unrecorded transactions.
• Management’s acknowledgement of its responsibility for the design and
implementation of controls and for the system of financial controls.
• Management assurance that it has disclosed all liens and other encumbrances on
its assets.
• Management’s assurance that all material transactions have been
appropriately recorded.
• Significant assumptions used by us in making accounting estimates, including those
measured at fair value, are reasonable (HKSA 540 (Revised)).
• Related party relationships and transactions have been appropriately accounted for
and disclosed in accordance with the requirements of Hong Kong Financial Reporting
Standards (HKSA 550 (Clarified)).
• All events subsequent to the date of the financial statements and for which Hong
Kong Financial Reporting Standards require adjustment or disclosure have been
adjusted or disclosed (HKSA 560).
• The effects of uncorrected misstatements are immaterial, both individually and
in the aggregate, to the financial statements as a whole. A list of the uncorrected
misstatements is attached to the representation letter (HKSA 450).
• Any other matters that the auditor may consider appropriate.


Question 7
Answer should include discussion on:
In the case of identified inconsistencies between one or more written representations and
audit evidence obtained from other sources, the auditor should consider whether the risk
assessment remains appropriate and, if not, revise the risk assessment and determine the
nature, timing, and extent of further audit procedures that might be required to respond
to the assessed risks.
Concerns about the competence, integrity, ethical values, or diligence of management,
or about its commitment to or enforcement of these, may cause the auditor to conclude
that the risk of management misrepresentation in the financial statements is such that an
audit cannot be conducted. In such a case, the auditor may consider withdrawing from the
engagement, where withdrawal is possible under applicable law or regulation, unless those
charged with governance put in place appropriate corrective measures. Such measures,
however, may not be sufficient to enable the auditor to issue an unmodified audit opinion.

Question 8
Disclosures of information that would be deemed qualitative in nature are:
• Descriptions of significant accounting policies and critical accounting estimates,
including note disclosure when there has been any change in accounting policies or
critical accounting estimates.
• Information about the identity of related parties.
• Description of the basis for impairment losses recognised in the financial statements.
• Information about application of the going concern assumption when appropriate.
• Information about the circumstances leading to contingent liability disclosures.
Judgement is needed to help determine whether qualitative disclosures are material
or not.

Question 9
The audit procedures to determine completeness and accuracy of contingent liabilities
should include the following:
• An external confirmation issued in line with HKSA 505 (Clarified), External
Confirmations, to legal counsel and banks. The types of information the auditor might
ask for include:
  ◦ A list and progress report of any pending or imminent litigation to which legal
    counsel has given substantial attention.
  ◦ A list of other claims such as warranties and guarantees, including comment
    from legal counsel on their opinion of probability and HK$ outcome.
  ◦ Bank guarantees.

• Examination of the minutes of the board of directors to determine if, for example,
any guarantees have been approved against loans.
• Examination of any environmental reviews and their likely outcomes for the entity.
• Consider industry practices. For example, for mining companies, it is common that
contracts will include ‘make good’ (restoration) clauses, under which, as events occur
(e.g. as damage occurs to the relevant environment), the recognition criteria for
liabilities could be met (as the need to restore an asset could become probable and
be reliably estimated).
• Product warranty arrangements to determine whether commitments and
contingencies are appropriately recognised.

Question 10
The following are examples of audit procedures to determine the completeness and
accuracy of commitments:
• Determine the amounts and time allocations for payments under operating leases. (HKAS
16, Leases, becomes effective in 2019, which means that operating leases will be recognised
in the balance sheet and cease to be a commitment requiring note disclosures. Refer to
the financial reporting module for further information.)
• Determine whether there are any commitments for capital expenditure contracted for
future periods through discussion with management and review of minutes.
• Determine whether there are any licensing costs subject to commitment.

Question 11
The auditor should do the following:
• Reference materiality levels.
• Each member of the audit team who identifies a misstatement should accumulate it
in a central repository, unless it is clearly trivial.
• Reviewers of working papers should ensure that, if a misstatement has been
identified, it has been cleared to a central repository.
• Any such misstatements should be accumulated up until the date of the
auditor’s report.

Question 12
The three types of unrecorded misstatements that the auditor may need to communicate
to management throughout the audit process are:
Factual misstatements are those about which there is no doubt. The amount or
disclosure is materially incorrect.
Projected misstatements are the auditor’s best estimate of misstatements in
populations, involving the projection of misstatements identified in audit samples to
the entire population from which the samples were drawn.
Judgemental misstatements are those arising from the judgements taken by
management concerning accounting estimates and/or accounting policies that the
auditor disagrees with. These misstatements can in many cases cause some debate
between management and the auditor.

Question 13
Any five of the following would be an appropriate answer:
• The overall approach and scope of the audit, including any limitations on the scope
of the audit.
• The accounting policies, and any changes to them, that could materially affect the
financial statements.


• For listed companies, Key Audit Matters. (Refer to Chapter 10 for further details on
Key Audit Matters.)
• Adjustments arising as a result of audit procedures that could materially impact the
financial statements.
• Material events or uncertainties that could jeopardise the going concern status and
that require disclosure within the financial statements.
• Disagreements with management over accounting treatments or disclosures.
• Any expected modifications to the auditor’s report.
• Material weaknesses discovered in the internal systems and controls.

Question 14
The answer should include any six of the following:
• Continuous roll-over of loans with no repayment.
• Lack of documentation supporting loans.
• Significant cash outflows that have been expensed in an unusual manner.
• Overly complex joint venture arrangements, where terms do not make
commercial sense.
• Unexplained movement of funds around a group.
• Fictitious employees.
• Management charges between companies that do not make sense.
• Credit card bills used to support purchases without description.
• High levels of entertainment expenses.
• Change of major suppliers with no tender sought and informal documentation.
• Large unexplained discounts being given or received.
• Limited documentation supporting major transactions such as the purchase or sale
of assets, lease agreements, plant, and equipment.
• The existence of suspense accounts and contra accounts.
• Difficulty in reconciling inter-company balances.

Question 15
Perform appropriate substantive audit procedures, such as:
• Inquiring about the entity’s relationships with identified related parties, including,
where appropriate, inquiring of parties outside the entity, such as solicitors, agents and
representatives, guarantors, or other close business partners;
• Analysing accounting records for transactions with identified related parties;
• Verifying the terms and conditions of the identified transactions and evaluating
whether they have been appropriately accounted for and disclosed; and
• Reconsidering the risk that further unidentified or undisclosed relationships or
transactions exist and, if the non-disclosure appears intentional, evaluating the
implications for the audit.


Question 16
The auditor should:
• Discuss the matter with an appropriate level of management of the entity.
• Determine why the controls of the entity failed.
• Consider the implications of the defalcation for other aspects of the audit or be
satisfied that, in view of the perpetrator of the fraud, there are no implications for
other areas of the audit.
• Ensure that the matter is reported to those charged with governance.

EXAM PRACTICE

QUESTION 1
Market Limited is a non-listed company that runs a daytime market on Hong Kong Island
every day of the week, except during the Lunar New Year. During the current year’s audit you
have become aware that store holders have not been declaring sales at the appropriate level
for the purpose of paying rent, and you have also discovered that Market Limited has been
illegally dumping huge amounts of waste into the harbour.

(a) Identify what the audit engagement team needs to focus its audit effort on with
regard to the potential under-receipt of rent.

(b) Explain what responsibilities the audit team has in relation to the illegal activities of
the audit client.

QUESTION 2
Events Company has for many years been the pre-eminent events management company
in Hong Kong, Macau, and Singapore. Its name has been behind all of the top events, and
it has also been the company used by all of the wealthy families. The Company has a large
distribution centre where all its events furniture, equipment, and trucks are housed.
Next to the distribution centre is the catering facility. The Company also has its own jet to
ensure clients’ demands are met on a timely basis. With its rapid growth over the last three
years and heavy investment in infrastructure, Events Company has a large outstanding
debt with a major bank. During the planning phase of the current period’s audit, the audit
team becomes aware of a scandal in which Events Company has disclosed confidential
client information, which has resulted in future clients cancelling major events. As the audit
proceeds, the auditor becomes aware of the increasing number of cancellations. Explain
what steps the auditor should take in determining whether there is a going concern issue.

QUESTION 3
Describe at least eight matters that may be of interest to those charged with governance
and therefore should be communicated during the audit process.

QUESTION 4
Aussie Limited is a 100% owned significant subsidiary of Hong Kong Fruits. Hong Kong Fruits
has a year end of 31 December. Hong Kong Fruits sources all of its tomatoes and bananas
from Aussie Limited and has invested heavily in infrastructure. On 15 January after the
current year end, Aussie Limited’s stock and infrastructure were completely destroyed by
terrible bushfires. Given this event, what should the auditor of Hong Kong Fruits consider?

QUESTION 5
The following procedures have been carried out by an engagement senior with regard
to the audit of the obsolescence provision of an electronics retailer, which sources all its
inventory from external suppliers and has 8,000 different stock keeping units (SKUs). The
amount of obsolescence provision is material to the Statement of Financial Position.

Evaluate whether the senior has obtained sufficient appropriate audit evidence in line
with the requirements of HKSA to form a conclusion and, if you do not believe that sufficient
appropriate audit evidence has been obtained, recommend what other further procedures
should be conducted before the completion of the audit.

                                         2020             2019
                                          HK$              HK$
Inventory – Finished goods        222,000,000      170,000,000
Inventory – Goods in transit       15,000,000        5,000,000
Provision for obsolescence          5,200,000        6,500,000
Carrying value of inventory       231,800,000      168,500,000

Overall materiality is set at HK$5,400,000 and performance materiality at HK$3,500,000.


The audit senior has:

(a) Assessed that the risk in relation to valuation of inventory is high.

(b) Determined that a fully substantive audit approach would be adopted.

(c) Conducted a high-level analysis on the movement in inventory levels and the level
of provision and concluded that the movements look to be in line with the general
understanding of the business and the fact that the buyers purchased more inventory
this year because of a likely decline in the HK$ and the need to service expected sales
campaigns.

(d) On the basis of the analysis performed, it was determined that the senior would
conduct tests of detail by doing the following procedures as the inherent risk in his view
had dropped to medium:

(i) Picking a limited random sample of 30 items from the inventory listing and testing
the cost back to the purchase invoice and testing the cost against the sales price
at year end.

(ii) Determining, using the same sample, whether the ageing of the inventory
was correct.

(iii) Conducting a reasonableness analysis by applying the client’s provision percentages
against the age categories to determine if there were any differences.

On the basis of the audit work performed, it was concluded that ‘there were no exceptions
noted’.

(e) This can be interpreted to mean that the obsolescence provision was correctly stated.

(f) The view was formed that no further audit procedure is required to deal with inventory
obsolescence.


ANSWERS TO EXAM PRACTICE

QUESTION 1
(a) The auditor shall evaluate whether such a misstatement is indicative of fraud. If there
is such an indication, the auditor shall evaluate the implications of the misstatement
in relation to other aspects of the audit, particularly the reliability of management
representations, recognising that an instance of fraud is unlikely to be an isolated
occurrence.

If the auditor identifies a misstatement, whether material or not, and the auditor
has reason to believe that it is or may be the result of fraud and that management
(in particular, senior management) is involved, the auditor shall re-evaluate the
assessment of the risks of material misstatement due to fraud and its resulting impact
on the nature, timing, and extent of audit procedures to respond to the assessed risks.
The auditor shall also consider whether circumstances or conditions indicate possible
collusion involving employees, management, or third parties when reconsidering the
reliability of evidence previously obtained. This is unlikely in this case, given that
the fraud is being perpetrated by the stall holders.

If the auditor has identified a fraud or has obtained information that indicates that
a fraud may exist, the auditor shall communicate these matters on a timely basis to the
appropriate level of management in order to inform those with primary responsibility
for the prevention and detection of fraud of matters relevant to their responsibilities.

Unless all of those charged with governance are involved in managing the
entity, if the auditor has identified or suspects fraud involving:

(i) Management,

(ii) Employees who have significant roles in internal control, or

(iii) Others where the fraud results in a material misstatement in the financial
statements,

the auditor shall communicate these matters to those charged with governance
on a timely basis. If the auditor suspects fraud involving management, the auditor shall
communicate these suspicions to those charged with governance and discuss with them
the nature, timing, and extent of audit procedures necessary to complete the audit.

The auditor shall communicate with those charged with governance any other
matters related to fraud or illegal acts that are, in the auditor’s judgement, relevant to
their responsibilities.

If the auditor confirms that, or is unable to conclude whether, the financial
statements are materially misstated as a result of fraud, the auditor shall evaluate the
implications for the audit and the potential auditor’s report that should be issued.

(b) Section 260 of the Code of Ethics sets out the following responsibilities of auditors:

• If an auditor of financial statements becomes aware of information concerning
non-compliance with laws and regulations (NOCLAR) or suspected NOCLAR, the auditor
shall obtain an understanding of the matter. This understanding shall include the
nature of the NOCLAR or suspected NOCLAR and the circumstances in which it has
occurred or might occur.

• In discussing a NOCLAR or suspected NOCLAR with management and, where
appropriate, those charged with governance, the auditor shall advise them to take
appropriate and timely actions, if they have not already done so, to:

(i) Rectify, remediate or mitigate the consequences of the NOCLAR;

(ii) Deter the commission of the NOCLAR where it has not yet occurred; or

(iii) Disclose the matter to an appropriate authority where required by law or
regulation or where considered necessary in the public interest.

• The auditor shall consider whether management and those charged with
governance understand their legal or regulatory responsibilities with respect to the
NOCLAR or suspected NOCLAR.

• The auditor shall comply with applicable:

(i) Laws and regulations, including legal or regulatory provisions governing the
reporting of NOCLAR or suspected NOCLAR to an appropriate authority and

(ii) Requirements under Auditing and Assurance Standards, including those
relating to:

  ◦ Identifying and responding to NOCLAR, including fraud.

  ◦ Communicating with those charged with governance.

  ◦ Considering the implications of the NOCLAR or suspected NOCLAR for the
    auditor’s report.

• The auditor shall assess the appropriateness of the response of management and,
where applicable, those charged with governance.

• The auditor shall exercise professional judgement in determining the need for, and
nature and extent of, further action. In making this determination, the auditor shall
take into account whether a reasonable and informed third party would be likely to
conclude that the auditor has acted appropriately in the public interest.

• If the auditor determines that disclosure of the NOCLAR or suspected NOCLAR to an
appropriate authority is an appropriate course of action in the circumstances, that
disclosure is permitted. When making such disclosure, the auditor shall act in good
faith and exercise caution when making statements and assertions. The auditor
shall also consider whether it is appropriate to inform the client of their intentions
before disclosing the matter.

Having met all of the responsibilities outlined above, the auditor will need to determine
what impact a NOCLAR or suspected NOCLAR might have on the auditor’s opinion and
whether they should continue as the auditor of the company or group.

QUESTION 2
The answer should include the following:

• Audit of budgets and forecasts for sales revenue, expenses, with a detailed analysis of
the underlying assumptions and appropriateness of their use. This should obviously
be a recast of the original budgets and forecasts given the cancellation of many events
by clients.


• Understand the plans to minimise the costs until revenue growth can be obtained.

• Management plans and minutes supporting changes to operating strategies and plans
to mitigate the loss of clients.

• Where creditors or financiers give written agreement that they will not call back
what is owed to them for at least 12 months from the date of the financial statements,
confirm that this is financially viable.

• Obtain proof of support from related parties that they can underwrite any payments
of debts as and when they fall due for 12 months from the date of the financial
statements.

• Understand what further funding from creditable financiers could be obtained.

• Determine whether there are any implications for the auditor’s report.

QUESTION 3
The eight matters should include the following:

• The overall approach and scope of the audit, including any limitations on the scope of
the audit.

• The accounting policies, and any changes to them, that could materially affect the
financial statements.

• For listed companies, Key Audit Matters.

• Adjustments arising as a result of audit procedures that could materially impact the
financial statements.

• Material events or uncertainties that could jeopardise the going concern status and that
require disclosure within the financial statements.

• Disagreements with management over accounting treatments or disclosures.

• Any expected modifications to the auditor’s report.

• Material weaknesses discovered in the internal systems and controls.

• Details of any threats to independence and objectivity, and of any safeguards adopted.

• Explanations of the audit approach used (for example, the concept of materiality and its
application to the audit process).

• A summary of business risks identified, including an assessment of the likelihood of the
risks materialising.

• A review of the contents of written representations.

• Recommendations, where relevant, to help improve the entity’s internal systems
and controls.

QUESTION 4
This is a subsequent event occurring between the date of the financial statements and the
date of the auditor’s report:

The auditor needs to refer to their initial risk assessment undertaken under the
requirements of HKSA 315 (Revised 2019), and updated as appropriate throughout the audit
process, to determine the appropriate extent of additional audit procedures that need to be
undertaken. It is important to note that audit procedures undertaken should be completed
as close to the date of the auditor’s report as possible. The procedures may include:

• Gaining an understanding of how management has identified and assessed the
significance of the subsequent events and the reasonableness of the assumptions used
by management in drawing their conclusions;

• Enquiring of management and potentially the Board to establish the extent of the
financial impact on the entity;

• Determining the impact on the entity’s financial statements;

• Reviewing trial balances produced after the period end;

• Contacting legal counsel to determine whether anything has come to their attention
since sending their written confirmation. (Note that often regulators expect, although
this is not written in law or the auditing standards, that such a follow-up should be
made a maximum of seven days before the date of the auditor’s opinion.)

This is definitely a Type 2 event so extensive note disclosures would be required. If such
a note disclosure in the view of the auditor is not sufficient then the auditor would need to
consider the potential impact that fact may have on the auditor’s opinion.

QUESTION 5
Sufficient appropriate audit evidence has not been obtained, nor have the requirements
of auditing standards been followed.

Recommendations should include all of the following:

1. Given that the risk around the obsolescence provision was assessed as high, there are
requirements in HKSA 315 (Revised 2019) and HKSA 330 that the auditor should at the
very least understand the controls management have in place over its obsolescence
provisioning and document those controls. If the controls are to be tested then they
should be tested annually.

2. A high-level fluctuation analysis would not provide any audit comfort, as it is not
analytical by nature and does not meet the requirements of HKSA 520 (Clarified).

3. The limited level of audit sampling and the method for selecting items would appear
to be questionable as there are over 8,000 SKUs and this sample is the sole basis on
which the conclusion is being drawn on whether the inventory obsolescence provision
is materially correct.

4. The auditor should check that, subsequent to year end, the selling prices of
the items that were subject to audit sampling have not decreased (as decreases would
indicate an issue with NRV and thus the level of provision).

The auditor has not looked at the months’ cover of inventory (how many months of
sales could be met by the current levels of inventory by SKU), which is an essential basis
for determining the reasonability of the provision, in the retail sector in particular. If, on
average, inventory has in the past been turned over x times per year, the senior should
have checked whether the turnover slowed down in the current period. If so, this might
suggest that the inventory is not realisable at an amount in excess of the carrying
amount and that a write-down might be required. This should then be compared
to the management’s assessment of the levels to determine whether a material
difference exists.

5. The auditor has not made any assessment of the reasonability of the management’s
percentages applied as the basis for provision. HKSA 540 (Revised) requires an auditor,
when auditing an accounting estimate, which is what an obsolescence provision
is, to test the underlying assumptions and point estimates by management and to
stand back and conduct sensitivities on those assumptions and estimates to form an
independent view.

6. The auditor has not conducted an actual loss assessment on sales for the current year.
This would involve taking particular items of stock and comparing sales prices achieved
with the carrying amounts at the year end. To undertake this audit procedure would
assist the auditor in determining whether the percentages applied by management as
the basis for provision are appropriate.

7. After having conducted all of the above additional procedures the auditor will need to
consider the results of the testing against the level of performance materiality, whether
an adjustment is needed to the summary of unadjusted differences, any post balance
date events, and any perceived impacts to the auditor’s opinion.

8. Inventory obsolescence would need to be addressed in the management
representation letter.

9. The auditor needs to consider whether any issues should be communicated to those
charged with governance.



10
Auditor’s Reporting

CHAPTER TOPIC LIST

10.1 Auditor’s Objectives
  10.1.1 Importance of the Auditor’s Report
  10.1.2 Implications of Materiality for the Auditor’s Opinion
10.2 Components of an Auditor’s Report
  10.2.1 Title of Auditor’s Report
  10.2.2 Addressee
  10.2.3 Auditor’s Opinion
  10.2.4 Basis for Opinion
  10.2.5 Key Audit Matters
  10.2.6 Other Information
  10.2.7 Responsibilities of Directors and Those Charged with Governance
  10.2.8 Auditor’s Responsibilities for the Audit of the Financial Statements
  10.2.9 Report on Other Legal and Regulatory Requirements
10.3 Auditor’s Report Requirements
10.4 Form of Opinion
  10.4.1 Unmodified Opinion
  10.4.2 Modified Opinion
10.5 Modified Opinions
  10.5.1 Qualified Opinion
  10.5.2 Adverse Opinion
  10.5.3 Disclaimer of Opinion
10.6 Additional Communications in the Auditor’s Report
  10.6.1 Key Audit Matters (‘KAMs’)
  10.6.2 Other Information
  10.6.3 Material Uncertainty Related to a Going Concern
  10.6.4 Emphasis of Matter Paragraph
  10.6.5 Other Matter Paragraph
10.7 Auditor Reporting on Opening Balances
  10.7.1 First Year Audit for the Existing Auditor
  10.7.2 Prior Period Auditor’s Report Modifications to Be Assessed by Existing Auditor
10.8 Review Opinions for Interim Financial Statements
  10.8.1 Reporting the Nature, Extent, and Results of the Review of Interim Financial Information
  10.8.2 Differences between an Auditor’s Opinion and an Auditor’s Conclusion
10.9 Auditor Reporting on Special Purpose Frameworks
  10.9.1 Auditor’s Report Format in Line with HKSA 800 (Revised)
  10.9.2 Auditor’s Report Format on Other Than Complete Financial Statements
10.10 Auditor’s Reporting on Small- and Medium-sized Entities
  10.10.1 Auditor’s Report


LEARNING OUTCOMES

PRINCIPAL LO1: PERFORM ASSURANCE ENGAGEMENTS

LO1.13: Prepare, plan, and develop assurance engagements including the audits of financial
statements in accordance with relevant Hong Kong Standards of Quality Control,
Auditing, Assurance and Related Services, guidance, and legislation with emphasis on:
Reporting
1.13.03 Analyse the format and content of modified and unmodified auditor’s report
1.13.04 Recommend an appropriate audit opinion based on the audit evidence collected
1.13.05 Prepare final reports for the audit


OPENING CASE

CWAVES FERRY HOLDING COMPANY LIMITED

This case study is the basis for illustration in the rest of this chapter.

CWaves Ferry Holding Company Limited (CWaves) is a publicly listed company on the
Hong Kong Stock Exchange (HKEx) and operates ferry services in Hong Kong Harbour, Sok
Kwu Wan, Shenzhen, and Macau. CWaves has a 31 December year end and has 10 wholly
owned subsidiaries, which it must consolidate for the purpose of reporting under Cap.622,
Section 379(2) of the Hong Kong Companies Ordinance and HKFRS 10, Consolidated Financial
Statements. The CWaves group has significant investments in buildings, godowns, port
infrastructure, travel agencies, and hotels.

Chloe Cheng is a newly appointed independent non-executive director of CWaves. She is
concerned about the possible audit reporting outcomes for the coming year end audit cycle.
CWaves must lodge its financial report under its annual filing obligations; however, on top of
this, CWaves must also provide to its off-shore banks, on an annual basis, audited financial
statements prepared under the Hong Kong Financial Reporting Standards (HKFRSs) for its
eight material subsidiaries, as required by the banking agreements. The banking arrangements
entered into require audited financial statements to be forwarded to the banks five months
after each year end.

Chloe Cheng is concerned about the level of key audit matters that might be disclosed
in the auditor’s report of CWaves’ consolidated financial statements, given the complexity
surrounding the accounting for some of the group’s non-current assets and its share-based
payments to directors. She is also concerned about what effect this might have on the share price
of CWaves. She is also concerned about the carry-over effects of prior period qualifications
relating to impairments against goodwill.

The auditor’s reports for some of the material subsidiaries are also concerning Chloe Cheng
for the following key reasons:

1. CWaves Hotels has suffered losses for the last three years and the level of external
debt has increased substantially over the last two years. Also, there have been net
cash outflows from operating activities in those years. There are no cross guarantees
between this company and other companies in the CWaves group.

2. Wonder Travel Company’s revenue recognition policy and accounting have been the
topic of discussion and of concerns expressed by the company’s previous external auditor
(Diligent Audit Firm (‘Diligent’)) for a number of years. Quality Audit Firm (‘Quality’),
the new audit firm for the current reporting period, has noted during the planning
phase for the upcoming 31 December 20X2 year end audit that, if there is a material issue
emerging in the current year under the requirements of the new HKFRS 15, Revenue
from Contracts with Customers, a modification to the auditor’s opinion might be required.

Quality was appointed at the previous year’s annual general meeting in line with
Section 396 of the Hong Kong Companies Ordinance.

Chloe Cheng has requested a meeting with the board’s audit committee and Quality to
discuss the transition of Quality as the new group auditor and to determine what view Quality
will have in relation to opening balances. Chloe Cheng would also like to understand the
approach Quality will have to the group’s interim financial statements. Quality’s audit partner
Jianji Ling will lead this audit engagement.

The group structure is as in Exhibit 10.1.

CORPORATE STRUCTURE

CWaves Ferry Holding Company Limited holds 100% of each of the following ten
subsidiaries (the figure also carries the label ‘Material to the Group’):

1 CWaves Hotels Company
2 CWaves Ferry’s Company
3 HKCW Development Holding Company
4 HKCW Investment Limited
5 Hai Cruising Company
6 CWaves Maintenance Company
7 CWaves Godown Company
8 Donghai Company
9 CWaves Management Company
10 Wonder Travel Company

EXHIBIT 10.1 Corporate structure of CWaves Ferry Holding Company


OVERVIEW

Understanding an auditor’s report and what goes behind it can be a complex task for auditors
as well as stakeholders (i.e. company management and/or those charged with governance).
Stakeholders are hereafter referred to simply as Management.
If those charged with governance is the name given instead of a Board of Directors, then use
the term for those charged with governance and management separately.

The final decision as to what the auditor’s report will look like is that of the auditor alone,
but is fundamentally shaped by the requirements of auditing standards, laws, and regulations.
It reflects the independent nature of auditors and their reporting.

This chapter looks at the various steps the auditor must take in determining the
appropriate form of an auditor’s opinion. It also explores the different types of auditor’s
reports from unmodified, to modified, to interim financial statements and special purpose
frameworks and takes into consideration the Hong Kong Companies Ordinance requirements.

It is important for an accountant in public practice or an accountant in business to
understand the auditor’s work as set out in the auditor’s reporting standards suite – HKSA 700
(Revised), Forming an Opinion and Reporting on the Financial Statements. Practice Note 600.1
(Revised), Reports by the Auditor under the Hong Kong Companies Ordinance (Cap.622) issued by
HKICPA, is very helpful in terms of general application for auditor’s reporting.

Hong Kong saw the introduction of the new and revised auditor’s reporting standards (‘the
suite’) for periods ending on or after 15 December 2016, so what you will learn in this chapter,
particularly in relation to HKSA 701, Communicating Key Audit Matters in the Independent Auditor’s
Report, is relatively new in an auditor’s reporting.

10.1 AUDITOR’S OBJECTIVES

Management is responsible for designing and maintaining an accounting system that
appropriately draws data together from other internal management reporting systems to
capture all business transactions, events, and circumstances needed to compile a set of
financial statements. Those outside the company, such as stakeholders, the Hong Kong Stock
Exchange (HKEx), the Inland Revenue Department (IRD), and the Companies Registry, may be
concerned about whether management has prepared the financial statements in accordance
with HKFRSs, the Hong Kong Companies Ordinance, and other regulations that may be applicable
to the auditee.


The auditor, exercising professional judgement and scepticism, will review the (implicit
and explicit) assertions of management and consider whether management could have
unintentionally or intentionally presented some of the financial information and/or events
more optimistically or pessimistically than required under HKFRSs. Alternatively, could
management have intentionally included fictitious revenues, or omitted expenses, hidden bank
loans, or bolstered inventory numbers so that the financial statements would appear other
than in accordance with the company’s actual financial position?

The objectives of the auditor in forming an auditor’s opinion therefore are:

1. To form an opinion on the financial statements based on an evaluation of the
conclusions drawn from the audit evidence obtained; and

2. To express clearly that opinion through a written report.

10.1.1 Importance of the Auditor’s Report


An independent auditor’s report is designed to significantly reduce the concerns that
unintentional and intentional misstatements may have occurred and to provide assurance that
the financial statements, as a whole, are prepared in accordance with HKFRSs and can be relied
on by all users of the financial statements.

The importance of the independence of the auditor cannot be overestimated as it is
fundamental to the level of confidence that the auditor’s report is appropriate and that
the message of the auditor’s report will be heard in whatever form it takes: unmodified,
modified, or reports for special purpose frameworks (the different types of auditor’s reports and
auditor’s review reports will be explored in detail later in this chapter).

Independence is covered in more detail in Chapter 1. However, as a result of a number
of corporate scandals and failures in the USA and elsewhere in the 1990s, and those of
the Global Financial Crisis in 2007–2008, significant focus was placed on the degree of
auditors’ independence. Regulator intervention, new accounting and auditing standards, and
considerable media focus and investor criticisms ensued from those scandals and failures.
These developments, in turn, led to a greater focus by the International Ethics Standards
Board for Accountants (IESBA), and in Hong Kong by the HKICPA, on auditors’ independence
and maintaining confidence in the auditor’s reports.

The importance of the auditor’s reports has been described here to assist understanding of
the fundamental premise of the need for auditor’s reporting.

10.1.2 Implications of Materiality for the Auditor’s Opinion


The overall objectives of the auditor are to obtain and communicate in the auditor’s report
reasonable assurance that the financial statements are free from material misstatement.
Materiality therefore is a crucial concept at all stages of the audit process, from planning
continually through to the point of signing the financial statements. The concept of materiality
was addressed in detail in Chapter 5, so, should you need to, refer back to that chapter or to
HKSA 320, Materiality in Planning and Performing an Audit.

As the auditor moves through the conduct of the auditor’s procedures, in whatever form
the auditor determines is appropriate, to reduce detection risk (see Chapter 6) to an acceptable
level, the auditor must consider the likely implications of any misstatements that are discovered
for the financial statements.

At the end of the audit, when drawing a conclusion on any uncorrected misstatements and
making a final determination on the impact the uncorrected misstatements may have on the
financial statements and ultimately the auditor’s opinion, the auditor should re-evaluate the
level of materiality that has been used during the course of the audit. The auditor must then
determine whether the level of materiality remains appropriate at the time of the preparation
of the financial statements and at the time of the issuance of the auditor’s report.

It is very important in practice to take the time to stand back from the detail of all the
working papers that have been collated throughout the entire audit process, in order to
reflect on the overall materiality levels being applied to the final decisions on the form of the
auditor’s opinion.

Financial statements are prepared by management on the basis that they are in accordance
with HKFRSs, the Hong Kong Companies Ordinance, and other relevant legal and regulatory
requirements so that they are not materially misstated. Management themselves will have made
their own determination as to materiality levels during the preparation of the financial
statements. The auditor, in determining the levels of materiality throughout the audit process,
should come to an independent conclusion on management’s assumptions about materiality.

As materiality is concerned with the level of importance of information provided to users
for making economic decisions, the auditor is required to be mindful of both the quantitative
and qualitative characteristics of the information being considered. For example, provision
for legal costs against the auditee for environmental indiscretions may be quantitatively
immaterial, but the disclosures surrounding the environmental indiscretions may influence
the auditor’s assessment of what users may consider material. Another example might be
a non-arm’s-length transaction initiated by a director of the auditee that is small in terms of
HK$ value but is important to the users’ understanding of the governance of the auditee. Each
individual misstatement should be considered to determine its effects on the relevant classes
of transactions, account balances, or disclosures and whether the materiality level for the
specific class of transactions, account balance, or disclosure has been surpassed. Note that any
misstatements that have arisen due to fraud are always considered to be qualitatively material,
even if they are not quantitatively material.

If a misstatement is determined to be material, care should be taken not to confuse that
assessment by combining it inappropriately with other material misstatements. For example, if
revenue has been materially overstated, the financial statements as a whole will be materially
misstated, even if a cost of sales misstatement offsets the ultimate effect on profit and loss and
other comprehensive income.

The auditor may need to re-evaluate the risks of material misstatement for a specific
account balance or class of transactions upon detection of a number of individually immaterial
misstatements within the particular account balance or class of transactions that, taken
together, might be material.

In determining the final form of the auditor’s opinion, the auditor must be mindful that to
express an unmodified opinion the auditor needs to conclude that the financial statements as
a whole are prepared, ‘in all material respects, in accordance with the applicable reporting
framework’ (HKSA 700.16).


If the auditor concludes that the financial statements as a whole are not free from material
misstatement, the auditor’s opinion would need to be modified and reference would need to
be made to HKSA 705 (Revised), Modifications to the Opinion in the Independent Auditor’s Report,
as to the appropriate level of modification.

The concept and application of the independent auditor’s determination of materiality is
one of the central elements in determining the appropriate auditor’s opinion.

Knowledge Check Questions

Question 1
Identify which of the following options best describes the main reason for an independent
auditor’s report on the financial statements.
A To give users of the financial statements assurance that any fraudulent activities will
be detected.
B To identify a poorly designed internal control structure that may produce unreliable
financial statements.
C To provide expertise to the auditee, who may not be totally knowledgeable of
the HKFRSs.
D To provide independent assurance of the relevance and reliability of the auditee’s
financial statements.

Question 2
Identify which of the following best describes the overall objectives of an auditor in relation
to the financial statements.
A Reduce detection risk.
B Unrecorded misstatements should be kept to a minimum.
C Issue an unmodified auditor’s opinion.
D Communicate in the auditor’s report whether the financial statements are free from
material misstatement.

Question 3
Advise why the concept of materiality is so important to the auditor when concluding on
the appropriate auditor’s opinion.

10.2 COMPONENTS OF AN AUDITOR’S REPORT

An auditor’s report must be in writing in all cases, no matter the basis for opinion. The
components to the auditor’s report will vary depending on the type of report. In Hong Kong,
HKSA 700 (Revised) provides eight illustrations of Independent Auditor’s Reports on Financial
Statements, HKSA 705 (Revised) provides another five illustrations, HKSA 706 (Revised) provides
two illustrations, and HKSA 800 (Revised), Special Considerations – Audits of Financial Statements
Prepared in Accordance with Special Purpose Frameworks, provides three illustrations. Although
the illustrations are appendices to each of the auditing standards, they are relevant guidance
when constructing an appropriate auditor’s report.

10.2.1 Title of Auditor’s Report


The auditor’s report must state clearly that it is an Independent Auditor’s Report. This reaffirms
to financial statement users that the auditor is independent of management and provides
assurance to those that are seeking to place reliance on the opinion.

10.2.2 Addressee

The nature of the audit will determine to whom the auditor’s report should be addressed.
The most common addressee is the party for whom the auditor’s report has been prepared,
normally the shareholders; for non-listed companies it is common for the auditor’s
report to be addressed to those charged with governance.

In Hong Kong it is very common to state in the auditor’s report where the company was
incorporated.

10.2.3 Auditor’s Opinion


As noted earlier in the chapter, one of the most significant changes made to the HKSA 700
(Revised) effective from 15 December 2016 was that the auditor’s opinion moved from
being the last paragraph of the auditor’s report to being the first. This now provides more
prominence to the auditor’s opinion.

As a precursor to the actual opinion, it is common that a sub-title be presented that
sets out which financial statements are being addressed. This will normally be ‘Report on
the Audit of the Financial Statements’ or ‘Report on the Audit of the Consolidated Financial
Statements’.

The first paragraph of the opinion section in all cases:

• States that the financial statements have been audited;

• Identifies the auditee, whether a single company, e.g. CWaves Hotels Company (‘the
company’), for single company financial statements or a group audit, e.g. CWaves Ferry
Holding Company Limited and its subsidiaries (‘the Group’), for a consolidated set of
financial statements;

• Defines the pages of the financial statements that the auditor’s opinion covers;

• States the specific components of the financial statements upon which an auditor’s
opinion is given:

  ◦ Statement of financial position as at a defined point of time, e.g. 31 December 20X1;

  ◦ Statement of profit or loss and other comprehensive income; statement of changes
  in equity and statement of cash flows for the year (or, when relevant, the period) then
  ended (HKAS 1 (Revised), Presentation of Financial Statements, allows entities to present
  comprehensive income using either a one-statement approach or a two-statement
  approach, the importance of which is consistency with the titles of the corresponding
  statements); and

  ◦ The notes to the financial statements, including the summary of significant
  accounting policies.

The second paragraph indicates whether the auditor’s opinion on the financial
statements is:

• Unmodified;

• Unmodified with an emphasis of matter;

• Unmodified with an other matter; or

• Modified:

  ◦ Qualified opinion

  ◦ Adverse opinion

  ◦ Disclaimer of opinion.

The different types of opinion will be explored in detail later in this chapter.

10.2.4 Basis for Opinion


This paragraph follows directly after the opinion paragraph and gives the users of the
financial statements an understanding of the basis used in coming to the auditor’s opinion.
This is relevant to all opinions except when a Disclaimer of Opinion is issued. (The basis for a
Disclaimer of Opinion will be addressed in detail later in this chapter.)

HKSA 700 (Revised) requires that the basis for an opinion paragraph states that the
audit was conducted in accordance with HKSAs and that reference is made to the Auditor’s
Responsibilities for the Audit of the Financial Statements section of the auditor’s report, where
the auditor’s responsibilities are set out in more detail.

This paragraph must also state the independence and ethical basis on which the opinion
has been formed. In Hong Kong this is the HKICPA’s Code of Ethics for Professional Accountants
(‘the Code’). The Code referenced here is the Revised Code that took effect from June 2019 in
Hong Kong.

Finally, the auditor states whether the auditor believes that the audit evidence obtained
was sufficient and appropriate to provide the basis for the auditor’s opinion.

10.2.5 Key Audit Matters


The Key Audit Matters (‘KAMs’) section is included only in the financial statements of a publicly
listed auditee or when the auditee has voluntarily adopted HKSA 701, Communicating Key Audit
Matters in the Independent Auditor’s Report. KAMs are those matters that, in the professional
judgement of the auditor, were of most significance in the audit of the current period’s financial
statements. A note is made of how the matters were addressed through the audit process and
a clear statement is made that a separate auditor’s opinion is not provided on the matters.


10.2.6 Other Information


The auditor must make reference to their responsibilities relating to other information if
relevant. These responsibilities are set out in HKSA 720 (Revised), The Auditor’s Responsibilities
Relating to Other Information, and also extend to the requirements of the Hong Kong Companies
Ordinance. The auditor is required to read ‘other information’ that exists within the financial
report, but outside the financial statements covered by the auditor’s opinion. Some examples
are the chairman’s statement, a summary of highlights, management discussion and analysis,
and the corporate governance report. Further examples can be seen in Appendix 1 in HKSA 720
(Revised). Note that, as with the financial statements themselves, the directors are responsible
for the preparation and presentation of other information.

The auditor must state that no opinion is given on the ‘other information’ and that the
auditor’s responsibility extends only to reading the other information to ensure that it is
materially consistent with the information disclosed as part of the financial statements.

If the auditor concludes that there is a material inconsistency in the ‘other information’, the
auditor is required to report that fact. If no material inconsistencies exist, the auditor simply
states that, based on the audit work completed, nothing has come to their attention that
requires reporting. The auditor cannot provide any assurance on ‘other information’.

10.2.7 Responsibilities of Directors and Those Charged with Governance


The auditor’s report must state that the directors are wholly responsible for the preparation of
the financial statements and that they are responsible for such internal controls that they deem
necessary to enable the preparation of the financial statements that are free from material
misstatement, whether due to fraud or error.

The directors must be satisfied that in their view the financial statements have been
prepared to give a true and fair view in accordance with HKFRSs and the Hong Kong Companies
Ordinance.

There is now in the revised auditor’s reporting standards a statement referring to the
directors’ specific statement in relation to the ability of the company or the group to continue
as a going concern and, where applicable, that appropriate disclosures have been made
(HKSA 700.34(b)). This is replicated by the directors themselves in the body of the financial
statements and financial report.

Finally, a statement is included that the directors are responsible for the oversight of the
financial reporting process.

10.2.8 Auditor’s Responsibilities for the Audit of the Financial Statements

Under the revised auditor’s reporting suite of HKSAs, the auditor’s responsibilities paragraphs
can be displayed in a number of ways, and various approaches have been employed in practice
(as will be shown later).

The first paragraph describing the auditor’s responsibilities, as set out in HKSA 700
(Revised), must be disclosed in all types of auditor’s reports except where a Disclaimer of
Opinion is issued. (Illustrations 4 and 5 of HKSA 705 (Revised) give the required statements
for Disclaimer of Opinion conclusions.) The key point that is made is that the objective of the
auditor is to provide reasonable assurance (not a guarantee) about whether the financial
statements as a whole are free from material misstatement whether due to fraud or error. The
auditor states that misstatements are considered material if individually or in aggregate they
could influence the economic decisions of users of the financial statements.

The requirements of HKSA 700 (Revised) contain a shaded section. The shaded section sets
out matters that can be addressed at the auditor’s discretion:

• Within the body of the auditor’s report;

• As an appendix to the auditor’s report; or

• By reference to the relevant authority or the auditor’s firm website where the exact
description of the auditor’s responsibilities as described in HKSA 700 (Revised) is
documented.

The shaded area of HKSA 700 (Revised) also outlines the following required disclosures.
The auditor states that, as part of an audit conducted in accordance with HKSAs, the auditor
maintains professional judgement and scepticism throughout the audit, and specifically:

• Identifies and assesses the risk of material misstatement in the financial statements,
whether due to fraud or error;

• Obtains an understanding of the control environment relevant to the design and
execution of audit procedures;

• Assesses the adequacy of the accounting policies adopted by the directors;

• Concludes on the directors’ declaration associated with the going concern assumption;

• Concludes on whether the financial statements including disclosures appropriately
reflect the underlying transactions and events in the period covered by the
auditor’s report;

• Remains solely responsible for the auditor’s opinion; and

• Communicates with the directors and management throughout the audit process in
line with the requirements of HKSA 260 (Revised), Communication with Those Charged
with Governance.

10.2.9 Report on Other Legal and Regulatory Requirements


The matters addressed in this section are those required outside the requirements of the
HKSA, which would not otherwise be covered in the auditor’s report. The most common
requirements in Hong Kong are those of the Hong Kong Companies Ordinance. For example,
Section 407 requires the auditor to opine on other matters. Section 407(2)(a) requires a
statement where adequate accounting records have not been kept by the company. While
the form of the auditor’s opinion would reflect this in broad terms, the Hong Kong Companies
Ordinance requires an explicit comment from the auditor under the heading ‘Report on Other
Legal and Regulatory Requirements’. Further examples can be found in PN 600.1 (Revised).

The auditor’s report must also include:

• For audits of listed companies, the engagement partner’s name;

• The auditor’s name;

• Whether the auditor is a Certified Public Accountants (Practising) or a Certified Public
Accountants;

• The auditor’s address; and

• The date of the auditor’s report.

The content of the independent auditor’s report can vary quite considerably depending
on the final outcomes of the audit process, and in the later part of this chapter, there is some
complexity in the Opinion and Basis for Opinion paragraphs when a modified auditor’s opinion
is issued. The format of the auditor’s report is consistent.

Knowledge Check Questions

Question 4
Identify which of the following is not an acceptable place for the shaded section of the
auditor’s responsibilities for an audit of the financial statements to be disclosed.
A As an appendix to the auditor’s report.
B HKICPA website.
C Within the body of the auditor’s report.
D Exact reference to the auditor’s firm website.

Question 5
Describe what should be included in the first and second paragraphs of the auditor’s
opinion section of the auditor’s report.

10.3 AUDITOR’S REPORT REQUIREMENTS

As indicated previously, once the audit procedures have been appropriately carried out, the
auditor must stand back from what has been collected and determine whether detection risk
has been sufficiently minimised across each audit assertion relating to material balances and
disclosures, to form an appropriate view of the form of the auditor’s opinion.

The auditor must also review the unadjusted misstatements that have accumulated during
the course of the audit and evaluate their impact on the auditor’s opinion.

The auditor’s opinion is the direct communication between the auditor and the users of the
financial statements. It provides the auditor with the opportunity to explain how the opinion
has been formed and the basis for the conclusions drawn.

The following are the possible types of auditor’s opinions and the key messages they
communicate to users:

• Unmodified opinion

The financial statements give a true and fair view in accordance with HKFRSs. This is
the best opinion an auditor can deliver. (Unmodified opinions can include an Emphasis
of Matter paragraph or Other Matter paragraph or Material Uncertainty Related to
Going Concern.)


• Modified opinion – qualified

In the auditor’s opinion, except for the effects of the matter described in the Basis for
Qualified Opinion section of the auditor’s report, the financial statements give a true and
fair view in accordance with HKFRSs. This opinion demonstrates some reservation on the
part of the auditor about the financial statements as a whole.

• Modified opinion – adverse

The financial statements as a whole do not give a true and fair view in accordance with
HKFRSs, for the reasons disclosed in the Basis for Adverse Opinion paragraph. This
is a very serious opinion for the auditor to deliver as it is indicating to users that the
financial statements cannot be relied upon.

• Modified opinion – disclaimer of opinion

An opinion is not expressed on the financial statements, with the basis being described
in the Basis for Disclaimer of Opinion paragraph. An auditor makes this conclusion
when the auditor has been unable to obtain sufficient appropriate audit evidence to
conclude. Given the responsibilities upon management to prepare financial statements
in accordance with the applicable financial reporting framework, this too is an
unfortunate form of opinion. The rest of this chapter explains the judgement required
on the part of the auditor to determine what form the final auditor’s opinion will take.

Review opinions issued by an auditor as a result of reviews of interim financial statements
can also take any of the above forms.

10.4 FORM OF OPINION

The form of the auditor’s opinion can have a serious impact on the decisions made by the users
of the financial statements. There is a continuum in terms of opinions, which will be explored in
more detail in this chapter (Exhibit 10.2).

[Figure: continuum of opinions. Unmodified Opinion (Three types); Modified Opinions: Qualified (Except for), Adverse, Disclaimer of Opinion (No opinion given).]

EXHIBIT 10.2 Forms of opinions

10.4.1 Unmodified Opinion


In an unmodified opinion (Exhibit 10.3), the auditor concludes that the financial statements
give a true and fair view in accordance with the applicable financial reporting framework.
Globally and in Hong Kong an unmodified opinion is the most common opinion outcome. This
is to be expected, as a successful audit is one that has detected and corrected any material
misstatements identified by the auditor to a high level of assurance. The resulting audited
financial statements merit an unmodified auditor’s opinion.

[Figure: Unmodified Opinion (Clean, Clean with an Emphasis of Matter, and Clean with an Other Matter), branching into three types: Clean; Clean with an Emphasis of Matter; Clean with an Other Matter.]

EXHIBIT 10.3 Unmodified opinion

There are technically three types of unmodified auditor’s opinions:

1. Completely clean with no further references.

2. The second form of unmodified opinion is where the auditor wants to use an emphasis
of matter paragraph to draw the user’s attention to a matter presented and disclosed
in the financial statements that in the opinion of the auditor is fundamental to the
user’s understanding of the financial statements. (Note that historically the most
common emphasis of matter paragraph was in relation to a material uncertainty
pertaining to a going concern. HKSA 570 (Revised), Going Concern, paragraph 22, now
refers to the section in the auditor’s report as ‘material uncertainty related to a going
concern’; an example of such wording is covered in Chapter 9 of this module.)

3. The third form of unmodified opinion is where the auditor wants to communicate to
users an other matter, other than any of those that are presented or disclosed in the
financial statements. These matters in the auditor’s judgement are relevant to the
user’s understanding of the financial statements, the auditor’s responsibilities, or the
auditor’s report.

Illustrative Example 1 – The First Type of Unmodified Opinion


INDEPENDENT AUDITOR’S REPORT

To the members of CWaves Ferry Holding Company Limited

(incorporated in Hong Kong with limited liability)

Report on the Audit of the Consolidated Financial Statements

Opinion

We have audited the consolidated financial statements of CWaves Ferry Holding Company
Limited and its subsidiaries (‘the Group’) set out on pages x to xx, which comprise the
consolidated statement of financial position as at 31 December 20X2, and the consolidated
statement of profit or loss and other comprehensive income, consolidated statement of
changes in equity, and consolidated statement of cash flows for the year then ended,
and notes to the consolidated financial statements, including a summary of significant
accounting policies.

In our opinion, the consolidated financial statements give a true and fair view of
the consolidated financial position of the Group as at 31 December 20X2, and of its
consolidated financial performance and its consolidated cash flows for the year then ended
in accordance with Hong Kong Financial Reporting Standards (‘HKFRSs’) issued by the Hong
Kong Institute of Certified Public Accountants (‘HKICPA’) and have been properly prepared in
compliance with the Hong Kong Companies Ordinance.

Basis for Opinion

We conducted our audit in accordance with Hong Kong Standards on Auditing (‘HKSAs’)
issued by the HKICPA. Our responsibilities under those standards are further described in
the Auditor’s Responsibilities for the Audit of the Consolidated Financial Statements section
of our report. We are independent of the Group in accordance with the HKICPA’s Code
of Ethics for Professional Accountants (‘the Code’), and we have fulfilled our other ethical
responsibilities in accordance with the Code. We believe that the audit evidence we have
obtained is sufficient and appropriate to provide a basis for our opinion.

Apply and Analyse 1


CWaves Godown Company (‘Godown’) is a material subsidiary of CWaves Ferry Holding
Company Limited and has made a profit for the year ended 31 December 20X2. The
operations for the year have been consistent with prior years and Godown is at near
capacity. It is likely that expansion of this subsidiary will occur over the next couple of years
with investment in the construction of a further Godown to meet the demand for space.
This expansion is planned to be funded by significant external debt. Quality, the company’s
auditor, is completing the current year’s audit and is considering what should be the
appropriate type of auditor’s opinion to issue.

Analysis

Quality would need to reference HKSA 700 (Revised) in the first instance to determine the
likely auditor’s opinion to be issued. From the information given it appears that Quality
would be looking to issue an unmodified opinion. In determining the type of unmodified
opinion to issue, Quality should consider whether there is anything to which they may
need to draw the user’s attention. In this instance, management’s use of the going
concern basis of accounting in the preparation of the financial statements is appropriate,
so a Material Uncertainty Related to Going Concern paragraph would not be needed. The
discussion concerning future developments and the funding model would not normally
have an impact on the auditor’s opinion in the current year, not even as an other matter,
as no formal commitments have been made and it could be viewed as a potential strategic
development. Therefore, with these considerations, Quality should conclude that an
unmodified auditor’s opinion should be issued with no further references.

10.4.2 Modified Opinion

[Figure: the three types of modified opinion: Qualified (‘Except for’), Adverse, and Disclaimer of Opinion (No opinion given)]

EXHIBIT 10.4 Modified opinion

HKSA 705 (Revised) requires the auditor to modify the opinion in the auditor’s report when the
requirements of HKSA 700 (Revised) cannot be achieved and:

• The auditor concludes that, based on the audit evidence obtained, the financial
statements as a whole are not free from material misstatement; or

• The auditor is unable to obtain sufficient appropriate audit evidence to make a
definitive conclusion on the potential cumulative effects on the financial statements of
uncertainties.

HKSA 705 (Revised), paragraph A.1, describes the types of modified opinions and
circumstances when they are given (Exhibit 10.5). Further detail is given later in this chapter.

Auditor’s judgement about the pervasiveness of the effects or possible effects on the financial statements:

| Nature of matter giving rise to the modification | Material but not pervasive | Material and pervasive |
|---|---|---|
| Financial statements are materially misstated | Qualified Opinion | Adverse Opinion |
| Inability to obtain sufficient appropriate audit evidence | Qualified Opinion | Disclaimer of Opinion |

EXHIBIT 10.5 Types of modified opinions

Knowledge Check Questions

Question 6
Classify the three types of unmodified auditor’s opinions.

Question 7
This question requires you to use the information in the CWaves case. When issuing a
qualified auditor’s opinion in relation to revenue recognition for Wonder Travel Company,
identify which of the following would be the conclusion of the case.
A The financial statements as a whole are materially misstated and that revenue
recognition is pervasive.
B Sufficient appropriate audit evidence on revenue recognition could not be obtained that
was both material and pervasive.
C Revenue recognition was the only audit issue, but because it has been an issue in the
past there should be a qualification.
D There was a material problem with management’s determination for revenue recognition
and for the amount of difference to the HKSA requirements that could be quantified.

10.5 MODIFIED OPINIONS

10.5.1 Qualified Opinion


A qualified auditor’s opinion is given by the auditor in either of the following two circumstances:

1. When the auditor has evidence that the financial statements are materially misstated
due to misstatement in one particular account balance, class of transactions, or
disclosures that does not have a pervasive effect on the financial statements as
a whole; or

2. When the auditor is unable to obtain sufficient appropriate audit evidence regarding
a particular account balance, class of transactions, or disclosures (often referred to as
a limitation of scope). The auditor concludes that the possible effects on the financial
statements of undetected misstatements, if any, could be material but not pervasive to
the financial statements as a whole.

The wording of the Opinion paragraph of a qualified auditor’s opinion is very similar to that
of an unmodified auditor’s opinion. The Basis for Opinion paragraph that immediately follows
the Opinion paragraph explains the reasons for the qualification and must provide, to the
extent possible, a quantification of the effects of the matter subject to qualification.

Illustrative Example 2
An auditor’s report containing a qualified opinion due to a material misstatement of
the financial statements (only the Opinion paragraph and Basis for Opinion will be
illustrated). For the purpose of this illustration the auditor concluded that creditors
were materially misstated as the company was trying to minimise the level of liabilities
recorded and reduce expenses for the year to maximise reported profit.

INDEPENDENT AUDITOR’S REPORT

To the members of ABC Company

(incorporated in Hong Kong with limited liability)

Report on the Audit of the Financial Statements

Qualified Opinion

We have audited the financial statements of ABC Company (‘the Company’) set out on
pages . . . to . . ., which comprise the statement of financial position as at 31 December 20X1,
and the statement of profit or loss and other comprehensive income, statement of changes
in equity, and statement of cash flows for the year then ended, and notes to the financial
statements, including a summary of significant accounting policies.

In our opinion, except for the effects of the matter described in the Basis for Qualified
Opinion section of our report, the financial statements give a true and fair view of the financial
position of the Company as at 31 December 20X1, and of its financial performance and its cash
flows for the year then ended in accordance with Hong Kong Financial Reporting Standards
(‘HKFRSs’), issued by the Hong Kong Institute of Certified Public Accountants (‘HKICPA’), and have
been properly prepared in compliance with the Hong Kong Companies Ordinance.

Basis for Qualified Opinion

The Company’s creditors are carried in the statement of financial position at xxx. The
directors have not included all creditors that should have been recognised, which constitutes
a departure from HKFRSs. The Company’s records indicate that, had the directors stated the
creditors appropriately, an amount of xxx would have been required to increase the value
of creditors. Accordingly, a number of expense accounts would have been increased by xxx,
and income tax, net income, and shareholders’ equity would have been reduced by xxx, xxx,
and xxx, respectively.

We conducted our audit in accordance with Hong Kong Standards on Auditing (‘HKSAs’)
issued by the HKICPA. Our responsibilities under those standards are further described in
the Auditor’s Responsibilities for the Audit of the Financial Statements section of our report.
We are independent of the Company in accordance with the HKICPA’s Code of Ethics for
Professional Accountants (‘the Code’), and we have fulfilled our other ethical responsibilities
in accordance with the Code. We believe that the audit evidence we have obtained is
sufficient and appropriate to provide a basis for our qualified opinion.

Illustrative Example 3
An auditor’s report contains a qualified opinion due to a material omission in a disclosure
in the financial statements (only the Opinion paragraph and Basis for Opinion will be
illustrated). For the purpose of this illustration the auditor concluded that material related
party transactions had not been disclosed.

You will note that the only difference between Example 1 and this example is how the
basis for qualified opinion is described. It is also important to note that the words used are
generally not generic but should reflect the specific circumstances of the auditor’s decision.

INDEPENDENT AUDITOR’S REPORT

To the members of ABC Company

(incorporated in Hong Kong with limited liability)

Report on the Audit of the Financial Statements

Qualified Opinion

We have audited the financial statements of ABC Company (‘the Company’) set out on
pages . . . to . . ., which comprise the statement of financial position as at 31 December 20X1,
and the statement of profit or loss and other comprehensive income, statement of changes
in equity and statement of cash flows for the year then ended, and notes to the financial
statements, including a summary of significant accounting policies.

In our opinion, except for the effects of the matter described in the Basis for Qualified
Opinion section of our report, the financial statements give a true and fair view of the
financial position of the Company as at 31 December 20X1, and of its financial performance
and its cash flows for the year then ended in accordance with Hong Kong Financial
Reporting Standards (‘HKFRSs’) issued by the Hong Kong Institute of Certified Public
Accountants (‘HKICPA’) and have been properly prepared in compliance with the Hong Kong
Companies Ordinance.

Basis for Qualified Opinion

The Company has entered into a number of material related party transactions during the
current year. The directors have not disclosed the relationships or transaction values that
are required by HKAS 24 (Revised), Related Party Disclosures. Engineers Company, an
entity owned by VV Director, was awarded an engineering consulting contract by
the Company for HKD xx. A further consulting contract was awarded to ZZ Director’s payroll
services company for HKD xx.

We conducted our audit in accordance with Hong Kong Standards on Auditing (‘HKSAs’)
issued by the HKICPA. Our responsibilities under those standards are further described in
the Auditor’s Responsibilities for the Audit of the Financial Statements section of our report.
We are independent of the Company in accordance with the HKICPA’s Code of Ethics for
Professional Accountants (‘the Code’), and we have fulfilled our other ethical responsibilities
in accordance with the Code. We believe that the audit evidence we have obtained is
sufficient and appropriate to provide a basis for our qualified opinion.

Illustrative Example 4
An auditor’s report containing a qualified opinion due to the auditor’s inability to obtain
sufficient appropriate audit evidence (only the Opinion paragraph and Basis for Opinion
will be illustrated). For the purpose of this illustration the auditor was not able to obtain
audit evidence pertaining to the completeness and occurrence of revenue from a contract
with an African Company.

INDEPENDENT AUDITOR’S REPORT

To the members of ABC Company

(incorporated in Zambia with limited liability)

Report on the Audit of the Consolidated Financial Statements

Qualified Opinion

We have audited the consolidated financial statements of ABC Company and its subsidiaries
(‘the Group’) set out on pages . . . to . . ., which comprise the consolidated statement of
financial position as at 31 December 20X1, and the consolidated statement of profit or
loss and other comprehensive income, consolidated statement of changes in equity and
consolidated statement of cash flows for the year then ended, and notes to the consolidated
financial statements, including a summary of significant accounting policies.

In our opinion, except for the possible effects of the matter described in the Basis for
Qualified Opinion section of our report, the consolidated financial statements give a true
and fair view of the financial position of the Group as at 31 December 20X1 and of its
consolidated financial performance and its consolidated cash flows for the year then ended
in accordance with Hong Kong Financial Reporting Standards (‘HKFRSs’) issued by the Hong
Kong Institute of Certified Public Accountants (‘HKICPA’) and have been properly prepared in
compliance with the Hong Kong Companies Ordinance. (Note that this is not included where
the company was not incorporated in Hong Kong.)

Basis for Qualified Opinion

The Group has a major contract with an African company to supply and install mining
infrastructure in Zambia over a period of two years. Revenue associated with the first year
of the contract is recognised at xxx in the consolidated statement of profit or loss and other
comprehensive income as at 31 December 20X1. This same amount is also reflected in trade
receivables. We were unable to obtain sufficient appropriate audit evidence about the value
of revenue recognised or the recoverability of the trade receivable for the year ended 31
December 20X1 because the underlying contract could not be found and management could
not provide evidence that payments would be received. Consequently, we were unable to
determine whether any adjustments to revenue or trade receivables were necessary.

We conducted our audit in accordance with Hong Kong Standards on Auditing (‘HKSAs’)
issued by the HKICPA. Our responsibilities under those standards are further described in
the Auditor’s Responsibilities for the Audit of the Consolidated Financial Statements section
of our report. We are independent of the Group in accordance with the HKICPA’s Code
of Ethics for Professional Accountants (‘the Code’), and we have fulfilled our other ethical
responsibilities in accordance with the Code. We believe that the audit evidence we have
obtained is sufficient and appropriate to provide a basis for our qualified opinion.

Apply and Analyse 2


Wonder Travel Company (‘Wonder’) is a material subsidiary of CWaves Ferry Holding Company
Limited and from the case study background the external auditor Quality has expressed
concerns in relation to Wonder’s revenue recognition policy. In the current year, Wonder
has to apply the new HKFRS 15, Revenue from Contracts with Customers, accounting standard.
Quality has concluded that the new accounting standard has not been appropriately applied
by a material amount and will therefore need to issue a modified auditor’s opinion.

Analysis

Quality would need to reference HKSA 705 (Revised) to determine the form of modification.
From the information given, Quality has determined the amount as material, and as it is
quantifiable and contained to specific account balances a qualified auditor’s opinion would
be appropriate. There is no evidence that the issue is pervasive and Quality has been able
to obtain sufficient appropriate audit evidence to draw their conclusion. In this case an
opinion similar to the one illustrated in Illustrative Example 1 would be issued.

Ethics in Practice
For an auditor to conclude that a qualified auditor’s opinion should be issued can
sometimes entail significant discussion with management and/or those charged with
governance.

This discussion can at times result in pressure being placed on the auditor not to
issue a qualified auditor’s opinion (this can be applied to all forms of modified auditor’s
opinions). The auditor must stand their ground in order to meet the requirements of the
HKSAs, the HKFRSs, and the Hong Kong Companies Ordinance. It is recognised that this can
sometimes be difficult when a client threatens to engage another firm for a second opinion
or threatens to change auditor after the current audit is complete.

To also meet the ethical principles of integrity, objectivity, professional competence
and due care, and professional behaviour (as defined in Sections 111, 112, 113, and 115 of
the Code of Ethics for Professional Accountants (Revised)), the auditor must not be tempted
to issue an unmodified auditor’s opinion in circumstances where a reasonable third party
would conclude that a qualified opinion should be issued.

10.5.2 Adverse Opinion


An auditor should express an adverse opinion when the auditor, having obtained sufficient
appropriate audit evidence, concludes that misstatements, individually or in the aggregate, are
both material and pervasive to the financial statements.

This type of opinion is a signal to stakeholders that the financial statements of the
company may not be reliable enough to support economic decisions. This may also alert
stakeholders to the fact that management and those charged with governance may not be
operating the company appropriately or ethically.

As you will note from the discussion above, the main difference between a qualified
auditor’s opinion and an adverse auditor’s opinion is that, for an adverse auditor’s opinion,
the misstatements are pervasive to the financial statements as a whole.

Illustrative Example 5 – Adapted from HKSA 705, Appendix Illustration 2
This illustration shows one of the most common reasons for an adverse auditor’s opinion.
(Only the Opinion paragraph and Basis for Opinion will be illustrated.)

For the purpose of this illustration the auditor determined that the consolidated
financial statements were materially misstated due to the non-consolidation of a
subsidiary.

Independent Auditor’s Report

To the members of ABC Company

(incorporated in Hong Kong with limited liability)

Report on the Audit of the Consolidated Financial Statements

Adverse Opinion

We have audited the consolidated financial statements of ABC Company and its subsidiaries
(‘the Group’) set out on pages . . . to . . ., which comprise the consolidated statement of
financial position as at 31 December 20X1, and the consolidated statement of profit or
loss and other comprehensive income, consolidated statement of changes in equity and
consolidated statement of cash flows for the year then ended, and notes to the consolidated
financial statements, including a summary of significant accounting policies.

In our opinion, because of the significance of the matter discussed in the Basis for
Adverse Opinion section of our report, the consolidated financial statements do not give a
true and fair view of the consolidated financial position of the Group as at 31 December
20X1, and of its consolidated financial performance and its consolidated cash flows for the
year then ended in accordance with Hong Kong Financial Reporting Standards (‘HKFRSs’)
issued by the Hong Kong Institute of Certified Public Accountants (‘HKICPA’). In all other
respects, in our opinion the consolidated financial statements have been properly prepared
in compliance with the Hong Kong Companies Ordinance.

Basis for Adverse Opinion

As explained in Note X, the Group has not consolidated subsidiary XYZ Company that the
Group acquired during 20X1 because it has not yet been able to determine the fair values
of certain of the subsidiary’s material assets and liabilities at the acquisition date. This
investment is therefore accounted for on a cost basis. Under HKFRSs, the Company should
have consolidated this subsidiary and accounted for the acquisition based on provisional
amounts. Had XYZ Company been consolidated, many elements in the consolidated
financial statements would have been materially affected. The effects on the consolidated
financial statements of the failure to consolidate have not been determined.

We conducted our audit in accordance with Hong Kong Standards on Auditing (‘HKSAs’)
issued by the HKICPA. Our responsibilities under those standards are further described in
the Auditor’s Responsibilities for the Audit of the Consolidated Financial Statements section
of our report. We are independent of the Group in accordance with the HKICPA’s Code
of Ethics for Professional Accountants (‘the Code’) and we have fulfilled our other ethical
responsibilities in accordance with the Code. We believe that the audit evidence we have
obtained is sufficient and appropriate to provide a basis for our adverse opinion.

Apply and Analyse 3


CWaves Hotels is a material subsidiary of CWaves Ferry Holding Company Limited. From
the case study background, they have suffered losses for the last three years and the level
of external debt has increased substantially over the last two years. Let us assume that
CWaves Hotels has to pay back a material portion of the debt two months after the date of
the auditor’s report, but has no foreseeable way of funding it. Quality, the external auditor
for the current period, needs to determine what impact this may have on the current year’s
auditor’s opinion.

Analysis

The financial statements have been prepared by the directors on a going concern basis as
the directors believe they will somehow be able to raise the funds to pay back the expiring
debt. Quality has concluded that this is not likely, on the basis that there was no audit
evidence in relation to negotiations for re-financing or new funding to repay the debt.

Because of the nature of the situation, Quality has concluded that it does not believe
that CWaves Hotels is a going concern and as such the values of assets and liabilities at the
year end may be materially misstated. Given that this situation is pervasive to the financial
statements as a whole, Quality should issue an adverse auditor’s opinion on CWaves
Hotels. (Note that the adverse auditor’s opinion would be replicated in the consolidated
financial statements of CWaves Ferry Holding Company Limited.)

10.5.3 Disclaimer of Opinion


The auditor will issue a disclaimer of opinion in circumstances where the auditor is unable to
obtain sufficient appropriate audit evidence on which to base an opinion. The auditor would
also conclude that the possible effects are likely to be material and pervasive to the financial
statements.

Note that essentially this is not an opinion. Instead, it means that the auditor chooses not to
render one.

Auditors may issue a disclaimer of opinion when:

• The auditor’s scope was limited. The auditor was limited in this way, for instance, when
the auditor cannot access particular financial data.

• The auditor has other doubts about the reports. For example:

  ◦ The financial statements may seem to violate accounting principles such as the
    matching concept or the conservatism principle.

  ◦ The auditor may question the classification of certain revenue and expense items.

  ◦ Some assets should not have been capitalised.

  ◦ The auditor may question the way the entity applies rules such as the lower of cost
    or net realisable value for inventory.

The auditor issues an auditor’s opinion only when they are confident the opinion is supported
by sufficient appropriate audit evidence. Otherwise, a Disclaimer of Opinion should be expressed.

Illustrative Example 6
This example is of a Disclaimer of Opinion (only the Opinion paragraph and Basis for
Opinion will be illustrated). For the purpose of this illustration the auditor has not been
able to conclude on revenue and associated balances.

INDEPENDENT AUDITOR’S REPORT

To the members of ABC Company

(incorporated in Hong Kong with limited liability)

Report on the Audit of the Consolidated Financial Statements

Disclaimer of Opinion

We were engaged to audit the consolidated financial statements of Hong Kong Company
and its subsidiaries (‘the Group’) set out on pages . . . to . . ., which comprise the consolidated
statement of financial position as at 31 December 20X1, and the consolidated statement
of profit or loss and other comprehensive income, consolidated statement of changes in
equity and consolidated statement of cash flows for the year then ended, and notes to the
consolidated financial statements, including a summary of significant accounting policies.

We do not express an opinion on the consolidated financial statements of the Group.
Because of the significance of the matter described in the Basis for Disclaimer of Opinion
section of our report, we have not been able to obtain sufficient appropriate audit evidence
to provide a basis for an audit opinion on these consolidated financial statements. In all
other respects, in our opinion the consolidated financial statements have been properly
prepared in compliance with the Hong Kong Companies Ordinance.

Basis for Disclaimer of Opinion

Cash receipts are a significant source of revenue for the Group. The Group has determined
that it is impracticable to establish controls over the collection of cash receipts prior to
their entry into the financial records of the Group. Accordingly, as the evidence available
to us regarding revenue was not sufficient, our audit procedures with respect to cash
receipts had to be restricted to the amounts recorded in the financial statements. We were
therefore unable to determine whether any adjustments might have been necessary in
respect of amounts disclosed in the consolidated statement of profit or loss and other
comprehensive income, the consolidated statement of financial position, consolidated
statement of changes in equity, and consolidated statement of cash flows.

Note that for all modified auditor’s reports the auditor is required to report on other
matters under Sections 407(2) and 407(3) of the Hong Kong Companies Ordinance.

Section 407 of the CO requires the auditor to opine on other matters:

1. In preparing an auditor’s report, the auditor must carry out an investigation that
will enable the auditor to form an opinion as to:

a. Whether adequate accounting records have been kept by the company; and

b. Whether the financial statements are in agreement with the accounting records.

2. A company’s auditor must state the auditor’s opinion in the auditor’s report if the
auditor is of the opinion that:

a. Adequate accounting records have not been kept by the company; or

b. The financial statements are not in agreement with the accounting records in
any material respect.

3. If a company’s auditor fails to obtain all the information or explanations that, to
the best of the auditor’s knowledge and belief, are necessary and material for the
purpose of the audit, the auditor must state that fact in the auditor’s report.

4. If the financial statements do not comply with Section 383(1), the auditor must
include in the auditor’s report, so far as the auditor is reasonably able to do so,
a statement giving the particulars that are required to be, but have not been,
contained in the financial statements.

Where the opinion on the financial statements has been modified, the auditor needs
to evaluate what the consequences of this modification are on the reporting requirement
under the CO and, if necessary, further modify the report. For the requirements under the
Hong Kong Companies Ordinance, reference may be made to PN 600.1 (Revised), Reports by
the Auditor under the Hong Kong Companies Ordinance (Cap.622).

Knowledge Check Questions

Question 8
The auditor of Tony’s Toy Kingdom has had difficulty in determining whether
management’s assessment of stock obsolescence is adequate and thinks there could
be a material overstatement of inventory but does not have sufficient appropriate audit
evidence to make this conclusion. Assuming all other aspects of the financial statements
are materially stated, describe and explain the auditor’s opinion that should be issued by
the auditor.

Question 9
The auditor of Qualitas Consulting Limited noted an issue with the value and basis of the
work in progress balance in Qualitas’s balance sheet. The auditor’s view is that the amount
involved is material but not pervasive and can quantify the difference. Identify which of the
following is the most likely opinion issued by the auditor.
A Unmodified opinion.
B Qualified opinion.
C Adverse opinion.
D Disclaimer of opinion.

Question 10
Queen Furniture (the parent entity) is a high-end furniture retailer in Hong Kong which
has a material subsidiary in China that manufactures all of the furniture that Queen sells.
Queen Furniture will not consolidate the Chinese subsidiary in their financial statements.
Identify which of the following audit opinions would be the most appropriate.
A Qualified opinion.
B Unqualified opinion with an Other Matter paragraph.
C Disclaimer of opinion.
D Adverse opinion.

Question 11
Advise what an adverse auditor’s opinion signals to stakeholders.

Question 12
Justify when a Disclaimer of Opinion would be considered by the auditor.

Question 13
For all modified auditor’s reports, state what the auditor is required to report on other
matters under Sections 407(2) and 407(3) of the Hong Kong Companies Ordinance.

10.6 ADDITIONAL COMMUNICATIONS IN THE AUDITOR’S REPORT

10.6.1 Key Audit Matters (‘KAMs’)


The introduction of KAMs through HKSA 701, Communicating Key Audit Matters in the
Independent Auditor’s Report, was the most significant change in the new suite of auditors’
reporting standards and was effective from 15 December 2016. The objective for the inclusion
of KAMs in the auditor’s opinion is to provide users of the financial statements with an insight
as to what, in the auditor’s view, were the most important focus areas for them in the current audit.

Note that KAMs are only required to be included in auditors’ reports for listed entities, with
voluntary application to other entities.

HKSA 701 defines KAMs as those matters that, in the auditor’s professional judgement,
were of most significance in the audit of the financial statements of the current period.

10.6.1.1 Determining KAMs


Determining what should be disclosed in the current period’s KAMs is a matter of the auditor’s
judgement but would normally take into consideration the factors shown in Exhibit 10.6.

In most instances, KAMs relate to areas of significant management judgements, or
significant events or transactions during the current period. The auditor must then determine
which were the most significant to them during the current audit and communicate them as
KAMs in the auditor’s report.

[Figure: matters identified through the audit process; matters communicated to those charged with governance; significant risks or high inherent risk factors determined in line with HKSA 315; the most significant matters = KAMs for the current period]

EXHIBIT 10.6 Key audit matters

10.6.1.2 Communicating KAMs


KAMs are described in a separate section of the auditor’s report, under the heading ‘Key Audit
Matters’, using appropriate sub-headings for each KAM.

The introductory language must state that:

• KAMs are those matters that, in the auditor’s professional judgement, were of most
significance in the audit of the financial statements of the current period; and

• The matter(s) identified were addressed in the context of the audit of the financial
statements as a whole and in forming the auditor’s opinion thereon, and the auditor
does not provide a separate opinion on the matter(s).

The description of each KAM must include the following:

• The factors supporting why the matter was considered to be one of the most significant
in the audit and therefore a KAM;

• A reference to any disclosures in the financial statements, which would be by way of
referencing to specific notes where users can read management’s disclosures; and

• How the matter was addressed by the auditor; for example, the approach, an overview
of the audit procedures undertaken, and any relevant observations should be described.

Illustrative Example 7 – Adapted from HKSA 700


Below is an illustration of only the Key Audit Matters component of an auditor’s report.

Key Audit Matters

Key audit matters are those matters that, in our professional judgement, were of
most significance in our audit of the financial statements of the current period. These
matters were addressed in the context of our audit of the financial statements as a
whole and in forming our opinion thereon, and we do not provide a separate opinion on
these matters.


Key Audit Matter – Assessment of Carrying Value of Goodwill
Refer also to Notes 1(m), 2(b), and 10 (illustration only)

Area of Focus

In the prior years, the company/(group) expanded its activities through acquisition of
businesses. As a result, the company’s/(group’s) net assets include a significant amount of
goodwill. Certain of the new and established businesses are (i) early in their life and/or
trading cycles, (ii) trading cycle’s inconsistent, (iii) value of businesses questionable.
(These three areas are where the engagement team would include the relevant data, so for
the purpose of this illustration various options have been noted for students.) As such,
there is a risk that they may not trade in line with initial expectations and forecasts,
resulting in the carrying amount of goodwill exceeding the recoverable amount and therefore
requiring impairment.

The recoverable amount of each cash generating unit (CGU) has been calculated based on
value-in-use. These recoverable amounts use discounted cash flow forecasts in which the
directors make judgements over certain key inputs, for example, but not limited to, revenue
growth, discount rates applied, long-term growth rates, and inflation rates. Overall, due to
the high level of judgement involved and the significant carrying amounts involved, we have
determined that this is a key judgemental area that our audit concentrated on.

How our audit addressed it

Our audit procedures included:

• A detailed evaluation of the company’s/(group’s) budgeting procedures (upon which the
forecasts are based) and testing of the principles and integrity of the discounted future
cash flow models.

• Testing the accuracy of the calculation derived from each forecast model and assessing
key inputs into the calculations such as revenue growth, discount rates, and working capital
assumptions, by reference to the board approved forecasts, data external to the
company/(group), and our own views.

• Engaging our own valuation specialists when considering the appropriateness of the
discount rates and the long-term growth rates.

• Reviewing the historical accuracy by comparing actual results with the original forecasts.

We also considered the adequacy of the company’s/(group’s) disclosures in relation to the
impairment testing.

Key Audit Matter – Business Combination
Refer also to Notes 1(Z) and 20 (illustration only)

Area of Focus

The company/(group) acquired ABC Pty Ltd for HK$xxx, which was considered a significant
purchase for the company/(group).

Accounting for this transaction is complex and required significant judgements and
estimates by management:

• To determine the date of acquisition;

• To determine the fair value of assets and liabilities acquired;

• To determine the tax basis for deferred tax assets and liabilities;

• To determine the fair value of deferred consideration;

• To determine the non-controlling interest; and

• To allocate the purchase consideration to goodwill and separately identifiable
intangible assets.

How our audit addressed it

Our audit procedures included:

• Reading the sale and purchase agreement to understand the key terms and conditions of
the acquisition.

• Assessing the intangible assets identified by management for their
separability/contractual basis to allow recognition and assessing whether the measurement
basis and assumptions underlying the estimate of fair values were appropriate.

• Testing the group’s determination of fair values with reference to audited financial
statements/due diligence reports/work performed by our Corporate Finance division/work
performed by a valuer.

• Testing the appropriateness of the deferred consideration.

We assessed the adequacy of the Group’s disclosures in respect of the acquisition.


Apply and Analyse 4


From the opening case, Chloe Cheng, the independent non-executive director, noted her
concerns about the matters that may be disclosed as Key Audit Matters (‘KAMs’), being
the basis for accounting for some of the group’s non-current assets and its share-based
payments to directors. Chloe Cheng has called for a meeting with Quality, the external
auditors, to discuss what they believe are the KAMs for the current period.

Analysis

The determination of what should be disclosed as KAMs is that of the auditor alone.
Quality may need to discuss this with Chloe Cheng. The auditor would normally give
management an early insight into the topics that are likely to be included as KAMs.
Evidence from long form auditor’s reports issued by listed companies that include KAMs
demonstrates that KAMs have been well received by users of the financial statements and
have had a positive impact on the way the auditor’s report has been read.

What if there are no KAMs? If the auditor determines, based on the facts and circumstances
of the entity during the audit, that there are no KAMs (this will be rare), then a statement that
there are no Key Audit Matters to communicate should be included under the heading of Key
Audit Matters.

What happens when a modified auditor’s opinion is issued? Any matter that gives rise to a
modified auditor’s opinion or a material uncertainty related to a going concern is disclosed in the
auditor’s report, and is by its very nature a KAM. However, in these circumstances these matters
should not be described separately as KAMs but rather reference should be made to the Opinion
paragraph in the opening paragraph of the KAMs section.

Illustrative Example 8
In this example, the auditor issued a qualified auditor’s opinion in relation to the carrying
value of an investment in a subsidiary and reported a material uncertainty related to a
going concern.

Key Audit Matters

Key audit matters are those matters that, in our professional judgement, were of most
significance in our audit of the financial report of the current period. This matter was
addressed in the context of our audit of the financial statements as a whole, and in
forming our opinion thereon, and we do not provide a separate opinion on this matter.
In addition to the matter described in the Basis for Qualified Opinion and in the Material
Uncertainty related to Going Concern sections, we have determined the matter
described below to be the key audit matter to be communicated in our report.

Key Audit Matter – Assessment of Carrying Value of Goodwill


Area of Focus How our audit addressed it
Note: Refer also to notes 1(m), 2(b), and
10 (illustration only)


Ethics in Practice
For an auditor to conclude that a KAM should be disclosed can sometimes entail significant
discussion with management and/or those charged with governance.

This discussion can at times result in pressure being placed on the auditor not to
include a KAM. Auditors must stand their ground in order to meet the requirements of the
HKSA. It is recognised this can sometimes be difficult when a client threatens, for example,
to change auditor after the current audit is complete.

To also meet the ethical principles of integrity, objectivity, professional competence
and due care, and professional behaviour (as defined by Sections 111, 112, 113, and 115 of
the Code of Ethics for Professional Accountants (Revised)), the auditor must not be tempted
to exclude KAMs that would otherwise be included.

Key Learning Point


KAMs are only required to be included in auditors’ reports for listed entities, with
voluntary application to other entities.

10.6.2 Other Information


HKSA 720 (Revised), The Auditor’s Responsibilities Relating to Other Information, became effective
for audits of financial statements for periods ending on or after 15 December 2016. The revised
standard sees an increase in the expectations of auditors to look at other information. Other
information is the financial or non-financial information (other than the financial statements)
in the annual report. The standard setters needed to address the increasing significance of this
other information.

Annual Reports now include more narrative and qualitative information. Examples are
shown in Exhibit 10.7.

10.6.2.1 Scope of the Standard


HKSA 720 (Revised) is written in the context of an audit of financial statements by an
independent auditor. The auditor’s opinion on the financial statements does not cover the
‘other information’ in the annual report and this auditing standard does not require the auditor
to obtain audit evidence beyond that required to form an opinion on the financial statements.

The standard does, however, require the auditor to obtain in a timely manner the other
information and read and consider it for material inconsistencies with the financial statements
or with the auditor’s knowledge obtained during the course of the audit process. It is important
to note that the auditor does not provide any assurance over other information.

The auditor is expected, for consistency, to consider selected amounts or other items in the
other information where they replicate such amounts or items disclosed in the financial statements.

The auditor must document the procedures they performed and retain on the audit file the
final version of the other information on which the auditor has performed the work.


EXHIBIT 10.7 Examples of information found in annual reports. (Sources: HKEx 2017 Annual Reports, Bank
of China, PetroChina Company Limited and Lenovo Hong Kong Limited.)

10.6.2.2 Response If There Is a Material Misstatement of the Other Information


If the auditor concludes, after discussing with management, that there is a material
misstatement of other information, the auditor should request that the other information be
changed. If management is unwilling to make the necessary changes as required by the auditor,
the auditor must consider the possible impact that it might have on the auditor’s opinion.

10.6.2.3 Communication in the Auditor’s Report about Other Information


Note that earlier in the chapter there were a number of specific disclosures required in other
information pertaining to the Hong Kong Companies Ordinance that must be considered for
disclosure.


Under the heading Other Information, the following must also be disclosed:

• A statement that management is responsible for the other information;

• Identification of the other information obtained prior to the date of the auditor’s
report (for listed entities the auditor is also required to identify any other information
expected to be obtained after the date of the auditor’s report);

• A statement that the auditor’s opinion does not cover the other information and,
accordingly, the auditor does not express an auditor’s opinion or any other form of
assurance thereon;

• A description of the auditor’s responsibilities relating to reading, considering, and
reporting on other information; and

• When other information has been obtained prior to the date of the auditor’s report
either a statement should be made that the auditor has nothing to report or a
statement should be made that describes the uncorrected material misstatement of
other information.

10.6.3 Material Uncertainty Related to a Going Concern


As described in Chapter 9 of this module, HKSA 570 (Revised), Going Concern, states that the
auditor’s responsibilities are to obtain sufficient appropriate audit evidence regarding, and
conclude on, the appropriateness of management’s use of the going concern basis of accounting
in the preparation of the financial statements, and to conclude, based on the audit evidence
obtained, whether a material uncertainty exists about the entity’s ability to continue as a
going concern.

In relation to the issue of a going concern, there are varied auditor’s opinion outcomes
that can be achieved. The best way to understand these outcomes is posed now by way of
questions an auditor should ask themselves (Exhibit 10.8).

Apply and Analyse 5


Let us look at CWaves Hotels again, but a little differently this time.

CWaves Hotels is a material subsidiary of CWaves Ferry Holding Company Limited.
From the case study background, they have suffered losses for the last three years and
the level of external debt has increased substantially over the last two years. Quality, the
external auditor, needs to determine what impact this may have on the current year’s
auditor’s opinion.

Analysis

The financial statements have been prepared by the directors on a going concern basis
as the directors believe they will be able to pay their debts as and when they fall due,
through expansion and repricing of their accommodation rates. This has been adequately
disclosed in the financial statements. Quality has concluded that the going concern basis of
accounting is appropriate.

On this basis, Quality should issue an unmodified opinion with a Material Uncertainty
Related to Going Concern paragraph.

[Flowchart: the questions and likely outcomes shown in the exhibit are listed below.]

• Did the risk assessment procedures undertaken to meet the requirements of HKSA 315
(Revised 2019) identify any events or conditions that may cast significant doubt on the
entity’s ability to continue as a going concern?
NO → Is there anything else that comes up during the audit? NO → Likely Unmodified Opinion.
YES → Continue to the next question.

• Can the auditor obtain through additional audit procedures sufficient appropriate audit
evidence to conclude whether a material uncertainty exists?
NO → Can management provide sufficient appropriate audit evidence to support their going
concern assessments? NO → Likely Disclaimer of Opinion.
YES → Continue to the next question.

• Is the use of the going concern basis of accounting appropriate?
NO → Has management prepared the financial statements using the going concern basis of
accounting? YES → Likely Adverse Opinion.
YES → Continue to the next question.

• Are appropriate disclosures made in the financial statements relating to a material
uncertainty?
NO → Likely Qualified Opinion.
YES → Likely Unmodified Opinion with a Material Uncertainty related to Going Concern
paragraph.

EXHIBIT 10.8 Questions auditors should ask themselves regarding the issue of a going concern

10.6.4 Emphasis of Matter Paragraph


An Emphasis of Matter paragraph, as the name suggests, is a paragraph that is included in the
auditor’s report to direct users of the financial statements to a matter that has been discussed
appropriately in the financial statements. The reasoning for an auditor to draw users’ attention
is that in the auditor’s judgement the matter is of such importance that users should be aware
of it in order to completely understand the financial statements.

HKSA 706 (Revised), Emphasis of Matter Paragraphs and Other Matter Paragraphs in the
Independent Auditor’s Report, defines an Emphasis of Matter paragraph as:

A paragraph included in the auditor’s report that refers to a matter appropriately presented
or disclosed in the financial statements that, in the auditor’s judgement, is of such significance
that it is fundamental to users’ understanding of the financial statements.


What does this mean to the auditor?

• That an Emphasis of Matter paragraph is basically a reference to a matter or a
disclosure in the financial statements;

• By including an additional paragraph, the auditor has highlighted the matter or
disclosure so that it can be applied in the users’ decisions about the financial
statements and the company as a whole; and

• The auditor has decided that to not include the additional paragraph may lead users of
the financial statements to draw incorrect conclusions about the financial statements
and the company as a whole.

The most common reasons for an Emphasis of Matter paragraph to be included in the
auditor’s report are:

• A significant uncertainty surrounding accounting estimates;

• Where a special purpose framework has been used to prepare the financial statements;

• Early application of accounting standards that have a pervasive effect on the financial
statements; or

• Where the prior period’s financial statements have a material error that has been
restated in the current year but did not require a modified opinion to be issued.

Illustrative Example 9
For the purpose of this illustration, reference is made to the opening case study. Hai
Cruising Company has determined that they want to adopt HKFRS 16, Leases, early, given
the number of operating leases they have to finance their cruise ships. The financial
statements clearly disclose the changes, and Quality, the external auditor, has concluded
that an unmodified auditor’s opinion will be issued with the following additional
paragraph.

Emphasis of Matter

We draw attention to Notes X, X, and X (in this case there is likely to be a number of
note disclosures, including the accounting policies note) of the financial statements,
which describe the effects of the early adoption of HKFRS 16, Leases. Our opinion is not
modified in respect of this matter.

10.6.5 Other Matter Paragraph


HKSA 706 (Revised) defines an Other Matter paragraph as:

A paragraph included in the auditor’s report that refers to a matter OTHER than those
presented or disclosed in the financial statements that, in the auditor’s judgement, is relevant
to the users’ understanding of the audit, the auditor’s responsibilities or the auditor’s report.

What does this mean to the auditor?

• The paragraph highlights a matter that has not already been presented in the financial
statements.


• If an Other Matter paragraph is added in an auditor’s report, it will be added after the
opinion paragraph and, if relevant, after an Emphasis of Matter paragraph and Key
Audit Matters. The auditor needs to be wary of the wording when a KAM covers similar
topics. This can usually be achieved by giving more detail in the heading of the Other
Matter paragraph.

The most common reasons for an Other Matter paragraph to be included in the auditor’s
report are:

• A case of non-compliance with laws and regulations identified through the audit
process. These matters, if not resolved, can now be reported under the non-compliance
with laws and regulations requirements of the revised Code of Ethics for Professional
Accountants;

• When the comparative information was audited by another auditor, also highlighting
the opinion given; and

• When a new or amended auditor’s report has been issued after the discovery of
material subsequent events, and also if in these cases management has not amended
the financial statements, a statement to that effect should be included.

Knowledge Check Questions

Question 14
Identify which of the following describes when KAMs are required to be included in an
auditor’s report.
A All auditor’s reports required to be issued by the Hong Kong Companies Ordinance.
B All public interest entities.
C All auditor’s reports where the auditor’s opinion has been modified.
D All listed companies.

Question 15
When an adverse auditor’s report is issued for a listed company, advise what effect this has
on the introductory paragraph to Key Audit Matters.

Question 16
Under the heading Other Information, determine what needs to be disclosed in the
auditor’s report.

Question 17
If the auditor deems an Other Matter paragraph is required for a Listed Company, advise
where in the auditor’s report the Other Matter paragraph should be placed.
A After the opinion but before the Key Audit Matters.
B After the auditor’s responsibility paragraphs.
C As part of the other information paragraph.
D After the auditor’s opinion and after the Key Audit Matters.


Question 18
Advise when auditors generally use Emphasis of Matter paragraphs.

Question 19
Describe the key differences between an Other Matter paragraph and an Emphasis of
Matter paragraph.

10.7 AUDITOR REPORTING ON OPENING BALANCES

10.7.1 First Year Audit for the Existing Auditor


HKSA 710, Comparative Information – Corresponding Figures and Comparative Financial
Statements, deals with the auditor’s responsibilities relating to comparative information in an
audit of financial statements when the financial statements of the prior year have been audited
by a predecessor auditor or were not audited. Reference will also be made to HKSA 510, Initial
Audit Engagements – Opening Balances.

The nature of the comparative information that is presented in the company’s financial
statements can vary depending on the requirements of the applicable financial reporting
framework. In Hong Kong, however, financial statements of companies incorporated under
the provisions of the Hong Kong Companies Ordinance are required to disclose comparative
amounts as required under the applicable accounting standards.

Appendix 16 to the Main Board Rules and Chapter 18.07(5) of the GEM Rules, Governing
the Listing of Securities on the Stock Exchange of Hong Kong Ltd, require financial statements
of listed issuers to include comparative figures for the balance sheet, income statement,
cash flow statement, and statement of changes in equity for the corresponding previous
period. The ‘comparative figures’ referred to by the Main Board Rules and GEM Rules are the
corresponding figures as described in HKSA 710.

Corresponding figures are defined as comparative information where amounts and other
disclosures for the prior period are included as an integral part of the current period’s financial
statements and are intended to be read only in relation to the amounts and other disclosures
relating to the current period (referred to as ‘current period figures’). The level of detail
presented in the corresponding amounts and disclosures is dictated primarily by its relevance
to the current period figures.

10.7.1.1 Corresponding Figures Not Audited


The auditor shall obtain sufficient appropriate audit evidence about whether the corresponding
figures contain misstatements that materially affect the current period’s financial statements.
In the case where the corresponding figures were not audited, the auditor will need to perform
one or more of the following:


• Evaluate whether audit procedures in the current period provide sufficient appropriate
audit evidence regarding the corresponding figures; or

• Perform specific audit procedures to obtain sufficient appropriate audit evidence
regarding the corresponding figures.

The nature and extent of audit procedures necessary to obtain sufficient and appropriate
audit evidence regarding corresponding figures will vary depending on:

• The nature of the account balances, classes of transactions and disclosures, and where
the risk lies with material misstatements in the current period’s financial statements.

• The significance or materiality of the corresponding figures to the current period’s
financial statements.

• The accounting policies of the auditee.

Exhibit 10.9 shows what should be provided based on the amount of appropriate audit
evidence obtained.

Sufficient appropriate audit evidence obtained that corresponding figures are not materially misstated
→ Unmodified Opinion with an Other Matter paragraph advising that the corresponding figures
were unaudited.
Sufficient appropriate audit evidence was not obtained and corresponding figures are materially
misstated but not pervasive to the financial statements as a whole.
→ Qualified Opinion with an Other Matter paragraph advising that the corresponding figures were
unaudited.
Sufficient appropriate audit evidence was not obtained, and corresponding figures are materially
misstated and pervasive to the financial statements as a whole.
→ Disclaimer of Opinion with an Other Matter paragraph advising that the corresponding figures
were unaudited.

EXHIBIT 10.9 Current period reporting

Illustrative Example 10
Winner Company is a company that has grown significantly due to a new contract
providing support services to the Sha Tin Racing Course. The company must now, under
the provisions of the Hong Kong Companies Ordinance, have its financial statements
audited. The corresponding figures have not previously been subject to audit.

The existing auditor has undertaken audit procedures endeavouring to obtain
sufficient appropriate audit evidence to determine whether the corresponding figures
contain material misstatements. The auditor’s endeavours were unsuccessful and
the auditor is therefore unable to obtain sufficient appropriate audit evidence on the
corresponding figures for either the financial performance or the financial position.

The inability to obtain sufficient appropriate audit evidence regarding corresponding
figures is considered by the auditor to be both material and pervasive to the financial
statements. The opinion would therefore look like this.


INDEPENDENT AUDITOR’S REPORT (only illustrating the auditor’s opinion and basis
for opinion)

To the members of Winner Company

(incorporated in Hong Kong with limited liability)

Report on the Audit of the Consolidated Financial Statements

Disclaimer of Opinion

We were engaged to audit the consolidated financial statements of Winner Company and
its subsidiaries (‘the Group’) set out on pages . . . to . . ., which comprise the consolidated
statement of financial position as at 31 December 20X1, and the consolidated statement
of profit or loss and other comprehensive income, consolidated statement of changes in
equity and consolidated statement of cash flows for the year then ended, and notes to the
consolidated financial statements, including a summary of significant accounting policies.

We do not express an opinion on the consolidated financial statements of the Group.
Because of the significance of the matter described in the Basis for Disclaimer of Opinion
section of our report, we have not been able to obtain sufficient appropriate audit evidence
to provide a basis for an audit opinion on these consolidated financial statements. In all
other respects, in our opinion the consolidated financial statements have been properly
prepared in compliance with the Hong Kong Companies Ordinance.

Basis for Disclaimer of Opinion

The previous financial report was not audited. We were unable to satisfy ourselves
by alternative means concerning a number of corresponding figures disclosed in the
consolidated statement of the financial position, the consolidated statement of profit
or loss and other comprehensive income, consolidated statement of changes in equity,
and consolidated statement of cash flows as corresponding figures. Whilst we were
satisfied with the material accuracy of amounts recorded in the consolidated statement
of financial position at 31 December 20X1, the impact of the corresponding figures on the
current period consolidated statement of profit or loss and other comprehensive income,
consolidated statement of changes in equity, and consolidated statement of cash flows
prevents us from forming an opinion on the financial statements as a whole.

10.7.1.2 Corresponding Figures Were Audited by a Predecessor Auditor


In the case where the corresponding figures were audited by a predecessor auditor, the
existing auditor will need to perform one or more of the following:

• Review the predecessor auditor’s working papers to obtain sufficient appropriate audit
evidence regarding the corresponding figures;

• Evaluate whether audit procedures in the current period provide sufficient appropriate
audit evidence regarding the corresponding figures; or

• Perform specific audit procedures to obtain sufficient appropriate audit evidence
regarding the corresponding figures.


Reviewing the predecessor auditor’s audit file can be an effective and efficient way of
obtaining sufficient appropriate audit evidence on opening balances. However, the existing
auditor must make a formal assessment of the professional competence and independence
of the predecessor auditor in determining the level of reliance that can be placed on the work
previously performed.

For current period reporting, we will assume that the predecessor auditor issued an
unmodified auditor’s opinion and that was the appropriate opinion in the existing auditor’s
view. Exhibit 10.10 shows what should be provided based on the amount of appropriate audit
evidence obtained.

Sufficient appropriate audit evidence was obtained that found corresponding figures are not materially
misstated.
→ Unmodified Opinion with an Other Matter paragraph advising that the corresponding figures
were audited by a predecessor auditor and an unmodified opinion was issued and on what date.

EXHIBIT 10.10 Current period reporting

10.7.2 Prior Period Auditor’s Report Modifications to Be Assessed by Existing Auditor

In the case where the corresponding figures were audited by a predecessor auditor and the
predecessor auditor modified their auditor’s opinion, the existing auditor will need to evaluate
the effect of the matter giving rise to the modification in assessing the risks of a material
misstatement in the current period’s financial statements.

• Example 1: Predecessor auditor issued a Qualified auditor’s opinion.

If the matter causing the predecessor auditor to qualify is not resolved and the auditor
determines that the matter affects the current period’s financial performance or
position, the existing auditor will need to determine whether to repeat the qualification
or issue a further basis for qualification depending on the results of the review of the
predecessor’s audit file and audit procedures undertaken by the existing auditor of the
corresponding figures.

If the matter causing the predecessor auditor to qualify is resolved, assuming
no other circumstances have arisen as a result of audit procedures undertaken on
the corresponding figures by the existing auditor, the existing auditor could issue an
unmodified auditor’s opinion. The existing auditor may consider including an Emphasis
of Matter paragraph referencing the note disclosure containing details of how the
matter resulting in the qualified auditor’s opinion has been resolved.

• Example 2: Predecessor auditor issued an Adverse auditor’s opinion.

• Example 3: Predecessor auditor issued a Disclaimer of opinion.

The thought process for the auditor is the same as applied in Example 1.


Apply and Analyse 6


During a meeting with the chief executive officer (CEO) of CWaves, Quality wanted to probe
management’s views on the qualification by the predecessor auditor relating to the level of
impairment against goodwill, in order to determine the potential impact this may have on
the current period’s financial statements.

Analysis

Quality undertook a review of the predecessor auditor’s audit files. The predecessor
auditor was assessed by Quality to be a well-known firm and a member of HKICPA. Quality
assessed the independence of the predecessor auditor and concluded that there were no
impairments to independence. Quality also concluded that they could place reliance on the
predecessor’s audit procedures and conclusions, and documented this assessment and
conclusion in the audit file.

Quality did not identify any further potential areas for misstatement with the
corresponding figures.

During the current period, the basis for the qualification has been resolved in that
a number of uncertainties in the discounted cash flow model adopted by management
to determine whether an impairment existed were appropriate and would remain
appropriate in the current period.

Quality now believes it has sufficient appropriate audit evidence to issue an
unmodified auditor’s opinion. Quality will include an Emphasis of Matter paragraph as the
CEO wishes to disclose the reasons why the issue has been resolved in the notes to the
financial statements. Quality will, in an Other Matter paragraph, state that the financial
statements for the prior period were audited by the predecessor auditor and that the
opinion was qualified and for what reason and state the date of the report.

Knowledge Check Questions

Question 20
Identify which of the following prior period disclosures are classified as in Hong Kong.
A Prior period comparatives.
B Corresponding figures.
C Corresponding numbers.
D Prior period figures.

Question 21
Compare the difference in obtaining sufficient appropriate audit evidence when
corresponding figures have and when they have not been audited.


10.8 REVIEW OPINIONS FOR INTERIM FINANCIAL STATEMENTS

HKSRE 2410, Review of Interim Financial Information Performed by the Independent Auditor of the
Entity, is directed towards a review of interim financial information.

The Main Board Listing Rules and GEM Listing Rules require that a listed issuer prepares
a report on interim financial information in respect of the first six months of its financial year
in line with the requirements of HKAS 34, Interim Financial Reporting. The interim financial
information shall include, at a minimum, the following components:

• A balance sheet;

• An income statement;

• A cash flow statement;

• A statement of changes in equity;

• Comparative figures for the statements referred to above; and

• Accounting policies and explanatory notes.

The Listing Rules do not require a report on interim financial information to be reviewed by
the auditor. If an auditor is engaged to conduct a review of the interim financial information,
they should follow the requirements of HKSRE 2410, Review of Interim Financial Information
Performed by the Independent Auditor of the Entity.

Chapter 12, Other Assurance Engagement Requirements, outlines the auditors’
responsibilities when conducting review engagements in line with HKSRE 2410.

10.8.1 Reporting the Nature, Extent, and Results of the Review of Interim Financial Information
The auditor will issue a written report that contains the following:

1. An appropriate title, for example Report on Review of Interim Financial Information,
Independent Auditor’s Review Report.

2. An addressee as required by the circumstances of the engagement.

3. Identification of the interim financial information reviewed, including identification
of the title of each of the statements contained in the complete or condensed set
of financial statements and the date and period covered by the interim financial
information.

4. If the interim financial information comprises a complete set of general-purpose
financial statements prepared in accordance with a financial reporting framework
designed to achieve fair presentation, a statement that management is responsible for
the preparation and fair presentation of the interim financial information in accordance
with HKFRSs.


5. In other circumstances, a statement that management is responsible for the
preparation and presentation of the interim financial information in accordance
with HKFRSs.

6. A statement that the auditor is responsible for expressing a conclusion on the interim
financial information based on the review.

7. A statement that the review of the interim financial information was conducted in
accordance with HKSRE 2410, Review of Interim Financial Information Performed by the
Independent Auditor of the Entity, and a statement that such a review consists of making
inquiries, primarily of persons responsible for financial and accounting matters, and
applying analytical and other review procedures.

8. A statement that a review is substantially less in scope than an audit conducted in
accordance with HKSAs and consequently does not enable the auditor to obtain
assurance that the auditor would become aware of all significant matters that might be
identified in an audit and that accordingly no auditor’s opinion is expressed.

9. If the interim financial information comprises a complete set of general-purpose
financial statements prepared in accordance with HKFRSs designed to achieve fair
presentation, a conclusion as to whether anything has come to the auditor’s attention
that causes the auditor to believe that the interim financial information does not give a
true and fair view, or does not present fairly, in all material respects, in accordance with
HKFRSs (including a reference to the jurisdiction or country of origin of the financial
reporting framework when the financial reporting framework used is not based on
HKFRSs); or

10. In other circumstances, a conclusion as to whether anything has come to the auditor’s
attention that causes the auditor to believe that the interim financial information is not
prepared, in all material respects, in accordance with HKFRSs (including a reference
to the jurisdiction or country of origin of the financial reporting framework when the
financial reporting framework used is not HKFRSs).

11. The date of the report.

12. The location in the country or jurisdiction where the auditor practises.

13. The auditor’s signature.

It should be noted that the form of the conclusion can be any one of those explored in
Section 10.4, Form of Opinion.

10.8.2 Differences between an Auditor’s Opinion and an Auditor’s Conclusion
The resulting report from the auditor and level of assurance is driven by the difference
between an audit and a review.

An audit is a detailed process that provides a high level of assurance to the users of
financial reports. The objective of an audit of financial statements is to enable the auditor to
express an opinion whether the financial statements are prepared, in all material respects, in
accordance with HKFRSs. When forming an opinion on the financial statements the auditor
needs to evaluate whether, based on the audit evidence obtained, there is reasonable
assurance about whether the financial statements taken as a whole are free from material
misstatement.

A review, in contrast to an audit, is not designed to obtain reasonable assurance that the
interim financial statements are free from material misstatement.

A review consists of making inquiries, primarily of persons responsible for financial and
accounting matters, and applying analytical and other review procedures. A review may bring
significant matters affecting the interim financial statements to the auditor’s attention, but it
does not provide all of the evidence that would be required in an audit.

The objective of a review of interim financial statements differs significantly from that
of an audit conducted in accordance with Auditing Standards. A review of interim financial
statements does not provide a basis for expressing an opinion whether the financial
statements give a true and fair view, in all material respects, in accordance with HKFRSs.

The objective of an engagement to review interim financial statements is to enable the
auditor to express a conclusion whether, on the basis of the review, anything has come to the
auditor’s attention that causes the auditor to believe that the interim financial statements are
not prepared, in all material respects, in accordance with HKFRSs (Exhibit 10.11).

| | Audit | Review |
|---|---|---|
| Level of assurance | A reasonable or high level of assurance is about whether the financial statements as a whole are free from material errors or fraud. Reasonable or high assurance is not absolute assurance. | Limited assurance is about whether the financial statements as a whole are free from material errors or fraud. Limited assurance is less than reasonable assurance. |
| Report provided | Independent Auditor’s Report. Opinion is expressed in a positive form, e.g. ‘The financial statements are free from material misstatement.’ | Independent Review Report. Conclusion is expressed in a negative form, e.g. ‘Nothing has come to our attention that causes us to believe that the financial statements are not free from material misstatement.’ |
| Nature of procedures | Procedures normally involve detailed tests of accounting records using techniques such as inspection, observation, confirmation, recalculation and re-performance, as well as inquiry and analytical review. | Procedures are primarily based on inquiry and analytical review. |

EXHIBIT 10.11 Differences between an audit and a review


Knowledge Check Questions

Question 22
Identify which of the following interim financial information the auditor does not have
to opine on.
A Accounting policy note regarding revenue recognition.
B Statement of financial position.
C A statement of changes in equity.
D Compliance with HKFRSs.

Question 23
Determine what the auditor must state in relation to the scope of work conducted for
interim financial statements.

Question 24
List the key differences between an auditor’s opinion and an auditor’s review report
conclusion.

10.9 AUDITOR REPORTING ON SPECIAL PURPOSE FRAMEWORKS

10.9.1 Auditor’s Report Format in Line with HKSA 800 (Revised)


The reference standard is HKSA 800 (Revised), Special Considerations – Audits of Financial
Statements Prepared in Accordance with Special Purpose Frameworks. This HKSA is written in the
context of a complete set of financial statements prepared with a special purpose framework.

When forming an opinion and reporting on special purpose financial statements, the
auditor shall apply the requirements of HKSA 700 (Revised); the main difference lies in the
description of the applicable financial reporting framework.

HKSA 700 (Revised) requires an auditor to refer to or describe the applicable financial
reporting framework. Typically, in Hong Kong examples of special purpose frameworks for the
purpose of application of HKSA 800 would include, but not be limited to, financial reporting
provisions of a contract, provisions established by a regulator such as the Hong Kong Monetary
Authority, or other governance requirements, such as school audits conducted under the
requirements of the Education Ordinance.

HKSA 700 (Revised), as described throughout this chapter, deals with the form and
content of the auditor’s report, including the specific ordering for certain elements. In the case
of an auditor’s report on special purpose financial statements:

• The auditor’s report shall also describe the purpose for which the financial statements
are prepared and, when deemed appropriate, the intended users. Alternatively, if
a note in the special purpose financial statements describes this, reference to the
applicable note; and


• If management makes a determination as to the appropriate financial reporting
framework, then the section of the auditor’s report on the responsibilities of
management and those charged with governance shall make reference to management’s
responsibility for determining the financial reporting framework and its acceptability in
the circumstances.

The auditor’s report shall also include an Emphasis of Matter paragraph alerting the user
of the auditor’s report that the financial statements have been prepared in accordance with a
special purpose framework, and as a result the financial statements may not be suitable for any
other purpose. In the Emphasis of Matter paragraph, the auditor may determine it appropriate
to indicate that the auditor’s report is intended solely for the specific users.

Illustrative Example 11

INDEPENDENT AUDITOR’S REPORT (only Illustrating the Auditor’s Opinion and Basis
for Opinion)

To XX Authority

(incorporated in Hong Kong with limited liability)

Opinion

We have audited the financial statements of ABC Company (‘the Company’) set out on
pages . . . to . . ., which comprise the statement of financial position as at 31 December
20X1, and the profit and other comprehensive income, statement of changes in equity and
statement of cash flows for the year then ended, and notes to the financial statements,
including a summary of significant accounting policies.

In our opinion, the financial statements give a true and fair view of the financial position
of the Company as at 31 December 20X1 and of its financial performance and its cash flows
for the year then ended in accordance with the financial reporting provisions of Section A of
XX Authority Regulation C.

Basis for Opinion

We conducted our audit in accordance with Hong Kong Standards on Auditing
(‘HKSAs’) issued by the Hong Kong Institute of Certified Public Accountants (‘HKICPA’).
Our responsibilities under those standards are further described in the Auditor’s
Responsibilities for the Audit of the Financial Statements section of our report. We
are independent of the Company in accordance with the HKICPA’s Code of Ethics
for Professional Accountants (‘the Code’) and we have fulfilled our other ethical
responsibilities in accordance with the Code. We believe that the audit evidence we have
obtained is sufficient and appropriate to provide a basis for our opinion.

Emphasis of Matter – Basis of Accounting

We draw attention to Note X of the financial statements, which describes the basis of
accounting. The financial statements are prepared to assist the Company to meet the
requirements of XX Authority. As a result, the financial statements may not be suitable for
another purpose. Our opinion is not modified in respect of this matter.


10.9.2 Auditor’s Report Format on Other Than Complete Financial Statements
HKSA 805 (Revised), Special Considerations – Audits of Single Financial Statements and Specific
Elements, Accounts or Items of a Financial Statement, and HKSA 810 (Revised), Engagements to
Report on Summary Financial Statements, are the reference standards.

10.9.2.1 Audits of Single Financial Statements and Specific Elements, Accounts, or Items of a Financial Statement
HKSA 210, Agreeing the Terms of Audit Engagements, requires that the agreed terms of the audit
engagement include the expected format of any reports to be issued by the auditor. This
extends to the auditor considering whether the expected form of opinion is appropriate in the
circumstances.

When forming an opinion, HKSA 700 (Revised) and, when applicable, HKSA 800 (Revised)
should be adapted and used.

If the auditor undertakes an engagement to report on a single financial statement or on a
specific element of a financial statement in conjunction with an engagement to audit the entire
set of financial statements, the auditor will need to express separate opinions.

The auditor will need to consider the implications, for the audit of the single financial
statement or the specific element of a financial statement, if any of the following matters
are included in an auditor’s report on the entire set of financial statements:

• A modified auditor’s opinion issued in accordance with HKSA 705 (Revised);

• An emphasis of matter paragraph or an other matter paragraph issued in accordance
with HKSA 706 (Revised);

• A material uncertainty related to a going concern section in accordance with HKSA 570
(Revised);

• Communication of KAMs in accordance with HKSA 701; or

• A statement that describes an uncorrected material misstatement of the other
information in accordance with HKSA 720 (Revised).

It should be noted that the auditor shall not express an unmodified opinion on a single
financial statement or on a specific element of a financial statement of an entire set of financial
statements if the auditor has expressed an adverse opinion or disclaimed an opinion. This is the
case even when the auditor’s report on the single financial statement is not published together.

Illustrative Example 12

INDEPENDENT AUDITOR’S REPORT (Only Illustrating the Auditor’s Opinion and Basis
for Opinion)

To the Shareholders of DEF Company

Opinion

We have audited the accounts receivable schedule of DEF Company (‘the Company’) as at
31 December 20X1 (‘the schedule’).



In our opinion, the financial information in the schedule of the Company as at 31
December 20X1 is prepared, in all material respects, in accordance with the operating
agreement with the Customer Company.

Basis for Opinion

We conducted our audit in accordance with Hong Kong Standards on Auditing
(‘HKSAs’) issued by the Hong Kong Institute of Certified Public Accountants (‘HKICPA’).
Our responsibilities under those standards are further described in the Auditor’s
Responsibilities for the Audit of the Schedule section of our report. We are independent of
the Company in accordance with the HKICPA’s Code of Ethics for Professional Accountants
(‘the Code’) and we have fulfilled our other ethical responsibilities in accordance with the
Code. We believe that the audit evidence we have obtained is sufficient and appropriate to
provide a basis for our opinion.

Emphasis of Matter – Basis of Accounting and Restriction on Distribution

We draw attention to Note X to the schedule, which describes the basis of accounting. The
schedule is prepared to assist the Company to meet the requirements of the operating
agreement with the Customer Company. As a result, the schedule may not be suitable for
another purpose. Our report is intended solely for the Company and Customer Company
and should not be distributed to parties other than the Company or Customer Company.
Our opinion is not modified in respect of this matter.

10.9.2.2 Engagements to Report on Summary Financial Statements


HKSA 810 (Revised) deals with auditor’s responsibilities relating to an engagement to report on
summary financial statements derived from financial statements audited in accordance with
HKSAs by the same auditor.

Section 439 of the Hong Kong Companies Ordinance allows the directors of a company to
prepare, for a financial year, a financial report in summary form, derived from the reporting
documents for the financial year. Under Section 441, the summary financial report may be sent
to a member instead of the full set of reporting documents otherwise required under Section 430
and within the same timeframe.

The HKEx main board listing rule 13.46 states that an issuer may send a copy of its
summary financial report to a member and a holder of its listed securities in place of a copy of
its annual report and accounts, provided that it complies with the relevant provisions set out
in Sections 437 to 446 of the Hong Kong Companies Ordinance. The GEM Listing Rules have the
same requirements.

Cap.622E Companies (Summary Financial Reports) Regulation needs to be read in light of
the Hong Kong Companies Ordinance for summary financial statements as this regulation sets
out both the requirements of directors in terms of form and contents of a summary financial
report and auditor’s report and opinion.


Paragraph 4 requires the following to be included in the auditor’s report:

1. A summary financial report for a financial year of a company must:

a. Contain a statement from the company’s auditor as to whether the auditor’s report
for that financial year is qualified or otherwise modified, or includes a reference
to any matter to which the auditor drew attention by way of emphasis without
qualifying the report; and

b. If the auditor’s report is qualified or otherwise modified, set out the full auditor’s
report and any further material necessary for the understanding of the qualification
or other modification.

2. If the auditor’s report of a company contains a statement that, in the auditor’s opinion,
the financial statements for a financial year of the company have not been properly
prepared in compliance with the Ordinance and, in particular:

a. A true and fair view of the financial position and financial performance of the
company in accordance with the reporting framework has not been given; or

b. For a company that is required to prepare annual consolidated financial statements,
a true and fair view of the financial position and financial performance of the
company, and all the subsidiary undertakings, as a whole, in accordance with the
reporting framework, has not been given, a summary financial report for that
financial year must contain that statement.

3. If the auditor’s report of a company contains a statement that, in the auditor’s opinion,
the information in a directors’ report for a financial year is not consistent with the
financial statements for the financial year, a summary financial report for that financial
year must contain that statement.

4. If the auditor’s report for a financial year of a company contains:

a. A statement that, in the auditor’s opinion:

(i) Adequate accounting records have not been kept by the company; or

(ii) The company’s financial statements are not in agreement with its accounting
records in any material respect;

b. A statement that the auditor has failed to obtain all the information or explanations
that, to the best of the auditor’s knowledge and belief, are necessary and material
for the purpose of the audit; and

c. A statement giving the particulars that are required to be, but have not been,
contained in the financial statements, as required by Section 407(4) of the
Ordinance, a summary financial report for that financial year must contain those
statements.

5. A summary financial report of a company must contain an opinion from the company’s
auditor as to whether:

a. The report is consistent with the reporting documents from which the report is
derived; and

b. The report complies with the requirements of this Part.


In addition to these requirements of the auditor’s report, HKSA 810 (Revised) requires a
number of further elements to be disclosed:

• A title clearly indicating that it is the report of an independent auditor.

• An addressee.

• Identification of the summary financial statements on which the auditor is reporting,
including the title of each statement included in the summary financial statements.

• Identification of the audited financial statements.

• A clear expression of an opinion (except where an adverse or disclaimer of opinion
has been issued; in these circumstances the auditor would need to state that it is
inappropriate to express an opinion on the summary financial statements).

• A clear statement that the summary financial statements do not contain all the
disclosures required by HKFRSs applied in the preparation of the audited financial
statements and that reading the summary financial statements and the auditor’s
report thereon is not a substitute for reading the audited financial statements and the
auditor’s report thereon.

• Where applicable, if the auditor’s opinion on the summary financial statements is issued
after the date of the auditor’s report on the financial statements, the auditor’s report
on the summary financial statements shall state that the summary financial statements
and the financial statements do not reflect the effects of events that occurred
subsequent to the date of the auditor’s report on the audited financial statements.

Apply and Analyse 7


Chloe Cheng, an independent non-executive director of CWaves, has decided that she
wants to provide members of CWaves with summary financial statements in line with
Section 439 of the Companies Ordinance and HKEx listing rule 13.46. Chloe wants the
auditor’s report on the summary financial statements to be signed on the same date as the
auditor’s report on the financial statements. Quality must present a draft of their proposed
report on the summary financial statements.

Analysis

The audit partner provided the following draft to Chloe Cheng based on the illustrations
that he found at the back of HKSA 810 (Revised).

REPORT OF THE INDEPENDENT AUDITOR ON THE SUMMARY FINANCIAL REPORT

To the Members of CWaves Ferry Holding Company Limited

(incorporated in Hong Kong with limited liability)

Opinion

The summary consolidated financial report of CWaves Ferry Holding Company Limited
(‘the Group’), set out on pages . . . to . . ., includes the summary consolidated financial
statements of the Group for the year ended 31 December 20X1. The summary consolidated
financial statements of the Group, set out on pages . . . to . . ., which comprise the summary
consolidated statement of financial position as at 31 December 20X1, the summary
consolidated statement of comprehensive income and summary consolidated income
statement, consolidated summary statement of changes in equity and consolidated
summary statement of cash flows for the year then ended, and related notes are derived
from the audited consolidated financial statements of the Group for the year ended 31
December 20X1. In our opinion, the summary financial report:

(a) Is consistent with the annual financial statements and the auditor’s report thereon
and the directors’ report of the Company for the year ended 31 December 20X1
from which it is derived; and

(b) Complies with the requirements of Part 2 of the Hong Kong Companies (Summary
Financial Reports) Regulation.

Summary Financial Statements

The summary consolidated financial statements included in the summary consolidated
financial report do not contain all the disclosures required by Hong Kong Financial
Reporting Standards issued by the Hong Kong Institute of Certified Public Accountants.
Reading the summary consolidated financial statements and the auditor’s report on the
summary consolidated financial report, therefore, is not a substitute for reading the audited
consolidated financial statements and the auditor’s report thereon.

The Audited Consolidated Financial Statements and Our Report Thereon

We expressed an unmodified opinion on the audited consolidated financial statements in our
report dated 15 February 20X2. That report also includes the communication of key audit
matters. Key audit matters are those matters that, in our professional judgement, were of
most significance in our audit of the consolidated financial statements of the current period.

Directors’ Responsibility for the Summary Consolidated Financial Report

Under the Hong Kong Companies Ordinance, the directors are responsible for the
preparation of the summary consolidated financial report in accordance with Section 439
of the Hong Kong Companies Ordinance and the Hong Kong Companies (Summary Financial
Reports) Regulation. In preparing the summary consolidated financial report, Sections 3(1)
and (2) of the Hong Kong Companies (Summary Financial Reports) Regulation requires that
the summary consolidated financial report must contain the information derived from the
annual consolidated financial statements and the auditor’s report thereon and the directors’
report for the year ended 31 December 20X1 and contain such information and particulars
set out in Sections 3(3), 5, and 6 of the Hong Kong Companies (Summary Financial Reports)
Regulation and be approved by the board of directors.

Auditor’s Responsibility

Our responsibility is to express an opinion on whether the summary consolidated financial
report is consistent with the annual consolidated financial statements and the auditor’s
report thereon and the directors’ report, and complies with the requirements of Part 2 of the
Hong Kong Companies (Summary Financial Reports) Regulation, based on our procedures,
which were conducted in accordance with Hong Kong Standard on Auditing 810 (Revised),
Engagements to Report on Summary Financial Statements, issued by the Hong Kong Institute
of Certified Public Accountants. We are also required to state whether the auditor’s report
on the annual consolidated financial statements for the year ended 31 December 20X1 is
qualified or otherwise modified.

The engagement partner on the audit resulting in this independent auditor’s report is
Jianji Ling.

Signature

Quality Auditors

Certified Public Accountants (Practising)

Hong Kong Building, Queens Road, Central

15 February 20X2

Knowledge Check Questions

Question 25
Identify which of the following statements would not be made in the independent auditor’s
report on a special purpose framework for a full set of financial statements.
A The financial statements can be relied upon by all users.
B The audit was conducted in accordance with HKSA.
C The auditor is independent.
D True and fair view.

Question 26
Identify which of the following the auditor must further state if the auditor’s opinion on the
summary financial statements is not signed on the same date as the auditor’s report on
the financial statements:
A No subsequent events are reflected in the summary financial statements that occurred
after the date of the summary financial statements.
B The identity of the summary financial statements.
C No subsequent events are reflected in the summary financial statements that occurred
after the date of the financial statements.
D The date of the auditor’s opinion on the summary financial statements.


10.10 AUDITOR’S REPORTING ON SMALL- AND MEDIUM-SIZED

The Small and Medium-Sized Entity Financial Reporting Framework (‘revised SME-FRF’) and Financial
Reporting Standard (‘revised SME-FRS’) form the accounting standard that is the reference point
for the audit of small- and medium-sized entities. PN 900 (Revised), Audit of Financial Statements
Prepared in Accordance with the Small- and Medium-sized Entity Reporting Framework, is the
auditor’s reference point.

In accordance with the revised SME-FRF:

(a) A company incorporated under the new Hong Kong Companies Ordinance or predecessor
Hong Kong Companies Ordinance (Cap.32) qualifies for reporting under the revised
SME-FRF if it satisfies the criteria set out in Section 359 of the new Hong Kong Companies
Ordinance and the sections and Schedules to which that section refers.

Specifically:

(i) Section 359(1)(b) brings forward the qualifying criteria that were previously found
in Section 141D of the predecessor, the Hong Kong Companies Ordinance, relating
to private companies that do not have subsidiaries and are not a subsidiary of
another company. These companies (unless they fall within the types of companies
listed in Section 359(4)) are eligible for the reporting exemption, provided that each
year they obtain 100% approval in writing from their members.

(ii) The remainder of Section 359 introduces three additional categories of entities
(or groups) that fall within the reporting exemption if they meet certain criteria
relating to the type of entity, the size of the entity, and in certain cases the need for
member approval (15 February 20X2).

(b) An entity that is not a company incorporated under either the new Hong Kong
Companies Ordinance or the predecessor, the Hong Kong Companies Ordinance, subject
to any specific requirements imposed by the law of the entity’s place of incorporation
and subject to its constitution, qualifies for reporting under the revised SME-FRF when
the entity meets the same requirements that a Hong Kong incorporated entity is
required to meet under Section 359 of the new Hong Kong Companies Ordinance.

The new Hong Kong Companies Ordinance permits private companies and companies limited
by guarantee to take advantage of a ‘reporting exemption’ if they meet certain qualifying
criteria set out in Section 359. The reporting exemption takes the form of an exemption from
certain of the requirements for the contents of the directors’ report and financial statements
that would apply if the entities did not qualify for the exemption.

Of these exemptions, the most significant one for the purposes of the revised SME-FRF
and SME-FRS is the exemption from the requirement for the financial statements to give a true
and fair view as set out in Section 380(7) of the new Hong Kong Companies Ordinance. Instead
of preparing financial statements under the fair presentation framework, financial statements
prepared by entities taking advantage of the reporting exemption are required to be properly
prepared in accordance with the revised SME-FRF and SME-FRS as these are the applicable
accounting standards for such companies for the purposes of complying with Section 380(4)(b).
With reference to paragraph 13(a) of HKSA 200, Overall Objectives of the Independent Auditor and
the Conduct of an Audit, the revised SME-FRF is considered to be a compliance framework.

Regardless of whether a company falls or does not fall within the reporting exemption,
the auditor of the company is required under Section 406 of the new Hong Kong Companies
Ordinance to opine in the auditor’s report on whether the financial statements have been
properly prepared in compliance with the new Hong Kong Companies Ordinance. In accordance
with the Hong Kong Framework for Assurance Engagements, this is a form of ‘reasonable
assurance’ as the auditor is required to express a positive form of conclusion.

10.10.1 Auditor’s Report


HKSA 700 (Revised) applies to the audit of the financial statements prepared in accordance
with the revised SME-FRS. An auditor should also refer to HKSA 705 (Revised) and HKSA 706
(Revised) in the independent auditor’s report if necessary.

In an auditor’s report on the financial statements prepared in accordance with the
revised SME-FRS, the auditor expresses an opinion as to whether the financial statements are
prepared, in all material respects, in accordance with the revised SME-FRS.

In addition, regardless of whether a company falls or does not fall within the reporting
exemption, the auditor of the company is required under Sections 406 and 407 to opine in the
auditor’s report:

(i) If, in the opinion of the auditor, the information in a directors’ report is not consistent
with the financial statements; and

(ii) On certain other matters, as and when necessary. As noted earlier in this chapter,
guidance on these reporting requirements is provided in Practice Note 600.1 (Revised).

Illustrative Example 13

INDEPENDENT AUDITOR’S REPORT (Only Illustrating the Auditor’s Opinion and Basis
for Opinion)

To the Members of SME Limited

(incorporated in Hong Kong with limited liability)

Report on the Audit of the Financial Statements

Opinion

We have audited the financial statements of SME Limited (‘the Company’) set out on
pages . . . to . . ., which comprise the statement of the financial position as at 31 December
20X1, the income statement and cash flow statement for the year then ended, and notes
to the financial statements, including a summary of significant accounting policies.

In our opinion, the financial statements of the Company are prepared, in all material
respects, in accordance with the Hong Kong Small and Medium-Sized Entity Financial Reporting
Standard (‘SME-FRS’) issued by the Hong Kong Institute of Certified Public Accountants (‘HKICPA’)
and have been properly prepared in compliance with the Hong Kong Companies Ordinance.

Basis for Opinion

We conducted our audit in accordance with the Hong Kong Standards on Auditing (‘HKSAs’)
and with reference to Practice Note 900 (Revised), Audit of Financial Statements Prepared
in Accordance with the Small- and Medium-Sized Entity Financial Reporting Standard
issued by the HKICPA. Our responsibilities under those standards are further described
in the Auditor’s Responsibilities for the Audit of the Financial Statements section of our
report. We are independent of the Company in accordance with the HKICPA’s Code of
Ethics for Professional Accountants (‘the Code’) and we have fulfilled our other ethical
responsibilities in accordance with the Code. We believe that the audit evidence we have
obtained is sufficient and appropriate to provide a basis for our opinion.

Knowledge Check Questions

Question 27
Identify which of the following is the type of assurance given in an auditor’s report of a
small or medium-sized entity.
A Reasonable assurance.
B Moderate assurance.
C Limited assurance.
D Positive assurance.

SUMMARY

This chapter has set out the various auditor reporting requirements, which are detailed and
sometimes complex, depending on the situations faced during the audit process.

The format and key elements of the auditor’s reports do not change given differing
opinions, but understanding the different elements for listed companies’ reports and where
other paragraphs are added is essential.

The auditor must carefully consider the circumstances that may lead to a modified
auditor’s opinion.

Decisions pertaining to an auditor’s opinion in relation to the going concern assumption are
important and should be mapped to the particular circumstances of the company.

Key Audit Matters are the newest component added to listed company auditors’ reports
and serve to inform users of the financial statements of the matters that were most important to
the auditor during the audit process.

The auditor must also be aware of reporting on entities other than listed and large non-listed
companies and of circumstances that require interim review reporting on listed entities.

MIND MAP

Central topic: AUDITOR’S REPORTING

AUDITOR’S OBJECTIVES
Importance of the Auditor’s Report
Implications of Materiality to the Auditor’s Opinion

COMPONENTS OF AN AUDITOR’S REPORT
Title of Auditor’s Report
Addressee
Auditor’s Opinion
Basis for Opinion
Key Audit Matters
Other Information
Responsibilities of Directors and Those Charged with Governance
Auditor’s Responsibilities for the Audit of the Financial Statements
Report on Other Legal and Regulatory Requirements

AUDITOR’S REPORT REQUIREMENTS
What the auditor has accumulated to reduce detection risk
Forming an auditor’s opinion requires considerable judgement

FORM OF OPINION
Unmodified Opinion
• Unmodified with Emphasis of Matter
• Unmodified with Other Matter
Modified Opinion
• Qualified
• Adverse
• Disclaimer of Opinion

ADDITIONAL COMMUNICATIONS IN THE AUDITOR’S REPORT
Key Audit Matters (‘KAMs’)
• Determining KAMs
• Communicating KAMs
Other Information
• Scope of the Standard
• Response if there is a material misstatement of the other information
• Communication in the auditor’s report about other information
Material Uncertainty Related to Going Concern
Emphasis of Matter Paragraph
Other Matter Paragraph

AUDITOR REPORTING ON OPENING BALANCES
First Year Audit for the Existing Auditor
Prior Period Auditor’s Report Modifications to Be Assessed by Existing Auditor

REVIEW OPINIONS FOR INTERIM FINANCIAL STATEMENTS
Reporting the Nature, Extent, and Results of the Review of Interim Financial Information
Differences between an Auditor’s Opinion and an Auditor’s Conclusion

AUDITOR REPORTING ON SPECIAL PURPOSE FRAMEWORKS
Auditor’s Report Format in Line with HKSA 800 (Revised)
Auditor’s Report Format on Other Than Complete Financial Statements

AUDITOR REPORTING ON SMALL AND MEDIUM-SIZED ENTITIES
Revised SME-FRF
Revised SME-FRS
PN 900 (Revised)

Answers to Knowledge Check Questions

Question 1
Answer A is incorrect. It is not the role of the auditor to detect any or all fraudulent
activities.
Answer B is incorrect. The auditor does certainly have a responsibility to understand those
internal controls that may be relevant to the audit, but it is not the primary responsibility of
the auditor to identify control weaknesses; the primary responsibility for that comes with
those charged with governance and/or management.
Answer C is incorrect. This situation in most cases would cause a conflict that may result in
an independence issue for the auditor. The auditors can review a company’s conclusion on
an HKFRS issue but not form the audit conclusion.
Answer D is correct. The basic premise of the independent auditor’s report is that it helps
to reduce the concerns users of the financial statements have that there may be company
bias, which could unintentionally or intentionally present financial information more
optimistically than could be argued.

Question 2
Answer A is incorrect. Objective throughout the audit process.
Answer B is incorrect. This is not an objective of an auditor.
Answer C is incorrect. This is not a direct objective, as this decision is driven by the
circumstances of the particular audit.
Answer D is correct. This is the overall objective for the auditor.

Question 3
In determining the final form of the auditor’s opinion, the auditor must be mindful that to
express an unmodified opinion the auditor needs to conclude that the financial statements
as a whole are prepared ‘in all material respects, in accordance with the applicable
reporting framework’ (HKSA 700.16).
If the auditor concludes that the financial statements as a whole are not free from
material misstatement the auditor’s opinion would need to be modified and reference
would need to be made to HKSA 705 (Revised), Modifications to the Opinion in the
Independent Auditor’s Report, as to the appropriate level of modification.
The concept and application of the independent auditor’s determination of materiality
is one of the central elements in determining the appropriate auditor’s opinion.

Question 4
Answer A is incorrect. This is an option in HKSA 700.
Answer B is correct. This is not an option in HKSA 700.
Answer C is incorrect. This is an option in HKSA 700.
Answer D is incorrect. This is an option in HKSA 700.

Question 5
The first paragraph of the opinion section in all cases:

• States that the financial statements have been audited;

• Identifies the auditee, whether a single company, e.g. CWaves Hotels Company
(‘the company’) for single company financial statements or a group audit, e.g.
CWaves Ferry Holding Company Limited and its subsidiaries (‘the Group’) for a
consolidated set of financial statements;

• Defines the pages of the financial statements that the auditor’s opinion covers;

• States the specific components of the financial statements upon which an auditor’s
opinion is given:

°° Statement of the financial position as at a defined point of time,
e.g. 31 December 20X1;

°° Statement of profit or loss and other comprehensive income, statement of
changes in equity, and statement of cash flows for the year (or when relevant –
the period) then ended (HKAS 1 (Revised), Presentation of Financial Statements,
allows entities to present comprehensive income using either a one-statement
approach or a two-statement approach. The importance is consistency with the
titles of the corresponding statements.); and

°° The notes to the financial statements, including the summary of significant
accounting policies.

The second paragraph indicates whether the auditor’s opinion on the financial
statements is:
• Unmodified;

• Unmodified with an Emphasis of Matter;

• Unmodified with an Other Matter; or

• Modified:

°° Qualified Opinion;

°° Adverse Opinion; or

°° Disclaimer of Opinion.

Question 6
The three types of unmodified auditor’s opinions are:

1. Completely clean with no further references.

2. The second form of an unmodified opinion is where the auditor wants to use an
Emphasis of Matter paragraph to draw users’ attention to a matter presented and
disclosed in the financial statements that in the opinion of the auditor is fundamental
to the users’ understanding of the financial statements. (Note: historically the most
common Emphasis of Matter paragraph was in relation to a material uncertainty
pertaining to a going concern. HKSA 570 (Revised), Going Concern, paragraph 22, now
refers to the section in the auditor’s report ‘material uncertainty related to a going
concern’; an example of such wording is covered in Chapter 9 of this module.)
3. The third form of unmodified opinion is where the auditor wants to communicate
to users an Other Matter, other than any of those that are presented or disclosed
in the financial statements. These matters in the auditor’s judgement are
relevant to the user’s understanding of the financial statements, the auditor’s
responsibilities, or the auditor’s report.

Question 7
Answer A is incorrect. The issue is not pervasive to the financial statements as a whole.
Answer B is incorrect. The inability to obtain sufficient appropriate audit evidence on an
issue that is both material and pervasive is a disclaimer of opinion.
Answer C is incorrect. A qualified auditor’s opinion is not simply issued because the
relevant issue has been around for some time. Materiality to the relevant financial
statements is a key determinant.
Answer D is correct. It is considered a material issue that can be quantified and has a
limited effect on revenue.

Question 8
The auditor’s opinion should be qualified on the basis that the auditor believes that
stock could be overvalued by a material amount. Even though the auditor does not have
sufficient appropriate audit evidence to be able to quantify the amount of underprovision,
the impact is on the stock balance only, and it would be reasonable to conclude that the
issue is not pervasive, and so would not end in the disclaimer of opinion category.

Question 9
Answer A is incorrect. The issue would require a modification to the auditor’s opinion.
Answer B is correct. The material misstatement is suspected to be material but not pervasive.
Answer C is incorrect. The financial statements are true and fair except for an item the
auditor has identified which is not pervasive.
Answer D is incorrect. An opinion can be issued and the suspected material amount is not
pervasive.

Question 10
Answer A is incorrect. The issue is material and pervasive.
Answer B is incorrect. An unmodified auditor’s report is inappropriate.
Answer C is incorrect. They know what the issue is and have been able to obtain sufficient
appropriate audit evidence to draw the conclusion that the issue is material and pervasive.
Answer D is correct. Such departure from HKFRS with a material and pervasive effect on
the financial statements leads to an adverse opinion.

Question 11
This type of opinion is the signal to stakeholders that the financial statements of the
company may not be reliable to make economic decisions. This may also alert stakeholders
to the fact that management and those charged with governance may not be operating the
company appropriately or ethically.

Question 12
Auditors may issue a Disclaimer of Opinion when:
• The auditor’s scope was limited. The auditor was limited in this way, for instance,
when the auditor cannot access particular financial data.

• The auditor has other doubts about the reports. For example:

°° The financial statements may seem to violate accounting principles such as the
matching concept or the conservatism principle.

°° The auditor may question the classification of certain revenue and
expense items.

°° Some assets should not have been capitalised.

°° The auditor may question the way the entity applies rules, such as the lower
cost or net realisable value for the inventory.

The auditor issues an auditor’s opinion only when they are confident the opinion is
supported by sufficient appropriate audit evidence. Otherwise, a Disclaimer of Opinion
should be expressed.

Question 13
Section 407 of the Companies Ordinance requires the auditor to opine on other matters:
1. In preparing an auditor’s report, the auditor must carry out an investigation that
will enable the auditor to form an opinion as to:

a. Whether adequate accounting records have been kept by the company; and

b. Whether the financial statements are in agreement with the accounting records.

2. A company’s auditor must state the auditor’s opinion in the auditor’s report if the
auditor is of the opinion that:

a. Adequate accounting records have not been kept by the company; or

b. The financial statements are not in agreement with the accounting records in
any material respect.

Question 14
Answer A is incorrect. ASA 700 specifically states for Listed Companies only.
Answer B is incorrect. ASA 700 specifically states for Listed Companies only.
Answer C is incorrect. ASA 700 specifically states for Listed Companies only.
Answer D is correct. This must be disclosed for listed entities.

Question 15
Reference to the adverse auditor’s opinion must be made as well as the basis for the
adverse opinion as this matter would have otherwise been a KAM. The reason for the
adverse opinion should not be repeated as a separate KAM.

Question 16
Under the heading Other Information, the following must also be disclosed:
• A statement that management is responsible for the other information;
• Identification of the other information obtained prior to the date of the auditor’s
report (for listed entities the auditor is also required to identify any other
information expected to be obtained after the date of the auditor’s report);
• A statement that the auditor’s opinion does not cover the other information and,
accordingly, the auditor does not express an auditor’s opinion or any other form of
assurance thereon;
• A description of the auditor’s responsibilities relating to reading, considering, and
reporting on other information; and
• When other information has been obtained prior to the date of the auditor’s report
either a statement that the auditor has nothing to report or a statement that
describes the uncorrected material misstatement of other information.

Question 17
Answer A is incorrect. This is not the prescribed order under HKSA 706 (Revised).
Answer B is incorrect. This is not the prescribed order under HKSA 706 (Revised).
Answer C is incorrect. This is not the prescribed order under HKSA 706 (Revised).
Answer D is correct. This is the prescribed order under HKSA 706 (Revised).

Question 18
The most common reasons for an Emphasis of Matter paragraph to be included in the
auditor’s report are:
• A significant uncertainty surrounding accounting estimates;
• Where a special purpose framework has been used to prepare the financial
statements;
• Early application of accounting standards that have a pervasive effect on the financial
statements; or
• Where the prior period’s financial statements have a material error that has been
restated in the current year but did not require a modified opinion to be issued.

Question 19
The major differences between the two paragraphs are:
(a) An Emphasis of Matter paragraph draws users’ attention to matters already
disclosed in the financial statements; and

(b) An Other Matter paragraph draws users’ attention to matters that the auditor
believes the users should be aware of in relation to the financial statements but is
not disclosed in the financial statements.

Question 20
Answer A is incorrect. This is not the terminology used in Hong Kong.
Answer B is correct. This is the terminology used in Hong Kong 710.
Answer C is incorrect. This is not the terminology used in Hong Kong 710.
Answer D is incorrect. This is not the terminology used in Hong Kong 710.

Question 21
The major difference in obtaining sufficient appropriate audit evidence between when
corresponding figures have and have not been audited is the review of the predecessor’s
audit documentation from the prior period and determining to what extent if any the
existing auditor can place reliance on the work completed. The existing auditor also must
assess the capability and independence of the predecessor auditor in determining the
extent of reliance that can be placed on the work completed.

Question 22
Answer A is incorrect. Required by HKSRE 2410.
Answer B is incorrect. Required by HKSRE 2410.
Answer C is incorrect. Required by HKSRE 2410.
Answer D is correct. The auditor only opines when a full set of general-purpose financial
statements has been prepared in accordance with HKFRSs.

Question 23
In line with the requirements of HKSRE 2410, the auditor must state that review of interim
financial statements consists of making inquiries, primarily with persons responsible for
financial and accounting matters, and that such work is based on analytical and other
review procedures. The auditor shall also state that a review is substantially less in scope
than an audit conducted in accordance with HKSA. Consequently, the auditor is not
enabled to obtain assurance that all relevant significant matters have been identified and
that accordingly no auditor’s opinion is expressed.

Question 24
The key differences between an auditor’s opinion and an auditor’s review report are:
Auditor’s opinion: A reasonable or high level of assurance is obtained about whether
the financial statements as a whole are free from material errors or fraud. The auditor’s
opinion is expressed in a positive form.
Auditor’s review report: Limited assurance about whether the financial statements as a
whole are free from material errors and fraud. Limited assurance is less than reasonable
assurance. A conclusion not an opinion is expressed in a negative form.

Question 25
Answer A is correct. The financial statements cannot be relied upon by all users as they
have been prepared for certain users.
Answer B is incorrect. Required by HKSA 800 (Revised).
Answer C is incorrect. Required by HKSA 800 (Revised).
Answer D is incorrect. Required by HKSA 800 (Revised).

Question 26
Answer A is incorrect. The requirements of HKSA 810 (Revised) only extend to the date of
the auditor’s opinion on the summary financial statements.
Answer B is incorrect. Required by HKSA 800 (Revised) in all circumstances.
Answer C is correct. This is required by HKSA 810 (Revised) in circumstances where the
dates of the reports are different.
Answer D is incorrect. Required by HKSA 800 (Revised) in all circumstances.

Question 27
Answer A is correct. The level of assurance is reasonable in line with PN 900 (Revised).
Answer B is incorrect. This is not language used in HKSA.
Answer C is incorrect. This is not language used in HKSA.
Answer D is incorrect. This is not language used in HKSA.

EXAM PRACTICE

QUESTION 1
John Chang is a brand new graduate of an Audit Firm. He has been on his first audit job and
has been told by his supervisor that there is a material error in the inventory balance and he
has come to you, the audit manager, with the following requests for help and clarification:

(a) Categorise the different types of possible auditor’s opinions that John should consider
in determining the appropriate auditor’s opinion for this client.

(b) Advise John on the key messages that the different types of auditor’s opinions are likely
to mean to the users of the financial statements.

(c) Advise John what type of auditor’s opinion will likely be issued on this, his first audit.

QUESTION 2
The auditor’s inability to obtain sufficient appropriate audit evidence may arise in three
different areas. Determine what each of the areas is and give examples.

QUESTION 3
Khan Company Limited was incorporated in Hong Kong and is listed on the HKEx and has
several subsidiaries in Hong Kong and China. Over the last three years Khan has expanded
its operations into Malaysia with the purchase of two very large companies with significant
property, plant, and equipment. The auditor of Khan intends to issue an unmodified
auditor’s opinion. The auditor has also assumed that this matter should be described as
a Key Audit Matter. Recommend what you think to be the key elements of this Key Audit
Matter including the type of audit procedures that should be carried out.

QUESTION 4
Great Leap audit firm, having recently been appointed auditor of the Hong Kong Hotel
Group (an unlisted entity), has been advised that the predecessor auditor issued a disclaimer
of opinion on the corresponding figures on the basis that accounting records were lost as
a result of a large typhoon. Great Leap has become aware that Hong Kong Hotel Group has
been able to retrieve back-up data for the period covered by the disclaimer.

(a) Recommend the steps that Great Leap should take in obtaining sufficient appropriate
audit evidence for the corresponding figures.

(b) Evaluate the impact that the retrieval of back-up data might have on the current
period’s auditor’s opinion.

QUESTION 5
Shareholders of River Park Limited, the largest games and water park in Asia and a listed
entity on the HKEx, have requested that they receive summary financial statements in line
with listing rule 13.46 for the current period and moving forward. It is acknowledged that
the full financial report can be accessed on the company’s website and the HKEx. Advise
what the requirements for disclosure are in the auditor’s report under HKSA 810 (Revised),
including disclosure of the fact that the summary financial statements auditor’s report
is issued after the auditor’s report on the financial statements. An unmodified opinion is
expressed on the audited financial statements of River Park Limited.

ANSWERS TO EXAM PRACTICE

QUESTION 1
(a) and (b) The following are the possible types of auditor’s opinions and the key messages they
communicate to users:

Unmodified Opinion: The financial statements give a true and fair view in accordance
with HKFRSs. This is the best opinion an auditor can deliver. (Unmodified Opinions can
include an Emphasis of Matter paragraph, an Other Matter paragraph, or a Material
Uncertainty related to a Going Concern.)
Modified Opinion – Qualified: In the auditor’s opinion, except for the effects of the
matter described in the Basis for Qualified Opinion section of the auditor’s report,
the financial statements give a true and fair view in accordance with HKFRSs. This opinion
demonstrates some reservation on the part of the auditor about the financial
statements as a whole.
Modified Opinion – Adverse: The financial statements as a whole do not give a true and
fair view in accordance with HKFRSs, for the reasons disclosed in the Basis for Adverse
Opinion paragraph. This is a very serious opinion for the auditor to deliver as it is
indicating to users that the financial statements cannot be relied upon.
Modified Opinion – Disclaimer of Opinion: An opinion is not expressed on the financial
statements, with the basis being described in the Basis for Disclaimer of Opinion
paragraph. An auditor makes this conclusion when the auditor has been unable to
obtain sufficient appropriate audit evidence to conclude. Given the responsibilities
upon management to prepare financial statements in accordance with the applicable
financial reporting framework, this too is an unfortunate form of opinion. The rest of
this chapter explains the judgement required on the part of the auditor to determine
what form the final auditor’s opinion will take.
Review opinions issued by an auditor as a result of reviews of interim financial
statements can also take any of the above forms.

(c) The effect of misstatement is material, but, given that it relates to inventory only, it is
unlikely to be pervasive. If management does not adjust based on the issues the auditor
has raised, then a qualified auditor’s opinion will be necessary.

QUESTION 2
(a) Examples of circumstances beyond the control of the entity are:
• The company’s accounting records have been destroyed.

• The accounting records have been seized by a government authority.

(b) Examples of circumstances relating to the nature or timing of the auditor’s work are:

• The auditor cannot obtain sufficient audit evidence from substantive
procedures alone.

• The auditor could not attend the annual inventory count.

• The entity has not been able to obtain information from an equity accounted
investment.

(c) Examples of limitation on the scope of the audit imposed by management include:

• Management prevents the auditor from attending the annual inventory count.

• Management prevents the auditor from conducting third party confirmations.

• Management refuses to provide details supporting material balances.

QUESTION 3
Key Audit Matters

Key audit matters are those matters that, in our professional judgement, were of most
significance in our audit of the financial report of the current period. These matters were
addressed in the context of our audit of the financial statements as a whole, and in forming
our opinion thereon, and we do not provide a separate opinion on this matter.

Heading – Key Audit Matter: Assessment of Carrying value of property, plant, and
equipment.

Area of focus:

• Reference notes where issue addressed in the financial statements.

Why the assessment of the carrying value of goodwill is a key audit matter:

• The company/(group) has property, plant, and equipment of $XX for XX end date.

• The company/(group) appointed an external independent valuer to value land and
buildings at XX end date.

• The company/(group) reviews the carrying value of plant and equipment at each
reporting period.

There are a number of judgements required in determining the carrying value of plant and
equipment due to the current economic conditions. These judgements include assessing
the remaining useful life of plant and equipment and where appropriate the current
market value.

How the audit addressed the matter:

Our audit procedures included:

• Evaluating the external independent valuations obtained by the company/(group)
regarding the fair value of land and buildings and assessing the key valuation
assumptions for reasonableness.

• Evaluating the qualifications of the valuer.

• Consulting with our own external expert/Corporate Finance division to assess the
underlying assumptions of management’s experts.

• In relation to the company’s valuation of plant and equipment we discussed with
management the estimated useful life of plant and equipment, reviewed utilisation
rates to identify any idle plant and equipment and reviewed management’s
forecasts.

We also assessed the adequacy of the company’s/(group’s) disclosures in respect of
Property, Plant, and Equipment and the basis for a Fair value.

QUESTION 4
(a) The auditor should first review the working papers of the predecessor auditor and
determine the level of reliance that could be placed on the work completed and document
conclusions. The auditor must also assess the capability of the predecessor auditor and
whether they were appropriately independent. The auditor should determine whether,
together with reliance on procedures of the predecessor auditor and the performance of
audit procedures over the retrieval of back-up data, sufficient appropriate audit evidence
has been obtained on corresponding figures. The auditor would need to undertake
a risk assessment under HKSA 315 (Revised 2019) and pay particular attention to the
completeness of the financial information provided by management and that there is
a seamless connection with the data prior to the data loss. Sufficient appropriate audit
evidence is likely to have been obtained through substantive audit procedures.


(b) Assuming that the auditor obtains sufficient appropriate audit evidence on opening
balances and the auditor is satisfied that the prior period’s financial books and records
are complete and accurate, the auditor would issue an unmodified auditor’s opinion
in line with the requirements of HKSA 700 (Revised), with an Emphasis of Matter
paragraph in line with HKSA 706 (Revised) to draw attention to the note to the financial
statements where management have described how the matter resulting in the
disclaimer of opinion was resolved.

QUESTION 5
The required components of the auditor’s report on summary financial statements are
as follows:

• Report title indicating independence of the auditor;

• The appropriate addressee;

• Identification of the composition of the summary financial statements;

• Identification of the financial statements from which the summary has been taken;

• The summary financial statements do not contain all the disclosures required by HKFRS;

• A clear expression of opinion, which in this instance would be an unmodified auditor’s
opinion consistent with the financial statements;

• Reading the summarised financial statements and the report thereon is not a substitute
for reading the audited financial statements and the auditor’s report thereon;

• The summary financial statements and the financial statements do not reflect the
effects of events that occurred subsequent to the date of the report on the audited
financial statements;

• A paragraph setting out the audited financial statements and the report thereon,
stating the type of report issued and the date on which the report was issued, and that
key audit matters were communicated;

• Management’s responsibilities;

• Auditor’s responsibilities;

• The name of the auditor;

• The name of the audit firm;

• The auditor’s address; and

• Date of auditor’s report on the summary financial statements.



11
Group Audits

CHAPTER TOPIC LIST

11.1 Audit of Groups
11.1.1 Scope and Terminology
11.1.2 Companies Ordinance (Cap.622)
11.1.3 Understanding the Group, Its Components, and Their Environments
11.1.4 Group-wide Controls
11.1.5 Auditor’s Objectives

11.2 Components Auditors
11.2.1 Characteristics of Components Auditors
11.2.2 Responsibilities of Components Auditors
11.2.3 Overview of How Components auditors Work Within the Group Audit
11.2.4 Materiality for Components
11.2.5 Communication with Components Auditors

11.3 Group Engagement Team
11.3.1 Group Engagement Partners’ and Staff Members’ Responsibilities
11.3.2 Component Team Members’ Responsibilities

11.4 Audit Planning and Risk Assessment
11.4.1 Engagement Letter
11.4.2 Control Procedures Review
11.4.3 Risk Assessment: Group Audit versus Single Company Audit Risks
11.4.4 Plan of Procedures to Develop Understanding (Group, Client, Components Auditors)
11.4.5 Consider Risks of Material Misstatement
11.4.6 Plan Methods, Timing, and Content of Communication with Those Charged with Governance
11.4.7 Develop Audit Plan for Work to be Completed (Group, Client, Components Auditor) for Significant and Non-significant Components
11.4.8 Group Audit Strategy Memorandum for Communication to a Components Auditors

11.5 Audit Procedures and Reporting
11.5.1 Complete Procedures to Substantively Test the Group’s Consolidation
11.5.2 Review of Reports from Components Auditors to the Group Auditor
11.5.3 Review of Components Auditors Work
11.5.4 Group Audit Completion Documents Preparation
11.5.5 Options for Audit Opinion for the Group, Parent Company, and Component Financial Statements


LEARNING OUTCOMES

PRINCIPAL LO1: PERFORM ASSURANCE ENGAGEMENTS


LO1.12: Prepare, plan, and develop assurance engagements including the audits of financial
statements in accordance with relevant Hong Kong Standards of Quality Control,
Auditing, Assurance and Related Services, guidance, and legislation with emphasis on:
Completion Procedures
1.12.02 Explain the purpose of and procedures to be used during audit completion:
• A subsequent events review
• A going concern review
• Obtaining written representations from management
• Review of report by components auditors to the group auditor
• Overall review of the financial statements
• Review of other published information
LO1.14: Prepare, plan, and develop assurance engagements including the audits of financial
statements in accordance with relevant Hong Kong Standards of Quality Control,
Auditing, Assurance and Related Services, guidance and legislation with emphasis on:
Audits of Group Financial Statements (including the work of components auditors)
1.14.01 Explain how consolidated financial statements are produced
1.14.02 Evaluate whether a group’s control environment and control systems are effective
1.14.03 Recommend control procedures that a group should implement over its operations and
the preparation of consolidated financial statements
1.14.04 Evaluate a potential group audit engagement for the acceptance risks it presents to the
audit firm
1.14.05 Consider risk of group audit in addition to a single company audit (e.g. different
accounting policies)
1.14.06 Prepare an audit engagement letter for a group
1.14.07 Plan procedures to develop a sufficient understanding of the group, as a client, and a
components auditors for audit purposes
1.14.08 Recommend an appropriate planning materiality to be applied to components
1.14.09 Consider the significant components and evaluate to determine the type of work to be
performed on the financial information of significant components and components that are
not significant
1.14.10 Plan an approach to gathering sufficient appropriate audit evidence from the
components auditors
1.14.11 Evaluate the information collected about a group to identify the significant risks of material
misstatement in the group financial statements


1.14.12 Develop the group audit strategy memorandum for communication to a
components auditors
1.14.13 Plan the methods, timing, and content of communication with those charged with
governance and with components auditors during the audit
1.14.14 Design procedures to substantively test the group’s consolidation
1.14.15 Prepare the group audit completion documents
1.14.16 Recommend an appropriate audit opinion for the group, parent company, and component
financial statements based on the audit evidence collected


OPENING CASE

CWAVES FERRY HOLDING COMPANY LIMITED

This case study is the basis for illustration in the rest of this chapter.

CWaves Ferry Holding Company Limited (‘CWaves’) is a publicly listed company on the
Hong Kong Stock Exchange (‘HKEx’) and operates ferry services in Victoria Harbour, Sok Kwu
Wan, Shenzhen, and Macau. CWaves has a 31 December year end and has 10 wholly owned
subsidiaries, which it must consolidate for the purpose of reporting under Section 379(2) of
the Hong Kong Companies Ordinance (Cap.622) and HKFRS 10, Consolidated Financial Statements.
The CWaves group has significant investments in buildings, godowns, port infrastructure, travel
agencies, and hotels.

Choxiang Cheng is a newly appointed independent non-executive director of CWaves and
he wants to understand how the group external auditor (Quality Audit Firm (‘Quality’)) manages
the components auditors and how the components auditors were chosen given that Quality is
not part of a global accounting firm.

The group structure is shown in Exhibit 11.1.

CWaves Ferry Holding Company Limited (audited by Quality), holding 100% of each of the
following subsidiaries:

1 CWaves Hotels Company (incorporated and based in Malaysia)
2 CWaves Ferries Company
3 HKCW Development Holding Company
4 HKCW Investment Limited
5 Hai Cruising Company
6 CWaves Maintenance Company
7 CWaves Godown Company
8 Donghai Company
9 CWaves Management Company
10 Wonder Travel Company (incorporated and based in Singapore)

Legend categories: Material to the Group; Audited by: Quality; Audited by: Component auditor 1;
Audited by: Component auditor 2; Audited by: Component auditor 3; Not subject to audit for
group purposes.

EXHIBIT 11.1 CWaves’ corporate structure


OVERVIEW

The audit of consolidated financial statements can be more complex when components auditors
(i.e. other audit firms, or even affiliates or parts of the same firm) are involved. The work of
these components auditors can influence the group engagement team’s (or the group auditor’s)
processes and the overall audit conclusion at the consolidated financial statements level.

This chapter will explore the concept of group audits, the role of the group auditor, and
the role of the components auditors in drawing conclusions on the consolidated financial
statements. The roles of each of these are critical in ensuring that the consolidated auditor’s
report is reflective of the conclusions reached at each component and group level.

Determining group materiality and auditing the consolidation process can be complex. This
chapter will aim to set out the steps involved in both these processes in some detail.

This chapter is simply an extension, for a group, of all of the fundamental aspects to the
audit process that have been introduced to you in Chapters 1 to 10.

11.1 AUDIT OF GROUPS

The reference standard for group audits is HKSA 600, Special Considerations – Audits of Group
Financial Statements (Including the Work of Components Auditors). This standard will be referred
to during this chapter.

11.1.1 Scope and Terminology


The HKSAs apply to group audits. HKSA 600 deals with the special considerations that apply to
group audits, in particular those that involve components auditors.

It should be noted that the terminology used under HKSAs for groups does differ from
the terminology used for accounting. Where the auditor is making decisions pertaining
to a business combination or control for consolidation purposes, direct reference should
be made to HKFRS 3 (Revised), Business Combinations, and HKFRS 10 (Revised),
Consolidated Financial Statements, respectively.

This chapter reflects the terminology used for Audit of Groups under the HKSAs.

HKSA 220, Quality Control for an Audit of Financial Statements, paragraphs 14 and 15,
requires the group audit partner to be satisfied that those performing the group audit
engagement, including components auditors, collectively have the appropriate competence and
capabilities. The group engagement partner is also responsible for the direction, supervision,
and performance of the group audit engagement.


The group engagement partner should apply the requirements of HKSA 200 regardless
of whether the group engagement team or the components auditors performs the audit
procedures on the financial information of the component.

It is important that consistent terminology is applied when looking at group audits, where
the following terms have the meanings attributed below (HKSA 600.9):

Component: An entity or business activity for which group or component management
prepares financial information that should be included in the group financial statements.

Components auditors: An auditor who, at the request of the group engagement team,
performs work on financial information related to a component for the group audit.

Component management: Management responsible for the preparation of the financial
information of a component.

Component materiality: The materiality for a component determined by the group
engagement team.

Group: All the components whose financial information is included in the group financial
statements. A group always has more than one component.

Group audit: The audit of group financial statements.

Group audit opinion: The audit opinion on the group financial statements.

Group engagement partner: The partner or other person in the firm who is responsible
for the group audit engagement and its performance and for the auditor’s report on
the group financial statements that is issued on behalf of the firm. Where joint auditors
conduct the group audit, the joint engagement partners and their engagement teams
collectively constitute the group engagement partner and the group engagement team.
This HKSA does not, however, deal with the relationship between joint auditors or the work
that one joint auditor performs in relation to the work of the other joint auditor.

Group engagement team: Partners, including the group engagement partner, and staff
who establish the overall group audit strategy, communicate with components auditors,
perform work on the consolidation process, and evaluate the conclusions drawn from the
audit evidence as the basis for forming an opinion on the group financial statements.

Group financial statements: Financial statements that include the financial information of
more than one component. The term ‘group financial statements’ also refers to combined
financial statements aggregating the financial information prepared by components that
have no parent but are under common control.

Group management: Management responsible for the preparation of the group financial
statements.

Group-wide controls: Controls designed, implemented, and maintained by group
management over group financial reporting.

Significant component: A component identified by the group engagement team (i) that
is of individual financial significance to the group or (ii) that, due to its specific nature or
circumstances, is likely to include significant risks of material misstatement of the group
financial statements.


11.1.2 Companies Ordinance (Cap.622)


On top of the general requirements for financial statements outlined in Section 380 of the
Hong Kong Companies Ordinance (Cap.622), Section 381 outlines the requirements in relation to
consolidated financial statements as follows.

Subsidiary undertakings to be included in annual consolidated financial statements are:

1. Subject to subsections 2 and 3, the annual consolidated financial statements for a
financial year must include all the subsidiary undertakings of the company.

2. Where the company falls within the reporting exemption for the financial year, one or
more subsidiary undertakings may be excluded from the annual consolidated financial
statements in compliance with the accounting standards applicable to the statements.

3. Where the company does not fall within the reporting exemption for the financial year:

(a) One subsidiary undertaking may be excluded from the annual consolidated
financial statements if the inclusion of the subsidiary undertaking is not material
for the purpose of giving a true and fair view of the financial position, and of the
financial performance, mentioned in Section 380(2)(a) and (b); and

(b) More than one subsidiary undertaking may be excluded from the annual
consolidated financial statements if the inclusion of those subsidiary undertakings
taken together is not material for the purpose of giving a true and fair view of the
financial position, and of the financial performance, mentioned in Section 380(2)(a)
and (b).

11.1.3 Understanding the Group, Its Components, and Their Environments


HKSA 315 (Revised 2019), Identifying and Assessing the Risks of Material Misstatement, contains
guidance on matters on which the auditor performs risk assessment procedures to obtain an
understanding of:

(a) the industry, regulatory, and other external factors that affect the group and/or
individual components (including the organizational structure, ownership and
governance, and applicable financial reporting framework),

(b) the nature of the entity,

(c) its business model and strategies and related business risks,

(d) use of IT, and

(e) internal and external measurement and review of the entity’s financial
performance.

The auditor is also required to obtain an understanding of the components of the entity’s
system of internal control through performing risk assessment procedures.

The group auditor should also have a detailed understanding of the group instructions
issued by group management to component management. These instructions will often make
clear to the group auditor the accounting policies expected to be applied at the group and
component level, the financial reporting framework to be adopted, segment identification and
reporting, how related party and intra-group transactions are to be treated, and the reporting
timetable.


The group auditor should assess the quality of the instructions issued by group
management to component management and determine whether, in the case of a lack of
clarity, the risks of material misstatements at the component level are heightened and address
this with the components auditors.

The group auditor should obtain an understanding of the activities for the financial period
being subject to audit and of the internal audit. (Refer back to Chapter 8: Using the Work of
Others for considerations in relation to using the work of internal auditors). This understanding
should extend to the areas of the business that have been the subject of audit and whether the
work conducted by the internal audit can be relied upon at the group and/or component level.

The responsibility for the determination of the significant components of a group is that of
the group auditor. For the purposes of HKSA 600, components fall into one of two categories:
significant and non-significant components (Exhibit 11.2).

Significant components:
• Significant in financial terms
• Significant for the degree of risk they present

Non-significant components:
• Immaterial to the group as a whole
• Low-risk profile

Auditor’s approach to significant components:
• Driver is Size: Full audit.
• Driver is Risk: Full audit; Audit of risk areas; or Specific procedures.

Auditor’s approach to non-significant components:
• Analytical procedures;
• Further procedures determined if a conclusion cannot be reached on ‘non-significant’.

EXHIBIT 11.2 Significant and non-significant components

11.1.3.1 Indicators of ‘Significance’


There is not a singular approach to determine which components should be audited because
they are financially significant. The group auditor needs to be satisfied that sufficient amounts of
work will be performed. Determination of ‘sufficient’ will vary from engagement to engagement,
depending on circumstances and will be determined by professional judgement. What is critical
is that the audit documentation reflects the judgement and explains how it was reached.

A significant component is a component identified by the group auditor (i) that is of
individual financial significance to the group or (ii) that, due to its specific nature or
circumstances, is likely to include significant risks of material misstatement of the group
financial statements (HKSA 600.9(m)). As the individual financial significance of a component
increases, the risks of material misstatement of the group financial statements ordinarily
increase (HKSA 600 (A5)). Indicators of financial significance (i.e. size) might include the
overall size of the component’s statement of financial position or profit or the relative size of a
component’s contribution to a particular item (e.g. revenue) in the group financial statements.
HKSA 600 indicates that 15% of a chosen benchmark (such as the group assets or profit) might
be chosen by the group auditor as indicative of financial significance, but professional
judgement is still required and higher or lower percentages may be appropriate, depending on
the composition and/or the nature and circumstances of the group. If the group auditor does
apply the 15% as the benchmark, documentation as to its appropriateness is strongly
recommended.

The group auditor may also identify a component as likely to include significant risks of
material misstatements of the group financial statements due to its specific nature or
circumstances, even though the component is not otherwise of individual financial significance
to the group (HKSA 600 (A6)). Indicators of non-financial significance (i.e. risk) might include
the presence in a component of particular risks of material misstatement, such as those relating
to estimates associated with impairments, inventory impairments, and taxation provisions. Risks
relating to complex areas such as financial instruments, and other highly subjective areas such as
contingencies and subsequent events, may also determine non-financial significance.

11.1.3.2 Type of Audit Work to be Performed on Components


Determining the coverage of components is resolved in part by the nature of the group,
the quality of its system of internal control, and the quality and sources of the information
and evidence available, such as the effectiveness of group-level analytical procedures. More
coverage will be required where controls are poor and/or the evidence available at a group
level is weak. Group-wide controls will be explored later in this chapter.

The group auditor is required under HKSA 600 to perform, or have components auditors
perform, full audits of all financially significant components.

For a component that is significant because it is likely to include significant risks of material
misstatement of the group financial statements due to its specific nature or circumstances, the
group engagement team, or a components auditors on its behalf, shall perform one or more of
the following:

(a) An audit of the financial information of the component using component materiality
(i.e. at a materiality level lower than the group level).

(b) An audit of one or more account balances, classes of transactions, or disclosures
relating to the likely significant risks of material misstatement of the group financial
statements.

(c) Specified audit procedures relating to the likely significant risks of material
misstatement of the group financial statements.

11.1.3.3 Procedures for Non-significant Components


The group auditor is required to perform analytical procedures at the group level covering
non-significant components to corroborate conclusions that there are no significant risks in
those components. The degree of disaggregation of data used for these procedures may vary
and is impacted by the nature and level of management information available.

When no additional risks are identified as a result of analytical procedures, the group auditor
should document the belief that there is nothing to indicate a need for the performance of
additional procedures on these components. However, if the results of the analytical procedures
indicate that there may be a risk of a material misstatement in one or more components, the
group auditor needs to document the nature, timing, and extent of the procedures that will be
performed to address the identified risks.


Apply and Analyse 1


Quality determined that both CWaves Maintenance Company and CWaves Management
Company were likely to be immaterial to the CWaves consolidated financial statements
based on the financial results of the two companies in the last three years.

Analysis

During the current year’s audit planning process, Quality needs to determine whether
CWaves Maintenance Company and CWaves Management Company continue to be
immaterial to the group for consolidation purposes. Quality obtains the management
accounts from group management for the two components and undertakes analytical
procedures to confirm whether or not there are significant risks in the components, and
also reviews board minutes. Quality also discusses with group management the activities
and proposed activities of the components. On the basis of the work that has been
completed by Quality, they have concluded that it is unlikely that the financial activities
and results of CWaves Maintenance Company and CWaves Management Company would
create a risk of a material misstatement to the consolidated financial statements and
therefore will not be subject to further audit procedures in the current period. Quality has
documented their assessments and conclusions in the audit file.

11.1.4 Group-wide Controls


It is the responsibility of the group auditors to obtain an understanding of group-wide
controls as part of the group’s system of internal control, including:

• The control environment established by those charged with governance that relates to
group-wide controls.

• The level of involvement of those charged with governance at the group level in terms
of how the components develop their business strategies, how they operate, and how
they perform.

• How often interactions occur between the group and component and the degree of
detail obtained.

• How the component management identify and assess risk and the significance of those
risks, specifically including the identification and management of business risks that
might result in a misstatement in the group financial statements.

• How the component management assess the risk of fraud and management of
circumstances when fraud has been identified.

• Controls over intra-group transactions, balances, and profits including taxation
consequences.

• Group-wide monitoring controls.

• The degree of use of shared service centres and component management’s oversight of
shared service centres.

• The extent to which controls operate in the same way across components in the group.


Internal audit may be regarded as part of the group-wide monitoring component of the system
of internal control when the role is centralised. HKSA 610 (Revised 2013), Using the Work of
Internal Auditors and Related Conforming Amendments, deals with the group auditor’s evaluation
of the internal audit function and its potential use by the group auditor.

In thinking about group-wide controls the group auditors should:

• Consider the extent to which there are group-wide controls and determine the
appropriate split of work between the group auditors and components auditors for
these controls.

• Request details of internal control weaknesses identified by components auditors, as
HKSA 600 requires the group auditors to make group management aware as soon as
practicable of material weaknesses in the design and operation of group-wide
controls.

The components auditors should:

• Consider the impact of any group-wide controls that the group auditor has told them
about, on the planning of the component audit, including assessing any impact on the
local statutory audit when relevant.

• Consider the appropriate clearances, when the components auditors is being asked to
rely on the testing completed by the group auditor on group-wide controls for group
purposes. Specific reference may need to be made to the fact that no work has been
conducted at the request of the group auditor.

• Consider the level of documentation required in the components auditors’ audit file
when seeking to place reliance on the group auditor’s testing of group-wide controls for
the purpose of a local statutory opinion.

• Communicate to local management any weaknesses identified as well as
communicating them to the group auditor.

11.1.5 Auditor’s Objectives


The objectives of the auditor in relation to the audit of a group are:

(a) To determine whether they can act as the auditor of the group financial statements.

(b) If acting as the auditor of the group financial statements:

(i) To communicate clearly with components auditors about the scope and timing
of their work on financial information related to the components and their
findings; and
(ii) To obtain sufficient appropriate audit evidence regarding the financial information
of the components and the consolidation process to express an opinion on whether
the group financial statements are prepared, in all material respects, in accordance
with HKFRS.


Knowledge Check Questions

Question 1
For a component that is deemed significant because it is likely to include significant risks
of material misstatement in the group financial statements due to its specific nature or
circumstances, determine the types of audit procedures the group engagement team, or a
components auditors on its behalf, should consider performing.

Question 2
Identify the responsibilities the group auditor has for assessing group-wide controls.

11.2 COMPONENTS AUDITORS

11.2.1 Characteristics of Components Auditors


HKSA 600 requires the group auditor, if the intention is to use the work of one or more
components auditors, to obtain an understanding of:

• Whether the components auditors will comply with the ethical and independence
standards set out in the HKICPA Code of Ethics for Professional Accountants. The group
auditor should ensure that, where the components auditors is not based in Hong
Kong, Hong Kong ethical requirements, including being independent, are, nevertheless,
understood. The components auditors should be made aware of the expectations of
the group auditor of the HKICPA ethical requirements for group purposes;

• The professional competence of the components auditors;


• Whether the group auditor will be able to be involved in the work of the components
auditors as necessary to obtain sufficient appropriate audit evidence; and

• Whether components auditors operate in a regulatory environment that actively oversees
auditor quality, and which practically may be difficult to assess if in other jurisdictions.

In assessing the professional competence of a components auditors, the group auditor
needs to be confident that the components auditors can properly fulfil the group audit
responsibilities. If the group auditor fails to make a formal documented assessment of this,
it will be difficult to demonstrate that they have sufficient involvement in, or control over, the
group audit. The quantum of documentation required will depend on the complexity of finding
the required information to conduct the assessment. The group auditor should be satisfied that
components auditors:

• Understand the auditing quality control standards under which they should operate
for group audit purposes, and will comply with those standards. If the components
auditors is in a jurisdiction outside of Hong Kong, but follows international auditing and
quality control standards, the assessment will be aided. If international auditing and
quality control standards are not followed the group auditor will need to determine
whether the proposed components auditors can be used.


• Have the requisite skills and specialist skills where required, such as industry-specific
knowledge, valuation, or taxation specialists, to assist the component audit team for
complex audit issues where there is a risk of a material misstatement.

• Have an understanding of HKFRSs that is sufficient to fulfil group reporting
responsibilities. Again, this will be easier to determine where the component auditor’s
jurisdiction follows International Financial Reporting Standards (‘IFRS’).

Apply and Analyse 2


Quality had issues in the prior period with the auditors of CWaves Hotels Company, which
is based in Malaysia. The previous component auditor did not meet the deadlines
that Quality established, and it was very difficult to obtain the required information as
instructed in the group audit questionnaire. The situation reached the stage that the
component auditor resigned. CWaves Hotels Company sought Quality’s views on finding
a new auditor. Quality itself did not have a Malaysian presence or a Malaysian affiliate.

Analysis

Quality indicated to CWaves Hotels Company that any new component auditor would
need to be assessed in detail by Quality. Quality indicated that they would expect the new
auditor to be an accredited member firm of the Malaysian Institute of Accountants (which,
like HKICPA, subscribes to the international ethical, auditing, and accounting standards).
Quality also indicated that it would be required to make a detailed assessment of the new
auditor’s independence, competence, willingness to communicate, and ability to meet
group deadlines and to provide the requisite information to Quality. As the hotel
business requires industry knowledge to audit it appropriately, Quality indicated it would
need to assess whether the component auditor had the necessary skills to undertake the
audit. CWaves Hotels Company reviewed how Quality would assess an incoming auditor
and used that assessment to select a particular audit firm. They chose to make the final
appointment subject to Quality’s detailed assessment.

11.2.2 Responsibilities of Component Auditors

Component auditors report to the group auditors on their work in the form agreed in the
group audit instructions, whether it is an audit report on financial information or certain
account balances or a report on specified procedures.

The component auditor should consider the following when issuing an audit report:

• Whether the introductory paragraph clearly identifies the financial information that is
being reported on.

• Referencing the level of materiality used as instructed by the group auditor.

• Modifications to the auditor’s opinion. This is particularly important, and it is the
responsibility of the component auditor to raise the issue of a potential modification
as soon as possible with the group auditor. A determination will need to be made by
the group auditor whether the modification will also be reflected at the consolidated
financial statement level.


The component auditor should consider the following when issuing a report on specified
procedures:

• The report provides sufficient clarity on the work performed, which should make clear
what was not performed.

• The report generally does not provide assurance on conclusions reached but restates
what was requested by the group auditor and what was completed.

The group auditors generally request that the component auditor either prepares a
summary memorandum of work performed or completes a group audit questionnaire. Either
reporting format usually contains similar information from the component auditor. The
component auditor needs to provide this information to the group auditor in order that the
group auditor has sufficient information to enable them to draw the appropriate conclusions.

Matters that are usually included in the component auditor’s memorandum or
questionnaire are as follows:

• Reconfirmation that the component auditors have complied with the ethical
requirements of the HKICPA Code of Ethics for Professional Accountants;

• Confirmation that the component auditor has complied with the group auditor’s
requirements;

• The scope of work performed, including explanations for significant changes to the
audit strategy and any variations from group instructions (note that this should be
communicated by the component auditor to the group auditor prior to variation and
the documentation at this stage of the component audit confirms what should already
have been agreed);

• Instances of fraud or non-compliance with laws and regulations, and indicators of
management bias (again, any fraud identified should be communicated immediately to
the group auditor);

• Significant matters arising from the work performed by the component auditor
including details of significant risks that may affect the consolidated financial
statements, including those communicated by the group auditor at the planning stage,
and a summary of responses to those risks;

• In the instance that the parent entity is listed, Key Audit Matters (‘KAMs’) should
either be included in the main body of the audit report or in the memorandum
or questionnaire (for further information on KAMs refer back to Chapter 10 of
this module);

• Details of corrected and uncorrected misstatements, including explanations from
component management why misstatements have remained uncorrected;

• Significant deficiencies in the system of internal control that were identified (again this
should be reported to the group auditor at the point of discovery);

• Details of any related party transactions;

• Subsequent events procedures performed and whether there were any material
matters identified and details of the potential effects of such matters;

• Specific items identified by the component auditor for inclusion in the group
letter of representation;


• Matters that should be communicated to those charged with governance at the
group level;

• Other information, such as contingencies and commitments; and

• The component auditor’s overall findings, conclusions, or opinion.

In some instances, the group auditor may require that further information be supplied by
the component auditor as follows:

• An analytical review of the component’s financial statements, with explanations for
the trends and movements year on year and reference to actual results in the current
financial period as compared to budget;

• A summary of key estimates and judgements and how management approached their
assessment; and

• Financial reporting issues and how they were addressed.

Ultimately, what needs to be reported by the component auditor will be determined by
the group auditor. If the component auditor does not believe they can carry out what has
been requested of them, then they need to advise the group auditor. The group auditor may
need to consider replacing a component auditor if they cannot meet their responsibilities,
or send members from the group audit team as a short-term measure to ensure that the
component’s financial information has been appropriately audited.

11.2.3 Overview of How Component Auditors Work Within the Group Audit

How component auditors work within the group audit is dependent on the audit firms involved
in the various aspects of the group audit. There are several combinations that could exist.

(a) The group auditors audit the whole group. The group and all component auditors are part
of the same firm or network of firms.

In these circumstances the group auditor should have a good understanding of the
component auditors and they will in most cases be following the same audit methodology.

Communications should be easier for firms with common audit approaches, quality
control procedures and audit software, and partners and staff who undertake common
training programmes. Notwithstanding this, HKSA 600 still requires group auditors to
document their understanding of component auditors and for component auditors to
acknowledge their compliance with group auditor requests. HKSA 600 also requires that
the group auditors determine the extent of involvement at the component level. This is
made easier in the situation where the group auditors audit the whole group.

There will be distinctions between approaches depending on whether there is a
single office group audit, multiple office group audit (same firm), or multiple firm (same
network) group audit.

(b) The group auditors are not auditing the whole group. The group includes multi-network
group audits and group or component auditors that are not members of any network.

While the basic considerations are the same as those where group and component
auditors all belong to the same network, the level of knowledge about the audit
methodology of firms outside the group auditor’s firm is likely to be limited.


The group auditor cannot simply rely on the component auditor’s opinion on the
financial statements of the component. If the component auditor has concluded
that the financial statements of the component are free from material misstatement,
the group auditor should not just rely on this opinion and assume that the financial
statements are materially correct. An appropriate level of understanding is required
between the component auditor and the group auditor on the work undertaken
by the component auditor. (Review requirements of the work conducted by the
component auditor will be addressed in Section 11.5.3 later in this chapter.)

Communication between the component auditor and the group auditor is critical
to ensure that definitive conclusions can be drawn at the end of the group audit
process. Successful group audit scenarios are ones where all of the auditors involved in
the group audit consider themselves part of the one audit engagement, which is akin to
a single audit of a company where all members of the audit engagement team are clear
on their responsibilities and communicate freely with others on the audit engagement.

11.2.4 Materiality for Components


There is much to consider when evaluating the allocation of materiality to component auditors
by the group auditor. One of the main complexities lies with the concept of aggregation risk,
which heightens with decentralisation of operations into components. Aggregation risk is
defined as the risk that the aggregate of uncorrected and undetected misstatements in the
financial statements exceeds materiality for the financial statements as a whole.

As a starting point, HKSA 600 requires the group engagement team to determine
materiality for the group financial statements as a whole, as part of the development of the
group audit strategy (HKSA 600.A43–A46).

To reduce to an appropriately low level the probability that the aggregate of uncorrected
and undetected misstatements in the group financial statements exceeds materiality for the
group financial statements as a whole, component materiality is set lower than materiality for
the group financial statements as a whole. Different component materiality may be established
for different components. Component materiality need not be an arithmetical portion of the
materiality for the group financial statements as a whole and, consequently, the aggregate of
component materiality for the different components may exceed the materiality for the group
financial statements as a whole. Component materiality is used when establishing the overall
audit strategy for a component.

Component materiality is determined for those components whose financial information
will be audited or reviewed as part of the group audit. Component materiality is used by the
component auditor to evaluate whether uncorrected detected misstatements are material,
individually or in the aggregate.

In the case of an audit of the financial information of a component, the component auditor
(or group engagement team) determines performance materiality at the component level. This is
necessary to reduce to an appropriately low level the probability that the aggregate of uncorrected
and undetected misstatements in the financial information of the component exceeds component
materiality. In practice, the group engagement team may set component materiality at this
lower level. Where this is the case, the component auditor uses component materiality for
the purposes of assessing the risks of material misstatement of the financial information of the
component and to design further audit procedures in response to assessed risks as well as for
evaluating whether detected misstatements are material, individually or in the aggregate.


Determination of component materiality as noted above requires the exercise of
professional judgement. In Exhibit 11.3 are some factors that the group auditor may take into
consideration when determining materiality levels for components.

| Consideration | Group auditor notes that | Aggregation risk | Component materiality relative to group materiality |
|---|---|---|---|
| Risk of material misstatement | Less known | Increases | Decreases |
| Complexity | Increases | Increases | Decreases |
| Product lines | Number and diversity increases | Increases | Decreases |
| Group-wide controls | Fewer | Increases | Decreases |
| IT systems and software | Decentralised | Increases | Decreases |
| Jurisdictions that components operate in | Differing and growing | Increases | Decreases |

EXHIBIT 11.3 Factors determining materiality levels

11.2.5 Communication with Component Auditors

If there is not effective two-way communication between the group auditor and the
component auditor, there is a heightened risk that the group auditor may not obtain
sufficient appropriate audit evidence on which to base their opinion.

The table below illustrates at a high level the nature and timing of effective two-way
communication, but please note this is illustrative and differing circumstances may require
different communications.

Illustrative Example 1

Before work on the financial information commences

• The group auditor sends group instructions.

• The component auditor confirms receipt of the instructions and agrees with time lines.

Planning the work on the component

• Group auditor reviews component auditor’s risk assessment and their proposed
responses to significant risks and also advises the component auditor of any
significant risks identified at the group level.

• The component auditor responds to queries of the group auditor.

Executing the work on the component financial information

• Significant matters relevant to the group communicated by the component auditor.

• Significant matters to the component communicated by the group auditor.

Reporting of the work performed

• Component auditor’s final report to the group auditor documenting all the requests
made by the group auditor.

• Group auditor’s review of the component auditor’s communication and discusses
significant matters to the group audit and reviews relevant audit documentation.


The types of detailed communication with the component auditor may include the following:

(a) Work to be performed.

(b) Form and contents of the component auditor’s communication with the group
engagement team.

(c) Confirmation that the component auditor will cooperate with the group
engagement team.

(d) Ethical requirements, particularly independence requirements, regarding both the
group and the component.

(e) The level of component materiality.

(f) Identified significant risks of material misstatement of the group financial statements,
whether due to fraud or error.

(g) Related parties.

(h) Non-compliance with laws and regulations.

(i) Material weaknesses in internal controls that could affect the component auditor.

(j) Relevant accounting, auditing and reporting requirements.

(k) Communications with those charged with governance at the group level and where
necessary at the component level.

Key Learning Point


Get the right component auditors and ensure there is open, two-way communication.

Knowledge Check Questions

Question 3
Advise on the types of detailed communication from the group auditor to the
component auditor.

Question 4
Explain at least five items that a component auditor would normally be expected to
report to the group auditor.

Question 5
Identify which of the following matters described would usually not be included in the
component auditor’s memorandum or questionnaire.
A Reconfirmation that the component auditors have complied with the ethical
requirements of the HKICPA Code of Ethics for Professional Accountants.
B Results of procedures undertaken by the group auditor.



C Significant deficiencies in internal controls that were identified.
D Details of corrected and uncorrected misstatements, including explanations from
component management why misstatements have remained uncorrected.

Question 6
Advise on what aggregation risk is in the context of setting materiality for a group audit.

Question 7
If you were a group auditor, list five types of communication you would receive from a
component auditor.

11.3 GROUP ENGAGEMENT TEAM

11.3.1 Group Engagement Partners’ and Staff Members’ Responsibilities


The overall responsibility for a group audit rests with the group engagement partner.
As stipulated in HKSA 220, Quality Control for an Audit of Financial Statements, the group
engagement partner is responsible for the direction, supervision, performance, and review
of the work, the adequacy of the audit documentation, and whether, and how, the group
engagement partner has become satisfied that sufficient appropriate audit evidence has been
obtained to allow the group engagement partner to take responsibility for the consolidated
financial statements and the auditor’s report thereon.

The responsibilities of the group engagement partner and that of the group audit team
are the same as for all audits conducted under HKSAs, and this does not change in the audit
of a group.

In general, the following are the key responsibilities of the group engagement partner and
group engagement team:

• Carry out the client acceptance or continuance procedures.

• Issue a group engagement letter.

• Establish the overall audit strategy and audit plan.

• Obtain an understanding of the group components and their environment.

(a) Obtain an understanding of the group, its components, and their environment.

(b) Obtain an understanding of the consolidation process.

(c) Review instructions issued by management to components.

(d) Verify that all components have been included in group financial statements.

(e) Evaluate completeness and accuracy of consolidation adjustments.


(f) If the component’s accounting policies are different from the group’s policies, verify
that appropriate adjustments have been made for the purposes of group financial
statements.

(g) If the component’s accounting period is different from the group’s accounting
period, verify that appropriate adjustments have been made for the purposes of
group financial statements.

• Obtain an understanding of the component auditors:

(a) Compliance with ethical requirements, particularly independence.

(b) Professional competence.

(c) Regulatory environment (if in another jurisdiction).

(d) In the case where the group engagement partner has concerns over (a) to (c) above,
the group engagement team should perform the audit of the components.

• Determine materiality levels:

(a) Materiality to be applied at the component level.

(b) Materiality to be applied at the group level.

• Consolidation process.

• Responding to assessed risks:

(a) For components that are financially significant, arrange full scope audits (for
example, financially significant components are, prima facie, those components
that comprise more than 15% of sales, net income, assets, liabilities, or cash flows of
the group).

(b) For components that are significant, not because of financial benchmarks but
because of excessive risks, either arrange full scope audits or audits of specific
accounts or carry out specified procedures.

(c) For insignificant components carry out analytical procedures.

(d) Involve the group engagement team in the work performed by the component
auditor(s), in the following areas:

(i) Discussing business activities that are significant to the group.

(ii) Identifying aspects of the financial statements of the component that may be
misstated due to frauds and errors.

(iii) Reviewing the component auditor’s documentation of identified significant
risks of material misstatements.

(iv) Evaluating, when significant risks of material misstatements of the group
financial statements have been identified in a component, what further
audit procedures are required and whether direct involvement of the group
engagement team is necessary.

• Arrange subsequent events reviews. Ensure that subsequent events reviews of
components have been completed up to the date of the auditor’s report on the group
financial statements.

• Consider any significant findings of the component auditors.
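
The scoping choices listed under "Responding to assessed risks" can be worked through as a small rule set. The Python sketch below is an added illustration, not part of the learning pack: the component names and figures are constructed, and the significant-risk flag is assumed to be supplied by the group engagement team's own judgement.

```python
from dataclasses import dataclass

# From the text: components that comprise more than 15% of group sales,
# net income, assets, liabilities or cash flows are, prima facie,
# financially significant.
BENCHMARKS = ("sales", "net_income", "assets", "liabilities", "cash_flows")
THRESHOLD = 0.15

FULL_SCOPE = "full scope audit"
RISK_BASED = "full scope audit, audit of specific accounts, or specified procedures"
ANALYTICAL = "analytical procedures"


@dataclass
class Component:
    name: str
    figures: dict                    # benchmark name -> amount
    significant_risk: bool = False   # assumption: judgement made by the group engagement team


def benchmark_shares(component, group_totals):
    """Share of each group benchmark contributed by the component.

    Absolute values are used so that a loss-making component is measured by
    the size of its result (an assumption of this example).
    """
    shares = {}
    for benchmark in BENCHMARKS:
        total = abs(group_totals[benchmark])
        amount = abs(component.figures.get(benchmark, 0))
        shares[benchmark] = amount / total if total else 0.0
    return shares


def scope_component(component, group_totals):
    """Return (planned response, reasons) following items (a) to (c) of the list."""
    shares = benchmark_shares(component, group_totals)
    exceeded = [b for b in BENCHMARKS if shares[b] > THRESHOLD]
    if exceeded:
        # (a) financially significant: the benchmarks that triggered it are the reasons
        return FULL_SCOPE, exceeded
    if component.significant_risk:
        # (b) significant because of risk rather than financial benchmarks
        return RISK_BASED, ["significant risk"]
    # (c) insignificant component
    return ANALYTICAL, []


def scope_group(components, group_totals):
    """Planned response for every component, keyed by component name."""
    return {c.name: scope_component(c, group_totals) for c in components}


# Constructed sample data (not taken from the case study in this chapter).
GROUP_TOTALS = {"sales": 1000, "net_income": 100, "assets": 2000,
                "liabilities": 1200, "cash_flows": 150}

COMPONENTS = [
    Component("Hotels", {"sales": 400, "net_income": 45, "assets": 900,
                         "liabilities": 500, "cash_flows": 60}),
    # Below 15% of sales, but its loss is 20% of group net income in size.
    Component("Travel", {"sales": 120, "net_income": -20, "assets": 150,
                         "liabilities": 100, "cash_flows": 10}),
    # Small on every benchmark, but flagged as carrying a significant risk.
    Component("Treasury", {"sales": 10, "net_income": 2, "assets": 200,
                           "liabilities": 150, "cash_flows": 5},
              significant_risk=True),
    Component("Retail", {"sales": 50, "net_income": 5, "assets": 100,
                         "liabilities": 60, "cash_flows": 8}),
]

if __name__ == "__main__":
    for name, (response, reasons) in scope_group(COMPONENTS, GROUP_TOTALS).items():
        print(f"{name:10s} {response}  {reasons}")
```

The 15% test is a prima facie starting point, so the output is a draft scoping plan for the group engagement team to review rather than a final determination.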


11.3.2 Component Team Members’ Responsibilities


A critical responsibility of the component auditor is to follow the instructions set out by the
group auditor.

The component auditor should ensure there is an open line of communication with the
group auditor such that any issues identified at the component level that may have a material
impact on the group financial statements can be addressed on a timely basis.

The component audit team should view themselves as an extension of the group
audit team.

The component audit team should conduct the audit to meet all of the regulatory and legal
requirements as outlined in the group audit instructions and adhere to the deadlines during
the audit process and up to completion.

The component audit team may also have responsibilities for local jurisdiction financial
reporting for which they have sole responsibility.

Apply and Analyse 3


The component auditors of Wonder Travel Company have advised Quality that they are
required to lodge financial statements in Singapore and will be applying a materiality level
at the component level that is lower than group materiality.

Analysis

It is very common for component auditors to conduct an audit for jurisdictional purposes
at the same time as the audit for group reporting purposes. The component auditors of
Wonder Travel Company, however, must still comply with the instructions and reporting
requirements of the CWaves Group. It is likely that group materiality will be greater than
component materiality, so the fact that the component auditor is auditing to a lower
materiality level should not create an issue for Quality. The component auditor is
responsible to report to Quality against the group materiality level.

Knowledge Check Questions

Question 8
Advise on the seven areas that the group engagement partner and group audit team are
responsible for, in relation to obtaining an understanding of the group component and its
environment.

11.4 AUDIT PLANNING AND RISK ASSESSMENT

11.4.1 Engagement Letter


The same requirements of HKSA 210, Agreeing the Terms of Audit Engagements, apply in a group
audit situation. These requirements were looked at in detail in Chapter 3 of this module. There
are, however, some additional considerations that need to be given in a group audit situation.

The terms of engagement should identify the applicable financial reporting framework.
Additional matters should be included in the terms of a group audit engagement letter
(HKSA 600.A20), such as:

• The communication between the group engagement team and the component
auditors should be unrestricted to the extent possible under law or regulation;

• Important communications between the component auditors, those charged
with governance of the component, and component management, including
communications on significant deficiencies in internal control, should be communicated
as well to the group engagement team;

• Important communications between regulatory authorities and components
related to financial reporting matters should be communicated to the group
engagement team; and

• To the extent the group engagement team considers necessary, it should be permitted:

◦ Access to component information, those charged with governance of components,
component management, and the component auditors (including relevant audit
documentation sought by the group engagement team); and

◦ To perform work or request a component auditor to perform work on the
financial information of the components.

Component auditors will need to consider whether there is a requirement to issue an
engagement letter to those charged with governance at the component level. It is better
practice to issue an engagement letter to ensure the audit scope is understood and agreed with
component management. An engagement letter will be required when there are local statutory
requirements.

11.4.2 Control Procedures Review


One of the key responsibilities of the group auditor is to identify the group-wide system of internal
control and also understand the control environments of components through the component
auditors. The understanding and assessment of controls have a direct impact on the overall risk
assessment at the group and component levels.

Group-wide control procedures may range from something as simple as consistent accounting
policies, to common IT systems that cannot be modified at the component level, to the use of
shared service centres.


The group auditor, through the planning process, needs to establish the responsibilities for
the review of the components of the system of internal control. It is likely in the situation of a
shared service centre that the group auditor would conduct the audit and share the results with
component auditors. This is also likely to be the case where common IT systems exist, but in
this case it is common for the group auditor to request that the component auditors confirm
that the controls are working effectively at the component level.

11.4.3 Risk Assessment: Group Audit versus Single Company Audit Risks

The requirements of HKSA 315 (Revised 2019) become more difficult to apply in a group audit
situation as opposed to the audit of a single company. The more components that a group has,
the greater the risk of a material misstatement is likely to be.

The group engagement team’s assessment at group level of the risks of material
misstatement of the group financial statements is based on information such as (HKSA 600.A31):

• Information obtained from the understanding of the group, its components, and their
environments, and of the consolidation process, including audit evidence obtained in
evaluating the design and implementation of group-wide controls and controls that are
relevant to the consolidation.

• Information obtained from component auditors.

The auditor is required to identify and assess the risks of material misstatement of the
financial statements due to fraud or error, and to design and implement appropriate responses
to the assessed risks. Information used to identify the risks of material misstatement of the
group financial statements due to fraud or error may include (HKSA 600.A27):

• Group management’s assessment of the risks that the group financial statements may
be materially misstated as a result of fraud or error.

• Group management’s process for identifying and responding to the risks of fraud in the
group, including any specific fraud risks identified by group management, or account
balances, classes of transactions, or disclosures for which a risk of fraud is higher.

• Whether there are particular components for which a risk of fraud is higher.

• How those charged with governance of the group monitor group management’s
processes for identifying and responding to the risks of fraud or error in the group, and
the controls group management has established to mitigate these risks.

• Responses of those charged with governance of the group, group management, internal
audit (and, if considered appropriate, component management, the component
auditors, and others) to the group engagement team’s inquiry whether they have
knowledge of any actual, suspected, or alleged fraud affecting a component or the group.

The key members of the engagement team are required to discuss the susceptibility of an
entity to material misstatement of the financial statements due to fraud or error, specifically
emphasising the risks due to fraud (HKSA 600.A28).

In a group audit, these discussions may also include component auditors. The group
engagement partner’s determination of whom to include in the discussions, how and when
they occur, and their extent is affected by factors such as prior experience with the group. The
discussions provide an opportunity to (HKSA 600.A29):

• Share knowledge of the components and their environments, including group-wide
controls.

• Exchange information about the business risks of the components or the group.

• Exchange ideas about how and where the group financial statements may be
susceptible to material misstatement due to fraud or error, how group management
and component management could perpetrate and conceal fraudulent financial
reporting, and how assets of the components could be misappropriated.

• Identify practices followed by group or component management that may be biased
or designed to manage earnings that could lead to fraudulent financial reporting, for
example, revenue recognition practices that do not comply with HKFRSs.

• Consider known external and internal factors affecting the group that may create an
incentive or pressure for group management, component management, or others to
commit fraud, provide the opportunity for fraud to be perpetrated, or indicate a culture
or environment that enables group management, component management, or others
to rationalise committing fraud.

• Consider the risk that group or component management may override controls.

• Consider whether uniform accounting policies are used to prepare the financial
information of the components for the group financial statements and, where not, how
differences in accounting policies are identified and adjusted.

• Discuss fraud that has been identified in components or information that indicates
existence of a fraud in a component.

• Share information that may indicate non-compliance with national laws or regulations,
for example, payments of bribes and improper transfer pricing practices.

The challenge in a group audit situation is to ensure that the assessment of risk and how
the risks will be mitigated is appropriately updated through the audit process at the group and
at the component level and that this assessment is adequately documented and communicated
between the group auditor and the component auditors on a timely basis.

11.4.4 Plan of Procedures to Develop Understanding (Group, Client, Components Auditors)
The group auditor needs to dedicate enough time and resources to ensure an adequate depth
of knowledge about the group and the components auditors.

The group engagement team obtains an understanding of a component auditor only
when it plans to request the component auditor to perform work on the financial information
of a component for the group audit. For example, it will not be necessary to obtain an
understanding of the auditors of those components for which the group engagement team
plans to perform analytical procedures at the group level only (HKSA 600.A32).

HKSA 315 (Revised 2019) contains guidance on matters the auditor may consider when
obtaining an understanding of the industry, regulatory, and other external factors that affect
the entity, including the applicable financial reporting framework, the nature of the entity,
objectives and strategies and related business risks, and measurement and review of the
entity’s financial performance (HKSA 600.A23).

Examples of Matters about Which the Group Engagement Team Obtains an Understanding (HKSA 600.App 2):

• Group-wide controls: group-wide controls may include a combination of the following:

°° Regular meetings between group and component management to discuss business
developments and to review performance.

°° Monitoring of components’ operations and their financial results, including regular
reporting routines, which enables group management to monitor components’
performance against budgets and to take appropriate action.

°° Group management’s risk assessment process, that is, the process for identifying,
analysing, and managing business risks, including the risk of fraud, that may result
in material misstatement of the group financial statements.

°° Monitoring, controlling, reconciling, and eliminating intra-group transactions and
unrealised profits, and intra-group account balances at the group level.

°° A process for monitoring the timeliness and assessing the accuracy and
completeness of financial information received from components.

°° A central IT system controlled by the same general IT controls for all or part of
the group.

°° Control activities within an IT system that are common for all or some components.

°° Monitoring of controls, including activities of internal audit and self-assessment
programmes.

°° Consistent policies and procedures, including a group financial reporting
procedures manual.

°° Group-wide programmes, such as codes of conduct and fraud prevention
programmes.

°° Arrangements for assigning authority and responsibility to component management.

• Internal audit may be regarded as part of group-wide controls; for example, when the
internal audit function is centralised. ISA 610, Using the Work of Internal Auditors, deals
with the group engagement team’s evaluation of the competence and objectivity of the
internal auditors where it plans to use their work.

• Consolidation process: the group engagement team’s understanding of the consolidation
process may need to include matters such as the following:

°° The extent to which component management understands the applicable financial
reporting framework.

°° The process for identifying and accounting for components in accordance with the
applicable financial reporting framework.

°° The process for identifying reportable segments for segment reporting in
accordance with the applicable financial reporting framework.


°° The process for identifying related party relationships and related party
transactions for reporting in accordance with the applicable financial reporting
framework.

°° The accounting policies applied to the group financial statements, changes from
those of the previous financial year, and changes resulting from new or revised
standards under the applicable financial reporting framework.

°° The procedures for dealing with components with financial year ends different from
the group’s year end.

11.4.5 Consider Risks of Material Misstatement


The following are examples of conditions or events that may indicate risks of material
misstatement of the group financial statements (HKSA 600.App 3). The examples outlined below cover a broad
range of conditions or events; however, not all conditions or events will be relevant to every
group audit engagement and the list of examples is not necessarily complete:

• A complex group structure, especially where there are frequent acquisitions, disposals,
or reorganisations.

• Poor corporate governance structures, including decision-making processes that are
not transparent.

• Non-existent or ineffective group-wide controls, including inadequate group
management information on monitoring of components’ operations and their results.

• Components operating in foreign jurisdictions that may be exposed to factors such as
unusual government intervention in areas such as trade and fiscal policy, restrictions on
currency and dividend movements, and fluctuations in exchange rates.

• Business activities of components that involve high risk, such as long-term contracts or
trading in innovative or complex financial instruments.

• Uncertainties regarding which components’ financial information requires incorporation
in the group financial statements in accordance with the applicable financial reporting
framework, for example, whether any special-purpose entities or non-trading entities
exist and require incorporation.

• Unusual related party relationships and transactions.

• Prior occurrences of intra-group account balances that did not balance or reconcile on
consolidation.

• The existence of complex transactions that are accounted for in more than one
component.

• Components’ application of accounting policies that differ from those applied to the
group financial statements.

• Differences in financial reporting frameworks across the group.

• Components with different financial year ends, which may be utilised to manipulate the
timing of transactions.


• Prior occurrences of unauthorised or incomplete consolidation adjustments.

• Aggressive tax planning within the group or large cash transactions with entities in
tax havens.

• Frequent changes of auditors engaged to audit the financial statements of components.

• Tendency to obtain second opinions from firms other than the audit firm.

11.4.6 Plan Methods, Timing, and Content of Communication with Those Charged with Governance
Communication with those charged with governance takes on an increased level of complexity
in a group audit situation. It is important that the group auditor determines and communicates
at least the formal reporting points. This is commonly done in the engagement letter.

The group engagement team shall communicate the following matters with those charged
with governance of the group, in addition to those required by HKSA 260, Communication with
Those Charged with Governance, and other HKSAs:

(a) An overview of the type of work to be performed on the financial information of the
components.

(b) An overview of the nature of the group engagement team’s planned involvement in
the work to be performed by the components auditors on the financial information of
significant components.

(c) Instances where the group engagement team’s evaluation of the work of a component
auditor gave rise to a concern about the quality of that auditor’s work.

(d) Any limitations on the group audit, for example, where the group engagement team’s
access to information may have been restricted.

(e) Fraud or suspected fraud involving the system of group management, component
management, employees who have significant roles in group-wide controls, or others
where the fraud resulted in a material misstatement of the group financial statements.

(f) Outcomes from testing of internal control, where significant deficiencies were noted.

(g) Changes to the audit approach as a result of significant issues being identified through
the audit process.

The matters the group engagement team communicates to those charged with governance
of the group may include those brought to the attention of the group engagement team
by components auditors that the group engagement team judges to be significant to the
responsibilities of those charged with governance of the group.

Communication with those charged with governance of the group takes place at various
times during the group audit. For example, the matters referred to in (a) and (b) above may be
communicated after the group engagement team has determined the work to be performed
on the financial information of the components. On the other hand, the matter referred to in
(c) above may be communicated at the end of the audit and the matters referred to in (d) and (e)
above may be communicated when they occur. Some communications could happen multiple
times during the audit process, like the matters described in (f) and (g) above. There are no
specific requirements in terms of when communication should occur, but the group auditor does
have the responsibility for timely communication, which is a matter of professional judgement.


11.4.7 Develop Audit Plan for Work to be Completed (Group, Client, Components Auditors) for Significant and Non-significant Components
The audit plan developed by the group audit engagement team will be multidimensional and
will differ considerably depending on whether components have been assessed as significant
or non-significant. As noted in Section 11.1.3, work on non-significant components would in
most cases be planned to be limited to analytical procedures. For significant components, the
audit plan is normally delivered to components auditors by way of what is commonly referred
to as group audit instructions.

The following represents the topics generally found in the group audit instructions (noting
that audit plans will vary from group audit to group audit):

• An introduction that sets out that the instructions are designed to inform the
components auditors of the scope of the work required for the purpose of the
group audit.

• Group background, including group structures, business overview, significant events
that occurred during the year, and the names of company directors and management
personnel.

• Client expectations.

• Engagement risk, including the identification of significant risks at the group and
component levels.

• Communication timetable, including reporting timetable and communications
protocols.

• Client engagement team.

• Audit and accounting standards, including independence requirements, notice on
the group engagement letter and the requirement for a component level letter, and
significant risks to be specifically addressed.

• Scope of work and materiality, including the procedures to be performed by the
components auditors and the procedures that will be performed by the group
engagement team.

• Reporting requirements, which will include acknowledgement of instructions,
independence declaration, interim reporting of significant matters, clearance reports, and a
final summary of significant matters, including a summary of audit differences.

• Specific information required for consolidation purposes and for financial statement
disclosure requirements.

• Key Audit Matters to be reported if the parent entity is listed.

• Structure of management letter to be issued at the component level.

• Management representation letter requirements.

• Outline of the required subsequent events review report.


11.4.8 Group Audit Strategy Memorandum for Communication to Components Auditors
The group engagement partner’s review of the overall group audit strategy is an important part
of fulfilling the group engagement partner’s responsibility for the direction of the group audit
engagement. The requirements to be included in the overall audit strategy are often in practice
sent to components auditors in the group audit instructions, as outlined in Section 11.4.7.

Key Learning Point


Planning and open communication are key to helping ensure that the group auditor
is aware of all issues that may have a material effect on the consolidated financial
statements.

Knowledge Check Questions

Question 9
Demonstrate why group audit risk identification is more complex than a single
company audit.

Question 10
Describe five areas group auditors should communicate to those charged with governance.

Question 11
Describe seven key aspects of group audit instructions that should be included by the
group auditor.

11.5 AUDIT PROCEDURES AND REPORTING

11.5.1 Complete Procedures to Substantively Test the Group’s Consolidation
The audit of a group’s consolidation process is a key function of the group auditor and can vary
significantly in complexity. In a less complex group, for example, where all of the components are
audited by the group auditor in the same country and all of the components have been wholly owned
subsidiaries since incorporation, the consolidation entries are easier to identify. In such
cases, the audit of the consolidation is generally fairly uncomplicated and carries a lower audit risk. In
more complex multinational groups, for example, the group may have both acquired and sold
components in the year and may have impairment issues.

HKSA 600 requires group auditors to obtain an understanding of group-wide controls and
the consolidation process. It also makes specific reference to the consolidation instructions that
have been issued by group management to components (as illustrated in Section 11.4.7). The
requirements for group-wide controls are the same as for any other type of control – auditors
need to identify the key controls and test them if the group auditors are seeking to place
reliance on them. It is at this point that the group auditor can determine the extent of other
substantive procedures that are required in the audit of the group.

The group is required to present consolidated financial statements incorporating all
components that are material to the group. The group auditor should obtain a listing of all entities
within the group from group management as part of the planning process for the group audit. The
group auditor should verify that all components have been included in the consolidated financial
statements. In respect of ensuring completeness of this information the group auditor should:

• Review work papers from prior years;

• Review the procedures adopted by the parent entity to identify components;

• Review any changes in the level of investment held by the parent during the current
period; and

• Review statutory registers required to be maintained by the Hong Kong Companies
Ordinance (Cap.622).

All of the above should be reviewed in the context of applying HKFRS 3 and HKFRS 10.

There will be some permanent consolidation entries that are normally determined at the
date of a business combination under the requirements of HKFRS 3 and/or when assessing
control as follows:

• Determination and valuation of identifiable assets acquired.

• Determination of the amount of goodwill or gain from a bargain purchase, at the date
of acquisition.

• The determination of the level of non-controlling interests (previously known as
minority interests) at the date of the business combination.

The current period consolidation entries usually include elimination of the following:

• Intra-group interest paid and received and management fees;

• Unrealised profits or losses on assets transferred between components;

• Intra-group debts;

• Adjustments for differing accounting policies or accounting standards;

• Adjustments where reporting dates are different from the parent;

• Determination of movement in equity attributable to non-controlling interests since the
date of acquisition; and

• Impairment losses for goodwill arising on consolidation.

The group auditor needs to ensure that all intra-group transactions and balances have
been eliminated. The group auditor should gain an understanding of the procedures adopted
by group management to make the above-noted adjustments.


At the same time as checking consolidation adjustments, group auditors need to ensure
that the information to be consolidated is complete and reconciles with the information
provided by components auditors in their clearance to the head office auditor.

Group auditors also need to consider how the consolidation process is actually performed.
Most consolidations are undertaken in Excel spreadsheets, which often heightens the risks
relating to completeness and accuracy. When auditing a consolidation, auditors cannot simply audit the
data that are displayed in the workbook but must ensure that the figures have been derived
from component financial statements and the consolidation adjustments. Auditors also
need to audit the workings of the consolidation spreadsheets themselves to ensure that the
consolidated numbers reflect the complete and accurate picture of the group.
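
The checks described in this section can be reperformed outside the workbook. The following is an added example, not part of the learning pack: it rebuilds the consolidated column from component balances and adjustment journals, then reports missing components, unbalanced journals, uneliminated intra-group balances, and displayed figures that differ from the recomputation. All entity names, account names, balances and journals are constructed sample data, and the function names are hypothetical.

```python
from decimal import Decimal as D

# Constructed sample data (not from the learning pack). Balances are signed:
# debits positive, credits negative, all in one presentation currency.
ENTITY_LISTING = {"Parent", "SubA", "SubB", "SubC"}  # listing from group management

COMPONENT_TB = {  # figures agreed to each component's audited consolidation package
    "Parent": {"Cash": D(500), "IC receivable": D(200), "Investment in subs": D(300),
               "Share capital": D(-600), "Retained earnings": D(-400)},
    "SubA": {"Cash": D(310), "Inventory": D(40), "IC payable": D(-200),
             "Share capital": D(-100), "Retained earnings": D(-50)},
    "SubB": {"Cash": D(260), "Share capital": D(-200), "Retained earnings": D(-60)},
}

JOURNALS = {  # consolidation adjustments as recorded in the workbook
    "J1 investment elimination": {"Share capital": D(300), "Investment in subs": D(-300)},
    "J2 intra-group debt": {"IC payable": D(180), "IC receivable": D(-180)},
    "J3 unrealised profit": {"Retained earnings": D(5), "Inventory": D(-4)},
}

REPORTED = {  # consolidated column as displayed in the workbook
    "Cash": D(1060), "Inventory": D(36), "IC receivable": D(20), "IC payable": D(-20),
    "Investment in subs": D(0), "Share capital": D(-600), "Retained earnings": D(-505),
}

# Accounts that should carry a nil balance once eliminations are posted.
INTRA_GROUP_ACCOUNTS = {"IC receivable", "IC payable", "Investment in subs"}


def missing_components(listing, component_tb):
    """Entities on the group listing that have no column in the workbook."""
    return set(listing) - set(component_tb)


def unbalanced_journals(journals):
    """Adjustments whose debits and credits do not net to zero, with the imbalance."""
    return {name: sum(lines.values()) for name, lines in journals.items()
            if sum(lines.values()) != 0}


def reperform(component_tb, journals):
    """Rebuild the consolidated column from component balances plus adjustments."""
    total = {}
    for lines in list(component_tb.values()) + list(journals.values()):
        for account, amount in lines.items():
            total[account] = total.get(account, D(0)) + amount
    return total


def review(listing, component_tb, journals, reported, intra_group_accounts):
    """Run all four checks and return the exceptions for follow-up."""
    recomputed = reperform(component_tb, journals)
    accounts = set(recomputed) | set(reported)
    return {
        "missing_components": missing_components(listing, component_tb),
        "unbalanced_journals": unbalanced_journals(journals),
        "uneliminated_intra_group": {
            a: recomputed[a] for a in intra_group_accounts
            if recomputed.get(a, D(0)) != 0},
        "workbook_differences": {
            a: reported.get(a, D(0)) - recomputed.get(a, D(0)) for a in accounts
            if reported.get(a, D(0)) != recomputed.get(a, D(0))},
    }


if __name__ == "__main__":
    findings = review(ENTITY_LISTING, COMPONENT_TB, JOURNALS, REPORTED,
                      INTRA_GROUP_ACCOUNTS)
    for check, exceptions in findings.items():
        print(check, "->", exceptions or "no exceptions")
```

Each exception is a prompt for enquiry rather than a conclusion: a listed entity without a column may be dormant or immaterial, and a residual intra-group balance may reflect timing differences that group management can explain.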

11.5.2 Review of Reports from Components Auditors to the Group Auditor


For the group auditor to be satisfied that their responsibility for the group auditor’s opinion
is achieved, a detailed review needs to be completed for all reports issued by components
auditors. The focus of such reviews would include the following:

• Whether any unadjusted material misstatements have been identified.

• Whether any fraudulent activity has been identified.

• Whether a going concern issue has been identified.

• Material departures from relevant accounting standards.

• Issues identified with independence of the components auditors.

• Subsequent events identified.

It is important that the group auditor understand in detail any likely impact on the group
financial statements from what has been reported from components auditors.

11.5.3 Review of Components Auditors’ Work


It has already been noted earlier in this chapter that, if group auditors wish to use the work
performed by components auditors, group auditors must be satisfied that components
auditors are sufficiently competent and independent, and that this assessment should be
documented. They must also have in writing from the components auditors that they agree to:

• Conduct their audit as set out in the group instructions; and

• Provide all the information they consider necessary from themselves and component
management to the group auditor.

If the group auditor is not satisfied that the components auditors have conducted the work
in line with the group instructions or provided all information, the group auditor will need to
perform the work necessary for group audit purposes themselves.

Where access to components auditors’ working papers is agreed to, the group audit
instructions should include a request for confirmation, again in writing, from the components
auditors that they will:

• Provide group auditors with unlimited access to their audit working papers; or

• Provide the group auditor with copies of their working papers, either electronically or in
paper form.


If the components auditors are unable to provide group auditors with unrestricted access to
their working papers or copies thereof because of legal or regulatory reasons, these reasons
should be detailed by the components auditors early in the process (this can be the case where
components auditors are auditing within the USA, for example).

In addition to arranging access to components auditors’ work papers, for significant
components the group auditor needs to consider whether they need to visit the
components auditors.

11.5.3.1 Visits to Components Auditors


If the group auditor decides it is appropriate to visit the components auditors, this is usually on
the basis of:

• Where, as noted above, components auditors working papers cannot be moved out of a
jurisdiction for regulatory or legal reasons;

• Because of the size or specific risks associated with the component;

• Because the group auditor believes it appropriate to discuss matters face to face (this
may be the case when there is some doubt about the understanding or performance of
a component auditor);

• Where there is a change of either group or components auditors;

• Where the component has been recently purchased or there is an expected disposal;

• On the basis of work and conclusions reached by internal auditors;

• On the basis of prior period issues at the component;

• On the basis of the audit adjustments that have been noted by the components
auditors; or

• Where there have been changes to local management or the size and scope of the
component.

When visiting components auditors, it is suggested as better practice for:

• An experienced member of the group audit team to conduct the visit. In practice this is
often the partner and/or the engagement manager.

• The group auditor to be clear about the purpose of the visit, including the files to
be reviewed, particular areas of focus, the component audit staff that need to be
interviewed, component management that are to be met, and what documents may be
required to be copied for the group audit file.

• The visit to take place prior to the components auditors’ close-out meeting with
component management, so that any issues raised by the group auditor can be
factored into the close-out meeting.

11.5.3.2 Reviewing Components Auditors’ Working Papers


The most common form of audit procedure carried out by the group auditor, over the
work of the components auditors, is the review of working papers prepared by the
components auditors. The basis for selection and the amount of review to be conducted
will vary considerably and will be dependent upon the size of the component, the risks that
the component poses to the group, and the experiences the group auditor has had with
components auditors in the past or with component management.


Set out below are some of the working papers that the group auditor may review in
ensuring that the group auditor has sufficient appropriate audit evidence to support the
auditor’s opinion on the group financial statements. The group auditor will ensure that the
audit evidence obtained confirms their understanding of the activities of the component and
what the components auditors have concluded.

• Component audit planning memorandum

The group auditor will need to see the components auditors’ audit planning
memorandum as per the group audit instructions, and confirm that it covers:

°° The fact that the system of internal control has been evaluated to identify and
assess any risk of material misstatement at the component level;

°° The risk assessment at the assertion level for all material accounts; and

°° The components auditors documentation of their understanding of:

▪ The component, its control environment, including IT controls, and its
accounting and information systems.

▪ The way in which transactions are processed by the component.

▪ The component’s closing process and the controls applicable to accounting
entries including journal entries.

• Significant risks

The group auditor will review working papers identifying significant risks, confirm that
there are appropriate planned audit responses, and that the audit evidence is sufficient
and appropriate, and assess the implications of those risks for the group financial
statements. For identified fraud risks, confirm that appropriate planned procedures
have been documented and completed.

• Detailed work programmes

The group auditor will review the detailed work programmes and confirm they have
been prepared for all material accounts and disclosures. The group auditor will
also confirm that the nature, timing, and extent of tests of controls and substantive
procedures are appropriate to the component’s characteristics and the risks identified,
as well as confirming that the work programmes have been appropriately reviewed and
approved by the components auditors.

• Specialists

The group auditor will confirm that specialists or experts (such as legal, tax, corporate
advisory, valuation, actuarial, or IT specialists) that have been involved in the audit of
the component, as deemed necessary, have had their competence and capabilities
assessed by the components auditors.

• Materiality thresholds

The group auditor will confirm that audit work has been performed on the basis of the
materiality thresholds allocated by, or approved by, group auditors in advance.


• Supervision and review

The group auditor will determine that audit work has been carried out as planned and
appropriately supervised and reviewed.

• Tests of controls

The group auditor will confirm that components auditors have tested controls as follows:

°° The controls identified during audit planning and on which a component auditor
wishes to place reliance; and

°° The group-wide controls identified for testing by group auditors and included in the
group audit instructions.

Where components auditors have identified significant control deficiencies, the group
auditor will confirm that there is evidence that:

°° The implications for the changes to the level of substantive procedures have
been assessed;

°° Deficiencies have been discussed with component management; and

°° Deficiencies have been communicated to group auditors and where appropriate
group management.

• Substantive procedures

The group auditor will confirm that conclusions in respect of substantive procedures
are appropriate and have been properly documented.

• Significant accounting judgements and estimates

The group auditor will confirm that procedures have been performed to ensure that
significant accounting judgements and estimates, and transactions outside the normal
course of business, do not constitute evidence of a risk of management bias on the part
of component management.

• Related parties

The group auditor will confirm that adequate audit procedures have been performed
in respect of the identification of related parties and transactions. The group auditor
will also check that appropriate audit procedures have been undertaken for any related
party transactions undertaken at arm’s length.

• Material contracts

The group auditor will confirm that components auditors obtained appropriate
information in respect of material contracts taking effect during the period.

• Non-compliance with laws and regulations

The group auditor will confirm that components auditors have addressed the risk of
non-compliance with applicable laws and regulations.

• Minutes of meetings

The group auditor will confirm that components auditors have reviewed the minutes
of meetings of component management and component governance bodies, and the
minutes of any other important meetings, and that they have assessed the impact of
decisions taken.


• Litigation

The group auditor will confirm that components auditors have performed adequate
audit procedures to identify litigation likely to be material at group level.

• Contingent assets and liabilities

The group auditor will confirm that procedures have been performed to ensure proper
disclosure of material component contingent assets and liabilities.

• Going concern

The group auditor will confirm that appropriate procedures have been performed to
assess the validity of the going concern basis for the component.

• Consolidation package

The group auditor will confirm that components auditors have checked that the
consolidation package has been prepared in accordance with the group’s accounting
policies and that the numbers agree with those audited and documented in the audit
working papers.

• Roll-forward procedures

When audit work has been performed before the year end, the group auditor will confirm
that components auditors have performed appropriate roll-forward procedures.

• Management representation letter

When a component audit has been completed, the group auditor will confirm
that components auditors have obtained an appropriate signed management
representation letter from component management.

• Significant points outstanding

The group auditor will confirm that all significant points outstanding that are relevant to
the components auditors’ report to the group auditor have been cleared by the time of
the issue of the report.

• Communications with component management

The group auditor will confirm that all significant matters described in the working
papers have been communicated to component management and that this was
communicated before the financial statements were approved by the component.

• Adequacy of audit work performed

Assess whether, for the elements of the file reviewed, the audit work performed is
adequate and complies with the group audit instructions and the applicable auditing
and accounting standards.

• Final analytical procedures

The group auditor will confirm that components auditors have performed final
analytical procedures on any information provided in completed consolidation
packages, corroborating conclusions, and that they have obtained satisfactory
explanations for material or unusual variances.


• Auditor’s opinion

The group auditor will confirm that any report issued, and auditor’s opinion expressed,
is consistent with the audit conclusions reached and documented, including those on
the list of adjusted and unadjusted misstatements.

• Communications with component management

The group auditor will check that components auditors’ communications with
component management do not contain any significant information not already
brought to the group auditor’s attention.

The group auditor’s evaluation of the work of the components auditors must be
documented. As part of the assessment as to the level of documentation, the group auditor
needs to consider the extent to which they should include certain of the components auditors
working papers in the group audit file. This decision will be made on the basis of what is
needed in the group auditor’s file to provide sufficient appropriate audit evidence to support
the auditor’s opinion on the consolidated financial statements.

11.5.4 Group Audit Completion Documents Preparation


The completion stage of the audit must be carefully planned to ensure that the requirements of
the many relevant HKSAs are adhered to. If the completion stage is not adequately performed,
there is a risk that an inappropriate opinion is given on the financial statements. In a group
audit situation, there are effectively documents for each component to be considered and
addressed by the group auditor, which increases the complexity significantly.
Chapter 9 of this module presents in detail the processes and documents required in the
completion of the audit. The group audit instructions would normally include reference to each
document and the required timing for them to be sent to the group auditor.

11.5.5 Options for Audit Opinion for the Group, Parent Company, and
Component Financial Statements
The first step for the group auditor is to assess the reports that are received from components
auditors. This may seem obvious, but a thorough review is necessary to ensure that if there
are any modifications these can be discussed and a determination made as to the likely impact
such a modification may have on the consolidated financial statements. If the parent company
is listed, then the group auditor would need to consider any key audit matters that have been
raised by components auditors. Refer back to Chapter 10 for details of the types of auditor
opinions and the circumstances that lead to a modification to an auditor’s opinion.

Key Learning Point


A thorough review is required of the work undertaken by the components auditors to
ensure that all factors are known to the group auditor when finalising the consolidated
financial statements and determining the appropriate auditor’s opinion.


Knowledge Check Questions

Question 12
Where the components auditors consent to access to their working papers, the group
audit instructions should include a request for confirmation from the components
auditors. List what content should be included in the confirmation.

Question 13
For the group auditor to be satisfied that their responsibility for the group auditor’s
opinion is achieved, a detailed review needs to be completed for clearance reports issued
by components auditors. Explain what the focus of such review would be.


SUMMARY

• There are many assessments that need to be made by group auditors. In their role as group
auditors, the key considerations are:

◦ Evaluation of the competence of the components auditors;

◦ Evaluation of the significance of components within the group;

◦ The level of understanding necessary to issue informed instruction to components
auditors; and

◦ Evaluation of the work performed by the components auditors.


• At all times, the ultimate responsibility for the audit of the consolidated financial statements
rests with the group auditor, who must be satisfied that sufficient appropriate audit evidence
exists to support the auditor’s opinion on the group financial statements.


MIND MAP

GROUP AUDITS

AUDIT OF GROUPS
Scope and Terminology
Companies Ordinance (Cap.622)
Understanding the Group, Its Components and Their Environments
    • Indicators of ‘significance’
    • Type of audit work to be performed on components
    • Procedures for non-significant components
Group Wide Controls
Auditor’s Objectives

AUDIT PLANNING AND RISK ASSESSMENT
Engagement Letter
Control Procedures Review
Risk Assessment
Plan of Procedures to Develop Understanding (Group, Client, Component Auditor)
Consider Risks of Material Misstatement
Plan Methods, Timing, and Content of Communication with Those Charged with Governance
Develop Audit Plan for Work to be Completed (Group, Client, Component Auditor) for
significant and Non-significant Components
Group Audit Strategy Memorandum for Communication to a Component Auditor

COMPONENT AUDITORS
Characteristics of Component Auditors
Responsibilities of Component Auditors
How Component Auditors Work within the Group Audit
Materiality for Components
Communication with Component Auditor

AUDIT PROCEDURES AND REPORTING
Complete Procedures to Substantively Test the Group’s Consolidation
Review of Reports from Component Auditors to the Group Auditor
Review of Component Auditors’ Work
    • Visits to component auditors
    • Reviewing component auditor working papers
Group Audit Completion Document Preparation
Options for Audit Opinion for the Group, Parent Company, and Component Financial
Statements

GROUP ENGAGEMENT TEAM
Group Engagement Partners’ and Staff Members’ Responsibilities
Component Team Member’s Responsibilities

Answers to Knowledge Check Questions

Question 1
The following should be considered:
(a) An audit of the financial information of the component using component
materiality (i.e. at a materiality level lower than the group level).

(b) An audit of one or more account balances, classes of transactions, or disclosures
relating to the likely significant risks of material misstatement of the group financial
statements.

(c) Specified audit procedures relating to the likely significant risks of material
misstatement of the group financial statements.

Question 2
Consider the extent to which there are group-wide controls and determine the appropriate
split of work between the group auditors and components auditors for these controls.
Request details of internal control weaknesses identified by components auditors,
as HKSA 600 requires group auditors to make group management aware as soon as
practicable of material weaknesses in the design and operation of group-wide controls.


Question 3
(a) Work to be performed.

(b) Form and contents of components auditors’ communication with group
engagement team.

(c) Confirmation that the components auditors will cooperate with group
engagement team.

(d) Ethical requirements, particularly independence requirements, regarding both the
group and the component.

(e) The level of component materiality.

(f) Identified significant risks of material misstatement of the group financial
statements, whether due to fraud or error.

(g) Related parties.

(h) Non-compliance with laws and regulations.

(i) Material weaknesses in internal controls that could affect the components auditors.

(j) Relevant accounting, auditing, and reporting requirements.

(k) Communications with those charged with governance at the group level and where
necessary at the component level.

Question 4
Any five of the following would be correct:
• Reconfirmation that the components auditors have complied with the ethical
requirements of the HKICPA Code of Ethics for Professional Accountants;
• Confirmation that the components auditors have complied with the group auditor’s
requirements;
• The scope of work performed, including explanations for significant changes to the
audit strategy and any variations from group instructions (note that this should be
communicated by the components auditors to the group auditor prior to variation;
the documentation at this stage of the component audit is confirming what should
already have been agreed);
• Instances of fraud or non-compliance with laws and regulations, and indicators of
management bias (again, any fraud identified should be communicated immediately
to the group auditor);
• Significant matters arising from the work performed by the components auditors,
including details of significant risks that may affect the consolidated financial
statements including those communicated by the group auditor at the planning
stage, and a summary of responses to those risks;
• In the instance that the parent entity is listed, Key Audit Matters (‘KAMs’) should
either be included in the main body of the audit report or in the memorandum
or questionnaire (for further information on KAMs refer back to Chapter 10 of
this module);


• Details of corrected and uncorrected misstatements, including explanations from
component management as to why misstatements have remained uncorrected;
• Significant deficiencies in internal controls that were identified (again, this should be
reported to the group auditor at the point of discovery);
• Details of any related party transactions;
• Subsequent events procedures performed and whether there were any material
matters identified and details of the potential effects of such matters;
• Specific inclusions identified by the components auditors for inclusion in the group
letter of representation;
• Matters that should be communicated to those charged with governance at the
group level;
• Other information, such as contingencies and commitments; and
• The components auditors’ overall findings, conclusions, or opinion.

Question 5
Answer A is incorrect. This would be something that would be expected to be
communicated.
Answer B is correct. The group auditor is responsible for their own working papers and not
the components auditors.
Answer C is incorrect. This would be something that would be expected to be
communicated.
Answer D is incorrect. This would be something that would be expected to be
communicated.

Question 6
There is much to consider when evaluating the allocation of materiality to components
auditors by the group auditor. One of the main complexities lies with the concept of
aggregation risk, which heightens with the decentralisation of operations into components.
Aggregation risk is defined as the risk that the aggregate of uncorrected and undetected
misstatements in the financial statements exceeds materiality for the financial statements
as a whole.

Question 7
The answer could include any of the following:

(a) Work to be performed.

(b) Form and contents of components auditors’ communication with group
engagement team.

(c) Confirmation that the components auditors will cooperate with group
engagement team.

(d) Ethical requirements, particularly independence requirements, regarding both the
group and the component.

(e) The level of component materiality.


(f) Identified significant risks of material misstatement of the group financial
statements, whether due to fraud or error.

(g) Related parties.

(h) Non-compliance with laws and regulations.

(i) Material weaknesses in internal controls that could affect the components auditors.

(j) Relevant accounting, auditing, and reporting requirements.

(k) Communications with those charged with governance at the group level and where
necessary at the component level.

Question 8
The seven areas that the group engagement partner and group audit team are
responsible for:

(a) Obtain an understanding of the group, its components, and their environment.

(b) Obtain an understanding of the consolidation process.

(c) Review instructions issued by management to components.

(d) Verify that all components have been included in group financial statements.

(e) Evaluate the completeness and accuracy of consolidation adjustments.

(f) If the component’s accounting policies are different from the group’s policies, verify
that appropriate adjustments have been made for the purposes of group financial
statements.

(g) If the component’s accounting period is different from the group’s accounting
period, verify that appropriate adjustments have been made for the purposes of
group financial statements.

Question 9
The requirements of HKSA 315 (Revised 2019) become more difficult to apply in a group
audit situation as opposed to the audit of a single company. The more components that a
group has, the more likely the increase in the risk of a material misstatement.
The group engagement team’s assessment at group level of the risks of material
misstatement of the group financial statements is based on information such as:
• Information obtained from the understanding of the group, its components, and
their environments, and of the consolidation process, including audit evidence
obtained in evaluating the design and implementation of group-wide controls and
controls that are relevant to the consolidation.
• Information obtained from components auditors.
• The spread of information and the increased number of places it is coming from
means it is more complex to undertake a risk assessment.


Question 10
Any five of the areas addressed below:

(a) An overview of the type of work to be performed on the financial information of
the components.

(b) An overview of the nature of the group engagement team’s planned involvement in
the work to be performed by the components auditors on the financial information
of significant components.

(c) Instances where the group engagement team’s evaluation of the work of a
components auditors gave rise to a concern about the quality of that auditor’s work.

(d) Any limitations on the group audit, for example, where the group engagement
team’s access to information may have been restricted.

(e) Fraud or suspected fraud involving group management, component management,
employees who have significant roles in group-wide controls, or others where the
fraud resulted in a material misstatement of the group financial statements.

(f) Outcomes from testing of internal controls, where significant deficiencies
were noted.

(g) Changes to the audit approach as a result of significant issues being identified
through the audit process.

Question 11
Any seven of the following would be correct:
• An introduction that sets out that the instructions are designed to inform the
components auditors of the scope of the work required for the purpose of the
group audit.
• Group background, including group structures, business overview, significant
events that occurred during the year, and the names of company directors and
management personnel.
• Client expectations.
• Engagement risk, including the identification of significant risks at the group and
component levels.
• Communication timetable, including reporting timetable and communications
protocols.
• Client engagement team.
• Audit and accounting standards, including independence requirements, notice on
the group engagement letter, and the requirement for a component level letter and
significant risks to be specifically addressed.
• Scope of work and materiality, including the procedures to be performed by the
components auditors and the procedures that will be performed by the group
engagement team.
• Reporting requirements, which will include acknowledgement of instructions,
independence declaration, interim reporting of significant matters, clearance reports,
and final summary of significant matters, including a summary of audit differences.


• Specific information required for consolidation purposes and for financial statement
disclosure requirements.
• Key audit matters to be reported if the parent entity is listed.
• Structure of management letter to be issued at the component level.
• Management representation letter requirements.
• Outline of the required subsequent events review report.

Question 12
Answer: a request for confirmation from the components auditors that they will:
• Provide group auditors with unrestricted access to their working papers;
• Provide the group auditor with copies of their working papers; or
• Be unable to provide group auditors with unrestricted access to their working papers
or copies thereof because of legal or regulatory reasons, which should be detailed
(this can be the case where components auditors are auditing within the USA,
for example).
In addition to arranging access to components auditors’ work papers, for significant
components the group auditor needs to consider whether they need to visit the
components auditors.

Question 13
The focus of such reviews would include the following:
• Whether any unadjusted material misstatements have been identified.
• Whether any fraudulent activity has been identified.
• Whether a going concern issue has been identified.
• Material departures from relevant accounting standards.
• Issues identified with independence of the components auditors.
• Subsequent events identified.
It is important that the group auditor understands in detail any likely impact on the
group financial statements from what has been reported from components auditors.

EXAM PRACTICE

QUESTION 1
Explain the objectives of the auditor in relation to the audit of a group.

QUESTION 2
May Tong is the group audit partner for Sticky Lollies Hong Kong Group. The audit process
for the group is well advanced with component clearance reports due within the next week.
May Tong has just received an email from a significant component auditor, KCUB & Co, in
Australia, explaining that they have discovered a conflict of interest for which no
safeguards could be put in place to minimise the threat to an acceptable level. Advise the
appropriate procedures May Tong should consider to ensure that the Australian significant
component audit is completed by the required date.


QUESTION 3
Hai Wah, the group audit partner for Durian Fruits Hong Kong Group, has sent out group
audit questionnaires to each of the components required to undertake audit procedures
for the group. The instructions vary depending on whether the components auditors are
undertaking a full audit or have been requested to look at certain balances and/or risks.

(a) Consider the six key items that Hai Wah would have requested to be detailed in the full
audit questionnaire.

(b) Describe what the group audit partner and engagement team should do to understand
the group’s control environment.

QUESTION 4
Gong Fa Company has a number of components in Hong Kong, China, Malaysia, the United
Kingdom, and the UAE. Recommend the key considerations that need to be made by the
group auditor in determining component materiality.

ANSWERS TO EXAM PRACTICE

QUESTION 1
The objectives of the auditor in relation to the audit of a group are:

(a) To determine whether they can act as the auditor of the group financial statements;
(b) If acting as the auditor of the group financial statements:

(i) To communicate clearly with components auditors about the scope and timing
of their work on financial information related to the components and their
findings; and

(ii) To obtain sufficient appropriate audit evidence regarding the financial information
of the components and the consolidation process to express an opinion on whether
the group financial statements are prepared, in all material respects, in accordance
with HKFRS.

QUESTION 2
May Tong will need to take immediate action if the looming deadline is to be met. As a first
step, he could appraise the working papers prepared by KCUB & Co and determine whether
sufficient appropriate audit evidence has been obtained for the component, to enable
effective clearance of the component’s balances. Given the conflict of interest issue, it is
unlikely that such a conclusion could be reached. If the situation had been identified earlier,
May Tong could have considered an alternative component auditor to complete the audit
work at the component level. It is likely, however, in the circumstances described that May
Tong would be better positioned to send group audit team members to complete the audit
of the significant Australian component this year and consider an alternative component
auditor for future periods.

QUESTION 3
(a) The six key items could include (from the following):

• Reconfirmation that the components auditors have complied with the ethical
requirements of the HKICPA Code of Ethics for Professional Accountants;


• Confirmation that the components auditors have complied with the group auditor’s
requirements;

• The scope of work performed, including explanations for significant changes to the
audit strategy and any variations from group instructions (note that this should be
communicated by the components auditors to the group auditor prior to variation
and the documentation at this stage of the component audit is confirming what
should already have been agreed);

• Instances of fraud or non-compliance with laws and regulations, and indicators
of management bias (again, any fraud identified should be communicated
immediately to the group auditor);

• Significant matters arising from the work performed by the components auditors,
including details of significant risks that may affect the consolidated financial
statements, including those communicated by the group auditor at the planning
stage and a summary of responses to those risks;

• In the instance that the parent entity is listed, Key Audit Matters (‘KAMs’) should
either be included in the main body of the audit report or in the memorandum
or questionnaire (for further information on KAMs refer back to Chapter 10 of
this module);

• Details of corrected and uncorrected misstatements, including explanations from
component management as to why misstatements have remained uncorrected;

• Significant deficiencies in internal controls that were identified (again, this should be
reported to the group auditor at the point of discovery);

• Details of any related party transactions;

• Subsequent events procedures performed and whether there were any material
matters identified and details of the potential effects of such matters;

• Specific inclusions identified by the components auditors for inclusion in the group
letter of representation;

• Matters that should be communicated to those charged with governance at the
group level;

• Other information, such as contingencies and commitments; and

• The components auditors’ opinion.

(b) The group audit partner and engagement team should establish the following:

• The control environment established by those charged with governance that relates
to group-wide controls;

• The level of involvement of those charged with governance at the group level in
terms of how the components develop their business strategies, how they operate,
and how they perform;

• How often interactions occur between the group and component and the degree of
detail obtained;


• How the component’s management identify and assess risk, specifically including
the identification and management of business risks that might result in a
misstatement in the group financial statements;

• How component management assesses the risk of fraud and management of
circumstances when fraud has been identified;

• Controls over intra-group transactions, balances, and intra-group profits, including
taxation consequences;

• Group-wide monitoring controls;

• The degree of use of shared service centres and component management’s
oversight of shared service centres; and

• The extent to which controls operate in the same way across components in
the group.

QUESTION 4
As a starting point, HKSA 600 requires the group engagement team to determine materiality
for the group financial statements as a whole, as part of the development of the group audit
strategy, so this would be done on the Hong Kong entity.

To reduce to an appropriately low level the probability that the aggregate of uncorrected
and undetected misstatements in the group financial statements exceeds materiality for the
group financial statements as a whole, component materiality is set lower than materiality
for the group financial statements as a whole. Different component materiality may be
established for different components. Component materiality need not be an arithmetical
portion of the materiality for the group financial statements as a whole, and, consequently,
the aggregate of component materiality for the different components may exceed the
materiality for the group financial statements as a whole. Component materiality is used
when establishing the overall audit strategy for a component.

Component materiality is determined for those components whose financial information
will be audited or reviewed as part of the group audit. Component materiality is used by the
components auditors to evaluate whether uncorrected detected misstatements are material,
individually or in the aggregate.

In the case of an audit of the financial information of a component, the components
auditors (or group engagement team) determine performance materiality at the
component level. This is necessary to reduce to an appropriately low level the probability
that the aggregate of uncorrected and undetected misstatements in the financial
information of the component exceeds component materiality. In practice, the group
engagement team may set component materiality at this lower level. Where this is the case,
the components auditors use component materiality for the purposes of assessing the
risks of material misstatement of the financial information of the component and to design
further audit procedures in response to assessed risks as well as for evaluating whether
detected misstatements are material, individually or in the aggregate.



12 Other Assurance Engagement Requirements

CHAPTER TOPIC LIST

12.1 Other Assurance Engagements Requirements Overview
    12.1.1 Scope and Terminology
    12.1.2 Critical Distinctions Between Assurance and Non-assurance Engagements

12.2 Other Assurance Engagements and Non-Assurance Engagements Overview
    12.2.1 Reviews Overview
    12.2.2 Assurance Engagements Other than Reviews or Audits Overview
    12.2.3 Assurance Reports on Controls at a Service Organisation Overview
    12.2.4 Assurance Engagements on Greenhouse Gas Statements Overview
    12.2.5 Pro Forma Financial Information Overview
    12.2.6 Summary of Financial Statements Overview
    12.2.7 Investment Circular Reporting Engagements Overview
    12.2.8 Agreed-Upon Procedures Overview
    12.2.9 Preliminary Announcements of Annual Results Overview
    12.2.10 Continuing Connected Transactions Overview
    12.2.11 Comfort Letters Overview
    12.2.12 Due Diligence Work Overview
    12.2.13 Compilation Engagements Overview

12.3 Engagement Risks for Other Assurance and Non-assurance Engagements
    12.3.1 Ethical Requirements of the Engagement
    12.3.2 Engagement Acceptance and Continuing the Engagement
    12.3.3 Agreeing on the Terms of the Engagement
    12.3.4 Planning and Performing the Engagement
    12.3.5 Materiality and Assurance Engagement Risk
    12.3.6 Quality Control of the Engagement

12.4 Obtaining Sufficient Evidence – Overview
    12.4.1 Obtaining an Understanding of the Subject and Engagement
    12.4.2 Reasonable Assurance Testing
    12.4.3 Sampling

12.5 Communication with Those Charged with Governance
    12.5.1 Methods of Communication
    12.5.2 Timing of Communication
    12.5.3 Content of the Communication with Those Charged with Governance

12.6 Evidence Analysis Overview
    12.6.1 Subsequent Events Review
    12.6.2 Documentation

12.7 Preparing the Engagement Report
    12.7.1 Other Assurance Report Contents
    12.7.2 Non-assurance Report Contents


LEARNING OUTCOMES

PRINCIPAL LO1: PERFORM ASSURANCE ENGAGEMENTS


LO1.01: Prepare, plan and develop assurance engagements including the audits of financial
statements in accordance with relevant Hong Kong Standards of Quality Control,
Auditing, Assurance and Related Services, guidance and legislation with emphasis on:
Other assurance engagement requirements
1.01.01 Explain why users need assurance reports
1.01.02 Describe the level of assurance and the issues relating to other assurance and non-assurance
engagements, including:
• Reviews
• Agreed-upon procedures
• Pro-forma financial information
• Investment circular reporting engagements
• Preliminary announcements of annual results
• Continuing connected transaction
• Comfort letters
• Due diligence work
1.01.03 Analyse the potential engagement for the risks it presents to the auditor
1.01.04 Prepare an engagement letter
1.01.05 Determine an approach to gathering sufficient appropriate evidence
1.01.06 Determine the methods, timing and content of communication with those charged with
governance
1.01.07 Analyse the results of evidence collected
1.01.08 Prepare the engagement report


OPENING CASE

BRIEFING TO AUDIT COMMITTEE OF YAU MANUFACTURING COMPANY LIMITED, A LISTED
HONG KONG COMPANY ON UNDERSTANDING OTHER ASSURANCE ENGAGEMENTS

Your firm (Jay & Co) has been asked to advise the Chief Executive Officer about the
assurance services available to their recently re-organised company, Yau Manufacturing
Company Ltd (Yau). Yau manufacture high-quality chipsets for inclusion in laptops. Yau have
also had a change in senior management with the Chief Financial Officer, Chief Operating
Officer, and the chair of the Audit Committee being recently appointed. Specifically, Yau want to
understand the different types of assurance engagements or any other engagements your firm
has the expertise to perform, given your firm, Jay & Co, is not the auditor of Yau.

On further discussion with the Chief Executive Officer, to better understand their specific
assurance requirements, you find that Yau is contemplating acquiring another Hong Kong
listed entity in the next few years. Also, Yau’s financiers (Dan & Co) have requested further
information on Yau in relation to the recent increase in their secured loan borrowing limits.
That increase was arranged to fund an expansion of Yau’s manufacturing plant located
in Chengdu.

Yau has also heard about non-assurance services such as agreed-upon procedures and
would like to understand the benefits compared to traditional assurance services, particularly
in respect of reporting on the efficiency and effectiveness of internal controls designed to
ensure quality assurance on the various chipsets manufactured. Yau recently put into place
improved internal controls at their manufacturing plant after a spate of quality-related issues
with their chipsets.


OVERVIEW

This chapter focuses on explaining the different types of assurance engagements that can be
performed for an entity by an HKICPA practitioner, why they are needed, key considerations
in performing these engagements, the procedures required to conduct the common types of
assurance engagements, and the reporting outputs. Non-assurance engagements are also
explained.

The intended users of the engagement report determine what type of engagement they
require for their particular information needs and circumstances (assurance or non-assurance)
and, in cases where law or regulation does not specify, the type of assurance provided (limited or
reasonable assurance). The intended users may be the entity, regulators, current or potential
investors/shareholders, banks, other financiers, suppliers, and/or customers.

If independent assurance by an HKICPA practitioner is required on particular entity financial
and/or non-financial information (called subject matter information in this chapter), then an
assurance engagement is appropriate. If independent assurance is not required, but the entity
wishes to have an HKICPA practitioner (who may or may not be independent) perform certain
procedures on the entity’s subject matter information to report factual findings or the results of
compiling information, then a non-assurance engagement is appropriate. For all engagements,
practitioners must possess adequate knowledge in the subject matter information (financial
and non-financial information), act with due care, keep an objective state of mind, and obtain
suitable evidence for their reporting on the entity’s subject matter information.

Assurance and non-assurance engagements are performed at the request of the entity
for a wide variety of reasons and covering a wide variety of subject matters (financial and/or
non-financial information), including:

• Compliance with the requirements of law or regulation, e.g. an entity undertaking debt
or equity securities fundraising.

• Compliance with the terms of bank or financing covenant agreements.

• Compliance with other contractual obligations (e.g. supplier agreement).

• To facilitate prospective mergers and acquisitions.

• To provide management of the entity with independent comfort that a process, control,
or system is working as designed.

Assurance engagements (including review engagements) can provide either limited
or reasonable assurance to intended users. They are designed to enhance the degree of
confidence of intended users of the assurance report about the outcome of the practitioner’s
evaluation or measurement of the subject matter information against applicable criteria.
The type of assurance required again depends on the engagement circumstances and, in
some cases, the requirements of HKICPA standards. The procedures performed are planned,
designed, and performed by the practitioner based on their risk assessment of the subject
matter information and the engagement. The entity, as the responsible party, prepares and
accepts responsibility for the accuracy and completeness of the subject matter information to
which the practitioner assures.

Non-assurance engagements provide no assurance on the specified subject matter
information; instead, the practitioner reports factual findings based on performing procedures
agreed with the entity. Again, the entity, as the responsible party, prepares and accepts
responsibility for the accuracy and completeness of the subject matter information to which
the practitioner does not assure.

This chapter uses the terminology of ‘entity’ throughout to describe an organisation that
has requested the practitioner to perform an assurance or non-assurance engagement, and
who is the responsible party. An entity can be a company (private or public), a sole proprietor,
a partnership, or a foreign company office. The focus in this chapter is on a company structure.
Further, it is assumed that the entity is the responsible party for all engagements discussed in
this chapter.

This chapter also uses the terminology ‘HKICPA standards’ to describe the suite of auditing,
assurance, and non-assurance standards issued by the HKICPA with which the practitioner, as
a professional accountant – as per the HKICPA's Code of Ethics for Professional Accountants (also
known as Code of Ethics) – must comply.

12.1 OTHER ASSURANCE ENGAGEMENTS REQUIREMENTS OVERVIEW

12.1.1 Scope and Terminology


12.1.1.1 Scope
This chapter explains both assurance and non-assurance engagements. It will detail the key
differences between these engagement types, when and how they are used, and provide the
common examples of each type.

The HKICPA Amended Preface to the Hong Kong Quality Control, Auditing, Review, Other
Assurance, and Related Services Pronouncements (July 2012) (the Preface) specifies that the Hong
Kong Standards apply to particular types of assurance and non-assurance engagements.

Engagements Providing Assurance


As noted in Chapter 1, assurance engagements can be undertaken on a broad range of
financial and non-financial information, with an audit being just one form of an assurance
engagement. Other than audits, reviews and any other assurance engagements are also
examples of assurance engagements.


In assurance engagements, the practitioner is engaged by the entity (responsible party) to
independently provide assurance about the entity’s prepared subject matter information, which
will have been prepared for intended users.

A reasonable assurance engagement requires the practitioner to reduce the assurance
engagement risk to an acceptably low level as the basis for a positive conclusion. This type
of engagement consists of the practitioner making inquiries, applying analytical procedures,
and inspecting relevant documentation. The engagement is planned and conducted to obtain
sufficient appropriate evidence on the subject matter information on which to base the
conclusion, with much of that evidence being persuasive rather than conclusive. There are
inherent limitations to a reasonable assurance engagement (it can achieve a high but not
absolute level of assurance). A common example of a reasonable assurance engagement is an
audit. The conclusion is couched in wording such as ‘the practitioner believes that the subject
matter information is presented in accordance with (applicable framework) . . .’

A limited assurance engagement requires the practitioner to reduce the assurance
engagement risk to an acceptably low level as the basis for a negative conclusion. This type of
engagement consists of the practitioner making inquiries and applying analytical procedures
(applying fewer audit type procedures with less emphasis, if any, on tests of controls and
obtaining evidence from external sources than for a reasonable assurance engagement) and
utilises practitioner knowledge gained from any previous engagements with the client entity.
A common example of a limited assurance engagement is a review. The conclusion is couched
in wording such as ‘nothing came to my attention that causes the practitioner to believe that
the subject matter information is not presented in accordance with (applicable framework) . . .’

There are various HKICPA standards that deal with types of assurance engagements. They are:

• Review engagements (Hong Kong Standards on Review Engagements – HKSRE)

1. Limited assurance review of historical financial performance in financial statements.
(HKSRE 2400 (Revised) Engagements to Review Historical Financial Statements)

2. Limited assurance review of interim financial information by the appointed auditor
of the entity.
(HKSRE 2410 Review of Interim Financial Information Performed by the Independent
Auditor of the Entity)

• Assurance engagements (Hong Kong Standards on Assurance Engagements – HKSAE)

1. An overarching assurance standard applicable for all HKSAE assurance engagements.
(HKSAE 3000 (Revised) Assurance Engagements Other Than Audits or Reviews of
Historical Financial Information) (Note that HKSAE 3000 (Revised) does not apply to
the HKSRE review standards or HKSIR investment circular reporting standards.)

2. Reasonable or limited assurance on specific internal controls at a service organisation.
(HKSAE 3402 Assurance Reports on Controls at a Service Organisation)

3. Reasonable or limited assurance on the entity’s reported greenhouse gas emissions
statement.
(HKSAE 3410 Assurance Engagements on Greenhouse Gas Statements)


4. Reasonable assurance on the entity’s compilation of pro forma financial information
included in a prospectus.
(HKSAE 3420 Assurance Engagements to Report on the Compilation of Pro Forma
Financial Information Included in a Prospectus)

• Investment circular reporting (Hong Kong Standards on Investment Circulars – HKSIR)

1. Reasonable assurance on the entity’s historical financial information included in
investment circulars (e.g. prospectuses).
(HKSIR 200 Accountants’ Reports on Historical Financial Information in Investment
Circulars)

2. Specific agreed-upon procedures (no assurance) by the appointed auditor of the
entity contained in an auditor’s comfort letter requirements related to the entity’s
due diligence transactions.
(HKSIR 400 (Revised) Comfort Letters and Due Diligence Meetings)

3. Reasonable assurance on the entity’s profit forecast or the statement of sufficiency
of the entity’s working capital or agreed-upon procedures (no assurance) on the
statements of the level of indebtedness.
(HKSIR 500 (May 2020) Reporting on Profit Forecasts, Statements of Sufficiency of
Working Capital and Statements of Indebtedness) (Note that The Preface to Hong Kong
Quality Control, Auditing, Review, Other Assurance and Related Services Pronouncements
(The Preface) requires that HKSREs are to be applied in the reviews of historical
financial information.)

• Applicable Practice Notes (PN)

1. Specific agreed-upon procedures (no assurance) by the appointed auditor of the
entity of the preliminary results of the entity for the financial year.
(Practice Note (PN) 730 (Revised) Guidance for Auditors Regarding Preliminary
Announcements of Annual Results read in conjunction with HKSRS 4400 Engagements
to Perform Agreed-upon Procedures Regarding Financial Information)

2. Limited assurance by the appointed auditor of the entity in respect of reporting on
continuing connected transactions.
(Practice Note (PN) 740 Auditor’s Letter on Continuing Connected Transactions Under
the Hong Kong Listing Rules read in conjunction with HKSAE 3000 (Revised) Assurance
Engagements Other Than Audits or Reviews of Historical Financial Information)

• Audit related (Hong Kong Standards on Auditing – HKSA)

Reasonable assurance by the appointed auditor of the entity on the summary financial
statements extracted from the entity’s audited financial statements that have been
audited by the same auditor.
(HKSA 810 (Revised) Engagements to Report on Summary Financial Statements)


• Other types of assurance engagements (not HKICPA Standard specific)

◦ Compliance audits. The objectives of the practitioner are to obtain limited or
reasonable assurance on the extent to which the specified requirements have been
complied with. Examples of requirements are compliance with specified policies,
procedures, contracts, laws, or regulations. The practitioner compares/measures
the requirements to suitable criteria, which will vary depending on the nature of the
requirements. These types of audits are often performed by the internal auditor of
the entity.

◦ Operational audits. Their scope is more extensive than compliance audits,
for example it may involve the practitioner assessing the effectiveness of the
procedures that are being audited. While an element of assurance is given
(particularly with regard to the compliance elements of the assignment), the audit
is designed with the intention of the internal auditor drawing their own conclusions
about the systems from the work performed. These types of audits are often
performed by the internal auditor of the entity.

◦ PN 810.1 (Revised) Insurance Brokers – Compliance with the Minimum Requirements
Specified by the Insurance Authority under Sections 69(2) and 70(2) of the Insurance
Companies Ordinance or review of annual financial reports of a non-governmental
organisation. The engagement may be performed by an external auditor, internal
auditor, or government auditor.

◦ Performance audit (value for money (VFM) audits). These audits are conducted in
all sectors by external auditors and internal auditors and cover a broad range of
activities. In a VFM audit, the objectives of a specified activity need to be understood
to properly assess whether value for money has been achieved by that activity.
Objectives may be financial (e.g. maximising profit, minimising cost) or non-financial
(e.g. achieving delivery of certain services to a target population). Practitioners
generally conduct VFM audits by assessing the activity in terms of how it achieved
its economy, efficiency, and/or effectiveness measures. These are explained
as follows:

– Efficiency examines how well the entity’s activity is able to minimise inputs
used to deliver required outputs (being quality, quantity, and timing). These
audit types are investigative, i.e. did the entity make the most of its allocated
resources to deliver what was required for that activity?

– Effectiveness examines the extent to which the entity’s activity achieved its stated
objective(s). These audit types are compliance focused, i.e. did the entity do
what it said it would or it was required to for that activity?

– Economy examines the entity’s ability to minimise the cost of the activity’s
resources, while still meeting its timeliness and availability of required quantity/
quality outputs. These audit types are investigative, i.e. did the entity minimise
costs to achieve the greatest activity benefit? (benefit versus cost).

Examples of VFM audits include:

• In a for-profit entity (non-government or government), internal auditors assessing an
individual profit centre for how efficiently they achieved their profit target for a given
time period.

• In a not-for-profit, non-government entity, external auditors assessing the
effectiveness of an activity, for a given time period, designed to provide vision impaired
children with access to education support resources to help them learn to read.

• In a not-for-profit, government entity, external auditors assessing how effectively a
provincial child immunisation health programme was able to deliver immunisation
services to the target of X% of the population for a time period.

Engagements Not Providing Assurance


Non-assurance engagements provide the intended users with additional, objective information
on certain targeted subject matter information to allow them to form their own opinion
regarding the subject matter information. There are some engagements that a practitioner
conducts that are not assurance engagements as they provide no assurance (i.e. include no
opinion or conclusion) to the intended users of the practitioner’s report. An example is when a
practitioner is requested to report on whether an entity’s implemented internal controls over
the monthly financial reporting close process are operating as designed.

In these engagements, the HKICPA independence requirements are not met as the
practitioner has not independently determined the nature, timing, and extent of procedures
to perform, instead agreeing to perform the entity’s specified procedures. While independence
is not a requirement, HKICPA practitioners always apply objectivity as one of the fundamental
principles in the Code of Ethics. The procedures performed by the practitioner will vary
depending on requirements and needs. They may include procedures such as enquiry and
analysis, re-computation/re-performance, comparison and other clerical accuracy checks,
observation, inspection, and confirmations. If, for example, the practitioner’s report is going
to be used by a party other than the entity, such as their bank, it is up to the entity and the
bank to ensure that the procedures the practitioner will perform are suitable to give them the
additional information they require.

The type of subject matter information (financial or non-financial) and the procedures
performed will vary depending on the individual engagement requirements and needs. The
entity, having received the practitioner’s report, interprets the findings in the context of their
business, draws their own conclusions, and takes any appropriate action(s). Non-assurance
engagements do not require the practitioner to verify the accuracy or completeness of the
information provided by the entity on which the practitioner performs the procedures.

Engagements not providing assurance are performed under HKICPA Standards on Related
Services (HKSRS). There are two HKSRS applicable:

(a) Engagements to provide factual findings on certain financial information.

(HKSRS 4400 Engagements to Perform Agreed-Upon Procedures Regarding Financial


Information)

(b) Engagements to provide factual findings on compiled information.

(HKSRS 4410 (Revised) Compilation Engagements)

12.1.1.2 Terminology
The Glossary of Terms Relating to Hong Kong Standards on Quality Control, Auditing, Review, Other
Assurance and Related Services (February 2015) issued by the HKICPA contains definitions of
key terms that will be used throughout this chapter. In this chapter, the following are key terms.


As explained in Chapter 1, an assurance engagement is defined as ‘an engagement in
which a practitioner aims to obtain sufficient appropriate evidence to express a conclusion
designed to enhance the degree of confidence of the intended users other than the
responsible party about the outcome of the measurement or evaluation of the underlying
subject matter against criteria. The outcome of the measurement or evaluation of the
underlying subject matter is the information that results from applying the criteria to the
underlying subject matter’ (The Hong Kong Framework for Assurance Engagements, March 2014,
issued by the Hong Kong Institute of Certified Public Accountants, paragraphs 10 and 11 – The
Framework). An assurance engagement will be either an attestation engagement or a direct
engagement.

• An attestation engagement is an assurance engagement ‘in which a party other
than the practitioner measures or evaluates the underlying subject matter against the
criteria. The subject matter information may be presented by the practitioner in their
assurance report or in a document prepared by another party’ (e.g. entity). In an
attestation engagement, the practitioner’s conclusion addresses whether the subject
matter information is free from material misstatement. This type of engagement is the
most common and will be the focus of this chapter.

• A direct engagement is an assurance engagement ‘in which the practitioner
measures or evaluates the underlying subject matter against the applicable criteria
and the practitioner presents the resulting subject matter information as part of,
or accompanying, the assurance report. In a direct engagement, the practitioner’s
conclusion addresses the reported outcome of the measurement or evaluation of the
underlying subject matter against the criteria.’

The two types of assurance engagements are a reasonable assurance engagement and a
limited assurance engagement.

• Reasonable assurance engagement: ‘The objective of a reasonable assurance
engagement is a reduction in assurance engagement risk to an acceptably low level in
the circumstances of the engagement as the basis for a positive form of expression of
the practitioner’s conclusion’. It is a high, but not absolute, level of assurance.

• Limited assurance engagement: ‘The objective of a limited assurance engagement
is a reduction in assurance engagement risk to a level that is acceptable in the
circumstances of the engagement, but where that risk is greater than for a reasonable
assurance engagement, as the basis for a negative form of expression of the
practitioner’s conclusion.’

Engagement circumstances: ‘The broad context defining the particular engagement,
which includes: the terms of the engagement; whether it is a reasonable assurance
engagement or a limited assurance engagement, the characteristics of the underlying subject
matter; the measurement or evaluation criteria; the information needs of the intended users;
relevant characteristics of the responsible party, the measurer or evaluator, and the engaging
party and their environment; and other matters, for example events, transactions, conditions
and practices, that may have a significant effect on the engagement.’

Practitioner: A ‘professional accountant’ in public practice, being an individual who is a
member of the Hong Kong Institute of Certified Public Accountants (HKICPA).


Agreed-upon procedures engagement (for the purpose of HKSRS 4400): ‘An engagement
in which an auditor is engaged to carry out those procedures of an audit nature to which
the auditor and the entity and any appropriate third parties have agreed and to report on
factual findings. The recipients of the report form their own conclusions from the report by
the auditor. The report is restricted to those parties that have agreed to the procedures to
be performed since others, unaware of the reasons for the procedures may misinterpret the
results.’ It is a non-assurance engagement.

Compilation engagement: ‘An engagement in which a practitioner applies accounting
and financial reporting expertise to assist management in the preparation and presentation
of financial information of an entity in accordance with an applicable financial reporting
framework, and reports as required by this HKSRS’ (HKSRS 4410 (Revised)). It is a non-assurance
engagement.

Prospective financial information: ‘Financial information based on assumptions about
events that may occur in the future and possible actions by an entity. Prospective financial
information can be in the form of a forecast, a projection or a combination of both.’

Subject matter information is used to mean ‘the outcome of the measurement or
evaluation of an underlying subject matter against the criteria’. It is the subject matter
information about which the practitioner gathers sufficient appropriate evidence as the basis
for the practitioner’s conclusion. It can be financial information or non-financial information.

A service organisation (for the purpose of HKSAE 3402) is an independent third-party
organisation that provides particular services to user entities that are of likely relevance to user
entities’ internal control as it relates to financial reporting. That is, they provide a service to the
entity that the entity relies on as part of its financial reporting process.

A GHG statement (for the purpose of HKSAE 3410) is a statement setting out constituent
elements and quantifying an entity’s greenhouse gas (GHG) emissions for a specific period
(sometimes known as an ‘emissions inventory’) and, where applicable, includes comparative
information and explanatory notes including a summary of significant quantification and
reporting policies. It may also include a categorised listing of removals or emissions deductions.
Greenhouse gases are defined as carbon dioxide and any other gases required under the
applicable criteria to be included in the GHG statement.

Pro forma financial information (for the purpose of HKSAE 3420) is financial information,
shown together with adjustments, to illustrate the impact of an event or transaction on
unadjusted financial information as if the event had occurred or the transaction had been
undertaken at an earlier date selected for purposes of the illustration. It is presented in
columnar format showing unadjusted financial information (usually historical), pro forma
adjustments (reflecting the proposed transaction/event), and the resulting pro forma
results column.

Summary financial statements (for the purpose of HKSA 810 (Revised)) are historical
financial information extracted from the audited financial statements. They are
prepared by the entity’s management based on applied criteria set by the entity that the
practitioner audits.

An investment circular is a document issued by an entity (issuer entity) pursuant to
statutory or regulatory requirements relating to securities on which it is intended that a third
party should make an investment decision, including a prospectus, listing particulars, and a
circular to shareholders or a similar document.

Connected transactions (for the purpose of PN 740) are defined by Chapter 14A of the Main
Board Listing Rules. They are transactions ‘with connected persons, and specified categories
of transactions with third parties that may confer benefits on connected persons through
their interests in the entities involved in the transactions. They may be one-off transactions or
continuing transactions.’

Connected persons (for the purpose of PN 740) are essentially particular related parties of
the entity and include, for example, a director, chief executive, or substantial shareholder of the
listed issuer or any of its subsidiaries or their associates and any persons deemed by the Stock
Exchange to be connected.

Analytical procedures are evaluations of financial information through analysis of
plausible relationships among both financial and non-financial data. Analytical procedures
also encompass such investigation as is necessary of identified fluctuations or relationships
that are inconsistent with other relevant information or that differ from expected values by a
significant amount.

12.1.2 Critical Distinctions Between Assurance and Non-assurance Engagements
As already explained in Chapter 1, Section 1.1.1, there are five elements that must be present
for the engagement to be an assurance engagement. By way of brief reminder, these
elements include:

• A three-party relationship (the practitioner, the responsible party – within the entity –
and intended users);

• Appropriate subject matter (identifiable and capable of consistent evaluation/
measurement against the identified criteria);

• Suitable criteria (depends on engagement circumstances – may need to be specified
by law/regulation or designed to meet the needs of specified intended users. Criteria
provide the definitive reference for evaluating/measuring the subject matter against);

• Sufficient, appropriate evidence to support the assurance conclusion; and

• A conclusion contained within a written report.

As noted in the assurance engagement definition, the practitioner in an assurance
engagement obtains sufficient appropriate evidence on the financial/non-financial information
about the outcome of the measurement or evaluation of the underlying subject matter against
criteria to enable them to express a conclusion, having planned, designed, and performed their
audit procedures to achieve this outcome.

If any of the above assurance elements are missing, then the engagement is not an
assurance engagement. In a non-assurance engagement, the practitioner ordinarily does not
specify the criteria (the entity does), and the level of evidence obtained on the subject matter
information is less than required for an assurance engagement. The factual findings report
issued by the practitioner on the results of the agreed procedures therefore provides the entity
with no independent assurance on the underlying subject matter information and the entity
has to form their own opinion about the outcome of the reported findings. The practitioner
does not verify or express any opinion on the accuracy or completeness of the entity’s
information being reported on.

Key Learning Point


Practitioners can perform a wide variety of assurance engagements (other than audits) on
different subject matter information and also conduct engagements that do not provide
any assurance on the specified subject matter.

Knowledge Check Questions

Question 1
Identify which of the following is not an assurance engagement.
A An engagement to report on whether certain financial internal controls are operating as
designed by the company.
B An engagement to report on the effectiveness of the company’s financial internal
controls related to inventory.
C An engagement to report on the effectiveness of certain company financial internal
controls related to inventory, by performing procedures specified by the entity.
D An engagement to report on whether the company’s financial internal control
environment is operating effectively.

Question 2
Explain whether an HKICPA practitioner is able to perform all types of assurance and
non-assurance engagements.

12.2 OTHER ASSURANCE ENGAGEMENTS AND NON-ASSURANCE ENGAGEMENTS OVERVIEW

Assurance engagements are reviews and any other assurance engagements, other than audits.

12.2.1 Reviews Overview


A review engagement is a particular type of assurance engagement that is designed to provide
a limited assurance conclusion that the financial information subject to review is free from
material misstatement.


The practitioner designs procedures (consisting of making enquiries, performing analytical
procedures and other review procedures – observing, reading, and evaluating) to reduce, to
a moderate level of risk, the possibility of expressing an inappropriate conclusion. A review
may bring significant matters affecting the financial information to the practitioner’s attention,
but it does not provide all of the evidence that would otherwise be required in an audit. It
does not provide the practitioner with a basis for expressing an opinion as to whether the
financial information gives a true and fair view or is presented fairly, in all material respects,
in accordance with an applicable financial reporting framework. Review engagements are by
nature more cost effective than an audit as they are less time consuming and require fewer
procedures to be performed.

The two HKSREs that apply to review engagements are:

• HKSRE 2400 (Revised) Engagements to Review Historical Financial Information (performed
by a practitioner who is not the auditor of the entity).

The objective of this review is to enable a practitioner to state whether, on the
basis of procedures that do not provide all the evidence that would be required in a
review, anything has come to the practitioner’s attention that causes them to believe
that the historical financial information is not prepared, in all material respects, in
accordance with an applicable financial reporting framework (being the applicable
criteria). As the practitioner is not the entity’s auditor, they will not ordinarily have
the same understanding of the entity and its environment, including its internal
controls relevant to financial reporting, and has to therefore perform additional
procedures from that of HKSRE 2410 to gain an understanding sufficient for the
engagement.

• HKSRE 2410 Review of Interim Financial Information Performed by the Independent
Auditor of the Entity (performed by a practitioner who is the auditor of the
reporting entity).

The objective of this review is to enable a practitioner to state whether, on the
basis of procedures that do not provide all the evidence that would be required in a
review, anything has come to the practitioner’s attention that causes the practitioner to
believe that the interim financial information is not prepared, in all material respects,
in accordance with an applicable financial reporting framework (being the applicable
criteria). This engagement is required for listed issuers by the Main Board Listing Rules
and GEM Listing Rules. It can also be applied in circumstances when the practitioner
reviews historical financial information (other than interim financial information).
The practitioner, as the appointed auditor, brings audit-based knowledge to such an
engagement, including having an understanding of the entity and its environment,
including its internal controls relevant to financial reporting.

12.2.2 Assurance Engagements Other than Reviews or Audits Overview


HKSAE 3000 (Revised) Assurance Engagements Other Than Audits or Reviews of Historical Financial
Information (HKSAE 3000 (Revised)) applies to engagements where the practitioner provides
either limited or reasonable assurance as to whether the particular subject matter is free from
material misstatement based on the outcome of the measurement or evaluation (applicable
criteria) of that underlying subject matter information. It is the overarching standard for all
assurance standards and sets out the minimum requirements for all assurance engagements
in terms of their general acceptance and continuance, planning, performing, evaluating, and
minimum reporting requirements and is designed to cover diverse types of subject matter
information (financial or non-financial information) and different levels of assurance. It also
contains relevant ethical and quality control requirements. The subject matter information
specific standards in the HKSAE suite are to be read in conjunction with this standard such that
the assurance practitioner must comply with the requirements of both standards.

It is important to note that the practitioner does not have to be the entity’s auditor to
perform most of these assurance engagements. Where the practitioner must also be the
auditor, this will be noted, together with the reasons why.

The practitioner plans and performs assurance engagements with:

• An attitude of professional scepticism, recognising that circumstances may exist that
cause the subject matter information to be materially misstated;

• Professional judgement, including in planning, determining the nature, timing
and extent of the procedures, and evaluating the evidence collected; and

• Assurance skills and techniques, applied as part of an iterative, systematic
engagement process.

12.2.3 Assurance Reports on Controls at a Service Organisation Overview


HKSAE 3402 Assurance Reports on Controls at a Service Organisation (HKSAE 3402) applies
to assertion-based engagements where the practitioner (known as a service auditor) is
engaged by an entity (called a service organisation) to provide reasonable assurance on the
organisation’s suitable design of a particular system’s internal controls related to financial
reporting, as compared to the described and designed control objectives. The standard applies
only when the service organisation is responsible for, or otherwise able to make a statement
about, the suitable design of controls.
The assurance report is used by the entity and its external auditors. The practitioner’s
report is described as either a type 1 or type 2 report. A type 1 report is a report on the
description and design of controls at the service organisation. A type 2 report is a report on
the description, design, and operating effectiveness of controls at the service organisation. The
practitioner does not have to be the entity’s auditor to perform this engagement. HKSAE 3402 is
read in conjunction with HKSAE 3000 (Revised).

Examples of service organisations are superannuation administrators (processing member
benefit payments and contributions received), outsourced payroll providers (processing and
paying employee wages, salaries, and entitlements), outsourced expenditure processors
(processing and paying direct invoices), and IT administrators (maintaining the general controls
of a particular computer system or the entire network).

12.2.4 Assurance Engagements on Greenhouse Gas Statements Overview


HKSAE 3410 Assurance Engagements on Greenhouse Gas Statements (HKSAE 3410) applies
to practitioners providing limited or reasonable assurance on an entity’s greenhouse gas
(GHG) statement. Where the engagement does not cover the entity’s entire GHG statement,
the term ‘GHG statement’ is to be read as that portion that is covered by the engagement.
The practitioner does not have to be the entity’s auditor to perform this engagement. HKSAE
3410 is read in conjunction with HKSAE 3000 (Revised).

HKSAE 3410 sets out practitioners’ responsibilities in identifying, assessing, and responding
to risks of material misstatement when reporting on GHG statements. The statement can be
prepared as part of a regulatory disclosure regime, as part of an emissions trading scheme
(ETS), or to inform investors and others on a voluntary basis. HKSAE 3410 applies to a broad
range of situations, from emissions from electricity used at a single office to emissions
from complex physical or chemical processes at several facilities across a supply chain. The
practitioner’s assurance conclusion is expressed in terms of whether the GHG statement is
prepared in all material respects in accordance with the applicable criteria. Applicable criteria
in the context of HKSAE 3410 are the criteria used by the entity to quantify and report its
emissions in the GHG statement.

HKEX Listing Rules, Appendix 27 Environmental, Social and Governance Reporting Guide
(31 December 2015 onwards) contains environmental, social, and governance reporting
obligations for Hong Kong listed entities (these are couched in terms of those that are ‘comply
or explain’ and disclosures that are simply recommended) that include GHG reporting.

12.2.5 Pro Forma Financial Information Overview


HKSAE 3420 Assurance Engagements to Report on the Compilation of Pro Forma Financial
Information Included in a Prospectus (HKSAE 3420) deals with reasonable assurance
assertion-based engagements undertaken by a practitioner to report on a responsible party’s
compilation of pro forma financial information included in a prospectus. HKSAE 3420 is read in
conjunction with HKSAE 3000 (Revised).

Pro forma financial information reflects a significant event or transaction of the entity and
is ordinarily prepared for inclusion in a fundraising prospectus, pursuant to the Hong Kong
Listing Rules, the Hong Kong Takeover Code, or the Hong Kong Companies (Winding Up and
Miscellaneous Provisions) Ordinance. There are Hong Kong Listing Rules that apply to issuer
prospectuses and where an issuer includes pro forma financial information in any document.

Under HKSAE 3420, the practitioner performs procedures to obtain sufficient appropriate
evidence to enable them to assess whether the applicable criteria used by the entity in the
compilation of the pro forma information provide a reasonable basis for presenting the
effects of the event or transaction (for example an acquisition, disposal, or merger), whether
the adjustments made reflect the proper application of those adjustments to the underlying
financial information and, finally, whether the pro forma financial information has been properly
compiled and has been appropriately presented and disclosed. It also involves evaluating
the overall presentation of the pro forma financial information. Applicable criteria in this
engagement are the criteria used by the entity to compile the pro forma financial information
and may be set by law or regulation or developed by the entity.

12.2.6 Summary of Financial Statements Overview


HKSA 810 (Revised) Engagements to Report on Summary Financial Statements (HKSA 810
(Revised)) deals with reasonable assurance assertion-based engagements undertaken by a
practitioner to report on the entity’s summary financial statements, which have been directly
extracted from the annual financial statements audited by that same practitioner. It is to be
read in conjunction with the requirements of the suite of Hong Kong Standards on Auditing.
This is because the engagement relies on the underlying financial statements, from which the
summary financial statements are extracted, having been audited, and only the auditor can
have the appropriate knowledge of those audited financial statements. HKSA 810 (Revised) is
read in conjunction with applicable HKSA standards. The engagement is treated as separate
to the audit of the financial statements and has separate terms and conditions that may be
separately included in the audit engagement letter or issued as a separate engagement letter.

The practitioner’s objective, as the entity’s auditor, is to ensure that the summary financial
statements are appropriately extracted from the audited financial statements, the applied
criteria used for the extraction are acceptable, and the criteria have been used appropriately
in preparing the summary financial statements, and that the summary financial statement
disclosures contain the information necessary and are not misleading.

Apply and Analyse 1


The Chief Financial Officer of Yau Manufacturing Company Ltd, Ms. Chan, has requested
your firm, Jay & Co, to perform an assurance engagement to provide reasonable assurance
on their compliance with the borrowing facility covenants of their financier, Dan & Co. They
explain that the required covenant calculations are directly derived from their historical
financial information results for the most recent financial year, 31 December 20X8.
The covenants are a mixture of amounts, percentages, and ratios. Dan & Co put these
covenants in place in the current financial year as a result of Yau’s secured loan being
increased to fund their expansion of their manufacturing plant located in Chengdu. Dan &
Co requires a copy of the assurance report. Jay & Co are not the appointed auditor of Yau.

Explain what HKICPA standard this engagement would be conducted under, and why.

Analysis

This reasonable assurance engagement would be conducted under HKSAE 3000 (Revised)
Assurance Engagements Other Than Audits or Reviews of Historical Financial Information. This
is due to the borrowing covenants being directly derived from Yau’s historical financial
information.

12.2.7 Investment Circular Reporting Engagements Overview


Investment circulars are used for issuing a new listing of debt or equity securities (or for
acquisitions/mergers). The Rules Governing the Listing of Securities on the Stock Exchange
of Hong Kong Limited (Listing Rules) and the Rules Governing the Listing of Securities on the
Growth Enterprise Market Operated by the Stock Exchange of Hong Kong Limited (GEM Rules)
set out the reporting requirements for entities.

An investment circular may contain a profit forecast, must contain statements of sufficiency
of working capital and statements of indebtedness and may include historical financial
information. This historical financial information may have been previously included in audited
financial statements, prepared solely in connection with the investment circular (‘underlying
financial statements’) and/or be other historical financial information that may or may not have
been audited.


12.2.7.1 Historical Financial Information


HKSIR 200 Accountants’ Reports on Historical Financial Information in Investment Circulars (HKSIR
200) applies to engagements where the practitioner, as the reporting accountant, is requested
to prepare a reasonable assurance accountants’ report on the entity’s historical financial
information for inclusion in an investment circular, such as a prospectus in accordance with
the Companies Ordinance (Sections 31–33 of Part II of the Third Schedule). The practitioner’s
engagement objective is to conclude on whether the reported historical financial information
gives a true and fair view for the purposes of the accountant’s report.

12.2.7.2 Profit Forecasts, Statements of Sufficiency of Working Capital and Statements of Indebtedness

HKSIR 500 (May 2020) Reporting on Profit Forecasts, Statements of Sufficiency of Working Capital and
Statements of Indebtedness (HKSIR 500 (May 2020)) provides guidance where the practitioner, as the
reporting accountant, is requested to report on these specific types of information included in
an investment circular document and is written in the context of new listings of equity securities.

Profit Forecasts
Entities are not required to include a profit forecast in their investment circular document.
A profit forecast is the entity’s best estimate, using judgement and making certain assumptions,
of its future results at a point in time, assuming planned/expected future events and certain
transaction volumes and using historical financial information as the base to adjust. The time
period covered by the entity’s profit forecast ordinarily correlates with the financial year end
or sometimes half year end (provided the interim report for that half year is audited). Profit
forecasts must be clear, unambiguous, and presented in an explicit manner. The principal
assumptions on which it is based must be stated and it must be prepared on a basis that is
consistent with the entity’s normal accounting policies.

Where the entities choose to include a profit forecast, they are required to obtain a
reasonable assurance report from a practitioner on the profit forecast being properly compiled
by the entity on the basis of the assumptions made (and disclosed). The engagement is
conducted with reference to HKSAE 3000 (Revised) Assurance Engagements Other Than Audits
or Reviews of Historical Financial Information. The practitioner’s objective for this engagement
is to provide a reasonable assurance report on the profit forecast, being prospective financial
information, so far as the accounting policies and calculations are concerned, as to whether it
has been properly compiled by the entity on the basis of the assumptions made.

Profit forecasts by nature are highly subjective, contain inherent uncertainties, and depend
on the nature of the entity’s business (stable or highly volatile results), key assumptions, and
judgements the entity has made about future events and transactions. This is particularly
evident if the forecast reporting period extends beyond a year. Due to these factors, the
practitioner ordinarily restricts reporting on profit forecasts to those that are for periods one
year or less from the date of the last audited financial statements.

Statements of Sufficiency of Working Capital


Listing Rules (Appendix 1A) and GEM Rules (Appendix 1A) require the entity’s investment
circular document for a new listing of equity securities to include a statement of sufficiency of
working capital by the issuer entity’s directors that in their opinion the working capital available
to the entity’s group is sufficient for the group’s present requirements (that is for at least the
next 12 months from the date of publication of the investment circular) or, if not, how the
directors propose to provide that additional working capital required. The entity is required to
obtain an independent assurance report from a practitioner on the statement’s accuracy.

The practitioner’s objective for this engagement is to provide a reasonable assurance
report on the directors’ statement of sufficiency of working capital, primarily through making
inquiries of the entity’s management, considering the analyses and assumptions on which the
working capital forecast is based and applying analytical procedures to financial data in the
working capital forecast. The engagement is conducted with reference to HKSAE 3000 (Revised)
Assurance Engagements Other Than Audits or Reviews of Historical Financial Information.

Statement of Indebtedness
The Listing Rules and GEM Rules require a listed issuer’s investment circular document
relating to a new listing of equity securities to include a directors’ statement of indebtedness
as at the most recent practicable date (normally no more than two months before the issue
of the investment circular) of the total amount of all loan capital, borrowings, indebtedness,
mortgages, charges, contingent liabilities, and guarantees. The entity is required to obtain an
independent report from a practitioner on the statement’s accuracy.

The practitioner’s objective for this engagement is to perform agreed-upon procedures
on the directors’ statement of the entity’s indebtedness and contingent liabilities and report
factual findings based on the results of those procedures. These procedures include confirming
with external financiers the entity’s financing facilities in place and reviewing the profit
forecast. The engagement is conducted with reference to HKSRS 4400 Engagements to Perform
Agreed-Upon Procedures Regarding Financial Information.

12.2.8 Agreed-Upon Procedures Overview


In an agreed-upon procedures (AUP) engagement on particular financial information the
practitioner is engaged to carry out specified procedures on particular financial information
prepared by the entity and to report factual findings (no assurance is expressed). Financial
information can be an individual item of financial data (e.g. an account balance), a financial
statement, or a complete set of financial statements. Agreed-upon procedures engagements
are performed in accordance with HKSRS 4400 Engagements to Perform Agreed-Upon Procedures
Regarding Financial Information. The standard can also be applied to non-financial information
provided the practitioner has adequate knowledge of the subject matter information and
reasonable criteria exist on which to base findings. The report is restricted for use to those
parties who specified or agreed to the procedures performed by the practitioner, as any other
parties may misinterpret the results reported. Users of the practitioner’s report must form their
own conclusions on the results of the procedures performed.

This type of engagement is useful as it can be targeted to particular financial information,
for example it can cover accounts payable, accounts received, related party transactions, and
purchases/sales.

12.2.9 Preliminary Announcements of Annual Results Overview


The entity’s auditors must approve the publishing of the entity’s preliminary announcement of
annual results for the financial year under the requirements of the Main Board (Appendix 3) or
GEM Listing Rules (Appendix 4). Preliminary announcements are the first public communication
of the entity’s (as listed issuer) financial year end results, and are relied on by investors and
other interested parties to provide timely, sufficient, and accurate information on the entity’s
results and financial position, and either confirm or update market expectations on the entity’s
results. The engagement is a non-assurance engagement.

The engagement is conducted in accordance with HKSRS 4400 Engagements to Perform
Agreed-Upon Procedures Regarding Financial Information (refer to Section 12.2.8 for more details)
and Practice Note (PN) 730 (Revised) Guidance for Auditors Regarding Preliminary Announcements
of Annual Results. The practice note provides additional guidance for auditors on their specific
responsibilities when reporting on the preliminary announcements of results. The objective of
this engagement is for the practitioner, as auditor, to report factual findings on the preliminary
announcement results to be reported, including that they are consistent with the audited
financial statements. Preliminary results may be based on either audited financial statements
or draft financial statements, depending on the status of the audit process. If they are based
on draft financial statements, the preliminary announcement may need to be revised if
changes are identified through finalising the audit process.

12.2.10 Continuing Connected Transactions Overview


Practice Note 740 Auditor’s Letter on Continuing Connected Transactions under the Hong Kong
Listing Rules provides guidance to a practitioner when performing limited assurance
engagements on the annual reporting of continuing connected transactions by a listed
issuer in the annual report. This annual reporting is required by Chapter 14A of the Main
Board Listing Rules or Chapter 20 of the GEM Listing Rules issued by the Stock Exchange of
Hong Kong Limited (the ‘Stock Exchange’). The engagement is conducted in conjunction with
HKSAE 3000 (Revised).

The listed issuer is required annually to request its auditor to issue a letter in respect
of continuing connected transactions and is required to state in the annual report whether
its auditor has confirmed the specific matters stated in the Listing Rules. The practitioner is
expected to be the entity’s auditor to perform this assurance engagement.

The types of transactions to be reported on include transactions of a capital or revenue
nature, and whether they are conducted in the ordinary and usual course of business of the
listed issuer’s group. Examples are (non-exhaustive list) acquisitions or disposals of assets,
entering into or terminating finance leases or operating leases or sub-leases, issuing new
securities of the listed issuer or its subsidiaries, and providing, receiving, or sharing services.

It is important to note that this engagement does not provide the practitioner with a basis
for expressing an opinion on whether the continuing connected transactions disclosed in the
listed issuer’s annual report give a true and fair view, or are presented fairly, in all material
respects, in accordance with an applicable financial reporting framework or whether the
listed issuer has complied with all the applicable requirements of the Listing Rules in respect of
continuing connected transactions.

12.2.11 Comfort Letters Overview


HKSIR 400 (Revised) Comfort Letters and Due Diligence Meetings deals with engagements where the
practitioner, as the entity’s auditor, is requested to issue a comfort letter in connection with the
entity’s due diligence responsibilities under Hong Kong Listing Rules/GEM Rules. The standard
also applies when the practitioner participates in a due diligence meeting for an offering of
securities in Hong Kong. This is discussed in more detail in Section 12.2.12. A comfort letter is
issued to agreed addressees, usually the issuer entity and the sponsors, being the signatories to
the practitioner’s engagement letter and reports on particular financial information included by
the entity in a securities offering document for issuance to third parties.

The procedures performed in this engagement are conducted in accordance with HKSIR
400 (Revised) and the relevant HKICPA standard for the engagement circumstances. The
engagement can be a combined assurance and non-assurance engagement. Limited assurance
is ordinarily provided on reporting on subsequent changes in historical financial information
included in the investment circular (in accordance with the principles in HKSAE 3000 (Revised)
Assurance Engagements Other Than Audits or Reviews of Historical Financial Information) with
factual findings reporting on the agreed-upon procedures (in accordance with the principles
in HKSRS 4400 Engagements to Perform Agreed-Upon Procedures Regarding Financial Information)
performed on specific financial and non-financial information included in the comfort letter.
The practitioner is required to have been the entity’s auditor for the time covered by the
comfort letter. This is due to the engagement report (letter) being dependent on in-depth
knowledge of the audited financial statements, which are related to the historical financial
information included in the comfort letter.

The comfort letter is issued to requesting parties in relation to particular financial
information related to, and/or included by the entity in, a securities offering document that will
be issued to third parties. The comfort letter is issued to the agreed addressees, usually the
issuer entity and the sponsors, being the signatories to the practitioner’s engagement letter.
It is prepared based on the practitioner:

• Having performed the requesting parties’ due diligence specified procedures as
measured against applicable criteria with no assurance expressed. The practitioner does
not determine whether the extent of such procedures is sufficient for the purposes
of the requesting parties. Practitioners only comment on matters to which their
professional competence is relevant. Additionally, the practitioner should limit their
comments in the comfort letter to information other than financial information only
when it has been sourced from accounting records that are subject to internal controls,
policies, and procedures of which reporting accountants have knowledge or it has been
the subject of a separate assurance engagement conducted in accordance with the
relevant HKICPA standard.

• If applicable, having provided limited assurance (or if this is inappropriate in the
engagement circumstances, no assurance – factual findings) on the amount of
subsequent changes (increases/decreases) made in particular items in the audited
historical financial information (e.g. net current assets, share capital, long-term debt,
and receivables) that occurred subsequent to the date and period of the historical
financial information, and ending at the cut-off date. The practitioner avoids reporting
on the reasons for such changes. This subsequent changed information should be
prepared on the same basis as the underlying historical financial information.

12.2.12 Due Diligence Work Overview


The entity has particular due diligence responsibilities in respect of issuing securities (debt or
equity) as set out by the Hong Kong Stock Exchange (the Stock Exchange), which a sponsor
assists in performing. A sponsor can be any corporation or authorised financial institution,
licensed or registered under applicable laws to advise on corporate finance matters, approved
by the Stock Exchange and appointed by a new entity applicant under the Listing Rules/GEM
Rules to assist the new entity with its initial application for listing. The sponsor will conduct
reasonable due diligence inquiries, aimed broadly at ensuring that the issuer is suitable to be
listed, that the directors understand their obligations both on initial listing and subsequently,
and that the investment circular complies with the Listing Rules/GEM Rules and is accurate and
complete in all material respects and is not misleading.

HKSIR 400 (Revised) also deals with engagements where the practitioner, as the entity’s
auditor, is requested by the sponsor to attend one or more meetings (due diligence meeting)
with the issuer entity representatives, sponsors, and legal counsel, at which meeting the
respective parties are requested to respond to the sponsor’s specific questions. These
questions, which assist the sponsor in fulfilling their responsibilities, ordinarily relate to the business
of the issuer entity, information contained in the investment circular, the nature of the
engagement undertaken by the practitioner, financial reporting, corporate governance, and
other matters of interest to the sponsors.

A high-level summary of all these engagements discussed is included in Exhibit 12.1.

| Comparison | Assurance engagement | Review engagement | No assurance engagement |
|---|---|---|---|
| When do you choose this engagement type? | When an independent, reasonable, or limited conclusion is required over particular subject matter information other than audits or reviews. | When an independent conclusion on historical or interim financial information (particular subject matter information) is required, but the entity does not need the cost and extent of an audit. A review is a particular type of assurance engagement. | When there is no need for assurance on the subject matter information but requires the practitioner to perform agreed-upon procedures to: • Provide additional reliable information that specific matters have been done; or • Compile the entity’s financial information. |
| Is the practitioner required to be independent? | Yes, the practitioner’s independence is required for all types of assurance engagements. | Yes, the practitioner’s independence is required for all review engagements. | No, independence is not required for any type of non-assurance engagements. |
| What does the practitioner do in this type of engagement? | The practitioner assesses how the entity has prepared its subject matter information and provides an independent practitioner report giving a positive or negative opinion (as appropriate) on the subject matter information. | The practitioner assesses how the entity has prepared its historical or interim financial information and provides a report giving a negative independent practitioner opinion. Limited assurance provides a lower level of assurance than reasonable assurance. | The practitioner is required to perform procedures specified by the entity: • These procedures are not designed to support an opinion but are designed to provide a factual report to the user; or • The practitioner provides accounting expertise to the entity to compile and present their financial information. |

EXHIBIT 12.1 Overview of other assurance engagements


Key Learning Point


Assurance engagements can be diverse and cover a wide variety of financial and/or
non-financial information. The practitioner needs to have the appropriate expertise in the
subject matter information to perform these types of engagements. A review is a particular
type of assurance engagement, providing limited assurance on financial information that
may be performed by the entity’s auditor or an independent practitioner. Non-assurance
engagements can be diverse and cover a wide variety of financial and/or non-financial
information and are useful in targeting procedures on specific information and their
characteristics. The practitioner needs to have the appropriate expertise in the subject
matter information to perform these types of engagement. The practitioner may or may
not be independent of the entity.

Apply and Analyse 2


The Chief Financial Officer of Yau Manufacturing Company Ltd, Ms. Chan, has asked your
firm Jay & Co to perform an agreed-upon procedures engagement on the effectiveness
of recently implemented internal controls related to maintaining the quality assurance
process for their latest chipset production line at their manufacturing plant located in
Chengdu. Yau have provided you with a complete list of the procedures that they would
like you to perform in order to assess the effectiveness of the relevant internal controls,
and this list looks reasonable. They have asked that you visit the manufacturing plant as
part of the engagement and to perform some of the required procedures in observing the
controls in operation.

Explain what key considerations you should make prior to accepting this engagement if
Jay & Co are not Yau’s appointed auditor.

Analysis

HKSRS 4400 Engagements to Perform Agreed-Upon Procedures Regarding Financial Information
is the relevant HKICPA standard. It also applies to non-financial information.

Key considerations would include:

• Whether the practitioner can comply with the relevant ethical requirements in
the Code of Ethics and the requirements of HKSQC 1 Quality Control for Firms That
Perform Audits and Reviews of Financial Statements, and Other Assurance and Related
Services Engagements.

° In assessing the ethics, you should first consider if you have the appropriate
expertise and experience in internal controls related to quality assurance to
accept the engagement.

° There is no requirement to be independent in this type of engagement, but this
is not a problem as you are not Yau’s auditor.

• Assess if you can meet any engagement pre-conditions.

There are no specific pre-conditions in HKSRS 4400.



The one pre-condition that Yau have asked for is that you visit the manufacturing plant
at Chengdu. You would need to assess the logistics of attending the plant, but this request
appears reasonable as it would be appropriate to observe the relevant internal controls.

• Consider any engagement risks of accepting this engagement.

You would need to consider Yau’s reputation (e.g. from any prior experience obtained
in performing different types of engagements for Yau), and whether you had, or anticipate for
this engagement, any difficulties in accessing or obtaining the required information, or
performing the procedures. Consider if Yau’s procedures are reasonable and complete, or
if there are any significant deficiencies in them that may make the engagement impractical
or an engagement you and your firm do not want to be professionally associated with.

12.2.13 Compilation Engagements Overview


In a compilation engagement, the practitioner is engaged to carry out specified compilation
procedures on particular financial information prepared by the entity and to report factual
findings (no assurance is expressed). Compilation engagements on historical financial information
are conducted in accordance with HKSRS 4410 (Revised) Compilation Engagements. The standard
can also be applied to financial information other than historical financial information, and to
non-financial information. The ‘financial information’ may be an individual item of financial data
(e.g. an account balance), a financial statement, or a complete set of financial statements.

Practitioners are requested to perform such engagements as they have professional
expertise in accounting and financial reporting in compliance with required standards and
can therefore assist management in the preparation and presentation of the entity’s financial
information in accordance with an applicable financial reporting framework (applicable criteria).
Users of the information derive benefit because of the professional competence and due care
with which the work is carried out and because of the ethical and professional standards that
apply to the work HKICPA practitioners perform.

A summary of the key engagement differences between assurance (including limited and
reasonable assurance) and non-assurance engagements is included in Exhibit 12.2.

| Engagement type | Applicable HKICPA standard | Assurance provided? | Type of assurance | No assurance? |
|---|---|---|---|---|
| Review of historical financial information | HKSRE 2400 (Revised) | Yes | Limited | N/A |
| Review of interim financial information performed by the independent auditor | HKSRE 2410 | Yes | Limited | N/A |
| Reporting on summary financial statements | HKSA 810 (Revised) | Yes | Reasonable | N/A |
| Assurance engagements other than reviews or audits | HKSAE 3000 (Revised) | Yes | Reasonable or limited | N/A |
| Reporting on controls at a service organisation | HKSAE 3402 | Yes | Reasonable | N/A |
| Reporting on greenhouse gas statement | HKSAE 3410 | Yes | Reasonable or limited | N/A |
| Reporting on pro forma financial information | HKSAE 3420 | Yes | Reasonable | N/A |
| Reporting on historical financial information in investment circulars | HKSIR 200 | Yes | Reasonable | N/A |
| Providing comfort letters and due diligence meetings | HKSIR 400 (Revised) | No | N/A | Yes |
| Reporting on profit forecasts | HKSIR 500 (May 2020) | Yes | Reasonable | N/A |
| Reporting on the statements of sufficiency of working capital | HKSIR 500 (May 2020) | Yes | Reasonable | N/A |
| Reporting on the statements of indebtedness | HKSIR 500 (May 2020) | No | N/A | Yes |
| Reporting on the preliminary announcement of results | PN 730 (Revised)/HKSRS 4440 | No | N/A | Yes |
| Reporting on continuing connected transactions | PN 740/HKSAE 3000 (Revised) | Yes | Limited | N/A |
| Agreed-upon procedures on financial information (or non-financial information) | HKSRS 4400 | No | N/A | Yes |
| Compilation engagements of financial information | HKSRS 4410 (Revised) | No | N/A | Yes |

EXHIBIT 12.2 Summary of key engagement differences

Knowledge Check Questions

Question 3
Explain the primary way in which a review of interim financial statements differs from
an audit of financial statements.

Question 4
Identify which of the following best explains whether you can accept an engagement by an
entity to compile their financial statements when you are their appointed auditor.
A Yes, there is no problem with compiling financial statements that you then audit.
B No, performing both engagements is a clear conflict of independence for the practitioner
as the practitioner cannot audit financial statements they have compiled.
C No, performing both engagements is a clear conflict of the practitioner’s confidentiality
as the practitioner would obtain information on the financial statements that they could
use in planning the audit engagement.
D Yes, HKSRS 4400 specifically allows this.


12.3 ENGAGEMENT RISKS FOR OTHER ASSURANCE AND NON-ASSURANCE ENGAGEMENTS

A practitioner prior to accepting a new engagement considers the risk of accepting the
engagement with that entity (client). Note that this risk is different from the engagement risk
assessment, which is used by the practitioner, post acceptance, to design procedures based on
the entity risks to enable the practitioner to conclude on the subject matter information criteria
and achieve the desired level of assurance (if applicable).

Engagement risk for non-assurance engagements is the risk that the practitioner reports
incorrect factual findings on the financial information.

Engagement risk for assurance engagements is the risk that the practitioner
expresses an inappropriate conclusion when the subject matter information is materially
misstated.

In assessing the specific engagement risk, the risks are very similar to those explained
in Chapter 3. The practitioner’s assessment is made based on the knowledge and
understanding they have obtained of the entity primarily through review of subject matter
information (sourced from a wide range of different reputable sources) and discussions
with relevant persons (for example, the current auditor, if the practitioner is not also the
appointed auditor, entity’s management, and those charged with governance, internal
audit, and key service providers of the entity related to the subject matter information).

For engagements requiring the practitioner’s independence, the outcomes of these
considerations may cause the practitioner to question their ability to accept the engagement on
the basis of threats to independence that they consider cannot be appropriately safeguarded,
or the other fundamental ethical principles contained in the Code of Ethics.

Engagement risks depend on the particular engagement circumstances and the type of
subject matter information and therefore vary from engagement to engagement.

Here are some examples of engagement risks to consider (non-exhaustive) based on the
practitioner’s preliminary understanding of the engagement:

• The nature of the subject matter information.

° Is the information complex or simple and how was it prepared?

–– Is it prepared on a historical basis? (Was this previously audited/reviewed?)

–– Is it prepared on a prospective basis? (This is ordinarily more risky than
historical, given the degree of subjectivity involved in preparation.)

–– Is it adjusted? (Is there an appropriate basis for the adjustments, based on
‘normal’ entity accounting or other policies?)

–– Is it unadjusted? (Is that reasonable in the engagement circumstances?)


° Is there a relevant HKICPA standard that applies to the subject matter? (This may
reduce risk.)

° Has any part of the subject matter information been previously audited/reviewed/
assured/reported on? If so, what were the report findings? (Previously audited/
reviewed/assured/reported on information may reduce risk, depending on their
findings.)

° What is the degree of subjectivity, estimation, or assumption inherent in the
information? (The more the information is subjective, subject to significant
management estimation, or based on management assumptions, the greater
the risk.)

• The type of assurance (if any) to be provided.

° Is the type of assurance requested reasonable, given the type of subject matter
information, engagement type and purpose, and the needs of the intended
users? (Limited assurance engagements are ordinarily less risky than reasonable
assurance engagements given that they require a lower level of evidence.)

° Is the fact that the entity has requested a non-assurance engagement reasonable
given the subject matter information and engagement circumstances (e.g. consider
the purpose of the information and the needs of intended users)?

• The nature of the business.

° Are there any risks inherent in the entity’s industry, business, or regulatory
environment that may impact the engagement?

° Is the entity financially sound? (Do the entity’s most recent financial results indicate
any problems with their profitability, cash flow position, or going concern issues?)

• The organisational and management structure.

° Is the entity’s legal structure suitable for the type of entity or is it overly complex or
simple? (Does it make sense relative to the business type?)

° Is the entity’s organisational structure simple or complex? (Are there clear lines of
accountability?)

° Is the entity within a group? (Are there clear lines of accountability or segregation of
appropriate duties, and are there any related party transactions?)

• Management group’s key characteristics and integrity.

° Who are the key management personnel that may impact the engagement
(consider their cultural, governance, and internal control attitudes and the
perceived ‘tone at the top’)?

° Are they capable and competent to perform their roles?

° Are there any management incentives that may affect the engagement?

° Could management try and impose any restrictions on the engagement scope?


• Business relationships and related parties of the entity.

° Who are the entity’s key relationship stakeholders that may affect the
engagement (for example, suppliers, customers, consultants, experts, and other
interested parties)?

° Are there any known significant transactions or events that may impact the
engagement?

° Who are the entity’s related parties? Will they impact the engagement?

• The IT environment (including cyber security) as it relates to the engagement.

° What is the status of applicable key legacy systems? Have these been maintained,
regularly backed-up, upgraded, and secured? Can the entity consistently produce
reliable, accurate, and complete information?

° Are there any known security vulnerabilities in key systems (e.g. lack of internal
control – particularly IT general controls and application controls, or a lack of timely
patch management to deploy required updates)? Consider how these issues may
affect the integrity, accuracy, or completeness of the subject matter information.

° What is management’s attitude to maintaining appropriate security over key data
and putting systems into place to appropriately safeguard that data?

° Is there appropriate backup and continuity planning, and regular testing of systems
to ensure required controls are operating effectively (e.g. penetration testing)?

• Any prior knowledge and experience for engagements conducted for the entity.

° Have there been any prior disagreements, adverse findings, questionable actions, or
fee difficulties that may impact the engagement?

• Any legal, regulatory, and professional issues.

° Are there any potential impediments to performing the engagement (e.g. independence)?
Refer to Section 12.3.1 for a discussion on relevant ethical requirements that apply
to the engagement.

• The availability of appropriate engagement resources.

° Will the practitioner have access to appropriate and adequate professional
resources?

° Is the proposed fee for the work appropriate, and does it ensure that a quality
engagement can be conducted?

° Is the proposed timeframe for the engagement acceptable?

• The availability of required information and persons and quality of evidence to support
the subject matter information and any assurance to be provided.

° Is the practitioner aware of any matter that may call into question their ability to
obtain sufficient evidence on which to report appropriately?


Apply and Analyse 3


The Chief Financial Officer of Yau Manufacturing Company Ltd, Ms. Chan, has requested
your firm, Jay & Co, to perform an assurance engagement to provide reasonable assurance
on their compliance with borrowing facility covenants set by their main financiers, Dan & Co.
Ms. Chan explains that the required covenant calculations are directly derived from their
historical financial information results for the most recent financial year, 31 December
20X8. The covenants are a mixture of amounts, percentages, and ratios. Dan & Co put
these covenants in place in the current financial year as a result of Yau’s secured loan being
increased to fund their expansion of their manufacturing plant. Dan & Co also required
that the covenant calculations be independently assured and wish to receive a copy of the
independent assurance report. The 31 December 20X8 financial statements have been
audited by Jin & Co, the external auditor of Yau, and Ms. Chan indicated the audit opinion
was unmodified.

Explain whether or not there are any potential engagement risk(s) in Jay & Co agreeing
to perform this assurance engagement. If there are, explain how the risk(s) can be
appropriately mitigated.

Analysis

Yes, there is an engagement risk as Jay & Co are not the appointed auditor of Yau and
therefore did not audit Yau’s 31 December 20X8 financial statements from which the
covenants are calculated. Consequently, there is the risk that the covenants may be
calculated correctly but based on incorrect information in the financial statements. This
risk can be appropriately mitigated by Jay & Co obtaining a copy of Yau’s 31 December
20X8 audited financial statements, reviewing Jin & Co’s independent auditor’s report for
any disclosed matters that impact the covenants, and ensuring all covenant calculations
are based on, or derived from, the appropriate audited financial statements amounts.

12.3.1 Ethical Requirements of the Engagement


Compliance with relevant ethical requirements is a fundamental part of an HKICPA
engagement. All engagements, regardless of whether they are assurance engagements or
non-assurance engagements, require the HKICPA practitioner to comply with the relevant
ethical requirements. Relevant ethical requirements are those contained in the
Code of Ethics for Professional Accountants (Code of Ethics) and HKSQC 1 Quality Control for Firms
That Perform Audits and Reviews of Financial Statements, and Other Assurance and Related Services
Engagements, or professional requirements or requirements contained in law or regulation
that are at least as demanding as the Code of Ethics and HKSQC 1. This section assumes that
the practitioner is required to comply with the Code of Ethics and HKSQC 1 for all engagements
discussed.

The practitioner is taken to be the engagement partner, with overall responsibility for
the engagement and compliance with required standards, including quality control. They
must ensure that they have sufficient competence to accept this responsibility and that the
engagement team is sufficiently competent and capable. Where law or regulation requires
it, quality control reviews must be conducted. The practitioner is required to remain alert
throughout the engagement to any evidence of non-compliance by engagement team
members with relevant ethical requirements and to take appropriate action if such evidence
is found.


Relevant ethical requirements are contained in the HKICPA Code of Ethics for Professional
Accountants. The following parts of the Code of Ethics apply to other assurance engagements.

• Part 1 describes the fundamental principles of professional ethics that practitioners
must comply with, being: integrity, objectivity, professional competence and due care,
confidentiality, and professional behaviour. This part was effective from 15 June 2019.

• Part 3 illustrates how the conceptual framework is to be applied in specific engagement
situations for professional accountants in public practice. This part was effective from
15 June 2019.

• Part 4 includes independence related requirements for:

° Audits and reviews (Part 4A). This part was effective for audits and reviews of
financial statements for periods beginning on or after 15 June 2019.

° Assurance engagements other than audits and reviews (Part 4B). This part will
be effective for periods beginning on or after 15 June 2019; otherwise, it will be
effective as of 15 June 2019.

Due to the variety of engagement types that can be conducted, Part 1 always applies, with
Parts 3 and 4 dependent on the engagement type.

HKSQC 1 deals with ‘a firm’s responsibilities to design, implement and operate a system of
quality management for audits or reviews of financial statements, or other assurance or related
services engagements’.

HKSQC 1 requires the practitioner who is performing an engagement to be a member of
a firm that is subject to HKSQC 1. It sets out detailed requirements for the firm to establish,
monitor, and maintain in respect of independence (for assurance engagements only) and client
engagement and acceptance procedures. These requirements are mainly consistent with those
of audit engagements.

The practitioner is required to implement quality control procedures that are applicable
to the individual engagement. The elements of quality control that are relevant include
governance and leadership, the firm’s risk assessment process, relevant ethical requirements,
acceptance and continuance of client relationships and specific engagements, engagement
performance, resources, information and communication, and monitoring and remediation
processes.

12.3.1.1 Assurance Engagements


As noted above, practitioners performing assurance engagements in the HKSRE, HKSAE, and
HKSIR suites must comply with relevant ethical requirements. The practitioner is required to
be independent of the entity in all assurance engagements, as independence is critical to the
practitioner performing an unbiased, impartial, and non-conflicted assurance engagement
(independence of mind and in appearance). It also enhances the practitioner’s ability to act
with integrity, to be objective, and to maintain an attitude of professional scepticism. The
practitioner must therefore not accept any assurance engagement where the practitioner
cannot be independent. It is therefore critical for the practitioner to identify any threats to
independence prior to accepting the assurance engagement, evaluate any threats, and apply
appropriate safeguards when necessary to eliminate those threats or at least reduce them to
an acceptable level. Threats can be direct or indirect, financially based or non-financially
based, and actual or perceived. They include self-interest, self-review, familiarity, advocacy,
and intimidation threats. In some cases, there may be no safeguards that can be put in place
to ensure independence, in which case the practitioner should decline to accept the
appointment or, if already appointed, resign/withdraw. For more detail on ‘Independence’,
refer to Chapter 1, Section 1.2.2.2.

For assurance engagements, HKSQC 1 sets out detailed requirements for the firm
to establish, monitor, and maintain in respect of independence and client engagement
and acceptance procedures. It requires the practitioner to comply with relevant ethical
requirements in conducting their assurance engagement, including independence.

Review Engagements
In addition to the application of Part 1 for all review engagements, the following sections in
Parts 3 and 4A also apply:

• Part 3 ‘Professional Accountants in Public Practice’, Section 320 ‘Professional
Appointment’ (incorporating any changes in appointment); and

• All Part 4A ‘Independence for Audit and Review Engagements’.

Note that Section 320 (previously Sections 210 and 440) and Part 4A (previously Section 290)
have already been explained in Chapter 3 and are not repeated here.

All Other Assurance Engagements


In addition to the application of Part 1 for all other assurance engagements, the following
sections in Parts 3 and 4B also apply:

• Part 3 ‘Professional Accountants in Public Practice’, Section 320 ‘Professional
Appointment’ (incorporating any changes in appointment); and

• All Part 4B ‘Independence for Assurance Engagements Other Than Audit and Review
Engagements’.

Refer to Chapter 1, Section 1.2.2.2, for more details on Section 320 ‘Professional
Appointment’ (previously Sections 210 and 440). Part 4B (previously Section 291), like Part 4A
(previously Section 290), requires for all other assurance engagements that the practitioner be
independent of their client.

HKSAE 3410 specifically acknowledges that the practitioner conducting this type of
engagement may not be a professional accountant and bound to follow the Code of Ethics
and HKSQC 1. Therefore, it reminds practitioners to comply with either the Code of Ethics and
HKSQC 1 or professional requirements, or requirements imposed by law or regulation, that
are at least as demanding as Parts 1 (previously Part A), 3 (previously Part B) and 4B (previously
included in Part D) of the Code of Ethics related to assurance engagements and HKSQC 1.

12.3.1.2 Non-Assurance Engagements


As noted above, practitioners performing non-assurance engagements must comply with
relevant ethical requirements, being the Code of Ethics and HKSQC 1. Unlike assurance
engagements, the practitioner is not required to be independent of the entity.

HKSRS 4400 requires, where the practitioner is not independent, that the practitioner’s
factual findings report includes a statement to this effect.


HKSRS 4410 (Revised) contains additional guidance on the practitioner’s association with
the compiled financial information that is the subject of the engagement. It reminds the
practitioner not to be knowingly associated with reports, returns, communications, or other
information where the practitioner believes that the information contains a materially false
or misleading statement, contains statements or information furnished recklessly, or omits or
obscures information required to be included where such omission or obscurity would be
misleading. In circumstances where they become aware of such an association, they are
required to take steps to dissociate themselves from the information.

A summary of the assurance and non-assurance engagement requirements is detailed in
Exhibit 12.3.

Assurance engagements (level of assurance)

• HKSRE review engagements (limited assurance)

° HKSRE 2400 (Revised) – Historical financial information

° HKSRE 2410 – Interim financial information (must be the auditor of the entity)

• HKSA engagement (reasonable assurance)

° HKSA 810 (Revised) – Summary financial statements

• HKSAE engagements (limited or reasonable assurance)

° HKSAE 3000 (Revised) – General standard (engagements that may be reasonable
assurance or limited assurance)

° HKSAE 3402 – Controls at a service organisation (engagements that may be
reasonable assurance or limited assurance)

° HKSAE 3410 – Greenhouse gas statement (engagements that may be reasonable
assurance or limited assurance)

° HKSAE 3420 – Pro forma financial information (reasonable assurance engagement only)

• HKSIR engagements (reasonable assurance)

° HKSIR 200 – Historical financial information

° HKSIR 500 (May 2020) – Profit forecasts, statements of working capital

• PN 740 engagement (limited assurance)

° PN 740 – Continuing connected transactions (must be the auditor of the entity)

Non-assurance engagements (level of assurance)

• HKSRS engagements (no assurance)

° HKSRS 4400 – Agreed-upon procedures

° HKSRS 4410 (Revised) – Compilation engagements

• HKSIR engagements (no assurance)

° HKSIR 400 (Revised) – Comfort letters

° HKSIR 500 (May 2020) – Statement of indebtedness

• PN 730 (Revised) engagement (no assurance)

° PN 730 (Revised) – Preliminary announcements of results (must be the auditor of
the entity)

EXHIBIT 12.3 Summary of assurance and non-assurance engagements

Key Learning Point


All assurance engagements are required to be conducted by independent practitioners.
Non-assurance engagements are not required to be conducted by independent
practitioners.


12.3.2 Engagement Acceptance and Continuing the Engagement


12.3.2.1 Assurance Engagements
The practitioner is required for all potential engagements to consider whether they should
accept or, for continuing engagements, continue to accept the engagement. Refer to Chapter 3
for more detail.

The practitioner must consider engagement risk before accepting or continuing any
engagement. Engagement risk is the risk that the practitioner accepts an engagement that
they should not in the circumstances. The practitioner reduces the risk of this occurring by
performing appropriate pre-engagement acceptance and continuance procedures to ascertain
whether the engagement is the type of engagement the practitioner should accept. The
practitioner remains alert to any changes in the circumstances during the engagement that
may cause them to re-evaluate if they continue the engagement.

The general principles for engagement acceptance and continuance are that the
engagement should only be accepted/continued when:

• The practitioner has no reason to believe that relevant ethical requirements, including
independence (for assurance engagements only), will not be satisfied (refer to
Section 12.3.1).

• The practitioner is satisfied that those persons who are to perform the engagement
collectively have the appropriate competence and capabilities.

• The basis upon which the engagement is to be performed has been agreed, through:

° Establishing that the preconditions for the engagement are present; and

° Confirming that there is a common understanding between the practitioner and
the engaging party of the terms of the engagement, including the practitioner’s
reporting responsibilities.

Preconditions to the Engagement


Preconditions for each engagement are set out in each applicable HKICPA standard, where
applicable, and generally outline factors, agreements, and discussions the practitioner needs
to have prior to accepting or continuing the engagement. The practitioner’s assessment is
based on their preliminary knowledge of the engagement. If any pre-condition is not met,
the practitioner is not able to accept or continue with the engagement unless required by
law or regulation to do so. Any such engagement does not comply with HKICPA standards
and the practitioner is not allowed to include any references to any of the applicable
standards that would have applied in the engagement circumstances in the practitioner’s
report. The practitioner monitors ongoing compliance with the required pre-conditions
throughout the engagement.

If, after accepting the engagement, the practitioner finds the pre-conditions have not
been met (e.g. some of the applicable criteria are unsuitable or some or all of the underlying
subject matter information is not appropriate), they should first discuss this with the
entity’s management/those charged with governance to determine whether the matter can
be resolved, whether it is appropriate to continue with the engagement, and whether to
communicate the matter in the practitioner’s report. Otherwise, the practitioner withdraws
from the engagement (if this is allowed by law or regulation).


Examples of common pre-conditions the practitioner takes a preliminary view on are (non-
exhaustive list):

• The practitioner has the appropriate capabilities and competence to perform the
engagement.

• Understand who the intended users of the practitioner’s report are.

• Assess whether the roles and responsibilities of the appropriate parties to the
engagement are suitable in the circumstances.

• Check whether a rational purpose for the engagement exists, the engagement scope
is adequate, and that the level of assurance to be provided (if any) is expected to be
meaningful to the intended users.

• The engagement exhibits the following characteristics:

° The underlying subject matter information is appropriate.

° The criteria that the practitioner expects to be applied in the preparation of
the subject matter information is acceptable and suitable for the engagement
(e.g. in light of its stated purpose, intended users), including that they exhibit
the characteristics of relevance, completeness, reliability, neutrality, and
understandability (assurance engagements). Also, check that it is unlikely that the
resultant subject matter information will be misleading for the purpose for which it
is intended.

° The applied criteria will be available for the intended users.

° The subject matter information will be adequately described and disclosed by
the entity.

• Where the source of some or all of the subject matter information has been
previously reviewed or audited and a modified audit opinion or review conclusion
and/or an emphasis of matter paragraph has been included in the assurance
practitioner’s report, consider whether an applicable law or regulation allows the
practitioner to include a reference to that modified audit opinion or review
conclusion, or emphasis of matter paragraph, in the practitioner’s report in respect of
such sources.

• If the entity’s subject matter information (particularly historical financial information)
has not been previously audited or reviewed, consider whether the practitioner can
obtain a sufficient understanding of the entity and its processes for preparing and
presenting the subject matter information to perform the engagement.

• Obtain agreement from management as to their key responsibilities:

° For preparation and presentation of the subject matter information in
accordance with the applicable criteria (e.g. the applicable financial reporting
framework);

° If applicable to the engagement circumstances, for such internal control as
management determines is necessary to enable the preparation of subject
matter information that is free from material misstatement, whether due to
fraud or error;


° To provide the practitioner with:

–– Access to all information of which management/those charged with governance
is aware that is relevant to the preparation of the subject matter information,
such as records, documentation, and other matters;

–– Additional information that the practitioner may request from management/
those charged with governance for the purposes of the engagement; and

–– Unrestricted access to persons within the entity (or relevant external entity)
from whom the practitioner determines it is necessary to obtain evidence.

• The practitioner expects to be able to obtain the evidence needed to support the
practitioner’s conclusion (assurance engagements) or factual findings (non-assurance
engagements).

• The practitioner’s findings or assurance conclusion, as appropriate, is to be contained in
a written report.

• If applicable to the engagement circumstances and/or required by law or regulation,
to include the practitioner’s report on the subject matter information in any public
document that contains the subject matter information and that indicates that the
practitioner has reported on them (particularly applicable for historical financial
information prepared in summary financial statements).

• If the proposed wording of the practitioner’s report is prescribed by law or
regulation, to determine that the practitioner would be likely to express the opinion
so prescribed based on performing the procedures specified in the applicable
HKICPA standard.

As each subject matter information is different in terms of the nature, purpose for which
it is prepared, type, and source of the information (financial/non-financial) and time periods
covered, the applicable HKICPA standard contains specific pre-conditions that are relevant
to the particular subject matter information, the applicable criteria to be applied, and the
practitioner’s reporting responsibilities (assurance or factual findings).

Engagement Risks
Engagement risks are assessed by the practitioner prior to acceptance or continuance to
ensure that they are fully informed of, and understand the nature of, the entity and the subject
matter information they are being asked to report on. This allows the practitioner to make a
professional judgement as to whether they wish to be professionally appointed by the entity to
conduct the work (and be associated with the engagement).

The practitioner should ensure that the intended users of the report understand and
agree with the agreed scope of the practitioner’s work, the procedures to be performed,
and the type of report (and level of assurance, if applicable) to be provided.

HKSQC 1 contains numerous requirements that the practitioner’s firm is to have in place
to assist the practitioner in performing their pre-engagement acceptance procedures. Relevant
requirements are:

• ‘The firm shall establish policies and procedures for the acceptance and continuance
of client relationships and specific engagements, designed to provide the firm with
reasonable assurance that it will only undertake or continue relationships and
engagements where the firm:

(a) Is competent to perform the engagement and has the capabilities, including time
and resources, to do so;

(b) Can comply with relevant ethical requirements; and

(c) Has considered the integrity of the client, and does not have information that
would lead it to conclude that the client lacks integrity.’ (HKSQC 1.26)

• ‘Such policies and procedures shall require:

(a) The firm is to obtain such information as it considers necessary in the
circumstances before accepting an engagement with a new client, when deciding
whether to continue an existing engagement, and when considering acceptance of
a new engagement with an existing client.

(b) If a potential conflict of interest is identified in accepting an engagement from
a new or an existing client, the firm is to determine whether it is appropriate to
accept the engagement.

(c) If issues have been identified and the firm decides to accept or continue the client
relationship or a specific engagement, the firm is to document how the issues were
resolved.’ (HKSQC 1.27)

• ‘The firm shall establish policies and procedures on continuing an engagement and the
client relationship, addressing the circumstances where the firm obtains information
that would have caused it to decline the engagement had that information been
available earlier. Such policies and procedures shall include consideration of:

(a) The professional and legal responsibilities that apply to the circumstances,
including whether there is a requirement for the firm to report to the person
or persons who made the appointment or, in some cases, to regulatory
authorities; and

(b) The possibility of withdrawing from the engagement or from both the engagement
and the client relationship.’ (HKSQC 1.28)

Key Learning Point


All potential assurance engagements must be assessed for any engagement risks prior
to acceptance and continuance processes being finalised to ensure that the practitioner
is not precluded by reason of law or regulation or the requirements of applicable HKICPA
standards or other pronouncements (e.g. Code of Ethics).

12.3.2.2 Non-Assurance Engagements


There are no specific pre-conditions for the non-assurance engagement as the practitioner
and the specified parties to the engagement agree on the procedures to be performed on the
subject matter information to enable the practitioner to report factual findings (HKSRS 4400) or
the compiled financial information (HKSRS 4410 (Revised)) and neither engagement is required
to be conducted by law or regulation. The practitioner, however, practically considers whether
the entity and the type of engagement and subject matter information are acceptable, taking
into account the stated purpose of the engagement, the intended users and their requirements
(if any), whether the practitioner possesses the relevant expertise and experience to conduct the
engagement, and any conditions imposed by the entity.

12.3.3 Agreeing on the Terms of the Engagement


The practitioner agrees the terms of the engagement with the entity (ordinarily this is
management/those charged with governance at the entity) and evidences those agreed terms
in writing. For continuing engagements, the practitioner has to decide if the circumstances of
the engagement for the current period warrant the issuance of a new letter or whether the
existing letter continues to be appropriate. For all new engagements, an engagement letter
must be issued and agreed prior to the practitioner commencing work.

An engagement letter helps avoid any misunderstandings regarding the nature of their
engagement and, in particular, the objective and scope of the engagement, management’s
responsibilities, the extent of the practitioner’s responsibilities, the level of assurance (if any) to
be provided, and the nature and form of the practitioner’s report. If the engaging party wants
to change the engagement terms, the practitioner should not agree to the change unless there
is a reasonable justification to do so. If the practitioner agrees to the change, they should not
disregard any evidence obtained prior to the change. All relevant parties to the engagement
(at a minimum the entity) should sign the engagement letter as acknowledgement of their
acceptance of the engagement terms.

Typical engagement letter terms are:

• Identification of the subject matter information, the purpose for which it has been
prepared, and the time period it relates to.
• Identification of the applicable financial reporting framework (if any) the subject matter
information is being prepared in accordance with.

• The name, nature, and details of the applicable criteria against which the subject matter
information will be assessed.

• Explanation of the intended use and distribution of the subject matter information and
any restrictions on the use or distribution of the practitioner’s report where applicable.

• The objective and scope of the engagement, including the level of assurance (if any) to
be provided.

• The responsibilities of the practitioner are outlined, including under which HKICPA
standard the engagement is conducted in accordance with, and that they will comply
with the named relevant ethical requirements.

• The responsibilities of the entity’s responsible party:

° For preparing the subject matter information (in accordance with a suitable
criterion that is acceptable in view of the intended use of the subject matter
information by the intended users).


° For establishing and maintaining effective internal control relevant to the
preparation of the subject matter information (where appropriate).

° For making all requested and relevant information available to the practitioner.

° Management’s agreement to provide written representations to the practitioner to
confirm representations made orally during the review, as well as representations
that the practitioner requests.

• That there are no restrictions on the scope of the practitioner’s work.

• The nature, type, and scope of procedures to be conducted (either specified by the
practitioner or the entity, as appropriate).

• Reference to (or inclusion of) the expected form and content of the report/letter to be
issued by the practitioner and a statement that there may be circumstances in which
the report may differ from its expected form and content.

• Management’s agreement that where any document containing subject matter
information indicates that the subject matter information has been assured or reported
on by factual findings by the practitioner, that the practitioner’s report will also be
included in the document.

• The fees to be charged for the engagement and how they will be billed to the entity’s
responsible party.

For non-assurance engagements, it is important that the engagement letter includes
the entity management’s acceptance of its responsibility for the underlying accuracy and
completeness of the records, documents, explanations, and other information provided to the
practitioner for the engagement and judgements needed in the preparation and presentation
of the subject matter information, including those for which the practitioner may provide
assistance in the course of the engagement.

12.3.4 Planning and Performing the Engagement


12.3.4.1 Planning the Engagement
The practitioner’s engagement planning depends on the type of engagement (assurance or
non-assurance), type of subject matter information, type of assurance, if applicable (reasonable
or limited), and their understanding of the engagement circumstances. Engagements
should be planned so that they will be performed in an effective manner and will achieve
the practitioner’s overall engagement objectives. This includes the practitioner being able to
exercise professional scepticism and professional judgement throughout the engagement.

Additionally, the level of planning required will depend on whether the practitioner is
already the entity’s auditor – and understands the entity and its environment, including
internal control. For practitioners who are the appointed auditor, they will need to update
their understanding relevant to the engagement circumstances. For those practitioners who
are not the appointed auditor, they will need to plan the engagement to obtain the necessary
understanding for the engagement.


There are two key aspects to planning the engagement:

• First, the practitioner needs to understand (or update their understanding of)
the entity and its environment (including any relevant internal controls, if applicable)
sufficiently for the engagement circumstances; and

• Second, the practitioner needs to understand the subject matter information to
perform the engagement.

Refer to Section 12.4.1 for a detailed explanation of the steps required to obtain an
understanding of the entity and its environment and the subject matter information.

12.3.4.2 Performing the Engagement


The practitioner uses their understanding of the entity and the subject matter information, as well
as professional judgement and expertise to plan the nature, timing, and extent of procedures
appropriate to the engagement. The practitioner chooses a combination of procedures to
obtain sufficient and appropriate evidence on which to form the type of assurance conclusion
or report factual findings, as applicable. Examples of procedures include: inspection,
observation, confirmation, recalculation, re-performance, analytical procedures, and inquiry.

Fewer procedures are required for a limited assurance engagement because lower levels of
evidence are required for assessed risk areas and the engagement risk is lower.
Inquiry and analytical procedures
are planned rather than more detailed substantive testing, such as testing accounting
records through physical inspection, observation, and third party confirmation, and there is
little or no testing of internal control. Practitioners will test populations using smaller sample sizes and
adopt smaller test coverages. At a minimum there should be testing on all material financial
statement items, including disclosures, and focus on addressing the key risk areas within the
subject matter information where, in their professional judgement, material misstatements are
likely to arise. If the subject matter information contains forecast/prospective information, the
degree of work required will in part depend on the reliability of forecasts made in the past and
their materiality to the subject matter information.

For a reasonable assurance engagement, more procedures are required to obtain the sufficient
and appropriate evidence necessary to provide a reasonable level of assurance. Ordinarily,
a combination of inquiry, inspection, observation, confirmation, re-calculation,
re-performance, and analytical procedures is performed; the specific combination of
procedures depends on the engagement circumstances.

For non-assurance engagements, the procedures may include inquiry and analysis,
re-computation, comparison, and other clerical accuracy checks, observation, inspection, and
obtaining confirmations.

The procedures performed are covered in Section 12.4.2.

Key Learning Point


The practitioner plans the engagement to design and perform procedures efficiently,
taking into account the engagement objectives, circumstances, and the level of assurance
required (if applicable).


12.3.5 Materiality and Assurance Engagement Risk


12.3.5.1 Materiality
Information is considered material if it can reasonably be expected to have the capacity
to influence the decisions of the information’s intended users. Materiality is only relevant
for assurance engagements. It has no relevance for non-assurance engagements as the
practitioner is merely reporting factual findings based on specific agreed-upon procedures
determined by the entity and expresses no assurance on the financial information. The
practitioner does have to consider misstatements in the financial information as all
exceptions or errors are reported in their factual findings report. Misstatements in the
subject matter information may arise from the information being omitted, incorrectly
recorded (amount), classified, presented, or disclosed (e.g. obscured) as compared to the
applicable criteria used (e.g. an applicable reporting framework). Misstatements can also
arise from error or fraud.

Materiality is used to plan and perform procedures on significant items within the subject
matter information and in assessing whether the subject matter information is free from
any material misstatements compared to the applicable criteria. It is not affected by the level
of assurance provided by the engagement because materiality is based on the information
needs of the intended users and uses the same risk assessment basis, meaning that
materiality for a reasonable assurance engagement is the same as for a limited assurance
engagement.

Establishing what is material for an assurance engagement is a matter of the practitioner’s
professional judgement, taking into account the engagement circumstances, understanding
and assessing what factors might influence the decisions of the intended users in using the
subject matter information, and the nature of the subject matter information. Examples
of factors may be the degree of precision and accuracy required in the subject matter
information. If the practitioner is also the auditor of the entity, the materiality used for
the audit should not be used for the assurance engagement, as the engagement circumstances
are different.

Materiality is assessed in terms of qualitative (nature) and quantitative (amount)
measures. While materiality is set at the beginning of the engagement (before the
practitioner performs any procedures), it should be re-assessed throughout the engagement
if more information comes to the practitioner’s attention that causes a reassessment or
change to the initial materiality level. HKSA 320 Materiality in Planning and Performing an
Audit (June 2017) can provide helpful guidance on establishing materiality for assurance
engagements.

Key Learning Point


Materiality levels are not prescribed for any other assurance engagement in HKICPA
applicable standards. This is due to the setting of materiality requiring the practitioner’s
professional judgement, taking into account the particular engagement circumstances and
the nature of the subject matter information being reported on.


12.3.5.2 Assurance Engagement Risk


Assurance engagement risk is the risk that the practitioner expresses an inappropriate
(assurance) conclusion when the subject matter information is materially misstated. As
this risk cannot be reduced to nil, assurance is never absolute. The practitioner reduces
this risk by setting materiality at a level appropriate to the nature of the subject matter
information and the individual engagement circumstances such that the risk is reduced
to an acceptably low level to facilitate the level of assurance required. The practitioner
then designs procedures to achieve the level of assurance required for the engagement.
Assurance engagement risk is not relevant for non-assurance engagements, as no assurance
is expressed.

The risk of the subject matter information not being prepared and presented in all material
respects on the basis of the applicable criteria may arise when there is evidence of, for
example, the subject matter information:

• Being sourced inappropriately or incorrectly extracted from underlying records;

• Reflecting the misapplication of accounting or other policies, or being inconsistent
with the entity’s relevant policies;

• Being prospective information that has not been based on adjusted historical financial
information;

• Containing a mathematical mistake; or

• Containing inadequate or incorrect disclosures.

12.3.6 Quality Control of the Engagement


As noted in Section 12.3.1, all practitioners must comply with HKSQC 1, regardless of the
engagement type. The practitioner, as an engagement partner, is leader of the engagement
team and is responsible for ensuring Code of Ethics and HKSQC 1 compliance on individual
engagements and takes responsibility for the overall quality on the engagement.
This means:

• Performing appropriate procedures regarding the acceptance and continuance of client
relationships and engagement.

• Implementing quality control procedures that are applicable to the individual
engagement – including leadership responsibilities for quality on the engagement,
ethical requirements, acceptance and continuance of client relationships and specific
engagements, assignment of engagement teams, engagement performance, and
monitoring.

• Conducting the engagement in accordance with the firm’s quality control policies.
This includes:

° Being satisfied that appropriate procedures for the acceptance and continuance
of client relationships and engagements have been performed and that the
conclusions reached are appropriate. The engagement partner should be
satisfied that such procedures included considering whether there is information
available that would lead them to conclude that the entity’s management lacks
integrity.


° Being satisfied that the engagement team has the appropriate competence and
capabilities (for example, assurance skills and techniques, if required, and expertise
in the subject matter information, including its measurement/evaluation) to:

–– Be able to perform the engagement in compliance with all required professional
standards and applicable laws and regulations; and

–– Accept responsibility for the report issued, including the assurance conclusion
or factual findings (as appropriate) and for it being appropriate to the
engagement circumstances.

° Take responsibility for all engagement documentation (i.e. provides evidence
of achievement of the practitioner’s objectives and that the engagement was
performed in accordance with the relevant HKICPA standard and any relevant legal
and regulatory requirements).

• The direction, supervision, planning, and performance of the engagement in
compliance with professional standards and applicable legal and regulatory requirements.

• Be satisfied that the practitioner will be able to be involved in the work of:

° A practitioner’s expert, where the work of that expert is to be used; and

° Another practitioner, not part of the engagement team, where the work of that
practitioner is to be used to an extent that is sufficient to accept responsibility for
the assurance conclusion, or factual findings, as appropriate, on the subject matter
information.

• Appropriate consultation being undertaken by the engagement team on difficult or
contentious matters.

• Taking into account the results of the firm’s monitoring process and to determine
whether those results affect the engagement.

• File reviews being performed in accordance with the firm’s engagement policies and
procedures, and reviewing the engagement documentation on or before the date of the
assurance report or factual findings report as appropriate.

• Throughout the engagement the practitioner remains alert through observation and
making inquiries as necessary for any evidence of non-compliance with relevant ethical
requirements by members of their engagement team. If any evidence presents, the
engagement partner is required to determine the appropriate action.

• Stating their compliance with HKSQC 1 and the relevant ethical Code of Ethics
requirements within Parts 1, 3, and 4A (audits and reviews) or 4B (all other assurance
engagements) as applicable (or equivalent) in their practitioner report.

• The practitioner’s report is appropriate in the circumstances.

Additionally, for those engagements, if any, for which a quality control review is required by an
applicable HKICPA standard, law or regulation or for which the firm has determined that an
engagement quality control review is required:

• The engagement partner discusses all significant matters identified or arising with the
allocated engagement quality control practitioner, and does not finalise and date their
assurance report until the quality control review has been completed; and


• The engagement quality control practitioner performs an objective evaluation of all
significant judgements reached and conclusions made during the engagement by the
engagement team, and also of the appropriateness of the assurance report conclusion.
This evaluation includes:

° Discussing with the engagement partner all significant matters;

° Reviewing documentation relating to all significant judgements made by the
engagement team and the conclusions reached;

° Reviewing the subject matter information;

° Evaluating the conclusions reached in formulating the assurance report; and

° Reviewing the proposed assurance report and considering whether the
conclusion(s) reached were appropriate to the engagement.

Key Learning Point


The practitioner must comply with applicable quality-control-related requirements,
contained in the Code of Ethics and HKSQC 1, when conducting any type of other assurance
or non-assurance engagements. This ensures the continuing quality of engagements
performed by HKICPA practitioners.

Apply and Analyse 4


The Chief Operating Officer of Yau Manufacturing Company Ltd, Mr. Wong, has requested
you as a partner in your firm, Jay & Co, to perform a reasonable assurance engagement on
their Greenhouse Gas Statement in respect of their manufacturing plant. You previously
met Mr. Wong at a trade show. The relevant regulatory body has requested Yau to prepare
their yearly statement assured as part of the Government’s ongoing push to quantify the
levels of CO2 in key manufacturing hubs. Jay & Co are not the appointed auditor of Yau.
You are keen to accept the engagement as your firm does not have much experience in
performing this type of engagement and is eager to gain the necessary experience as the
firm sees this as a future work growth area. Explain whether there are any potential issues
with you or your firm accepting the engagement.

Analysis

Yes, there is an issue with you accepting the engagement as you and your firm do not
have the necessary competence and capability to oversee, lead, and provide quality
management of this engagement in compliance with the requirements of HKSQC 1 Quality
Control for Firms That Perform Audits and Reviews of Financial Statements, and Other Assurance
and Related Services Engagements or HKSAE 3410 Assurance Engagements on Greenhouse Gas
Statements. You should decline the engagement on this basis. Specifically, HKSAE 3410,
paragraph 16 requires the engagement partner to:



(a) Have sufficient assurance skills, knowledge, and experience, and sufficient
competence in the quantification and reporting of emissions, to accept
responsibility for the assurance conclusion; and

(b) Be satisfied that the engagement team and any practitioner’s external experts
collectively possess the necessary professional competencies, including in the
quantification and reporting of emissions and in assurance, to perform the
assurance engagement in accordance with this HKSAE (HKSAE 3410).

Knowledge Check Questions

Question 5
Explain why it is important to perform an assessment of engagement risk prior to
accepting the engagement.

Question 6
Explain why it is important to establish pre-conditions for the engagement prior to
engagement acceptance.

Question 7
You have previously performed an engagement providing reasonable assurance on Yau
Manufacturing Company Ltd’s compliance with its banking covenants for the financial
year, as required under the terms of their loan agreement. The new Chief Financial Officer
of Yau has now requested you to again perform the compliance engagement. Explain
whether you need to re-issue the engagement letter.

12.4 OBTAINING SUFFICIENT EVIDENCE – OVERVIEW

12.4.1 Obtaining an Understanding of the Subject and Engagement


12.4.1.1 Understanding the Entity and Its Environment
All engagements require the practitioner to obtain an understanding of the subject matter of
the engagement in order to provide assurance or report factual findings in the practitioner’s
report, as appropriate. In addition to understanding the engagement and the engagement
circumstances, the practitioner obtains an understanding of the entity and its environment,
including its relevant internal controls, sufficient to:

• For assurance engagements – identify and assess the risks of material misstatement of
the subject matter information whether due to fraud or error, and sufficient to design,
and perform further procedures.


• For non-assurance engagements – conduct the entity’s agreed-upon procedures on the
subject matter information.

Such an understanding is ordinarily obtained by:

• Meeting the directors and management of the entity to understand matters related to
the engagement, including, for example, obtaining their understanding of the principal
transaction flows, internal controls and reporting arrangements of the business that
relate to the engagement, as well as relevant information and recent reporting results
with management;

• Attending the entity’s premises; and

• Applying analytical procedures to available information.

The practitioner, who is not the appointed auditor of the entity (or only recently appointed
as auditor or who has not previously performed the same type of engagement), performs
planning procedures through inquiry and review to obtain an understanding of the entity and
its environment, including its internal control, as it relates to the preparation of the subject
matter information.

The following planning procedures to obtain an understanding of the engagement are
non-exhaustive and may/may not apply, depending on the engagement circumstances and the
subject matter information:

• Understand the purpose of the engagement.

• Understand the characteristics of the engagement that define its scope – understand
who the interested parties/intended users of the practitioner’s report are, what is the
expected timeline for reporting and any other relevant considerations.

• Identify the intended users of the practitioner’s report, an understanding of their
information needs, and materiality assessment (sensitivity to accuracy of the results),
including their assessed risks that the subject matter information may be materially
misstated.

• If applicable, make inquiries of the predecessor auditor and, where practicable, review
the predecessor auditor’s documentation. The practitioner considers the nature of
any corrected misstatements and any uncorrected misstatements aggregated by the
predecessor auditor, any significant risks, including the risk of management override
of controls, and significant reporting matters that may be of continuing significance
(for example, a material weakness in a relevant internal control).

• Understanding the nature of the entity, its business, key strategies and objectives,
activities, ownership structure, types of investments, how it is financed, and key
related parties. This can be done by reviewing key governance and compliance policies,
reviewing press and public announcements, and in discussions with management/
those charged with governance.

• Understand the relevant time period covered by the engagement and, if applicable to
the engagement, if events occurring after that time period should be considered.

• Understand the relevant industry, regulatory, and other external factors including the
applicable criteria (e.g. the financial reporting framework).


• Understand the entity’s appropriate IT systems and underlying records relevant to the
subject matter information and assess their adequacy for producing information that is
accurate, complete, and valid.

• Review last year’s engagement file, if applicable, to refresh key aspects of the
understanding – including significant risks (such as the risk of management override of
controls), uncorrected misstatements, material misstatements identified and corrected,
and any risks that the subject matter information may be materially misstated.

• Understand if there are any initial going concern issues – e.g. factors that the
practitioner needs to remain alert to, or make/update inquiries regarding those factors.

• Understand any internal controls relevant to the engagement, including if there is an
internal audit function.

• Read the minutes of meetings of management, shareholders, those charged with
governance, and other appropriate committees (e.g. the audit committee) for an
understanding of key issues affecting the entity, and its governance and financial
reporting.

• The expected timing and nature of the practitioner’s communications required by
the entity.

• The extent to which fraud may be relevant to the engagement.

• The nature, timing, and extent of resources required by the practitioner to perform the
engagement, such as personnel and expertise requirements, including the nature and
extent of any expert’s involvement.

Practitioners who are the appointed auditor of the entity (or who have previously
performed the same type of engagement) ordinarily update their understanding of the
entity by performing inquiry and review. This would include reviewing prior reporting
and the engagement file, and reflecting on any engagement circumstances that are relevant
to the current engagement. These may include considering:

• The prior degree of difficulty in obtaining information.

• The need to engage entity employees or experts.

12.4.1.2 Understand the Subject Matter Information


The practitioner is required to obtain an understanding of the underlying subject matter
information (i.e. understanding its key characteristics) and other engagement circumstances
(e.g. type of assurance, if any is required) sufficient to provide the practitioner with the ability to
report on the subject matter information.

The level of understanding of the subject matter information must be sufficient to:

• Identify and assess any areas of possible material misstatement in the subject matter
information (risk considerations) and how the practitioner plans to respond to those
risks through designing the nature, timing, and extent of certain procedures.

• Consider the relevance and reliability of information to be used as evidence.

• Determine whether the work of an expert, another practitioner, an entity’s, measurer’s, or
evaluator’s expert, or an internal auditor is expected to be used.


The practitioner who is the appointed auditor of the entity (or who has previously
performed the same type of engagement) performs planning procedures through inquiry
and review to obtain an understanding of the entity and its environment. The following
planning procedures to obtain an understanding of the engagement are non-exhaustive and
may/may not apply, depending on the engagement circumstances and the subject matter
information:

• Understand the source of the subject matter information:

° If it is new information or extracted from existing historical financial information.

° Understand the basis of preparation, presentation, and the reliability of the
underlying records used to prepare it:

–– If any part of the source has been audited/reviewed.

–– If the subject matter information is prospective (e.g. a forecast) or contains
forecast data, then understand the basis of preparation, reconcile any historical
financial information components to audited/reviewed historical financial
information (if applicable), understand any key underlying adjustments made
(based on assumptions and judgements), what, if any, are the uncertainties in
the information, if the forecast has been compiled based on the adjustments,
and compare for consistency to applicable policies within historical financial
information.

–– If the subject matter information is historical, then understand the basis of
preparation, reconcile any historical financial information components to
audited/reviewed historical financial information (if applicable), and compare
for consistency to applicable policies within historical financial information. If
there is no audit or review report, the practitioner is required to design and
perform procedures to be satisfied that the source is appropriate.

–– The entity’s selection and application of relevant policies and their
appropriateness.

–– Who reviewed and approved the subject matter information.

Factors that affect the appropriateness of the source include whether there is
an audit or a review report on the source and whether the source is permitted or
specifically prescribed by the relevant law or regulation, is clearly identifiable, and
represents a reasonable starting point, including whether it is consistent with the
entity’s published policies.

° Inquire of management how the subject matter information has been prepared
and the reliability of the entity’s IT systems and accuracy of underlying records from
which the subject matter information has been prepared.

° Identify any internal control relevant to achieve properly prepared subject matter
information and understand how it has been designed, implemented, and is
operating effectively throughout the relevant period (e.g. through performing a
transactional walk-through from start to finish).

• Design appropriate analytical procedures that will identify relationships and unusual
items that may indicate a material misstatement in the subject matter information.


• If applicable, consider the nature of any adjustments to the subject matter information
that the entity represents as necessary (for example, as a result of correction of errors,
achieving consistent entity or group policies, or changing the applicable reporting
framework) and the sources of evidence to support the adjustments.

• Read the minutes of meetings of shareholders, those charged with governance,
and other appropriate committees for any matters that impact the subject matter
information.

• Read the subject matter information and identify anything that suggests that it has not
been prepared in accordance with the applicable criteria.

• Review the applicable criteria and assess whether they are acceptable and suitable for
the engagement, by assessing if those criteria have characteristics of being relevant,
complete, reliable, neutral, and understandable.

• Consider whether there are significant, unusual, complex, or non-monetary transactions, events,
or matters that have affected or may affect the subject matter information, including as
a result of:

° Significant changes in the entity’s business activities or operations (e.g. acquisitions
and disposals).

° Significant changes to the terms of contracts (e.g. terms of finance and debt
contracts or covenants).

° Significant journal entries posted or other adjustments made to historical financial
information.

° Significant movements in account balances between comparable time periods.

° Significant transactions occurring or recognised near the end of the reporting period.

° Effects or possible implications for the entity of transactions or relationships with its
related parties.

° Significant changes in internal control and the potential effect of any such changes
on the preparation of subject matter information.

• Any material commitments, contractual obligations, or contingencies (assets/
liabilities) including litigation claims that have affected or may affect the subject matter
information, including disclosures.

• If applicable, obtain previous reports regarding the subject matter information and:

° Consider the impact of any corrected or uncorrected misstatements affecting the
subject matter information identified in a prior engagement; and

° Consider the impact of any modifications included in previous reports.

• If applicable, inquire of management as to their assessment of the risk that it might be
affected by actual, suspected, or alleged fraud, or non-compliance with provisions of
applicable laws and regulations.

• Consider the work of the internal audit function, if any, and understand if they have
issued any reports relevant to the subject matter information. Review any such reports
and consider any recommendations and implemented remediation actions taken in
areas relevant to the review.

The practitioner uses this understanding of the entity and its environment to set materiality.
Refer to Section 12.3.5 for a further discussion.

Practitioners who are the auditor of the entity ordinarily update their understanding of the
entity and use the prior understanding to assist them to plan and conduct the engagement, so
that they can identify the types of potential material misstatement, consider the likelihood
of their occurrence, and select the procedures that will provide them with a basis for
their required reporting.

Key Learning Point


Planning the engagement to obtain a sufficient understanding of the engagement and
the particular subject matter the practitioner has been requested to report on is critical to
ensure that an efficient, targeted engagement is conducted.

12.4.2 Reasonable Assurance Testing


All assurance engagements require the practitioner to obtain an understanding of the subject
matter information of the engagement in order to provide assurance on that subject matter
information.

The practitioner, who is not the appointed auditor of the entity (or who has not previously
performed the same type of engagement), performs procedures appropriate to the
engagement. Refer to Chapters 6 and 7 for more details on procedures that can be performed
in an assurance engagement.

As explained in Section 12.3.4, for a reasonable assurance engagement more procedures
than for a limited assurance engagement are required to obtain the necessary sufficient and
appropriate evidence. Ordinarily procedures are a combination of inquiry, inspection,
observation, confirmation, re-calculation and re-performance. However, analytical procedures
need to be performed, and the type and combination selected by the practitioner depends on
the engagement circumstances. When designing and performing procedures, the practitioner
is required to consider the relevance and reliability of any information they intend to use
as evidence.

The testing approach for limited assurance engagements, based on identifying the areas
where a material misstatement in the subject matter information is likely to arise, is to:

• Design and perform procedures to address the areas of likely material misstatement,
sufficient to obtain limited assurance. No testing on internal control relevant to the
subject matter information is required.

• If the practitioner becomes aware of matters that cause them to believe the subject
matter information may be materially misstated, they need to design and perform
additional procedures to obtain further evidence to enable the practitioner to conclude
if this is the case or not.

In contrast, the testing approach for reasonable assurance engagements, based
on identifying and assessing the risks of material misstatement in the subject matter
information, is to:

• Design and perform procedures to respond to the assessed risks in the engagement
circumstances, sufficient to obtain reasonable assurance. The procedures are required
to include testing on relevant controls over the subject matter information (which
are assumed to be operating effectively) such that the practitioner obtains sufficient
appropriate information over their operating effectiveness. Note that procedures other
than testing of controls cannot alone provide sufficient appropriate evidence.

• Reassess their risk assessment if additional evidence comes to the practitioner’s
attention and modify the procedures to be performed.

The following examples of reasonable assurance procedures are non-exhaustive and may/
may not apply, depending on engagement circumstances and the subject matter information:

• Perform and document risk assessment procedures to support the engagement.

• Ensure the engagement pre-conditions remain present throughout the engagement.
Refer to Section 12.3.2 for a reminder of the types of pre-conditions to consider.

• If applicable, review prior practitioner reports and consider any implications of these
reports on the current engagement (e.g. modifications, emphasis of matter, other matters).

• If applicable, re-calculate and challenge any significant estimates, judgements, and/or
assumptions used in preparing the subject matter information, ensure they are directly
related to that information, are factually supportable, and assess the extent to which
they are consistent with the entity’s historical financial information or other relevant
entity policies, including assessing the suitability of their recording and/or classification.

• Evaluate whether the subject matter information:

° Is sourced from appropriate information. If the source information is not
appropriate the practitioner must discuss the situation with the entity and consider
what further action to take. This may include withholding the report, withdrawing
from the engagement, and seeking legal advice.

° Is consistent with the practitioner’s understanding of the entity and with the
information provided by the entity.

° Reconciles to underlying records/supporting documentation (e.g. contracts/
agreements, independent reports, published documents such as audited financial
statements) and, if applicable, is consistent with the basis of accounting or other
basis on which the subject matter information has been prepared by the entity.

° Obtain corroborating information and documentation from independent sources.

° If any calculations underlying the subject matter information are mathematically
correct.

° Review any significant transactions and agree to supporting evidence. Assess their
classification and presentation.

° Is prepared in accordance with the applied criteria and adequately refers to, or
describes, the applicable criteria (against which it has been assessed).


° Is appropriately presented and disclosed:

–– Any historical and other financial information is clearly distinguished. Check
that the amounts in the subject matter information have been accurately
extracted from audited, reviewed, or draft financial statements, and reflect the
presentation to be adopted in those financial statements.

–– If applicable, it illustrates the impact of any significant event or transaction in a
manner that is not misleading.

–– Discloses the information necessary, such that intended users understand
the information conveyed, which is presented at an appropriate level of
aggregation, so as not to be misleading in the circumstances (in view of the
purpose of the subject matter information).

• If applicable, review management’s going concern assessment and assess if there are
any events or conditions that appear to cast doubt on the entity’s ability to continue as
a going concern.

• If applicable, review the reports and work of the internal audit function by assessing
and re-performing elements of their work relevant to the engagement. HKSA 610
Using the Work of Internal Auditors and Related Conforming Amendments (May 2013) may
provide helpful guidance on how to place such reliance.

• If applicable, assess placing reliance on the audit work of the entity’s internal auditor, by
considering:

° The professional qualification, experience, integrity, independence, and
professional competence of the auditor and the quality control systems applied by
the audit firm to that engagement;

° If the auditor was required to apply HKSAs or equivalent standards; and

° Whether there is any evidence that the auditor has not complied with applicable
independence requirements.

• If applicable, assess placing reliance on the work of an independent expert engaged by
the practitioner by performing similar procedures to placing reliance on the work of the
internal auditor (above). HKSA 620 (Clarified) Using the Work of an Auditor’s Expert (July
2010) may provide helpful guidance on how to place such reliance.

• If the information contains prospective financial information (e.g. a forecast):

° Compare the forecast with the group’s existing financing facilities and cash
resources or that are to become available to the group;

° Independently obtain direct confirmation from the appropriate third party of the
extent of financing facilities and resources available to the group;

° Consider adjustments for items such as capital expenditure and pre-payments that
exert no impact on the profit forecast but may significantly impact the working
capital forecast; and

° Consider management’s sensitivity analysis and the extent of any margin
or headroom.


• Test those internal controls relevant to achieve properly prepared subject matter
information to ensure they have been appropriately designed and implemented and
are operating effectively throughout the relevant period. When determining the extent
of tests of controls, consider the characteristics of the population to be tested, which
include the nature of the controls, the frequency of their application (for example,
monthly, daily, several times per day), and the expected rate of deviation.

When designing and performing tests of controls, the practitioner:

° Performs other procedures (e.g. observation, inspection) in conjunction with
observation and inquiry, in order to obtain evidence about how the control was
applied, the consistency with which the control was applied, and by whom or by
what means the control was applied.

° Determines whether controls to be tested depend on other controls (indirect
controls) and, if so, whether it is necessary to obtain evidence supporting the
operating effectiveness of those particular indirect controls.

° Determines means of selecting items for testing that are effective in meeting the
objectives of the procedure.

• Design and perform analytical procedures, based on the practitioner’s understanding to
identify any relationships and unusual items that may indicate a material misstatement
by comparing the subject matter information. Any significant variations, unusual
fluctuations, or inconsistencies should be discussed with the entity. Types of analytical
procedures include:

° Comparing results, percentages, and ratios with those of prior periods and those
expected for the current periods, as well as other sources (e.g. external).

° Comparing the recorded amounts or ratios the practitioner has calculated
from recorded amounts to expectations they developed by identifying (e.g. from
comparable entities) and applying relationships between information based on
their understanding of the entity. When significant fluctuations or unexpected
relationships are identified that are inconsistent with other relevant information,
the practitioner investigates and obtains explanations.

• If the subject matter information and the practitioner’s report are contained with
other information, read that other information to ensure that it is not inconsistent
with them.

• Identify any uncorrected misstatements identified during the engagement (other than
those that are clearly trivial) that need to be accumulated for evaluation.

• Obtain engagement appropriate written representations from management of the
entity. Examples may include:

° That it has provided the practitioner with all the information of which the
appropriate party (parties) is (are) aware that is relevant to the engagement.

° Confirming the measurement or evaluation of the underlying subject matter against
the applicable criteria, including that all relevant matters are reflected in the subject
matter information.


° For the preparation and presentation of the subject matter information, in all
material respects, in accordance with the applicable criteria.

° Where relevant, for the design and implementation of internal control.

° Confirmation that the effect of uncorrected misstatements is immaterial
(a summary of these should be attached to the representations).

° All significant facts relating to fraud or non-compliance with the law and regulations
have been disclosed to the practitioner.

° All significant subsequent events have been disclosed to the practitioner. Refer
to Section 12.6.1 for a discussion on subsequent event procedures that may be
applicable to the engagement.

Apply and Analyse 5


The Chief Financial Officer of Yau Manufacturing Company Ltd, Ms. Chan, has requested
you as a partner in your firm, Jay & Co, to perform a reasonable assurance engagement
on pro forma financial information they have prepared for inclusion in their upcoming
prospectus. This is to raise additional funds to finance Yau’s acquisition of another
Chengdu-based chipset manufacturer, Liu Manufacturing Co. You understand that the
pro forma financial information is based on audited financial statements that have been
adjusted to reflect the proposed acquisition. You understand that the acquisition talks are
advanced and Yau and Liu have both agreed on a purchase price and their Chief Executive
Officers have signed a Heads of Agreement. Further, they are waiting on the completion of
all required documentation to finalise the acquisition.

(a) Describe the key type of procedures you would initially plan to perform on Yau’s
pro forma financial information.

(b) Explain what procedure you would always perform on the audited financial statements
used as the underlying basis for making adjustments to reflect the Liu acquisition.

(c) Describe the procedures you plan and design to allow you to assess the pro forma
financial information.

Analysis

(a) Given the engagement is a reasonable assurance engagement, you should plan
on performing a combination of inquiry, inspection, observation, confirmation,
recalculation, re-performance, and analytical procedures. You would need
to undertake detailed planning procedures (considering any pre-conditions,
engagement risks and materiality, understanding the entity, and further
understanding the pro forma financial information) before finalising the exact type
and combination of procedures to design and perform to enable you to obtain
sufficient appropriate evidence to issue a reasonable assurance report.

(b) Given you have been told that Yau’s pro forma financial information is based
on previously audited financial statements, you would always plan to obtain the
audited financial statements and confirm the unadjusted financial information Yau
have used in their pro forma financial information to these statements.



(c) Those procedures should enable you to assess:

° Whether the applicable criteria used by the responsible party in the
compilation of the pro forma financial information provide a reasonable basis
for presenting the significant effects directly attributable to the transaction
reflecting the intended purchase of Liu Manufacturing Co, and to obtain
sufficient appropriate evidence about whether:

–– The related pro forma adjustments made by Yau give appropriate effect to
those criteria; and

–– The resulting pro forma financial information reflects the proper
application of those adjustments to the underlying audited historical
financial information.

° Be able to evaluate the overall presentation of the pro forma financial information.

12.4.3 Sampling

It is not practical or efficient (time and cost) for the practitioner to test all items within a
population that are part of the subject matter information. Practitioners use sampling mainly
because they are not seeking absolute certainty (they are looking for reasonable assurance),
examining all data may still not provide absolute certainty (completeness assertion), and for
cost–benefit reasons. A population can be an account balance (containing transactions) or a
group of items with homogeneous characteristics.

Sampling can be defined as the process of testing/examining only a part of a data
population, for a particular characteristic (e.g. that all invoices were appropriately approved in
line with delegation authorities), sufficient to extrapolate to the entire population, and to gain
reasonable assurance regarding that population. The extent of testing and the selection of
items for testing is determined by the practitioner using professional judgement.

A key risk with sampling (called sampling risk) is that if the sample chosen is not
representative of the population from which it was drawn the practitioner could reach an
incorrect conclusion. This risk can be reduced by giving every item in the population an equal
chance of selection and/or by increasing the sample size.

Appropriately designed sampling tests (where all sampling units have a chance of selection
and are representative of the population) allow the practitioner to draw conclusions, with
a reasonable basis, about an entire population based on testing a sample drawn from it.
Typically, the practitioner is testing for a particular characteristic in the population that is
relevant to the subject matter information.

The practitioner can sample (test check) by:

• Selecting all items (100% examination);

• Selecting specific items; and

• Audit sampling.


The application of any one or a combination of these sampling techniques may
be appropriate depending on the engagement, for example the risks of material misstatement
related to the assertion being tested and the practicality and efficiency of the different sampling
techniques.

The practitioner can use statistical or non-statistical sampling (often called judgemental
or random sampling) types. Statistical sampling uses computer-based technology to
mathematically derive the sample size numbers and then to randomly select items from the
population for the practitioner to test. Non-statistical sampling is based on the practitioner’s
judgement and experience to derive the sample size. The practitioner will select which type of
sampling to apply based on the engagement circumstances and the nature and characteristics
of the population to be tested.

Once the sampling type is selected, the practitioner decides the type of methodology to
employ on the sample. As for audit engagements, this depends on the nature of the population
to test – if the practitioner wants to substantively test a population, variable sampling is often
used. This looks for the sample to predict the value of a specific variable within a population,
where each individual item in the population is treated as a sampling unit. For testing of
controls, attributes sampling is usually used, which looks for whether the sample will or will
not possess certain qualities (attributes) by selecting a certain number of records to estimate
how many times a certain feature will show up in a population – each individual item in the
population is treated as a sampling unit.

The practitioner considers:

• When designing the sample, the purpose of the procedure and any particular
population characteristics to take into account.

• What sample size is necessary to reduce sampling risk to an appropriately low level.

• Ensuring all sample units in the population have an equal chance of selection.

• If the designed procedure is not applicable to the selected item, ensuring that a
replacement item is selected and tested using that procedure.

• If the practitioner is unable to apply the designed procedures or suitable alternative
procedures to a selected item, the practitioner treats that item as a deviation from the
prescribed control in the case of tests of controls or a misstatement in the case of tests
of details.

For any deviations identified during sampling on the test of controls, the practitioner must
consider the nature and cause of any deviations identified and whether:

• Identified deviations are within the expected rate of deviation and are acceptable,
thus enabling the practitioner to conclude that the control is operating effectively
throughout the specified testing period;

• Additional testing of the control or of other controls is required, to enable the
practitioner to conclude whether the controls over a particular control objective are
operating effectively throughout the specified testing period; or

• The testing performed enables the practitioner to appropriately conclude whether the
control operates effectively or not throughout the specified testing period.


For any misstatements identified during sampling on the test of details, the practitioner
must consider the nature and cause of any misstatements identified and whether:

• Identified misstatements are within the tolerable misstatement amount (the amount
determined by the practitioner to indicate that the population may be materially
misstated, based on performance materiality) and are acceptable. Therefore, the
testing that has been performed provides an appropriate basis for concluding that the
sampled population is unlikely to be materially misstated;

• Identified misstatements come close to, or exceed, the tolerable misstatement
amount. If the misstatements exceed the tolerable misstatement amount, then the
sampled population’s actual level of material misstatement may be higher. In such
circumstances, the practitioner should perform additional substantive test of detail
procedures to gain sufficient appropriate evidence on which to conclude the sampling.

HKSA 530 (Clarified) Audit Sampling (July 10) may provide additional helpful guidance in
sampling. Additionally, refer to Chapter 6 for more details on procedures related to sampling.
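The sampling rules above, worked through as an added Python example that is not part of the learning pack: equal-chance selection with replacement of not-applicable items, untestable items counted as deviations or misstatements, and comparison against the expected rate of deviation and the tolerable misstatement. The invoice data, field names, ratio projection to the population, and the treatment of an untestable item as misstated for its full recorded amount are assumptions made for illustration.

```python
"""Added example (constructed data): selecting and evaluating an assurance sample."""
import random
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Item:
    ref: str
    recorded: float                  # amount in the subject matter information
    applicable: bool = True          # False: the designed procedure does not apply
    testable: bool = True            # False: no procedure or alternative could be applied
    approved: bool = True            # the control attribute under test
    audited: Optional[float] = None  # amount supported by evidence (None: agrees)


def select_sample(population: List[Item], size: int, seed: int) -> List[Item]:
    """Equal-chance selection; a not-applicable pick is replaced by the next unit."""
    rng = random.Random(seed)        # keep the seed so the draw can be re-performed
    order = list(population)
    rng.shuffle(order)               # every sampling unit gets the same chance
    sample = [item for item in order if item.applicable][:size]
    if len(sample) < size:
        raise ValueError("too few applicable items for the requested sample size")
    return sample


def evaluate_controls(sample: List[Item], expected_rate: float) -> Dict:
    """Tests of controls: an item that cannot be tested counts as a deviation."""
    deviations = [i.ref for i in sample if not i.testable or not i.approved]
    rate = len(deviations) / len(sample)
    return {
        "deviations": deviations,
        "rate": rate,
        # False means additional testing of this or other controls is needed.
        "within_expected": rate <= expected_rate,
    }


def misstatement(item: Item) -> float:
    """Tests of details: misstatement found in one sampled item."""
    if not item.testable:
        return item.recorded         # assumption: whole recorded amount is unsupported
    if item.audited is None:
        return 0.0
    return item.recorded - item.audited


def evaluate_details(sample: List[Item], population_value: float,
                     tolerable: float) -> Dict:
    """Project sample misstatements to the population (ratio method, an assumption)."""
    found = sum(misstatement(i) for i in sample)
    sample_value = sum(i.recorded for i in sample)
    projected = found * population_value / sample_value
    return {
        "found": found,
        "projected": projected,
        # How near to the limit counts as "close" is left to professional judgement.
        "exceeds_tolerable": projected > tolerable,
    }


if __name__ == "__main__":
    # Constructed population: 200 invoices of 1,000 each; every 50th is void,
    # so the approval procedure does not apply to it; every 40th lacks approval.
    population = [
        Item(f"INV-{n:04d}", 1000.0, applicable=(n % 50 != 0), approved=(n % 40 != 7))
        for n in range(200)
    ]
    drawn = select_sample(population, size=25, seed=2021)
    print(evaluate_controls(drawn, expected_rate=0.05))
    print(evaluate_details(drawn, population_value=200000.0, tolerable=15000.0))
```
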

Key Learning Point


The practitioner determines the appropriate sampling strategy for particular items within
the subject matter information based on their professional judgement, taking into account
what particular population characteristics they want to test for and that are relevant to
their assessed risks and set materiality.

12.4.3.1 Evaluating the Results of Procedures Performed


Assurance Engagements

The practitioner shall evaluate the sufficiency and appropriateness of all evidence obtained
during the engagement. If the practitioner considers that additional information is required
for evaluation of the underlying subject matter, an attempt should be made to obtain
further evidence. The practitioner should consider all relevant evidence obtained during the
engagement, regardless of whether it appears to corroborate or to contradict information
already obtained (e.g. the subject matter information measurement or evaluation as compared
to the applicable criteria). If the practitioner is unable to obtain the required further evidence,
the implications for a conclusion are then considered. The practitioner also evaluates whether
uncorrected misstatements are material, individually or in the aggregate.

The practitioner is then required to form a conclusion about whether the subject matter
information is free from material misstatement. If the practitioner is unable to obtain sufficient
appropriate evidence, a scope limitation exists and the practitioner should express a qualified
opinion, disclaimer, or withdraw from the engagement, where withdrawal is possible under
applicable law or regulation, as appropriate.

The practitioner expresses an unmodified opinion when the practitioner concludes:


(a) For a reasonable assurance engagement, that the subject matter information is
prepared, in all material respects, in accordance with the applicable criteria; or


(b) For a limited assurance engagement, that, based on the procedures performed and
evidence obtained, no matter(s) has come to the attention of the practitioner that
causes the practitioner to believe that the subject matter information is not prepared,
in all material respects, in accordance with the applicable criteria.

The practitioner includes an ‘emphasis of matter’ paragraph in the assurance report when it
is concluded that a matter has been identified that is of such importance that it is fundamental
to intended users’ understanding of the subject matter information. Such a matter must be
presented or disclosed in the subject matter information.

The practitioner includes an ‘other matter’ paragraph in the assurance report when the
practitioner concludes they wish to communicate a matter other than those that are presented
or disclosed in the subject matter information that, in the practitioner’s judgement, is relevant
to intended users’ understanding of the engagement, the practitioner’s responsibilities, or the
assurance report and this is not prohibited by law or regulation.

The practitioner expresses a modified opinion when the practitioner concludes that the
subject matter information is misstated. The type of modified opinion expressed depends
on whether the misstatement is material but not pervasive, material and pervasive, or if
the practitioner is unable to conclude on whether the misstatement(s) is material and/or
pervasive.

• If the misstatement in the subject matter information is material but not pervasive,
then the type of conclusion is a qualified opinion.

• If the misstatement in the subject matter information is material and pervasive, then
the type of conclusion is an adverse opinion.

• If the practitioner is unable to obtain sufficient evidence to conclude that the identified
misstatement in the subject matter information is material and pervasive, but believes
its possible effect on the subject matter information may be both material and
pervasive, then the type of conclusion is a disclaimer of opinion.

For more details, refer to Chapter 10.

Non-assurance Engagements
The practitioner has to consider whether, based on the testing performed, any errors or
exceptions that were identified need to be included in the factual findings report
(non-assurance engagement). In some engagement circumstances, not all such errors may
be included in the report if the entity has requested only errors above a certain dollar value
to be advised.

Key Learning Point


The practitioner considers all information obtained during the assurance engagement that
is intended to be used as evidence and evaluates that information in forming a conclusion
on the procedures performed on the subject matter information.


Knowledge Check Questions

Question 8
Identify which of the following best explains why it is important to spend time to obtain an
understanding of the subject matter information in an assurance engagement.
A It is required by the HKICPA standards.
B Obtaining an understanding of the subject matter information is required so that the
practitioner can identify and assess the risks of material misstatement of the subject
matter information, whether due to fraud or error, and be able to design and perform
further procedures.
C It is not particularly important to the engagement.
D Obtaining an understanding of the subject matter information is required so that the
practitioner can minimise their procedures to only those areas of interest to the subject
matter information.

Question 9
Explain whether a practitioner is required to use sampling for testing components of
subject matter information.

12.5 COMMUNICATION WITH THOSE CHARGED WITH GOVERNANCE

12.5.1 Methods of Communication


All HKICPA standards require the practitioner to communicate any significant matter(s)
that comes to the practitioner’s attention during the engagement that in their professional
judgement are of sufficient importance and relevance to merit the attention of management/
those charged with governance. Additionally, the engagement requirements may contain
specific communication requirements including how to communicate, to whom to
communicate, when to communicate, and what to communicate. Communication may be
oral or in writing (preferable). The practitioner’s decision whether to communicate orally or
in writing is affected by factors such as the nature, sensitivity, and significance of the matter to
be communicated and the timing of such communications. Any oral communications will need
to be documented by the practitioner. HKSA 260 (Revised) Communication with Those Charged
with Governance (June 2017) may provide helpful guidance on the types of issues that may be
communicated.

12.5.2 Timing of Communication


The practitioner communicates all significant matters on a timely basis or as soon as practical.
This enables management, those charged with governance, or any other relevant parties
(e.g. audit committees) to clarify facts and issues, and allow them to consider the matters
raised, address them, and advise the practitioner, such that the practitioner can consider their
actions and the impact, if any, on the engagement and ultimately the practitioner’s report.

If management agrees to communicate a matter of governance interest with those charged
with governance, the practitioner may not need to repeat the communications, provided
that the practitioner is satisfied that such communications have effectively and appropriately
been made.

12.5.3 Content of the Communication with Those Charged with Governance

For each matter identified as being of sufficient importance, the practitioner must use
professional judgement to assess who is the most appropriate entity representative to advise. If the matter
relates to management, those charged with governance will be more appropriate. If the matter
relates to those charged with governance, it may be that the audit committee or board are
more appropriate.

Examples of matters that may be of sufficient importance for the practitioner to report to
the appropriate entity level, on a timely basis are:

• Any attempted limitations of scope on the practitioner’s work, or difficulties in obtaining
requested information or accessing the appropriate persons.

• Any uncorrected material misstatements that need to be corrected for the subject matter
information to be prepared, in all material respects, in accordance with the applicable
criteria. These are communicated to the appropriate level of management on a timely basis,
with a request to the entity to correct those misstatements. Also consider the need to
report them to those charged with governance.

• All corrected misstatements made during the engagement with the appropriate level
within the entity.
• Any misstatements aggregated by the practitioner during the engagement that were
determined by management to be immaterial, both individually and in the aggregate,
and that were determined by management not to constitute non-compliance with
the applicable requirements of the Listing Rules regarding continuing connected
transactions.

• Any identified non-compliance with applicable requirements of the Listing Rules
regarding connected transactions of which the practitioner has become aware.

• Actual, identified, or suspected fraud or non-compliance by the entity with required
laws and regulations (other than when the matters are clearly trivial) and other relevant
matters of governance interest.

• Deficiencies in internal control that, in the practitioner’s professional judgement,
are of sufficient importance to merit attention, together with recommendations for
improvement (where appropriate).

• Matters of governance interest with management, except where those matters relate to
questions of management competence or integrity.


Key Learning Point


It is important that, for every engagement type, the practitioner communicates to the entity,
as soon as possible, all matters that are considered of sufficient importance to advise those
charged with governance.

Knowledge Check Questions

Question 10
Explain why it is important to communicate, on a timely basis, any significant matters
identified during the course of the engagement with those charged with governance.

Question 11
Identify which of the following you would ordinarily advise those charged with governance.
A If you have encountered considerable difficulty in obtaining information regarding a
material component of the subject matter information.
B If you had to perform alternate procedures on those you originally planned to conduct
on particular information.
C If you confirmed there had been no non-compliance with applicable laws and regulations
relevant to the engagement.
D Trivial misstatements.

12.6 EVIDENCE ANALYSIS OVERVIEW

12.6.1 Subsequent Events Review


There are varying requirements in the HKICPA standards for the practitioner to consider events
occurring between the date of the subject matter information and the date of the practitioner’s
report or events after the issuance of the practitioner’s report.

Generally, the key consideration is whether a subsequent event would require adjustment
of, or disclosure in, the subject matter information. In some engagements, subsequent events
may not be relevant because of the nature of the underlying subject matter information. For
example, if the practitioner is concluding on the subject matter information at a point in time
(i.e. up to the practitioner’s report) then subsequent events may be of little consequence unless
they cause the practitioner to re-consider information either used as evidence in forming their
conclusion or included in the report.

Most HKICPA standards do not require the practitioner to perform any procedures to
identify events after the date of the subject matter information that require adjustment of,
or disclosure in, such subject matter information after the date of the practitioner’s report.
Additionally, the engagement terms may determine what obligations the practitioner has to
consider subsequent events. The practitioner may, depending on engagement circumstances,
consider requesting the entity to inform the practitioner of any event occurring subsequent to
the date of the practitioner’s letter that may impact on the subject matter information.

When subsequent events are relevant to the assurance engagement (e.g. the subject
matter information is related to another document that was issued after the subject matter
information), for events the practitioner becomes aware of after completion of the work and
before the issuance of the assurance report, the practitioner is required to consider their effect
on the subject matter information and on the assurance report and is required to respond
appropriately to facts, including considering the impact on the assurance report. Additionally,
if the practitioner becomes aware of a fact after issuing the practitioner’s report that, if it
had been known to the practitioner at the date of the practitioner’s report, may have caused
the practitioner to amend the report, the practitioner needs to discuss the matter with the
entity (management or those charged with governance, as appropriate), determine whether
the subject matter information needs amendment, and inquire how management intends to
address the matter.

If management fails to amend the subject matter information in circumstances where
the practitioner believes it needs to be amended, and the practitioner’s report has already
been provided to the entity, the practitioner notifies management and those charged with
governance not to issue the subject matter information to third parties before the necessary
amendments have been made. If the subject matter information is nevertheless subsequently
issued without the necessary amendments, the practitioner is required to take appropriate
action to seek to prevent reliance on the practitioner’s report.

12.6.2 Documentation
The practitioner prepares documentation that provides a sufficient and appropriate basis for
the practitioner’s conclusion, evidence that the engagement was performed in
accordance with the applicable HKICPA standard and legal and regulatory requirements, where
relevant, and a sufficient and appropriate record of the basis for the practitioner’s report.
The practitioner is generally required to assemble the engagement documentation in
an engagement file and complete the administrative process of assembling the final engagement
file on a timely basis after the date of the practitioner’s report. After the final engagement file has
been assembled and is considered complete, the practitioner is required to retain all engagement
documentation for the duration of its required retention period. If after the assembly of the final
engagement file has been completed the practitioner considers it necessary to amend or add to
the existing file, the practitioner is required to document:

• The specific reasons for making the amendments or including the additions; and

• When, and by whom, the amendments and/or additions were made and reviewed.

The practitioner documents the following aspects of the engagement in a timely manner,
sufficient to enable an experienced practitioner, having no previous connection with the
engagement, to understand:

• Any issues identified with respect to compliance with relevant ethical requirements
(including independence) and how they were resolved, and any relevant discussions
with the firm that support these conclusions.

• All conclusions reached regarding the acceptance and continuance of client
relationships and the engagement.


• The nature, timing, and extent of the procedures performed to comply with the
required HKICPA standard and applicable legal and regulatory requirements.

• Results obtained from the procedures, and the practitioner’s conclusions formed on the
basis of those results.

• If the practitioner used the specific work of the internal auditors, the conclusions
reached regarding the evaluation of the adequacy of the work of the internal auditors
and the procedures performed by the practitioner on that work.

• Significant matters arising during the engagement, including discussions with
management and/or those charged with governance/relevant others, including
the nature of those matters, the disposition of such matters (e.g. inconsistencies
in information), the practitioner’s conclusions reached thereon, and any significant
professional judgements made in reaching those conclusions.

• The record of how the subject matter information reconciles with the underlying
records, documents, explanations, and other information provided by management.

• A copy of the final version of the subject matter information for which management or
those charged with governance, as appropriate, has acknowledged their responsibility
and the practitioner’s report.

• Evidence of who:

° Performed the engagement work and the date such work was completed; and

° Reviewed the work performed for the purposes of quality control for the
engagement and the date and extent of the review.

• The nature and scope of, and conclusions resulting from, any significant consultations
undertaken during the course of the engagement.

Key Learning Point


The engagement file documentation must support the practitioner’s report and stand
alone in terms of another practitioner being able to understand how the engagement was
planned, conducted, and reported, particularly how significant matters to the engagement
were addressed and resolved.

Knowledge Check Questions

Question 12
You recently completed an assurance engagement on Yau’s greenhouse gas (GHG)
statement, dated 31 December 20X9, that was published on their website, in respect of
reported carbon dioxide (CO2) emissions at their manufacturing plant at Chengdu. Based
on the procedures performed, you issued an unmodified assurance conclusion on their
statement. The Chief Operating Officer of Yau Manufacturing Company Ltd, Mr. Wong,
has just made you aware of a subsequent event that may affect the completeness of the
quantification of the reported CO2 emissions in the GHG statement. Explain what the most
appropriate course of action for yourself is.



Question 13
You are assembling the engagement file for a non-assurance engagement involving
compiling historical financial information. The file is going to be reviewed by another
advisory partner in your firm as required under your firm’s quality control management
policy. In reviewing the documentation on the file, you realise some supporting
documentation you received from the client on a material balance is not in the file and is
still contained in an email file you saved in your email system. Explain whether you need to
download and attach the email file to the file or can instead cross-reference to the email.

12.7 PREPARING THE ENGAGEMENT REPORT

12.7.1 Other Assurance Report Contents


In preparing the assurance report, the practitioner evaluates the results of their procedures
in order to form the conclusions in the report. For example, the practitioner should consider
whether any matters would preclude the practitioner from issuing their assurance report
or whether they may need to modify or qualify the conclusion.

The report form can be a formal report or a letter, depending on engagement
circumstances and the requirements of the applicable assurance standard. All assurance
engagements must have a written assurance report issued by the practitioner. Their form
and content elements will be determined, at a minimum, by the requirements of the relevant
HKICPA standard.

In terms of dating the assurance report, the practitioner is required to date the report no
earlier than the date on which the practitioner has obtained sufficient appropriate evidence
as the basis for the practitioner’s conclusion on the financial statements, including being
satisfied that:

• All the statements that comprise the subject matter information have been prepared
under the applicable criteria, including the related notes where applicable; and

• Those with the recognised authority have asserted that they have taken responsibility
for the subject matter information.

Each applicable HKICPA standard contains minimum requirements for each other
assurance engagement discussed in Section 12.2. The practitioner is able to add additional
content over and above these minimum requirements. Refer to the reporting sections within each
standard to understand the minimum requirements applicable to the particular engagement.

12.7.2 Non-assurance Report Content


In preparing the report, the practitioner evaluates the results of the agreed-upon procedures
performed on the financial information or in compiling the financial information. They consider
if all the procedures have been performed and the results of those procedures, including if any
exceptions or errors were identified. They consider, using professional judgement, and taking
into account the engagement circumstances and requested reporting by the entity, whether
to include any or all of these exceptions and errors in the report. Ordinarily all exceptions and
errors are reported.

Each applicable HKICPA standard contains minimum requirements for each non-assurance
engagement discussed in Section 12.2. The practitioner is able to add additional content over
and above these minimum requirements. Refer to the reporting sections within each standard to
understand the minimum requirements applicable to the particular engagement.

Key Learning Point


All engagements require the practitioner to produce a written report, and provide it to the
appropriate person, as evidence of the work performed and the results of that work.

Knowledge Check Questions

Question 14
You have recently completed fieldwork on an engagement to assure a company’s pro
forma financial information in connection with the company seeking increased funding
from their financiers. You need to prepare the assurance report and were unsure
whether you needed to include all the requirements contained in HKSAE 3420 Assurance
Engagements to Report on the Compilation of Pro Forma Financial Information Included in a
Prospectus as the requirements do not all seem to apply to your engagement. Evaluate
what the practitioner’s reporting obligations are under the standard.

Question 15
Explain, in reporting on assurance engagements, whether you need to consider HKSAE
3000 (Revised) Assurance Engagements Other Than Audits or Reviews of Historical Financial
Information reporting requirements in preparing the assurance report.


SUMMARY

This chapter explained the different types of assurance engagements and non-assurance
engagements an HKICPA practitioner can perform on different subject matter information.
It also explained the key differences of, and key aspects for, both engagement types when
planning, performing, and reporting, including relevant ethical considerations. It covered:

• Assurance engagements:

° All review engagements (Hong Kong Standards on Review Engagements).

° Assurance engagements (Hong Kong Standards on Assurance Engagements).

° Investment circular reporting (Hong Kong Standards on Investment Circulars).

° Applicable Practice Notes (related to another assurance engagement or non-assurance
engagement).

° Hong Kong Auditing Standard HKSA 810 (Revised) Engagements to Report on Summary
Financial Statements.

° Other types of assurance engagements (not HKICPA Standard specific), including
compliance audits, operational audits, and value for money audits.

• Non-assurance engagements

• All non-assurance engagements (Hong Kong Standards on Review Engagements).


MIND MAP

[Mind map of the chapter, centred on "Other Assurance Engagements Requirements". Branches: Other Assurance Engagements Requirements; Other Assurance Engagements and Non-assurance Engagements; Engagements Risk for Other Assurance and Non-assurance Engagements; Obtaining Sufficient Evidence; Communication with Those Charged with Governance; Evidence Analysis; Preparing the Engagement Report.]

Answers to Knowledge Check Questions

Question 1
Answers A, B, and D are incorrect. They are all assurance engagements as the practitioner
independently designs and specifies the procedures to perform on the internal controls
(not the entity).
Answer C is correct. The entity specifies the procedures to be performed by the
practitioner; therefore, the practitioner does not independently plan, design, and perform
their own procedures to obtain any type of assurance on the internal control.

Question 2
Yes, provided the practitioner has the necessary competencies and skills and is able to
meet the relevant ethical requirements to conduct the particular engagement.

Question 3
The level of assurance provided is different. An engagement to review interim financial
statements is limited assurance (negative conclusion), in contrast to an engagement to
audit financial statements, which is reasonable assurance (positive conclusion).


Question 4
Answer A is incorrect. This is not permitted by the Code of Ethics or HKSQC 1.
Answer B is correct. The practitioner cannot prepare and compile information that is then
subject to audit as this is a clear threat to their independence and is not allowed by the
HKICPA Code of Ethics for Professional Accountants or HKSQC 1 Quality Control for Firms That
Perform Audits and Reviews of Financial Statements, and Other Assurance and Related Services
Engagements.
Answer C is incorrect. The conflict is of the practitioner’s independence not the
confidentiality fundamental principle.
Answer D is incorrect. HKSRS 4400 does not specifically allow this situation. It does,
however, contemplate this situation arising. In fact, in the Application and Other
Explanatory Material, paragraph A37 of HKSRS 4400, it notes that in setting the
engagement terms the practitioner should include a specific term outlining the ‘extent of
the practitioner’s responsibilities, including that the practitioner will not express an audit
opinion or a review conclusion on the financial information’.

Question 5
The practitioner performs an assessment of engagement risks prior to acceptance or
continuance to ensure that they are fully informed of, and understand the nature of,
the entity and the subject matter information they are being asked to report on. This
allows the practitioner to make a professional judgement as to whether they wish to be
professionally appointed by the entity to conduct the work (and be associated with the
engagement). The practitioner should ensure for the engagement that intended users
of the report have a good understanding and agreement of the practitioner’s scope of
work agreed, procedures to be performed, and type of report (and level of assurance, if
applicable) to be provided.

Question 6
Each engagement conducted by HKICPA standards sets out pre-conditions that must
exist/be met prior to accepting or continuing an engagement. Additionally, there may be
applicable laws, regulations, or proposed engagement terms (specified by the practitioner
and/or the entity) that specify pre-conditions. Pre-conditions are established essentially
to ensure that similar engagements are performed consistently in accordance with
requirements, in particular agreements between the practitioner and the entity, for how
the engagement will be conducted and the requirements are all met. Generally, if any
such pre-conditions are not met, the practitioner does not accept or continue with the
engagement unless required by law or regulation to do so.

Question 7
Yes, Yau have a new management team and it is appropriate to issue a new
engagement letter so that you receive their acknowledgement and acceptance of the
engagement terms.
As noted in the opening case, Yau have a new Chief Financial Officer, Chief Operating
Officer, and Chair of the Audit Committee, and therefore it is appropriate to issue an
engagement letter for them to give them the opportunity to review the engagement
terms contained in the engagement letter and to sign the letter as evidence of their
acknowledgement and acceptance of its engagement terms.


Question 8
Answer A is correct but is not the best answer. It does not explain why obtaining an
understanding is important.
Answer B is correct. The practitioner obtains an understanding of the subject matter
information so that they can design an efficient audit that targets their procedures and
work effort to those areas within the subject matter information that are material or they
understand may have risks of material misstatement.
Answer C is incorrect. Obtaining an understanding of the subject matter information is
critical to planning and performing a risk-based assurance engagement.
Answer D is incorrect. This is not the purpose of obtaining an understanding of the
subject matter.

Question 9
No, a practitioner is not required to use sampling if it is not efficient to do so, taking into
consideration the characteristics of the population within the subject matter information,
e.g. the number of transactions included in the population and its materiality.

Question 10
Communicating with those charged with governance on a timely basis allows them the
opportunity of investigating the matter raised and to respond appropriately (e.g. provide
additional information).

Question 11
Answer A is correct. The practitioner should always advise significant difficulties they
experienced during the engagement in obtaining sufficient appropriate evidence on which
to form a conclusion on individual material components of the subject matter information.
Answer B is incorrect. This is part of the engagement and the fact that the practitioner
had to design and perform alternate procedures from those planned does not ordinarily
warrant those charged with the governance’s attention.
Answer C is incorrect. The practitioner does not ordinarily need to inform those charged
with governance of this. An exception to this is if under the terms of engagement those
charged with governance had specifically requested the practitioner to advise on their
entity’s compliance with applicable laws and regulations related to the engagement.
Answer D is incorrect. The practitioner is not required to report clearly trivial misstatements.
An exception to this is if under the terms of engagement those charged with governance
had specifically requested the practitioner to advise these types of misstatements.

Question 12
You should meet with the Chief Operating Officer of Yau (Mr. Wong) as soon as practical to
understand the details of the subsequent event they have made you aware of and review
any relevant documents connected to the subsequent event. Based on this additional
information, you should assess its impact, if any, on the issued assurance report on the
greenhouse gas statement. Its impact will depend on the nature of the event and whether
it has the potential to change the assessment of evidence obtained during the engagement
and ultimately if it could impact your conclusion on the GHG statement.


If based on further procedures you designed and performed, and additional evidence
obtained, you assess the subsequent event to change your issued assurance report,
then you would update the engagement file for the information, work performed, and
conclusion formed and then update and re-issue the assurance report to explain the
impact of the subsequent event. If the subsequent event is not disclosed in the GHG
statement or accompanying notes, the practitioner could consider that a different
assurance conclusion (e.g. modified opinion) is appropriate or could include an emphasis
of matter paragraph or another matter paragraph.
If based on further procedures you designed and performed, and additional evidence
obtained, you assess the subsequent event does not change your issued assurance report,
then you would file the additional information, together with your conclusion on that
information, and finalise the engagement file.

Question 13
The most appropriate course of action is to download the file and attach it to the
engagement file so that the file stands alone and the quality control reviewer can review
the complete engagement file. Cross-referencing is not appropriate as that reviewer
must be able to review all documentation used as evidence in the engagement within the
engagement file.

Question 14
The minimum reporting requirements within HKSAE 3420 Assurance Engagements to
Report on the Compilation of Pro Forma Financial Information Included in a Prospectus
must be complied with. The practitioner is not able to exclude any information required
to be included in the assurance report. If they do, the report is not in compliance
with HKSAE 3420 and they would be unable to assert in the assurance report that the
engagement had been conducted in accordance with HKSAE 3420.

Question 15
Yes, the practitioner is required to consider, and comply with, the minimum requirements
in HKSAE 3000 (Revised) in addition to the particular HKICPA standard relevant to the
engagement.

EXAM PRACTICE

QUESTION 1
The Chief Financial Officer, Ms. Chan, of Yau Manufacturing Company Ltd would like to
understand the key differences between an assurance engagement and a non-assurance
engagement. Yau are contemplating requesting a number of engagements covering their
diverse manufacturing business and would like to understand the benefits and costs of
each option.

Required:

Explain to Ms. Chan what the key differences are between an assurance engagement and
a non-assurance engagement. Be sure to include in your explanation their relative benefits
and costs in conducting the respective engagement.


QUESTION 2
You are the assurance partner of Chow & Co CPAs and have just received a request from the
Very Best Lighting Company (Very Best) based in Hong Kong to review their 31 December
20X8 financial statements. You understand that they have never had an audit or review
conducted before (they commenced trading in March 20X6) and have recently obtained
financing from Standard Chartered Bank (Hong Kong) to fund their expansion into wholesale
selling of small electrical appliances. As part of the new financing arrangement, the bank
has required Very Best to have their most recent 31 December 20X8 financial statements
reviewed by an independent HKICPA practitioner.

Required:

(a) Explain your key considerations in accepting this engagement.


(b) Describe what type of assurance procedures you would plan to perform.

ANSWERS TO EXAM PRACTICE

QUESTION 1
Assurance Engagements

An assurance engagement is conducted when the entity requires independent assurance on
financial or non-financial information. It is designed to enhance the degree of confidence of
intended users (of the assurance report) about the outcome of the practitioner’s evaluation/
measurement of that financial or non-financial information against acceptable applicable
criteria (e.g. the requirements of the applicable financial or other reporting framework). This
outcome is expressed in terms of a positive (reasonable) or negative (limited) assurance
conclusion included in the practitioner’s report. The practitioner obtains sufficient
appropriate evidence on the financial or non-financial information, as measured against
applicable criteria, to enable them to express a conclusion, having planned, designed,
and performed their audit procedures to achieve this outcome. In some cases, the type of
assurance possible depends on the requirements of applicable HKICPA standards.

The practitioner is required to be independent of the entity for all assurance
engagements and performs procedures that are planned, designed, and performed by them,
based on their own risk assessment of the subject matter information and the engagement.
The entity, as the responsible party, prepares and accepts responsibility for the accuracy and
completeness of the subject matter information on which the practitioner provides assurance.

An assurance engagement is more time consuming and costly than a non-assurance
engagement due to the increased work performed by the practitioner and the fact that the
practitioner expresses a conclusion on the work performed. If the intended users of the
practitioner’s report are external to the entity, they will often see more value in assurance
engagements than non-assurance engagements as the HKICPA practitioner expresses an
opinion on the work performed.

Non-assurance Engagements

In contrast, a non-assurance engagement is conducted when the entity does not require
independent assurance on specified financial or non-financial information (specified
information), but instead requests the practitioner (who may or may not be independent
of the entity) to perform certain procedures, nominated by the entity, on that specified
information. Often these procedures are designed to meet the needs of intended users
(who may be internal or external to the entity). Given the practitioner has not independently
determined the nature, timing, and extent of procedures to perform, instead agreeing to
perform the entity’s specified procedures, they are not able to provide independent assurance.

The practitioner then reports results of performing those procedures in a factual
findings report to the engagement’s nominated intended users (i.e. the practitioner does
not express any opinion or draw any conclusion from the procedures performed on the
specified information). The entity, having received the practitioner’s report, interprets the
findings in the context of their business, draws their own conclusions about the outcome of
the procedures performed as contained in the report, and takes any appropriate action(s).
Again, the entity, as the responsible party, prepares and accepts responsibility for the
accuracy and completeness of the subject matter information, on which the practitioner does
not provide assurance (i.e. the practitioner does not verify or express any opinion on the accuracy or
completeness of the entity’s information being reported on).

A non-assurance engagement is less time consuming and costly than an assurance
engagement due to the reduced, more targeted, work performed by the practitioner and
the fact that the practitioner does not express any conclusion on the work performed. If
the intended users of the practitioner’s report are internal to the entity, and the nature
of the information being reported on is focused/targeted, and the entity only needs a
HKICPA practitioner to perform certain agreed procedures on the specified information,
then a non-assurance engagement may offer more value than an assurance engagement.

QUESTION 2
(a) HKSRE 2400 (Revised) Engagements to Review Historical Financial Information is the
applicable HKICPA standard as it applies to a review engagement performed by a
practitioner who is not the auditor of the entity. The objective of this type of review is
to enable Chow & Co CPAs to state, on the basis of procedures performed (primarily
inquiry and analytical procedures), whether the financial statements as a whole are
free from material misstatement, so that they are able to conclude as to whether anything has
come to their attention that causes them to believe that the 31 December 20X8 financial
statements are not prepared, in all material respects, in accordance with the applicable
financial reporting framework (being the applicable criteria). The review conclusion is
limited assurance.
Key considerations to achieve the engagement objectives are:

• Are there any engagement risks to accepting this new engagement (these
depend on the particular engagement circumstances and the type of subject
matter information and therefore vary from engagement to engagement)?

• Ensure you have the ability to comply with relevant ethical requirements
contained in the Code of Ethics (Parts 1, 3, and Part 4A) and HKSQC 1 Quality
Control for Firms That Perform Audits and Reviews of Financial Statements, and Other
Assurance and Related Services Engagements.

° You need to be independent of Very Best and possess competence in
assurance skills and techniques and competence in financial reporting
appropriate to the engagement circumstances.

° You should be able to plan and perform the review with professional
scepticism and exercising professional judgement.


• Be alert to any information obtained to assess if anything has come to your
attention that causes you not to accept the engagement.

• Consider if any of the engagement pre-conditions required by HKSRE 2400
(Revised) cannot be met. If so, the engagement should be declined.

• Set materiality for the financial statements as a whole. This materiality can
be used in designing the procedures and in evaluating the results of those
procedures.

• Understand the entity and its environment, through inquiry and inspection
of relevant documents, sufficient to identify and assess the risks of material
misstatement of the subject matter information, whether due to fraud or error,
and also sufficient to design and perform further procedures to respond to
those assessed risks. As you are not the entity’s auditor, you will not ordinarily
have the same understanding of the entity and its environment, unless you have
performed this type of engagement for Very Best before (we are not told in the
question). You therefore have to plan to perform additional procedures to gain
an understanding sufficient for the engagement.

• Understand the subject matter information (in this case, the 31 December 20X8
financial statements) through inquiry and inspection of relevant documents,
sufficient to provide you with the ability to report on the subject matter
information. The level of understanding of the subject matter information must
be sufficient to:

° Identify and assess any areas of possible material misstatement in the
subject matter information (risk considerations) and how you plan to
respond to those risks through designing the nature, timing, and extent of
certain procedures.

° Check the relevance and reliability of information to be used as evidence.

° Check whether the work of an expert, another practitioner, an entity’s or
measurer’s or evaluator’s expert, or an internal auditor is expected to be used.

(b) The types of assurance procedures, sufficient to obtain limited assurance, are designing
and performing inquiry and analytical procedures, based on having previously
identified the areas where a material misstatement in the subject matter information
is likely to arise and to address all material items in the financial statements (including
disclosures). You should remain alert to any related parties, fraud and non-compliance
with laws and regulations, and going concern related issues, and any subsequent events
that occur after the practitioner’s report is issued, as they may impact the review.

• Inquiries are usually of management and other relevant persons within the entity.

• Analytical procedures are performed on historical financial information, once
you have assessed that the data obtained from the entity’s IT systems (including
accounting) are adequate.

If you become aware of matters that cause you to believe the subject matter information
may be materially misstated, you would have to design and perform additional procedures
to obtain further evidence to enable you to conclude if this is the case or not.

13 Computerised Business Systems and Controls

CHAPTER TOPIC LIST

13.1 Overview of Computerised Business Systems
13.1.1 IT Department Structure
13.1.2 IT Department Functions

13.2 IT Environment
13.2.1 Implementation of New IT Systems
13.2.2 Financial Reporting Systems
13.2.3 E-commerce Overview and Importance to Business
13.2.4 Networked Systems
13.2.5 PC Systems

13.3 IT Strategy
13.3.1 The Role of IT Strategy
13.3.2 How Information Technology Improves Internal Control
13.3.3 Assessing Risks of IT

13.4 Internal Controls Specific to IT
13.4.1 General and Application IT Controls Relationship
13.4.2 General Controls
13.4.3 Application IT Controls
13.4.4 Auditing in Computerised Business Systems and Controls

13.5 Computer-assisted Auditing Techniques
13.5.1 Audit Software
13.5.2 Test Data and Testing Procedures
13.5.3 Documentation
13.5.4 Effectiveness of Cyber-security Safeguard
13.5.5 Weakness Identification and Recommendations

13.6 E-commerce Control Issues
13.6.1 Detailed Characteristics of E-commerce Systems
13.6.2 Internal Controls in E-commerce
13.6.3 Auditing E-commerce


LEARNING OUTCOMES

PRINCIPAL LO4: EVALUATE AND ADVISE ON COMPUTERISED BUSINESS SYSTEMS AND CONTROLS
LO4.01: Evaluate and advise on computerised business systems and controls of an entity
4.01.01 Explain how an effective IT department should be structured
4.01.02 Describe the functions that should be carried out by the IT department
4.01.03 Describe the contents of an IT strategy
4.01.04 Explain the importance of e-commerce to a business
4.01.05 Explain the characteristics of an entity operating a networked computer system
4.01.06 Explain the characteristics of an entity operating with standalone PCs
4.01.07 Describe examples of general and application controls
4.01.08 Prepare documentation of key systems
4.01.09 Analyse an entity’s controls within selected processes
4.01.10 Design appropriate procedures to test the operation of an entity’s control system, including
the IT environment, and the effectiveness of its cyber-security safeguard
4.01.11 Evaluate the outcome of the testing of the control system to address identified weaknesses
4.01.12 Recommend IT controls that are appropriate to the entity
4.01.13 Identify and explain the effect of e-commerce on the auditor’s risk assessment and
audit approach
4.01.14 Identify the knowledge and skills required to audit an entity’s e-commerce activities
4.01.15 Design effective business processes including key controls activities
4.01.16 Advise on the risks relating to particular business processes


OPENING CASE

CWAVES FERRY HOLDING COMPANY LIMITED

CWaves Ferry Holding Company Limited (CWaves) is a publicly listed company on the Hong
Kong Stock Exchange (HKEx). It operates ferry services in Hong Kong Harbour, Sok Kwu
Wan, Shenzhen, and Macau. CWaves has 10 wholly owned subsidiaries and is a conglomerate
with quite varied interests and investments. The CWaves Group has significant investments in
buildings, godowns, port infrastructure, travel agencies, and hotels.

The Chief Information Officer (CIO) for the CWaves Group is Ka Yut Kwan. Ka Yut was
previously the IT manager at CWaves Hotels Company and was promoted to replace Liao Jing,
who retired at the end of last year. Jing had been CIO for more than 10 years.

As CIO, Ka Yut is responsible for the IT services delivered to this large organisation with
many different parts (Exhibit 13.1). Although Ka Yut likes his job and thinks that CWaves has
many good opportunities, he is at times daunted by the complexity of the organisation.

EXHIBIT 13.1 Corporate structure of CWaves Ferry Holding Company

[Organisation chart: CWaves Ferry Holding Company Limited holds 100% of each of the ten subsidiaries listed below; the chart carries the label "Material to the Group".]

1 CWaves Hotels Company
2 CWaves Ferries Company
3 HKCW Development Holding Company
4 HKCW Investment Limited
5 Hai Cruising Company
6 CWaves Maintenance Company
7 CWaves Godown Company
8 Donghai Company
9 CWaves Management Company
10 Wonder Travel Company

Currently, each member of the CWaves Group has its own IT department and its own IT
infrastructure, except for Hai Cruising Company and Wonder Travel Company. Hai Cruising and
Wonder Travel share their IT department with a cloud-based infrastructure. It is CWaves Group
policy that all IT departments throughout the group have a job rotation programme to give
IT staff experience in each member of the group. To date, however, members of the CWaves
Godown IT team have not taken part in the job rotation programme.

Each IT department delivers services to the company in which it is located. There are
nine different data centres (including the Group Data Centre, which hosts all of the group’s
electronic commerce solutions) and the Hai Cruising/Wonder Travel cloud-based service
provider. There are 1,000 workstations and laptops used by the CWaves workforce.

The Group Data Centre provides electronic commerce hosting services, principally
for CWaves Hotels, Wonder Travel, and CWaves Godown. This Data Centre uses the latest
technologies and is run by an external service provider. This is HKBuTS – Hong Kong Business
Technology Solutions – and this company manages the Group Data Centre and its IT security
using CWaves’ own infrastructure. The electronic commerce solution for CWaves Hotels and
Wonder Travel is a standard commercial system, but the electronic commerce software for
CWaves Godown is developed by the CWaves Godown software development team using agile
software methods (SCRUM and eXtreme Programming (XP)).

Ka Yut thinks that, although managing the technology is a big task on its own, managing the
people is of great concern to him. For example, the CWaves Godown software development
team is secretive about the software that they have developed for CWaves Godown’s electronic
commerce solution. They are concerned that if they share the source code for the solution that
they have developed, Ka Yut will fire them. The software development team deliberately writes
the software with little documentation and insists on managing the installation of the software
on the CWaves Group Data Centre rather than letting the HKBuTS team have access to the
software. The source code is kept on CWaves Godown’s own IT infrastructure.

Ka Yut has a meeting of the CWaves IT Committee on Monday morning and has just reviewed
the agenda. Although the agenda deals with the normal, regular updates on various IT projects,
Ka Yut is curious. Tak Wai Yu, the team leader of the financial audit team, wants to meet with
the IT Committee. Why, exactly, do the financial auditors want to meet with the members of
the CWaves IT Committee? There must be some mistake and they really want to meet with the
CWaves Audit Committee – Ka Yut is responsible for CWaves’ technology infrastructure and
keeping it operational, not the financial accounts.

On the agenda there was a phone number listed for Tak Wai. Ka Yut called her and asked
the question, ‘Why do you need to meet with myself and the IT Committee? Why do you even
care about what we do with IT? You’re about the numbers!’ There was an exasperated sigh at
the other end of the line before Tak Wai Yu spoke. ‘Well, let me tell you – there’s a whole bunch
of reasons I need to talk to you and your team. But mostly, it’s because the auditing standards
require me to do so!’


OVERVIEW

The auditor is required to develop a professional opinion as to the risk of material
misstatement in the financial reports whereby a financial report is so inaccurate, incomplete,
or invalid that it could affect the decisions of a user of a financial report.

The information in financial reports is derived from one or more information systems (IS)
in the audited entity. The effectiveness of these systems is therefore a key consideration for the
auditor in developing a professional opinion.

This chapter provides a foundational guide to the auditor in assessing the risk of material
misstatement in the financial reports relating to the audited entity’s IS. The most relevant Hong
Kong Standards on Auditing (HKSA) for this assessment are HKSA 315 (Revised 2019), Identifying
and Assessing the Risks of Material Misstatement, and HKSA 320, Materiality in Planning and Performing
an Audit (HKSA 320.10, HKSA 320.14). The HKSA set out three IS audit-related duties that the financial auditor must fulfil when
auditing the financial reports of an entity. This chapter directly addresses these three duties.

The auditor’s first duty is, in the context of the use of IT in the entity’s business model,
to understand the IT environment and the entity’s system of internal control. Appendix 1
to HKSA 315 (Revised 2019) identifies the considerations for understanding the entity and
its business model. The auditor must understand the structure and operations of the IT
department (Section 13.1: Overview of Computerised Business Systems) and the building of
new systems and how the systems in place affect financial reporting information (Section 13.2:
IT Environment).

The auditor’s second duty is to assess the risks that arise from the use of information
technology (IT). The auditor needs to understand how the strategic use of IT affects internal
control at the entity and the assessment of IT risk (Section 13.3: IT Strategy).

The auditor’s third duty is to develop the audit strategy and approach required to evaluate
the effectiveness of the audit entity’s IT internal controls. The auditor must select audit
procedures that allow the auditor to evaluate the effectiveness of the system of internal control
specific to IT (Section 13.4: Internal Controls Specific to IT).

This chapter concludes by addressing two final issues. The first is the use of
computer-assisted auditing techniques (Section 13.5: Computer-assisted Auditing Techniques).
The second is the selection of audit procedures that address the internal controls of electronic
commerce (e-commerce) IS (Section 13.6: E-commerce Control Issues).

The chapter recognises that the nature and complexity of the entity and its business model
may result in entities using a range of IT systems and infrastructure whose characteristics
impact the matters to be considered by an auditor in addressing their responsibilities. This
chapter covers a range of such IT models and frameworks with differing characteristics
affecting IT matters in an IT environment and the system of internal control.


13.1 OVERVIEW OF COMPUTERISED BUSINESS SYSTEMS

At the broad level, the auditor obtains an understanding of the entity and its environment,
the application of the applicable financial reporting framework and how inherent risk may
impact assertions to formulate expectations about classes of transactions, account balances
and disclosures. These expectations need to be based on an understanding of the entity’s
information system.
HKSA 200 Overall Objectives of the Independent Auditor and the Conduct of an Audit in accordance
with Hong Kong Auditing Standards requires the auditor to obtain sufficient appropriate audit
evidence to reduce audit risk to an acceptably low level. Audit risk, being the risk of the
auditor issuing an unqualified opinion due to the failure to detect material misstatements, is
therefore a function of the risk of material misstatement and detection risk. The risk of material
misstatement exists at the overall financial statement level and the assertion level. HKSA 200 indicates
that the risks of material misstatement are assessed at the assertion level to determine the
nature, timing and extent of further audit procedures to obtain sufficient appropriate audit
evidence on which to form an opinion.
HKSA 300 Planning the Audit of Financial Statements requires that the auditor develop an audit plan and
strategy that implements the risk identification and assessment process.
In applying HKSA 200 and HKSA 300, HKSA 315 (Revised 2019) requires a separate assessment of inherent and control risks for
identified risks of material misstatement. This requires an understanding of the entity and
its environment, the applicable financial reporting framework and the entity’s system of
internal control.

Paragraph 19 of HKSA 315 (Revised 2019) identifies a number of aspects of the entity and its environment of which the
auditor needs to obtain an understanding when performing risk assessment procedures.
One aspect of this requirement is gaining an understanding of the business model, as this
provides information about the business risks facing the entity, which risks may have financial
consequences. One implication of this requirement is that the auditor needs to understand the
extent to which the business model integrates the use of IT.

As part of the process of gaining that understanding, HKSA 315 (Revised 2019) requires the auditor, when performing
the risk assessment, to consider the components of the entity’s system of internal control.
Computerised systems operate within an entity’s overall system of internal control.

The system of internal control is defined in paragraph 12(m) of HKSA 315 (Revised 2019) as:

“The system designed, implemented and maintained by those charged with governance,
management and other personnel, to provide reasonable assurance about the achievement of an
entity’s objectives with regard to the reliability of financial reporting, effectiveness and efficiency of
operations, and compliance with applicable laws and regulations.”

HKSA 315 (Revised 2019) identifies the following inter-related components of the system of internal control to which
the auditor needs to apply risk assessment procedures. The discussion that follows addresses
the components discussed in paragraphs 21-26 of HKSA 315 (Revised 2019).


Control environment.
This component covers the culture and values applied to governance and oversight
responsibilities by management, or where separate from management, those charged with
governance, and in determining whether the appropriate culture has been created and
maintained. The auditor also considers:

(a) the assignment of authority and responsibilities;

(b) the ability of the entity to attract, develop and obtain competent individuals;

(c) how individuals are held accountable for their responsibilities;

(e) the evaluation of whether the control environment provides an appropriate base for
other control components given the complexity of the entity; and,

(f) how dealing with deficiencies may impact other control components.

In doing so, the auditor evaluates how the entity demonstrates behaviour consistent with
management’s commitment to integrity and ethical values. This evaluation allows the auditor
to determine whether the control environment provides an appropriate foundation for other
components of the system of internal control, and assists in identifying potential issues in other
components and in understanding risks that can impact the assessment of risks of material
misstatement (HKSA 315.21, A99-108).

Risk Assessment Process.

This component involves identifying business risks relevant to financial reporting and assessing
the significance of, and the process for addressing, those risks. Again, the auditor is to evaluate
whether the process is appropriate given the nature and complexity of the entity.

As part of this evaluation the auditor needs to understand the business model as this
provides information about the business risks facing the entity and the role of IT at the
entity. Such risks may have financial consequences, and for this reason the auditor needs to
understand the extent to which the business model integrates the use of IT.
Appendix 1 to HKSA 315 (Revised 2019) identifies the considerations for understanding the entity and its business
model. It notes that the business model includes strategies by which management plans to
achieve its objectives and address the risks and opportunities facing the entity. For example,
the business model could have implications for how IT is used at the entity and its associated
risk. The business operations, nature of products, services, involvement in e-commerce, joint
ventures, geographic dispersion and location of production facilities might all have an impact
on the risk of material misstatement at the assertion level.

Understanding the entity’s risk assessment process to identify business risks and their significance
assists the auditor’s evaluation of how the entity identifies its business risks and how it
addresses those risks, and whether they are appropriate to the nature and complexity of the
entity (HKSA 315.22, A109-113).

Monitoring the System

This component involves the auditor understanding how the entity monitors effectiveness of
controls and remediates deficiencies. This involves understanding the sources of information
used to monitor the system of internal control and how management determines that
information is reliable for the purpose. The auditor has to evaluate whether the monitoring
process itself is appropriate given the nature and complexity of the entity (HKSA 315.24). The auditor may find
it relevant to consider the design, performance, and frequency of the monitoring activities. The
evaluation of the results of such activities to determine control effectiveness, and the remedial
actions taken to address identified deficiencies, may also be relevant.

For less complex entities, this understanding might focus on how management is directly
involved in IT operations as there may not be other monitoring activities. For example, the
auditor may explore these issues with management at interview, or observe them through
a walkthrough test. For more complex entities, monitoring of the system may include an
understanding of controls to monitor complex IT environments, monitor the permissions
enforcing the segregation of duties through automated information processing controls,
and controls that monitor automated financial reporting processes for errors or control
deficiencies.

Information System and Communication Activities Relevant to the Preparation of the Financial Statements.
This component focuses on policies that define, for significant account balances and disclosures,
how information flows through the information system, including how transactions are initiated,
recorded and processed, corrected and included in the general ledger. It also covers the entity’s
policies as to how information relevant to the preparation of the financial statements is captured
and processed, and how information is communicated both internally within the entity and
externally. In this context, the auditor needs to evaluate whether the financial statements have
been prepared in accordance with the applicable financial reporting framework.
This aspect focuses on the flow of transactions and other information processing related
to the preparation of the financial statements and whether this component supports the
preparation of the financial statements and auditor’s identification and assessment of the risks
of material misstatement at the assertion level.

If the results of the auditor’s procedures are inconsistent with expectations about the
system of internal control, this may also indicate risks of material misstatement at the financial
statement level. This includes the use of IT applications and other aspects of the IT environment
that may result in IT risks. In addition to understanding the systems and controls as it relates to
information from the entity’s internal processing, it covers information obtained from outside
the general and subsidiary ledgers, for example fair value calculations, estimates and modelling
assumptions for financial statement figures and disclosures (HKSA 315.25, A123-146).

Control Activities
This component involves the auditor gaining an understanding of the controls that address
the risk of material misstatement at the assertion level. It covers understanding controls over
journal entries and controls that the auditor plans to test, for operating effectiveness, when
determining the nature, timing and extent of substantive procedures. Within this component,
the auditor needs to identify the IT applications, and other aspects of the IT environment,
subject to the risks associated with the use of IT. In this regard, the auditor needs to evaluate
the effectiveness of the design of the controls identified as addressing the risk of material
misstatement, and whether the controls have been implemented, by performing procedures
other than simply by inquiry of entity personnel.

As indicated, the control activities component includes understanding the IT applications


associated with financial statement assertions subject to the risk of material misstatement and
the risks from using IT, including the general IT controls implemented to address those IT risks.


M13_c13.indd 770 1/26/2021 9:24:18 PM


Computerised Business Systems and Controls

Control activities are controls to ensure the proper application of policies, with the auditor’s
evaluation focused on the processing of information that directly affects risks to the integrity
of information, and particularly so for significant classes of transactions, account balances and
disclosures. Relevant controls here might relate to authorization, approvals, reconciliations,
verification, edit and validation checks, automated transactions, segregation of duties and
physical or logical controls. Understanding management’s approach in this area facilitates the
auditor’s decisions as to the approach to the performance of substantive procedures and
controls testing where substantive procedures do not provide sufficient appropriate audit
evidence (HKSA 315.26, A147-174).

Risks arising from the use of IT are defined in paragraph 12(i) of HKSA 315 (Revised 2019) as:

‘Susceptibility of information processing controls to ineffective design or operation, or risks to
the integrity of information (i.e. completeness, accuracy and validity of transactions and other
information) in the entity’s information system, due to ineffective design or operation of controls in
the entity’s IT processes.’

The IT environment includes:

(a) IT applications/programs used to initiate, process, record and report transactions and
information,

(b) IT infrastructure, comprising the network, operating systems, databases and
associated hardware and software, and,

(c) Management of access to the IT environment, program changes, and IT operations.

The controls in the control environment, risk assessment and monitoring components set
out above are regarded as indirect controls that provide the foundation for the operation of the
other components of the system of internal control.

When an entity’s business systems involve IT systems, meeting the requirements of HKSA 315
(Revised 2019) will depend on the characteristics of the IT environment, the nature and
complexity of the IT systems and applications, and the framework within which IT, as well as
the system of internal control, is designed, implemented and maintained within an entity.

Key Learning Point


In summary, the above requirements to identify and assess the risks of material
misstatement mean that the auditor needs to obtain an understanding of the IT
environment, identified in HKSA 315 (Revised 2019) as the IT infrastructure, applications,
processes and personnel, in the context of financial reporting - to the extent that the IT
environment is relevant to the audit.

The Principles – For Auditing of IT Environments


There are two aspects to be addressed as principles in auditing IT environments.

The first aspect requires the auditor to understand the IT function capabilities of
the audited entity. This is facilitated by the auditor understanding and documenting the
organizational structure of the entity. Typically, that structure will include an IT department,
albeit that it varies in sophistication depending on the nature and size of the entity. In some
entities, the IT function may be less formalised and more loosely structured.

The auditor needs to understand the structure of the IT department and how the IT
department ensures that its work addresses the audited entity’s needs. Specifically, and
integral to this, is the need to understand and document the IT applications and controls
relevant to the information system that the entity relies upon to process, and maintain the
integrity of, information used in the financial reporting function. Understanding the flows of
transactions and the information processing system helps the auditor understand the nature
and characteristics of the IT applications used and the IT infrastructure supported by the IT
department.

The second aspect requires the auditor to understand and document the technical IT
environment of the audited entity. This second aspect is addressed below in Section 13.2. In
addressing the first aspect, the auditor documents a high-level understanding of the structure
and functions of the IT Department within the overall IT environment. That understanding is
needed to set the audit strategy for the entity.

Maintaining an understanding of the entity and its IT environment and system of internal
control involves obtaining, updating and assessing information throughout
the audit. The auditor’s expectations may change as new information is obtained and systems
are modified, and therefore the audit strategy in relation to IT risks also needs to be kept
current and relevant.

13.1.1 IT Department Structure


The IT department is the area responsible for providing the IT services upon which the entity
depends. An understanding of the structure of the IT department is important in understanding
the entity’s IT and controls environment. The IT department structure determines how decisions
are made regarding the planning, building, running, and management of the entity’s IT.

All entities are different and so the structure used will differ between entities. There is no
single ‘right’ way to structure the IT department. HKSA 265 (Clarified), Communicating Deficiencies
in Internal Control to Those Charged with Governance and Management, requires the auditor to
advise the client of control deficiencies, and if the structure of the IT department presents a control
weakness, the auditor may communicate this deficiency to the entity’s senior management. It
is not, though, the financial auditor’s role to advise the entity on how best to structure the IT
department. However, for the auditor to understand the IT environment, the auditor needs to
assess the fit between the structure used in the IT department and the nature of the entity.

There are three common ways of organising the IT function, although most entities will
likely reflect aspects of each model. These are the centralised, decentralised, and federated/
hybrid operating models.

The centralised model has a single central IT services structure that provides all IT services
to the entity’s business units. Decisions are made centrally and resources are allocated to each
business unit of the entity according to those decisions to address their needs. An advantage
of the centralised model is that costs can be more readily controlled and activities directed
according to centrally determined standards. In a centralised operating model, data are often
cohesive and meaningful across the entity. These advantages can be at the cost of flexibility
and agility in responding to the needs of each area of the entity.


In contrast, the decentralised model has an IT service department for each business unit of
the entity to meet its own needs. Resourcing decisions are made according to the needs of the
business unit rather than the needs of the entity as a whole. An advantage of the decentralised
model is that the business unit has access to its own resources and does not need to negotiate
with a central authority for those resources – the business unit makes its own investment
decisions based on its own resources. The work of the IT department is focused on the needs
of the business unit.

However, such an arrangement cannot realise the benefits that arise from economies of
scale and by necessity duplicates many IT services that are common across business units. Data
may also be redundant, inaccurate, or inconsistent. Some specialised services such as those
provided by cyber-security professionals are expensive to provide in each IT department under
the decentralised model. As the business units lack these specialised services, the entity also
lacks such capabilities. Further, a lack of centrally determined standards often means that data
sharing between areas of the entity is difficult, and hardware and software standards will likely
be incompatible.

Between the two extremes of centralised and decentralised operating models, the
federated/hybrid model places fully functioning IT service departments within the different
business units to provide flexibility, but with a strong central department providing common
IT services and direction. This arrangement provides a depth of capabilities centrally, allows
corporate-wide standards to be set that allow economies of scale to be realised, and still allows
some flexibility and agility as needed. The value of this arrangement is that the entity can
realise the benefits of both centralised and decentralised structures.

Key Learning Point


The auditor needs to understand and document the IT environment and related
department structures in place to the extent that they are relevant to the audit.

Illustrative Example 1

Department Structure

At CWaves, Tak Wai wanted to meet with members of the IT Committee to understand
the general IT environment at CWaves. As part of this discussion, Tak Wai spoke at length
with Ka Yut about the way in which the IT department at CWaves was structured. Each
member of the CWaves Group has its own IT department and its own IT infrastructure.
On its own, this would indicate a federated model. However, there is job rotation to
ensure that IT staff have experience with the IT infrastructure in each company. Since
Ka Yut was appointed from the CWaves Hotels Company, it seems that staff are a
shared resource.

Ka Yut, as CIO, is ‘responsible’ for the IT services delivered but he does not have
authority over the CWaves Godown software development team as they do not cooperate
by documenting their software.



The existence of the Group Data Centre that is shared amongst the members of the
group does indicate some central shared resources.

As it displays features of both a federated and a centralised operating model, Tak Wai
concludes that the structure of the CWaves Group is an example of a federated/hybrid
operating model.

13.1.2 IT Department Functions


To obtain an understanding of the IT environment and system of internal control, an
understanding of how the IT department functions helps the auditor to evaluate how the entity makes
IT-related decisions that ensure the validity of the information reported in the financial reports.
The IT department has many activities that it undertakes, but at the highest level these activities
all relate to the planning, building, running, and management of the IT infrastructure under
their control. The auditor is most concerned with how the IT function develops and operates the
entity’s IS and the provenance – or source – of the information that is reported in the financial
reports. There are several areas that the work of the auditor addresses.

Under HKSA 315 (Revised 2019), the auditor obtains information about the nature and
characteristics of the IT applications used and the IT infrastructure and its complexity.

HKSA 315 (Revised 2019) Appendix 5 ‘Considerations for Understanding Information
Technology (IT)’ identifies, among others, the following typical matters that the auditor may
consider in understanding the IT environment:

• The extent of automation and use of data (for example the extent of automated
procedures and reliance on system-generated reports).

• The IT applications and infrastructure (for example whether applications are
commercially available or are bespoke in-house).

• The IT processes (for example, how skills and numbers of personnel are involved, access
rights and program changes).

To understand the IT environment within the entity’s departmental structure, the auditor
is concerned with how the entity selects, develops, and implements new IT infrastructure
that affects the financial reports. New IT and IS applications bring change and, presumably,
operational improvements, but in such changes there also arise risks for the validity of the
data processed by these systems. The auditor must understand the processes for the selection
and development of new systems and applications and their implications for data validity.
For example, the auditor would be interested in understanding how software was selected or
developed if that software is considered material.

The auditor is interested in how the entity keeps the network accessible to authorised users
and how the network is secured against attempts to gain unauthorised access. The network
administrator role is responsible for ensuring only authenticated users access the network and
the security of all devices on the network.

Another key role is the IT operations team, which is responsible for IS that are part of the
network. The auditor needs to understand the responsibilities and accountabilities of the
members of the operations team for the individual IS and applications. The auditor needs to
understand how the network is kept secure and operational, including the reliance of the entity
on the work of third-party service providers.

The auditor also seeks to understand the integrity of the entity’s operational data. The
database administrator (DBA) role is responsible for ensuring the integrity and security of
the entity’s data stored in databases. As a specialist function, the role of the DBA is usually
undertaken as a shared service in centralised and federated/hybrid operating models. In the
decentralised operating model, the DBA is usually a service dedicated to the relevant business
unit. Another function to consider is the day-to-day processing of the data, which requires the
auditor to know how the data are controlled or entered into systems and whose responsibility
this task is. Further, the entity likely has a general computer operations function that maintains IT
infrastructure and possibly a data library function responsible for maintaining and archiving data.

The auditor must understand the entity’s approach to the development, implementation, and
operation of IS and specific IT applications that provide data that affect the financial reports. The
auditor must understand the role of the network administrator and the IT operations team, as
well as how responsibilities and accountabilities for keeping the network secure and operational
are assigned and segregated. Finally, the auditor needs to understand how the IT function
administers the database and processes the entity’s data that affect the financial reports.

Understanding the activities within an IT department and the complexity of its operations
facilitates the auditor’s identification of how the entity uses IT for processing, storing and
communicating financial reporting information and therefore the manner in which the entity’s
system of internal control is designed and implemented.

In the context of determining which IT applications the entity is relying upon to accurately
process financial information for the preparation of the financial statements, understanding
the IT departmental model and environment facilitates the auditor’s decision as to which IT
applications to test where automated controls address identified risks of material misstatement.

General controls support the continued effective functioning of information processing
and controls and proper operation of the IT environment. At this level, the auditor obtains an
understanding of the general IT controls for IT applications that the auditor has determined
address the risks of using IT. These risks arise when there is ineffective design of, or operation
of controls over, the entity’s IT processes.

HKSA 315 (Revised 2019) requires that the auditor understands the general IT controls. Appendix 6 to
HKSA 315 (Revised 2019), “Considerations for Understanding General IT Controls”, identifies general
IT controls typically implemented for each aspect of the IT environment:

• Applications and the nature and extent of controls commensurate with the functions of
applications and their complexity

• Database, addressing risks relating to unauthorised changes to information and
database access

• Operating system, dealing with administrative access and override of controls

• Network, dealing with network segregation, remote access and authentication.

Appendix 6 of HKSA 315 (Revised 2019) provides several detailed examples of general controls. These
examples illustrate general controls that deal with the processes of access management, management of
programs or other IT environmental changes, and the managing of IT operations.


General controls that support access management processes are necessary. Authentication
controls ensure that the user uses their own log-in credentials to access IT applications or other
aspects of the IT environment, and not the credentials of others. For example, user access may
be authenticated through unique user IDs and passwords to validate the user’s access.

Authorisation controls allow users to access the information they need to undertake
their role and no more, which facilitates the appropriate segregation of duties. For example,
one such authorisation control is management approval of the nature and extent of user
access privileges. For such controls to be effective, provisioning controls that authorise new
users or change the access rights of existing users are required in addition to ‘deprovisioning’
controls that remove user access when employees change role or leave the organisation. For
example, in addition to controls that approve user access for new users, controls that remove
or modify terminated or transferred users are required. Security over the privileged access
of administrator users ensures that the need for appropriate authorisation and restriction of
privileged access is attended to. Lastly, once granted, user access privileges should be regularly
reviewed in case unauthorised changes are implemented.

Key security configuration controls are needed that help restrict access to the environment.
Controls over physical access to the information technology infrastructure, such as secured and
reinforced doors and locks, are also required, as physical access can be used to override other controls.

General controls that manage changes to programs or other aspects of the IT environment
are also essential. Change management controls are controls that cover the process to design,
program, test and migrate changes to a production (i.e., end user) environment. Segregation of
duties should also be enforced over change migration; these controls segregate the user access
needed to make and migrate changes to a production environment. For example, users with
responsibility for processing financial transactions should not also have responsibility for migrating
program and data changes from the development environment to the production environment as
such users have access to financial application data outside of the application environment.
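
A user access review that tests the approval, deprovisioning and segregation-of-duties controls described in the access management and change management paragraphs above, as an added example that is not part of the original text. The HR extract, the access listing, the role names and the conflict rule are constructed assumptions.

```python
import csv
import io
from collections import defaultdict
from datetime import date

# Constructed HR extract: one row per employee (not real data).
HR_CSV = """employee_id,status,status_date
E001,active,2018-04-01
E002,terminated,2021-03-31
E003,active,2019-09-15
E004,active,2020-01-06
E005,transferred,2021-02-15
"""

# Constructed access listing: one row per role granted to a user ID (not real data).
ACCESS_CSV = """user_id,employee_id,role,enabled,approved_on
achan,E001,post_journal,yes,2021-01-10
achan,E001,approve_payment,yes,
blee,E002,post_journal,yes,2020-06-01
cwong,E003,migrate_to_prod,yes,2021-02-01
cwong,E003,post_journal,no,2020-05-05
dho,E004,post_journal,yes,2021-01-10
dho,E004,migrate_to_prod,yes,2021-01-12
elam,E005,approve_payment,yes,2020-02-01
sysadm,,db_admin,yes,2019-01-01
"""

# Assumed role sets: roles that process financial transactions and roles that
# move changes into production. Holding one of each is the conflict tested.
TRANSACTION_ROLES = {"post_journal", "approve_payment"}
MIGRATION_ROLES = {"migrate_to_prod"}


def _rows(text):
    """Parse CSV text into a list of dictionaries keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def _day(value):
    """Convert an ISO date string to a date; an empty field becomes None."""
    return date.fromisoformat(value) if value else None


def review_access(hr_csv=HR_CSV, access_csv=ACCESS_CSV):
    """Return a sorted list of (user_id, finding) exceptions."""
    hr = {row["employee_id"]: row for row in _rows(hr_csv)}
    findings = set()
    grants_by_employee = defaultdict(set)

    for grant in _rows(access_csv):
        if grant["enabled"] != "yes":
            continue  # a disabled grant gives no access, so it is not tested
        user, emp_id = grant["user_id"], grant["employee_id"]
        approved = _day(grant["approved_on"])
        employee = hr.get(emp_id)

        # Authentication: every enabled ID should belong to one known person.
        if employee is None:
            findings.add((user, "no employee owner (shared or orphan account)"))
            continue
        grants_by_employee[emp_id].add((user, grant["role"]))

        # Authorisation: access should carry a recorded management approval.
        if approved is None:
            findings.add((user, "no management approval recorded"))

        # Deprovisioning: leavers lose access, movers are re-approved.
        changed = _day(employee["status_date"])
        if employee["status"] == "terminated":
            findings.add((user, "enabled after termination"))
        elif employee["status"] == "transferred" and (
            approved is None or approved < changed
        ):
            findings.add((user, "not re-approved after transfer"))

    # Segregation of duties, assessed per person across all of their user IDs.
    for grants in grants_by_employee.values():
        held = {role for _, role in grants}
        if held & TRANSACTION_ROLES and held & MIGRATION_ROLES:
            for user in {u for u, _ in grants}:
                findings.add(
                    (user, "processes transactions and migrates to production")
                )
    return sorted(findings)


if __name__ == "__main__":
    for user_id, finding in review_access():
        print(f"{user_id}: {finding}")
```

The conflict check groups grants by employee rather than by user ID, so a person who holds the two roles under two different IDs is still reported.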

Likewise, controls over initial IT application development or their implementation are
needed. For example, application changes must be appropriately tested and approved in the
test environment before migration to the production environment. Data conversion controls
during development, implementation, or upgrades to the IT environment are also required. By
way of example, and similar to application changes, database changes should be appropriately
tested and approved before implementation in the production environment.

Finally, general controls over the management of IT operations are vital. Job scheduling
controls over the execution of programs affecting financial reporting should be in place. For
example, the job scheduling software should ensure only authorised users are able to update
batch jobs. The successful execution of these programs should also be overseen through job
monitoring to allow the correction of processing errors to ensure successful completion.

The backup and recovery of financial reporting data also need to follow a plan, and
this data needs to be recoverable in a timely fashion in the event of an outage or attack.
For example, financial data must be backed up regularly in accordance with an established
schedule. The final general controls in the management of IT operations discussed in Appendix
6 are intrusion detection controls that monitor intrusions in the IT environment. An example
of this control is the regular vulnerability scanning of the network perimeter by the network
management team (and, by extension, the follow-up investigation of potential vulnerabilities
discovered through this scanning).

Understanding the IT department’s role and the role of individuals in that department as
indicated above provides the information relevant to the HKSA 315 (Revised 2019) requirement.

The auditor needs to document the understanding of the functions of the IT department as
it relates to understanding the control activities component of the system of internal control.
This documentation should include the risk assessment procedures that identify controls that
address the risk of material misstatement at the relevant financial statement assertion level
and the IT applications and any associated IT risks from using IT, and the general controls that
address such risks.

IT controls are discussed further in Section 13.2.

Key Learning Point


The auditor is most concerned with:

• How the IT function develops and operates the entity’s IT applications and the
source of the information that is reported in the financial reports.

• How the network is made accessible to authorised users and how it is secured
against attempts to gain unauthorised access.

• The responsibilities and accountabilities of the members of the operations team
for the individual IS and applications as well as key third-party service providers.

• The entity’s approach to the development, implementation, and operation of IS and
specific IT applications that provide data affecting the financial reports.

Illustrative Example 2

IT Functions

Tak Wai needs to document how CWaves plans, builds, runs, and manages its IT. She
is very interested in understanding how the IT department functions, but not all IT is
relevant to the financial audit.

Tak Wai knows she will want to understand how the IT strategic plan is developed and
implemented, and how CWaves goes about building new systems. This means not only the
selection of software packages from established vendors, but also the building of new
information systems.

At a high level, Tak Wai is also keen to understand the responsibilities of HKBuTS in
operating the CWaves Group Data Centre. She is also looking to understand how CWaves
keeps the network accessible to authorised users and how the network is secured against
attempts to gain unauthorised access. The network administrator will likely be part of the
operations team and so Tak Wai documents the responsibilities and accountabilities of the
key team members. She also documents who fulfils the database administrator role and
how that role is structured in relation to the IT team.

Tak Wai first wants to discuss these issues with Ka Yut so that she understands the
foundation of how the IT function is carried out at CWaves before planning the audit.


Knowledge Check Questions

Question 1
Identify which of the following describes the requirement that an auditor will need to
obtain an understanding of the IT environment.
A The understanding of the financial reporting systems in place at the audited entity to the
extent that these systems are relevant to the audit.
B Only an understanding of the IT function capabilities of the entity.
C The understanding of IT function capabilities, as well as an understanding of the
structure of the IT department and the technical IT environment for the audited entity.
D The understanding of the IT function capabilities, understanding of the structure of the
IT department and the technical IT environment for the audited entity to the extent that
the IT environment is relevant to the audit and the risk of material misstatement.

Question 2
Identify which of the following lists the three common ways of organising the IT function.
A Star, hierarchical, or network configurations.
B Centralised, decentralised, or federated/hybrid operating models.
C Vertical, flat, or diagonal configurations.
D Consolidated, disaggregated, or hybrid operating models.

Question 3
Identify which of the following describes the overall activities of the IT department.
A Completing, validating, and correcting business data.
B Selecting, developing, and implementing new IT investments.
C Administering the network.
D Planning, building, running, and managing the IT infrastructure under their control.

Question 4
In the context of understanding how the IT department fulfils its functions at a high
level, identify which of the following is not an area that the work of the auditor is most
concerned with.
A How the entity keeps the network accessible to authorised users.
B How the entity secures the network against attempts to gain unauthorised access.
C How the entity maintains compatibility between IT devices with different operating
systems, such as macOS and Windows.
D How the entity selects, develops, and implements new IT infrastructure that affects the
financial reports.

Question 5
Identify which of the following is an advantage of using the decentralised model for
delivering IT services.
A Difficulty in achieving benefits arising from economies of scale.
B Each business unit does not need to negotiate with a central authority for decisions
made relating to the business unit’s IT resources.
C Incompatible hardware and software standards between business units.
D Easier data sharing between different business units.

Question 6
Explain whether it is the role of the auditor to provide advice to their client on the ‘best’
way to structure the IT function.

Question 7
Describe the key differences between the centralised, decentralised, and federated/hybrid
operating models for the IT function in organisations and explain which of these is the
most commonly used.

Question 8
Describe and contrast the role of the network administrator and the role of the database
administrator.

Question 9
Explain why the auditor needs to understand the IT department structure and functions.

13.2 IT ENVIRONMENT

The auditor’s responsibility is to obtain an understanding of the IT environment in the context of
the financial reports to be audited and to identify the risk of material misstatement arising from
the use of IT. There are two aspects of this duty and the first aspect (to understand the IT function
capabilities of the audited entity) was discussed in the previous section. The second aspect requires
the auditor to understand the technical IT environment. Here, the auditor needs to develop a more
detailed understanding of the processes and systems that are relevant to the audit.

An approach that is often used as an initial step of the audit involves the auditor identifying
the controls in place through a walkthrough test. A walkthrough test is part of the financial audit
and identifies source documents that commence a transaction cycle (e.g. a purchase order).
The auditor then follows the source documents and subsequent transactions through the
process until the process is completed. During the course of this discussion, the auditor makes
inquiries, inspects documents and records, and documents their own observations. In this way
the auditor identifies the internal controls in place and develops their initial understanding of
the IT environment. This information provides the auditor with a foundation for obtaining an
understanding of the components of the system of internal control and designing specific tests of
the internal control system relevant to assertions subject to the risk of material misstatement.

The walkthrough provides context for the auditor in understanding and documenting the
IT environment. The auditor specifically looks to understand and document how the entity
acquires and implements new IS and how the entity’s IS relates to the audited financial reports.
The auditor must also understand and document the entity’s use of e-commerce, if any, as
relevant to the audit. E-commerce activities are an important consideration in assessing IT
risks. The auditor may also need to understand and document whether the Financial Reporting
Systems (FRS) are arranged as networked systems, personal computers (PCs), or some
combination of both.

The auditor documents this detailed understanding of how the entity acquires and
implements new IS, the use of electronic commerce, and how the relevant systems are
arranged. The auditor uses this documentation to inform their decisions in determining the
appropriate audit strategy.

13.2.1 Implementation of New IT Systems


The auditor must understand the approach used in selecting, developing, and implementing
new systems. Entities introduce a new IS with the aim of creating value for the organisation. A
new IS might provide the following:

• Benefits, like being able to support a new business model or new markets.

• Reduction of costs, like fewer processing steps.

• Reduction of uncertainty, like better management information for decision making.

For example, a truck transport company might implement a stock management system that
reduces its costs, or it might develop an artificial intelligence agent
that allows it to compete in small package delivery, or invest in a data lake to improve the
information the company needs for decision making.

New IS implement new technologies and change business processes. This implementation
is not without its risks. The validity of the system’s data needs to be maintained during and
after the change. New systems can be purchased as Commercial Off-the-shelf (COTS)
solutions from a vendor. This solution might be implemented in its standard form or
customised to meet the entity’s needs. Alternatively, the entity may custom-develop a solution
according to its own specifications. Here, a third-party developer might be engaged or the
system might be developed in-house.

In developing or implementing a new information system, there are many different
approaches that might be adopted by the business. These approaches can be very formal
and highly documented. For example, the traditional (but increasingly uncommon) software
development life cycle (SDLC) approach is highly structured and documented. Alternatively,
approaches can be more flexible, ‘agile’ approaches that do not produce substantial system
documentation. For example, SCRUM and eXtreme Programming are agile approaches that
focus on system outcomes rather than documentation. Organisations can potentially select
many different approaches.

The role of the auditor is to develop an understanding of how the entity approaches the
implementation of new systems and to document the approach used.

Key Learning Point


The auditor needs to understand and document how new systems are selected,
developed, and implemented.


Illustrative Example 3

Implementation of New IT Systems

As CWaves has a fairly large e-commerce implementation, Tak Wai wants to know how
these systems are implemented. The CWaves Hotel and Wonder Travel e-commerce
solution is a standard system and so Tak Wai documents how that system works and
how it was selected. However, the CWaves Godown solution is the system of most
concern. It is developed in-house by the software development team and CWaves
Godown is an important part of the CWaves Group.

Tak Wai is interested in understanding the software development methodologies
used at CWaves Godown to develop their e-commerce software, particularly given how
important e-commerce is in terms of commercial activity as well as the potential
cyber-security risks such systems present.

13.2.2 Financial Reporting Systems


The auditor must develop an understanding of the relevant aspects of the IT environment to
inform the assessment of the risk of material misstatement in the financial reports. As part of
developing this understanding, the auditor identifies the IS that provide information to the FRS
that could affect the financial reports. Material misstatements in these systems will flow into
the financial reports.

The relevant IS is part of the entity’s expenditure cycle, conversion cycle, or revenue
cycle. The auditor looks to understand how these systems relate to the financial reports and
IT applications relevant to specific financial report assertions subject to the risk of material
misstatement. Common systems in the expenditure cycle include purchases/accounts payable,
cash disbursements systems, payroll, and fixed assets systems. In the conversion cycle,
common systems are focused on production planning and cost control systems such as cost
management or budgeting systems. In the revenue cycle, the common systems include cash
receipts and sales order systems.

Systems that do not provide information to the FRS are of less interest to the auditor than
those that do. For example, an information system that monitors the temperature of cold
storage rooms or a system that centrally controls the air conditioning of hotel rooms can be
important operational systems. The auditor is, however, less concerned with developing an
understanding of the operation of these IS unless the information in those systems flows to the
financial reports.

The auditor documents the relevant relationships between the entity’s IS and the FRS
that produces the financial reports. This documentation may take various forms, including a
narrative description and systems flowchart.

Key Learning Point


The auditor documents how the IS relate to the FRS and the financial reports.


13.2.3 E-commerce Overview and Importance to Business


The auditor must understand how transactions that take place through e-commerce IS affect
the financial reports and how the IS that support these transactions ensure that complete,
valid, and accurate information flows to the financial reports. E-commerce is the buying
or selling of goods over the Internet with IS. E-commerce takes place in a purely digital
environment. The auditor seeks to understand e-commerce as a potential source of uncertainty
and risk in the financial reports. These concerns also extend to IS that are not e-commerce,
but have a very high volume of transactions and thus – as with e-commerce IS – have a high
reliance on system controls.

E-commerce is common in many businesses. In those businesses it is operationally
important, with more transactions undertaken in the online environment than in the offline
environment. In other businesses, electronic business (e-business) – business conducted
over the Internet – might be very important, but the business might have no Internet-based IS
that record actual financial transactions. Instead, transactions that do occur are recorded using
the same IS as the transactions recorded in the physical store. For example, a company might
advertise its goods to prospective customers over the Internet, but if consequent financial
transactions do take place, they might take place in the store.

There are several key features of e-commerce that are relevant to the auditor’s
understanding of the IT environment. However, other IS that are not e-commerce IS can
demonstrate the same features. For example, an IS that has a high volume of transactions or is
multinational but does not support the online sale of goods or services is not an e-commerce
IS. Nevertheless, in such an instance the same concerns will apply to the auditor’s development
of an understanding of such systems.

E-commerce IS face higher risks and uncertainty than offline and unconnected systems. For
example, the Alibaba Group has over 10 million active sellers on its platform, each with varying
degrees of integration with Alibaba’s systems.

E-commerce IS may also need to address the requirements of the many business
jurisdictions in which they might be used. For example, US entities may have to deal with the
tax regulations of approximately 10,000 different sales tax jurisdictions in the US alone. Entities
regularly dealing with Australia have to collect and forward the Australian Goods and Services
Tax when the customer is not a GST-registered business. With 195 countries in the world,
e-commerce IS can be very complex.

E-commerce systems record transactions in a wholly digital environment and are entirely
reliant on IT controls. E-commerce systems also operate in real time. The transactions occur
at such a pace and volume that manual intervention is impractical and so the controls must
be entirely based in the technology. E-commerce IS face higher risks and uncertainty as these
systems maintain solely electronic audit trails without physical source documentation of
any kind. Further, these systems need to integrate with the many different IS of the entity’s
business partners with consequently higher system complexity. These systems also have a
need for a greater focus on security.

As with the FRSs, the auditor documents the nature of e-commerce at the entity and the
relationship of those systems and the financial reports. In this chapter, Section 13.6 addresses
specific e-commerce control issues and their implications for the financial audit in more detail.


Key Learning Point


The auditor documents the e-commerce IS and how those systems relate to the financial
reports.

Illustrative Example 4

E-commerce Overview and Importance to Business

CWaves Hotels provides a hotel room booking system that is available for use 24 hours
a day to prospective users anywhere in the world. All customers book using this system;
some bookings are via third-party websites such as Expedia and Lastminute.com.

Tak Wai is interested in this system as the system records transactions that are
presented in the financial reports, and the system is important as all revenue for a
significant subsidiary occurs in this system. As it is online and available 24 hours a day,
7 days a week, this system is highly reliant on its automated IT controls. As this system is a
commercial off-the-shelf system, it is likely that its development is complete and mature,
but Tak Wai still wants to review the security in place as poor security means the system’s
data may lack integrity.

13.2.4 Networked Systems


The auditor needs to understand how the entity’s IT environment is configured as relevant
to the audit. Technologies can be configured to work together as a network or configured to
work in isolation without dependencies on other technologies. The technologies in place at
most entities for which a financial audit is undertaken will work together rather than work
in isolation. There will likely be some combination of networked systems and PC-based
systems, however.

In understanding networked systems, the auditor has three key aspects to consider.
The auditor must understand the configuration of the hardware and IT infrastructure, the
networked resources that support the financial reports, and the manner in which cloud-based
services, if any, are used at the audited entity.

First, the auditor considers the network configuration of the technology infrastructure.
Most entities have a local area network (LAN) that allows desktop computers, laptop
computers, servers, and printers (among other resources) to share data and work together.
A LAN is usually confined to a single building or area.

At a higher level, a wide area network (WAN) links together the technology in multiple
locations, usually over substantial distances. More simply, a LAN links the IT hardware in
one location together and a WAN links the IT hardware in multiple locations together. Under
this configuration, the networked environment supports the entity’s applications and data
resources. Servers process the financial transactions and the networked environment manages
user access to these networked resources. Networked resources can be linked together on a
WAN using a storage area network (SAN) that pools different storage devices to present as a
single resource.


Second, the configuration of IS that support the financial reports as networked resources
is a consideration. The system may be PC-based, but stores its data on a networked server.
The networked environment determines access to the data and resources of the accounting
information system in addition to the PC-based system’s own security.

Third, the entity’s use of cloud-based services over the Internet is a consideration. These
systems include networked services such as the cloud-based accounting information system
Xero or file storage services such as Alibaba Cloud or Dropbox. Services such as these
are available through applications installed on mobile devices (smartphones, tablets) and
consequently the entity’s data are available anywhere in the world and, usually, on any device
that provides the right authorisation credentials.

The use of cloud-based services creates special issues for the auditor, as set out in HKSA
402 (Clarified), Audit Considerations Relating to an Entity Using a Service Organisation. Often, the
external service provider has many clients. It is impractical for the service provider to allow an
auditor to audit the cloud service for each client. Instead, the cloud service provider engages
their own assurance provider to audit the cloud service and provide an assurance report
upon request.

The auditor then assesses the design and implementation of the controls at the entity
related to the cloud-based service. If the auditor’s understanding of the cloud service remains
insufficient, the auditor may undertake several different audit procedures. These options
include contacting the service provider for more information, performing assurance procedures
on the service provider themselves, or engaging a third-party auditor to perform assurance
procedures on the service. However, the more likely outcome is that the auditor will need to
rely upon the third-party assurance report provided by the service provider.
(HKSA 402.10, HKSA 402.12, HKSA 402.8)

In the latter case, the auditor must consider whether the assurance report is sufficient for
their requirements. Considerations here include the type of report, the professional
competence and independence of the third-party auditor, and the nature and context of the
third-party assurance report. Further, the auditor must consider whether the report relates to
the relevant accounting period for the audit and whether the evidence provided is sufficient
and appropriate for adding to the auditor’s understanding of the IT environment.
(HKSA 402.13, HKSA 402.A21, HKSA 402.14)

The auditor documents the networked systems that exist and their relationship to the FRS.

Key Learning Point


The auditor documents the networked systems and their relationship to the FRS.

13.2.5 PC Systems

The auditor must understand how individual PC systems interact with the networked
environment – if they exist – and how the maintenance programme for keeping these PC
systems secure is carried out.

PC systems often work in isolation of other technologies in the environment or with
limited integration. The PC system might be an isolated system that works within a networked
environment but interacts with other IS in a limited way. Alternatively, an entity might have no
networked systems at all and instead use only PC-based systems. Most PC systems are based
on microcomputer systems intended for use by a single individual within the entity. Their focus
is usually on recording transactions or analysing data.

Often PC systems are used in smaller organisations or for specialised software that
is difficult or expensive to use on the network. Often, but not always, the use of such PC
systems is an indicator that the IT environment is not complex or sophisticated. Although a
PC system can have a sophisticated approach to security, the end user often has full access to
the computer and can install their own software or modify data. The end user in such cases
might install unauthorised software or make unauthorised changes to data if the PC is not
appropriately secured. However, an advantage of a PC-based system is that compensating
controls such as physical security can be adopted or close supervision exercised.

Isolated PC-based systems are often more difficult to manage, update, and keep secure
as part of a regular centralised maintenance programme. There is a risk that the PC system is
potentially exposed to viruses, Trojan horse programs, and ransomware attacks. This exposure
can result in loss of data, programs, or breaches of security. PC-based systems need special
consideration in the maintenance programme, including regular data backup, anti-virus
software updates, and regularly updated access control lists.

Key Learning Point


The auditor documents the PC systems that exist and their relationship to the FRS.

Illustrative Example 5

PC Systems

Tak Wai documents several PC systems within the CWaves Group. HKCW Investment
Limited has a PC-based system that operates solely on a PC to do financial modelling of
the Hong Kong Stock Exchange to assist stock analysts with determining their market
position. The system provides a single output file to be imported into separate data
visualisation software. This system is a specialist PC system, but does not directly affect
the financial reports.

At Hai Cruising there is a PC system that supports a point of sale (POS) cash register
at the ticket kiosk, whereas CWaves Management has payroll software that is installed
on a single PC used by the paymaster in his office. These two systems both produce
transactions in a single-user environment that affect the financial reports. As such systems
are difficult to secure, Tak Wai assesses the compensating controls for both systems.
The payroll system is well supervised and in a physically secure environment, but the
POS system is in an open environment and is at greater risk of security breaches and
loss of data.


Knowledge Check Questions

Question 10
Identify how a new IS can create value for an organisation.
A By providing benefits.
B By reducing costs.
C By reducing uncertainty.
D All of the above.

Question 11
Identify which of the following statements regarding agile software development
methodologies is true.
A They always have inadequate controls for the purposes of the auditor.
B They have formal staged approaches that are very structured.
C They are used in implementing COTS solutions that require no customisation.
D They are often nimbler than software development methodologies based on the SDLC.

Question 12
Identify which of the following IS would the auditor be most concerned with.
A An inventory management system that reports the value of stock for the
financial reports.
B An email management system that allows end users to store and retrieve emails.
C A system that controls the humidity of a storage room that keeps priceless works
of art safe.
D A staff work roster that schedules employee shifts.

Question 13
Identify which of the following statements is true.
A E-commerce IS need less attention on security than offline IS.
B E-commerce IS need more attention on security than offline IS.
C E-commerce IS are usually not complex systems.
D E-commerce IS do not record financial transactions.

Question 14
Identify what the acronym WAN means.
A Wide Area Nodes.
B Wholly Articulated Networking.
C Wide Area Network.
D None of the above.

Question 15
Identify the high level aspects that the auditor considers in developing an understanding of
networked systems.
A The configuration of the access control list, user names, and passwords.
B Configuration of the LAN, WAN, and SAN.
C Configuration of hardware and IT infrastructure, networked resources supporting the
financial reports, and the manner of use of cloud-based services.
D Configuration of hardware and IT infrastructure and networked resources supporting
the financial reports.

Question 16
Identify which of the following best describes PC-based systems.
A Never operate within a networked environment.
B Are tightly integrated with e-commerce IS.
C Have a relatively complex approach to security.
D Work within a networked environment, but interact with other IS in a limited way.

Question 17
Identify five aspects of the IT environment that the auditor must understand and
document. Explain, in your view, whether any aspect of this understanding is more
relevant to the financial audit than the others.

Question 18
Explain why auditors traditionally consider the systems development lifecycle the best
method to address the risks of a new system implementation.

Question 19
Identify the three different cycles that include the systems that relate to the financial
reports. Provide an example of systems that relate to each cycle.

Question 20
Explain why e-commerce IS have a greater need for strong IT controls in comparison with
offline systems.

Question 21
Explain why you agree or disagree with the following statement: ‘It is never appropriate
for a large company to use PC-based systems.’

13.3 IT STRATEGY

The auditor needs to assess the risk of material misstatement in the financial reports at the
assertion level that is due to incomplete, invalid, and/or inaccurate information provided
from the IS. This assessment is informed by the auditor’s documented understanding of the
IT environment and internal control system in the context of financial reporting. The auditor
considers the role of IT strategy and how IT improves internal controls and assesses the IT
risks from the business processes that affect the financial reports.


The auditor documents their assessment of risk at the entity to inform and develop the
overall audit approach, including the audit procedures used to audit computerised business
systems and controls.

13.3.1 The Role of IT Strategy


Most audited entities use IT to support many, if not all, of their activities and business
processes. These business processes produce the information that flows to the financial
reports. The IT that supports these activities incorporates the entity’s policies, practices, and
procedures to ensure that the information produced by these business processes is complete,
valid, and accurate. IT is therefore an important part of the entity’s internal control environment
and is critical to ensuring the completeness, validity, and accuracy of information in the
financial reports.

Implementing the audited entity’s policies, practices, and procedures through its IS requires
strategic and directed action. These strong internal controls require design and planning, and
so the capability of the entity in developing and implementing this design and planning through
the IT strategy is important for the auditor assessing the risk of material misstatement in the
financial reports.

The auditor’s understanding of the computerised business systems and IT environment
provides the foundation for identifying the entity’s approach to developing the IT strategy. IT
strategy is fairly broad by nature, but at a high level it addresses three areas. First, it sets out
how IS are used to support business strategy. Second, it provides an overall master plan of the
IT function. Third, it documents the shared view of the IT function’s role within the organisation.

Although the process for developing the IT strategy varies between entities, the IT strategic
plan as a general rule defines the IT strategy and the objectives that the investment in IT is
expected to achieve. The business strategy is used as a basis for determining the entity’s
requirements of the IT function. The strategy identifies the gap between those needs and the
current organisational capabilities. It includes a strategic road map that identifies the steps
required to achieve the goals and objectives of the IT strategy, including the requirements for
training, new technologies, and change management approaches if the gap is to be addressed.

The plan groups these actions into programmes and projects that have goals and
deliverables. The plan also identifies – at a high level – the resources the entity needs to embark
on the IT strategy. Finally, the IT strategy recognises the dependencies between programmes
and projects, schedules and prioritises projects, and defines strategic and risk assessment
initiatives.

Taken together, the IT strategy therefore sets out proposed changes to the IS investment
at the entity and how the changes to IT are to be executed. These changes affect the internal
control environment, and the IT strategy should recognise the broad requirements of an
effective internal control environment.

The auditor documents the IT strategy and considers the extent to which the IT strategy
recognises and supports the integration of internal controls into the development and
maintenance of IS.


Key Learning Point


The auditor should consider the extent to which the IT strategy recognises and supports
the integration of internal controls in developing and maintaining the IS.

Illustrative Example 6

The Role of IT Strategy

Tak Wai discusses the CWaves IT strategy with Ka Yut. The CWaves Group has a strategic
goal of providing consistent and centralised information for decision making, and the
strategic plan identifies several programmes and projects required to achieve that
strategic goal.

Each project identifies the technologies, processes, and structures needed to close
the gap between CWaves’ needs and current capabilities. Under the strategy, CWaves
establishes a liaison committee between each entity in the group and sets out how the
different but complementary IT departments in each group will be integrated, and the
steps needed to achieve that strategic goal.

Tak Wai documents the changes to be made in the strategy, and in particular
documents the technologies, processes, and structures identified in the IT strategy that
support the CWaves internal control system.

13.3.2 How Information Technology Improves Internal Control


The entity’s internal controls are embedded in the entity’s policies, practices, and procedures
that ensure the reliability of the information contained in the financial reports.

Controls are defined as: ‘Policies or procedures that an entity establishes to achieve the
control objectives of management or those charged with governance….

1. Policies are statements of what should, or should not, be done within the entity
to effect control. Such statements may be documented, explicitly stated in
communications, or implied through actions and decisions.

2. Procedures are actions to implement policies.’ (HKSA Revised 2019) 12(c)

Internal controls can relate to the entire organisation or they might address specific
capabilities and functions. Not all internal controls are reliant on IT. For example, placing
physical controls such as a lock on the door to the business premises is a general internal
control that does not rely on IT. A combination lock on a cabinet that safeguards inventory is a
more specific internal control affecting the inventory function that does not rely on IT.

Internal controls that incorporate IT can be categorised as either IT general controls or
application controls. IT general controls (ITGC) ensure that the IT environment maintains
data integrity, security, and confidentiality. ITGC affect all financial reporting transactions.
Application controls relate to specific applications inside the entity’s ITGC environment.


HKSA 315 (Revised 2019) Appendix 5 identifies the benefits that IT can bring to an entity’s
system of internal control, by enabling the entity to:

• Achieve consistency in the application of business rules and performing complex
calculations in processing large volumes of transactions or data

• Enhance the timeliness, availability and accuracy of information

• Facilitate additional data analysis

• Enhance the monitoring of policies and procedures

• Reduce the risk of control circumvention

• Enhance the ability to achieve effective segregation of duties by implementing security
controls in IT applications, databases and operating systems.

The adoption of IT can also compromise internal controls. For example, IT is useful in
achieving efficiencies in operations as it can be used to automate tasks and combine many
activities in a single role, but doing so can compromise internal controls that rely on the
segregation of incompatible duties. Such unintended consequences can apply at either the
ITGC or application level of controls.
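
The segregation-of-duties weakness described above can be tested from two directions: who holds incompatible access, and who actually used it. The following Python sketch is an added example, not part of the learning pack; the permission names, roles, users and purchase-order log are all constructed for illustration.

```python
from typing import Dict, List, Set, Tuple

# Assumption: requesting and approving a purchase order are incompatible duties.
INCOMPATIBLE: List[Tuple[str, str]] = [("po.request", "po.approve")]

# Constructed sample data (hypothetical roles, users and log records).
ROLE_PERMS: Dict[str, Set[str]] = {
    "buyer": {"po.request"},
    "manager": {"po.approve"},
    # A single "efficient" role that combines both steps.
    "analyst": {"po.request", "po.approve"},
}
USER_ROLES: Dict[str, List[str]] = {
    "alice": ["buyer"],
    "bob": ["manager"],
    "carol": ["buyer", "manager"],   # conflict created by stacking two roles
    "dave": ["analyst"],             # conflict built into one role
}
PO_LOG: List[Dict[str, str]] = [
    {"po": "PO-001", "requested_by": "alice", "approved_by": "bob"},
    {"po": "PO-002", "requested_by": "dave", "approved_by": "dave"},
    {"po": "PO-003", "requested_by": "carol", "approved_by": "bob"},
]


def effective_permissions(user: str,
                          user_roles: Dict[str, List[str]],
                          role_perms: Dict[str, Set[str]]) -> Set[str]:
    """Union of the permissions granted by every role the user holds."""
    perms: Set[str] = set()
    for role in user_roles.get(user, []):
        perms |= role_perms.get(role, set())
    return perms


def users_with_conflicts(user_roles: Dict[str, List[str]],
                         role_perms: Dict[str, Set[str]],
                         incompatible: List[Tuple[str, str]]
                         ) -> Dict[str, List[Tuple[str, str]]]:
    """Access review: users whose combined roles grant both halves of an
    incompatible pair, whether or not they have ever used them together."""
    findings: Dict[str, List[Tuple[str, str]]] = {}
    for user in sorted(user_roles):
        perms = effective_permissions(user, user_roles, role_perms)
        hits = [pair for pair in incompatible
                if pair[0] in perms and pair[1] in perms]
        if hits:
            findings[user] = hits
    return findings


def self_approved(po_log: List[Dict[str, str]]) -> List[str]:
    """Transaction review: purchase orders requested and approved by the
    same user."""
    return [rec["po"] for rec in po_log
            if rec["requested_by"] == rec["approved_by"]]


if __name__ == "__main__":
    print("Access conflicts:",
          users_with_conflicts(USER_ROLES, ROLE_PERMS, INCOMPATIBLE))
    print("Self-approved POs:", self_approved(PO_LOG))
```

In the sample data one user appears only in the access review: the conflicting access exists but has not been exercised, which a review of transactions alone would miss.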

IT nevertheless can improve internal controls at the IT general control level as well as
application level controls by embedding the policies, practices, and procedures into the IS.
Three different types of controls may be relied upon. These are automated, semi-automated, or
manual controls.

Automated controls are embedded in the computer system and operate without operator
intervention or possibility of override. Automated controls relate to a process and enforce
the rules of the process in the system. For example, the system might automatically enforce a
credit limit on a customer according to an algorithm specified in the system. Such a credit limit
could not be overridden by the operator.

A semi-automated control might include manual and automated elements. The manual
component might rely heavily on operator skill or judgement. For example, the system might
make a recommendation for a credit limit that can be accepted or modified by the operator.

In contrast, manual controls are enforced by the computer operator as they undertake
process tasks. Such controls do not have IT elements, but are nonetheless potentially effective
controls. For example, a manual control might rely on the computer operator making an
assessment of a credit limit appropriate for the customer without input from the system.

Adding automated and semi-automated controls to IT systems can be more effective and
sustainable than manual controls. Manual controls, although flexible, are reliant upon human
nature. However, automated controls require careful development and implementation.

Automated, semi-automated, or manual internal controls can take one of three forms:
preventive, detective, and corrective (PDC) controls. This arrangement is known as the PDC
model of internal control. IT supports these controls.

Preventive controls are passive techniques designed to reduce – but not eliminate – undesirable
events occurring. Preventive controls prevent most undesirable events from occurring.

Detective controls are more active steps taken to recognise undesirable events not stopped
by preventive controls. Detective controls flag invalid data after the error has occurred,
whereas preventive controls aim to prevent errors before they occur.


Corrective controls are actions taken to remedy undesirable events identified by detective
controls. Corrective controls are needed as detective controls by design do not correct the
problem – detective controls detect the problem but do not fix it. As a general rule, detected
problems require the tailored and unique responses to the problems detected that corrective
controls provide. Corrective controls usually cannot be completely automated as the problems
found are usually unforeseen.

These controls can be complex and sophisticated. They can operate to reduce the
likelihood of an error from occurring (preventive), to detect an error if it does occur (detective),
and to correct the initial error and to take steps to reduce the likelihood of a recurrence of the
error (corrective).

A detective control embedded in an IT system might be a routine management report that
identifies invoices with past or future dates. This control ensures that instances of wrongly
dated invoices in the information system are manually reviewed. Having detected the error, the
corrective control seeks to correct the error and implement preventive controls that reduce the
likelihood of the problem recurring. The corrective control can become quite complicated and
is usually unique to the individual problem. For example, the system might have allowed invalid
data to be entered. The correction of the individual error is one corrective control, and the
correction of the system to prevent invalid data from being entered in the future is another.
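
The invoice-date controls discussed in this section can be expressed in code. The following Python sketch is an added example, not part of the learning pack: it shows a preventive check at data entry, a flawed variant that exempts cash invoices (the kind of gap Illustrative Example 7 describes), and a detective exception report over the posted ledger. The 61-day reading of "two months", the field names and the sample invoices are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Callable, List, Optional, Tuple

MAX_AGE_DAYS = 61  # assumption: "two months" taken as 61 days


@dataclass(frozen=True)
class Invoice:
    number: str
    invoice_date: date
    entered_on: date                 # date the invoice was keyed into the system
    kind: str                        # "credit" or "cash"
    authorised_by: Optional[str] = None


class InvoiceRejected(Exception):
    """Raised by the preventive control at data entry."""


def is_stale_unauthorised(inv: Invoice) -> bool:
    """Rule: a date more than two months before entry needs authorisation."""
    age = (inv.entered_on - inv.invoice_date).days
    return age > MAX_AGE_DAYS and inv.authorised_by is None


def post_invoice_legacy(ledger: List[Invoice], inv: Invoice) -> None:
    """Flawed preventive control: cash invoices bypass the date rule."""
    if inv.kind != "cash" and is_stale_unauthorised(inv):
        raise InvoiceRejected(inv.number)
    ledger.append(inv)


def post_invoice(ledger: List[Invoice], inv: Invoice) -> None:
    """Corrected preventive control: the rule applies to every invoice kind."""
    if is_stale_unauthorised(inv):
        raise InvoiceRejected(inv.number)
    ledger.append(inv)


def exception_report(ledger: List[Invoice]) -> List[Tuple[str, str]]:
    """Detective control: review what was actually posted. Dates are compared
    with the entry date, not today's date, so valid invoices do not turn into
    exceptions simply because time has passed."""
    findings: List[Tuple[str, str]] = []
    for inv in ledger:
        if is_stale_unauthorised(inv):
            findings.append((inv.number, "STALE_UNAUTHORISED"))
        if inv.invoice_date > inv.entered_on:
            findings.append((inv.number, "FUTURE_DATED"))
    return findings


# Constructed sample invoices, all keyed in on the same day.
ENTRY = date(2021, 1, 25)
SAMPLE = [
    Invoice("INV-1001", date(2021, 1, 20), ENTRY, "credit"),
    Invoice("INV-1002", date(2020, 9, 30), ENTRY, "cash"),
    Invoice("INV-1003", date(2020, 10, 1), ENTRY, "credit", "fin.controller"),
    Invoice("INV-1004", date(2021, 3, 1), ENTRY, "credit"),
]


def run(post: Callable[[List[Invoice], Invoice], None]
        ) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Post the sample through one entry routine; return the invoice numbers
    rejected at entry and the exception report for what was posted."""
    ledger: List[Invoice] = []
    rejected: List[str] = []
    for inv in SAMPLE:
        try:
            post(ledger, inv)
        except InvoiceRejected:
            rejected.append(inv.number)
    return rejected, exception_report(ledger)


if __name__ == "__main__":
    print("legacy :", run(post_invoice_legacy))
    print("fixed  :", run(post_invoice))
```

With the flawed routine the stale cash invoice reaches the ledger and is caught only by the report. With the corrected routine it is stopped at entry, while the future-dated invoice, which the preventive rule does not cover, is still left for the detective report to flag.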

In this way, IT improves internal controls by embedding and automating the entity’s
practices, policies, and procedures into its IS.

An entity’s IS may include the use of manual and automated elements and how information
is dealt with in specific IT applications. The attributes of automated and manual controls are
relevant to the auditor in relation to the identification and assessment of the risks of material
misstatement at the financial statement and assertion levels, and the nature and extent of
further audit procedures based in internal controls.

Key Learning Point


IT improves internal controls by embedding and automating the entity’s practices, policies,
and procedures into the entity’s IS. Internal controls are preventive controls, detective
controls, and corrective controls.

Illustrative Example 7

How IT Improves Internal Control

In her discussions about the role of IT, Tak Wai asks general questions about the internal
controls in place at CWaves. Tak Wai considers the internal control systems as a whole;
that is, whether controls are manual or reliant on IT, the auditor’s concern is the level
of control afforded over the end-to-end process. Although one control might be weak,
another control in the same process might sufficiently address the auditor’s concern;
that is, the auditor assesses whether the internal controls as a whole provide comfort
that the process demonstrates sufficient control.

Tak Wai discovers that HKCW Investment Limited uses an automated spreadsheet
that allows an end user to request a purchase order and approve it in a single step. The
unintended consequence of this increase in efficiency is that the end user has incompatible
duties – they are requesting and approving the same transaction. As a result, the internal
control system is weakened and HKCW Investment Limited faces a higher risk of fraud due
to violation of the segregation of duties control.

Tak Wai discusses with Ka Yut the implementation of preventive controls that stop
errors from entering the system. Ka Yut provides the example of the CWaves Management
accounting information system. This system has a control that prevents a sales invoice
from being assigned a date that is more than two months old without authorisation. This
control ensures that the information system only records valid dates as invoice dates.

Ka Yut notes that a problem was found in this process and the IT team worked with the
developer to correct this problem. Previously, the system allowed an incorrect date to be
entered if the sales invoice was a cash invoice. This error meant that the invoice could be
allocated to the wrong accounting period. The problem was detected when reconciling the
sales ledger and Tak Wai documented this activity as the preventive control.

The error was corrected by a clerk, but an IT team member liaised with the software
developer to change the system. Tak Wai documents both activities as a corrective control.
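
The preventive and detective controls described in Illustrative Example 7, sketched in Python as an added example (it is not part of the original text or of any CWaves system). The two-month rule, the cash-invoice defect and the request-and-approve weakness come from the example; the record fields, user names and sample data are constructed for illustration.

```python
import calendar
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

MAX_INVOICE_AGE_MONTHS = 2  # rule from the example: older dates need authorisation


@dataclass
class SalesInvoice:
    number: str
    invoice_date: date
    entered_on: date
    is_cash: bool
    authorised_by: Optional[str] = None  # assumed field: approver of an old date


@dataclass
class PurchaseOrder:
    number: str
    requested_by: str
    approved_by: str


def months_before(d: date, months: int) -> date:
    """Date `months` calendar months before d, clamped to the month's last day."""
    year, month0 = divmod(d.year * 12 + (d.month - 1) - months, 12)
    last_day = calendar.monthrange(year, month0 + 1)[1]
    return date(year, month0 + 1, min(d.day, last_day))


def is_stale(inv: SalesInvoice) -> bool:
    """True when the invoice date is more than two months before entry."""
    return inv.invoice_date < months_before(inv.entered_on, MAX_INVOICE_AGE_MONTHS)


def accept_invoice(inv: SalesInvoice, exempt_cash: bool = False) -> bool:
    """Preventive control: refuse a stale date unless someone authorised it.

    exempt_cash=True reproduces the defect in the example, where cash
    invoices bypassed the date check; False is the corrected behaviour.
    """
    if exempt_cash and inv.is_cash:
        return True
    return not is_stale(inv) or inv.authorised_by is not None


def reconcile_dates(ledger: List[SalesInvoice]) -> List[str]:
    """Detective control: list recorded invoices with stale, unauthorised dates."""
    return [i.number for i in ledger if is_stale(i) and i.authorised_by is None]


def sod_violations(orders: List[PurchaseOrder]) -> List[str]:
    """Detective control: purchase orders requested and approved by one user."""
    return [o.number for o in orders
            if o.requested_by.strip().lower() == o.approved_by.strip().lower()]


# Constructed sample data (not from the case study).
ENTRY_DAY = date(2021, 1, 26)
INVOICES = [
    SalesInvoice("INV-001", date(2021, 1, 20), ENTRY_DAY, is_cash=False),
    SalesInvoice("INV-002", date(2020, 10, 5), ENTRY_DAY, is_cash=False),
    SalesInvoice("INV-003", date(2020, 10, 5), ENTRY_DAY, is_cash=True),
    SalesInvoice("INV-004", date(2020, 9, 30), ENTRY_DAY, is_cash=False,
                 authorised_by="finance.manager"),
]
ORDERS = [
    PurchaseOrder("PO-100", "a.chan", "b.lee"),
    PurchaseOrder("PO-101", "c.wong", "C.Wong "),
]


def run_demo():
    """Return what each control lets through or flags on the sample data."""
    defective = [i for i in INVOICES if accept_invoice(i, exempt_cash=True)]
    corrected = [i for i in INVOICES if accept_invoice(i)]
    return {
        "ledger_with_defect": [i.number for i in defective],
        "flagged_by_reconciliation": reconcile_dates(defective),
        "ledger_after_fix": [i.number for i in corrected],
        "sod_violations": sod_violations(ORDERS),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

With the defect present, the stale cash invoice reaches the ledger and only the reconciliation flags it; once the check is corrected, the same invoice is refused at entry.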

Apply and Analyse


Happy Islands provides children’s playground equipment to schools and families for
children to enjoy outside exercise.

You are undertaking your audit as part of the financial audit team. It is your job to review
and assess the IT controls in place. You are charged with identifying the IT in place that
strengthens the system of internal control at Happy Islands.

You have documented the existing computer information systems. The following describes
some of the systems in place and what they do:

• James’ EasyAccount Pro: This is an accounting information system that is used to record
and manage invoices, sales orders, payroll and other accounting information necessary to
run the Happy Islands business. Consequently, the system is used to record the billable
time of Happy Islands consultants, and from this information the amount that clients are
to be invoiced is determined. This system captures all financial information relating to
the business and its operations.

• UserVerify Protect: This application provides multi-factor authentication for users when
they give their credentials to access Happy Islands corporate information systems.
UserVerify Protect provides an application on users’ phones, and users use this application
to verify that they are authorised users of the network when they provide their passwords
to access all corporate information systems.



• Data Supremacy V2: This data analysis tool is used by Happy Islands to analyse
its corporate data. Data Supremacy V2 integrates data from different information
systems to a data warehouse on a daily basis, and then makes that information
available to management for operational as well as strategic decision-making.
For example, as Data Supremacy V2 accesses many systems, it is used to develop
reports of performance and benchmarks across Happy Islands in line with Happy
Islands business expectations.

• Audit Log Scrutineer: This tool sends email alerts when system access rules are
violated (for example, when systems are accessed outside standard hours of operation
or in violation of access rights). In addition to the email alerts, there is an interactive
dashboard that can be used to answer ad hoc questions regarding system access
and user activity.

• Landscape Ninja 2: This tool is used individually by Happy Islands consultants to draft
and plan playgrounds and landscaping for clients. Happy Islands consultants use the tool
as required in their planning development work. Some consultants prefer to use the
competing product, Yumisoft’s Terrain and Country (Premier Edition), and such use is not
mandated by Happy Islands so long as the consultants meet client expectations.

Required:

(a) Review this case information and identify the benefits provided by each computer
information system to the Happy Islands system of internal control in accordance with
the benefits identified in Appendix 5 of HKSA 315 (Revised 2019).

Keep in mind that a single computer information system might provide multiple
such benefits, or might provide no such benefits at all.

Analysis:

(a) HKSA 315 (Revised 2019) Appendix 5 identifies several benefits that IT can bring to an
entity’s system of internal control. The table below matches, where possible, the IT
Components identified in the case to each benefit identified in Appendix 5.

| Benefit to System of Internal Control | IT Component |
|---|---|
| Achieve consistency in the application of business rules and performing complex calculations in processing large volumes of transactions or data | James’ EasyAccount Pro (provides a centralised transaction processing system that makes it easier to control operational information). |
| Enhance the timeliness, availability and accuracy of information | James’ EasyAccount Pro (provides a central repository of all financial information); Data Supremacy V2 (provides a data warehouse and distributes accurate information in a timely manner to different areas of the business); Audit Log Scrutineer* (email alerts provide a timely notification of information relating to system access). |
| Facilitate additional data analysis | Data Supremacy V2 (provides data analysis that is in addition to that available at a transactional level by integrating different information systems); Audit Log Scrutineer* (allows analysis and review of user login information). |
| Enhance the monitoring of policies and procedures | James’ EasyAccount Pro* (provides information that allows performance to be compared to established benchmarks); Audit Log Scrutineer (ensures that user access and authentication is within Happy Islands policies and procedures). |
| Reduce the risk of control circumvention | UserVerify Protect (ensures a second level of secure authorisation and access to the computer information systems); Audit Log Scrutineer (used to alert suspicious or unauthorised access to the computer information systems). |
| Enhance the ability to achieve effective segregation of duties by implementing security controls in IT applications, databases and operating systems. | UserVerify Protect (enforces implementation of system access rights). |

* IT Components marked with an ‘*’ indicate that this is not a primary benefit arising from the use of this
component.

Note that the Landscape Ninja 2 system is an application used by individuals to deliver Happy Islands services, and on
the basis of the information provided is not part of the internal controls system.

13.3.3 Assessing Risks of IT


In order to plan their approach to the audit, the auditor must assess the risks that IT does not
prevent, detect, or correct errors that lead to material misstatements in the financial reports.
This assessment is made by considering the IS that support the expenditure cycle, conversion
cycle, or revenue cycle. Information flows into the financial reports through these business
processes, and so the auditor must identify the key business processes and the IS that support
them to assess the risk of IT for material misstatement.

In planning the audit, the auditor is concerned with the risk of assuring that the financial
reports are not materially misstated when in fact they are. This risk is audit risk. The overall
audit risk requires consideration of inherent risk, control risk, and detection risk.

13.3.3.1 Assessing and Advising on the Risks of Business Processes


Having developed an understanding of the computerised business systems and IT
environment, the auditor is well equipped to identify many IT weaknesses or risks at an audited
entity. Not all such weaknesses or risks are the concern of the financial auditor, however. Many
systems will not contribute to an overall risk of material misstatement in the financial reports,
even if they have weaknesses or are risky. IS that are not material, or do not affect the financial
statements, likely do not require documentation or evaluation. Such IS are out of scope. IS
that are in scope are those that contribute to the overall risk of material misstatement in the
financial reports.


The financial auditor makes an assessment of materiality by considering the maximum
extent to which financial statements can be misstated and still not affect the decisions of
reasonable users of the financial statements (HKSA 320.10). Materiality is assessed according
to the specific circumstances of the entity and will be set as part of the audit strategy. If the
preliminary assessment of materiality is 5% of revenue, an IS that records transactions to a
total value of less than 5% of revenue would likely be out of scope.

For example, consider a public transport company that has a weakly controlled information
system that manages the cleaning of its buses. This system does not affect the financial reports
and so the weakly controlled system does not contribute to a risk of material misstatement in
the financial reports despite the operational problem that exists.

The auditor therefore determines the materiality of the overall audit according to the
individual entity’s circumstances (HKSA 320.10). The auditor then assesses whether they will
rely on IT controls in undertaking the audit. The auditor then identifies those systems that are
in scope – if any – for the audit according to their contribution to the overall risk of material
misstatement in the financial report.

The entity’s IS all support different business processes. The IS are often grouped together
by a business process according to their role in the expenditure cycle, conversion cycle, or
revenue cycle. Each business process might be supported by several IS. Some of those IS might
be in scope for the audit, whilst some may not be.

Expenditure Cycle
The expenditure cycle focuses upon processes that determine the goods and services to
acquire, the subsequent acquiring and receiving of those goods and services, the approval of
payment, and, finally, the actual payment for the goods and services. These business processes
are important to the auditor as they involve the transfer of resources – usually cash – to
external third parties. Consequently, these business processes are prime targets for fraud and
can be an important source of material misstatement in the financial reports.

The expenditure cycle has several central business processes, such as purchasing and
procurement, salary and wages, and cost planning and monitoring. These business processes
affect accounts in the financial reports, such as the cost of goods sold, inventory, factory
operating overheads, accounts payable, cash, and general expense accounts.

Expenditure cycle IS record transactions relating to the entity’s acquisition of goods and
services that the entity uses. A payroll information system, a purchasing information system,
a cost management system, and a fixed asset management system are all examples of
expenditure cycle IS.

Conversion Cycle
The conversion cycle records transactions relating to the entity’s conversion of goods and
services that the entity uses. Such transactions generally represent the entity’s work-in-progress
in getting products or services ready for sale. In the conversion cycle, common systems are
focused on production planning and cost control systems, such as cost management or
budgeting systems. The conversion cycle records how the entity converts the inputs that it
acquired in the expenditure cycle prior to the final sale of the goods or services (that is, the
revenue cycle).


Revenue Cycle
Finally, the revenue cycle focuses upon those processes relating to the sale of goods and
services to the entity’s customers. These business processes are important to the auditor
as incorrect records may overstate or understate revenue and thus misrepresent the
sustainability of the business to prospective investors. As well, sales commissions and bonuses
are often determined by the revenue reported by the entity’s IS, and so again these business
processes and their associated IS are prime candidates for fraudulent activity.

Although other business processes are likely to exist, the central business process in the
revenue cycle is the sales ordering business process. This business process affects accounts
on the financial reports such as accounts receivable, bad debt expense, inventory, sales
commissions, sales revenue, and cash. At a high level, this process commences with the receipt
of a customer’s purchase order, the provision of credit terms if warranted, providing and/or
shipping the goods, invoicing the customer, and, finally, collecting cash from the customer.
In particular, this process should verify that the provision of goods on credit terms does not
exceed the customer’s pre-determined credit limit.

Revenue cycle IS record transactions relating to the entity’s sale of goods and services to
its customers. A sales order processing information system is an example of a revenue cycle
information system. This process is triggered by a sales order received from a customer. Other
systems may be involved, however, such as systems for inventory management, shipping
systems, or accounts receivable systems.

Assessment of Audit Risk


Using their understanding of the computerised business systems in place and the IT
environment, the auditor identifies the business processes and supporting IS from which
information flows to the financial reports. The resulting assessment informs the auditor’s
assessment of audit risk and, ultimately, audit engagement planning in the context of IS.

Key Learning Point


The auditor’s concern is the assessment of IT weaknesses and risks of material
misstatement in the financial reports. The auditor identifies the business processes and
supporting IS from which information flows to the financial reports.

Apply and Analyse 2


Golden OneTwoEight Infrastructure Services (G128) provides equipment maintenance and
engineering consulting services for large public infrastructures throughout Hong Kong.
They service some of the large mechanical equipment at Hong Kong’s ports, railways, and
airports. There is a large workforce of professional engineers and support staff, and a large
inventory of expensive spare parts that is maintained in the G128 warehouse facility in
Kwai Chung.

Golden OneTwoEight Infrastructure Services has revenue of approximately HK$630
million each year and overall expenses are approximately HK$580 million per annum. Most
of the revenue generated by G128 comes from the maintenance of equipment at G128’s
clients, with about HK$58 million coming from engineering consulting services. G128 has
approximately HK$100 million of fixed assets. The audit team has determined that the
materiality level for the financial statements of G128 is 5% of revenue.

You are a member of the audit team for G128 this year. After the initial walkthrough
test in the audit, and review of the ITGC in place, the audit team’s conclusion is that the
ITGC are reliable. For this reason, your audit team is now considering whether to rely on
the controls in the IS that support the business.

From the walkthrough tests, the audit team identifies three prominent systems. These
are InStock, MaintainYourPlant, and PeoplePay. InStock manages the large amount of
inventory in the Kwai Chung warehouse. MaintainYourPlant schedules the work orders
for maintaining the equipment at each of G128’s clients. PeoplePay manages the payroll
information for all of G128’s workforce.

InStock manages the inventory of consumables, spare parts, and small equipment that
G128 keeps on hand to service the infrastructure of its clients. G128 purchases and stores
the more valuable spare parts and consumables, and invoices clients for these items as they
are used. Thus, InStock manages a relatively large inventory of approximately HK$35 million
in value and G128 purchases about HK$15 million of replacement inventory each year.

InStock is a commercial off-the-shelf system that is used commonly in the industry. It is in
common use by G128’s competitors in Hong Kong and similar companies in North America,
Europe, and China. G128 is certified according to ISO9001 Inventory Control by a reputable
quality assurance agency. InStock does not have an integration into the financial reporting
system at G128. Instead, an inventory report is printed each month from InStock and an
adjusting journal is prepared to reflect the value of inventory in G128’s financial records.

MaintainYourPlant is software developed in-house by G128. Its purpose is to produce
work schedules that the workforce follows in maintaining the equipment across Hong Kong.
MaintainYourPlant was developed by Ka Wing Siu, the nephew of the G128 CFO, using
Microsoft Access and SQL Server.

MaintainYourPlant contains the records of all G128’s clients and their equipment,
and the maintenance log and the upcoming work schedule for all equipment.
MaintainYourPlant imports customer records from the G128 customer relationship
management (CRM) system. MaintainYourPlant records notes about the work done to
customer equipment. These notes are exported from MaintainYourPlant to the G128 CRM
system for reference by G128 in dealing with customers.

Engineers manually complete paper-based customer work completion (CWC) forms
when they have maintained client equipment. CWC forms are also completed by engineers
after providing engineering consulting services. These CWC forms are then processed by the
accounts department into the G128 financial reporting system and are used to create client
invoices. The CWC form is not produced or recorded by MaintainYourPlant.

PeoplePay manages the payroll records of all of the G128 workforce. In total, salary
and wages at G128 are approximately HK$475 million each year and PeoplePay records all
of this expenditure.



PeoplePay is commercial off-the-shelf payroll software that is popular in engineering
consulting firms. The software developer is listed as an HR software provider by the
Global Payroll Association. The software is implemented by a local payroll software provider
and the software is maintained by that software provider. Changes to the software
and its configuration are requested by Yu Hin So, G128’s CFO, and implemented by the
software provider.

PeoplePay is used to pay G128’s employees fortnightly. The payroll team in the
accounts department prepares each fortnightly payroll according to the payroll records.
One of the six senior members of the accounts team reviews each fortnightly payroll
according to a fortnightly rotating schedule. Yu Hin So, the CFO, authorises the final
prepared payroll and the payment advice is distributed to G128’s bank for processing.
PeoplePay directly integrates its information to the financial reporting system.

Required

(a) Three systems are identified in this case: InStock, MaintainYourPlant, and
PeoplePay. Considering the facts of the case, evaluate whether each system is in
scope for the financial audit. Provide reasons for your evaluation.

(b) For the three systems identified in the case (InStock, MaintainYourPlant, and
PeoplePay), consider which of the three cycles the system most relates to. Provide
reasons for your consideration.

(c) For the systems you identified as in scope for the financial audit, what is your
initial assessment – based on the available facts – as to whether you will rely on
the IT controls of these systems in undertaking the audit. Provide reasons for your
assessment.

Analysis

(a) To be in scope for the audit, each system would need to be a potential contributor
to the overall risk of material misstatement in the financial statements at G128.

The information maintained by InStock does affect the financial statements, but
not through direct integration to the financial reporting system as its information
is manually integrated. InStock would likely be in scope for the financial audit,
however, as the total managed value of inventory (HK$35 million) exceeds 5% of
total revenues (HK$31.5 million), which has been determined by the audit team as
the relevant level of materiality.

The information maintained by MaintainYourPlant does not affect the financial
statements. MaintainYourPlant schedules work orders but does not maintain financial
records. The value of the information managed by MaintainYourPlant is HK$630
million, which exceeds the assessment of materiality made by the audit team. The
argument can be made that MaintainYourPlant is in scope as it supports all of the
G128 revenue. On the facts provided, however, MaintainYourPlant would likely not be
in scope for the audit as it does not directly affect the financial statements.



The information maintained by PeoplePay does affect the financial statements
directly as the information is integrated directly into the financial reporting system.
PeoplePay is a material IS, as the value managed (HK$475 million) exceeds 5% of
total revenue (HK$31.5 million). On the facts provided, it is likely that PeoplePay
would be in scope for the audit.

(b) InStock is part of the expenditure cycle as purchases are a G128 expense. Although
MaintainYourPlant does not affect the financial statements, MaintainYourPlant is
part of the conversion cycle as it converts labour input (professional engineering
time) into finalised work orders (value to the client). PeoplePay is part of the
expenditure cycle as salary and wages are a G128 expense.

(c) The initial assessment would likely be that the IT controls of InStock are reliable.
The software is certified to best practice standards. Further, as a commercial
off-the-shelf solution the development and maintenance of the software is
undertaken by a third-party software provider with many different clients.

MaintainYourPlant was not evaluated as in scope for the financial audit. However,
if MaintainYourPlant were judged to be in scope, the initial assessment would likely
be that the IT controls of MaintainYourPlant are not reliable. MaintainYourPlant is
developed in-house using consumer-grade desktop software development tools that
are likely to lack robust security. The developer is also personally related to the G128
CFO, which would likely cause concerns over conflicts of interest and the difficulty of
ensuring a segregation of duties between the CFO and the system developer.

PeoplePay is an in-scope IS for the purpose of the audit. The initial assessment
of PeoplePay would likely be that the IT controls are reliable as the software is
from a reputable provider and is developed and maintained by a separate service
provider. The payroll records also appear to support an audit trail from the final
prepared payroll to the underlying payroll records, and the review by a different
senior member of the accounts team is a strong supervisory control. A possible
concern regarding segregation of duties is that Yu Hin So requests the changes to the
software that are made by the local service provider as well as authorising the final
payment made. It is likely, though, that the initial assessment would consider that the
review by a different senior member of the accounts team is a compensating control
that addresses the weakness in segregation of duties in this instance.

In each case, the initial assessment requires the gathering of further
information regarding the application controls if the application controls are to be
relied upon in the audit. If the application controls are not relied on, then the audit
will need to rely upon substantive testing instead of controls testing.


13.3.3.2 Assessing Audit Risk


Audit risk is a function of the risks of material misstatement at the financial statement or
assertion levels, and detection risk. Risks of material misstatement at the assertion level
comprise inherent and control risks. Assessing the audit risk in the business processes from
which information flows to the financial report therefore requires the auditor to consider three
components. These three components are inherent risk, control risk, and detection risk.

Audit risk can be calculated by assigning a value to the assessment made of inherent risk,
control risk, and detection risk in the following formula:

Audit Risk = Inherent Risk × Control Risk × Detection Risk

Inherent risk is the first component of audit risk. Inherent risk relates directly to the
nature of the industry in which the entity operates. Inherent risk is the risk that the error
might occur in the first place, irrespective of whether a control protects against it. Inherent
risk acknowledges that some account balance, transaction and disclosure assertions are more
susceptible to misstatement, whether due to fraud or error. This is due to the inherent nature
of the account balances or the client’s business and environment that creates complexity,
subjectivity, uncertainty or changes in events or conditions affecting the entity and before
consideration of any related controls.

Inherent risk can also be impacted because of external factors affecting the entity’s
business risk. Changes in economic conditions that create pressure on the entity’s business
and consequent uncertainty in relation to cash flows and working capital could, for example,
increase the risk of misstatement in order to maintain compliance with debt covenant ratios.
Similarly, the nature of the entity’s business itself may have inherent business risks that affect
inherent risk.

Factors within the entity can impact inherent risk. For example, an entity whose business
operations are highly IT dependent has a higher level of inherent risk than an entity that relies
on IT only for its financial accounting functions.

The greater the level of inherent risk due to complexity, subjectivity, change or uncertainty,
the greater is the susceptibility of the financial statements to misstatement. Depending on the
degree to which inherent risk factors affect the susceptibility of misstatement of an assertion,
the level of inherent risk varies on a scale referred to as the spectrum of inherent risk and can
be measured in quantitative or qualitative terms.

Appendix 2 to HKSA 315 (Revised 2019) contains detailed guidance on understanding
inherent risk factors. Inherent risk factors relating to IT include changes in the IT environment
and the installation of significant new IT systems related to financial reporting.

The actions taken by the auditor do not affect the level of inherent risk, as the risk exists
whether the audit is undertaken or not. However, the auditor’s assessment of inherent
risk does affect the overall assessment of audit risk as part of the formula for audit risk set
out above.

Control risk is the second component of audit risk. Control risk is the risk that a
misstatement that could occur in an assertion about a class of transactions, account balance
or disclosure and that could be material, either individually or when aggregated with other
misstatements, will not be prevented, detected or corrected on a timely basis by the entity’s
internal controls. That is, control risk is the risk that an error that does occur might not be
prevented, detected or corrected by the internal controls system. Control risk reflects the
adequacy of the controls in place.

Control risk is a function of the design, implementation, maintenance and monitoring of
internal control by management to address risks that threaten the achievement of the entity’s
objectives relevant to preparation of the entity’s financial statements. In assessing control risk,
the auditor determines whether the controls in place are effective at preventing, detecting, and
correcting errors. There are two aspects to consider.

First, the auditor considers whether the design of the internal control is effective in
reducing the risk of material misstatement. If the design of the control is not effective at finding
the error, then the control is ineffective. The auditor cannot rely on an ineffectively designed
internal control to identify a misstatement.

Second, the auditor considers whether the internal control is actually effective in reducing
the risk of material misstatement. The auditor tests the controls to determine whether the
internal control operates as designed. The auditor can test controls by generating a new
transaction to identify the controls actually used and whether those controls are effective,
observing the business process in action to see controls in practice and examining the entity’s
records for evidence indicating that the controls were in fact performed.

The auditor evaluates the internal controls system as a whole. That is, a single ineffective
control – whether by design or operation – does not indicate that the internal control system
is ineffective. The control may have a relatively small impact or its impact may be offset by a
compensating control. One common compensating control is supervision. Here, a supervisor
works closely with all team members. In such a circumstance, the opportunities for collusion
are less even if the team members’ duties are incompatible.

As with inherent risk, the controls are in place irrespective of whether the audit is
undertaken or not. The auditor’s tests of controls do not change control risk, but they do
increase the reliability of the auditor’s assessment of it. That is, the auditor can reduce the
likelihood that their assessment of control risks is flawed by increasing controls testing. These
tests are therefore incorporated into the auditor’s overall approach to the audit.

Detection risk is the third and final component of audit risk. Detection risk is the risk
that the auditor does not detect errors that the entity’s internal controls also do not detect
and correct.

Detection risk is inversely related to substantive testing. The auditor can reduce detection
risk by increasing the substantive testing performed; conversely, detection risk is increased
by reducing the substantive testing performed. Substantive tests are designed to determine
whether the entity’s electronic records fairly reflect the organisation’s transactions. Substantive
tests often confirm the balances reported in the financial reports with independent third
parties. However, substantive testing also establishes whether the documents contain errors –
that is, that the financial information is complete, valid, and accurate.

The auditor’s assessment can be quite precise (for example, 40% inherent risk) or within
a band (for example, low inherent risk). The auditor determines an acceptable level of audit
risk and designs the audit approach to adjust the reliability of the control risk estimate and
the detection risk with controls testing and substantive testing. The auditor then designs the
audit approach according to their assessment of audit risk. Increasing controls testing reduces
control risk and increasing substantive testing reduces detection risk. In this way, the auditor’s
assessment of audit risk directly informs the audit approach.

Key Learning Point


Audit risk can be calculated by assigning a value to the assessment made of inherent risk,
control risk, and detection risk:

Audit Risk = Inherent Risk × Control Risk × Detection Risk

Inherent risk relates directly to the nature of the entity’s industry. Audit activities do
not affect inherent risk.

Control risk is the risk that the controls in place are inadequate in preventing,
detecting, or correcting errors that materially affect the financial reports. Tests of controls
do not change control risk, but they do increase the reliability of the auditor’s assessment
of control risk.
Detection risk is the risk that the auditor does not detect errors that the entity’s
internal controls also do not detect and correct. Increasing substantive testing reduces
detection risk.

The auditor designs the audit approach according to the assessment of audit risk.

Illustrative Example 8

Assessing Audit Risk

Tak Wai knows that the industry in which CWaves Ferry’s Company operates typically has
a large number of small cash transactions. For this reason, entities within the industry
are more susceptible to fraud or errors, and CWaves Ferry’s Company also faces that
risk. Tak Wai assesses inherent risk as medium for this reason.

Tak Wai also has to assess controls risk. This is the risk that the controls in place do not
prevent, detect, or correct errors that occur. For example, the information system controls
at CWaves Godown may not prevent, detect, or correct a data entry error that mistakenly
represents a HK$100,000 sale as a HK$1,000,000 sale. This risk arises from the inadequate
controls in place. Tak Wai needs to understand the adequacy of the controls in place as
part of her risk assessment and to document those controls.

Finally, Tak Wai needs to consider her own audit efforts. The more substantive testing
undertaken, the more likely any errors not corrected by the internal controls system will
be detected. This is detection risk. For example, if CWaves Godown’s internal controls did
not correct the misrepresentation of a HK$100,000 sale as a HK$1,000,000 sale above, the
detection risk is the risk that the auditor also does not detect this error.

Tak Wai determines the level of substantive testing (and thus the detection risk) by
considering inherent and controls risk. She uses this assessment of audit risk to plan
the audit.

Knowledge Check Questions

Question 22
Identify which of the following are the three areas that IT strategy addresses at a high level.
A How the business strategy supports the IT strategy, provides an overall master plan of
the IT function, and documents the shared view of the IT function’s role.
B How IS are used to support business strategy, provide an overall master plan of the
IT function, and document the shared view of the IT function’s role.
C The detailed IT budget provides a detailed schedule of training requirements and
documents the specifications required of a new IS.
D The documented understanding of the IT environment, the role of IT in improving
internal controls, and the assessment of the IT risks.

Question 23
Identify which of the following is an IT internal control.
A A member of the finance team verifies employee timesheets.
B A knowledgeable expert reviews expenditure reports.
C A supervisor observes data entry tasks.
D An application checks whether the data entered are a valid date.

Question 24
Identify which of the following describes the controls that comprise the PDC model of
internal control.
A Passive, directed, and compensating controls.
B Primary, direct, and co-directed controls.
C Preventive, detective, and corrective controls.
D Pooled, distinct, and combined controls.

Question 25
Identify which of the following describes the active steps taken to recognise undesirable
events that were not stopped from occurring in the system.
A Compensating controls.
B Directed controls.
C Detective controls.
D Preventive controls.

Question 26
Identify which of the following is considered to be a compensating control.
A Segregation of duties.
B Physical security.
C Supervision.
D Reasonableness tests.

Question 27
Identify the source document that triggers a transaction in the revenue cycle.
A The sales order from a customer.
B The purchase order from the audited entity.
C The sales invoice from the audited entity.
D The journal voucher of the audited entity.

Question 28
Discuss whether it is important for the IT strategy to support an effective internal control
environment from the perspective of the auditor.

Question 29
Define preventive controls, detective controls, and corrective controls. For each type of
control, provide an example.

Question 30
For each of the following five information systems, identify whether the system is part of
the expenditure, conversion, or revenue cycles. Identify when a system is not part of any
cycle and explain why.
(a) Sales ordering system.

(b) Closed-circuit security system.

(c) Work-in-progress management system.

(d) Group decision support system.

(e) Procurement system.

13.4 INTERNAL CONTROLS SPECIFIC TO IT

The auditor uses their documented understanding of the IT environment in the context of
financial reporting and their documented assessment of the risk of material misstatement to
formulate an audit strategy appropriate to the audit engagement.

HKSA 300, Planning an Audit of Financial Statements, requires the auditor to plan the audit
work, and the audit strategy sets out the scope, timing, and direction of the audit. HKSA 315
(Revised 2019) requires that the auditor apply risk assessment procedures to obtain audit
evidence as a basis for identifying and assessing the risk of material misstatement at the
financial statement and assertion levels and to design further audit procedures. Included in this
process is a requirement to ‘obtain an understanding of the control activities component of the
system of internal control’ (HKSA 315.26).

Accordingly, the auditor must obtain an understanding of the ITGC in place. That is, the
auditor seeks an understanding of the ITGC to the extent that the understanding is relevant to
the audit, which is a matter of professional judgement.

The ITGC affect all of the entity’s IS and are pervasive. Effective ITGCs are necessary to
address risks relating to the use of IT applications. As a result, if ITGC are ineffective in design
or operation, application controls cannot be relied upon. If, however, the ITGC are effective in
design and operation, the auditor seeks to understand the application controls of the systems
that affect the financial reports as relevant to the audit. However, the auditor does not seek an
understanding of application controls if the control is not relevant to the audit, the information
maintained by the IS does not materially affect the financial statements, or the ITGC are
ineffective in design and operation.

This understanding and documentation is additional to, and more specific than, the
auditor’s understanding of the IT environment (Section 13.1, Overview of Computerised
Business Systems, and Section 13.2, IT Environment) and their assessment of IT risk
(Section 13.3, IT Strategy), discussed previously.

The audit strategy developed by the auditor is strongly dependent on their assessment
of the internal controls system in place at the audited entity. This system includes internal
controls that are specific to IT. These internal controls specific to IT are either ITGC or
application controls, and these controls have a close relationship. ITGC affect all IT functions,
whereas application controls relate to specific applications inside the entity’s ITGC environment.

The auditor then identifies audit procedures that set out a mix of controls testing and/or
substantive testing to evaluate the risk of material misstatement in the financial reports.

Overall, the audit strategy is a matter of professional judgement informed by
evidence-gathering activities regarding general and application controls as relevant to the audit.
The auditor documents these audit procedures as the audit plan. The audit plan is unique to
each audited entity.

13.4.1 General and Application IT Controls Relationship


The internal controls system consists of ITGC and application controls. ITGC affect all IT
functions. In contrast, application controls affect a single application that operates within the
ITGC environment. The purpose of ITGC is to ensure that the IT environment maintains data
integrity, security, and confidentiality. In contrast, the purpose of application controls is to
maintain the completeness, validity, and accuracy of data in a single application or system.

A key consideration in developing the audit plan is the extent to which the general and
application controls can be relied upon to reduce the risk of material misstatement. To be
effective, controls must be both designed effectively and operate effectively. A control that is
not effectively designed is ineffective and tests of its operation are not required to show that
the control is ineffective.

As application controls operate within the ITGC environment, the effectiveness of
application controls and ITGC is inter-related. If the ITGC environment is ineffective (whether through
ineffective design or operation), the application controls are similarly ineffective, as any
application controls can be circumvented. As a rule, effective application controls cannot
substitute for ineffective ITGC.

Key Learning Point


ITGC ensure that the IT environment maintains data integrity, security, and confidentiality.
ITGC affect all financial reporting transactions. The auditor documents and assesses each
general control as relevant to the audit.

The application controls of each system maintain the completeness, validity, and
accuracy of data in a single system. These application controls may affect data processing,
and so input controls, processing controls, and output controls may be considered by the
auditor.

If the ITGC environment is ineffective (whether through ineffective design or operation),
the application controls are similarly ineffective as any application controls can be
circumvented.

Illustrative Example 9

General and Application IT Controls Relationship

For example, Tak Wai is assessing the CWaves Godown ITGC environment. She knows
that if, in her assessment, CWaves Godown has an IT environment with ineffective ITGC,
this means that the controls are not in place to prevent unauthorised installations of or
changes to application software or the application’s underlying data.

In such a case, she knows that CWaves Godown users can then update the database
or process transactions without authorisation – or install modified versions of the software
or delete or modify transactions directly. If her assessment is that the ITGC environment is
ineffective, it does not matter how effective the information system’s application controls
are. The ineffective ITGC compromise the application controls and so the CWaves Godown
application controls are also ineffective and unreliable.

13.4.2 General Controls


ITGC ensure that the IT environment maintains data integrity, security, and confidentiality.
ITGC affect all financial reporting transactions. The most important, or key, ITGC relate to the
administration of the IT function, the segregation of duties, the development of new systems,
physical and online security, backup planning, and controls over hardware infrastructure.

The internal controls system incorporates the entity’s ITGC. The ITGC environment uses IT
to embed the entity’s policies, practices, and procedures into the entity’s IS to create a system
of internal controls specific to that entity.

The auditor initially makes inquiries of management and supervisory personnel or reviews
high-level documentation to obtain an understanding of the ITGC in place. The walkthrough
test is one means of obtaining this understanding. The auditor documents their findings and
documents the key ITGC as part of the financial audit.

The auditor does not uncritically document and evaluate all the ITGC at the entity.
Instead, the auditor assesses whether the control is relevant to the audit, which is a matter of
professional judgement.

13.4.2.1 Administration of the IT Function


The first general control to be understood and documented is the administration of the IT
function. The more reliant the entity is upon IT in its business, the more important it is that the
IT function be administered effectively. A central concern in evaluating the design effectiveness
of this general control is the attitude and involvement of senior management and the board of
directors at the entity in IT decisions. The auditor’s evaluation of the design effectiveness
of the administration of the IT function is in part dependent upon the complexity of the
entity’s IT needs.

Complexity is usually related to the number of end users, the use of emerging or advanced
technologies, online transactions, customised software, the reliance of internal controls on IT,
and/or the mix of operating systems and software. Commonly, complexity is assessed on a
scale of low, medium, or high depending on the broad characteristics of the IT environment.

In medium or high complexity IT environments, the entity needs to coordinate and align
the activities of its IT function with the entity’s needs. For administration of the IT function to be
effective in complex IT environments, the entity should have structural, process, and relational
IT governance mechanisms in place.

Structural mechanisms provide formal organisational structures (for example, IT Steering
Committees, IT Project Steering Committees, or a Chief Information Officer role) to support
the IT department in connecting and liaising with the rest of the business and the effectiveness
of that mechanism in fulfilling that role (for example, reporting to the appropriate level in the
organisation or ability to supervise the team).

Process mechanisms provide procedures that support IT decision making and monitoring
(for example, portfolio management, project governance, and management methodologies or
IT budget control and reporting, including charge back arrangements).

Relational IT governance mechanisms support the development of professional
relationships among the entity’s executives, IT management, IT service providers, and business
management (for example, training, job rotation, or IT leadership).

In complex environments, the auditor could make relevant inquiries or seek relevant
documents indicating the existence and design of these or similar mechanisms. For example,
structural mechanisms will likely have a charter document, whereas process mechanisms
should be supported by policy or procedure documentation. Relational mechanisms such as
IT leadership require a shared vision or role of IT at the entity, which is usually supported by
documentation, such as an IT strategic plan or vision statement.

In less-complex environments, these mechanisms may not be formally set out, but informal
equivalents may be apparent.

Illustrative Example 10

CWaves Godown Administration of the IT Function

For example, Tak Wai is looking to understand and document the CWaves Godown
administration of the IT function. She first assesses the complexity of Godown’s IT as low,
medium, or high. She notes that Godown has developed its own electronic commerce
software using its own software development team and this information makes her
assess Godown’s IT environment as highly complex.

She documents any structural mechanisms (e.g. IT Committee at the senior
management level, CIO roles, etc.), process mechanisms (e.g. project governance or project
management methodologies in place), and relational mechanisms (e.g. training and job
rotation with other members of the CWaves Group). In documenting her findings, she
would look for documented evidence indicating the existence of these mechanisms.

In this instance a concern is that Ka Yut is the CIO for the CWaves Group but there is a
poor relationship between the CWaves Godown Group and HKBuTS, who are the external
service provider, and the Godown IT team does not participate in the job rotation programme.

13.4.2.2 Segregation of IT Duties


The general control of the segregation of duties requires that the duties of authorising and
recording transactions are kept separate from each other, as well as from the custody of those
assets, and that incompatible functions are kept separate. For example, it is incompatible for a
purchase to be requested and approved by the same person. As a general principle, no transaction
should be performed in its entirety by a single role, and this principle extends to IT duties.

Achieving the full segregation of duties is difficult or impractical in smaller or less complex
entities, but ideally the roles of IT management, systems development, IT operations, and
maintenance and database management are kept separate from each other.

There are several IT duties of concern. For each duty, the auditor should understand and
document the role responsible for the duty as well as its reporting responsibilities:

• Access to live operational data.

• Change authorisation.

• Data management/database administration.

• Implementation of new software.

• Implementation of updates to existing software.

• Investigations of suspected security breaches.

• Monitoring of access to IT resources.

• Oversight and strategic direction of the IT function.

• Recording and scheduling of IT operational and maintenance tasks through IT helpdesk
and support software.

• Software development.

• Software requirements analysis.

• Software review.

• Systems implementation.

The key concern is that physical and logical access to programs and data addresses the
requirement for segregation of duties. The auditor reviews these IT duties and considers the
possibility of incompatible duties in the structure of the entity.

Illustrative Example 11

CWaves Godown Segregation of IT Duties

For example, Tak Wai is looking to understand and document the segregation of IT duties
at CWaves Godown. She looks for documentation (e.g. position descriptions, organisation
charts, etc.) and evaluates whether the assignment of the IT duties of concern violates
segregation of duties. For example, the same role should not both develop software and
authorise changes to be made.

In this case, Tak Wai is concerned that the software development team installs the
software that they have written and does not let the HKBuTS team have access to the software.

13.4.2.3 Systems Development


ITGC relating to system development require that the software acquired and implemented at
the entity is properly authorised so that no unauthorised changes to software are made and
that the software developed meets the entity’s requirements.

One of the auditor’s key concerns is that changes to software are properly documented,
approved, and authorised. This requires that the segregation of duties between those who
develop the software (the systems development team) and those who implement the
developed software (the database administrator, the operations team, and/or the software
librarian) is maintained, as discussed in Section 13.4.2.2.

The auditor seeks to understand how the entity maintains its existing IS. The segregation
of duties needs to be maintained when a program change is requested, when software is configured
(or re-configured), and when program changes are applied. The general rule of the segregation
of duties applies in this case: the role responsible for requesting program changes is kept
separate from the roles that develop, authorise, and implement program changes. Similarly, a
defined and formalised (and documented) process for changes to the IT infrastructure should
be evident. During emergency changes to the IT environment, it will likely be appropriate to
suspend normal segregation of duties, but this should not be normal practice. These change
management considerations are particularly important in ensuring the integrity of the IS.
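
The segregation rule in Sections 13.4.2.2 and 13.4.2.3 (requesting, developing, authorising, and implementing a program change are kept in separate hands, with emergency changes as the exception) can be tested directly against a change log. The Python sketch below is an added example, not part of the Learning Pack; the record fields, user names, and sample tickets are constructed for illustration.

```python
"""Segregation-of-duties test over a change log (added illustration)."""
from collections import defaultdict
from dataclasses import dataclass

# The four change-management duties the section says must be kept separate.
DUTIES = ("requested_by", "developed_by", "authorised_by", "implemented_by")


@dataclass(frozen=True)
class ChangeRecord:
    """One program change. Field names are assumptions, not a real tool's schema."""
    change_id: str
    requested_by: str
    developed_by: str
    authorised_by: str
    implemented_by: str
    emergency: bool = False  # emergency changes may suspend normal segregation


def conflicts(record):
    """Return [(person, duties)] for every person who held two or more duties."""
    held = defaultdict(list)
    for duty in DUTIES:
        # Normalise so 'B.Lee' and 'b.lee' are treated as the same user.
        person = getattr(record, duty).strip().lower()
        if person:
            held[person].append(duty)
    return sorted((p, tuple(d)) for p, d in held.items() if len(d) > 1)


def review(log):
    """Classify each change: violation, emergency exception, or unrecorded duty."""
    findings = {"violations": [], "emergency_exceptions": [], "unrecorded": []}
    for rec in log:
        # A blank duty means the change was not fully documented or authorised.
        missing = tuple(d for d in DUTIES if not getattr(rec, d).strip())
        if missing:
            findings["unrecorded"].append((rec.change_id, missing))
        found = conflicts(rec)
        if found:
            bucket = "emergency_exceptions" if rec.emergency else "violations"
            findings[bucket].append((rec.change_id, found))
    # Emergency changes should not be normal practice, so report their share
    # of all changes for the reviewer to judge.
    emergencies = sum(1 for rec in log if rec.emergency)
    findings["emergency_share"] = emergencies / len(log) if log else 0.0
    return findings


# Constructed sample change log (not real data).
SAMPLE_LOG = [
    ChangeRecord("CHG-001", "a.chan", "b.lee", "c.wong", "d.ho"),
    # Developer installs their own code, as in Illustrative Example 11.
    ChangeRecord("CHG-002", "a.chan", "b.lee", "c.wong", "b.lee"),
    # Developer authorises their own change (note the different letter case).
    ChangeRecord("CHG-003", "e.lam", "b.lee", "B.Lee", "d.ho"),
    # Same overlap as CHG-002, but raised as an emergency change.
    ChangeRecord("CHG-004", "d.ho", "b.lee", "c.wong", "b.lee", emergency=True),
    # No authoriser recorded at all.
    ChangeRecord("CHG-005", "a.chan", "f.ng", "", "d.ho"),
]

if __name__ == "__main__":
    for key, value in review(SAMPLE_LOG).items():
        print(key, value)
```

Emergency changes are reported in their own bucket rather than suppressed, so the reviewer can still confirm that each one was justified and that their share of all changes stays small.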

Further, however, the auditor must develop an understanding of the entity’s approach to
selecting, developing, and implementing new IS and the extent to which this approach ensures
that the entity’s requirements are met. The entity’s approach may be traditional, agile, or
somewhere in between.

The traditional systems development approaches (for example, the phased approaches
of the SDLC) are quite structured and formal. For example, pilot testing (testing and
implementing the new system in a single part of the organisation) or parallel testing (testing
and implementing the new system whilst continuing to use the old system) are system
implementation strategies that emphasise formal phased stages that are documented.

Agile systems development approaches such as eXtreme Programming or SCRUM
are, however, increasing in popularity in many organisations. Agile approaches emphasise
collaboration between systems developers and end users and multiple rapid releases of
software over structured phases and milestones. eXtreme Programming emphasises taking
best practice programming to the extreme, such as rewriting (refactoring) program code, and
SCRUM adopts best practices for the management of a systems development team. Agile
approaches usually emphasise frequent, rapid, and complete test cycles, and such approaches
can be considered equivalent to formal pilot testing and parallel testing. In contrast with
traditional approaches, agile systems development does not emphasise comprehensive
documentation of the project.

Often, entities use a hybrid approach to developing software. In such cases the auditor
looks for evidence that indicates that changes to the software are properly authorised and
documented.

No matter the approach to developing software that is adopted, the auditor looks
for documentation that acts as a source of evidence for developing and adding to their
understanding of the systems development general control.

Illustrative Example 12

CWaves Godown Systems Development

For example, Tak Wai is looking to understand and document the CWaves Godown
approach to systems development. CWaves Godown uses an agile methodology based
on SCRUM and eXtreme Programming. She gathers the documentation relating to the
systems development process.

A key concern she notes is that the system development methodology for the key
electronic commerce system does not seem to require extensive documentation of the
system. This is a concern partly because any change authorisation as part of the system
development lacks the necessary information. It is also a concern because of implications
for Godown’s resilience in the face of disaster.

13.4.2.4 Physical and Online Security


The ITGC regarding physical and online security should ensure the availability of the hardware,
software, and data as well as ensuring that only authorised changes to software programs and
data occur. There are physical real-world ITGC as well as online virtual ITGC.

Physical access controls restrict access to hardware, software, and data – including data
backup storage. Such access controls include doors with keypad entry controls, but may include
more advanced biometric (fingerprint, voiceprint, retina scanning) controls or monitoring
approaches with closed circuit television and security monitoring.

Physical controls can also make hardware, software, and data safe through physical
controls that reduce the likelihood of disasters such as fire or flood occurring or reduce
their impact. Such physical controls include fire extinguisher equipment and automated fire
prevention systems as well as air conditioning units that control temperature and humidity
in the data centre. The design and location of the data centre should also consider the risk of
flooding and fire.

Other physical controls include independent verification of completed transactions to check
for errors and misrepresentations by an independent third party and accounting records that
support an audit trail.

Online security controls are the virtual counterpart to these physical controls. User
authorisation measures including the need for usernames and passwords to access software
and data files reduce the risk of unauthorised changes to programs and data. These usernames
should have access restrictions that ensure users have access to the software programs and
data required by their role and no more.

A particular concern is the risk of cyber attack. Any network connected to the Internet
has a risk of cyber attack and it is difficult to harden a network against a sophisticated cyber
attack without compromising usability and accessibility. There are essential, and relatively
inexpensive, controls that are commonly recommended as a foundation for any approach
intended to mitigate the impact of a cyber attack.

These controls that mitigate the risk of a cyber attack include application whitelisting,
patching of applications, patching operating systems, restricting administrative privileges,
disabling untrusted Microsoft Office macros, user application hardening (i.e. preventing the use
of tools such as Flash and Java and disabling unneeded features in ubiquitous software such as
Microsoft Office), multi-factor authentication (for example, security tokens for privileged actions
by users), and the daily offline backup of important data. Additionally, regularly updated
anti-virus software serves to limit the impact of virus and ransomware attacks.

Illustrative Example 13

CWaves Godown Physical and Online Security

For example, Tak Wai is looking to understand and document the CWaves Godown
physical and online security. CWaves Godown has its own IT infrastructure for server
software, but the electronic commerce solution is managed on the group data centre.

Tak Wai seeks documentation on the group data centre’s approach to physical security
as well as the Godown IT centre. She does not note any concerns in this regard.

13.4.2.5 Backup and Contingency Planning


The general control of backup and contingency planning is required to mitigate the risk and
impact of disasters occurring that destroy or limit access to the entity’s IT, despite the physical
and online controls in place. Many entities find it difficult to operate if their key IS are not
available.

The auditor should understand how incidents are managed at the entity. Incident
management is how the organisation understands the state of its IT environment. The IT
function identifies potential hazards, analyses the hazards, and takes actions to stop hazards
from occurring in that incident and for future incidents. In this way, incident management can
reduce the risk of disasters occurring.

The auditor must understand the entity’s backup and contingency plans as relevant to the
audit. The plans must outline the actions to take in the event of disaster to restore a normal
state of operations.

Disasters may affect an entity’s IT equipment directly, such as water damage, power failure,
fire, or disruptive cyber attacks that affect the data centre. However, some events can be more
indirect. For example, a gas leak or public safety concerns may result in police incidents. If that
occurs, it can make IT equipment unavailable and the business unable to deliver its services to
customers.

The entity should have backup and contingency plans appropriate to its circumstance. It is
generally accepted that entities require regular (at least daily) backup copies of data in secure
off-site storage facilities. The backup may be offline, continuous, or use a cloud service. The
volume of data held by the business, along with the business’s dependence upon that data, is a
factor in the selection of the backup approach used.

Another concern is contingency planning – how the business keeps key systems operational
in the event of a disaster. Contingency planning aims to ensure that the IT infrastructure
needed to run the entity’s IT – or at least the parts of IT essential for the entity to operate – can
be quickly substituted with operationally equivalent IT infrastructure elsewhere.

The contingency plan sets out the steps needed to keep the entity operational. Temporary
solutions might be specified that allow key transactions to be recorded for later processing
in the restored systems. These temporary solutions might be manual workarounds when the
disaster is relatively short term, but for longer term disasters temporary IT solutions might be
used until the entity’s IT services are restored.

The contingency plan might identify key hardware and the steps required to restore
the backups to new hardware. Alternatively, the entity may contract with third-party service
providers to have a substitute data centre available if required. A hot site is a continuously
available replica of the entity’s own data centre. A business struck by a disaster that makes its
operational site unavailable can quickly use a hot site, but this is an expensive arrangement.
Alternatively, a cold site is cheaper, but this arrangement cannot be made available as quickly
as a hot site.

The final phase of backup and contingency planning is the restoration of IT services to the
entity. A disaster recovery team should be in place with clearly defined and assigned roles.
The plan should outline how the entity is to recover its information and return to normal
operations. The backup plan should allow system records to be restored to the same state as
at the most recent backup before the disaster. The contingency plan then documents how the
entity would restore its records from the most recent backup until the time of the disaster.
The contingency plan also sets out how the transactions that took place using temporary
manual or IT solutions during the intervening period would be processed to allow the system to
continue on without data loss.

In batch-oriented systems where records are grouped in ‘batches’ of transactions, the
batched transactions data can be re-processed from the time of the most recent backup. For
online real-time systems, batches would likely not exist but the transactions might be able to be
rebuilt using other records (e.g. electronic banking records). In all re-processing, the systems’
normal interface controls – system controls that ensure accurate, complete, and secure
processing of data – should be in place, or reproduced as part of the data restoration process.

Illustrative Example 14

CWaves Godown Backup and Contingency Planning

For example, Tak Wai is looking to understand and document the CWaves Godown
backup and contingency plan. She requests copies of the backup plan and contingency
plan, and looks to see when the plans were last updated.

She also requests evidence of any testing of the backup and contingency plans. A key
concern that she notes is that the software code for the electronic commerce solution is
only stored on Godown’s IT Centre and the software is poorly documented.

One concern she notes is that the software for the electronic commerce solution
might be lost in a disaster and the electronic commerce system might become inoperable.
A further concern is that the software development team might resign or be unable to
undertake their duties in a disaster. If this were to occur, new software developers would
find it difficult to maintain or review the undocumented software.

13.4.2.6 Hardware Controls


The hardware controls embedded in the technologies that support the IT environment are
an important general control. Much IT hardware has controls embedded in it when it is
manufactured.

These controls may monitor and report on hardware failures that occur or they may
be controls that enable the device to operate. For example, a network router may use
cryptographic techniques to support network communications with encryption or decryption
and user authentication, or hard drives may report errors in the server log.

Illustrative Example 15

CWaves Godown Hardware Controls

For example, Tak Wai is looking to understand and document the CWaves Godown
hardware controls embedded into the IT hardware. She notes that none of the IT
hardware is built by Godown. That is, they do not build their own routers or servers –
instead, they are standard IT solutions.

Tak Wai examines the IT procedures manual and IT work schedule to see if the
technologies in place are monitored for error messages and failures. She does not note
any concerns in this regard.


13.4.3 Application IT Controls


Not all applications require documentation of their application controls and evaluation of their
effectiveness in every audit. It is a matter of the auditor’s judgement as to whether a control
individually, or in combination with others, is relevant to the audit because it relates to
significant risks of material misstatement. Aspects of the internal control system not relevant
to the audit in the auditor’s judgement are not documented or evaluated. In particular, if the
ITGC are not effective in their design or operation, then the risks arising from the use of IT
applications have not been controlled by the ITGC. This would mean that the auditor would
not plan to test the operating effectiveness of the IT application controls as those controls
would not be effective in addressing the risk of identified material misstatement at the financial
statement or assertion levels.

Application IT controls are first considered as part of the initial walkthrough tests of
transactions at the entity. A walkthrough test identifies source documents that commence a
transaction cycle (e.g. a purchase order) and the auditor then follows the document through
the process until the process is completed. During the test, the auditor makes inquiries,
inspects documents, and documents their own observations. In this way the auditor identifies
the internal controls in place and develops their understanding of the IT environment. This
information provides the auditor with a foundation for designing specific tests of the internal
control system, including the application IT controls.

However, the auditor only considers the specific review of application IT controls for those
IS that are in scope. In-scope IS are those IS that are prospective sources of material
misstatement in the financial statements. Applications that are not material, or do not affect
the financial statements, are likely not to require documentation or evaluation; such IS are out
of scope. The financial auditor makes an assessment of materiality by considering the
maximum extent to which financial statements can be misstated and still not affect the
decisions of reasonable users of the financial statements (HKSA 320.10). Materiality is assessed
according to the specific circumstances of the entity and will be set as part of the audit strategy. For
example, if the preliminary assessment of materiality is 5% of revenue, an IS that records
transactions to a total value of less than 5% of revenue would likely be out of scope.

Application controls maintain the completeness, validity, and accuracy of data in a
single system. These application controls may affect data processing, and so input controls,
processing controls, and output controls may be considered by the auditor. Other application
controls maintain the security, integrity, accountability, and recoverability of the master file
and database.

Application controls are also part of the internal controls system. Application controls
are unique to each system operated by the entity. Whereas ITGC are environmental and
affect all systems and all transactions in the financial reports, application controls relate to a
single system. Application controls therefore affect a smaller subset of the transactions in the
financial reports, and an individual IT application can relate to a specific financial statement
assertion or a number of related assertions.

The auditor makes inquiries of management and supervisory personnel, observes the
system in action, or reviews appropriate documentation to obtain an understanding of
the application controls in place for material systems as relevant to the audit. The auditor
documents their understanding of these application controls as relevant to the audit.


The auditor does not uncritically document and evaluate all the application controls of
material systems. Instead, the auditor assesses whether the control is relevant to the audit,
which is a matter of professional judgement in the context of the auditor’s assessment of the
identified risk of material misstatement at the financial statement and assertion levels, and
the IT applications that process information relating to the significant classes of transactions,
account balances and disclosures.

13.4.3.1 Input Controls


Input controls ensure the completeness, accuracy, and authorisation of data input into the
system at the time of data entry. The primary goal of input controls is to minimise the number
of errors occurring during the creation of data. Such errors affect the system’s processing as
well as its output. Input errors are common sources of errors in IS and principally these errors
occur during manual input.

In the IS audit context, input controls primarily relate to computerised systems, although
input controls also exist in manual systems. Nonetheless, IS have unique input controls
integrated into the system that can test data as they are entered for errors. These controls
take effect at the field or record level and the auditor documents their understanding of
these controls.

Field level input controls check the validity of a single data field in a data record. These
controls include checks that test data entry for transcription or transposition errors
using check digits, require data to be in the correct form (for example, alphabetical or numerical
data), require data to meet a pre-determined limit (for example, a control that rejects new
employees younger than 13 years old), or require data to be within an acceptable range (for
example, a control that rejects month data not in the range of 1 to 12). Similar to a range check,
a validity check is an input control that requires data inputs to be selected from a pick-list of
possible values.

Record level input controls check the validity of the data record taken as a whole. One
check at the record level is a reasonableness check that compares different fields in the same
record to assess the record’s validity as a whole. The individual fields might hold valid values,
but in combination the record is invalid.

Another record level input check is the sign check that matches a transaction code with the
correct sign. For example, a sign check would ensure that a negative number is associated with
the transaction code for a credit note.
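
The field level and record level input controls described above can be seen working together in the following added example, which is not part of the learning pack. The record layout, the pick-list of transaction codes, the year range and the use of the Luhn scheme for the check digit are assumptions made for illustration; amounts are held in cents.

```python
import calendar

TXN_CODES = {"INV", "CRN"}  # assumed pick-list: invoice, credit note


def luhn_valid(number: str) -> bool:
    """Check-digit test using the Luhn scheme (this example's choice)."""
    if not (number.isascii() and number.isdigit()) or len(number) < 2:
        return False
    total = 0
    for pos, ch in enumerate(reversed(number)):
        digit = int(ch)
        if pos % 2 == 1:  # double every second digit, counting from the right
            digit = digit * 2 - 9 if digit > 4 else digit * 2
        total += digit
    return total % 10 == 0


def is_int(value) -> bool:
    return type(value) is int  # excludes bool and numeric strings


def field_errors(rec: dict) -> list:
    """Field level controls: each field is tested on its own."""
    errors = []
    acct = rec.get("account_no")
    if not (isinstance(acct, str) and acct.isascii() and acct.isdigit()):
        errors.append("account_no: form check (digits only)")
    elif not luhn_valid(acct):
        errors.append("account_no: check digit")
    if rec.get("txn_code") not in TXN_CODES:
        errors.append("txn_code: validity check (pick-list)")
    for name, low, high in (("year", 2000, 2100), ("month", 1, 12), ("day", 1, 31)):
        value = rec.get(name)
        if not is_int(value):
            errors.append(f"{name}: form check (whole number)")
        elif not low <= value <= high:
            errors.append(f"{name}: range check ({low} to {high})")
    if not is_int(rec.get("amount_cents")):
        errors.append("amount_cents: form check (whole number)")
    return errors


def record_errors(rec: dict) -> list:
    """Record level controls: fields are tested in combination."""
    errors = []
    # Reasonableness check: the day must exist in that month of that year.
    if rec["day"] > calendar.monthrange(rec["year"], rec["month"])[1]:
        errors.append("record: reasonableness check (no such calendar date)")
    # Sign check: credit notes carry a negative amount, invoices a positive one.
    amount = rec["amount_cents"]
    if rec["txn_code"] == "CRN" and amount >= 0:
        errors.append("record: sign check (credit note must be negative)")
    if rec["txn_code"] == "INV" and amount <= 0:
        errors.append("record: sign check (invoice must be positive)")
    return errors


def validate(rec: dict) -> list:
    """Reject at entry: record level tests run only on clean fields."""
    errors = field_errors(rec)
    return errors if errors else record_errors(rec)


# Constructed sample input (not real account or transaction data).
GOOD = {"account_no": "79927398713", "txn_code": "INV",
        "year": 2021, "month": 1, "day": 26, "amount_cents": 1250000}
SAMPLES = {
    "good invoice": GOOD,
    "transposed account": {**GOOD, "account_no": "79927398731"},
    "month out of range": {**GOOD, "month": 13},
    "31 February": {**GOOD, "month": 2, "day": 31},
    "unsigned credit note": {**GOOD, "txn_code": "CRN"},
}

if __name__ == "__main__":
    for label, rec in SAMPLES.items():
        print(f"{label}: {validate(rec) or 'accepted'}")
```

The "31 February" record passes every field level test and is rejected only at the record level, which is the case the reasonableness check exists for.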

13.4.3.2 Processing Controls


Processing controls prevent, detect, and correct errors during the processing of transactional
input data. The primary goal of processing controls is to verify that the program is working
correctly and as intended. Processing controls can check that the correct data are processed in
the correct order or validate the results of processing.

Checking that the correct data are processed in the correct order is most important in batch
input systems. A batch input system processes data in groups, whereas a real-time system
processes data as the transaction occurs.

An application can include tests that ensure the correct transaction file is processed in the
correct order, such as verifying that the correct transaction file is being processed. Sequence
tests also check that the file is in the correct format and order for processing.


Validation of processing results is important to batch input systems as well as real-time
systems. A control might double-check the results of processing. Such controls are similar
to input controls in that field level or record level data are checked, except that processing
controls check the results of processing input data.

Data reasonableness tests check whether the processed data are reasonable and meet a
set of pre-determined criteria, such as allowable working hours. Similarly, arithmetic accuracy
tests check whether the processed data are accurate by reprocessing the calculations or by
reconciling different calculated amounts. For example, the application might include a test that
checks whether the total payable for a payment run in the accounts payable process equals the
net sum of invoices received less discounts and applicable credit notes.

Completeness tests check whether the records for processing have had all the fields
necessary for processing completed. For example, the application might include a test that
checks whether the record for a new purchase order has a vendor number, the type of items,
and the number of items necessary for processing.

In all cases, the application should halt processing if any tests are not satisfied. Processing
can continue if the data are corrected, or those records that fail the test are flagged for later
manual review and correction. If processing is halted, the control may need to reverse any
already processed transactions.
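
The sequence, completeness and arithmetic accuracy tests, and the choice between flagging a record and halting the run, are shown together in the following added example of an accounts payable payment run. It is not part of the learning pack; the batch layout, field names and amounts (in cents) are constructed for illustration.

```python
REQUIRED_FIELDS = ("vendor_no", "invoice", "discount", "credit_note")


class BatchHalted(Exception):
    """A processing control failed; nothing from this run is kept."""


def post_payable(rec: dict) -> int:
    """Normal processing step: amount payable for one record, in cents."""
    return rec["invoice"] - rec["discount"] - rec["credit_note"]


def run_payment_batch(batch: dict, last_seq: int, ledger: dict, post=post_payable) -> dict:
    # Sequence tests: the right file, with its records in the right order.
    if batch["seq"] != last_seq + 1:
        raise BatchHalted(f"batch {batch['seq']} received, expected {last_seq + 1}")
    lines = [rec["line"] for rec in batch["records"]]
    if lines != list(range(1, len(lines) + 1)):
        raise BatchHalted("record lines are missing, duplicated or out of order")

    working = dict(ledger)  # post to a copy so that a halt reverses every posting
    processed, flagged = [], []
    for rec in batch["records"]:
        # Completeness test: incomplete records are set aside for manual review.
        if any(rec.get(field) is None for field in REQUIRED_FIELDS):
            flagged.append(rec["line"])
            continue
        working[rec["vendor_no"]] = working.get(rec["vendor_no"], 0) + post(rec)
        processed.append(rec)

    # Arithmetic accuracy test: the total posted must equal invoices less
    # discounts and credit notes, recomputed from the column totals.
    posted_total = sum(working.values()) - sum(ledger.values())
    expected = (sum(r["invoice"] for r in processed)
                - sum(r["discount"] for r in processed)
                - sum(r["credit_note"] for r in processed))
    if posted_total != expected:
        raise BatchHalted(f"posted {posted_total} but column totals give {expected}")

    ledger.clear()
    ledger.update(working)  # commit only after every test has passed
    return {"posted_total": posted_total, "flagged_lines": flagged}


def sample_batch() -> dict:
    """Constructed batch number 42; line 3 has no vendor number."""
    return {"seq": 42, "records": [
        {"line": 1, "vendor_no": "V001", "invoice": 100000, "discount": 2000, "credit_note": 0},
        {"line": 2, "vendor_no": "V002", "invoice": 50000, "discount": 0, "credit_note": 5000},
        {"line": 3, "vendor_no": None, "invoice": 7000, "discount": 0, "credit_note": 0},
        {"line": 4, "vendor_no": "V001", "invoice": 20000, "discount": 0, "credit_note": 1000},
    ]}


if __name__ == "__main__":
    ledger = {"V001": 10000}
    print(run_payment_batch(sample_batch(), last_seq=41, ledger=ledger), ledger)
```

Passing a faulty `post` function (for example one that ignores credit notes) makes the arithmetic accuracy test fail, and the ledger is left exactly as it was before the run.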

13.4.3.3 Output Controls


Output controls detect errors and correct them after the completion of transaction
processing and also ensure that the results of processing are not intercepted and corrupted.
The primary goal of output controls is to verify the application’s output and to prevent
unauthorised changes.

The principal output control for the detection and correction of errors is the review of the
final output by a knowledgeable expert for reasonableness. This review might be based on the
expert’s own estimations of acceptable results from the input data or the formal reconciliation
and review of the output data.

The safe keeping of results requires controls that keep the output data secure from
interception and/or corruption. Controls here can focus on hard-copy distribution of output
such as the supervised printing of reports, the secure disposal by shredding of waste printouts,
or the controlled distribution of output reports. Other controls might focus on electronic
distribution of output reports and results through authorised and authenticated users, as well
as the encryption of output data that are distributed.

13.4.3.4 Master File/Database Controls


Application data are stored in a master file or database. Strictly, the master file refers to the
main subjects of interest in the system rather than all the system data, and so the master file
is a subset of the database. The terms are often used interchangeably, however. Database
controls ensure the security, integrity, accountability, and recoverability of the database.

Security requires that an access control list be used in the viewing, updating, or deleting of
data. The access control list is a structured document that sets out those with management’s
authorisation to access the data and is implemented by the DBA. The database management
system (DBMS) itself also must have security features that reflect and support the access
control list, and administration of this access control list is, again, the province of the DBA. The
DBMS is a central software system that allows data records to be managed (created, replaced,
updated, and deleted) and provides applications with access to data.

The general principle of maintaining access control lists is the rule of least access, which
is that users of a system should be granted access privileges on a need-to-know basis. This
principle is often breached, though, as over time users change roles and have new access
privileges granted without having previous privileges revoked. These breaches arise as the
managers with the authority to grant access privileges are frequently busy and often do not
exercise adequate care in revoking permissions or in initially assigning them. Users similarly
will likely not disclose that their system access is broader than required as it does not prevent
them from doing their new tasks. In contrast, users will likely request more access when they
are prevented from fulfilling their roles. Strong policies that require managers to apply due
diligence in assigning permissions to roles are required to avoid violations of the rule of least
access, and encourage users to report access that is no longer required.

Integrity requires that the database design be structured to store data without data loss.
Data loss might occur if a data design is unable to properly model the data required by the
system. For new databases, this means that the system development team should consult
the DBA about the data design and implementation of new systems to ensure data integrity.
For an established database, this means that the DBA should require proper authorisation,
documentation, testing, and review of database modifications before they are implemented.

Accountability requires that the DBMS record user access to the database and, in some
cases, the creation, reading, updating, or deletion of data in an audit log. The audit log records these
events by date, time, and named user. This approach ensures that an audit trail is available for
data changes and promotes personal accountability by end users. Reviews of this audit log and
consequent updates by the DBA are undertaken and documented. Such a review of the audit
log acts as a detective control for unauthorised changes.

Finally, recoverability requires that the DBA ensure the ongoing availability of the database.
The database should be regularly backed up and these backups should be securely stored
off-site. Key databases should be explicitly addressed in the backup plan.

Key Learning Point


Master file/database controls maintain the security, integrity, accountability, and
recoverability of the master file and database.
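
The rule of least access and the review of the audit log as a detective control can be tested with a comparison like the one in the following added example, which is not part of the learning pack. The role names, users, tables, privileges and log lines are constructed; a real review would read the grants and the log from the DBMS in use.

```python
# Constructed data: every name and log line below is illustrative.
ROLE_ENTITLEMENTS = {  # the access control list authorised by management
    "stock_clerk": {("purchase_order", "create"), ("purchase_order", "read")},
    "ap_clerk": {("vendor_payment", "create"), ("vendor_payment", "read")},
}
CURRENT_ROLE = {"alice": "ap_clerk", "bob": "stock_clerk"}
DBMS_GRANTS = {  # privileges actually held in the DBMS
    # alice moved from stock clerk to accounts payable; old grants were not revoked
    "alice": {("purchase_order", "create"), ("purchase_order", "read"),
              ("vendor_payment", "create"), ("vendor_payment", "read")},
    "bob": {("purchase_order", "create"), ("purchase_order", "read")},
}
AUDIT_LOG = [  # date, time, named user, table, operation
    "2021-01-26 09:14:02 bob purchase_order create",
    "2021-01-26 09:20:41 alice vendor_payment create",
    "2021-01-26 17:55:10 alice purchase_order create",
    "2021-01-26 18:02:33 carol vendor_payment update",
]


def entitled(user: str, roles: dict, entitlements: dict) -> set:
    """Privileges the user's current role is authorised to hold."""
    return entitlements.get(roles.get(user), set())


def excess_grants(grants: dict, roles: dict, entitlements: dict) -> dict:
    """Least access test: privileges held beyond the current role."""
    findings = {}
    for user, held in grants.items():
        extra = held - entitled(user, roles, entitlements)
        if extra:
            findings[user] = sorted(extra)
    return findings


def review_audit_log(lines: list, roles: dict, entitlements: dict) -> list:
    """Detective control: logged events that the access control list does not support."""
    exceptions = []
    for line in lines:
        date, time, user, table, operation = line.split()
        if user not in roles:
            reason = "user has no authorised role"
        elif (table, operation) not in entitled(user, roles, entitlements):
            reason = "operation outside current role"
        else:
            continue
        exceptions.append((f"{date} {time}", user, table, operation, reason))
    return exceptions


if __name__ == "__main__":
    print(excess_grants(DBMS_GRANTS, CURRENT_ROLE, ROLE_ENTITLEMENTS))
    for item in review_audit_log(AUDIT_LOG, CURRENT_ROLE, ROLE_ENTITLEMENTS):
        print(item)
```

The excess grant and the logged event belong to the same user: the privilege that was never revoked is the one later used to raise a purchase order from an accounts payable role.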

13.4.3.5 Documentation of Key Systems


Documentation is a written description of how the system works. There are different
approaches to documenting systems, but the key purpose is to communicate the systems’ key
features. The organisation’s existing documentation may be used as a basis, but the auditor
needs to document the internal controls of the system for the purpose of the audit.


Two approaches are usually adopted in documenting key systems. One is to describe the
system in narrative form and the other is to use a system flowchart.

A narrative description of the system simply documents the internal controls in writing,
although the narrative may also be presented as a table. The description identifies the
documents processed by the system, their source, how they are processed, and the final
location of the source documents when processing is finished. The narrative then sets out
the relevant internal controls in place that affect control risk. Exhibit 13.2 provides a possible
template to use in presenting a narrative description of an information system.

Information System: [Name of System]

Ref.  Source document    Prep. by  Processing step  Source/destination  Risk    Internal controls
P1    [Source Document]  Clerk     [Description]    Created             [Risk]  [Control]
                         AP        [Description]                        [Risk]  [Control]
                         PR        [Description]    L1                  [Risk]  [Control]
P2    [Source Document]  Clerk     [Description]    L1                  [Risk]  [Control]
                         AP        [Description]                        [Risk]  [Control]
                         PR        [Description]    L2                  [Risk]  [Control]

Location                 Roles
L1    [File Location]    Clerk     Data Entry Clerk (All Departments)
L2    [File Location]    AP        Accounts Payable
                         PR        Procurement

EXHIBIT 13.2 A template for the narrative description of an information system and its internal
controls in a table format (note the cross-reference between Location and Roles)

The advantage of the narrative approach is its simplicity and flexibility. However, for
complex systems the narrative approach quickly becomes unwieldy and difficult for later
readers to understand.

The system flowchart is a more visual and condensed representation of the same
information. The flowchart is a graphical diagram that represents the system. As with the
narrative description, a system flowchart identifies the documents processed by the system,
their source, how they are processed, and the final location of the source documents after
processing. Again, the relevant internal controls are identified in the system flowchart.

In contrast with the narrative approach, the system flowchart represents the system
graphically using symbols to represent documents, controls, and the sequential steps that
occur in the flow. Several flowcharts may be constructed, with each flowchart representing the
steps of different processes or transactions through the system. Colour coding is often used to
indicate the controls in place on the system flowchart and the flowchart can be presented as a
process flowchart with swim lanes that indicate role responsibilities. A swimlane diagram divides
the flowchart into different lanes that are similar to the lanes of a swimming pool. Each lane
represents a different role or department and the indicated role or department is responsible for
addressing the activities located in its lane. The swim lane allows the reader to quickly identify the
responsibilities for each task and when information is handed over to other roles and/or systems.

In addition to documentation of the system, the documentation should provide information
as to the discussion among the engagement team and the significant decisions reached in
relation to the system of internal control. This includes documentation of the key elements of
the auditor’s understanding of the IT environment and the sources of information used to
obtain that understanding, the risk assessment procedures used, as well as the basis for the
evaluation of identified controls and whether they have been implemented (HKSA 315.38
(Revised 2019)).

Apply and Analyse 3


Kowloon City Technology Trader (KCTT) uses the commercial off-the-shelf software
PurchasePro to manage store inventory. PurchasePro is an inventory management system.
PurchasePro manages information relating to stock items, vendors, and purchase orders.

You have interviewed key staff and made the following observations about
PurchasePro in relation to its management of inventory for KCTT:

• For new vendors, PurchasePro requires vendor name, address, and banking details
to be entered into the system.

• For new items, PurchasePro requires the item name, its standard price, and stock
reorder points to be entered into the system. The Store Manager reviews all added
items each week and deletes items that have not been linked to an approved
vendor that can supply the item.

• The Stock Clerk, Store Manager, and General Manager can add vendors, but only
the General Manager can approve vendors. All three roles can create items and link
them to pre-approved vendors.

• PurchasePro manages all stock purchases for the store. For this process, when
stock reaches a previously assigned reorder point, the Stock Clerk raises a
purchase order in the system.

• PurchasePro requires that a purchase order can only order items already
registered in the system and only from approved suppliers of that item.

• A purchase order must identify a stock item, order a positive quantity of items
(it is not possible to order a negative quantity or order zero items), and an
approved supplier.

• Optionally, special instructions may be provided with the purchase order; these
instructions cannot exceed 255 characters. An expected delivery date must be
nominated.

• PurchasePro does not allow purchase orders to be back-dated or forward-dated;
they must be dated at the current date. Similarly, the delivery dates of purchase
orders must be no more than 30 days from the date of the purchase order.

• The Stock Clerk, Store Manager, and General Manager are able to create purchase
orders. The Stock Clerk can both create and approve orders up to HK$5,000,
but the Store Manager or the General Manager are required to approve orders
over HK$5,000. Only the General Manager can approve orders over HK$30,000.
The Store Manager and the General Manager can only approve orders that they
created when the order is under HK$5,000.

• Purchase orders without approval are deleted.

Required

(a) Prepare a short narrative description of the processes supported by PurchasePro.
In describing each process, identify the key application controls.

(b) Note that you are not required to evaluate the internal controls system.

Analysis

Although descriptions will vary, the focus of the description is on the processes and
application controls for the purpose of the audit.

PurchasePro supports inventory management. There are three key processes
supported by this system, including New Vendor Data Entry, New Item Data Entry, and
Purchase Order Data Entry.

New Vendor Data Entry has input controls (data completeness checks).

New Item Data Entry has input controls (data completeness checks). New items have
up to one week to be linked to a vendor before being deleted by the Store Manager
(processing control).

New purchase orders require that the stock levels be at or below the reorder point
before being able to be placed (input control) and items can only be ordered from pre-
approved vendors (input control). The purchase order identifies the stock item, must order
a positive number of items, and identifies delivery instructions (input control).

Orders require approval once entered or they will be rejected after 24 hours according
to the following rules.

• The Stock Clerk (SC), Store Manager (SM), and General Manager (GM) can create
orders of any value.

• The SC, SM, and GM can approve orders up to HK$5,000.

• The SM and GM can approve orders between HK$5,000 and HK$30,000.

• The GM can approve orders over HK$5,000 (application processing controls).

• Orders below HK$5,000 can be approved by their creator.

• Unapproved purchase orders are deleted.

Delivery dates must be within 30 days of the purchase order date.


13.4.4 Auditing in Computerised Business Systems and Controls


HKSA 315 (Revised 2019) requires that the auditor perform risk assessment procedures to
understand and document the IT environment and the entity’s system of internal control
relevant to the audit. The preceding discussion identifies the general and application controls
that the auditor documents as relevant to the audit.

The question of whether general and application controls are relevant to the audit is a
matter of professional judgement informed by evidence. HKSA 300 requires the auditor to
develop an audit strategy and plan, and the auditor develops a set of audit procedures that
inform professional opinion regarding the risk of material misstatement in the financial reports.

These audit procedures set out the extent of reliance upon the testing of the operating
effectiveness of controls to evaluate whether the controls operate effectively and according to
the design.

The audit strategy is a structured approach designed to gather the evidence and
information needed to support the auditor in developing their audit opinion as to the risk of
material misstatement of the financial reports.

13.4.4.1 Audit Procedures for Testing Computerised Business Systems and Associated
Controls of the Business Processes of an Entity

The auditor gathers the information and evidence needed to inform and support their
professional opinion regarding the risk of material misstatement in the financial reports. This
evidence-gathering is done according to an audit strategy and plan that sets out the nature and
timing of audit procedures (HKSA 300.9).

The auditor develops these audit procedures by first developing an understanding of the IT
environment and then planning the controls testing and substantive testing in accordance with
the auditor’s assessment of the audit risk. The IT audit procedures are then designed in the
light of that assessment.

Initially, the auditor seeks to understand the IT environment by reviewing the organisation’s
controls. These controls include the technologies, processes, and structures in place. This
review is undertaken by the auditor making inquiries of the client regarding IT department
structure, function, and environment. The auditor also reviews the design of the ITGC and
application controls as relevant to the audit. Together, these two reviews address the auditor’s
first duty to obtain an understanding of the IT environment in the context of the financial
reports to be audited.

The extent to which the auditor evaluates the internal controls is a matter of professional
judgement. Such judgement is applied during the auditor’s risk assessment procedures to identify
the risks of material misstatement and their significance, and its exercise requires that the auditor
identify those controls that mitigate the risk (including, where IT is used, controls that address
any risks of material misstatement arising from that use). It is apparent that the audit of entities of
any relative size, riskiness, or complexity usually requires the auditor to obtain an understanding
of the system of internal control and the IT environment. Accordingly, the expectation is that the
auditor will obtain an understanding of the IT control environment (general and IT application
controls) in most audits, at least to a level that is sufficient to plan the audit.

In practice, the auditor obtains an understanding of the ITGC in place unless there are
factors that indicate some ITGC are not relevant to the audit. It is likely, though, that an auditor
will not obtain an understanding of all application controls. Many systems are not material, or
there are compensating controls in place that mean the application controls are not relevant
to the audit. For example, an output control where the output is reviewed by a knowledgeable
expert for reasonableness might compensate for or address weak input controls or processing
controls. The controls are assessed holistically.

In that context, the auditor plans their tests of controls and substantive testing according
to their judgement. This planning is informed by the auditor’s assessment of audit risk, which is
made by the auditor addressing the requirement to assess the risks that arise from the use of
IT. Audit risk affects the nature of audit procedures and thus the extent and type of audit work
the auditor performs.

As discussed previously, audit risk is a function of the inherent risk of the client, control risk,
and detection risk. The auditor’s assessment of audit risk informs the audit approach adopted.
The work of the auditor cannot affect the client’s inherent risk or control risk, but the auditor can
undertake work to better understand the control risk. The auditor can also undertake substantive
testing to detect errors, and so the auditor’s own work directly affects the detection risk.

The auditor can use audit procedures to better understand the control risk and evaluate
whether the control risk is low. This work is controls testing. If the control risk is low (that is,
internal controls are effective in preventing, detecting, and correcting errors), the auditor can
place more reliance upon the entity’s internal controls. If the auditor’s reliance on internal
controls is high, the auditor can reduce their own work to detect errors through substantive
testing, as fewer errors exist to be detected.

Controls testing assesses the effectiveness of the design and operation of the entity’s ITGC
and, for areas of significant risk of material misstatement, IT application controls. Substantive
testing is where the auditor seeks to objectively determine whether the entity’s financial
statements are materially misstated. Such tests do not rely on the effectiveness of controls.
Substantive tests represent the auditor’s work in detecting errors not prevented, detected, or
corrected by the controls.

Controls testing is generally less labour-intensive, less time-consuming, and less expensive
to perform than substantive testing, and detection risk depends on the effectiveness of the
controls that exist. For this reason, the auditor usually conducts controls testing to establish
the extent of reliance on internal controls before undertaking substantive testing. However, in
practice some substantive testing may be undertaken at the same time as controls testing in
some instances.

The planned mix of controls testing and substantive testing is a matter of professional
judgement. Generally, substantive testing will be preferred where controls testing is more
expensive than substantive testing (such as with small or simple audit entities) or where the
controls in place are ineffective in design and/or operation (that is, where the control risk is
high). It is very likely that the audit procedures will consist of a mix of both controls testing and
substantive testing. In large, diverse, and complex audit entities with many material systems,
controls testing will likely be more prominent in the audit procedures.

Controls testing is undertaken through inquiry of entity personnel, examination of
documents, reports, and manuals, observation, or re-performance of the procedures that are part
of a control (such as a process walkthrough with real or test data). HKSA 315 (Revised 2019)
A177 states that inquiry alone is not sufficient for obtaining evidence about the design and
implementation of identified controls.


Having documented the ITGC in planning the audit, the auditor then evaluates the design
effectiveness of the ITGC. If the design of a general control is ineffective, then the control cannot
be operationally effective and no further evaluation is required. If, however, the general control
is effectively designed, then the operational effectiveness of the general control is evaluated.

If the ITGC, taken as a whole, are effectively designed and operate properly, the auditor
may then evaluate the design and operational effectiveness of the IT application controls in
systems where the risk of material misstatement at the assertion level is significant. Here, the
auditor evaluates input, processing, output, and master file/database controls.

If the design of the application controls as a whole is effective and they operate properly,
then the audit approach may have a high reliance on the internal controls system. In such a
circumstance the substantive testing needed is lessened according to the auditor’s judgement.

The substantive tests to be undertaken include substantive tests of transactions, analytical
procedures, and tests of details of balances. Substantive tests can include physical examination,
confirmation, inspection, client inquiries, re-performance, analytical procedures, or recalculation.

In an audit with a high reliance on controls, substantive testing will be less than if the
reliance on controls was low.

HKSA 315 (Revised 2019) notes that in some circumstances the nature of the risk of material
misstatement is such that the only way to obtain sufficient appropriate audit evidence is to test
the operating effectiveness of internal control. This is the case, for example, in entities where
routine business transactions are subject to highly automated processing and much of the financial
information is initiated, recorded, processed and reported only in electronic form. Such entities,
for example banks, airlines and telecommunications entities, have a high level of integration
across IT applications.

Applying HKSA 315 (Revised 2019) in combination with HKSA 330 The Auditor’s Response
to Assessed Risks, the auditor is required to identify such risks. In these cases, audit evidence
is generally only available in electronic form and its sufficiency and appropriateness depend
on the effectiveness of internal controls to ensure its accuracy and completeness. The auditor
assesses such risks in designing and performing audit procedures. Where substantive procedures
alone cannot provide sufficient appropriate audit evidence in relation to the risk of material
misstatement at the assertion level, the auditor is required to design and perform tests of controls.

Overall, the auditor evaluates the results of controls testing and substantive testing
to assess the risk of material misstatement in the financial reports arising from the IT
environment. This assessment is reflected in evaluating the evidence to form the conclusion
expressed in the final audit report.

13.4.4.2 Evaluating the Effectiveness of Computerised Business Systems and Controls


The audit’s control risk is evaluated by controls testing. The auditor’s evaluation of control risk
determines the audit’s reliance on the system of internal controls, which in turn determines the
level and nature of substantive testing needed in the audit. The level of substantive testing in
turn directly affects the detection risk. Together, controls testing and substantive testing affect
the auditor’s assessment of the audit risk.

Controls testing includes client inquiry, examination of documents, observation of the work
being undertaken, or re-performing the procedures that are part of a control (such as a process
walkthrough with real or test data). These tests are increasingly rigorous, and so re-performing a
control is more rigorous than client inquiry, and a process walkthrough is more rigorous again.

In the initial stages of the audit, the auditor reviews the general and application controls
in place that are relevant to the audit. This review seeks to identify the controls that exist
and is often made on the basis of a client inquiry. The auditor then evaluates the design and
operation of the general and then the application controls according to the audit strategy. This
evaluation informs the auditor’s assessment of control risk and this assessment determines
the degree of reliance on internal controls in the audit. The supporting evidence for the
assessment, and the assessment itself, is documented as part of the audit.

The auditor’s assessment of the effectiveness of the internal controls system considers the
system as a whole. Consequently, although some internal controls may be ineffective, other
controls may compensate for this deficiency. The auditor considers the effectiveness of the
internal controls system in total in assessing the overall control risk.

Substantive testing is an important part of evaluating the effectiveness of computerised
business systems and controls. Substantive testing will be high where the degree of reliance on
internal controls in the audit is low and low where the reliance is high.

The nature and extent of the testing undertaken in an audit will vary between
engagements. The discussion that follows considers the testing of ITGC, application controls,
and substantive testing. Audit procedures that the auditor can adopt in evaluating the
effectiveness of computerised business systems and controls are suggested. It is likely that few
audits would use every audit procedure that follows. All tests that are performed should be
documented and assessed by the auditor.

IT General Controls (ITGC)


ITGC ensure that the IT environment maintains data integrity, security, and confidentiality.
There are six key ITGC that the auditor may test. The extent of such testing depends on the
auditor’s evaluation of the control risk of the internal controls system as a whole.

Administration of Function
Overall, in both complex and less-complex environments, the level of importance assigned to
the administration of the IT function at the audited entity is critical. If the administration of the
IT function is delegated to low-level employees or external consultants, the implication is that IT
may not have a high priority.

If the organisation does not give a high priority to the IT function, the IT area will likely be
understaffed and underfunded, with the result that it is poorly controlled. The administration of
the function, and hence the general control, will likely also be poor and ineffective. The auditor
would examine work records and organisation charts to evaluate this control.

Segregation of Duties
Segregation of duties requires that the duties of authorising and recording transactions are
kept separate from each other, as well as from the custody of those assets. Incompatible
functions are kept separate. Segregation of duties is a relevant consideration in any business
process supported by IT.

Segregation of duties also applies to the IT function. If segregation of IT duties is not
maintained, the IT assets are more easily stolen and/or errors may arise in record keeping.
Segregation of duties can be a very effective control as it requires collusion between two or
more people for assets to be stolen, and such collusion is riskier and likely to be discovered.
However, IS tend to automate and combine many activities into a single role.

Two indicators of ineffective segregation of IT duties are that the IT function is often shared
and the records of system changes are inadequate or non-existent. Ineffective segregation
provides opportunities for the theft of the entity’s assets. It is also likely that data can be
changed and consequently the reliability of the general control environment may be poor. In
such cases the auditor must assess whether compensating controls exist to allow the audit to
rely on this aspect of the ITGC environment.

The IT management, systems development, operations, maintenance, and DBA roles are
especially important.

Senior IT managers should provide oversight and strategic direction to the IT function.
Security administrators should monitor access to IT resources and undertake investigations in
cases of suspected security breaches.

In the systems development team, the auditor is concerned that the duties of requirements
analysis, change authorisation, software development, software review, and systems
implementation are kept separate from each other, and particularly from the IT operations
and maintenance team. Formal authorisation should be provided for changes made to the
programs. Systems developers should not work with operational data.

The IT operations and maintenance team should operate at the direction of the IT
management, but according to a recorded and scheduled programme of work, such as that
provided by the IT helpdesk and support software. The implementation of new software and
updates to existing software should be undertaken by the role of the librarian. The librarian
should be located within the IT operations and maintenance team rather than the systems
development team to reduce opportunities for collusion.

The DBA role requires full administrative access to all the entity’s data. To discourage
collusion with other areas of the IT function, such as operations and maintenance and systems
development, the DBA role should have independent personnel who ensure the data quality of
the entity’s data.

The organisation chart, position descriptions, and departmental structures should
document how incompatible IT duties are kept separate at the audited entity. Policy and
procedure documents are another potential source of evidence.

System Development
The decision to purchase COTS solutions or to develop software in-house should be made in
consultation with IT and non-IT staff and considering the strengths and weaknesses of these
approaches in meeting the entity’s needs.

Overall, if the general control over systems development is poor in ensuring that changes
to systems are adequately documented and authorised, then the ITGC in place can be
compromised. The auditor must evaluate whether the controls are effective in ensuring that
only authorised changes to software are implemented.

Traditional systems development approaches emphasise formal stages and documentation
of the project. This documentation provides considerable evidence to the auditor in evaluating
the control over systems development.

In contrast, it can be difficult for agile system development approaches to meet the needs
of the ITGC environment. Unlike the formal approaches, a key challenge for agile system
development approaches is ensuring that the documentation of the changes made to the software is to a
sufficient standard, that system changes are properly authorised, and that the implementation
of the operational system is by a team that is separate from the development team.

One way to address this concern is for the agile development project to include an IT auditor
(usually, as part of the internal audit team) in the project. This approach can meet the auditor’s
needs for the documentation of system changes, testing results, authorisation of changes, and
independence without unduly restricting the efficiency and effectiveness of the overall project.

Relevant documents that the auditor may review are policy and procedure documents that
set out the development methodology for new IS. These procedure documents should set out
the manner of consultation with system stakeholders in such projects and the responsibilities
and accountabilities in the project team. Documentation that records the system change, the
results of testing, the authorisation of changes, and, particularly, that the implementation of
the change in live software is by the librarian rather than the system development team is also
an important source of evidence for this general control.
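
One way to test this evidence across the period's change records, as an added example rather than code from the learning pack: the Python sketch below flags changes with no recorded authorisation, changes authorised by their own developer or only after implementation, changes put live by anyone other than the librarian, and changes with no test results. The record layout, role label and sample entries are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Assumed role label for this sketch; map it to the entity's own position descriptions.
LIBRARIAN_ROLE = "librarian"


@dataclass(frozen=True)
class Change:
    change_id: str
    developer: str
    approver: Optional[str]       # None when no authorisation was recorded
    approved_on: Optional[date]
    deployer: str
    deployer_role: str
    deployed_on: date
    test_evidence: bool           # True when test results are attached to the record


def review_change(c: Change) -> List[str]:
    """Return the exceptions raised by one change record (empty list = none)."""
    findings = []
    if c.approver is None or c.approved_on is None:
        findings.append("no recorded authorisation")
    else:
        if c.approver == c.developer:
            findings.append("developer authorised own change")
        if c.approved_on > c.deployed_on:
            findings.append("authorised after implementation")
    if c.deployer == c.developer:
        findings.append("developer implemented own change")
    if c.deployer_role != LIBRARIAN_ROLE:
        findings.append("implemented outside the librarian role")
    if not c.test_evidence:
        findings.append("no test results documented")
    return findings


def review_log(changes: List[Change]) -> Dict[str, List[str]]:
    """Map change_id -> exceptions for every change with at least one exception."""
    exceptions = {}
    for c in changes:
        findings = review_change(c)
        if findings:
            exceptions[c.change_id] = findings
    return exceptions


# Constructed sample change log (hypothetical users and dates).
SAMPLE_CHANGES = [
    Change("CHG-001", "dev_a", "mgr_x", date(2021, 3, 1),
           "lib_k", "librarian", date(2021, 3, 3), True),
    Change("CHG-002", "dev_b", None, None,
           "dev_b", "developer", date(2021, 3, 5), False),
    Change("CHG-003", "dev_a", "mgr_x", date(2021, 3, 12),
           "lib_k", "librarian", date(2021, 3, 10), True),
    Change("CHG-004", "dev_c", "dev_c", date(2021, 3, 15),
           "lib_k", "librarian", date(2021, 3, 16), True),
]

if __name__ == "__main__":
    for change_id, findings in review_log(SAMPLE_CHANGES).items():
        print(change_id, "; ".join(findings))
```

Each exception is a prompt for follow-up and for considering compensating controls, not a conclusion that the change was improper.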

Physical and Online Security


This testing requires consideration of the physical controls over the ITGC environment. For
example, this testing would consider whether controls over physical access to the IT hardware
are in place.

Overall, if the physical and online security policies are inadequate then the ITGC
environment is compromised. These security policies must be documented to be effective.
Further, the entity should have processes to verify that these policies are followed and the
auditor should assess these physical controls. Over time, it is common for the entity to grow lax
in following the policies, and many cyber attacks succeed through complacency.

Relevant documents that the auditor can examine include policies and procedures that
address physical and online security.

Backup and Contingency Planning


Backup and contingency plans should be regularly tested and updated. The backups should be
tested regularly according to the backup plan. These plans require regular updates as the IT
environment continually changes.

The auditor is concerned that backup and contingency planning is documented in the
entity’s policy and procedures. As with physical and online security controls, the backup
and contingency plans need to be documented by the entity as policies. The policy should
document how, when, and where the backups are executed and stored, and contingency plans
should identify the roles responsible for the incident response actions and communication to
be made in the event of disaster.

Backup and contingency plans should be documented and available for review. The auditor
can observe the backup process or review an audit trail to confirm that backups are carried out.
Tests of the contingency plan should also be documented and available for review. Contingency
plans can also be evaluated through process walkthroughs.

Hardware Controls
Hardware controls in the technologies that support the IT environment are often
embedded in the hardware when it is manufactured. These controls may monitor and report
on hardware failures that occur, or they may be controls that enable the device to operate.

In most cases, the financial auditor is less concerned with the nature of hardware controls
than with the entity’s response to incidents and problems identified by hardware controls.
Documented policies and procedures that identify how the entity responds to critical hardware
controls should be available for examination by the auditor, along with logs or documentation
relating to any such incidents that have occurred.

Illustrative Example 16

IT General Controls

Tak Wai considers the overall IT function and the way it is administered. She knows that
Ka Yut is the Chief Information Officer and he sits on an IT Committee. This position and
the committee are both structural mechanisms. The work of the IT Committee, however,
is to review the status of projects being managed under different project management
methodologies. The review of project status as well as the different project management
methodologies are both process mechanisms. Meanwhile, Tak Wai notes that there is a
job rotation arrangement for all members of the IT staff. This is a relational mechanism
as it allows IT staff to build informal relationships across the group.

Such arrangements mostly meet Tak Wai’s expectations. CWaves is a large, complex
company. In less complex environments, the expectations might be less. For example, if
Tak Wai were auditing HKCW Investment Limited on its own, her expectations would be
less as the organisation is less complex and less risky. In less complex organisations, the IT
steering committee might be replaced by regular reporting by a senior IT manager to the
senior management group. There are still structural, process, and relational mechanisms
in place, but they are less formal and complex. Whether they would be adequate, though,
would be a matter for Tak Wai’s judgement, having regard to the context of the audit.

In Tak Wai’s discussions with Ka Yut, she has noted several duties and tasks where the
segregation of duties may not be properly enforced. In particular, the CWaves Godown
software development team both writes custom software and installs that software on to
CWaves’ operational systems. This lack of segregation of IT duties concerns Tak Wai, and it is
possible that this compromises the information managed by that information system. Tak Wai
is keen to identify whether there are any compensating controls that relieve her concerns.

Tak Wai’s concerns are not alleviated when she discovers that not only does the CWaves
GoDown software development team implement the software that they develop, the team
also does not document this software. Without documentation, Tak Wai cannot assess how the
system is developed and also cannot determine how – or whether – the software is authorised.

Ka Yut is worried that Tak Wai is concerned because agile software development
methodologies are used by the Godown development team. Tak Wai explains that her
standards are not impossible, but she does need written documentation of some sort to
show and document how the software is developed and what changes are authorised. As
she says, ‘Agile development approaches are just fine, but they need to provide evidence
that they are followed!’

This is a concern for Tak Wai and she is fairly sure she will need to bring this point up
as a point for CWaves’ management team to address.

Application Controls
Application controls relate to the processing of information and controls that address the integrity
of information; that is, the completeness, validity, and accuracy of data in a single system. There are
four key types of application controls that the auditor may test. The extent of such testing depends
on the auditor’s understanding of the components of the entity’s system of internal control
identified in Sections 13.1 and 13.4.2.

Review controls are controls whereby management reviews and uses their judgment to
detect and correct controls that are not working as intended. Application controls are not
commonly considered as forms of review controls, as there is no judgment by management
required. Furthermore, the term does not appear in the ISACA IT assurance guide.

Input Controls
Input controls ensure that the data entered into the system are complete, accurate, and
authorised. In addition to observing non-IS controls, such as using only qualified staff to enter
data, the auditor may test field-level input controls and record-level controls.

In testing input controls, the auditor might observe the data entry process and document
the process in detail or perhaps re-perform the data entry procedures (and thus test the
control), using test data to ensure that the field level and record level controls are effective.
For example, the auditor might process a test invoice with deliberate errors introduced at data
entry to evaluate whether the control is effective at capturing these errors.

These tests can also be applied to transactions that occurred during the period under
review. For example, the auditor may use computer-assisted audit techniques (CAATs) to
inspect the records of existing transactions for compliance with the identified input controls.

Processing Controls
Processing controls prevent, detect, and correct errors during the processing of transactional
input data. The auditor may test that the correct data are processed in the correct order or
validate the results of processing.

In testing processing controls, the auditor may observe the processing of data to test whether
label checks or sequence tests are effective. The auditor can re-perform the process with test data
to confirm that label checks and sequence tests occur. Any re-performance of data entry of course
requires the ability to roll back any data entered before processing into the operational database.

The auditor may also observe the processing of data to check the operation of reasonableness
tests, arithmetic accuracy, or completeness. Re-performance of data entry processing can be
performed with test data that violates the rules of reasonableness and completeness to confirm
that these rules are followed. The auditor also uses the re-performance of data entry to confirm the
arithmetic accuracy of the system’s processing with data intentionally selected to test the accuracy
of the system (for example, using large numbers outside of the normal range). The system should
halt processing for data that is unreasonable, incomplete, or produces inaccurate results.

These tests can also be applied to transactions that occurred during the period under
review. For example, the auditor might use CAATs to query the records of existing transactions
to confirm that label checks and sequence controls ensured that data were processed in the
correct order, or apply the reasonableness checks, arithmetic accuracy checks, or completeness
checks to existing transactions. Such tests are inspections of the controls.

Output Controls
Output controls detect errors and correct them after the completion of transaction processing
and also ensure that the results of processing are not intercepted and corrupted. The auditor
may test the effectiveness of reviewing the final output by an expert and the secure distribution
of the application’s output.

In testing output controls, the reviewer would observe the review of the output by an
expert and/or re-perform the data entry process and evaluate the effectiveness of this review.
In evaluating this control, the auditor would ascertain the qualifications of the expert.

The observation or re-performance of the process can extend to tracing the distribution,
storage, and destruction (for example, by secure shredding) of the output from the system
and evaluating the control’s effectiveness in keeping the output secure. Controls might include
supervised printing, secure shredding, or controlled distribution of hard copy output reports.
Electronically, the auditor could consider access by authorised and authenticated users, and the
effectiveness of encryption when output reports are distributed electronically.

These tests can also be applied to transactions that occurred during the period under
review. For example, the auditor might use CAATs to inspect the audit log for transactions
to confirm that label checks and sequence controls ensured that data were processed in the
correct order or apply the reasonableness checks, arithmetic accuracy checks, or completeness
checks to existing transactions. Such tests are inspections of the controls.

Master File/Database Controls


Database controls ensure the security, integrity, accountability, and recoverability of the
database. The auditor may test the effectiveness of database controls by evaluating access
control and security, database creation and modification processes as part of systems
development, audit log creation and review, and database backups.

In testing database controls, the auditor can review the policy or management documents
that authorise users’ access to the database, and observe the different levels of access available
to end users. The auditor examines and compares the authorisation of access set out in
documents with that provided by the access control lists.

The auditor can observe the process of requests for database modification for new systems
or existing systems. In particular, the auditor is looking for evidence that the DBA authorises,
documents, tests, and reviews database modifications as part of the process.

Similarly, the auditor can observe the control in action by observing the creation of the
audit log and the DBA’s review.

Finally, the auditor can review the backup and contingency plans and observe the backup
process to confirm that the documented process is followed. The backup process can consider
the location and security of the backup data. As part of this controls test, the auditor may test
the DBA’s ability to restore data as needed.

These tests can also be applied to transactions that occurred during the period under review.
For example, the auditor might use CAATs to inspect the audit log for completeness or the access
control list for variations from the authorisations set out in policy or management documents.
This approach can be extended to the other database controls that record transactions. For
example, an electronic log (such as a helpdesk system) might be kept that records the steps in
implementing database modifications. Such tests are inspections of the controls.
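
The access-list and audit-log inspections described above can be scripted. The Python sketch below is an added example, not part of the learning pack: it reconciles the privileges actually granted against those authorised in policy documents, looks for gaps in audit-log sequence numbers, and lists logged actions that fall outside the user's authorisation. The data layout, user names and privilege names are constructed assumptions.

```python
def reconcile_access(authorised, acl):
    """Compare granted privileges (acl) with approved privileges (authorised).

    Both arguments map user -> set of privileges. Users who are authorised but
    hold fewer privileges than approved are not reported: that is not an
    access risk.
    """
    findings = []
    for user in sorted(acl):
        granted = acl[user]
        if user not in authorised:
            findings.append((user, "account not authorised", sorted(granted)))
        elif granted - authorised[user]:
            excess = sorted(granted - authorised[user])
            findings.append((user, "privileges exceed authorisation", excess))
    return findings


def missing_sequence_numbers(entries, expected_first=None, expected_last=None):
    """Return audit-log sequence numbers absent from the extract.

    Gaps at the start or end of the period are only detectable when the
    expected first/last numbers are known from an independent source.
    """
    present = {e["seq"] for e in entries}
    if not present and (expected_first is None or expected_last is None):
        return []
    first = expected_first if expected_first is not None else min(present)
    last = expected_last if expected_last is not None else max(present)
    return [n for n in range(first, last + 1) if n not in present]


def actions_outside_authorisation(entries, authorised):
    """Return sequence numbers of logged actions the user was not approved to perform."""
    return [e["seq"] for e in entries
            if e["privilege"] not in authorised.get(e["user"], set())]


# Constructed sample data (hypothetical users and privileges).
AUTHORISED = {
    "dba_lee": {"SELECT", "INSERT", "UPDATE", "DELETE", "ALTER"},
    "clerk_ho": {"SELECT", "INSERT"},
    "fin_mgr": {"SELECT"},
}
ACL = {
    "dba_lee": {"SELECT", "INSERT", "UPDATE", "DELETE", "ALTER"},
    "clerk_ho": {"SELECT", "INSERT", "DELETE"},
    "fin_mgr": {"SELECT"},
    "temp_dev": {"SELECT", "UPDATE"},
}
SAMPLE_LOG = [
    {"seq": 1001, "user": "clerk_ho", "privilege": "INSERT"},
    {"seq": 1002, "user": "clerk_ho", "privilege": "SELECT"},
    {"seq": 1004, "user": "clerk_ho", "privilege": "DELETE"},
    {"seq": 1005, "user": "temp_dev", "privilege": "UPDATE"},
    {"seq": 1006, "user": "dba_lee", "privilege": "ALTER"},
]

if __name__ == "__main__":
    for finding in reconcile_access(AUTHORISED, ACL):
        print(finding)
    print("missing log entries:", missing_sequence_numbers(SAMPLE_LOG))
    print("unauthorised actions:", actions_outside_authorisation(SAMPLE_LOG, AUTHORISED))
```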

Illustrative Example 17

Application IT Controls

Tak Wai is reviewing application controls within the CWaves Maintenance Company.
Although she is concerned about the ITGC of some entities within the group, the CWaves
Maintenance Company has generally good controls in place. Tak Wai is reviewing the
CWaves Maintenance systems for their application controls.

Tak Wai documents a control at CWaves Maintenance that ensures only qualified staff
enter data about customer bookings. This control is an input control. Another input control
is the preparation of clear supporting source documents for authorisation by management.

Tak Wai also notes a reasonableness check in the payroll system. This check rejects an
employee record indicating an age of 25 with 30 years of work experience or a janitorial
role that has the salary of a CEO. As this control compares one data field (for example,
salary) with another data field (for example, position), this is a record level check.

However, some checks cannot be made until processing commences. These are processing
controls. For example, Tak Wai notes a processing control in CWaves Maintenance’s payroll
system that checks if a storeman working in multiple departments exceeds the allowable
working hours in a week when the employee submits multiple timesheets for processing.
Each timesheet seems valid on its own, but taken together they are unreasonable. At CWaves
Maintenance, this control alerts the data entry operator that the entry is unreasonable, but the
data entry operator can proceed if they confirm the data as correct.

Tak Wai notes another processing control in which the file label is verified to confirm
that the file is indeed the file required by the program for uploading a maintenance
schedule provided by a property manager. This check would prevent the loading of a
duplicate maintenance schedule. Similarly, another processing control checks that the
maintenance schedule is ordered by the date the maintenance was requested before
processing the file. This allows the system to ensure that maintenance work is carried out
for those properties that have been waiting longest in the queue.

Finally, Tak Wai notes that a supervisor reviews the system reports of work orders
under way each as a check that the system’s records are accurate. This output control
captures errors and data corruption upon processing.

Overall, Tak Wai is reasonably satisfied that the application controls in place at CWaves
Maintenance are adequate. She documents these controls in the audit working papers.
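
The record-level, cross-record and sequence checks in Illustrative Example 17 can be re-applied to the period's transactions with a CAAT, as the Input Controls and Processing Controls discussions describe. The Python sketch below is an added example, not code from the learning pack or from any CAAT product; the field names, thresholds, salary bands and sample records are constructed assumptions.

```python
from collections import defaultdict
from datetime import date

# Assumed rule parameters for this sketch; the entity's own rules would replace them.
MIN_WORKING_AGE = 15
MAX_WEEKLY_HOURS = 48
SALARY_BANDS = {            # position -> (minimum, maximum) monthly salary
    "janitor": (10000, 20000),
    "storeman": (12000, 25000),
    "ceo": (150000, 400000),
}


def record_level_exceptions(employees):
    """Reasonableness checks that compare one field with another in the same record."""
    exceptions = defaultdict(list)
    for e in employees:
        if e["years_experience"] > e["age"] - MIN_WORKING_AGE:
            exceptions[e["emp_id"]].append("experience exceeds working life")
        band = SALARY_BANDS.get(e["position"])
        if band is None:
            exceptions[e["emp_id"]].append("no salary band for position")
        elif not band[0] <= e["salary"] <= band[1]:
            exceptions[e["emp_id"]].append("salary outside band for position")
    return dict(exceptions)


def excessive_weekly_hours(timesheets):
    """Cross-record check: total hours per employee per week over all departments.

    Each timesheet may be valid on its own; only the total reveals the problem.
    Where the system lets the operator confirm and proceed, every hit here is an
    override for the auditor to follow up.
    """
    totals = defaultdict(int)
    for t in timesheets:
        totals[(t["emp_id"], t["week"])] += t["hours"]
    return {key: hours for key, hours in totals.items() if hours > MAX_WEEKLY_HOURS}


def out_of_sequence(schedule):
    """Sequence check: jobs listed after a job with a later request date."""
    breaks, latest = [], None
    for job in schedule:
        if latest is not None and job["requested"] < latest:
            breaks.append(job["job_id"])
        else:
            latest = job["requested"]
    return breaks


# Constructed sample records.
SAMPLE_EMPLOYEES = [
    {"emp_id": "E01", "age": 25, "years_experience": 30, "position": "storeman", "salary": 18000},
    {"emp_id": "E02", "age": 45, "years_experience": 20, "position": "janitor", "salary": 250000},
    {"emp_id": "E03", "age": 38, "years_experience": 12, "position": "storeman", "salary": 19000},
]
SAMPLE_TIMESHEETS = [
    {"emp_id": "E03", "week": "2021-W10", "department": "Stores", "hours": 30},
    {"emp_id": "E03", "week": "2021-W10", "department": "Workshop", "hours": 28},
    {"emp_id": "E01", "week": "2021-W10", "department": "Stores", "hours": 40},
    {"emp_id": "E03", "week": "2021-W11", "department": "Stores", "hours": 40},
]
SAMPLE_SCHEDULE = [
    {"job_id": "J1", "requested": date(2021, 3, 1)},
    {"job_id": "J2", "requested": date(2021, 3, 4)},
    {"job_id": "J3", "requested": date(2021, 3, 2)},
    {"job_id": "J4", "requested": date(2021, 3, 3)},
    {"job_id": "J5", "requested": date(2021, 3, 5)},
]

if __name__ == "__main__":
    print(record_level_exceptions(SAMPLE_EMPLOYEES))
    print(excessive_weekly_hours(SAMPLE_TIMESHEETS))
    print(out_of_sequence(SAMPLE_SCHEDULE))
```

Run against an extract of live records rather than test data, these are inspections of the controls and need no roll-back of the operational database.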

Substantive Testing
Substantive tests include substantive tests of transactions, analytical procedures, and tests
of details of balances. Substantive tests can also include physical examination, confirmation,
inspection, client inquiries, re-performance, analytical procedures, or recalculation.

Substantive tests of transactions test for monetary misstatements – that is, they test for
errors in the financial reports directly. These tests directly examine the assertions made by
management in the financial statements in the context of the entity’s transactions. These
assertions are considered by the auditor and tested before the auditor can conclude that the
transactions in the financial reports are fairly stated (HKSA 315.A129). These transaction-related
assertions include:

• Occurrence: the equities in the statement of financial position exist and the transactions
in the statement of profit or loss and other comprehensive income actually occurred
and relate to the audited entity.

• Completeness: material assets, equities, or transactions that should have been recorded
have been recorded.

• Accuracy: amounts and other data for recorded transactions are recorded
appropriately.

• Classification: transactions are classified into their appropriate accounts.

• Cut-off: transactions are recorded in the correct accounting period.

• Presentation: transactions are appropriately aggregated or disaggregated and
understandable.

A sample of transaction records is made based on the auditor’s preferred approach. A
purposive sample (i.e. a sample of records not chosen at random, but to test the specific
objective) or a random sample may be used. Statistically, a random sample allows the auditor
to calculate a confidence interval; most CAAT tools provide calculators that give guidance on
determining an appropriate sample. These substantive tests are performed by relying upon
inspection, client inquiry, re-performance of the process, or recalculations.

Analytical procedures compare the recorded amounts against auditor expectations and
may be performed to audit account balances. The auditor develops expectations derived from
their knowledge of the entity and other factors, and if the final account balances are within
expectations, the substantive test is met. The extent of reliance placed on such analytical
procedures by the auditor is a matter of professional judgement.

Tests of details of balances primarily examine the accounts on the statement of financial
position. Here, audit procedures test the balances with external third parties or other
independent sources.

Key Learning Point


The auditor’s evaluation of the effectiveness of the system of internal control involves
consideration of the components of the system as a whole. Ineffective internal controls may be
compensated for by other controls. The auditor considers the effectiveness of the internal
controls system in totality in assessing the overall control risk.

The auditor plans controls testing and substantive testing in accordance with the
auditor’s assessment of audit risk.

The audit’s control risk is a function of evaluating the system of internal control and
controls testing. Controls testing includes client inquiry, examination of documents and
reports, observation of the work being undertaken, or re-performing the procedures that
are part of a control (such as a process walkthrough with real or test data).

Substantive tests affect detection risk and thus audit risk. Substantive tests of
transactions test for monetary misstatements – that is, they test for errors in the financial
reports directly. These tests directly address issues of: (1) Occurrence; (2) Completeness;
(3) Accuracy; (4) Classification; (5) Timing (Cut-off); and (6) Presentation.

Illustrative Example 18

Substantive Testing

Tak Wai is considering her options for testing systems within the CWaves Group. Her
review of the ITGC indicates that, mostly, she cannot rely on the internal controls system.

For this reason, Tak Wai plans to use a substantive testing approach to validate
the information contained within the CWaves Hotels’ inventory management system.
This system is particularly unreliable and furthermore manages all of the stock held by
CWaves Hotels.

Tak Wai is considering confirming the balances reported in the financial reports with
independent third parties (external confirmation) or physically to count the inventory
(physical examination). Either way, Tak Wai knows she will need to use substantive testing
in this issue – she just cannot rely on the controls in place.

Apply and Analyse 4


Drawing on the facts set out in the previous Apply and Analyse case for Kowloon City
Technology Traders, address the following requirements. Identify three improvements to
KCTT’s controls.

Analysis

There are several areas where improvements can be made, including:

• One possibility is to automate several of the manual steps (e.g. the review of items
without preapproved vendors).

• Deletion of purchase orders should not occur – these purchase orders should
instead be archived only. Otherwise, the audit trail of purchase order numbers
is affected.

• Forcing purchase from approved suppliers may result in sub-optimal purchasing
decisions – improving the process for approving suppliers (so that it can be done
on-demand) or allowing ad hoc suppliers to be used might allow KCTT to obtain
better quality goods or better pricing.

• Requiring an expected delivery date is likely to result in unintended consequences
– for example, an expected delivery date might not be accurate but is simply
entered to allow the order to be processed. If the purpose of this control is to
ensure that stock is only ordered as it is required, then undertaking a regular
review of an expected delivery date as a processing control compared to an actual
delivery date might highlight regular ordering of goods before they are required.

• On the current rules, the General Manager and the GM are the same person.


Apply and Analyse 5


Kowloon City Technology Traders has another information system, SalesPro. This system
controls the retail point of sales. From discussions with the client, your file notes reveal the
following points in relation to SalesPro’s sales process.

• Sales can be either for cash or credit. This choice is made at the beginning of the
transaction.

• Cash sales do not need to be recorded against a pre-existing customer, but credit
sales must be recorded against a pre-existing customer, and the total sale
amount for the invoice cannot exceed the credit limit.

• Credit sales are recorded only against items already recorded in inventory and
can only be sold to customers with an assessed credit limit authorised by the
Finance Manager.

• A credit sale is entered by the sales clerk but requires authorisation by the Store
Manager for approval. The Store Manager approves credit sales once in the
morning and once in the afternoon. An additional credit check is made at the
time of approval (in case the customer has had more items purchased during the
intervening period).

• Large items that are not in stock at the main showroom are kept at the Kowloon
City warehouse and delivered the next day. A daily shipping manifest is sent to
the inventory clerk at the warehouse to schedule these deliveries. This manifest is
automatically sent as an encrypted report via email.

• The database has an audit trail log maintained, which is reviewed monthly by the
internal audit team for unauthorised access.

Required

(a) Identify the apparent application controls of the SalesPro information system.

(b) Based on the information provided, explain whether you will be able to provide an
assessment on the design of the SalesPro information system’s controls.

Analysis

(a) At a high level there are four different types of application controls. The table
below identifies the input, processing, and output controls implied by the
discussion. A further application control to consider is the access to the Master File/
database and controls regarding such access.

Input controls ensure that the data entered into the system is complete, accurate,
and authorised. In addition to observing non-IS controls such as using only
qualified staff to enter data, the auditor may test field-level input controls and
record-level controls.

Processing controls prevent, detect, and correct errors during the processing of
transactional input data. The auditor may test that the correct data are processed
in the correct order or validate the results of processing.


Output controls detect errors and correct them after the completion of
transaction processing, and also ensure that the results of processing are not
intercepted and corrupted. The auditor may test the effectiveness of reviewing the
final output by an expert and the secure distribution of the application’s output.

Database controls ensure the security, integrity, accountability, and
recoverability of the database. The auditor may test the effectiveness of database
controls by evaluating access control and security, database creation, and
modification processes as part of systems development, audit log creation and
review, and database backups.

| Control | Type of Control |
|---|---|
| Sales can be either for cash or credit. This choice is made at the beginning of the transaction. | Input Control |
| Cash sales do not need to be recorded against a pre-existing customer, but credit sales must be recorded against a pre-existing customer, and the total sale amount for the invoice cannot exceed the credit limit. | Input Control |
| Credit sales are recorded only against items already recorded in the inventory and can only be sold to customers with an assessed credit limit authorised by the Finance Manager. | Input Control |
| A credit sale is entered by the sales clerk but requires authorisation by the store manager for approval. The store manager approves credit sales once in the morning and once in the afternoon. An additional credit check is made at the time of approval (in case the customer has had more items purchased during the intervening period). | Processing Control |
| Large items that are not in stock at the main showroom are kept at the Kowloon City warehouse and delivered the next day. A daily shipping manifest is sent to the inventory clerk at the warehouse to schedule these deliveries. This manifest is automatically sent as an encrypted report via email. | Output Control |
| The database has an audit trail log maintained, which is reviewed monthly by the internal audit team for unauthorised access. | Master File/Database Control (Access) |

(b) It is not possible to make this assessment as there is insufficient information
regarding the IT environment. SalesPro may or may not be well-controlled, but it is
not possible to determine this without an understanding of the ITGC in place.
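
The input and processing controls identified in (a) can be re-performed by the auditor over a full extract of sales. The Python below is an added example, not part of the original case or of SalesPro itself; the field names, user roles and sample records are constructed for illustration.

```python
from dataclasses import dataclass
from decimal import Decimal
from typing import Optional


@dataclass(frozen=True)
class Customer:
    customer_id: str
    credit_limit: Decimal
    limit_authorised_by: str   # role that approved the limit (assumed field)


@dataclass(frozen=True)
class Sale:
    sale_id: str
    payment_type: str          # "cash" or "credit"
    customer_id: Optional[str]
    item_code: str
    amount: Decimal
    entered_by: str
    approved_by: Optional[str]


def reperform_controls(sales, customers, inventory, roles):
    """Return {sale_id: [exceptions]} for each sale that breaks a stated rule.

    Sales are read in time order so that credit already extended earlier in
    the extract counts against the limit (the additional check at approval).
    """
    exposure = {}    # customer_id -> credit extended so far in this extract
    exceptions = {}
    for sale in sales:
        found = []
        # Field-level input checks: each field is validated on its own.
        if sale.payment_type not in ("cash", "credit"):
            found.append("invalid payment type")
        if sale.amount <= 0:
            found.append("non-positive amount")
        if sale.payment_type == "credit":
            # Record-level input checks: fields validated against master data.
            customer = customers.get(sale.customer_id)
            if customer is None:
                found.append("no pre-existing customer")
            else:
                if customer.limit_authorised_by != "Finance Manager":
                    found.append("credit limit not authorised by Finance Manager")
                used = exposure.get(customer.customer_id, Decimal("0"))
                if used + sale.amount > customer.credit_limit:
                    found.append("credit limit exceeded")
                else:
                    exposure[customer.customer_id] = used + sale.amount
            if sale.item_code not in inventory:
                found.append("item not recorded in inventory")
            # Processing check: the clerk enters, the Store Manager approves.
            if sale.approved_by is None:
                found.append("not approved")
            elif roles.get(sale.approved_by) != "Store Manager":
                found.append("approver is not a Store Manager")
            elif sale.approved_by == sale.entered_by:
                found.append("entered and approved by the same user")
        if found:
            exceptions[sale.sale_id] = found
    return exceptions


# Constructed master data and transactions (not taken from the case).
CUSTOMERS = {
    "C001": Customer("C001", Decimal("5000"), "Finance Manager"),
    "C002": Customer("C002", Decimal("1000"), "Sales Clerk"),
}
INVENTORY = {"TV-55", "LAPTOP-14"}
ROLES = {"clerk1": "Sales Clerk", "mgr1": "Store Manager"}
SALES = [
    Sale("S1", "cash", None, "TV-55", Decimal("800"), "clerk1", None),
    Sale("S2", "credit", "C001", "TV-55", Decimal("3000"), "clerk1", "mgr1"),
    Sale("S3", "credit", "C001", "LAPTOP-14", Decimal("2500"), "clerk1", "mgr1"),
    Sale("S4", "credit", "C999", "TV-55", Decimal("100"), "clerk1", "mgr1"),
    Sale("S5", "credit", "C002", "PHONE-X", Decimal("200"), "mgr1", "mgr1"),
    Sale("S6", "credit", "C001", "TV-55", Decimal("1500"), "clerk1", "clerk1"),
]

if __name__ == "__main__":
    results = reperform_controls(SALES, CUSTOMERS, INVENTORY, ROLES)
    for sale_id, issues in results.items():
        print(sale_id, "; ".join(issues))
```

Each exception is a transaction the application should have rejected, so a non-empty result is evidence about operating effectiveness of the application controls only; it does not replace the ITGC understanding required in (b).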

Apply and Analyse 6


Ai Ma Ke Import/Export (AMKIE) is an importer/exporter company that exports
manufactured goods around the world. Ai Ma Ke Import/Export is privately owned and the
board of directors has retained your firm to conduct the annual audit.

You are undertaking your audit as part of the financial audit team and are charged
with reviewing the internal controls of the IS in place to determine whether the financial
auditors can rely on AMKIE’s IS and controls. Your work is part of the initial audit phase of
the audit at the commencement of the financial year.


The discussion that follows describes key points about the client’s approach to
managing the IS function.

There are several key IS that are brought together as a best of breed approach. That is,
there is no single enterprise-wide information system, but rather several IS are used and a
single system (SYBIL) integrates the different systems.

Man Hei Yip is the IS Manager for AMKIE. Man Hei was hired in 1994 as the IT Projects
Manager to build this platform of applications. He has continued to develop it on his
promotion to manager, where he is responsible for day-to-day operations as well as the
small development team that keeps their IS operational.

There are 21 people currently employed in the IS department, which consists of a
single team of database administrator, network administrators, technical support, and web
administrator roles. In this team, all team members are agile and flexible and ensure that
the work is done as required. Each role in the IS team reports directly to Man Hei.

This team develops the programming interfaces that make up the integration system
SYBIL. The team develops the interfaces between IS, implements software patches, and
maintains the data as a single team.

Man Hei Yip and Tsz Man Lam first developed the interfaces together back when
Tsz Man was an external developer working on contract. Tsz Man joined AMKIE as an
employee in 2009 and is now the database administrator. Tsz Man and Man Hei are the
people in the IT team who know SYBIL the best.

The computer centre uses traditional blade servers in a data room located in the office
headquarters in Central District. A dedicated server room is maintained in a separate
room on the fourth level of AMKIE’s headquarters. There are UPS (Uninterruptible Power
Supply) units sufficient to power the data centre for three hours in the event of unexpected
power outages.

The room is locked with a keypad entry; all members of the IS team have access to the
server room code. There is a single air conditioning unit that supplements the building’s
main air conditioning out of hours.

An exact replica of the data centre is maintained in the basement of the subsidiary
office in Wan Chai. This replica data centre even uses the same keycode as the main data
centre. It is a hot site data centre with fail-over capability. That is, all data and transactions
from the Central District data centre are immediately replicated in the Wan Chai data
centre. In the event that the Central District data centre is unavailable, all IT infrastructure
switches immediately to the Wan Chai data centre. The end result is that end users do
not notice the interruption (unless it is localised) so long as both data centres remain
operational.

No other backups are made. AMKIE does not use any form of cloud infrastructure.

The disaster recovery plan is maintained by Tsz Man. It was updated last year when the
Wan Chai data centre was implemented.

Required

(a) Identify the ITGC and the physical controls presented in the case. Assess whether
these key controls are effective.

(b) Explain how you would improve the ITGC you identified.

Analysis

(a) There are several aspects to consider here. The table below assesses each aspect
including administration of the IT function (effective), the segregation of IT duties
(ineffective), system development (ineffective), physical and online security
(ineffective), backup and contingency planning (effective), and hardware controls
(not assessable).

Given the overall assessment of each aspect of general control in the table
below, the overall assessment is that the internal control system is not effective.

| ITGC | Issues |
|---|---|
| Administration of the IT Function | |
| Man Hei Yip is the IS Manager for AMKIE. | This is a structural governance mechanism in the appointment of a management role with responsibility for IS. |
| Man Hei has worked on SYBIL since 1994; he has continued to develop it on his promotion to manager. | Man Hei has a long association with the firm and has a deep understanding of the systems. |
| There are 21 people currently employed in the IS department. There is a ‘One IS’ team approach. Each role reports directly to Man Hei. | The IT team is a single team and, with 21 people employed, there are a large number of people to supervise, probably more than is appropriate. This is particularly so given the wide range of tasks undertaken by the team. |
| Overall Assessment: Administration of the IT function is generally effective. However, compensating controls such as supervision are likely to be ineffective. | |
| Segregation of Duties | |
| There is a ‘One IS’ team of database administrator, network administrators, technical support, and web administrator roles. There are no separate teams – all team members ensure that the work is done as required. | There is only one team and so there is no separation between an operations team and the development team. |
| Each role in the IS team reports directly to Man Hei. | Segregation of duties is not well enforced within the IT team. The chance of collusion is somewhat higher. It is likely that compensating controls of supervision are ineffective given the span of control of staff. |
| Tsz Man joined AMKIE as an employee in 2009 and is now the database administrator. | As Tsz Man reports to Man Hei, the possibility for collusion – particularly given their knowledge of the in-house SYBIL system that integrates all systems – is increased. |
| Overall Assessment: Segregation of duties within the IT team is ineffective. | |
| System Development | |
| That is, there is no single enterprise-wide information system but rather several IS are used and a single system (SYBIL) integrates the different systems. | SYBIL maintains information consistency in the different systems. Data quality problems with SYBIL will affect all decision making across the enterprise. |
| Man Hei Yip first developed SYBIL with Tsz Man Lam. Man Hei is now the manager. | Man Hei has continued to develop SYBIL even as manager. This is inappropriate as the duties are incompatible. |
| This team develops the programming interfaces that make up the integration system SYBIL. The team develops the interfaces between IS, implements software patches, and maintains the data as a single team. | It does not seem that documentation, approval, and authorisation of software development occurs – particularly given that Man Hei is developing the system and the team implements the software patches. |
| Tsz Man joined AMKIE as an employee in 2009 and is now the database administrator. | Database administrator role should be kept separate from the development team. |
| Overall Assessment: System development is not kept separate from operations, management, and database administration, and the opportunity for collusion is high. Particularly as SYBIL is a central system, this control is ineffective. | |
| Physical and Online Security | |
| A dedicated server room is maintained in a separate room on the fourth level of AMKIE’s headquarters. | Central District occasionally suffers from flooding, but this should not affect the data room on the fourth floor greatly. |
| The room is locked with a keypad entry; all members of the IS team have access to the server room code. This replica data centre even uses the same keycode as the main data centre. | The physical lock is good. Too many people have access to the room. No access log seems to be kept. Having the replica centre use the same keycode is a problem as a breach in one facility could be a breach in another. |
| Overall Assessment: Overall, the physical and online security is somewhat effective, but given the common keycode and the number of people with access (and the lack of a log), physical and online security are ineffective. | |
| Backup and Contingency Planning | |
| There are UPS (Uninterruptible Power Supply) units able to keep the equipment running for three hours. | It is positive to see these UPS units in place. There should be evidence of regular testing of these units. |
| There is a single air conditioning unit that supplements the building’s main air conditioning out of hours. | If the single unit fails, there is no air conditioning available out of hours. A second unit should be in place. |
| An exact replica of the data centre is maintained in the basement of the subsidiary office in Wan Chai. The end result is that end users do not notice the interruption (unless it is localised) so long as both data centres remain operational. | A basement is not a good location for a data centre. An inspection for possible flooding should be considered. Also Wan Chai and Central District are not far from each other. If Central District is unavailable due to flooding, it is likely the data centre in Wan Chai will also be affected. |
| This replica data centre even uses the same keycode as the main data centre. | Having the replica centre use the same keycode means a breach in one facility could be a breach in another. |
| No other backups are made. | This is bad, particularly as the two data centres are close to each other. The loss of both facilities would be catastrophic. |
| The disaster recovery plan is maintained by Tsz Man. It was updated last year when the Wan Chai data centre was implemented. | It is good that the DR plan was updated. Evidence of regular updates would be better. It seems in this case that the implementation of the new data centre triggered the update. |
| Overall Assessment: Overall, the disaster recovery plan appears effective; however, there are several key weaknesses that should be considered and addressed. | |
| Hardware Controls | |
| No hardware controls identified. | No assessment made. |
| Overall Assessment: No overall assessment made. | |

(b) Several opportunities exist within the case. Some specific
recommendations include:

• Assess replica data centre for risk of water ingress and seek to mitigate this risk
by relocating or rebuilding the data centre.

• Implement a second air conditioning unit in both the main data centre and the
replica data centre.

• Implement unique keycodes for all staff and limit access to those that need access
to the data rooms. Implement a different keycode at the replica data centre.

• Implement a policy of an annual review and update of the disaster recovery
plan, and document evidence of this review.

• Separate the systems development staff from operations and database
administration. Implement a team leader for each of these teams.

• As a manager, Man Hei should not undertake system development work.

Knowledge Check Questions

Question 31
Identify the purpose of ITGC.
A Ensure that substantive testing is kept to a minimum in the audit.
B Ensure that the application controls maintain completeness, validity, and
accuracy of data.
C Ensure that the IT environment maintains data integrity, security, and confidentiality.
D Ensure that the IT environment maintains data completeness, validity, and accuracy.


Question 32
Identify the purpose of application controls.
A Maintain the completeness, validity, and accuracy of data in a single application
or system.
B Maintain data validity, integrity, and usefulness.
C Ensure that only authorised changes are made to the application software.
D Maintain data integrity, security, and confidentiality.

Question 33
Identify which best describes a project steering committee.
A A process mechanism.
B A relational mechanism.
C A procedural mechanism.
D A structural mechanism.

Question 34
Identify which of the following is the general control that relates to the principle that no
transaction should be performed in its entirety by a single role.
A Input Controls.
B Segregation of IT Duties.
C Hardware Controls.
D Backup and Contingency Planning.

Question 35
Identify which of the following are included under substantive tests.
A Physical examination, confirmation, inspection, client inquiries, re-performance,
analytical procedures, and refactoring.
B Physical examination, collaboration, inspection, client inquiries, re-performance,
analytical procedures, and recalculation.
C Physical examination, confirmation, inspection, client inquiries, re-performance,
analytical procedures, and recalculation.
D None of the above.

Question 36
Identify which of the following is a systems development approach that cannot support the
development of effective internal controls.
A The Systems Development Life Cycle approach.
B The SCRUM systems development methodology.
C Any agile systems development methodology.
D None of the above.


Question 37
Identify which of the following describes the observation of the backup process.
A A test of output controls.
B A test of general controls.
C A test of application controls.
D A substantive test.

Question 38
Identify which of the following is not an output control.
A A data entry range check control.
B Supervisor review of the Accounts Receivable Report.
C Encrypted transmission of system reports.
D Secure disposal of waste printouts.

Question 39
An employee entered ‘40’ in the ‘hours worked per day’ field, which is of course impossible
as there are only 24 hours in each day. Identify the type of application control that would
detect this unintentional data entry error.
A A record level input control.
B A field level input control.
C A processing control.
D An output control.

Question 40
Identify a disadvantage of integrated test facilities (ITFs).
A The potential for corrupting the data files of the organisation with test data.
B They reduce the efficiency of the audit and decrease the reliability of the audit
evidence gathered.
C They provide a static picture of application integrity at a single point in time.
D All of the above.

Question 41
Identify which of the following is a general principle of the segregation of duties control.
A The segregation of duties should be such that the authorisation for a transaction is
separate from the processing of the transaction.
B To ensure the validity, completeness, and accuracy of financial transactions.
C To ensure high employee satisfaction in carrying out their duties.
D None of the above is a principle of the segregation of duties control.


Question 42
Identify which of the following situations indicates a violation of the need for the
segregation of duties.
A The Accounts Receivable (AR) clerk issues invoices and authorises the write-off of
bad debts.
B The Record-keeping Clerk maintains both Accounts Receivable and Accounts Payable
subsidiary ledgers.
C The Inventory Control Clerk authorises inventory purchase.
D The Accounts Receivable clerk prepares customer statements.

Question 43
Identify the purpose of output controls.
A Prevent and detect unauthorised access to the firm’s assets.
B Ensure that no single individual or department processes a transaction in its entirety.
C Identify keystroke errors in key fields by testing their internal validity at the time of input.
D Ensure that information is not lost, misdirected, or corrupted and that system processes
function as intended.

Question 44
Identify which of the following is an example of segregation of duties in a computer-based
information system.
A Separating the role of system developer from computer operator.
B Preventing management override.
C Separating the inventory process from the billing process.
D Performing independent verifications by the computer operator.

Question 45
Identify which of the following circumstances is most likely to violate the segregation of
IT duties.
A The software developer implementing software updates.
B Access to live operational data and database administration.
C The request and approval of a purchase order by the same person.
D Software development and software requirements analysis.

Question 46
Identify which best describes the IT Steering Committee.
A Structural governance mechanism.
B Compensating governance mechanism.
C Process governance mechanism.
D Relational governance mechanism.


Question 47
Outline how controls testing and substantive testing are related.

Question 48
Define a field level input control with an example. Contrast a field level input control with a
record level input control.

Question 49
Outline the rule of least access.

Question 50
Consider an organisation where the DBA and the Data Library are both part of the systems
development team. Explain whether this structural arrangement of the IT team increases,
decreases, or has no effect upon the effectiveness of the internal controls system at that
organisation.

Question 51
Identify an effective physical control that reduces the impact of a fire in the data centre.

13.5 COMPUTER-ASSISTED AUDITING TECHNIQUES

The auditor exercises professional judgement in addressing the duties set out in the auditing
standards. However, the auditor’s judgement must be exercised diligently and professionally,
and an assessment is required to be driven by the evidence gathered and evaluated by the
auditor (HKSA 320.14). The auditor often uses computer-based tools and techniques that give
support in developing and exercising the auditor’s judgement.

The use of computer-based tools and techniques generally provides greater assurance for
the audit. Testing can usually be undertaken against all transactions rather than selecting a
subset of the transactions as a sample for testing. These tools and techniques allow auditors
to focus on important exceptions across all of the entity’s records. These records relate to all
transactions recorded in the IS, including the revenue, payroll, fixed asset, accounts receivable,
accounts payable, general journal, and general ledger systems in place.

Depending on the auditor’s skills and the sophistication of the testing and evidence needed
to inform the audit opinion, auditors may execute these testing procedures themselves or
engage a specialist auditor to undertake the tests.

The auditor uses several different types of software and computer-assisted auditing
techniques (CAATs). Generalised audit software (GAS) is used by the auditor to undertake a
wide range of audit-focused analytical activities. The auditor may also test the application by
auditing around the computer (the black-box approach) or auditing through the computer (the
white-box approach). Although the black-box approach does not rely upon specialised IT tools
or techniques, the white-box approach relies upon several specialised testing techniques that
test the internal logic and controls of the application. The auditor needs to be involved with
both white-box approaches and black-box approaches – at least in terms of specifying the
requirements and scope of the testing.

In addition to the tools that support their analytical work, auditors usually manage the
audit project and document their findings in software specifically designed to act as a form
of automated working papers. Such systems support the audit team with working papers
specifically designed to support the audit process. Finally, an auditor can and should evaluate
the entity’s approach to addressing its cyber-security needs without specialist skills and tools.

In doing all of this work, the auditor is in a unique place to assist the entity in recognising
and addressing the weaknesses of its internal control system. HKSA 260 (Revised),
Communication with Those Charged with Governance, and HKSA 265 (Clarified), Communicating
Deficiencies in Internal Control to Those Charged with Governance and Management, require
the auditor to communicate significant deficiencies in internal control to the entity and its
management.

Overall, the auditor has many tools available in undertaking the audit. The auditor has
available a portfolio of tools that can be used to support the auditor in developing and
exercising professional judgement. These tools and techniques all provide a means of
supporting the auditor in controls testing – such as client inquiry, examination of documents,
observation, or re-performing the procedures that are part of a control – or substantive testing.
The auditor does not use all these tools and techniques in every engagement, or even in any
engagement, but auditors should be aware of the options available to them.

13.5.1 Audit Software


The auditor is expected to undertake audits of a wide variety of organisations across many
different industry contexts and the auditor is expected to support his or her judgement
with evidence and analysis in each case. It is not feasible for there to be analytical tools that
support all these contexts and, even where tools specific to an industry do exist, it is likely to
be impractical for the auditor to be an expert in the use of the tool unless that industry is his or
her professional focus. The cost of such tools (including training) is a factor in whether to use
such specialised software.

GAS consists of generic analytical tools that the auditor can apply across very different
circumstances. Such software is flexible and adaptable as it allows the auditor to develop and
use tailored computer command scripts or routines that extract, transform, and analyse data.
The advantage of these more generic tools is that the auditor can develop skills knowing that
these skills transfer to many different future audits. However, unlike more specialised audit
software, it is likely that the auditor will need to tailor or configure the GAS to support the
immediate audit need.

These tools allow the auditor to analyse the data sets extracted from the audit entity’s IS.
Usually, the auditor uses these tools to review and summarise the extracted data sets and
to analyse the data statistically. Two popular GAS tools are ACL (Audit Command Language)
and IDEA (Interactive Data Extraction and Analysis). Such tools are designed with the audit
task in mind. However, the auditor often relies on tools that were not designed to support the
audit function but that are useful nonetheless. The auditor often uses spreadsheet and data
visualisation software to provide support in the audit task. These tools are powerful, adaptable,
and, usually, already familiar to the auditor.
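
An added example (not from the original text, and not ACL or IDEA script syntax) of the kind of tailored routine described above, written in Python: it extracts a constructed purchase-order file, summarises it by vendor, and tests the whole population for numbering gaps, duplicates and unusual amounts. The file layout, vendor names and the 3.5 cut-off for the modified z-score are assumptions.

```python
import csv
import io
import statistics
from collections import Counter, defaultdict
from decimal import Decimal

# Constructed purchase-order extract; a real one would be exported from the
# client's system as a CSV file, a spreadsheet or a database query result.
PO_EXTRACT = """po_number,vendor,amount
1001,Alpha Ltd,1200.00
1002,Beta Co,950.00
1003,Alpha Ltd,1100.00
1005,Gamma Ltd,1020.00
1006,Beta Co,980.00
1006,Beta Co,980.00
1008,Delta Ltd,1150.00
1009,Alpha Ltd,48000.00
1010,Gamma Ltd,1075.00
"""


def load_extract(text):
    """Extract and transform: parse CSV text into typed records."""
    return [
        {"po_number": int(row["po_number"]),
         "vendor": row["vendor"].strip(),
         "amount": Decimal(row["amount"])}
        for row in csv.DictReader(io.StringIO(text))
    ]


def sequence_gaps(records):
    """Completeness: PO numbers missing between the lowest and highest seen."""
    present = {r["po_number"] for r in records}
    if not present:
        return []
    return [n for n in range(min(present), max(present) + 1) if n not in present]


def duplicate_numbers(records):
    """Occurrence: PO numbers that appear more than once in the extract."""
    counts = Counter(r["po_number"] for r in records)
    return sorted(n for n, c in counts.items() if c > 1)


def totals_by_vendor(records):
    """Summarise: total value ordered per vendor."""
    totals = defaultdict(Decimal)
    for r in records:
        totals[r["vendor"]] += r["amount"]
    return dict(totals)


def amount_outliers(records, threshold=Decimal("3.5")):
    """Statistical screen using the modified z-score.

    score = 0.6745 * |amount - median| / MAD, where MAD is the median
    absolute deviation. Unlike mean and standard deviation, the median and
    MAD are not distorted by the very outliers being looked for.
    """
    amounts = [r["amount"] for r in records]
    if not amounts:
        return []
    median = statistics.median(amounts)
    mad = statistics.median([abs(a - median) for a in amounts])
    if mad == 0:
        # More than half the amounts are identical: flag anything different.
        return sorted({r["po_number"] for r in records if r["amount"] != median})
    k = Decimal("0.6745")
    return sorted({r["po_number"] for r in records
                   if k * abs(r["amount"] - median) / mad > threshold})


if __name__ == "__main__":
    records = load_extract(PO_EXTRACT)
    print("Missing PO numbers:", sequence_gaps(records))
    print("Duplicated PO numbers:", duplicate_numbers(records))
    print("Unusual amounts (PO numbers):", amount_outliers(records))
    for vendor, total in sorted(totals_by_vendor(records).items()):
        print(f"{vendor}: {total}")
```

A gap in the number sequence is the symptom of the deleted purchase orders discussed in Apply and Analyse 4; every item the routine flags is a lead for follow-up, not a conclusion.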

Both ACL and IDEA have extensive development histories. ACL is a general-purpose
software designed to access and import data through many different file formats or even
connections to active operational databases. ACL is a widely used data extraction tool and its
history extends back to 1972, when the original Audit Command Language was developed – as
a scripting language. Strictly, ACL is a portfolio of many different products, but the ACL Analytics
application is the member of the portfolio that is the successor to the original product. ACL
Analytics connects to many different sources and supports analysis by the auditor to identify
anomalous patterns and to inform and guide the auditor’s examination. Recently, ACL has
moved to broaden its appeal by incorporating cloud-based automated working papers.

The IDEA (Interactive Data Extraction and Analysis) software is a competitor to ACL as an
analysis tool. IDEA software was developed by the Canadian Institute of Chartered Accountants
and is now owned by and developed by CaseWare International. CaseWare International is a
leading provider of automated working paper software designed to document and guide the
audit process. As with ACL, IDEA is designed to connect to many different sources and provide
support to the auditor in identifying anomalous patterns in the entity’s data as part of their
investigation. As with ACL, IDEA is now part of a portfolio of software that is complementary to
and integrated with an automated working papers package.

Frequently, the audit-focused GAS tools, such as ACL and IDEA, work with standard
software to complement its capabilities. For example, spreadsheet software such as Microsoft’s
Excel is used to load data and transform the data into a form that is ready for analysis in ACL
or IDEA. Although the GAS tools have strong capabilities and the auditor is likely to have a good
understanding of these tools, audited entities rarely have access to such software or people
with the skills to use these tools. Spreadsheet tools such as Microsoft Excel, the open source
LibreOffice, and Google Sheets, among others, are ubiquitous. Accordingly,
audited entities frequently provide data in the form of a spreadsheet, and the auditor might
manipulate clients’ data using spreadsheet tools before analysis in the audit-focused GAS
analytical tools.

A newer category of general software that the auditor may find useful is data visualisation
software. There are several tools of note here, including Tableau, Power BI, and QlikView. These
tools allow the auditor to extract and analyse data and then visualise it to better communicate
the findings to less technical audiences. Visualising the data under analysis in this way can also
help the auditor to understand the data and find anomalies.

Key Learning Point


GAS consists of generic analytical tools that the auditor can use in different contexts.

CAATs allow the auditor to review and summarise the extracted data sets and to analyse
the data statistically. Two popular tools are ACL Analytics and IDEA.


M13_c13.indd 844 1/26/2021 9:24:20 PM


Computerised Business Systems and Controls

13.5.2 Test Data and Testing Procedures


In auditing an information system, the auditor can use the black-box (‘auditing around the
computer’) or the white-box (‘auditing through the computer’) approaches. The black-box
approach is where the auditor develops an understanding of the functional characteristics of
the application and then uses that understanding to reconcile actual inputs with actual outputs.
Auditing around the computer is less disruptive than auditing through the computer.

In contrast, the white-box approach is where the auditor places test data into the
application to systematically test the application’s logic and controls. The white-box approach
is more detailed, disruptive to the audited entity, and costlier, but is a stronger test of the
application and better able to address the complexity of an application than the black-box
approach. The black-box approach does not allow the auditor to use test data and test the
range of potential input data, whereas the white-box approach does allow the auditor to test a
more varied range of input data.

In applying the white-box approach the auditor has several testing techniques to choose
from. In general, the auditor can use the entity’s technology platform with test data to confirm
that applications work as expected and are understood. These testing techniques include
parallel simulation, the test data method, the base case system evaluation, and integrated test
facilities.

The Parallel Simulation technique requires the auditor to write a simulated version of the
application under review according to the deep understanding acquired by auditing through
the computer, and to then re-process transactions to compare the output of the simulation
with the original application. The simulation mimics the functional steps of the original
application and so does not require a complete re-development of the program. However,
the development of the simulation remains a potentially arduous task. Transactions already
processed by the original application are re-processed in the simulation, and the output of
the original application is compared with the simulation. This approach can be expensive and
difficult, although automated software development tools and rules-based expert systems can
make this task easier.

A further complication is that any differences found between the original application and
the simulation might be due to errors in the simulation rather than the original application.
Nevertheless, parallel simulations remain a technique used by a significant proportion of audit
firms, and this technique provides opportunities for developing and documenting a deep
understanding of the original application.
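
The following added example (not part of the learning pack) sketches a parallel simulation in Python: the auditor's own re-implementation of an invoice-pricing rule re-processes transactions and lists every output that disagrees with what the application recorded. The pricing rule (5% discount from 100 units, half-up rounding), the field names and the sample transactions are all constructed assumptions.

```python
from decimal import Decimal, InvalidOperation, ROUND_HALF_UP

CENT = Decimal("0.01")
DISCOUNT_QTY = 100                 # assumed rule: discount applies from 100 units
DISCOUNT_RATE = Decimal("0.05")    # assumed rule: 5% volume discount

# Constructed sample: transactions already processed by the application under
# review, each with the invoice total that the application recorded.
PROCESSED = [
    {"invoice": "INV-001", "qty": 10,  "unit_price": "19.99", "app_total": "199.90"},
    {"invoice": "INV-002", "qty": 100, "unit_price": "19.99", "app_total": "1899.05"},
    {"invoice": "INV-003", "qty": 250, "unit_price": "4.15",  "app_total": "1037.50"},
    {"invoice": "INV-004", "qty": 99,  "unit_price": "7.25",  "app_total": "717.75"},
    {"invoice": "INV-005", "qty": 3,   "unit_price": "0.335", "app_total": "1.00"},
    {"invoice": "INV-006", "qty": 5,   "unit_price": "n/a",   "app_total": "0.00"},
]


def simulate_total(txn):
    """Auditor's re-implementation of the documented pricing logic."""
    qty = int(txn["qty"])
    price = Decimal(txn["unit_price"])
    if qty <= 0 or price < 0:
        raise ValueError("quantity must be positive and price non-negative")
    gross = qty * price
    if qty >= DISCOUNT_QTY:
        gross -= gross * DISCOUNT_RATE
    return gross.quantize(CENT, rounding=ROUND_HALF_UP)


def parallel_simulation(transactions, tolerance=Decimal("0.00")):
    """Re-process each transaction and list every output that disagrees."""
    exceptions = []
    for txn in transactions:
        try:
            simulated = simulate_total(txn)
            recorded = Decimal(txn["app_total"])
        except (ValueError, InvalidOperation, KeyError) as err:
            # Input the simulation cannot process is reported, not skipped.
            exceptions.append({"invoice": txn.get("invoice"),
                               "status": "UNPROCESSABLE",
                               "detail": type(err).__name__})
            continue
        difference = recorded - simulated
        if abs(difference) > tolerance:
            exceptions.append({"invoice": txn["invoice"],
                               "status": "DIFFERENCE",
                               "recorded": recorded,
                               "simulated": simulated,
                               "difference": difference})
    return exceptions


if __name__ == "__main__":
    for item in parallel_simulation(PROCESSED):
        print(item)
```

Each listed exception is a lead to investigate rather than a conclusion: the fault may lie in the simulation rather than in the application.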

A different approach is to create a series of test cases designed to test different pathways
through the internal logic of the application. Some test cases are valid, some are invalid, and
some test cases deliberately examine obscure combinations of input data. The test cases are
processed through the operational system using fictional entities and transactions, and the
final results are reviewed and evaluated for consistency with the auditor’s understanding of
the application. This Test Data approach tests the logical pathway of the operational system as
implemented. However, this approach has the disadvantage of creating fictional transactions
that need to be removed from the system or risk corruption of the entity’s data.

An extension of the test data approach is to create a series of test cases that are processed
in the system at the beginning of the period under review. The same test cases (the base
cases) are then re-processed at the end of the period under review. Any differences in the
application’s output highlight changes in the application during the intervening period.
Unexpected changes require further investigation by the auditor. This is the Base Case
Evaluation technique.

Both the Test Data and Base Case Evaluation techniques require considerable reliance on
the IT personnel at the audited entity. These techniques are also resource-intensive, and so it is
not likely that they will be appropriate in all audits and for all systems.
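
An added illustration of the Test Data and Base Case Evaluation techniques together (example code, not from the learning pack): the same base cases are run at the start and end of the period, checked against the results the auditor expects, and compared between the two runs. The payment application is a constructed stand-in, and the vendor codes, auto-pay limit and case names are assumptions.

```python
APPROVED_VENDORS = {"V100", "V200"}    # constructed vendor master file


def make_payment_app(auto_pay_limit):
    """Constructed stand-in for the entity's payment application."""
    def process(txn):
        if txn["vendor"] not in APPROVED_VENDORS:
            return "REJECTED"
        if txn["amount"] <= 0:
            return "REJECTED"
        return "PAID" if txn["amount"] <= auto_pay_limit else "HELD"
    return process


# Base cases: (case id, fictional transaction, result the auditor expects).
# Valid, invalid and deliberately obscure inputs are all included.
BASE_CASES = [
    ("valid-small",            {"vendor": "V100", "amount": 500},    "PAID"),
    ("valid-at-limit",         {"vendor": "V100", "amount": 10_000}, "PAID"),
    ("invalid-over-limit",     {"vendor": "V100", "amount": 10_001}, "HELD"),
    ("invalid-unknown-vendor", {"vendor": "V999", "amount": 50},     "REJECTED"),
    ("invalid-negative",       {"vendor": "V200", "amount": -25},    "REJECTED"),
    ("obscure-text-amount",    {"vendor": "V100", "amount": "500"},  "REJECTED"),
]


def run_cases(app, cases):
    """Process every case and record the output, including crashes."""
    results = {}
    for case_id, txn, _expected in cases:
        try:
            results[case_id] = app(dict(txn))    # copy: the app cannot alter the case
        except Exception as err:                 # a crash is itself a test result
            results[case_id] = "ERROR:" + type(err).__name__
    return results


def expectation_failures(results, cases):
    """Test Data method: outputs that differ from the auditor's expectation."""
    return {cid: (expected, results[cid])
            for cid, _txn, expected in cases if results[cid] != expected}


def base_case_differences(start_results, end_results):
    """Base Case Evaluation: outputs that changed between the two runs."""
    return {cid: (out, end_results.get(cid, "MISSING"))
            for cid, out in start_results.items()
            if end_results.get(cid, "MISSING") != out}


def evaluate_period():
    start = run_cases(make_payment_app(auto_pay_limit=10_000), BASE_CASES)
    # Constructed scenario: the limit was changed during the period.
    end = run_cases(make_payment_app(auto_pay_limit=50_000), BASE_CASES)
    return expectation_failures(start, BASE_CASES), base_case_differences(start, end)


if __name__ == "__main__":
    failures, changes = evaluate_period()
    print("Differs from expectation at period start:", failures)
    print("Changed between period start and end:", changes)
```

On a live system the fictional transactions created by these cases would also have to be removed afterwards, for the reason given above.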

A further complication is that the parallel simulation, test data, and base case evaluation
techniques all examine the application at the time of testing. Potentially, the application may
be altered without authorisation after the tests were run and then returned to the authorised
version upon the auditor’s return. This is a weakness of these techniques as they test the
application at a single point in time. The Integrated Test Facility technique avoids this problem
by embedding a secured audit module in the operational system that can only be modified
by the audit team. The audit module tests transactions in the operational system during its
operation throughout the period.

As long as the audit module and its data remain secure, the auditor can use the integrated
test facility to indicate whether the application is changed without authorisation during the test
period and whether the application operates as expected. However, such a facility necessarily
imposes a processing overhead on the application, and – as with the Test Data technique – the
test data in the application may corrupt the entity’s data if not properly managed.

Key Learning Point


In auditing an information system, the auditor can use the black-box (‘auditing around
the computer’) or the white-box (‘auditing through the computer’) approach. The black-
box approach is less disruptive than the white-box approach, but the white-box approach
allows more fine-grained and controlled testing.

13.5.3 Documentation
A key obligation placed on the auditor by HKSA 230, Audit Documentation, is the need for
adequate documentation to provide evidence of the inquiries undertaken and the auditor’s
findings. It is important that the auditor document the audit procedures performed, the
relevant audit evidence obtained, and the conclusions reached. (HKSA 230.7)

HKSA 230, Audit Documentation, requires the auditor to:

Prepare the audit documentation so as to enable an experienced auditor, having no previous
connection with the audit, to understand:

(a) The nature, timing and extent of the audit procedures performed to comply with
HKSAs and applicable legal and regulatory requirements;

(b) The results of the audit procedures and the audit evidence obtained; and

(c) Significant matters arising during the audit and the conclusions reached thereon.

(HKSA 230.9)

The auditor is required to document to a standard such that an experienced auditor, with
no prior connection with the audit, can understand the nature, timing, and extent of the audit
procedures, the results of the audit procedures performed (including the audit evidence
obtained), and conclusions and professional judgements made. These records are usually
referred to as work papers or working papers. (HKSA 230.8)

This standard of documentation is required as the audit may be challenged legally or
professionally many years after completion of the audit. After the passage of such time it is
likely that the original auditor will not recall the audit with the necessary detail or is no longer
available to provide the context to working papers that are inadequately documented. An
inadequately documented audit has possible legal ramifications for the auditor – the rule of
thumb observed in the profession is that ‘if it’s not documented, it’s not done’.

Given the importance of documenting the audit, the auditor usually manages the audit
project and documents the findings using software specifically designed to act as a form
of automated working papers. In a sense, such software is a form of specialised document
management system designed to support the audit team. This software is known as
engagement management software. Engagement management software is increasingly
integrated with popular GAS tools, as is the case with both CaseWare (integrated with IDEA)
and ACL GRC (integrated with ACL Analytics). More recently, this software has been based in
the cloud by software vendors and it is much easier for the auditor to use such software when
operating in the field.

The software platform allows the auditor to organise their documentation and their
audit working papers, and to analyse the data and prepare different schedules. As multi-user
software is based on a local area network, groupware such as SharePoint, or in the cloud, the
audit team can track the progress of the engagement no matter the physical location of the
team. All members of the audit team will use engagement management software to document
their assigned tasks.

13.5.4 Effectiveness of Cyber-security Safeguard


An organisation needs to organise and implement the technologies, processes, and structures
needed to keep its IS protected when the system interacts with the Internet. These resources,
processes, and structures are the Cyber-security Safeguard. The emphasis is on the
technologies, processes, and structures used to protect systems that are connected to cyber-
space. More simply, cyber-security is making sure that business data are safe from attack via
the Internet.

As IS become increasingly interconnected, the importance of cyber-security increases.
Although the auditor needs specialist skills and tools to address many of the
challenges presented by the need for cyber-security, the auditor can evaluate the entity’s
overall approach to cyber-security. In doing so, the auditor considers whether the approach
has weaknesses that affect the risk of material misstatement in the financial statements
(for example, the information may be changed by unauthorised parties) and controls that
can be implemented to improve the effectiveness of the entity’s cyber-security safeguard.

The auditor has several key concerns. A hacker might obtain sensitive information from the
entity’s systems such as credit card data or personal, private information relating to customers.
As a consequence, the business may find that the damage from the loss of data is exceeded by
the damage to its reputation. The damage to business reputation and goodwill might be more
crippling than the actual data loss itself.


A different type of problem is presented by ransomware. Ransomware encrypts the
data of infected computers and networks. The user is required to pay a ransom for the
encryption key or else the key will be deleted and the data lost. A prominent example is the
WannaCry ransomware that affected the United Kingdom’s National Health Service (NHS) in
2017. This attack closed at least 16 hospitals in the NHS and cost the NHS at least $US100
million in IT costs to restore NHS systems. WannaCry demanded payment of the ransom
in Bitcoin cryptocurrency to ensure anonymity of the perpetrators. There are many other
examples of ransomware and new variants are created each year. In many ways, ransomware
commercialised computer viruses to allow criminals to hold business data to ransom.

A more indirect risk is that a cyber-security breach may result in legal action. The breach
might affect a third party who then commences legal action for their own losses. There are
several bases for such an action. The Personal Data (Privacy) Ordinance (PDPO) in Hong Kong
restricts the use of personal data by online intermediaries. Common law remedies such as
defamation or copyright actions might also arise as a consequence of a data breach. Further,
cyber risk is a risk that – as with all business risks – needs to be governed by the entity and the
entity has legal obligations if those cyber risks could have a financial impact. Even if a court
action ultimately fails, defending the action is costly and distracting.

Through client inquiry, examination of documents, observation, or re-performing
the control procedures, the auditor can observe the base controls in place to safeguard
against cyber-security attacks. The auditor needs to understand the overall approach to the
governance of cyber risk at the entity. The discussion that follows identifies some of these
controls that, taken together, are effective in safeguarding against cyber-security attacks.

The auditor needs to be aware that the cyber-security landscape is constantly changing and
evolving. The auditor needs to monitor that landscape and understand its implications for client
audits. The auditor should engage specialists in cyber-security when they lack the competency
to adequately understand and address cyber-security risks in the entity.

Key Learning Point


An organisation needs to organise and implement the technologies, processes, and
structures needed to protect IS that are exposed to the Internet. Many of the tasks
required in undertaking a cyber-security audit require specialist skills and tools. However,
a generalist auditor can examine the base controls around cyber-security without using
specialist skills and tools to assess whether a risk arises of material misstatements in the
financial reports.

13.5.4.1 Using Anti-virus Software and Keeping Software Current


The auditor is concerned that the entity implements anti-virus software and only installs
authorised and trustworthy software. Software should be current so that the latest version of
the software is managing business data. Many cyber breaches occur because older software
is being used. In such cases the process for updating software applications is not followed.
Application software (for example, Microsoft Word or Google Chrome) should be kept current
with the latest version, as should the operating system.


For example, ‘Trojan’ malware is software that appears legitimate but actually contains
malicious software (‘malware’). It takes control of the computer using vulnerabilities in the
computer’s operating system and seeks to damage the host’s network or data. The WannaCry
Trojan malware that affected many companies in 2017 exploited a vulnerability in Microsoft
Windows that Microsoft had addressed two months earlier. However, Microsoft only addressed
the problem in supported versions of Windows. Entities using Windows XP were vulnerable
as Windows XP was no longer supported and updated by Microsoft. Windows XP did not
receive the update to address the vulnerability. This is an explicit risk that arises when out-of-
support and/or out-of-date software continues to be used.

13.5.4.2 Authorised Software


Cyber-security attacks often occur through the installation of unauthorised software. The entity
should ensure that only authorised software is installed. Many popular operating systems allow
the user to install and run almost any application by default. This approach is very convenient
for the end user, who is able to install software virtually unchallenged. However, most users
regularly use only a small set of applications to complete their tasks.

Anti-virus software does prevent some applications from being installed, but many argue
that anti-virus software is insufficient, as it only blacklists applications that are demonstrably
dangerous. In contrast with blacklisting applications, application whitelisting allows only
authorised software applications to run on a computer. No other software is allowed to run.
This approach is restrictive for some intensive users, but for most users a wider selection is
often simply not needed.

This whitelisting approach aims to ensure that only authorised software is on the computer.
In identifying needed software, the entity should adopt the control of application hardening.
Here, popular tools such as Flash or Java are blocked or uninstalled if they are not needed. Such
software often has weaknesses that become an avenue for cyber-security attacks. Increasingly,
these tools are not required or have more secure alternatives.

13.5.4.3 Authorised Users


A second control is to ensure that only authorised users use the computer. A strong password
is an assumed requirement, but as an additional control multi-factor authentication is a
powerful control that requires another factor in addition to the password for users to access
their account. These factors might include, for example, a separate PIN, a physical token, or a
fingerprint scan. Requiring such multi-factor authentication for privileged activities (such as installing
software) is a control that ensures that actions are only undertaken as required.

13.5.4.4 Assigning User Privileges on an ‘As Needed’ Basis


By default, users often have full access to the computer with administrative privileges. Unless
full access is definitely required, users should have only the privileges required to fulfil their roles.
Providing administrative privileges only to the level needed greatly reduces the opportunity for
cyber-security attacks that compromise these user accounts to create widespread disruption
and damage.

Similarly, Visual Basic applications in Microsoft Office are prone to abuse through cyber-
attacks. At the least, Visual Basic macros should require approval to run on the computer. Often
end users allow these macros to run without user approval for convenience; this approach can
have dangerous consequences.


13.5.4.5 Daily Backup of Important Data


The control of last resort in the event of a cyber attack is the ability to return the systems to
a working state. Frequently, cyber attacks encrypt and corrupt data – particularly so in the
case of ransomware attacks. Having offline, incorruptible, and disconnected backups – that
cannot be encrypted by malware attacks – is a key corrective control that stops the malware
from encrypting the entity’s backed-up data, although the online operational data may still be
encrypted.

Apply and Analyse 7


The auditor has five aspects of the internal control system to consider in evaluating
the effectiveness of cyber-security safeguards. These aspects are the use of anti-virus,
authorised software, user authorisation, user privileges, and daily backups.

Similarly, there are several different means by which these controls can be tested
without using specialised audit software. In increasing order of rigour, these different
tests include client inquiry, examination of documents, observation, or re-performing the
control procedures.

Required

(a) In each cell of the matrix below, identify a specific approach that the auditor might
choose for testing the cyber-security safeguard.

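| Test control | Client inquiry | Examination of documents | Observation | Re-performing control procedures |
| --- | --- | --- | --- | --- |
| Use of anti-virus | | | | |
| Authorised software | | | | |
| User authorisation | | | | |
| User privileges | | | | |
| Daily backups | | | | |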

(b) For each control, identify which of the approaches is, in your view, the most efficient
and effective. Explain your answer.

Analysis

(a) In every instance, the approach and its results require documentation in a file note.

| Test control | Client inquiry | Examination of documents | Observation | Re-performing control procedures |
| --- | --- | --- | --- | --- |
| Use of anti-virus | Interview client IT team and document responses. | Review software licences; review software installation logs and records. | Observe the release of new anti-virus software; review a sample of workstations to confirm operation. | Follow instructions for the setup of a new computer workstation; confirm that the new workstation includes anti-virus software. |
| Authorised software | Interview client IT team and document responses. | Review authorised software list; identify process for software authorisation; review software licence register; compare with a list of installed software; identify implemented software that is unauthorised. | Observe the implementation of new software on workstations and servers; identify licence checks that occur. | Attempt to install unauthorised software on a workstation or server. |
| User authorisation | Interview client IT team and document responses. | Review user authorisation list and user authorisation process; compare authorisation list to actual current users. | Observe the creation of a new user on the system; identify checks for authorisation. | Attempt to create an unauthorised user on the system. |
| User privileges | Interview client IT team and document responses. | Review process for assigning privileges to users; compare actual privileges to the process. | Observe the assignment of user privileges to a user on the system. | Attempt to assign unauthorised privileges to a user on the system. |
| Daily backups | Interview client IT team and document responses. | Review backup logs; examine documentation indicating that tests of the backups have occurred. | Observe the daily backup process; observe an attempt to restore data. | Carry out the daily backup process; attempt to restore data from the backups. |

(b) There are five controls to consider. Client inquiry on its own is insufficient; the auditor
needs to consider the control through at least one additional approach. These
approaches are increasingly rigorous and so increase in effectiveness. However, they
are also increasingly costly, and so generally decrease in efficiency.

With this in mind, consider the following response:

• Use of anti-virus: Observation

• Authorised software: Examination of Documents

• User authorisation: Examination of Documents

• User privileges: Examination of Documents

• Daily backups: Examination of Documents
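
As an added example (not part of the learning pack), the ‘examination of documents’ comparisons in the matrix above can be performed as simple reconciliations in Python: installed software against the authorised list, actual accounts against the authorisation list, and actual privileges against those each role permits. All host names, user names, roles, privileges and software entries other than Microsoft Word and Google Chrome are constructed sample data.

```python
def norm(name):
    """Normalise names so 'google chrome ' and 'Google Chrome' compare equal."""
    return " ".join(name.split()).casefold()


# --- Constructed sample data standing in for the entity's registers/exports ---
AUTHORISED_SOFTWARE = ["Microsoft Word", "Google Chrome", "Anti-virus Agent"]
INSTALLED_SOFTWARE = {
    "WS-01": ["Microsoft Word", "Google Chrome", "Anti-virus Agent"],
    "WS-02": ["google chrome ", "Free Video Converter"],
    "SRV-01": ["Anti-virus Agent", "Java Runtime"],
}
AUTHORISED_USERS = {"achan": "clerk", "blee": "it_admin", "cwong": "manager"}
ROLE_PRIVILEGES = {
    "clerk": {"read", "post_journal"},
    "manager": {"read", "approve_journal"},
    "it_admin": {"read", "install_software", "manage_users"},
}
ACTUAL_ACCOUNTS = {
    "achan": {"read", "post_journal", "install_software"},
    "blee": {"read", "install_software", "manage_users"},
    "cwong": {"read", "approve_journal", "post_journal"},
    "dtemp": {"read", "manage_users"},
}


def hosts_missing_software(installed, required):
    """Use of anti-virus: hosts whose inventory lacks the required product."""
    wanted = norm(required)
    return sorted(host for host, apps in installed.items()
                  if wanted not in {norm(app) for app in apps})


def unauthorised_software(installed, authorised):
    """Authorised software: installed items absent from the authorised list."""
    allowed = {norm(item) for item in authorised}
    return sorted((host, app.strip())
                  for host, apps in installed.items()
                  for app in apps if norm(app) not in allowed)


def unauthorised_accounts(actual, authorised):
    """User authorisation: accounts that exist but are not on the list."""
    return sorted(set(actual) - set(authorised))


def excess_privileges(actual, authorised, role_privileges):
    """User privileges: privileges held beyond those the user's role permits."""
    findings = {}
    for user, privileges in actual.items():
        role = authorised.get(user)
        if role is None:
            continue    # already reported by unauthorised_accounts()
        extra = privileges - role_privileges.get(role, set())
        if extra:
            findings[user] = sorted(extra)
    return findings


if __name__ == "__main__":
    print(hosts_missing_software(INSTALLED_SOFTWARE, "Anti-virus Agent"))
    print(unauthorised_software(INSTALLED_SOFTWARE, AUTHORISED_SOFTWARE))
    print(unauthorised_accounts(ACTUAL_ACCOUNTS, AUTHORISED_USERS))
    print(excess_privileges(ACTUAL_ACCOUNTS, AUTHORISED_USERS, ROLE_PRIVILEGES))
```

Each exception listed would be recorded in the file note and followed up with the client IT team.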


13.5.5 Weakness Identification and Recommendations


Under HKSA 315 (Revised 2019) paragraph 27, based on the evaluation of the components of
the system of internal control, the auditor is required to establish whether control deficiencies
have been identified. In terms of the audit process, this requires the auditor to consider the
effect on the design of further audit procedures. (HKSA 260; HKSA 265)

In addition, the auditor has a duty to inform the entity’s management of significant
deficiencies found in the internal control system. The auditor is required to identify deficiencies
in internal control and assess whether those deficiencies (individually or in combination) are
significant deficiencies. The auditor communicates those deficiencies to those charged with
governance as well as to management. (HKSA 265.7; HKSA 265.8; HKSA 265.9)

The auditor should communicate these significant deficiencies in internal control in writing,
and in doing so describe the deficiency, explain their potential effects, and provide context to
those charged with governance and management to understand the overall context of the
matter (HKSA 265.10; HKSA 265.11). Specifically, in their written communication the auditor
should explain that:

(i) The purpose of the audit was for the auditor to express an opinion on the financial
statements;

(ii) The audit included consideration of internal control relevant to the preparation of the
financial statements in order to design audit procedures that are appropriate in the
circumstances, but not for the purpose of expressing an opinion on the effectiveness of
internal control; and

(iii) The matters being reported are limited to those deficiencies that the auditor has
identified during the audit and that the auditor has concluded are of sufficient
importance to merit being reported to those charged with governance. (HKSA 265.11)

The auditor’s role is as a watchdog, but not as a bloodhound. That is, the auditor’s purpose is
not the evaluation of the effectiveness of internal control. The auditor’s purpose is to understand
the risk of material misstatement of the financial statements. However, in addressing the audit
the auditor will potentially identify sufficiently important deficiencies in the internal control
system to warrant reporting of the problem to management. In such a circumstance, it would be
remiss of the auditor not to communicate issues identified in the internal control system.

Importantly, the auditor is not required by HKSA 265 (Clarified) to provide recommendations
that address the deficiencies identified. Rather, the auditor is required to report the problem
where it is sufficiently important. Despite this, the auditor will often inform the client management
of their recommendations for improving the client’s business through a management letter.
Frequently, this management letter is a letter of recommendations that focuses on suggestions for
more efficient operations, and in this letter the auditor often identifies any significant deficiencies
in the internal control system as required by HKSA 265 (Clarified).

However, if the auditor provides recommendations to management, the auditor must be
careful that their recommendations do not affect their professional independence by appearing
to influence the operations of the entity or participate in its business or professional activities.
(HKSA 200.14)

Key Learning Point


If the auditor finds sufficiently important deficiencies in the internal control system
during the audit, the auditor should communicate these deficiencies to those in charge of
governance and management at the audited entity.


Apply and Analyse 8


Star Sea and Sky Limited is a medium-sized company whose headquarters operate out of
the company’s own premises (‘Star Tower’) in Central and Western District. It is a financial
services firm that facilitates mergers and acquisitions, the raising of capital, and organising
project finance in Hong Kong and, more recently, across the region.

There are approximately 532 staff working for Star Sea and Sky. About 75% of staff
work as consultants whose role it is to build relationships with local firms that are looking
for investment and with venture capital firms and hedge funds looking to invest. The
remaining 25% of staff work in support roles that undertake the day-to-day operations
of the firm.

The consulting staff all travel regularly and often, and so they are frequently out of
the office. Generally, these consulting staff are issued with mobile laptops and tablets. All
support staff use desktop computers. All staff connect to the Star Sea and Sky’s data centre
in Hong Kong via Wi-Fi and mobile hot spots on their mobile phones. The corporate data
centre is located in Star Tower in Hong Kong.

The head office in Hong Kong accommodates most (326) of Star Sea and Sky’s staff.
There are, however, many staff in the subsidiary offices located in Singapore (79 staff),
Hanoi (34 staff), and New Delhi (93 staff).

The Chief Technology Officer at Star Sea and Sky is Po Yi Siu. She is responsible for the
IT facilities and infrastructure at Star Sea and Sky. As part of this role, Po Yi sits on and acts
as the chairperson for the SkyIT Forum. Star Sea and Sky makes all of its decisions about IT
investments through this forum and there are representatives from each office (Singapore,
Hanoi, New Delhi, and Hong Kong) and each of the 12 business lines. On the SkyIT Forum,
the senior management team is represented by both the Chief Technology Officer (Po Yi
Siu) and the Chief Financial Officer. The forum meets monthly, but most meetings are held
using Skype video conferencing. Three face-to-face meetings are held each year.

There is an operations team that keeps the IT infrastructure up to date and working
as well as updating the software – including the in-house developed software Apteryx. The
team is relatively small, and Po Yi likes to keep it that way so that she only has one team to
deal with. She uses her One Team philosophy, which means that all members of the team
report directly to her, and all members of the team can address the needs of end users
when they are asked to do so.

However, Po Yi’s executive assistant is kept busy maintaining these relationships. In
Hong Kong, the IT team consists of three network administrators, four software architects,
four IT engineers, and five help-desk officers. The offices in Singapore, Hanoi, and New
Delhi each have one network administrator, two engineers, and five help-desk officers. At
least once a year at least one Hong Kong-based network administrator and IT engineer visit
each of the subsidiary offices to maintain a good relationship with each office.

The team also includes a database administrator, but this role is based in Hanoi.

Po Yi has an IT manual that documents most of the core tasks that the IT team
performs, but the software architects are generally left to their own devices to create the
Apteryx software as they see fit.


The software architects together design, build, and implement the Star Sea and Sky
Apteryx system. The Apteryx system is the internally developed customer relationship
management database that tracks the firm’s venture capital and hedge fund investors and
prospective investments. Apteryx guides consultants in their investment decision making
and investor matching services. All investment decisions and relationships rely on Apteryx.
This software is critical to the firm’s success with internally developed algorithms and
expert systems that provide advice to Star Sea and Sky’s consultants and financial analysts.
These algorithms are the starting point of all the investment assessments Star Sea and Sky
make, which is several billion dollars’ worth of investments annually.

The current corporate data centre in Hong Kong is four years old and is due for an
upgrade. Currently, the data centre is in the basement of Star Tower. The servers in the
data centre provide data/file services to all employees, including the use of a self-hosted
NextCloud service. Backups are done on a daily basis using the Internet to copy data to a
local data centre approximately one kilometre away.

Star Sea and Sky is profitable and expanding. It is proposed that a new office be
opened in Jakarta with approximately 400 staff. This will require that the IT facilities
provide support to nearly twice as many staff as currently exist. Po Yi Siu is looking for your
advice in building the facilities and infrastructure to ensure it is well controlled.

Required

(a) Evaluate the ITGC in place at Star Sea and Sky and make recommendations to
improve the internal controls systems.

(b) Consider whether, on the basis of your evaluation, a financial auditor can rely on
the internal controls system in place at Star Sea and Sky.

Analysis

(a) Again, there are several aspects to consider here, including administration of the
IT function, the segregation of IT duties, system development, physical and online
security, backup and contingency planning, and hardware controls.

ITGC Issues

Administration of the IT Function

ITGC: The Chief Technology Officer at Star Sea and Sky is Po Yi Siu. She is responsible for the
IT facilities and infrastructure at Star Sea and Sky.
Issues: There is a CTO in place. This indicates a strong presumption that the role of IT is
valued in this organisation.

ITGC: As part of this role, Po Yi sits on and acts as the chairperson for the SkyIT Forum. Star
Sea and Sky makes all of its decisions about IT investments through this forum, and there are
representatives from each office (Singapore, Hanoi, New Delhi, and Hong Kong) and each of the
12 business lines. The forum meets monthly, but most meetings are held using Skype video
conferencing. Three face-to-face meetings are held each year.
Issues: The SkyIT forum acts as the forum for deciding on investment decisions. It may be a
little unwieldy; as a forum it is large. We would want to review minutes to see exactly what
role is being fulfilled – is it making decisions?

ITGC: On the SkyIT Forum, the senior management team is represented by both the Chief
Technology Officer (Po Yi Siu) and the Chief Financial Officer.
Issues: Indicates a strong interest in the IT investment in the organisation.

ITGC: At least once a year at least one Hong Kong-based network administrator and IT engineer
visit each of the subsidiary offices to maintain a good relationship with each office.
Issues: This is a relational governance mechanism. This is a positive way of ensuring that end
user concerns are addressed.

Overall Assessment: Overall, the administration of the function is effective. There are links to the
rest of the organisation (job rotation, the SkyIT forum) and the function receives prominence
within the organisation.
Recommendations: Review the SkyIT forum for effectiveness and efficiency.

Segregation of Duties

ITGC: There is an operations team that keeps the IT infrastructure up to date and working as
well as updating the software – including the in-house developed software Apteryx. The team is
relatively small, and Po Yi likes to keep it that way so that she only has one team to deal
with. She uses her One Team philosophy, which means that all members of the team report
directly to her, and all members of the team can address the needs of end users when they are
asked to do so.
Issues: It appears that only one team exists – that operations and system development (and
database administration) all take place in the one team. This is a weakness in segregation of
duties – a possibility of collusion exists.

ITGC: The team also includes a database administrator, but this role is based in Hanoi.
Issues: This is good, as the database administrator role is physically remote from the
development team. However, they are still part of one team.

Overall Assessment: Segregation of duties between operations, development, and database
administration is inadequate.
Recommendations: Separate into operations, database administration, and systems development
teams. Ensure that software implementation is separate from systems development. Appoint
different team leaders for each team to ensure appropriate supervision as a prevention of
collusion.

System Development

ITGC: There is an operations team that keeps the IT infrastructure up to date and working as
well as updating the software – including the in-house developed software Apteryx.
Issues: System development activities are not kept separate from operational or database
administration tasks.

ITGC: Po Yi has an IT manual that documents most of the core tasks that the IT team performs,
but the software architects are generally left to their own devices to create the Apteryx
software as they see fit. The software architects together design, build, and implement the
Star Sea and Sky Apteryx system.
Issues: Systems development is not done according to a mature methodology. It is done as an
overall group task, but it is likely that new developers brought into the team take time to
train and become effective. Lacking documentation is also a problem for the effectiveness of
the systems development function. There is no doubt that, given the importance of the Apteryx
software, documentation needs to be given a higher priority.

ITGC: This software is critical to the firm’s success with internally developed algorithms and
expert systems that provide advice to Star Sea and Sky’s consultants and financial analysts.
These algorithms are the starting point of all the investment assessments Star Sea and Sky
make, which is several billion dollars’ worth of investments annually.
Issues: This is an important information system that manages high-value investments. The
developments of these algorithms – particularly given their role in decision making – are
potentially attractive targets for fraud and should be understood well. They need to be
documented and developed according to a mature, managed, methodology.

Overall Assessment: Overall, this control is ineffective with opportunities for collusion in a high-value
information system.
Recommendations: Identify the systems development methodology used (or implement a
recognised methodology if it is not a recognised methodology) and monitor its use. Ensure
documentation as appropriate to the methodology exists. Ensure that the algorithms in particular
are reviewed and developed in transparent collaboration to reduce the risk that a developer can
modify the algorithm to their advantage.

Physical and Online Security

ITGC: The consulting staff all travel regularly and often, and so they are frequently out of the
office. Generally, these consulting staff are issued with mobile laptops and tablets. All
support staff use desktop computers. All staff connect to the Star Sea and Sky’s data centre in
Hong Kong via Wi-Fi and mobile hot spots on their mobile phones. The servers in the data centre
provide data/file services to all employees, including the use of a self-hosted NextCloud
service.
Issues: Wi-Fi and Internet connectivity needs to be secure – there is insufficient information
to be sure that this is the case. More information is required to make this assessment. It
seems likely that the NextCloud data service is used to sync files from remote users back to
the data centre.

ITGC: The corporate data centre is located in Star Tower in Hong Kong. The current corporate
data centre in Hong Kong is four years old and it is due for an upgrade. Currently, the data
centre is in the basement of Star Tower.
Issues: Unless the Star Tower is in an area that is generally insecure, it is likely that this
location is appropriate. There is no information regarding air conditioning or physical access
to the data centre.

ITGC: Backups are done on a daily basis by copying data over the Internet to a local data centre
approximately one kilometre away.
Issues: Physical security of the second data centre needs to be reviewed – along with the
security of the data transportation mechanism in place. More information is required.

Overall Assessment: Overall, this control cannot be assessed without more information.
Recommendations: Review the connective security of mobile devices and data transportation from
the field to the corporate data centre. Review the physical controls in place in the data centre.
Review the connective security of the connection between the corporate data centre and the local
data centre hosting backup information.

Backup and Contingency Planning

ITGC: The current corporate data centre in Hong Kong is four years old and it is due for an
upgrade.
Issues: Plans for this upgrade should be identified, as it takes time to update a data centre
and by the time the upgrade is done the data centre might be using dangerously old
infrastructure. Ageing systems might become unreliable as well as become obsolete.

ITGC: Currently, the data centre is in the basement of Star Tower.
Issues: Being located in the basement of the Star Tower is problematic – although unlikely, the
basement may flood during a rain event. A review of possible flooding should be undertaken
here.

ITGC: Backups are done on a daily basis by copying data over the Internet to a local data centre
approximately one kilometre away.
Issues: Much information is lacking on data recovery possibilities; however, with a backup done
on a daily basis (rather than, say, hourly) it is likely to be insufficient. Further, the local
data centre is too local – it is only one kilometre away. Currently, any disaster that affects
the Star Tower will likely also affect the data centre that is one kilometre away. Usually,
50–100 kilometres are required.

Overall Assessment: Overall, backup and contingency planning is inadequate.
Recommendations: Commence planning for the data centre upgrade. Include in this plan a review
of the location of the data centre and its risk of flooding – consider moving the data centre to a
higher ground location with more security. Move the local data centre hosting backup information
further away from the Hong Kong location.

Hardware Controls

ITGC: No hardware controls identified.
Issues: No assessment made.

Overall Assessment: No overall assessment made.
Recommendations: None.

(b) Overall, the assessment is that the internal controls system is unreliable.

In particular, the violation of segregation of duties for the development team – and
problems with the systems development process, such as a lack of documentation
and an unspecified methodology – means that a high-value information system is
not governed well and may cause loss.

Similarly, the security of data transport between the large number of staff in
the field and the corporate data centre, and between the corporate data centre
and the replicated local data centre, is not certain as more information is required
to make this assessment.

These two issues in particular make it difficult to rely on the internal controls
system to ensure the authenticity, validity, accuracy, completeness, integrity,
reasonableness, security, and confidentiality of Star Sea and Sky’s information.
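
The segregation-of-duties findings in the analysis above can be checked mechanically against a staff roster. The JavaScript below is an added example, not part of the learning pack: the rosters, staff names and duty labels are constructed, and the incompatible pairs are taken from the recommendations (systems development kept apart from operations, database administration and software implementation, with a different leader for each team).

```javascript
// Added example: segregation-of-duties check over constructed staff rosters.
// Duty labels, staff names and the roster layout are assumptions for this sketch.

// Duty pairs that the recommendations say must be kept apart.
const INCOMPATIBLE_DUTIES = [
  ['systems_development', 'operations'],
  ['systems_development', 'database_administration'],
  ['systems_development', 'software_implementation'],
];

// Constructed roster modelling the "One Team" arrangement: everyone reports
// to the CTO, and the architects also operate and deploy what they build.
const ONE_TEAM = [
  { name: 'architect-1', supervisor: 'cto',
    duties: ['systems_development', 'operations', 'software_implementation'] },
  { name: 'architect-2', supervisor: 'cto',
    duties: ['systems_development', 'operations', 'software_implementation'] },
  { name: 'dba-hanoi', supervisor: 'cto', duties: ['database_administration'] },
];

// Constructed roster after the recommended split into three supervised teams.
const SEPARATED = [
  { name: 'developer-1', supervisor: 'dev-lead', duties: ['systems_development'] },
  { name: 'operator-1', supervisor: 'ops-lead',
    duties: ['operations', 'software_implementation'] },
  { name: 'dba-hanoi', supervisor: 'dba-lead', duties: ['database_administration'] },
];

// Supervisors of everyone who performs a given duty.
function supervisorsOf(roster, duty) {
  return new Set(
    roster.filter((p) => p.duties.includes(duty)).map((p) => p.supervisor)
  );
}

function findSodIssues(roster, incompatible = INCOMPATIBLE_DUTIES) {
  const issues = [];
  for (const [a, b] of incompatible) {
    // 1. One person holds both sides of an incompatible pair.
    for (const person of roster) {
      if (person.duties.includes(a) && person.duties.includes(b)) {
        issues.push({ type: 'conflicting_duties', who: person.name, duties: [a, b] });
      }
    }
    // 2. Both duties answer to the same supervisor, so there is no
    //    independent review between the two functions.
    const supervisorsA = supervisorsOf(roster, a);
    for (const supervisor of supervisorsOf(roster, b)) {
      if (supervisorsA.has(supervisor)) {
        issues.push({ type: 'shared_supervisor', who: supervisor, duties: [a, b] });
      }
    }
  }
  return issues;
}

console.log(findSodIssues(ONE_TEAM));   // conflicts for both architects and the CTO
console.log(findSodIssues(SEPARATED));  // []
```

The second check matters because remoteness alone does not separate duties: the Hanoi database administrator holds no conflicting duty, yet still shares a supervisor with the developers.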

Apply and Analyse 9


BA Financial Services Limited (BAFS) provides investor master classes for high-wealth and
institutional investors on how to develop and create their wealth through investment in the
share market. BAFS refers to such clients as BA Winners.

As part of this process, BA Winners are encouraged to apply to undertake the courses
on credit – that is, take the course now and pay for the course out of later profits.


Some BA Winners are also extended credit in the form of margin loans that they can
invest in the share market through BAFS.

The assessment of each application is managed by an individual assessor from start to
finish using the BAFS InvestorWin information system. InvestorWin is an expert system that
the individual assessor uses to evaluate both credit worthiness and investor worthiness.
BAFS considers credit worthiness to reflect how much of a ‘winner’ the applicant has been
in the past and investor worthiness to reflect how much of a ‘winner’ the applicant will be
in the future.

The whole assessment commences with the BA Winner completing an application
form. The individual assessor is paid HK$1,000 for each application approved by the
area manager.

This application includes the current wealth, statements of profit or loss, and other
comprehensive income from the applicant’s current financial advisors. With the investor’s
permission, further information is obtained through a detailed credit report from CreditGo.
This information is entered into the InvestorWin expert system and used to determine the
BA Winner’s credit worthiness score.

Applicants then take an online personality test (‘investor trait assessment’) and are
interviewed by the assessor using a pre-determined interview protocol. The results of the
personality test and the interview are then entered into InvestorWin. This information is
used to determine the BA Winner’s investor worthiness score.

InvestorWin then uses its own algorithm to automatically develop a report that
assesses whether to extend credit to the applicant. The algorithm for assessing credit
worthiness and investor worthiness is proprietary and commercially sensitive, and is kept
secret by the system developer. The final report is reviewed by the assessor and a final
assessor recommendation is developed. The recommendation is submitted to an area
manager, who then approves or rejects the application based on the assessment.

Required

(a) Outline several risks that exist with this business process for extending credit to
BAFS investor clients.

(b) Identify the risk you consider to be the most important in this context. Explain
your answer.

Analysis

(a) The focus in this case is to identify risks in the credit extension process. There are
several risks that may be considered here.

First, some inherent risk arises due to the very nature of the business. BA Winners
are already high-wealth individuals and will be likely to defend their legal rights
vigorously, and have the ability to do so. This means that BA Winners that
undertake the course on credit on the proviso that they pay for the course out of
later profits are unlikely to pay if the profits do not arise. Inherent risk also arises
due to margin loans using shares as collateral – a volatile share market can result
in considerable losses, which means that BAFS loans might not be repaid.

Second, the process itself has dangers due to the use of an expert system that
provides an initial assessment. Although the assessor reviews the application, it
is likely that the assessor will anchor on the expert system’s assessment and not
vary too far from the algorithm. This is the anchoring and adjustment effect – in
the absence of information that shows that the initial assessment is materially
incorrect, the assessor will use the assessment made by the algorithm rather than
try to second-guess the expert system. The assessment is likely biased towards
that made by the initial algorithm.

Third, there are risks that arise from the development process. The algorithm
is proprietary and secret. One risk is that the developer will make changes to the
algorithm to their own advantage – for example, to obtain a loan on favourable
terms. The development of the algorithm needs to have integrity and be
trustworthy.

Fourth, a risk arises with the compensation scheme for the assessor. It is in
the interest of the assessor to approve applications for credit as they receive a
payment for each approved application. An assessor that denies credit receives
no payment.

Fifth, there are data privacy risks with the applicant’s personal information with
a detailed credit report and statements of profit or loss and other comprehensive
income. BAFS needs to be confident in its ability to securely manage this
information.

There are other risks, but these are several key risks that are readily apparent
from the material provided.

(b) Of the five risks identified, one of the highest risks to BAFS arises from the
development process. There are three relevant reasons here.

First, the development process is one that has no transparency, and BAFS does not
know how the overall credit worthiness score is calculated.

Second, and by extension, BAFS has no control over the algorithm despite its
importance in the extension of credit.

Third, errors in the algorithm will likely result in large losses due to the likely
size of the investments made by BAFS clients. BAFS will likely be liable for losses
arising from negligence in the algorithm despite BAFS’s ignorance of its workings.

Other risks can be identified, but this discussion provides some examples
to consider.


Knowledge Check Questions

Question 52
Identify which of the following the IDEA software package is BEST characterised as an
example of.
A Technique that supports the black-box audit approach.
B Data visualisation tool.
C Automated Working Papers.
D Generalised Audit Software.

Question 53
Identify which of the following techniques are used in auditing through the computer.
A Input controls testing, processing controls testing, and output controls testing.
B Parallel simulation, a base case evaluation, and an integrated test facility.
C Reconciliation, a base case evaluation, and an integrated test facility.
D None of the above techniques is used in auditing through the computer.

Question 54
Identify which of the following explains why offline, incorruptible, and disconnected
backups are a key corrective control.
A It prevents malware from encrypting backed-up data and allows data to be restored.
B It prevents cyber attacks from occurring.
C It prevents malware from encrypting online operational data.
D It prevents unauthorised software from being installed.

Question 55
Identify which of the following is not a base control that is effective in safeguarding against
cyber-security attacks.
A Using anti-virus software.
B Application whitelisting.
C Daily backup of important data.
D Integrated test facility.

Question 56
Identify which of the following describes the cyber-security safeguard of application
whitelisting.
A It allows only authorised software to run on the computer.
B It prevents demonstrably dangerous applications from running on the computer.
C It automatically implements application software updates as they become available.
D It assigns user privileges on the basis of need.


Question 57
Identify which of the following describes how auditors test computer application controls.
A By assisting in black-box testing but not white-box testing.
B By assisting in white-box testing but not black-box testing.
C By assisting with both white-box and black-box testing.
D By executing all black-box testing procedures.

Question 58
Outline why daily offline backups are an important safeguard against cyber attacks.

Question 59
Explain whether an auditor should communicate any weaknesses in the internal control
system to management.

Question 60
In your view, explain whether an auditor should use a white-box or black-box approach
when auditing a COTS software solution.

Question 61
Outline reasons why specialised auditing software might be inappropriate for a
particular audit.

Question 62
Identify a weakness of testing through the computer at the time of the audit, and illustrate
how this weakness might be addressed.

13.6 E-COMMERCE CONTROL ISSUES

Increasingly, commercial activities take place in an online environment. In addition to the risks
that accompany transactions in the real world, there are specific risks for transactions that arise
when operating in an online environment. E-commerce activities present control issues that the
auditor must address in the audit plan.

E-commerce has several key characteristics. However, other IS that are not e-commerce
IS can demonstrate the same or similar features (e.g. a high volume of transactions or cross-
border transactions) even though they do not support online transactions. In such cases the
control issues that relate to e-commerce IS may also apply to other IS. These key characteristics
require internal controls that address concerns specific to such IS. Several auditing procedures
exist that solely address the internal controls issues that arise from e-commerce.

Overall, the auditor must consider the impact of e-commerce on the financial audit. The
audit plan should include audit procedures relevant to e-commerce activity.


13.6.1 Detailed Characteristics of E-commerce Systems


E-commerce refers to digitally enabled commercial transactions between a seller and a
purchaser. In the majority of instances, e-commerce transactions are supported by IS that
operate over the Internet, including smartphone applications. E-commerce has become a
common way of doing business. An e-commerce system supports an online marketplace that
enables the sale of a good or service – real or virtual.

E-commerce systems have several characteristics that are unique. Most of these
characteristics derive from the Internet and the low cost of creating, copying, tailoring,
updating, and delivering digital information anywhere in the world at any time. There are eight
unique characteristics of e-commerce.

First, unlike traditional marketplaces constrained by their physical location, e-commerce
systems are supported by IS that allow e-commerce to be ubiquitous. Particularly with the
growth of mobile computing and the use of smartphones, e-commerce can be accessed from
almost all places. For example, a hotel can provide a smartphone application that allows
customers to make bookings whether the customer is at their desk, in a taxi, or travelling
abroad. As long as there is access to the Internet, there is also access to the e-commerce IS.
A successful transaction does not require the consumer to travel to the seller or vice versa.

Second, e-commerce systems have a global reach: that is, such systems operate across
national borders at no, or at least low, cost. Traditionally, a marketplace was restricted to
buyers and sellers inside a defined regulatory zone such as a province or a country. For
example, a store with a physical storefront located in Causeway Bay can attract passing traffic.
With an e-commerce system, however, that store can attract passing traffic throughout the
world. This means that e-commerce systems enable access to a larger market, meaning that a
seller of niche goods or services can access a more sizeable market.

Third, e-commerce IS are built with technologies that use universal standards no matter
the country. Other technologies – for example, radio, television, and the mobile phone – use
national standards that mean a device used in one country may not work in another. This is
not the case with e-commerce IS. These common and universal standards are important in
supporting the global reach and ubiquitous nature of e-commerce.

Fourth, e-commerce IS support a richness of information that is scalable. In a traditional
market, providing such rich information is costly and time-consuming and so the richness of
information is a trade-off against customer reach. However, the information provided by an
e-commerce system can be complex and rich without affecting the reach of the information.
Information about the item can be tailored for the customer or more information can be easily
provided on demand.

Fifth, the sheer density of information supported by e-commerce systems is also unique.
Information density refers to the total amount of, and quality of, information available to sellers
and purchasers in the marketplace. The cost of producing, storing, updating, and accessing
this information is very much lower than in the physical environment, and this increases the
timeliness and accuracy of the information available. The seller and the buyer both benefit
from this characteristic. For example, if a transport company wishes to add a new bus route
or change the price of a bus tour to Repulse Bay and Stanley, this change can be achieved on
a web page for little to no cost. In contrast, changing printed marketing material or catalogues
is expensive and difficult. The purchaser can compare accurate information in the market and
the seller can more quickly adjust their offerings in the market to be competitive. This feature is
what economists refer to as menu cost – the cost to a firm of changing the prices it charges for
the goods and services offered. E-commerce systems reduce menu cost to near-zero.

Sixth, e-commerce IS are also interactive. The buyer and the seller in the marketplace can
interact, ask questions, provide information, or execute the transaction no matter where they
are in the world. In contrast, transactions in the physical world require a face-to-face interaction
or, at the very least, a telephone conversation. An e-commerce IS can dynamically format and
present information depending on the device used to access the system, and it can change
or update information (for example, by magnifying images or adding optional features to the
product or service) as the user interacts with the system. There is also the option of providing
messenger systems so that any user can interact directly with the firm no matter the time or
their location.

Seventh, e-commerce IS also allow personalisation and customisation of the information
provided. An e-commerce IS can tailor its output depending on what information is accessible
regarding the potential customer. The system might provide quite different interfaces,
information, and advertisements depending on the user’s location, browser history, and social
media profile such that no user has exactly the same user experience on the website. Language
need not be a barrier either, with features such as Google Translate in Chrome allowing users
to access websites in languages in which they are not fluent.

Finally, e-commerce systems can leverage social technologies to encourage and support
the global creation and sharing of content relating to their products. Users – in some cases,
fans – of the product can share their stories and create content using social technologies.
For example, the richness of information allows the e-commerce system to link to a YouTube
or Youku Tudou review of a product that the user can then share through their online
social networks.

These eight characteristics are that e-commerce is ubiquitous, has global reach, is built on
universal standards, and supports a richness of information as well as high information density.
E-commerce is also interactive, allows high personalisation/customisation, and can leverage social
technologies. Taken together, these eight characteristics are unique to e-commerce systems.
Some aspects are shared with other types of IS, but only e-commerce systems exhibit all of
these unique features. This mix of unique features means that e-commerce systems require
several internal controls that are unique to those systems and thus require specific and
focused auditing procedures.

Key Learning Point


E-commerce refers to digitally enabled commercial transactions between a seller and a
purchaser. E-commerce has become a common way of doing business.
There are eight unique characteristics of e-commerce: that is, e-commerce is
ubiquitous, has global reach, uses universal standards, and supports a richness of
information as well as high information density. E-commerce is also interactive, allows high
personalisation/customisation, and can leverage social technologies.


13.6.2 Internal Controls in E-commerce


Principally, the fact that e-commerce IS are constantly exposed to the Internet determines
the nature of their internal controls. E-commerce IS are required to ensure integrity,
non-repudiation, authenticity, confidentiality, privacy, and availability.

Integrity requires that data stored or transmitted are unaltered. Non-repudiation means
that the participants in the market cannot challenge (i.e. repudiate) an online transaction, and
authenticity requires that e-commerce IS confirm that market participants are who they claim to
be. Confidentiality is about ensuring data are seen only by those authorised to see it, whereas
privacy provides tools that allow participants to control the use of the information they provide.
Finally, availability requires that the e-commerce IS are available for use. These requirements
have implications for internal controls around security, and especially user authentication.

The security arrangements must consider all of the cyber-security safeguards discussed in
Section 13.5.4: that is, e-commerce systems also require the controls of anti-virus, authorised
software, authorised users, assigned user privileges, and daily backups. However, in addition a
more detailed plan that is focused on the needs of e-commerce IS is required.

The audited entity’s e-commerce security plan starts with an initial risk assessment. This
risk assessment considers the system’s risks and the points of vulnerability. The information
assets are identified and ranked according to the value or impact if that information were to be
compromised, lost, or stolen, and for each information asset the probability that that loss
might be realised is estimated.

This list of information assets should then inform the development of a security policy
that identifies the firm’s risk appetite and mechanisms for reducing the risk to this goal. This
requires an understanding of the information asset and the likely cost of protecting that asset
to an acceptable level of risk.

The security plan should next identify the technologies, processes, and the structures and
teams needed to implement the security policy.

The security plan then identifies controls that document the technologies, processes, and
structures and teams relied upon to ensure the security of e-commerce IS. As the system is
almost entirely reliant on its IT controls in a virtual environment, there are few opportunities
for manual controls in an online e-commerce IS. There are no second chances to control for
errant transactions. For that reason, the controls that operate in an offline IS also apply to
e-commerce systems, but even more so as the compensating manual controls do not exist.

The cyber-security safeguards discussed above provide an effective foundation of
mitigation strategies that protect against cyber attacks. Such controls need to be automatic,
dynamic, multi-compensating, and preventive. It is likely that the e-commerce security plan
refers to these controls for offline IS, but it would usually not document them. Additional
controls that more specifically protect online environments are required.

Firewalls and proxy servers should be standard. A firewall is networking hardware that
protects the information assets from unauthorised external access. In addition to standard
firewalls and proxy servers, other relevant internal controls include intrusion detection systems
that use algorithms to indicate patterns of activity that are suspicious, or intrusion prevention
systems that not only detect the intrusion but also can terminate suspicious connections.
Neither of these controls adequately defends on its own against common DoS (‘Denial
of Service’) or DDoS (‘Distributed Denial of Service’) attacks that overwhelm the network’s
defences. In these attacks, the e-commerce site is flooded with network data requests so much
that the network infrastructure fails – the website and system become no longer available.

An option to reduce the impact of these attacks includes the use of cloud service providers
(‘DDoS Mitigation Services’). Other enhanced internal controls for e-commerce systems include
the patching of operating systems and software against zero-day exploits and the encryption of
both web traffic and data stored in the cloud.

The e-commerce security plan would identify the access controls to the network (including
biometric controls and/or multi-factor user authentication) and the authorisation management
systems implemented. For example, in an online environment multi-factor authentication
using tokens or biometric devices may be required in addition to the username and strong
passwords expected in an offline environment. Encryption and digital signatures can also be
used to ensure the identity of users of the e-commerce IS.

The e-commerce security plan is not static and the e-commerce plan needs to be monitored.
Security audits that regularly review access logs and monitor the implemented security
plan provide this feedback. This feedback results in adjustment to the e-commerce security
arrangements through ongoing maintenance by those responsible for the e-commerce security
plan. In larger organisations, it is very likely that an organisational team or business unit will be
needed that has carriage of the security function. In smaller organisations operating online, such
roles might be fulfilled by external service providers.
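
Part of the access-log review described above can be re-performed programmatically. The following is an added example, not part of the original text: the log layout, field names, sample entries and the policy thresholds (a second factor on every successful login, five failures within ten minutes treated as a suspicious pattern) are assumptions made for illustration.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access log (not real data). Assumed columns:
# timestamp, user, source address, result (SUCCESS/FAIL), second factor used.
SAMPLE_LOG = """timestamp,user,source,result,mfa
2021-01-26T09:00:01,alice,203.0.113.10,SUCCESS,token
2021-01-26T09:02:10,bob,203.0.113.11,SUCCESS,none
2021-01-26T09:05:00,carol,198.51.100.7,FAIL,none
2021-01-26T09:05:20,carol,198.51.100.7,FAIL,none
2021-01-26T09:05:45,carol,198.51.100.7,FAIL,none
2021-01-26T09:06:30,carol,198.51.100.7,FAIL,none
2021-01-26T09:07:05,carol,198.51.100.7,FAIL,none
2021-01-26T09:07:40,carol,198.51.100.7,SUCCESS,biometric
2021-01-26T11:00:00,dave,192.0.2.44,FAIL,none
2021-01-26T14:30:00,dave,192.0.2.44,SUCCESS,token
"""

MAX_FAILURES = 5                  # assumed policy threshold
WINDOW = timedelta(minutes=10)    # assumed policy window


def parse_log(text):
    """Parse the CSV log into dicts with typed timestamps, oldest first."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["timestamp"] = datetime.fromisoformat(row["timestamp"])
        rows.append(row)
    return sorted(rows, key=lambda r: r["timestamp"])


def logins_without_mfa(rows):
    """Successful logins with no second factor recorded.

    Each item is an exception to the multi-factor authentication control
    that the security plan says is enforced.
    """
    return [
        (r["timestamp"].isoformat(), r["user"])
        for r in rows
        if r["result"] == "SUCCESS" and r["mfa"].strip().lower() in ("", "none")
    ]


def failure_bursts(rows, max_failures=MAX_FAILURES, window=WINDOW):
    """Users with max_failures or more failed logins inside a sliding window.

    Returns {user: time the threshold was first reached} for follow-up.
    """
    recent = defaultdict(list)
    flagged = {}
    for r in rows:
        if r["result"] != "FAIL":
            continue
        times = recent[r["user"]]
        times.append(r["timestamp"])
        # Discard failures that have aged out of the window.
        while r["timestamp"] - times[0] > window:
            times.pop(0)
        if len(times) >= max_failures:
            flagged.setdefault(r["user"], r["timestamp"].isoformat())
    return flagged


def review_access_log(text):
    """Run both checks and return the exceptions for the working papers."""
    rows = parse_log(text)
    return {
        "entries_reviewed": len(rows),
        "logins_without_mfa": logins_without_mfa(rows),
        "failure_bursts": failure_bursts(rows),
    }


if __name__ == "__main__":
    for key, value in review_access_log(SAMPLE_LOG).items():
        print(key, "->", value)
```

Each exception is a prompt for further inquiry and inspection rather than a conclusion on the control by itself.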

In entities with e-commerce IS, the major internal control is an e-commerce security plan
that documents the technologies, processes, and the structures and teams responsible for
implementing cyber-security controls focused on the e-commerce IS.

Key Learning Point


E-commerce IS are required to ensure integrity, non-repudiation, authenticity, confidentiality,
privacy, and availability. As e-commerce operates in a virtual environment, e-commerce
is almost entirely reliant on IT controls – few controls can be implemented to support
e-commerce that are not virtual.

13.6.3 Auditing E-commerce


Audit procedures for online e-commerce IS use the same framework as the audit procedures
for offline IS. The audit planning approach is the same as that discussed in Section 13.4.4.1, but
with some changes in emphasis. The auditor still gathers the information and evidence needed
to inform and support their professional opinion regarding the risk of material misstatement
in the financial reports, and this evidence-gathering is done according to an audit strategy and
plan that sets out the nature and timing of audit procedures.

Integrating the audit of e-commerce IS into this plan requires the auditor to obtain
additional understanding during the planning phase, and then to perform additional tests of
controls and substantive tests according to the auditor’s judgement. The auditor’s evaluation of
the results considers the system of controls as a whole.

The audit of e-commerce IS follows the same steps as the audit of other IS. The audit
planning phase requires the auditor to understand the IT environment by reviewing the
organisation’s policies, practices, and structure. This review is undertaken by the auditor
making inquiries of the client regarding IT department structure, function, and environment. As
part of considering the IT environment, the auditor determines whether the organisation relies
upon an e-commerce IS.

As with non-e-commerce IS, there is the likelihood that some IS are provided by third
parties, although this is more likely in the case of e-commerce IS. Often, the auditor will rely
upon third-party assurance reports as the business arrangement will often prevent the auditor
from testing the third-party provider’s environment.

The extent to which the auditor evaluates the internal controls is a matter of professional
judgement, and so the auditor only reviews the ITGC and application controls relating to
the e-commerce IS that in the auditor’s judgement are relevant to the audit based on the
risk assessment procedures applied in understanding the components of the system of
internal control and the risk of material misstatement at the financial statement and relevant
assertion levels.

The relevance of these controls to the audit depends upon the materiality of the
e-commerce IS to the organisation’s financial reports. For an organisation with an e-commerce
IS that is not material to the financial report, the auditor’s judgement may be that the
e-commerce IS are not relevant to the audit and thus the audit plan would make no special
accommodation for e-commerce IS controls. On the other hand, if the e-commerce IS are
material to the organisation’s financial reporting then the audit plan would be likely to consider
the ITGC and application controls relating to that e-commerce IS as relevant to the audit and
plan accordingly. As e-commerce IS rely almost exclusively on the controls embedded in the IT
without manual intervention, the ITGC in place is very important for e-commerce IS.

As part of their review, the auditor documents the general ITGC and application controls
relating to e-commerce IS that are relevant to the audit. These controls include, but are not
limited to, those identified in the e-commerce security plan, and so the e-commerce security
plan is a starting point for this review. The auditor documents the controls identified in the
e-commerce security plan, should it exist. The auditor also documents other relevant controls.
Taken together, the auditor reviews controls including the risk assessment of the e-commerce
IS’s information assets, the e-commerce security policy, and the technologies, processes, and
structures and teams needed to implement the security policy and keep the e-commerce
IS secure.

Technology controls to consider include firewalls and proxy servers. Other technology
controls include intrusion detection systems, intrusion prevention systems, and any
technologies to reduce the impact of Denial of Service attacks (including DDoS Mitigation Cloud
Service Providers). The encryption of both web traffic and data stored in the cloud is another
technology control to consider, as is the use of digital signatures. The auditor should make
inquiries to determine whether other technology controls are in place.

Process controls to consider include the regular patching of operating systems and
software against zero-day exploits, the use of access controls to the network (for example, the
enforcement of strong online passwords and usernames, biometric controls, and/or multi-
factor user authentication), and the use of authorisation management systems. The auditor
should make inquiries to determine whether other process controls are in place.

Structural controls relate to the skilled staff required to implement these technology and
process controls. The auditor should make inquiries to identify the business unit (or service
provider) with responsibility for the e-commerce security function. This unit should monitor
and maintain the technology and process controls, and document their activity appropriately.
The auditor should make inquiries to determine whether other structures and teams that are
part of the e-commerce IS controls are in place.

Having documented the controls in place as they relate to e-commerce, the auditor
then plans the tests of controls and substantive testing procedures. Substantive tests use
records outside of the IS to determine whether the entity’s electronic records fairly reflect the
organisation’s transactions. The confirmation of the balances reported in the financial reports
with independent third parties or observation of the physical inventory count is a common
substantive test. In auditing e-commerce IS, however, such substantive testing may not be
possible where there are many transactions with anonymous parties. Accordingly, the audit
plan for an e-commerce IS emphasises the role of controls testing.

First, the auditor evaluates the design effectiveness of the ITGC as a whole, including the
ITGC of offline IS. Compensating controls are considered in this evaluation. If the design of a
general control is ineffective then the control cannot be operationally effective, and so planning
for further evaluation of that control is not required.

If, however, the general control is effectively designed, then the operational effectiveness
of the general control is evaluated if it is material and relevant to the audit in the auditor’s
judgement.

Some internal controls of e-commerce IS are more general in nature and should be
considered as part of the ITGC system. The e-commerce security plan, with its information
asset risk assessment and security policy, is general in nature, together with the technology and
process controls that are not specific to individual systems and the structures and teams that
support these controls.

Second, the auditor evaluates the design effectiveness of technology and process controls
specific to individual e-commerce IS. These controls will include the technology and process
controls that are specific to individual e-commerce IS. The auditor plans to test the technology
and process controls that are potentially effective, where those controls are material and
relevant to the audit in the auditor’s judgement.

As with the audit of offline IS, the planned mix of controls testing and substantive testing
is a matter of professional judgement informed by factors. It is very likely that the audit
procedures will consist of a mix of both controls testing and substantive testing. In audit
entities with material e-commerce IS, and particularly where the parties to these transactions
cannot be identified or cannot be relied upon as independent third parties, controls testing will
likely be more prominent in the audit procedures.

As with the audit of offline IS, controls testing is undertaken through client inquiry,
examination of documents and reports, observation, or re-performing the procedures that
are part of a control (such as a process walkthrough with real or test data). HKSA 315 (Revised
2019) requires that the auditor uses procedures in addition to client inquiry if the control is
relevant to the audit.

The controls to be tested include the technology and process controls that are specific to
individual e-commerce IS. These controls are broad in range and some are technical. Testing
the controls through examination of documents and records, observation, or
re-performance may be sufficient to establish the effective operation of material controls.

As some technology controls are quite technical, it is likely that the auditor will require the
support of specialist auditors in evaluating the effectiveness of these controls. For example, the
auditor can engage a security specialist to review the configuration of the firewalls, routers, and
network infrastructure, or a database specialist might be required to review the access controls
for a particular database management system.

If the design of the application controls as a whole is effective and the controls operate
effectively, then the audit approach may have a high reliance on the internal controls system,
and substantive testing can be lessened. Overall, e-commerce IS have a high dependency on IT
controls and a considerable design effort should be implemented on such systems to ensure
the completeness, validity, and accuracy of the information they contain.

Substantive tests use records outside the IS to determine whether the entity’s electronic
records fairly reflect the organisation’s transactions. Substantive tests can include physical
examination, confirmation, inspection, client inquiries, re-performance, analytical procedures,
or recalculation. Substantive tests can also include tests of transactions, analytical procedures,
and tests of details of balances.

Certain substantive tests may be difficult to perform for e-commerce IS. For example,
the goods shipped may be virtual, or the clients may be anonymous, unreliable, or difficult
and expensive to contact. As a result, it is likely that tests requiring physical examination,
confirmation with clients, or inspection cannot be made or are impractical.

The auditor may nevertheless need to undertake substantive testing of e-commerce IS
where the reliance on controls is low or the controls are ineffective. In such cases the auditor
would be likely to rely upon recalculation or analytical procedures to substantiate the entity’s
electronic records. This assessment is incorporated into the final audit report. In the final
analysis, the auditor’s assessment of whether the financial statements are materially misstated
relies upon their informed judgement.
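
Where confirmation and physical inspection are impractical, recalculation and simple analytical checks can be re-performed over an extract of the e-commerce records. The following is an added example, not part of the original text: the record layout, field names and sample orders are constructed for illustration, and it assumes the e-commerce IS issues order numbers sequentially.

```python
from collections import Counter
from decimal import Decimal

# Constructed extract (not real data): order headers as recorded by the
# e-commerce IS, each with its line items as (item, quantity, unit price).
ORDERS = [
    {"order_no": 1001, "recorded_total": "250.00",
     "lines": [("A", 2, "100.00"), ("B", 1, "50.00")]},
    {"order_no": 1002, "recorded_total": "99.90",
     "lines": [("C", 3, "33.30")]},
    {"order_no": 1003, "recorded_total": "480.00",      # differs from line items
     "lines": [("A", 5, "100.00")]},
    {"order_no": 1005, "recorded_total": "75.50",       # 1004 is absent
     "lines": [("D", 1, "75.50")]},
    {"order_no": 1005, "recorded_total": "75.50",       # recorded twice
     "lines": [("D", 1, "75.50")]},
]


def recalculated_total(order):
    """Recompute the order total from quantity x unit price (accuracy)."""
    return sum(
        (Decimal(qty) * Decimal(price) for _, qty, price in order["lines"]),
        Decimal("0.00"),
    )


def recalculation_exceptions(orders, tolerance=Decimal("0.00")):
    """Orders whose recorded total differs from the recalculated total.

    Returns (order_no, recorded, recalculated, recorded - recalculated).
    """
    exceptions = []
    for order in orders:
        recorded = Decimal(order["recorded_total"])
        recalculated = recalculated_total(order)
        difference = recorded - recalculated
        if abs(difference) > tolerance:
            exceptions.append(
                (order["order_no"], recorded, recalculated, difference)
            )
    return exceptions


def sequence_gaps(orders):
    """Order numbers missing from the sequence (completeness)."""
    numbers = {o["order_no"] for o in orders}
    return [n for n in range(min(numbers), max(numbers) + 1)
            if n not in numbers]


def duplicate_orders(orders):
    """Order numbers recorded more than once (occurrence)."""
    counts = Counter(o["order_no"] for o in orders)
    return sorted(n for n, c in counts.items() if c > 1)


def summarise(orders):
    """Collect the results of all three checks for the working papers."""
    exceptions = recalculation_exceptions(orders)
    return {
        "orders_tested": len(orders),
        "recalculation_exceptions": exceptions,
        "net_difference": sum((e[3] for e in exceptions), Decimal("0.00")),
        "missing_order_numbers": sequence_gaps(orders),
        "duplicate_order_numbers": duplicate_orders(orders),
    }


if __name__ == "__main__":
    for key, value in summarise(ORDERS).items():
        print(key, "->", value)
```

Using `Decimal` rather than floating point keeps the recalculated amounts exact to the cent, so any difference reported is a difference in the records and not a rounding artefact.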

Key Learning Point


Certain substantive tests may be difficult to perform for e-commerce IS (for example,
where goods are virtual or clients are anonymous).

Audit procedures for online e-commerce IS use the same framework as the audit
procedures for offline IS. Additional tests of controls and substantive tests are required if
the auditor’s risk assessment procedures identify that there is an e-commerce system that
presents a risk of material misstatement in the financial statements.

The auditor documents the controls identified in the e-commerce security plan, should
it exist. The auditor also documents other relevant controls.

Knowledge Check Questions

Question 63
Identify what the characteristic of information density refers to.
A The ability to tailor the output of an e-commerce website to the personal interests of the
prospective customer.
B The complexity and richness of the information.
C The total amount of, and quality of, information available to sellers and purchasers in the
marketplace.
D The ability to access information anywhere in the world.

Question 64
Yunfei is able to access the Hong Kong Harbour Cruises (HKHC) e-commerce website from
Singapore to book and pay for a cruise using the same smartphone she uses in Hong Kong,
where HKHC is based. Identify which of the following characteristics of this capability is
most like the e-commerce IS.
A Personalisation and customisation.
B Ubiquity.
C Interactivity.
D Global reach.

Question 65
Besides being required to ensure integrity, authenticity, and privacy, identify which of the
following the e-commerce IS are supposed to accomplish.
A Non-repudiation, confidentiality, and availability.
B Ubiquity, sensitivity, and availability.
C Timeliness, dependability, and security.
D Faithfulness, secrecy, and reliability.

Question 66
Identify which of the following is the most accurate description of e-commerce security
plan documents.
A They are the foundational cyber-security safeguards used in all of the entity’s IS.
B They consist of the technologies, processes, and the structures and teams responsible
for implementing cyber-security controls focused on the e-commerce IS.
C They contain the configuration settings of firewalls and proxy servers.
D They identify the measures to be taken to ensure the ability of the entity to continue to
operate in the event of a cyber attack.

Question 67
Identify which of the following statements is most correct in relation to the substantive
testing of e-commerce IS.
A It is more difficult to perform than substantive testing of an offline IS.
B It is not possible.
C It is easier to perform than substantive testing of an offline IS.
D It is about the same level of difficulty as the substantive testing of an offline IS.

Question 68
Identify which of the following statements is false regarding an e-commerce audit.
A All substantive tests are considerably easier to perform for e-commerce IS than for
offline IS.
B The auditor reviews the technologies, processes, and the structures and teams needed
to keep the e-commerce IS secure.
C Process controls in e-commerce IS include the regular patching of operating systems and
software against zero-day exploits.
D The e-commerce security plan requires regular refreshment and renewal to remain
relevant in the face of changing security threats.

Question 69
Consider the following statement: ‘E-commerce IS are entirely reliant on their IT controls.’
Explain whether you agree with this view.

Question 70
Describe the high-level steps that should be taken in developing an e-commerce security
plan. If these steps are not taken, explain whether this means that the ITGC around
e-commerce IS are ineffective.

Question 71
Explain whether an auditor without specialist skills in cyber-security is able to assess the
risk of material misstatement in the financial reports without the support of a specialist IT
auditor who has cyber-security skills.

SUMMARY

Summary of Overview of Computerised Business Systems

IT Department Structure

• The IT department is the area responsible for providing the IT services upon which the
entity depends. An understanding of the structure of the IT department is important in
understanding the entity’s IT environment and system of internal control.

• There are three common ways of organising the IT function, although most entities are likely
to reflect aspects of each model. These are the centralised, decentralised, and federated/
hybrid operating models.

• The auditor needs to understand and document the IT department structures in place to the
extent that it addresses the components of the entity’s system of internal control and deals
with the use of IT to support its business model.

IT Department Functions

• IT department functions relate to IT planning, building, running, and management.

• The auditor is most concerned with how the IT function develops and operates the entity’s IS
and the source of the information that is reported in the financial reports.

• The auditor is also concerned with how the network is made accessible to authorised users
and how it is secured against attempts to gain unauthorised access.

• The auditor needs to understand and document the entity’s approach to the developing,
implementing, and operating IS that support the financial reports.

• The auditor needs to understand and document the functions of the IT department to the
extent that they are relevant to the audit.

Summary of IT Environment

The auditor’s understanding of the IT environment often commences with an initial
walkthrough test as part of the financial audit.

• A walkthrough test identifies source documents that commence a transaction cycle (e.g. a
purchase order). The document is followed through the process until the process is
completed. During the test, the auditor makes inquiries, inspects documents and records, and
documents their own observations.

• The auditor obtains an understanding of the components of the system of internal control
and the control activities in developing their understanding of the IT environment.

Implementation of New IT Systems

• The auditor needs to understand and document how new systems are selected, developed,
and implemented.

• New systems can be Commercial Off-the-Shelf (COTS) solutions or custom-developed.
A custom solution needs more auditor attention than a COTS solution.

Financial Reporting Systems

• The auditor identifies the IS that provide information to the FRS. Material misstatements in
these systems will flow into the financial reports.

• The systems are part of the entity’s expenditure, conversion, or revenue cycles.

• Systems that do not provide information to the FRS are of less interest to the auditor.

• The auditor documents how the IS relate to the FRS and the financial reports.

E-commerce Overview and Importance to Business

• The auditor must understand how e-commerce transactions affect the reports.

• E-commerce systems face higher risks and uncertainty than offline systems.

• E-commerce IS can be very complex.

• E-commerce systems record transactions in a wholly digital environment and are entirely
reliant on IT controls that operate in real-time.

• The auditor documents the e-commerce IS and their relationship to the financial reports.

Networked Systems

• The auditor needs to understand the configuration of the hardware and IT infrastructure, the
networked resources that support the financial reports, and the manner in which cloud-based
services, if any, are used at the audited entity.

• The auditor documents the networked systems and their relationship to the FRS.

PC Systems

• The auditor must understand how PC systems are used and how they are kept secure.

• PC systems are often used in smaller organisations or for specialised software.

• PC-based systems are often more difficult to manage, update, and keep secure as part of a
regular centralised maintenance program. They are often riskier.

• The auditor documents the PC systems that exist and their relationship to the FRS.

Summary of IT Strategy

The Role of IT Strategy

• An audited entity needs to undertake strategic and directed action if it wishes to implement its
policies, practices, and procedures through its IS.

• At a high level, IT strategy addresses three areas:

(i) It sets out how IS are used to support business strategy.

(ii) It provides an overall master plan of the IT function.

(iii) It documents the shared view of the IT function’s role within the organisation.

• The IT strategic plan defines the IT strategy and the objectives that the investment in IT is
expected to achieve. It includes a strategic road map that identifies the steps required to
deliver the IT strategy.

• The IT strategy recognises dependencies between programs and projects, schedules and
prioritises projects, and defines strategic and risk assessment initiatives.

• The IT strategy should recognise the importance of the change management approach to
ensuring system integrity before, during, and after changes are made.

• The auditor should consider the extent to which the IT strategy recognises and supports the
integration of internal controls in developing and maintaining the IS.

How Information Technology Improves Internal Controls

• IT improves internal controls by embedding and automating the entity’s practices, policies,
and procedures into the entity’s IS.

• Such internal controls take three forms (the Prevention–Detection–Correction model):

(i) Preventive controls are passive techniques designed to reduce – but not eliminate –
undesirable events occurring.

(ii) Detective controls are more active steps taken to recognise undesirable events that are
not stopped by preventive controls.

(iii) Corrective controls are actions taken to remedy undesirable events identified by
detective controls.

Assessing and Advising on the Risks of Business Processes

• Business processes are often supported by many different IS. In-scope IS are those IS that
are prospective sources of material misstatement in the financial statements. Materiality is
assessed according to the specific circumstances of the entity and will be set as part of the
audit strategy.

• The auditor’s focus is on systems that affect the financial processes and systems in the
expenditure cycle, conversion cycle, or the revenue cycle.

• Expenditure cycle IS record transactions relating to business processes for the entity’s
acquisition of goods and services that the entity uses.

• Conversion cycle IS record how the entity converts the inputs that it acquired in the
expenditure cycle prior to the final sale of the goods or services.

• Revenue cycle IS record transactions relating to the entity’s sale of goods and services to its
customers.

• The auditor identifies the business processes and supporting IS from which information flows
to the financial reports.

Assessing Audit Risk

• The auditor must consider three components when assessing the audit risk in the business
processes from which information flows to the financial report. These three components are
inherent risk, control risk, and detection risk.

• Audit risk can be calculated by assigning a value to the assessment made of inherent risk,
control risk, and detection risk:

Audit Risk = Inherent risk × Control risk × Detection risk

• Inherent risk relates directly to the nature of the industry in which the entity operates and is
the risk that the error might occur in the first place, irrespective of whether a control protects
against it. Audit activities do not affect inherent risk.

• Control risk is the risk that the controls in place are inadequate in preventing, detecting, or
correcting errors that materially affect the financial reports.

• For control risk, the auditor assesses whether the design of the internal control is effective in
reducing the risk of material misstatement. If not, the control is not effective and the auditor
cannot rely on that internal control.

• For control risk, the auditor also assesses whether the internal control is operationally
effective in reducing the risk of material misstatement. To make this assessment, the auditor
undertakes controls testing to determine whether the internal controls operate as designed.

• Tests of controls do not change control risk, but they do increase the reliability of the auditor’s
assessment of control risk.

• Detection risk is the risk that the auditor does not detect errors that the entity’s internal
controls also do not detect and correct. Increasing substantive testing reduces detection risk.

• The auditor designs the audit approach according to their assessment of audit risk.

Summary of Internal Controls Specific to IT

General and Application IT Controls Relationship

• If the ITGC environment is ineffective (whether through ineffective design or operation), the
application controls are similarly ineffective as any application controls can be circumvented.

IT General Controls

• ITGC ensure that the IT environment maintains data integrity, security, and confidentiality.
ITGC affect all financial reporting IT applications. The most important, or key, ITGC relate
to the administration of the IT function, the segregation of duties, the development of
new systems, physical and online security, backup planning, and controls over hardware
infrastructure.

• An important aspect of ITGC during systems development is change management. The
segregation of duties needs to be maintained when a program change is requested, when
software is configured (or re-configured), and when program changes are applied. IT changes
should follow a defined and formalised (and documented) process.

• The auditor initially makes inquiries of management and supervisory personnel or reviews
high-level documentation to obtain an understanding of the ITGC in place, and documents
their findings. The auditor documents the key ITGC as part of the financial audit.

• The auditor documents and assesses each general control as relevant to the audit.

Application IT Controls

• The application controls of each system maintain the completeness, validity, and accuracy of
data in a single system. These application controls may affect data processing, and so input
controls, processing controls, and output controls may be considered by the auditor.

• The controls to be tested should be determined through the initial walkthrough test when first
considering the IT environment as part of the financial audit.

• Application IT controls are specifically reviewed for those IS that are in scope. In-scope IS are
those IS that are prospective sources of material misstatement at the financial statement and
assertion levels. Materiality is assessed according to the specific circumstances of the entity
and will be set as part of the audit strategy.

• Master file/database controls maintain the security, integrity, accountability, and recoverability
of the master file and database.

• The auditor is most concerned by those material applications that are prospective sources of
material misstatement in the financial reports.

• The auditor makes inquiries of management and supervisory personnel, observes the
system in action, or reviews appropriate documentation to obtain an understanding of the
application controls in place for material systems.

• The auditor documents and assesses each application control as relevant to the audit. Key
systems are documented as a narrative description or a system flowchart.

Auditing in Computerised Business Systems and Controls

• HKSA 300 requires the auditor to develop an audit strategy and plan, and the auditor develops
a set of audit procedures that inform their professional opinion regarding the risk of material
misstatement in the financial reports.

• If controls testing is used, then the auditor evaluates the effectiveness of the design of these
controls and, if the design is effective, whether the controls operate according to the design.

Audit Procedures for Testing Computerised Business Systems and Associated Controls of the Business
Processes of an Entity

• The auditor develops audit procedures by understanding the IT environment and then
planning the controls testing and substantive testing in accordance with the auditor’s
assessment of audit risk.

• If control risk is low, the auditor can place more reliance on the internal controls.

• Controls testing assesses the effectiveness of the design and operation of the entity’s ITGC
and, for key systems, application controls. Substantive testing is where the auditor seeks to
objectively determine whether the entity’s financial statements are materially misstated.

Evaluating the Effectiveness of Computerised Business Systems and Controls

• The audit’s control risk is evaluated by controls testing.

• Controls testing includes client inquiry, examination of documents, observation of the work
being undertaken, or re-performing the procedures that are part of a control (such as a
process walkthrough with real or test data).

• HKSA 315 (Revised 2019) paragraph 26 (d)(ii) requires that the auditor uses procedures in
addition to client inquiry in determining whether a control has been implemented.

• The auditor’s assessment of the effectiveness of the internal controls system considers the
system as a whole. Ineffective internal controls may be compensated for by other controls.
The auditor considers the effectiveness of the internal controls system in totality in assessing
overall control risk.

Substantive Testing

• Substantive tests affect detection risk and thus audit risk.

• Substantive tests include substantive tests of transactions, analytical procedures, and tests
of details of balances. They also include physical examination, confirmation, inspection, client
inquiries, re-performance, analytical procedures, or recalculation.

• Substantive tests of transactions test for monetary misstatements – that is, they test for
errors in the financial reports directly. These tests directly address the following issues: (1)
Occurrence; (2) Completeness; (3) Accuracy; (4) Classification; (5) Timing (Cut-off); and (6)
Presentation.

Summary of Computer-assisted Auditing Techniques

Audit Software

• GAS consists of generic analytical tools that the auditor can use in different contexts.

• CAATs allow the auditor to review and summarise the extracted data sets and to analyse the
data statistically. Two popular tools are ACL Analytics and IDEA.

• The auditor may use general tools such as spreadsheets or data visualisation software even
though these tools do not specifically support financial audits.

Test Data and Testing Procedures

• In auditing an information system, the auditor can use the black-box (‘auditing around the
computer’) or the white-box (‘auditing through the computer’) approaches.

• With a black-box approach the auditor determines what the application is supposed to do and
uses that understanding to reconcile actual inputs with actual outputs.

• Under the white-box approach the auditor places test data into the application to
systematically test the application’s logic and controls.

• The black-box approach is less disruptive than the white-box approach, but the black-box
approach allows more fine-grained and controlled testing.

• Auditing through the computer uses techniques such as parallel simulation, the test data
method, the base case system evaluation, and integrated test facilities.

Documentation

• The auditor documents the audit activities undertaken and their findings so that an
experienced auditor, with no prior connection with the audit, can understand the audit
procedures, their results, and the conclusions and professional judgements made.

• The auditor manages and documents the audit using automated working papers.



Computerised Business Systems and Controls

Effectiveness of Cyber-security Safeguard

• An organisation needs to organise and implement the technologies, processes, and structures
needed to protect IS that are exposed to the Internet.

• Many of the tasks required in undertaking a cyber-security audit require specialist skills
and tools. However, a generalist auditor can examine the base controls around cyber-
security without using specialist skills and tools to assess whether a risk arises of material
misstatements in the financial reports.

• The base controls that a generalist auditor examines include the use of anti-virus software,
keeping software current, and ensuring that only authorised software is installed by authorised
users with enough user privileges to fulfil their roles.

• It is important that the auditor examine the entity’s approach to offline backups.

Weakness Identification and Recommendations

• The auditor understands and identifies deficiencies in internal control and assesses whether
they are sufficiently important.

• If the auditor finds sufficiently important deficiencies in the internal control system during the
audit, the auditor should communicate these deficiencies to those in charge of governance
and management at the audited entity.

Summary of e-commerce Control Issues

Detailed Characteristics of E-commerce Systems

• E-commerce refers to digitally enabled commercial transactions between a seller and a
purchaser. E-commerce has become a common way of doing business.

• E-commerce has characteristics that are unique. Most of these characteristics derive from
the Internet and the low cost of creating, copying, tailoring, updating, and delivering digital
information anywhere in the world at any time.

• There are eight unique characteristics of e-commerce – that is, e-commerce is ubiquitous, has
global reach, uses universal standards, and supports a richness of information as well as high
information density, and is also interactive, allows high personalisation/customisation, and
can leverage social technologies.

Internal Controls in E-Commerce

• E-commerce IS are required to ensure integrity, non-repudiation, authenticity, confidentiality,
privacy, and availability.

• E-commerce systems also require the controls of anti-virus, authorised software, authorised
users, assigned user privileges, and daily backups.

• As e-commerce operates in a virtual environment, e-commerce is almost entirely reliant on
IT controls.

• In entities with e-commerce IS, the major internal control is an e-commerce security plan
that documents the technologies, processes, and the structures and teams responsible for
implementing controls focused on the e-commerce IS.


• Firewalls and proxy servers should be standard. Other relevant internal controls include
intrusion detection systems and intrusion prevention systems. DDoS Mitigation Services
provided by a cloud service provider may be required.

• The e-commerce security plan requires regular refreshment and renewal to remain relevant in
the face of changing security threats.

Auditing E-commerce

• Audit procedures for online e-commerce IS use the same framework as the audit procedures
for offline IS. Additional tests of controls and substantive tests are required if the e-commerce
system is material in the auditor’s judgement.

• The auditor documents the controls identified in the e-commerce security plan, should it exist.
The auditor also documents other relevant controls.

• Relevant controls include technology controls (for example, firewalls and proxy servers),
process controls (for example, patching of software, access controls), and structural controls
(for example, a committee responsible for e-commerce security).

• The auditor evaluates the design effectiveness of the ITGC as a whole, including the ITGC
of offline IS. The auditor considers any compensating controls that exist in undertaking this
evaluation.

• The auditor evaluates the design effectiveness of technology and process controls specific to
individual e-commerce IS if the design of the ITGC is effective.

• The audit plan will consist of a mix of controls testing and substantive testing. For e-commerce
IS, controls testing is likely to be more prominent in the audit procedures.

• Controls testing is undertaken through client inquiry, examination of documents, observation,
or re-performing the procedures that are part of a control (such as a process walkthrough
with real or test data). HKSA 315 (Revised) requires the auditor to use procedures in addition
to client inquiry if the control is relevant to the audit.

• The auditor may find that testing the controls through document examination, observation,
or re-performance may be sufficient to establish the effective operation of material controls.
Specialist auditors may be needed to evaluate technical controls.

• If the design of the application controls as a whole is effective and the controls operate
effectively, then the audit approach may have a high reliance on the internal controls system,
and substantive testing can be lessened.

• Certain substantive tests may be difficult to perform for e-commerce IS. Recalculation or
analytical procedures may be needed.


MIND MAP

Computerised Business Systems and Controls

• Overview of Computerised Business Systems: IT Department Structure; IT Department Functions

• IT Environment: Implementation of New IT Systems; Financial Reporting Systems; E-commerce
Overview and Importance to Business; Networked Systems; PC Systems

• IT Strategy: The Role of IT Strategy; How Information Technology Improves Internal Control;
Assessing Risks of IT

• Internal Controls Specific to IT: General and Application IT Controls Relationship; General
Controls; Application IT Controls; Auditing in Computerised Business Systems and Controls

• Computer-assisted Auditing Techniques: Audit Software; Test Data and Testing Procedures;
Documentation; Effectiveness of Cyber-security Safeguard; Weakness Identification and
Recommendations

• E-commerce Control Issues: Detailed Characteristics of E-commerce Systems; Internal Controls
in E-commerce; Auditing E-commerce

Answers to Knowledge Check Questions

Question 1
Answer A is incorrect. It is limited only to financial reporting systems in place, but the
auditor needs to understand the wider IT environment.
Answer B is incorrect. It is not sufficiently broad and does not consider relevance to
the audit.
Answer C is incorrect. It is too broad as it does not consider relevance to the audit.
Answer D is correct. It has the correct scope of understanding required by HKSA 315 (Revised
2019) but requires the scope to be understood only to the extent of relevance to the audit (S1).

Question 2
Answer A is incorrect. It is a combination of the configuration options for the network
model and the database model.
Answer B is correct. This is explicitly discussed in Section 13.1.1.
Answer C is incorrect. Although it is common terminology for describing the organisational
structure of organisations, these terms are not IS audit specific.
Answer D is incorrect. It replaces the specific terms given in Section 13.1.1 with synonyms,
and is partially correct but not complete.

Question 3
Answer A is incorrect. It is not complete, as it focuses on operational tasks only.
Answer B is incorrect. It focuses only on implementing new software and does not consider
operational tasks.
Answer C is incorrect. It focuses on a single operational task of administering the network.
Answer D is correct. This statement is explicitly provided in Section 13.1.2 and covers the
full range of the IT department’s activities.


Question 4
Answer A is incorrect. It is explicitly referenced in Section 13.1.2 as an aspect of the IT
department’s functions that the auditor is concerned with.
Answer B is incorrect. It is explicitly referenced in Section 13.1.2 as an aspect of the IT
department’s functions that the auditor is concerned with.
Answer C is correct. This is because maintaining compatibility between IT devices is a low
level and technical activity rather than a high level one.
Answer D is incorrect. It is explicitly referenced in Section 13.1.2 as an aspect of the IT
department’s functions that the auditor is concerned with.

Question 5
Answer A is incorrect. It is identified as a disadvantage of the decentralised
model in the discussion provided in Section 13.1.1.
Answer B is correct. It is explicitly identified as an advantage of the decentralised model in
the discussion provided in Section 13.1.1.
Answer C is incorrect. It is identified as a disadvantage of the decentralised
model in the discussion provided in Section 13.1.1.
Answer D is incorrect. It is identified as a disadvantage of the decentralised
model in the discussion provided in Section 13.1.1.

Question 6
No, it is not the role of the auditor to provide advice to their client regarding the best way
to structure the IT function. However, if the auditor finds a control deficiency, then the
control weakness should be communicated to the entity’s management.

Question 7
The centralised operating model provides all IT services from a central IT department to
all of the business units of the entity. The decentralised operating model locates an IT
department in each business unit of the entity. The federated/hybrid operating model
locates some components of the IT department in a central IT department, but locates
some IT departments in each business unit of the entity. Most commonly, organisations
use the federated/hybrid operating model.

Question 8
The network administrator ensures that the devices on the entity’s network are secure and
that the network provides access only to authenticated users. The network administrator
maintains and secures the organisational network used to access common IT resources
across the organisation. In contrast, the DBA’s focus is upon the integrity and security of
the data stored in the entity’s databases. These databases are usually focused on meeting
the requirements of individual business units rather than the entity as a whole, and so the
DBA has a more narrow – but deeper – scope of work than the network administrator.

Question 9
HKSA 315 (Revised 2019) requires the auditor to obtain an understanding of the internal
controls relevant to the financial audit and an understanding of the information system.
The structure and function of the IT department are critical controls as the IT department
makes many of the decisions in the general control environment and the effectiveness
of the IT department informs the auditor’s assessment of the effectiveness of the ITGC
environment of the entity.

Question 10
Answer A is incorrect. It is a component of value.
Answer B is incorrect. It is a component of value.
Answer C is incorrect. It is a component of value.
Answer D is correct. The value is stated in Section 13.2.1 as consisting of providing benefits,
reducing costs, or reducing uncertainty, which are options A, B, and C.

Question 11
Answer A is incorrect. Equivalent controls to that of the SDLC methodologies can exist
under agile methodologies and can be adequate according to Section 13.2.1.
Answer B is incorrect. Formal staged approaches are a feature of SDLC methodologies, not
agile methodologies, according to Section 13.2.1.
Answer C is incorrect. It describes a circumstance where software development is not required.
Answer D is correct. This aspect is attributed to agile methodologies in Section 13.2.1.

Question 12
Answer A is correct. It is the only system that affects the financial reports.
Answers B, C, and D are incorrect. Each is an operational system that does not directly affect
the financial report. Although some of its systems may require review from a business
continuity perspective, the system of most apparent concern in assessing material
misstatement in the financial reports is the inventory management system.

Question 13
Answer A is incorrect. It is the opposite of the discussion in Section 13.2.3.
Answer B is correct. This flows directly from the discussion in Section 13.2.3, where it is
stated that online systems face more security issues and are entirely reliant on IT controls.
Answer C is incorrect. It directly contradicts the discussion given in Section 13.2.3.
Answer D is incorrect. It directly contradicts the discussion given in Section 13.2.3.

Question 14
Answer A is incorrect. It is plausible but incorrect.
Answer B is incorrect. It is plausible but incorrect.
Answer C is correct. This is given in Section 13.2.4.
Answer D is incorrect. It cannot be correct as Answer C is correct.

Question 15
Answer A is incorrect. It is too narrowly focused on access to the networked systems.
Answer B is incorrect. It is too narrowly focused on hardware configurations.
Answer C is correct. It addresses the breadth of the aspects of networked systems that the
auditor must understand, as set out in Section 13.2.4.
Answer D is incorrect. It is partially correct as it excludes cloud-based services.


Question 16
Answer A is incorrect. PC-based systems do work in a networked environment but operate
independently.
Answer B is incorrect. It is partially correct as PC-based systems might be integrated with
an e-commerce IS but would rarely, if ever, be tightly integrated with an e-commerce IS.
Answer C is incorrect. PC-based systems often have simple security that can be bypassed,
as discussed in Section 13.2.5.
Answer D is correct. This is discussed in Section 13.2.5.

Question 17
The five aspects of the IT environment that the auditor must understand are (1) how the
entity implements new systems, (2) the FRSs in place, (3) the e-commerce systems that
exist, (4) the networked systems in place, and (5) the PC-based systems in place. All aspects
of the IT environment are critical, as it is mandatory that the auditor understand the IT
environment as relevant to the financial audit. However, the auditor’s understanding of the
FRSs in place is likely to be the most relevant to the audit as these systems directly affect
the financial report.

Question 18
The SDLC provides formal documentation and formal approval processes that provide
an audit trail that auditors can easily review and assess. For this reason, auditors tend to
prefer the SDLC approach as it allows the auditor to easily assess the risks faced by the
system development project.

Question 19
Expenditure cycle, conversion cycle, and revenue cycle. The payroll system, the cost
management system, and the sales system are, respectively, examples of each cycle.

Question 20
E-commerce IS are entirely reliant on IT controls as the transactions occur at such a pace
and volume that manual intervention is impractical. Accordingly, the IT controls need to be
stronger to ensure that transactions are complete, valid, and accurate.

Question 21
The statement should be disagreed with for two reasons. First, some important software
is only available on stand-alone PC systems as they require a dongle or similar hardware
device to operate or the software is considerably more expensive to operate in a
networked environment. Second, a PC system can rely on compensating physical controls
(such as a locked office) that mitigate concerns around access controls.

Question 22
Answer A is incorrect. The business strategy is supported by the IT strategy, not vice versa.
Answer B is correct. This is set out in Section 13.3.1.
Answer C is incorrect. All three areas are operational in focus and are not strategic.
Answer D is incorrect. It directly addresses the auditor’s duty in undertaking the audit.


Question 23
Answer A is incorrect. It is a physical control outside of the information system and thus is
not an IT internal control.
Answer B is incorrect. It is a physical control outside of the information system and thus is
not an IT internal control.
Answer C is incorrect. It is a physical control outside of the information system and thus is
not an IT internal control.
Answer D is correct. It is the only control that is embedded in an information system.

Question 24
Answer A is incorrect. This is a plausible alternative for the PDC acronyms, but is incorrect.
Answer B is incorrect. This is a plausible alternative for the PDC acronyms, but is incorrect.
Answer C is correct. This is defined in Section 13.3.2.
Answer D is incorrect. This is a plausible alternative for the PDC acronyms, but is incorrect.

Question 25
Answer A is incorrect. It is partially correct, as compensating controls compensate for
deficiencies in other controls including preventive controls, but is not a complete response
as compensating controls can themselves be preventive controls and thus do not actively
focus on identifying events not stopped by preventive controls.
Answer B is incorrect. Directed controls are not a notion addressed in Section 13.3.
Answer C is correct. Detective controls are active steps taken to recognise undesirable
events that are not stopped by preventive controls, as discussed in Section 13.3.2.
Answer D is incorrect. Preventive controls are designed to stop undesirable events from
occurring rather than recognising undesirable events.

Question 26
Answer A is incorrect. It is ITGC, not compensating controls, as described in Section 13.4.2.2.
Answer B is incorrect. It is ITGC, not compensating controls, as described in Section 13.4.2.4.
Answer C is correct. It is identified in Section 13.3.2 as a compensating control.
Answer D is incorrect. It is an application input control, discussed in Section 13.4.3.1.

Question 27
Answer A is correct. The sales order is discussed in Sections 13.2.2 and 13.3.3.1 as a
primary document for revenue cycle transactions.
Answer B is incorrect. The purchase order relates to the expenditure cycle.
Answer C is incorrect. The sales invoice is created after the sales order.
Answer D is incorrect. The journal voucher records the transaction after it happens and is
not the revenue cycle trigger.

Question 28
The discussion will vary, but the IT strategy is the source of changes to the IT environment.
The IT strategy should support an effective internal control environment by ensuring that new
information systems are designed with strong internal controls from the outset. It is critical
that this occurs if the IT systems are to support the organisation and its internal controls.


Question 29
Preventive controls are passive techniques designed to reduce – but not eliminate –
undesirable events occurring. An example of a preventive control is a control that prevents
text being entered into a system instead of a date or the entry of a postal code that does
not exist. Detective controls are more active steps taken to recognise undesirable events
that are not stopped by preventive controls. Detective controls flag data that departs from
the standard after the error has occurred, whereas preventive controls aim to prevent
errors before they occur. An example of a detective control is the monitoring of returned
mail due to wrongly addressed items or the review of system reports for correct date
order. Corrective controls remedy undesirable events identified by detective controls.
Detective controls detect a problem but do not fix it. An example of a corrective control
is where a clerk is directed to correct the problem of an invalid date at data entry and the
systems development/application programmer team is directed to implement a data entry
rule that prevents the problem from recurring.

Question 30
Your answer should reflect the following points:

(a) A sales ordering system is part of the revenue cycle as its transactions affect the
income/sales figures on the financial report.

(b) A closed-circuit security system is not part of any cycle as it does not produce any
transactions.

(c) A work-in-progress management system is part of the conversion cycle as it
records work-in-progress manufacturing items prior to their sale.

(d) A group decision support system is not part of any cycle as it assists with decision
making and does not directly record any transactions.

(e) A procurement system is part of the expenditure cycle as it is used to manage
expenditure on purchase goods and services.

Question 31
Answer A is incorrect. It is partially correct, but indirectly so – well-designed and effective
ITGC minimise substantive testing, but that is a by-product of their purpose.
Answer B is incorrect. ITGC and application controls are separate concepts with different
purposes, as discussed in Section 13.4.1.
Answer C is correct. It is explicitly referred to in Section 13.4.1.
Answer D is incorrect. It ascribes the goals of application controls to ITGC, as discussed in
Section 13.4.1.

Question 32
Answer A is correct. It is explicitly referred to in Section 13.4.1.
Answer B is incorrect. It is a mix of the purpose of ITGC together with a notion of
‘usefulness’ that is not otherwise discussed.
Answer C is incorrect. It is referring to an ITGC activity rather than a purpose.
Answer D is incorrect. It ascribes the purpose of ITGC to application controls.


Question 33
Answer A is incorrect. A process mechanism is a procedure and a steering committee is not
a procedure (although it will be referenced in a procedure).
Answer B is incorrect. It is partially correct as the steering committee allows executives to
develop relationships, but the development of relationships is not its primary purpose and
so this is not a complete answer.
Answer C is incorrect. This response is not discussed in Section 13.4.
Answer D is correct. Section 13.4.2.1 uses a project steering committee as an example of a
structural mechanism.

Question 34
Answer A is incorrect. Input controls are not ITGC.
Answer B is correct. This is the general principle stated in Section 13.4.2.2 in relation to the
control of segregation of duties.
Answer C is incorrect. This is a different aspect of ITGC that is not based on this principle
identified in Section 13.4.2.2.
Answer D is incorrect. This is a different aspect of ITGC that is not based on this principle
identified in Section 13.4.2.2.

Question 35
Answer A is incorrect. Re-factoring is not a substantive test.
Answer B is incorrect. Collaboration is not a substantive test.
Answer C is incorrect. This is a different aspect of ITGC that is not based on this principle
identified in Section 13.4.2.2.
Answer D is incorrect. This is a different aspect of ITGC that is not based on this principle
identified in Section 13.4.2.2.

Question 36
A, B, and C can all support the development of effective internal controls as discussed in
S4.2.3, and so the correct response is D.
Answer D is correct as all of A, B, and C can support the development of effective
internal controls.

Question 37
Answer A is incorrect. It relates to application controls, not ITGC, and the backup process is
a general control.
Answer B is correct. Observation of the general control in action is a test of ITGC, as
discussed in Section 13.4.4.2.
Answer C is incorrect. It relates to application controls, not ITGC, and the backup process is
a general control.
Answer D is incorrect. Observation of a backup process is not a substantive test, as
discussed in Section 13.4.4.2.


Question 38
Answer A is correct. Data entry and specifically a range check control occur at input, as
discussed in Section 13.4.3.1.
Answer B is incorrect. It is an output control, as discussed in Section 13.4.3.3.
Answer C is incorrect. It is an output control, as discussed in Section 13.4.3.3.
Answer D is incorrect. It is an output control, as discussed in Section 13.4.3.3.

Question 39
Answer A is incorrect. A record level input control compares entered data to other values
entered at the same time, as discussed in Section 13.4.3.1.
Answer B is correct. Data entry relates to an input control, and because these data are checked
against a possible range of values, the control is a field control (Section 13.4.3.1).
Answer C is incorrect. Controls consider data after their entry into the system (Sections
13.4.3.2 and 13.4.3.3).
Answer D is incorrect. Controls consider data after their entry into the system (Sections
13.4.3.2 and 13.4.3.3).

Question 40
Answer A is correct. This is discussed as a disadvantage of the ITF in Section 13.5.2.
Answer B is incorrect. ITFs reduce operating efficiency of the entity, not the audit (see
Section 13.5.2).
Answer C is incorrect. Section 13.5.2 identifies ITFs as addressing this weakness of static
testing techniques.
Answer D is incorrect. It is not correct as Answer B is correct.

Question 41
Answer A is correct. This principle is stated in Section 13.4.2.2.
Answer B is incorrect. This is a re-statement of the purpose of application controls given in
Section 13.4.3, not the general control of segregation of duties.
Answer C is incorrect. Employee satisfaction is not a consideration of ITGC.
Answer D is incorrect. It is not correct as Answer A is correct.

Question 42
Answer A is correct. It is a direct violation of the principle given in Section 13.4.2.2 as the
same role creates debt as well as writes it off.
Answer B is incorrect. It is not a violation as these ledgers are separate reporting tools and
are not transactions.
Answer C is incorrect. It is not a violation unless the clerk is also requesting the
inventory purchase.
Answer D is incorrect. It is not a violation as preparing statements is not a transaction.

Question 43
Answer A is incorrect. This is a concern of physical security and is a general control
discussed in Section 13.4.2.4.
Answer B is incorrect. This is a reference to segregation of duties, which is also a general
control and is discussed in Section 13.4.2.2.
Answer C is incorrect. An input control is described in Section 13.4.3.1.
Answer D is correct. This design purpose is explicitly addressed in Section 13.4.3.3.

Question 44
Answer A is correct. This is an explicit example discussed in Sections 13.4.2.2 and 13.4.2.3.
Answer B is incorrect. No control of management override is discussed in the context of
segregation of duties in Section 13.4.2.2.
Answer C is incorrect. It is partially correct as inventory processes and billing processes
may be incompatible duties that require segregation, but is incomplete as this is not a
computer-based duty.
Answer D is incorrect. It is a review of tasks performed, not segregation of the duties as
discussed in Section 13.4.2.4.

Question 45
Answer A is correct. These IT duties and their likely incompatibility are discussed in
Sections 13.4.2.2 and 13.4.2.3.
Answer B is incorrect. These IT duties are discussed in Section 13.4.2.2 but no
incompatibility between these duties is apparent – they are complementary.
Answer C is incorrect. It is partially correct as this is cited in Section 13.4.2.2 as an example
of the general control of segregation of duties, but is not complete as this example does
not relate to IT duties.
Answer D is incorrect. These IT duties are discussed in Section 13.4.2.2 but no incompatibility
between these duties is apparent – rather, these duties are complementary.

Question 46
Answer A is correct. Section 13.4.2.1 cites the IT steering committee as an example of a
structural governance mechanism.
Answer B is incorrect. Compensating governance mechanisms are not discussed in
Section 13.4.2.1.
Answer C is incorrect. It is not correct according to the discussion provided in Section 13.4.2.1.
Answer D is incorrect. It is not correct according to the discussion provided in Section 13.4.2.1.

Question 47
As explained in HKSA 315 (Revised 2019), controls testing increases the auditor’s
understanding of control risk. More controls testing means less substantive testing, all
else equal, as audit risk is reduced. However, if controls testing indicates that controls are
unreliable then more substantive testing is needed.

Question 48
A field-level input control checks the validity of a single data field in a data record. For
example, a control that only allows valid postcodes to be entered is a field-level input
control. A field-level input control considers the information solely within an individual field
of a record, whereas a record-level input control compares between fields in the record to
determine whether to reject or accept the record. A record-level input control considers
the combination of different fields in the record.
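
The distinction between field-level and record-level input controls can be shown on a few sales-order records. The following is an added example, not part of the Learning Pack; the field names, the postcode table, the quantity range and the sample orders are all constructed assumptions.

```python
from datetime import date

# Constructed reference data (assumptions, not from the Learning Pack).
VALID_POSTCODES = {"2000", "3000", "4000"}
QTY_MIN, QTY_MAX = 1, 500


def parse_date(text):
    """Return a date for an ISO 'YYYY-MM-DD' string, else None."""
    try:
        return date.fromisoformat(text)
    except (TypeError, ValueError):
        return None


def field_level_errors(rec):
    """Field-level controls: each check looks at one field in isolation."""
    errors = []
    for name in ("order_date", "ship_date"):
        if parse_date(rec.get(name)) is None:
            errors.append(f"{name}: not a valid date")
    if rec.get("postcode") not in VALID_POSTCODES:
        errors.append("postcode: does not exist")
    qty = rec.get("quantity")
    if not (isinstance(qty, int) and QTY_MIN <= qty <= QTY_MAX):
        errors.append("quantity: outside permitted range")
    return errors


def record_level_errors(rec):
    """Record-level controls: each check compares fields within one record."""
    errors = []
    ordered = parse_date(rec.get("order_date"))
    shipped = parse_date(rec.get("ship_date"))
    if ordered and shipped and shipped < ordered:
        errors.append("ship_date is earlier than order_date")
    qty, price, total = (rec.get(k) for k in
                         ("quantity", "unit_price_cents", "total_cents"))
    if all(isinstance(v, int) for v in (qty, price, total)) and qty * price != total:
        errors.append("total_cents does not equal quantity x unit_price_cents")
    return errors


def validate(rec):
    """Accept the record only if neither level reports an error."""
    field, record = field_level_errors(rec), record_level_errors(rec)
    return {"accepted": not field and not record, "field": field, "record": record}


# Constructed sample input.
SAMPLE_ORDERS = {
    "clean": {"order_date": "2021-01-04", "ship_date": "2021-01-06",
              "postcode": "2000", "quantity": 10,
              "unit_price_cents": 250, "total_cents": 2500},
    # Text instead of a date, a postcode that does not exist, quantity out of range.
    "bad_fields": {"order_date": "tomorrow", "ship_date": "2021-01-06",
                   "postcode": "9999", "quantity": 0,
                   "unit_price_cents": 250, "total_cents": 0},
    # Every field is valid on its own, but the fields contradict each other.
    "bad_record": {"order_date": "2021-01-06", "ship_date": "2021-01-04",
                   "postcode": "3000", "quantity": 10,
                   "unit_price_cents": 250, "total_cents": 2000},
}

if __name__ == "__main__":
    for name, rec in SAMPLE_ORDERS.items():
        print(name, validate(rec))
```

The `bad_record` order passes every field-level check and is rejected only by the record-level comparison, which is why an auditor testing input controls looks for both kinds.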


Question 49
The rule of least access is that users of a system should be granted access privileges
on a need-to-know basis. This principle is often breached, though, as over time users
change roles and have new access privileges granted without having the old access
privileges revoked. These breaches arise as the managers with the authority to grant
access privileges are frequently busy and often do not exercise adequate care in revoking
permissions or in initially assigning them.

Question 50
This arrangement decreases the effectiveness of the internal controls system as the
arrangement weakens ITGC. The DBA and Data Librarian roles should be kept separate
from the systems development team to reduce the chance of collusion whereby the
systems developer introduces unauthorised code or data structures and colludes with
the DBA and Data Librarian to commit fraud. The three structures (systems development
team, DBA, and Data Librarian) should be kept separate to reduce the chance of
collusion.
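
The answers to Questions 42, 49 and 50 describe conditions that a user access review can test directly: privileges retained beyond a user's current role, and incompatible duties held by one person or built into one role. The following is an added example, not part of the Learning Pack; the role names, privilege names and user list are hypothetical and constructed for illustration.

```python
from itertools import combinations

# Constructed role catalogue: the privileges each role needs (hypothetical names).
ROLE_NEEDS = {
    "ar_clerk": {"create_invoice"},
    "credit_manager": {"write_off_debt"},
    "systems_developer": {"modify_source_code"},
    "dba": {"alter_db_schema"},
    "data_librarian": {"release_to_production"},
    # A combined role of the kind the answer to Question 50 advises against.
    "developer_dba": {"modify_source_code", "alter_db_schema"},
}

# Duties that should not sit with one person: creating and writing off debt,
# and any two of the development, DBA and data librarian duties.
INCOMPATIBLE = [frozenset({"create_invoice", "write_off_debt"})] + [
    frozenset(pair) for pair in combinations(
        ["modify_source_code", "alter_db_schema", "release_to_production"], 2)
]


def sod_conflicts(privileges):
    """Return the incompatible pairs wholly contained in a set of privileges."""
    held = set(privileges)
    return sorted(tuple(sorted(pair)) for pair in INCOMPATIBLE if pair <= held)


def excess_privileges(role, privileges):
    """Return privileges granted beyond what the current role needs."""
    return sorted(set(privileges) - ROLE_NEEDS.get(role, set()))


def role_design_conflicts():
    """Return roles whose own definition combines incompatible duties."""
    found = {}
    for role, needs in ROLE_NEEDS.items():
        conflicts = sod_conflicts(needs)
        if conflicts:
            found[role] = conflicts
    return found


def review(users):
    """Return findings per user; users with no finding are omitted."""
    findings = {}
    for u in users:
        excess = excess_privileges(u["role"], u["privileges"])
        conflicts = sod_conflicts(u["privileges"])
        if excess or conflicts:
            findings[u["user"]] = {"excess": excess, "sod_conflicts": conflicts}
    return findings


# Constructed sample input.
USERS = [
    # Moved from ar_clerk to credit_manager; the old privilege was never revoked.
    {"user": "chan", "role": "credit_manager",
     "privileges": {"create_invoice", "write_off_debt"}},
    # Holds one privilege the role does not need, with no incompatible pair.
    {"user": "lee", "role": "ar_clerk",
     "privileges": {"create_invoice", "view_payroll"}},
    # Holds exactly what the role grants, but the role itself is badly designed.
    {"user": "wong", "role": "developer_dba",
     "privileges": {"modify_source_code", "alter_db_schema"}},
    {"user": "ho", "role": "dba", "privileges": {"alter_db_schema"}},
]

if __name__ == "__main__":
    print(review(USERS))
    print(role_design_conflicts())
```

A user such as `wong` shows no excess privileges because the deficiency is in the role definition, so the review checks the role catalogue as well as the individual grants.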

Question 51
There are several options, but such a physical control would include fire suppression
systems, building the data centre out of non-flammable materials, or locating the data
centre away from likely fire hazards.

Question 52
Answer A is incorrect as IDEA software is not a technique.
Answer B is incorrect. It is partially correct but not complete as IDEA software can be used
to visualise data.
Answer C is incorrect. It is partially correct as IDEA can be integrated with an automated
working papers package, but this does not make IDEA an automated working paper
support tool.
Answer D is correct. IDEA is identified as generalised audit software in Section 13.5.1.

Question 53
Answer A is incorrect. None of the items listed is a testing technique.
Answer B is correct. Each technique listed is described in Section 13.5.2 as a testing
technique that can be used in applying the white-box approach.
Answer C is incorrect. Reconciliation is a technique used in support of the black-box approach.
Answer D is incorrect. It is not correct as Answer B is correct.

Question 54
Answer A is correct. It is a corrective control (data are restored to their former state), as
described in Section 13.5.4.5.
Answer B is incorrect. Offline backups do not prevent the cyber attack from occurring; they
only correct the problem when it occurs.
Answer C is incorrect. Online operational data can still be encrypted.
Answer D is incorrect. Backups generally have no impact on the implementation of
unauthorised software.


Question 55
Answer A is incorrect. It is explicitly identified in Section 13.5.4 as a base control in
safeguarding against cyber-security attacks.
Answer B is incorrect. It is explicitly identified in Section 13.5.4 as a base control in
safeguarding against cyber-security attacks.
Answer C is incorrect. It is explicitly identified in Section 13.5.4 as a base control in
safeguarding against cyber-security attacks.
Answer D is correct. An integrated test facility is described in Section 13.5.2 as a testing
technique for testing data, not safeguarding cyber-security.

Question 56
Answer A is correct. This explicit definition is provided in Section 13.5.4.2.
Answer B is incorrect. It describes an anti-virus program that blacklists known problem
applications and prevents them from executing.
Answer C is incorrect. This approach ensures software is kept up to date.
Answer D is incorrect. Assigning user privileges on the basis of need is not application
whitelisting, as discussed in Sections 13.5.4.2 and 13.5.4.4.

Question 57
Answer A is incorrect. Section 13.5 discusses auditor involvement in both black-box and
white-box testing.
Answer B is incorrect. Section 13.5 discusses auditor involvement in both black-box and
white-box testing.
Answer C is correct. This is discussed in Sections 13.5 and 13.5.2.
Answer D is incorrect. The auditor does not need to execute all testing (Section 13.5).

Question 58
Offline backups cannot be encrypted by a cyber attack. They are independent of the
networking environment and so a cyber attack that encrypts, deletes, or corrupts business
data cannot affect an offline backup. This means that the network can be cleaned of any
malware and unaffected data can be restored from the backup.

Question 59
HKSA 265 (Clarified) requires the auditor to communicate significant deficiencies to those
charged with governance. The deficiencies do need to be sufficiently important to warrant
reporting the problem to management. The auditor does not need to suggest a solution,
but often does. In doing so, the auditor should be careful not to affect their professional
independence.

Question 60
It is likely that a COTS software solution would not be audited unless it is material and/or
significant customisation has occurred. A COTS solution has already been tested
elsewhere. The opportunity for implementing unauthorised changes in the software is less
than for a custom-built software solution. If the COTS solution were to be audited, the least
disruptive approach would be a black-box approach.


Question 61
First, specialised software might not be relevant to the entity’s industry. Second, the
auditor may not have skills in using the software. Third, the software might be expensive to
buy and training in that software might also be expensive.

Question 62
The tests through the computer are only performed at a particular time. An unauthorised
change to the software might have occurred after the last audit, and the change then
reversed prior to the auditor’s return. An integrated test facility – with access only available
to the audit team – is one way to combat this problem.

Question 63
Answer A is incorrect. It describes personalisation and customisation (Section 13.6.1).
Answer B is incorrect. It describes richness of information (Section 13.6.1).
Answer C is correct. This is the definition of information density provided in Section 13.6.1.
Answer D is incorrect. It describes global reach (Section 13.6.1).

Question 64
Answer A is incorrect. The capability described does not address Yunfei’s ability to
customise the experience.
Answer B is incorrect. It is partially correct but the response is not complete as the focus of
the description is on the ability to access websites across international borders.
Answer C is incorrect. It is partially correct but the response is not complete as the focus of
the description is on the ability to access websites across international borders.
Answer D is correct. The capability described focuses on Yunfei’s capability to access
websites across international borders – the key aspect of global reach (Section 13.6.1).

Question 65
Answer A is correct. This is explicitly defined in Section 13.6.2.
Answer B is incorrect. The response includes terms not discussed in Section 13.6.
Answer C is incorrect. The response includes terms not discussed in Section 13.6.
Answer D is incorrect. The response includes terms not discussed in Section 13.6.

Question 66
Answer A is incorrect. The scope of the e-commerce security plan is limited to IS that
support e-commerce, not all of the entity’s IS.
Answer B is correct. This is explicitly identified in Section 13.6.3.
Answer C is incorrect. It is partially correct as an e-commerce security plan might
document these configuration settings, but processes, structures, and teams need to be
documented as well (Section 13.6.3).
Answer D is incorrect. This option outlines a business continuity plan, not an e-commerce
security plan.


Question 67
Answer A is correct. This is noted in Section 13.6.3.
Answer B is incorrect. Substantive testing of an e-commerce system is identified in
Section 13.6.3 as an option for auditing e-commerce.
Answer C is incorrect. Section 13.6.3 notes several substantive tests that are more difficult
in the online environment.
Answer D is incorrect. Section 13.6.3 notes several substantive tests that are more difficult
in the online environment.

Question 68
Answer A is correct. It contradicts the statement made in Section 13.6.2 and is thus false.
Answer B is incorrect. The statement is made in Section 13.6.2 and is thus true.
Answer C is incorrect. The statement is made in Section 13.6.2 and is thus true.
Answer D is incorrect. The statement is made in Section 13.6.2 and is thus true.

Question 69
An e-commerce IS operates in a virtual environment and is dependent on IT controls.
However, it is not entirely reliant on its IT controls, as some physical controls remain
relevant and some corrective controls are likely to be needed to manually correct problems
that do arise.

Question 70
The steps are: (1) undertake an initial risk assessment; (2) develop a security policy;
(3) identify the technologies, processes, and the structures and teams needed to
implement the security policy. If these steps are not taken, it means that an explicit
e-commerce security plan does not exist. Although it is a key internal control, it is possible
that other relevant controls are implemented that address the same concerns. This
assessment is a matter of judgement for the auditor.

Question 71
Detailed testing will require extended technical skills. It is possible, however, for the
generalist auditor to establish that the process used in developing these controls
was effective. The generalist auditor can make their assessment in the light of the
risk assessment made and the level of materiality assigned to the e-commerce IS. As the
complexity and materiality of the e-commerce IS increase, it becomes more likely that the
auditor will require the support of a specialist IT auditor.

EXAM PRACTICE

QUESTION 1
(a) Outline the relationship between Audit Risk, Controls Testing, and Substantive Testing.

(b) During an audit, an auditor compares the prices on supplier invoices to the original
purchase order price. Identify whether this is a substantive test or a controls test and
explain the reason for your answer.


QUESTION 2
(a) Consider the following three application controls implemented in an information
system:

(i) A control that checks whether an entered value in a record is within an acceptable
range.

(ii) A transaction log of all transactions that are entered into the system.

(iii) A control that distributes the sales report to a limited range of recipients in an
encrypted format.

Describe the purpose of each of these controls/tests. For each control/test, identify
its type of application IT control.

Identify whether any of these controls/tests performed a record level input control
and explain the reason for your answer.

(b) Consider the following two ITGC:

(i) A defined software development methodology is used to develop new software.

(ii) The IT operations team installs and implements the software developed by the
system development team.

Identify the type of general control to which each control MOST relates.

QUESTION 3
(a) Describe the ‘rule of least access’ and explain why it is often breached. In your view,
identify whether such violations of the ‘rule of least access’ can be reduced and, if so,
explain how.

(b) Define database security, integrity, accountability, and recoverability as aspects
of database control. In your view, determine whether any one of these aspects of
database control is more important than the others and explain the reason for
your answer.

QUESTION 4
(a) Describe the three transaction cycles that exist in all businesses. In describing each
cycle, provide an example of a related subsystem.

(b) Consider the following statement:

Given the prevalent use of computer-based accounting information systems, all
financial auditors need to have strong skills in IS audit.

Explain whether you agree with this statement and justify your answer.

QUESTION 5
Read the following case material:

Amber Tree Professional Association (ATPA) is a not-for-profit membership organisation for
arborists and landscape gardeners across Hong Kong. ATPA has its offices in Tsuen Wan and
shares the building with many organisations. The building is close to a stormwater drain
known for becoming blocked and flooding the surrounding buildings.

The IT manager reports to the Chief Financial Officer. There are 45 IT staff in two
teams. The IT services team keeps the network running and the hardware working. The IT
development team develops in-house software and implements all application software
including their own. The IT development team also updates and maintains the Council’s
databases. The IT development team has 20 members. A team leader in each team is
responsible for supervising team members. There are no other supervisors.

ATPA runs its own 15-computer server data centre in the basement of the office building
in Tsuen Wan, as do all other businesses in the building. Accessing the data centre requires
a physical key and a common entry keycode. Each member of the IT team, the security, the
cleaning staff, and the members elected to the Board have a copy of the key. These people
also know the keycode for access to the building and the data centre.

No tape backup solution is in place. All data processing is done at ATPA headquarters.
There is a shared cold site data centre at Disaster Recovery Iz Us, a commercial operator
located in Hanoi. Data are transferred weekly. Disaster Recovery Iz Us has been particularly
successful in having all the businesses in ATPA’s building use their services due to an
agreement with the building’s owner.

Key IS used by the Council include the Human Resources and Payroll System (including
staff rosters and direct integration with the electronic timesheet system for employee
timesheets), the Events System (used to manage and schedule member events and
functions), the Finance and Accounting Information System (used to manage financial data
and reporting), and the Membership Fees System (MFS; this system is used to generate fee
notices to all ATPA members).

The Membership Fees System was developed by the IT Development team, and this
project was overseen by Rudy McGrath, an IT contractor with a strong interest in systems
integration, gambling statistics theory, and the Facebook API. Rudy used an agile software
development methodology of his own design.

During the project, the emphasis was upon quick, cheap development and access and
availability to users using Microsoft Access. However, Rudy has since left ATPA to move
to Las Vegas, Nevada, in the USA, where he is using his analysis skills to gamble in the
casinos. Rudy was the only person who knew how to find the documentation and now that
documentation (and indeed Rudy) cannot be found.

The largest system is the MFS, which stores members’ credit card numbers and
generates a transaction file that is uploaded to AMEX and CardLink websites by Jodie Smith,
the Membership Systems Developer. Jodie has a special arrangement with her boss so that
she can work from Stanley every day – she wants to support her son and husband who are
in the Tung Tau Correctional Institution pending their release from jail later this year for
white collar crimes. Approximately HK$18 million in membership fees are processed by the
system each year. These fees represent 85% of ATPA’s annual revenue.

The MFS also integrates with Facebook and Google Maps using Facebook’s API
(Application Programming Interface) to keep members informed of their Association
obligations. This capability was developed by Jodie Smith. The MFS automatically posts
on members’ Facebook Wall the due dates of their latest membership invoices along with
any reminder notices and the outcomes of any disciplinary hearings for poor professional
landscaping work. These posts are made publicly to ensure transparency.

In this context, Wing Nam Siu, the independent Chair of the ATPA Audit and Risk
Committee, has asked your IS audit team to evaluate this approach to managing operations
and to present recommendations to ATPA to improve current practice.


Required

(a) Explain why ITGCs are relevant to the auditor and identify SIX (6) ITGC outlined in the
preceding case. For each control, evaluate whether, on the basis of the evidence, the
control is effective or ineffective.

You may wish to present your evaluation in a table. Use a short label that adequately
identifies the controls in the case.

(b) Outline two key improvements to the ITGC that you consider should be implemented. In
your discussion, explain why you consider each improvement to be a key improvement
in the context of the financial audit.

(c) In your professional judgement, determine whether the financial audit can rely on the
ITGC in planning the audit and justify your answer.

ANSWERS TO EXAM PRACTICE

QUESTION 1
(a) In planning this answer, note that there are three relationships to consider as there are
three aspects identified. That is, the answer should address the relationship between
audit risk and controls testing, audit risk and substantive testing, and controls testing
and substantive testing. This question draws from Sections 13.1 and 13.3.3.2.

The solution provided should address the following:

• Audit risk is the risk that the auditor will provide an assurance that the financial
reports are not materially misstated when in fact they are, and HKSA 200
explains that the risk of material misstatement exists at the financial statement
and assertion levels.

• Audit risk has three component parts and is equal to: Inherent Risk × Controls
Risk × Detection Risk. The component parts of the formula are:

  ◦ Inherent risk is the risk that arises directly due to the entity’s industry.

  ◦ Controls risk is the risk that the controls in place are inadequate in preventing,
    detecting, or correcting errors that materially affect the financial reports.

  ◦ Detection risk is the risk that the auditor does not detect errors that the
    entity’s internal controls also do not detect and correct.

• Audit activities do not affect inherent risk – it is independent of the entity and the
audit. Inherent risk is independent of controls testing and substantive testing.

• Controls testing does not reduce controls risk – the entity’s controls are as
effective or ineffective as designed and implemented by the entity. However,
increased controls testing does increase the reliability of the auditor’s
assessment of control risk. Increased controls testing allows the auditor to have a
more reliable estimate of audit risk but does not reduce controls risk.

• Substantive testing reduces detection risk by reducing the risk the auditor does
not find errors that are also not detected and corrected by the entity’s internal
controls. More substantive testing reduces audit risk.


• The auditor, in planning the audit, has regard to the reliability of their assessment
of audit risk. The auditor plans to ensure that their audit activities reduce audit
risk to an acceptable level.

• Under HKSA 200 the risk of material misstatement is assessed at the assertion
level so as to determine the nature, timing and extent of further audit
procedures. For identified risks of material misstatement at the assertion level
HKSA 315 (Revised 2019) requires a separate assessment of IR and CR. These
assessments impact the audit risk assessment.

• In the case of an unreliable estimate of audit risk, the auditor plans for the higher
estimate of audit risk. For this reason, increased controls testing may result in
reduced substantive testing.

(b) In planning this answer, the test needs to be identified as substantive or controls
testing. The reason for the choice made is then required. This question draws from
Section 13.3.3.2.

The solution provided should address the following:

• Comparing prices on supplier invoices to the original purchase order price
may be argued as either a controls test or a substantive test. It is discussed
in Section 13.3.3.2 as an example of a substantive test, but it can be either,
depending on the context.

• The explanation should consider the nature of controls testing and compare it to
substantive testing. There are two aspects to consider.

• First, a control prevents, detects, or corrects errors that affect the financial
reports. A test of controls therefore considers whether the design of the internal
control is effective or whether the internal control operates as designed.

• Second, substantive tests are designed to determine whether the entity’s
electronic records fairly reflect the organisation’s transactions. Such tests can
confirm transactions with independent third parties or assess whether the
financial records are complete, valid, and accurate.

• Several reasons would be appropriate here, but they must support the
assessment made. It can be argued that the test is substantive, as it aims to
assess validity (for example, was the invoice received actually based on an
authorised purchase order?), accuracy (for example, does the supplier invoice
match that which was ordered?), and completeness (for example, have all
purchases made been recorded?). However, the test may be a test of controls;
for example, the test may be aimed at detecting whether the system’s controls
ensure that the purchase order is accurate, that the purchase order is properly
authorised, or that the vendor is authorised. In the latter case, the test would
be a test of the effectiveness of the control as implemented – and thus a
controls test.

QUESTION 2
(a) In planning this answer, note that the purpose and type of application control is
required for each control identified, and the answer needs to identify and explain why
the controls/tests are, or are not, a record level input control. This question draws from
Section 13.4.3.


The solution provided should address the following:

• There are four broad types of application controls: Input Controls, Processing
Controls, Output Controls, and Master File/Database Controls.

  ◦ Input controls ensure the completeness, accuracy, and authorisation of data
    input into the system at the time of data entry.

  ◦ Processing controls prevent, detect, and correct errors during the processing
    of transactional input data.

  ◦ Output controls detect errors and correct them after the completion of
    transaction processing and also ensure that the results of processing are not
    intercepted and corrupted.

  ◦ Database controls ensure the security, integrity, accountability, and
    recoverability of the database.

• A record level input control tests the validity of the entire record.

• Range check tests are input controls as they test whether the data entered into a
field are within an acceptable range of values. This tests an individual field and so
is not a record level input control.

• Transaction logs are processing controls that record all transactions for later
review and correction of any processing errors. This test is not an input control
and so is not a record level input control.

• Encrypted report distribution is an output control that tightly controls report
distribution. This test is not an input control and so is not a record level
input control.
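
The distinction drawn above between a field-level range check and a record level input control, with a log of every entry attempt, as an added example that is not part of the Learning Pack. The invoice-line layout, the ranges and the sample records are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from decimal import Decimal

# Constructed acceptable ranges for individual fields (assumed business rules).
FIELD_RANGES = {
    "quantity": (Decimal("1"), Decimal("1000")),
    "unit_price": (Decimal("0.01"), Decimal("50000.00")),
    "line_total": (Decimal("0.01"), Decimal("500000.00")),
}


@dataclass(frozen=True)
class InvoiceLine:
    invoice_no: str
    quantity: Decimal
    unit_price: Decimal
    line_total: Decimal
    invoice_date: date
    due_date: date


def field_errors(rec):
    """Field-level input control: each value is tested on its own against a range."""
    errors = []
    for field, (low, high) in FIELD_RANGES.items():
        value = getattr(rec, field)
        if not low <= value <= high:
            errors.append(f"{field}={value} outside {low}..{high}")
    return errors


def record_errors(rec):
    """Record level input control: the fields are tested against each other."""
    errors = []
    if rec.quantity * rec.unit_price != rec.line_total:
        errors.append("line_total does not equal quantity x unit_price")
    if rec.due_date < rec.invoice_date:
        errors.append("due_date is earlier than invoice_date")
    return errors


def enter_batch(records):
    """Apply both input controls and log every attempt, accepted or rejected."""
    log = []
    for seq, rec in enumerate(records, start=1):
        errors = field_errors(rec) + record_errors(rec)
        log.append({
            "seq": seq,  # unbroken sequence lets a reviewer spot missing entries
            "invoice_no": rec.invoice_no,
            "status": "rejected" if errors else "accepted",
            "errors": errors,
        })
    return log


def line(no, qty, price, total, inv, due):
    """Build one constructed sample record from plain strings."""
    return InvoiceLine(no, Decimal(qty), Decimal(price), Decimal(total),
                       date.fromisoformat(inv), date.fromisoformat(due))


# Constructed sample input.
SAMPLE = [
    line("INV-001", "10", "25.00", "250.00", "2021-01-05", "2021-02-04"),
    # Fails the range check on quantity although the record is internally consistent.
    line("INV-002", "5000", "25.00", "125000.00", "2021-01-06", "2021-02-05"),
    # Every field is within range, yet the record as a whole is invalid.
    line("INV-003", "10", "25.00", "2500.00", "2021-01-07", "2021-02-06"),
    line("INV-004", "2", "100.00", "200.00", "2021-01-20", "2021-01-10"),
]

if __name__ == "__main__":
    for entry in enter_batch(SAMPLE):
        print(entry)
```

INV-003 is the case the answer turns on: a range check alone accepts it, and only the record level control rejects it.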

(b) In planning this answer, consider the different types of ITGC and classify each control
accordingly. This question draws from Section 13.4.2.

The solution provided should address the following:

• ITGC ensure that the IT environment maintains data integrity, security, and
confidentiality. ITGC affect all financial reporting transactions. The most
important, or key, ITGC relate to the administration of the IT function, the
segregation of duties, the development of new systems, physical and online
security, backup planning, and controls over hardware infrastructure.

• Development methodologies are ITGC for the systems development function.
The methodology for implementing new software needs to be an effective
manner of addressing the entity’s requirements.

• The requirement for the installation and implementation of software developed
by the systems development team to be performed by another team is a
segregation of IT duties general control. Ideally the roles of IT management,
systems development, IT operations and maintenance, and database
management are kept separate from each other. In this case, the control outlined
MOST relates to the segregation of IT duties control as it ensures incompatible IT
duties are kept separate.


QUESTION 3
(a) In planning this answer, note that the description of the rule of least access is required
along with an explanation of why it is breached. An explanation as to how such
violations can be reduced is needed if they can indeed be reduced. This question draws
from Section 13.4.3.4.

The solution provided should address the following:

• The rule of least access is that users of a system should be granted access
privileges on a need-to-know basis.

• The rule is often breached as users change roles and have new access privileges
granted whilst the old access privileges are not revoked. This arises as users will
disclose when they are prevented from doing their assigned tasks, but are likely
not to report the problem if their access is more than they need. A further issue
is that managers are frequently busy and so they often do not exercise adequate
care in revoking permissions or in initially assigning them.

• Violations can be reduced. Strong policies that are monitored are required.
For example, managers must be required to apply due diligence in assigning
permissions to roles to avoid granting excessive access to the system. Similarly,
policies that encourage users to report access that is no longer required
are needed.
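
One way to monitor the rule of least access described above (and in the answer to the earlier self-test question on the same rule), as an added example that is not part of the Learning Pack: a periodic access review that compares what each user holds with what the current role needs and separates privileges left over from a previous role from those granted beyond the role. The role baseline, privilege names, incompatible pairs and sample users are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date

# Constructed baseline: the privileges management has approved for each role.
ROLE_BASELINE = {
    "ap_clerk": {"invoice:create", "invoice:read"},
    "ap_supervisor": {"invoice:read", "invoice:approve", "payment:release"},
    "payroll_officer": {"payroll:read", "payroll:run"},
}

# Constructed pairs of privileges that one person should not hold together.
INCOMPATIBLE = [
    ("invoice:create", "invoice:approve"),
    ("invoice:create", "payment:release"),
]


@dataclass(frozen=True)
class User:
    name: str
    role: str
    role_since: date  # date the user moved into the current role


@dataclass(frozen=True)
class Grant:
    user: str
    privilege: str
    granted_on: date


def review_access(users, grants):
    """Return, per user, the privileges to revoke and any incompatible pairs held."""
    report = {}
    for user in users:
        # An unknown role has no approved baseline, so everything held is flagged.
        baseline = ROLE_BASELINE.get(user.role, set())
        held = {g.privilege: g.granted_on for g in grants if g.user == user.name}
        revoke = []
        for privilege in sorted(set(held) - baseline):
            # A grant older than the role change was never revoked on transfer;
            # a newer one was assigned beyond what the role needs.
            if held[privilege] < user.role_since:
                reason = "left over from previous role"
            else:
                reason = "granted beyond current role"
            revoke.append((privilege, reason))
        conflicts = [pair for pair in INCOMPATIBLE if set(pair) <= set(held)]
        if revoke or conflicts:
            report[user.name] = {"revoke": revoke, "conflicts": conflicts}
    return report


# Constructed sample data: alice was promoted from clerk to supervisor,
# bob was given a payroll privilege his role does not need, carol is clean.
USERS = [
    User("alice", "ap_supervisor", date(2021, 3, 1)),
    User("bob", "ap_clerk", date(2020, 1, 15)),
    User("carol", "payroll_officer", date(2018, 7, 2)),
]
GRANTS = [
    Grant("alice", "invoice:create", date(2019, 6, 10)),
    Grant("alice", "invoice:read", date(2019, 6, 10)),
    Grant("alice", "invoice:approve", date(2021, 3, 1)),
    Grant("alice", "payment:release", date(2021, 3, 1)),
    Grant("bob", "invoice:create", date(2020, 1, 15)),
    Grant("bob", "invoice:read", date(2020, 1, 15)),
    Grant("bob", "payroll:read", date(2020, 9, 2)),
    Grant("carol", "payroll:read", date(2018, 7, 2)),
    Grant("carol", "payroll:run", date(2018, 7, 2)),
]

if __name__ == "__main__":
    for name, finding in review_access(USERS, GRANTS).items():
        print(name, finding)
```

The single privilege alice kept from her clerk role is what lets her both create and approve an invoice, which is why unrevoked access matters beyond the excess itself.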

(b) In planning this answer, note the need to define the four aspects of database control
and then assess if any of these are more important than the others. An explanation for
this assessment is required. This question draws from Section 13.4.3.4.

The solution provided should address the following:

• Security requires that an access control list is used in the viewing, updating, or
deleting of data. The access control list is a structured document that sets out
those with management’s authorisation to access the data.

• Integrity requires the database design to store data without data loss.

• Accountability requires that the DBMS record user access to the database and, in
some cases, the creation, reading, updating, and deletion of data in an audit log.
The audit log records these events by date, time, and named user.

• Recoverability requires the database’s ongoing availability to be ensured.

• Views will differ. One view is that no one aspect of database control is more
important than the others as all four aspects are essential to database control.
However, a well-argued reason that supports one aspect over another is
also reasonable. For example, it can be argued that the importance of the
database control is that, as an application control, it needs to ensure that data
are complete, valid, and accurate to enable decision making. On that basis,
integrity can be considered as the most important as a secure, accountable,
and recoverable database that does not have integrity is still unable to support
decision making.
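
Security and accountability as defined above, shown as an added example that is not part of the Learning Pack: a wrapper around an in-memory SQLite table that checks a constructed access control list before each operation and writes every attempt, allowed or denied, to an audit log by date, time and named user. The table, user names and the `guarded` helper are hypothetical; a production DBMS would normally enforce this with its own privilege and audit facilities.

```python
import sqlite3
from datetime import datetime, timezone

# Constructed access control list: user -> actions management has authorised
# on the members table. Anyone not listed has no access at all.
ACL = {
    "jchan": {"read"},
    "dba_lee": {"read", "update", "delete"},
}


def open_db():
    """Create an in-memory database holding one constructed member record."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        """
        CREATE TABLE members (id INTEGER PRIMARY KEY, name TEXT, fee_due REAL);
        CREATE TABLE audit_log (
            id INTEGER PRIMARY KEY AUTOINCREMENT,
            event_time TEXT NOT NULL,
            username TEXT NOT NULL,
            action TEXT NOT NULL,
            row_id INTEGER NOT NULL,
            allowed INTEGER NOT NULL
        );
        INSERT INTO members VALUES (1, 'Constructed Member', 1200.0);
        """
    )
    return db


def _audit(db, username, action, row_id, allowed):
    """Append one audit row stamped with the UTC date and time."""
    db.execute(
        "INSERT INTO audit_log (event_time, username, action, row_id, allowed) "
        "VALUES (?, ?, ?, ?, ?)",
        (datetime.now(timezone.utc).isoformat(), username, action, row_id,
         int(allowed)),
    )


def guarded(db, username, action, row_id, new_fee=None):
    """Run one read/update/delete on members if the ACL allows it; log either way."""
    if action not in {"read", "update", "delete"}:
        raise ValueError(f"unknown action: {action}")
    if action not in ACL.get(username, set()):
        with db:  # commit the denied attempt so it is not lost
            _audit(db, username, action, row_id, False)
        raise PermissionError(f"{username} may not {action} members")
    with db:  # the data change and its audit row commit together or not at all
        _audit(db, username, action, row_id, True)
        if action == "read":
            return db.execute(
                "SELECT name, fee_due FROM members WHERE id = ?", (row_id,)
            ).fetchone()
        if action == "update":
            db.execute("UPDATE members SET fee_due = ? WHERE id = ?",
                       (new_fee, row_id))
        else:
            db.execute("DELETE FROM members WHERE id = ?", (row_id,))
    return None


def demo():
    """Replay three constructed requests; return the audit trail and final fee."""
    db = open_db()
    guarded(db, "jchan", "read", 1)
    try:
        guarded(db, "jchan", "update", 1, new_fee=0.0)  # not authorised by the ACL
    except PermissionError:
        pass
    guarded(db, "dba_lee", "update", 1, new_fee=1500.0)
    trail = db.execute(
        "SELECT username, action, allowed FROM audit_log ORDER BY id"
    ).fetchall()
    fee = db.execute("SELECT fee_due FROM members WHERE id = 1").fetchone()[0]
    return trail, fee


if __name__ == "__main__":
    print(demo())
```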


QUESTION 4
(a) In planning this answer, note the need to describe the three transaction cycles and
provide an example of a related subsystem for each. This question draws from
Section 13.3.3.1.

The solution provided should address the following:

• The expenditure cycle focuses upon processes that determine the goods and
services to acquire, the subsequent acquiring and receiving of those goods and
services, the approval of payment, and, finally, the actual payment for the goods
and services.

• The conversion cycle records transactions relating to the entity’s conversion of
goods and services that the entity uses. Such transactions generally represent
the entity’s work in progress in getting products or services ready for sale.

• The revenue cycle focuses upon those processes relating to the sale of goods and
services to the entity’s customers.

• Common systems in the expenditure cycle include purchases/accounts payable,
cash disbursements systems, payroll, and fixed assets systems.

• In the conversion cycle, common systems are focused on production planning
and cost control systems such as cost management or budgeting systems.

• Common revenue cycle systems include cash receipts and sales systems.

(b) In planning this answer, note that the question requires the development of a
considered opinion. This question draws from the whole chapter, but primarily is
informed by Section 13.1.

The solution provided should address the following:

• A statement as to whether the statement is agreed with or disagreed with is
required. This statement is then supported by the discussion that follows.

• There are several reasons why this statement is inaccurate.

• For example, there are good reasons for some financial auditors to have good
skills in IS audit, but all financial auditors do not need strong skills in IS audit. For
example, the audit opinion is informed by the team’s audit work and as long as
the auditor can assess that work, strong skills are not required.

• An auditor who invests in strong skills in IS audit is likely to make such an
investment at the expense of other skills that the financial audit team needs. For
example, the presumption of this statement results in a team with strong skills in
the area of IS audit but not in others (e.g. financial statement analysis).

• Requiring all auditors to have strong IS audit skills is likely to result in a less
effective and capable financial audit team.

QUESTION 5
(a) The question requires six ITGC to be identified and the effectiveness of each
control’s design to be assessed, together with a short reason for each assessment.
This question draws from Sections 13.1.2 and 13.4.2.


The solution provided should address the following:

• Section 13.1.2 explains that ITGCs support the operation of the IT environment and
the effective operation of information processing controls. HKSA 315 (Revised 2019)
requires the auditor to obtain an understanding of the general controls that
address the risk associated with using IT in specific IT applications associated
with controls that address the risk of material misstatement.

• Section 13.4.2 identifies six types of ITGC. These controls relate to administration
of the IT function, the segregation of duties, the development of new systems,
physical and online security, backup planning, and controls over hardware
infrastructure.

• It is possible to identify more than one control for each type of general control.
Several ineffective controls are considered in the points that follow.

• Physical controls are potentially ineffective as the key and keycode for the
computer centre are shared with far too many different people. Having a
common keycode means that access logs cannot record who accesses the centre.

• Administration is ineffective as there are too many people to supervise in
each team.

• Systems Development is potentially ineffective as Jodie Smith may be of poor
character due to her potential criminal associations. She has access to a system
with credit card numbers. Potentially, Jodie’s special arrangement to work near
the Tung Tau Correctional Institution should cause concern given her criminal
associations and that the compensating control of supervision is non-existent.

• Segregation of IT Duties is ineffective as database administration should not be
located with the development team; similarly, systems developers also undertake
network and operational support tasks.

• Systems development is ineffective as documentation for the MFS does not exist.

• Systems development is potentially ineffective as the software development
methodology is of Rudy’s own design rather than using an accepted standard.

• Systems development is potentially ineffective due to Rudy’s gambling. Rudy
might use his knowledge of the system to support his gambling habit.

• Systems development is potentially ineffective as Microsoft Access is not a secure
and recognised development platform.

• Backup and contingency planning is ineffective as the computer centre is in the
basement of a flood-prone area. In particular, as many businesses in the same
building have their computers located in the same basement, and their cold
site is in a shared space in Hanoi, it is likely that during a disaster ATPA will not
be able to access the cold site as its co-tenants will also wish to use the same
cold site.

• Backup and contingency planning is ineffective as backup is not daily.


(b) In planning this answer, note that the question requires that improvements to two
ITGC be identified and an explanation be given as to why each is key. This question
draws from Section 13.4.2.

The solution provided should address the following:

• Any of the ineffective controls set out above can be considered key.

• Two improvements are provided by way of example.

• First, consider as a priority changing the disaster recovery and cold site
arrangement to a different provider (and implementing daily backups), as it is
very likely that a flood will make the systems unavailable and ATPA will be unable
to continue operating (thus, the risk has a high consequence if it occurs). This is a
relatively simple improvement to implement.

• Second, consider the redevelopment of the MFS to a more secure and robust
system. Microsoft Access is an inherently insecure desktop system, but
furthermore the lack of documentation for the key system is a considerable risk
from a security perspective as well as the sustainability of the system in the long
term. As a major system storing credit card numbers it is likely that any data
breach or hack would have a high impact on ATPA due to reputation loss.

(c) In planning this answer, note that the question requires the expression of professional
judgement and a justification for this judgement. This section draws from Section 13.4.2.

The solution provided should address the following:

• The financial audit cannot rely on the design of the ITGC.

• Justification includes the impact and nature of the problems with the ITGC noted
in the discussion above. Several key concerns can be noted as follows, although
any of the examples cited above are also key concerns.

• The software that manages 85% of revenue is developed by a single team with no
separate database administration role.

• The same software has no system documentation.

• The developer of the system, Rudy, may have a gambling problem.

• The data centre is not secure.




GLOSSARY OF TERMS

Acceptable level A level at which a professional accountant, using the reasonable and informed third party test would likely conclude that a professional accountant complies with the fundamental ethical principles.

Accountability relationship A relationship where one party in an entity is responsible for its actions in relation to a matter and report to another party, internal or external to the entity, as to its performance in relation to that matter.

Accounts preparation A responsibility of management involving an accounting system to identify, record, and classify all the transactions and events relating to an entity that occur during a reporting period. To maintain accountability for assets, liabilities, revenue and expenditure and to convert that data into information in the form of financial statements.

Accounts preparation process A process through which the company’s accountant, management and directors prepare the financial statements from accounting data contained in the underlying financial records, including judgements and estimates where necessary.

Accuracy The extent to which the information managed in an information system is within a range of tolerance that is sufficiently fit for purpose for the user’s requirements. The information represents the real-world concept in a way that meets the user’s needs.

Adverse opinion An opinion in which the auditor concludes that misstatements are both material and pervasive to the financial statements.

Agile Systems Development Agile systems development is a category of different approaches to software development that emphasise collaborative work practices, early delivery and evolutionary development of minimum viable products. These approaches encourage a flexible response to change, and discourage the use of stable long-term plans and predictions. SCRUM and eXtreme Programming are specific approaches to agile systems development. Agile systems development is frequently contrasted with the software development lifecycle (SDLC) or waterfall approaches to systems development.

Agreed-upon procedures engagement A non-assurance engagement where the auditor agrees with the client party to undertake audit procedures agreed by both parties. The auditor reports the factual findings arising from applying those procedures, but no conclusion is expressed, and no assurance provided. The user draws own conclusions and derives assurance from the information provided.

Appropriate in the context of audit evidence, means its quality (relevance and reliability).

Appropriateness The measure of the quality of audit evidence; that is, its relevance and its reliability in providing support for the conclusions on which the auditor’s opinion is based.

Assertions Representations, explicit or otherwise, with respect to the recognition, measurement, presentation and disclosure of information in the financial statements which are inherent in management representing that the financial statements are prepared in accordance with the applicable financial reporting framework. Assertions are used by the auditor to consider the different types of potential misstatements that may occur when identifying, assessing and responding to the risks of material misstatement.

Assurance An independent professional opinion, the objective of which is to reduce information risk (risk from incorrect information) to users of financial and other information to improve the reliability and credibility of information so that users can make more informed decisions.

Assurance engagement An engagement in which a practitioner aims to obtain sufficient appropriate evidence to express a conclusion designed to enhance the degree of confidence of the intended users other than the responsible party about the outcome of the measurement or evaluation of the underlying subject matter against criteria. The outcome of the measurement or evaluation of an underlying subject matter is the information that results from applying the criteria to the underlying subject matter.

Assurance engagement risk The risk that the assurance practitioner expresses an inappropriate conclusion when the subject matter is materially misstated.

Attest Engagement a party other than the assurance provider measures or evaluates the subject matter against the criteria and then presents the information in a written report. The assurance practitioner provides users with an opinion that enhances the credibility of the assertion.

Attestation engagement The most common type of assurance engagement ‘in which a party other than the practitioner measures or evaluates the underlying subject matter against the criteria. The subject matter information may be presented by the practitioner in their assurance report or in a document prepared by another party’. (e.g. entity) In an attestation engagement, the practitioner’s conclusion addresses whether the subject matter information is free from material misstatement.

Audit Objective The objective of an audit of financial statements is to enable the auditor to express an opinion whether the financial statements are prepared, in all material respects, in accordance with an applicable financial reporting framework.

Audit committee A sub-committee of the Board of Directors, composed of a majority of independent directors, that oversees the financial reporting and external and internal audit functions within an entity.

Audit documentation is the written record that forms the basis for the auditor’s conclusions. Also known as work papers or working papers.

Audit evidence Information used by the auditor in arriving at the conclusions on which the auditor’s opinion is based. Audit evidence includes both information contained in the accounting records underlying the financial statements and information from other sources.

Audit Plan The document that sets out the planned nature, timing and extent of specific audit procedures to implement the audit strategy and obtain the required evidence relating to specific account balance assertions or classes of transactions.

Audit procedures Procedures that might be used to collect evidence for the audit of the financial statements. Audit procedures are designed to suit the client entity’s nature, its control system and the auditor’s risk assessment.

Audit programme is developed in the audit planning process and lists the audit objectives and procedures to be followed in gathering evidence to test the accuracy of account balances.

Audit Risk The risk that an auditor will express an inappropriate opinion when the financial statement is materially misstated. It is a function of material misstatement and detection risk.

Audit Strategy The initial audit judgement that defines the scope and broad approach to be taken during the audit process based on the auditor’s understanding of the client and its environment.

Auditing a systematic process of objectively obtaining and evaluating evidence regarding assertions about economic actions and events to ascertain the degree of correspondence between those assertions and established criteria and communicating the results to interested users.

Auditor’s expert A professional other than an accountant (e.g. a lawyer, a valuer or a geologist) who has specialist knowledge that enables them to collect appropriate audit evidence for the auditor.

Business Risk The risk that due to significant conditions, events, circumstances, actions or inactions the entity may not be able to achieve its objectives or execute its strategies. A risk that may impact and be reflected in financial statement components.

Chief Information Officer (CIO) Most senior executive of an organisation with responsibility for devising and delivering the IT strategy that supports business goals.

Close members of the family Family members who may be expected to influence, or be influenced by, that person in their dealings with the entity.

Cloud A network of remote servers that can store, manage and process data on IS with virtual hardware (for example, hard drive space), virtual servers (for example, applications) or virtual machines (for example, hosted Windows or Linux operating system environments). The data that is stored, managed and processed may be anywhere in the world.

Code of ethics Professional standards that set out fundamental principles of ethics for professional accountants, reflecting the profession’s recognition of its public responsibility. The principles establish the standards of behaviour expected of a professional accountant in business, in public practice and for independence in audit and other assurance engagements.

Commercial off The Shelf (CoTS) Software Software that can be purchased and close to immediate installation with minimal opportunity for customisation and software development.

Comparative financial statements are identical in form to the current period financial statements and are complete financial statements. If audited, they are referred to in the current auditor’s opinion.

Comparative information amounts and disclosures in respect of prior periods. Includes both comparative financial statements and corresponding figures.

Compensating Control A control that compensates for deficiencies in other controls implemented in the system. For example, close supervision is a control that compensates for a lack of segregation of duties in small teams where such controls are impractical.

Completeness The extent to which the information managed in an information system is a full and whole representation of the real-world concepts represented by the system.

Compliance audit An engagement where an audit is undertaken to determine whether an entity has complied with specified policies, procedures, laws and regulations. These engagements can be undertaken by internal or external auditors.

Compliance framework Is used to refer to a financial reporting framework that requires compliance with the requirements of the framework, but does not:
(i) acknowledge explicitly or implicitly that, to achieve fair presentation of the financial statements, it may be necessary for management to provide disclosures beyond those specifically required by the framework; or
(ii) acknowledge explicitly that it may be necessary for management to depart from a requirement of the framework to achieve fair presentation of the financial statements.

Component An entity or business activity for which group or component management prepares financial information that should be included in the group financial statements.

Component auditor An auditor who, at the request of the group engagement team, performs work on financial information related to a component for the group audit.

Component management Management responsible for the preparation of the financial information of a component.

Component materiality The materiality for a component determined by the group engagement team.

Conceptual framework The approach that professional accountants are to apply to identify, evaluate and address threats to compliance with the fundamental ethical principles. It involves the professional accountant identifying any threats to the fundamental principles, evaluating their significance, and either applying safeguards to reduce it to an acceptable level based on a reasonable and informed third party test or if no safeguards are available, eliminating the circumstances or declining or discontinuing an engagement.

Confirmations a response to an auditor’s request for information from a confirming external party.

Consultation includes discussion within the engagement team and with individuals who have specialized expertise.

Control Risk A component of the risk of material misstatement. The risk that a misstatement could occur in an assertion about a class of transactions, account balance or disclosure and that could be material either individually or when aggregated with other misstatements, will not be prevented, detected and corrected on a timely basis by the entity’s internal control.

Conversion cycle The conversion cycle represents those activities in the organisation that convert the inputs received (expenditure cycle) into the outputs supplied by the organisation (revenue cycle). Usually, inputs are acquired in the expenditure cycle, converted as required in the conversion cycle and delivered to customers in the revenue cycle.

Corporate Governance the system used by an entity to direct and control its activities to achieve its strategic objectives, to be accountable to its stakeholders, to ensure the rights of those stakeholders are honoured by those responsible and to ensure compliance with applicable legal and social requirements.

Corresponding figures are only relevant as an aid to understanding the current period financial statements. They are not complete financial statements.

Criteria The benchmark used to evaluate or measure the subject matter, including where relevant, benchmarks for presentation and disclosure. Suitable criteria are required for reasonably consistent evaluation or measurement of a subject matter within the context of a professional judgement.

Cyber-Attack An attempt by online criminals to damage, destroy or disable an organisational network, IT infrastructure or information system through the internet.

Cyber-Security The activities needed to protect an organisational network, IT infrastructure or information system from cyber-attack.

Database Management System (DBMS) A central software system that allows data records to be managed (created, replaced, updated and deleted) and provides applications with access to data.

Data Centre A facility that groups together IT hardware in a single location, usually for the storage, management and processing of data.

Data Lake The storage of a large repository of untransformed enterprise data from many different structured and unstructured data sources as a single virtual data resource. The data stored in a data lake is consequently unrelated and, possibly, inconsistent. The data lake can be supported by a data centre or hosted in the cloud.

Database A repository of enterprise data, usually in support of an enterprise activity. Amongst other design choices, a database can be a navigational (networked, hierarchical or networked-hierarchical), relational, object-oriented or NoSQL database.

Database Administrator (DBA) An organisational role in the IT Team with responsibility for database planning, design, implementation, operation, maintenance and future requirements planning.

Detection Risk The risk that the procedures performed by the auditor to reduce audit risk to an acceptably low level will not detect a misstatement that exists and that could be material, either individually or when aggregated with other misstatements.

Direct assistance The use of internal auditors to perform audit procedures under the direction, supervision and review of the external auditor.

Direct engagement A party other than the auditor retains responsibility for the subject matter but does not make a written assertion on the subject matter. The auditor measures and evaluates the subject matter and provides that information and opinion in the auditor’s report.

Disclaimer of opinion It is expressed when the auditor is unable to obtain sufficient audit evidence on which to base an opinion and the auditor concludes that the possible effects of undetected misstatements could be material and pervasive to the financial statements.

Electronic Business (e-business) Business activities that are done using or with the support of the internet but not involving the purchase or sale of goods and services.

Electronic Commerce (e-commerce) E-commerce is the buying or selling of goods over the internet with IS.

Emphasis of Matter Matter included in the auditor’s report to direct users of the financial statements to a matter that has been discussed appropriately in the financial statements.

Engagement circumstances the context in which the engagement is being conducted.

Existing auditor is used to describe the last appointed auditor (incumbent auditor). Where the ‘existing auditor’ is being replaced with another auditor, they become the ‘outgoing auditor’.

Expenditure cycle The expenditure cycle represents those activities in the organisation that acquire the goods and services needed to deliver goods and services to customers. Usually, inputs are acquired in the expenditure cycle, converted as required in the conversion cycle, and delivered to customers in the revenue cycle.

External Service Provider A third-party provider of services used by the organisation; usually these services are specialised IT services or IT services that can be provided more effectively and/or efficiently than if the organisation provided these services on its own.

eXtreme Programming (XP) An agile system development methodology that focusses on frequent releases of software code and aims to use extreme best practices in programming. Often used in conjunction with SCRUM.

Fair value is the price that would be received to sell an asset, or paid to transfer a liability, in an orderly transaction between market participants at the measurement date. It is an exit price.

Financial Report Formal records of the financial activities and position of an entity. The records are prepared according to a set of rules as to how to account for business activities (International Financial Reporting Standards) and audited according to a set of rules as to how to determine the risk of material misstatement (International Standards on Auditing).

Financial statement audit An audit undertaken to provide reasonable assurance that financial statements prepared by management are in accordance with the applicable financial reporting framework, to enhance the degree of confidence of intended users in the financial statements.

Financial statement statutory auditor An external auditor appointed by a company’s shareholders under the Companies Ordinance to undertake an audit of the company’s financial statements and report to shareholders.

Governance Describes the role of person(s) in organisations with responsibility for the direction of the entity and obligations relating to the accountability of the entity.

Group All the components whose financial information is included in the group financial statements. A group always has more than one component.

Group audit The audit of group financial statements.

Group audit opinion The audit opinion on the group financial statements.

Group engagement partner The partner or other person in the firm who is responsible for the group audit engagement and its performance, and for the auditor’s report on the group financial statements that is issued on behalf of the firm. Where joint auditors conduct the group audit, the joint engagement partners and their engagement teams collectively constitute the group engagement partner and the group engagement team. This HKSA does not, however, deal with the relationship between joint auditors or the work that one joint auditor performs in relation to the work of the other joint auditor.

Group engagement team Partners, including the group engagement partner, and staff who establish the overall group audit strategy, communicate with component auditors, perform work on the consolidation process, and evaluate the conclusions drawn from the audit evidence as the basis for forming an opinion on the group financial statements.

Group financial statements Financial statements that include the financial information of more than one component. The term ‘group financial statements’ also refers to combined financial statements aggregating the financial information prepared by components that have no parent but are under common control.

Group management Management responsible for the preparation of the group financial statements.

Group-wide controls Controls designed, implemented and maintained by group management over group financial reporting.

Historical financial information Information expressed in financial terms in relation to a particular entity derived primarily from the entity’s accounting system, about economic events occurring in past time periods, or about economic conditions at points in time in the past.

Hong Kong Standards on Auditing (HKSA) The Hong Kong version of the International Standards on Auditing (ISAs) published by the International Federation of Accountants.

Hosting A third-party service provider of IT services such as data storage, processing or management, or virtual services (application services, website hosting or virtual machines). Hosting may be provided through the cloud or through the host’s own data centre.

Incompatible duties Duties that are incompatible should not be performed by the same role according to the general control of segregation of duties.

Incoming auditor is the newly appointed auditor (i.e. the auditor nominated for the current period who did not audit the preceding period’s financial statements). If the person has not been appointed as auditor yet, but has been invited to become the new auditor, they are referred to as the ‘prospective incoming auditor’ until formally appointed.

Independence A state of mind or avoidance of circumstances that permits an opinion without being, or being seen to be, affected by influences that compromise professional judgement, allowing an individual to act with integrity, objectivity and professional scepticism.

Information processing controls Controls relating to the processing of information in IT applications or manual information processes in the entity’s information system that directly address risks to the integrity of information (i.e. the completeness, accuracy and validity of transactions and other information).

Information risk The risk of making incorrect decisions because of incorrect or unreliable information.

Information Systems (IS) An information system is made up of the technology (hardware and software), the process (a policy or procedure that mandates the way in which the system is used) and the people that use the technology according to the processes set out.

Information Technology (IT) Technology (including computing hardware and software) that stores, retrieves and sends information electronically.

Infrastructure The basic physical and report transactions or information and include
organisational structures that provide the data warehouses and report writers. IT
foundation for the operation of an organisation’s infrastructure comprises the network, operating
hardware and software platform. systems and databases and their related hardware
Inherent Risk A component of the risk of material and software. IT processes to manage access to
misstatement. The susceptibility of an assertion the IT environment, manage change and IT
about a class of transactions, account balance or operations.
disclosure to a misstatement that could be IT Strategy The IT strategy sets out proposed
material, either individually or when aggregated changes to the IS investment at the entity, and
with other misstatements, before consideration of how the changes to IT are to be executed in line
any related controls. with the business strategy.
Inherent risk factors Characteristics of events or Key audit matters Those matters that, in the
conditions that affect susceptibility to auditor’s professional judgment, were of most
misstatement, whether due to fraud or error, of significance in the audit of the financial statements
an assertion about a class of transactions, account and are selected from those communicated with
balance or disclosure, before considering controls. those charged with governance.
Such factors may be qualitative or quantitative, Limited assurance engagement An engagement
and include complexity, subjectivity, change, where assurance engagement risk is reduced to
uncertainty or susceptibility to misstatement due an acceptable level in the circumstances of the
to management bias or other fraud risk factors engagement, but where the risk is greater than
insofar as they affect inherent risk. for a reasonable assurance engagement. Provides
Inspection procedures designed to provide the basis for a negative expression of opinion
evidence of compliance by engagement teams generally identified with a review engagement.
with the firm’s quality control policies and Listed issuer means a company listed on the Main
procedures. Board or Growth Enterprise Market (GEM)
Intended users The person, persons or class of of the SEHK.
persons for whom the assurance practitioner Management Those with executive responsibility
prepares the assurance report. The responsible for the conduct of the entity’s operations. For
party can be one of the intended users, but not some entities, management includes some or all
the only one. of those charged with governance.
Internal audit function A function within an Management’s expert A professional hired or
entity that performs assurance and consulting employed by management to prepare estimates,
activities designed to add value to the entity by valuations and disclosures to be used in the
evaluating and improving the effectiveness of the financial reports
entity’s governance, risk management and Material Misstatement In the context of a
internal control processes. financial audit, a material misstatement of the
Internal Control System The system of physical, information in a financial report is so inaccurate,
general and application controls that provide incomplete or invalid that it could affect the
assurance that the organisation’s objectives are decisions of a user of a financial report.
addressed efficiently and effectively, reported Modified opinion a qualified opinion, an adverse
reliably and comply with relevant laws, opinion or a disclaimer of opinion on the financial
regulations and policies. statements.
IT Committee An organisational structure that Monitoring an ongoing consideration and
provides a forum for the IT department provider evaluation of the firm’s system of quality control,
of services to meet with business unit recipients including a periodic inspection of a selection of
of services and set priorities for the planning, completed engagements, designed to provide the
building, running and managing of the firm with reasonable assurance that its system of
organisation’s IT infrastructure and IS. quality control is operating effectively.
IT environment The IT applications and supporting Monetary unit sampling the key characteristic
IT infrastructure, as well as the IT processes and of MUS is the definition of the sampling unit
personnel involved in those processes, that the as $1.
entity uses to support business operations and
Non-assurance engagements engagements that
achieve busines strategies. An IT application is the
provide no assurance on a particular subject
program(s) used to initiate, process, record and

908

M13_b02.indd 908 1/26/2021 2:37:58 PM


G L O S S A R Y O F T ER M S

matter based on the entity’s requested audit procedures.

Non-statistical samples samples selected by haphazard, block or directed selection.

Non-statistical sampling samples that are selected and evaluated using ‘professional judgement’, which is highly subjective and differs between auditors.

Other information Financial or non-financial information (other than the financial statements and the auditor’s report thereon) included in an entity’s annual report.

Overall audit strategy Sets the scope, timing and direction of the audit and guides the development of the more detailed audit plan.

Performance audit An audit of an entity’s activities and operations to assess economy, efficiency or effectiveness.

Performance Materiality The amount or amounts set by the auditor at less than materiality for the financial report as a whole to reduce to an acceptably low level the probability that the aggregate of unrecorded and undetected misstatements exceeds materiality for the overall financial statements.

Pervasive A term used, in the context of misstatements, to describe the effects on the financial statements of misstatements or the possible effects on the financial statements of misstatements, if any, that are undetected due to an inability to obtain sufficient appropriate audit evidence. Pervasive effects on the financial statements are those that, in the auditor’s judgment:
1. Are not confined to specific elements, accounts or items of the financial statements;
2. If so confined, represent or could represent a substantial proportion of the financial statements; or
3. In relation to disclosures, are fundamental to users’ understanding of the financial statements.

Practice review is a quality assurance programme that covers the provision of audit and other related assurance services in Hong Kong by firms, corporate practices and individual practising certificate holders (practice units).

Practice unit The term to describe the person or entities that can be appointed as financial statement auditors under the Companies Ordinance. They can be individual CPAs, a partnership of CPAs or CPAs structured as a corporate practice.

Practitioner an HKICPA ‘professional accountant’ in public practice.

Preconditions Factors, agreements and discussions the practitioner needs to have prior to accepting or continuing the engagement. The practitioner’s assessment is based on their preliminary knowledge of the engagement.

Predecessor auditor The auditor from a different audit firm, who audited the financial statements of an entity in the prior period and who has been replaced by the current auditor.

Predictive analytics Analytic models of the relation between a sampling unit and one or more known attributes of that unit designed to assess the likelihood that a similar unit will exhibit the same characteristics.

Professional scepticism An attitude that includes a questioning mind, being alert to conditions which may indicate possible misstatements due to error or fraud, and a critical assessment of evidence.

Professional standards Hong Kong Standards on Auditing (HKSAs) and relevant ethical requirements.

Qualified opinion An opinion in which the auditor concludes that misstatements are material, but not pervasive, to the financial statements.

Quality control a part of quality management focused on fulfilling quality requirements.

Quality culture includes clear, consistent, and frequent actions like training seminars, meetings, dialogue, mission statements and newsletters that emphasize the firm’s quality control policies and procedures, and a culture that recognizes and rewards high-quality work.

Quality management includes quality control, quality planning, quality assurance and quality improvement.

Reasonable assurance engagement An engagement where assurance engagement risk is reduced to an acceptably low level in the circumstances of the engagement as the basis for a positive expression of opinion of the practitioner’s conclusion. Generally identified as a high level of assurance and associated with audit engagements.

Related party A person or entity that is related to the entity that is preparing its financial statements (referred to here as the ‘reporting entity’).

Related party transaction A transfer of resources, services or obligations between a reporting entity and a related party, regardless of whether a price is charged.

Relevant ethical requirements are those to which the engagement team and engagement quality control reviewer are subject, and which comprise Chapters A, C, D, E and F of the HKICPA’s Code of Ethics for Professional Accountants (the Code).

Responsible party The person or persons who in an assertion-based engagement is responsible for the subject matter information (the assertion) and may be responsible for the subject matter. In a direct reporting engagement, the responsible party is responsible for the subject matter.

Revenue cycle The revenue cycle represents those activities in the organisation that provide the goods and services paid for by customers. Usually, inputs are acquired in the expenditure cycle, converted as required in the conversion cycle and delivered to customers in the revenue cycle.

Review is oversight of the work of less experienced team members by experienced members to ensure it has been performed in accordance with professional standards and applicable legal and regulatory requirements.

Review engagement See limited assurance engagement.

Risk assessment procedures The audit procedures designed and performed to identify and assess the risk of material misstatement, whether due to fraud or error, at the financial statement and assertion levels.

Risk of Material Misstatement The risk that the financial statement is materially misstated prior to the audit. At the assertion level it comprises inherent and control risk.

Safeguards Actions, individually or in combination, that the professional accountant undertakes that effectively reduce threats to compliance with the fundamental ethical principles to an acceptable level.

Sampling risk is the risk that sample characteristics will not represent the population.

SCRUM An agile system development methodology that sets out best practices for the management of a systems development team. The methodology relies upon a Scrum Master, and uses short sprints to focus on the delivery of minimal viable products. SCRUM is often used with eXtreme Programming.

Segregation of duties Segregation of duties is a general control, and is intended to reduce the opportunity for fraudulent collusion or errors by ensuring that incompatible duties are not performed by the same individual. That is, authorising a transaction is performed by a different role from the one that processes the transaction, custody of an asset is by a different role to the one that keeps records about the asset, and generally keeping roles separate so that collusion is required to perpetrate a fraud. Segregation of duties is relevant in considering both non-IT controls and controls that rely on IT (ITGC or application controls).

Self-regulation Activities undertaken by the HKICPA as a professional organisation to regulate those who can become Certified Public Accountants, and to impose requirements that govern the behaviour of CPAs and impose sanctions for non-compliance with those requirements.

Service auditor is the auditor of a service organisation.

Service organisation is an organisation that provides services to an entity that have an impact on the entity’s information system and financial statements.

Shared Service A shared service supports several business units within an organisation. In the context of IT, a shared service usually relates to the services required to support an information system or resource used and paid for by several business units.

Significant component A component identified by the group engagement team (i) that is of individual financial significance to the group, or (ii) that, due to its specific nature or circumstances, is likely to include significant risks of material misstatement of the group financial statements.

Significant Risk An identified and assessed risk of material misstatement that in the auditor’s judgement requires special audit consideration.

Statistical samples samples that are selected either by random selection or systematic selection.

Statistical sampling applying statistical methods to sampling. Allows the auditor to calculate sampling risk when planning the sample and again when evaluating the sample.

Statutory audit An audit undertaken in compliance with the requirements of the Companies Ordinance.

Software Development Life Cycle (SDLC) Sometimes referred to as the system development life cycle, the SDLC is an approach to the development of software that emphasises
documentation, formal stages and the early specification of systems requirements. The SDLC is often contrasted with agile development methodologies.

Subject matter information The outcome of the evaluation or measurement of the subject matter. It is the subject matter information about which the practitioner gathers sufficient appropriate evidence to provide a reasonable basis for expressing a conclusion in an assurance report.

Special Purpose Framework A financial reporting framework designed to meet the financial information needs of specific users. The financial reporting framework may be a fair presentation framework or a compliance framework.

Stratification is used to increase sampling efficiency. Sampling units are grouped, or ‘stratified’, and separate samples are selected from each stratum.

Substantive Procedures Audit procedures designed to detect material misstatements at the assertion level. They comprise tests of detail of classes of transactions, account balances, and disclosures and analytical procedures.

Sufficiency The measure of the quantity of audit evidence. The quantity of the audit evidence needed is affected by the auditor’s assessment of the risks of material misstatement and also by the quality of such audit evidence.

Sufficient appropriate audit evidence Audit evidence that in quality and quantity is adequate to support the auditor’s conclusions and opinion.

Summary financial statements Historical financial information that is derived from financial statements but that contains less detail than the financial statements, while still providing a structured representation consistent with that provided by the financial statements of the entity’s economic resources or obligations at a point in time or the changes therein for a period of time.

Supervision includes tracking the progress of the engagement, considering the competence and capabilities of personnel, addressing matters arising during the engagement and identifying matters for consideration by more experienced engagement team members.

Test of Controls An audit procedure designed to evaluate the operating effectiveness of controls in preventing or detecting and correcting, material misstatements at the assertion level.

Tolerable deviation rate a rate of deviation from prescribed internal control procedures (control failure) set as acceptable by the auditor. The auditor seeks evidence by testing controls that the tolerable rate of deviation is not exceeded by the actual rate of deviation in the population.

Unmodified opinion an opinion expressed by an auditor when the auditor concludes that the financial statements are prepared, in all material respects, in accordance with the applicable financial reporting framework.

User auditor is the external auditor of a user entity.

User entity is an organisation that uses a service organisation to provide information services relevant to its financial statements.

Using the work of an internal auditor Using work performed by internal audit during the course of their work within the entity to reduce the extent or nature of audit procedures undertaken by the external auditor. The work is to be assessed by the external auditor.

Validity The extent to which the information managed in an information system is a meaningful representation of the real-world concept it represents.

Walkthrough The act of going slowly through the steps of a process in order to learn it.

Work papers or working papers The written record that forms the basis for the auditor’s conclusions. Also known as audit documentation.


INDEX

NOTE: Key Terms and their page references are given in bold

A

Acceptable level, 34
Accountability, 15
Accountability relationship, 8, 20
Account balances, 371
Accounting, 438
Accounting estimates, 372–373
Accounts preparation process, 16–17
Accounts receivable turnover ratio, 263, 264
Accuracy of information, 788
Adverse opinion, 595–596
Advocacy, 36
Agile systems development, 810
Agreed-upon procedures (AUP), 708
Agreed-upon-procedures engagement, 13
AML/CFT policies, procedures, and controls, 51, 52
Analytical procedures
  bank and cash, 436
  debt securities, 457
  defined, 259
  effectiveness of, 260
  for marketable financial instruments, 443
  goodwill and intangible assets, 451
  payroll, 431
  property, plant and equipment, 447–448
  purchases cycle, 420–422
  revenue cycle, 412–413
  share capital, 460
Analytical procedures, substantive, 361
  comparisons of financial ratios, 362–363
  multi-period comparisons, 362
  simple comparisons, 362
Application controls, 828–830
Appropriate audit evidence, 330
Appropriateness, 512
Approvals, 339–340
Assertions, 12, 332–334
Assertions about balances, 333, 334
Assertions about classes of transactions and events, 278–279
Assertions about transactions, 333, 334
Assertions, controls and tests of controls
  bank and cash, 434–436
  debt securities, 456–457
  financial instruments, 441–443
  goodwill and intangible assets, 451
  payroll, 429–430
    service organisation outsourcing, 430–431
  property, plant and equipment, 447
  purchases cycle, 418–420
  revenue cycle, 411–412
  share capital, 459–460
Assurance, 6
  Hong Kong Standards and Guidelines for, 29–55
  levels of, 11–15
Assurance engagement risk, 11
Assurance engagements, 6, 7, 693
  acceptance and continuance, 722–725
  contents, 752
  critical distinctions, 701–702
  definition, 8
  ethical requirements of, 719–720
  framework for, 8–9
  greenhouse gas (GHG) statement, 704–705
  Hong Kong framework for, 30
  other than reviews or audits overview, 703–704
  performing, 728
  planning, 727–728
  reasonable, 738–742
  risk, 730
  sampling, 745–746
  scope, 693–698
  terminology, 698–701
Assurance report, 704
Assurance services
  demands for, 20–22
  objectives of, 7–19
Attendance procedures, 426–427
Attestation engagement, 699
Attestation function, 17
Attest engagement, 10
Audit, 7
  attest and direct reporting audits, 10–11
  limitations, 11
Audit assertions and tests of details
  bank and cash, 436–438
  debt securities, 458
  for marketable financial instruments, 443–445
  goodwill and intangible assets, 452–453
  payroll, 431–432
  property, plant and equipment, 448–449
  purchases cycle, 422–425
    inventory count, 425–427
  revenue cycle, 414
  share capital, 461
Audit assurance engagement, 9–10
Audit committee, 5, 49, 96, 122–123
Audit completion, purpose and procedures
  auditor’s objectives, 515
  auditor’s report, 518–521
  communication with, governance, 522
  evaluating managements assessment, 517
  identifying events, 518
  period beyond management’s assessment, 517
  requirements, 516
  risk assessment procedures, 516–517
Audit documentation, 381
  completion of, 383
  overview, 381–382
  preparation of, 382–383
Audit engagement, 408
Audit evidence, 14, 512
  appropriateness/quality, 330
  sufficiency, 330
Auditing, 61, 438
  demands for, 20–22
  Hong Kong Standards and Guidelines for, 29–55
  objectives of, 7–19
Auditing and Assurance Standards Committee (AASC), 29
Auditing Guidelines (AGs), 31
Auditing IT environments, 771–772
Audit Log Scrutineer, 793, 794
Audit methodologies, performance of, 304–305
Audit objective, 11, 225
Audit of financial statements
  accounting regulations, compliance, 535–537
  consistency and reasonableness, 537
  disclosures, 534–535
  treatment, of errors, 537–538
Auditor appointment requirements
  appointed by court, 148
  appointment, as joint auditor, 149
  auditor unpaid fees, 150
  casual vacancy, 150
  company acquired, by new company, 150
  by the company’s members, 148
  by directors of company, 147–148
  incoming auditor, 150–151
  legislative process of, 148–149
  statutory provisions, 151–155
Auditor, change of
  announcement, by listed issuer, 162–163
  auditor resignation, 157–158
  listed issuer, 161–162
Auditor’s attendance planning, 426
Auditor’s experts, 484
  evaluating the adequacy of, 495
  need for, 491–492
  work of, 492–493
Auditor’s reliance on the work of others, 484
Auditor’s report
  addressee, 582
  auditor’s opinion, 582–583
  auditor’s responsibilities, 584–585
  audits of single financial statements, 620–621
  basis for opinion, 583
  communication, 605–606
  directors responsibilities, 584
  format in line, HKSA 800, 618–619
  implications, of materiality, 579–581
  importance of, 579
  KAMs, 583
  legal and regulatory requirements, 585–586
  material misstatement, 605
  material uncertainty, 606
  matter paragraph, 607–609
  modified opinion, 590
  opening balances, 610–614
  other information, 584
  requirements, 586–587
  scope of the standard, 604–605
  small-and medium-sized, 626–628
  summary financial statements, 621–623
  title of, 582
  unmodified opinion, 587–589
Audit plan, 237, 238, 240–243
  development, 250–251
Audit procedures, 408
  other entities, 453–454
Audit procedures for fair values, 374
Audit programme, 336, 408
  for accounts payable, 250–251
Audit risk (AR), 237, 270, 328, 800
  components, 269–275
  defined, 270
Audit risk model, 328
Audit software, 843–844
Audit strategy, 238, 240–243
  entity’s business model, 256
  overall strategy, 247–251
AUP. See Agreed-upon procedures (AUP)
Authorization, 339
Automated controls, 342–343, 790

B

Balance sheet approach, 302–303
Bank and cash
  analytical procedures, 436
  assertions, controls and tests of controls, 434–436
  audit assertions and tests of details, 436–438
  key accounts, 432–433
  risk, 434
Big data, 358–359
Block selection of non-statistical samples, 354
Bond indentures, 455
Business risks, 252

C

Capital, 455
Cash, 349, 433
  cut-off assertion for, 436
  receipts, 348
  transactions, 433
Casual vacancy, 150
Certified Public Accountants (CPAs), 25
Cheque receipts, 433
Cheques, 348
Chief Information Officer (CIO), 765
China Foods Ltd (CFL), 201
Chloe Cheng, 576–577
Client and engagement acceptance procedures, 191
  acceptance, of engagement, 174
  agreed engagement terms, 174–175
  assess preconditions, 168
  auditor appointment requirements, 146–149
  Code of Ethics, 166–167
  engagement letter, 176–179
  engagement risk assessment, 169–173
  ethical requirements, 173–174
  HKSA 220, 166
  HKSQC 1, 165–166
Cloud, 765
Code of ethics, 7
Code of Ethics for Professional Accountants (COE), 31–33, 557
Combined approach, 337
Comfort letters, 709–710
Commercial Off-the-shelf (COTS), 780
Commitment, 539
Communication
  with Audit Committee
    incoming auditor’s requirements, 161
    professional clearance, 159–161
    sharing, resignation letter, 159
  charged with governance
    auditor’s responsibilities, 545
    issues, to communicate, 545–546
    process, 547
  with component auditor, 658–659, 670
  with those charged with governance
    content, 748
    group engagement team, 668
    methods of, 747
    timing of, 747–748
Comparative financial statements, 378
Comparative information, 377
Compensating controls, 785
Compilation engagements, 713–714
Completeness of information, 788
Compliance, 225
Compliance audits, 66, 697
Compliance Officer (CO), 52
Component, 647, 661
Component auditors, 647
  characteristics of, 653–654
  materiality for, 657–658
  report review of, 672
  responsibilities of, 654–656
  visits to, 673
  working papers, 673–677
  work within the group audit, 656–657
Component management, 647
Component materiality, 647
Comprehensive audits, 68
Computer-assisted auditing techniques, 842–843
  audit software, 843–844
  cyber-security safeguard, 847–850
  documentation, 846–847
  test data and testing procedures, 845–846
  weakness identification and recommendations, 852
Computerised business systems
  auditing IT environments, 771–772
  control activities, 770–771
  control environment, 769
  financial statements, 770
  IT department functions, 774–777
  IT department structure, 772–774
  monitoring process, 769–770
  risk assessment process, 769
  system of internal control, 768
Conceptual framework, 32
Confirmations, 368–370
Consolidation process, 666–667
Consultation, 213
Contingencies, 461
  audit programme for, 462–463
Contingent assets, 461
Contingent fees, 40
Contingent liabilities, 461, 538
Continuing connected transactions, 709
Control activities, 339–340
Control risk (CR), 270, 328, 329, 800–801
  defined, 271
  factors affecting the level of, 272
Control tests, 341–344, 356
Conversion cycle, 781
Corporate governance, 95
  accountability, 101
  arrangement’s analysis, 129
  audit committee, 96
  auditor’s responsibilities in, 126–127
  capital markets and preventing corporate failure, 98
  Companies Ordinance (Cap.622), 115–119
    Audit Committee, 122–123
    HKEx Listing Rules, 119–121
    internal control (ISO), 124
    management responsibilities within, 121
    Nomination Committee, 121–122
    Remuneration Committee, 123–124
  external auditors in, 96–97
  fairness, 99
  in Hong Kong
    Corporate Governance Code, 107–109
    Corporate Governance Report (CGR), 109–114
  independence, 99–100
  integrity, 103
  judgement, 102
  managing strategically, 97
  openness and transparency, 99
  probity and honesty, 100
  recommendations, 130
  reputation, 102
  responsibility, 100–101
  Sarbanes–Oxley Act, 127–129
  serving stakeholders, 95–96
Corporate Governance Report (CGR), 109–114
Corporate social responsibility audits, 68–69
Corporate structure, 765
Corrective controls, 791
Corresponding figures, 377
Credibility, 20
Credit card payments, 348
Credit card receipts, 433
Criteria, 8
Cross-sectional regression analysis, 421
Current period reporting, 611
Current ratio, 263
Customer Due Diligence (CDD), 51–54
Customer relationship management (CRM), 797
Customer work completion (CWC) forms, 797
CWaves Ferry Holding Company Limited (CWaves), 576–577, 645, 765–766
CWaves Godown Administration, IT function, 808
CWaves Godown Company, 589, 766
CWaves Godown ITGC environment, 806
CWaves Godown segregation of IT duties, 809
CWaves Godown software development team, 766
CWaves Hotels, 596, 766
Cyber attack, 811
Cyber-security, 848
Cyber-security safeguard, 847–848
  authorised software, 849
  authorised users, 849
  daily backups, 850
  user privileges, 849–850
  using anti-virus software, 848–849
Cycle approach, 344–349

D

Database, 775
Database administrator (DBA), 775
Database management system (DBMS), 816–817
Data centres, 765
Data lake, 780
Data Supremecy V2, 793, 794
Debt securities, 455
  analytical procedures, 457
  assertions, controls and tests of controls, 456–457
  audit assertions and tests of details, 458
  risk, 455–456
Debt to equity ratio, 264
Detection risk (DR), 270, 273–275, 328, 329
  auditor, 801
Detective controls, IT system, 790, 791
Direct assistance, 19, 485, 487
Directed selection of non-statistical samples, 354
Direct engagement, 10
Directional testing, 304
Disclosure assertions, 279
Documentation, 381–383
  of count procedures, 427
  defined, 245
  examples of, 246
  planning activities, 247–251
  preliminary engagement activities, 246–247
Due diligence, 710–711

E

E-commerce, 782–783
E-commerce control issues
  audit procedures, 865–868
  characteristics of, 862–863
  internal controls in, 864–865
Economy level, 258–259, 265–266
Efficiency auditing, 67–68
Electronic business (e-business), 782
Electronic commerce (e-commerce), 767
Electronic transfers, 348, 433
Elements, 225
Emphasis of matter, 588
Engagement. See Assurance engagements; Non-assurance engagements
  circumstances, 699–700
  ethical requirements of, 718–719
  letter, 663
  quality control of, 730–732
  terms of, 726–727
Engagement performance, 226
Engagement Quality Control Review (EQCR), 215–216, 221, 226
Engagements not providing assurance, 698
Engagements providing assurance, 694–698
Enhanced CDD (EDD), 52, 53
Entity level, 257–258, 262–265
Entity’s business model
  audit strategy, 256
  financial performance, 254
  financial reporting framework, 254
  information sources, 257–260
  organizational and external, 253–254
  system of internal control, 254–256
Errors, 360
Ethics
  and independence, 41–49
  for professional accountant
    in business, 36–38
    in public practice, 38–41
Evaluation of audit evidence, 332
Evidence
  sources of, 330–331
  types of, 330
Evidence analysis
  documentation, 750–751
  subsequent events, 749–750
Existing auditor, 147
Expenditure cycle, 781
External auditor, 7, 18–19
External audits, 61–64
External service provider, 766
eXtreme Programming (XP), 766

F

Fair values, 373–374
Familiarity, 36
Financial assets, 438
Financial instruments, 438–439
  analytical procedures for marketable, 443
  assertions, controls and tests of controls, 441–443
  audit assertions and tests of details for marketable, 443–445
  key accounts, 439–440
  risk, 440–441
Financial liabilities, 438
Financial ratios, comparisons of
  debt securities, 457
  payroll, 431
  property, plant and equipment, 447
  purchases cycle, 421
Financial Reporting Council (FRC), 223
Financial reporting systems (FRS), 780, 781
Financial reports, 767
Financial sanctions, 55
Financial statement audit, 7, 10, 14, 61–64
Financial statement fraud, 327, 417
Financial statements, 705–706
  preparation of, 15
  users, 22–23
Flash Ltd, 483
Follow-up, 427
Fraud
  defined, 287
  payroll, 429
  purchases cycle, 417
Fraud risk, 289–290
  assessment process, 288
  factors, 287
Fraudulent financial reporting, 361
Fundamental ethical principles, 33–35
  threats to, 35–36

G

G&E MUSIC (GEM), 326, 406–407
Goodwill, 376, 449–451
  analytical procedures, 451
  assertions, controls and tests of controls, 451
  audit assertions and tests of details, 452–453
  risk, 451
Governance, 5
Gross profit ratio, 264
Group, 647
Group audit opinion, 647
Group audits, 647
  auditor’s objectives, 652
  audit procedures and reporting, 670–677
  Companies Ordinance, 648
  component auditors, 653–659
  group engagement team, 660–662
  group-wide controls, 651–652
  scope and terminology, 646–647
  versus single company audit risks, 664–665
  understanding of, 648–650
Group Data Centre, 766
Group engagement partner, 647, 670
Group engagement team, 647
  component team member’s responsibilities, 662
  partner’s and staff member’s responsibilities, 660–661
Group financial statements, 647
Group management, 647
Group’s consolidation process, 670–672
Group-wide controls, 647, 651–652, 663, 666
Guidelines for Anti-money Laundering and Counter Terrorism Financing, 50–55

H

Hai Cruising Company, 765, 766
Haphazard selection of non-statistical samples, 354
High control risk, 337
Historical financial information, 30
HKEx Listing Rules, 119–121
HKFRS 8, 463
HKICPA Standards on Related Services (HKSRS), 698
HKSA 240, 529
HKSA 250, 530
HKSA 450, 530
HKSA 501, 530
HKSA 501 (Clarified), 463
HKSA 540, 530
HKSA 550, 530
HKSA 560, 530
HKSA 570, 531
HKSA 710, 531
HKSA 560 subsequent events, 523
Hong Kong Auditing Practice Guidance (HKAPG), 31
Hong Kong Business Technology Solutions (HKBuTS), 766
Hong Kong Companies Ordinance (Cap.622), 648
Hong Kong Financial Reporting Standards (HKFRS), 26, 521
Hong Kong Institute of Certified Public Accountants (HKICPA), 203–204
Hong Kong Monetary Authority (HKMA), 522
Hong Kong Standards on Assurance Engagements (HKSAE), 695–696
Hong Kong Standards on Auditing (HKSA), 520, 696, 767
Hong Kong Standards on Investment Circulars (HKSIR), 696
Hong Kong Standards on Review Engagements (HKSRE), 695
Hong Kong Stock Exchange (HKEx), 509, 576, 765
Hosting, 766
Human resources, 212–213
Hung Fu Bank International (Hung Fu), 509, 510
HWA LTD, 236

I

IAASB, 59
Illegal acts, audit completion
  auditor’s responsibilities, to fraud, 556
  laws and regulations, in audit, 557–558
Incoming auditor, 149
Incoming auditor responsibility, 159–161
Incompatible duties, 790
Independence, 7
Independence and ethics, 41–49
Independent external auditor, 15, 17
Industry level, 258, 265
Information risk, 6, 7
Information systems (IS), 767
Information technology (IT), 767, 771
  application IT controls, 814–815
    auditing, computerised business systems and controls, 821–832
    documentation of, 817–819
    input controls, 814
    master file/database controls, 816–817
    output controls, 816
    processing controls, 815–816
  definition, 771
  department functions, 774–777
  department structure, 772–774
  environment
    E-commerce, 782–783
    financial reporting systems, 781
    internal control system, 779
    networked systems, 783–784
    new systems implementation, 780–781
    PC systems, 784–785
  internal controls specific to
    administration of IT function, 807–808
    backup and contingency planning, 811–813
    general and application, 805–806
    hardware controls, 813
    physical and online security, 810–811
    segregation of IT duties, 808–809
    systems development, 809–810
Infrastructure, 765
Inherent risk, 270–271, 328, 800, 801
Initial audit engagements, 376
Inland Revenue Department (IRD), 578
Input controls, 814
Insolvency practitioners, 50
Inspection, 217
Intangible assets, 449–451
  analytical procedures, 451
  assertions, controls and tests of controls, 451
  audit assertions and tests of details, 452–453
  risk, 451
Intended users, 8
Internal Audit Charter, 65
Internal audit function, 7, 18
Internal auditors, 7, 18–19
  documentation, 490
  functions, 485
  recommended improvements to, 490
  work of, 485–489
Internal audits, 17–18, 64–66, 666
Internal control (ISO), 124
Internal control components, 337–338
Internal control system, 779
International Ethics Standards Board for Accountants (IESBA), 32
International Federation of Accountants (IFAC), 29, 58–59
International Forum of Independent Audit Regulators (IFIAR), 221–222
International Organisation of Securities Commissions (IOSCO), 60
International Standards on Quality Management (ISQM 1 and ISQM 2), 224
Intimidation, 36
Inventory count, purchases cycle, 425–427
Inventory purchases cycle, 415
Inventory turnover ratio, 264
Inventory valuation errors, 417–418
Investment circular reporting engagements, 696, 706–708
IT. See Information technology (IT)
IT Committee, 766
IT general controls (ITGC), 789, 805, 824–827
IT strategy, 787
  assessing and advising on the risks of
    audit risk assessment, 796
    conversion cycle, 795
    expenditure cycle, 795
    revenue cycle, 796
  assessing audit risk, 800–802
  internal control, 789–792

J

James’ EasyAccount Pro, 792, 793
Judgmental sampling, 354

K

Keeson Inc, 5
Key Audit Matters (KAMs), 576, 583, 600
  communicating, 601–604
  determining, 600–601

L

Landscape Ninja 2, 793
Levels of assurance, 11–15
Liabilities and equity, 454–455
  debt securities, 455–458
  provisions and contingencies, 461–463
  share capital, 458–461
Limited assurance engagement, 9, 11–12, 695
Liquidation, 50
Logical controls, 340
Long-term liabilities, 455
Low control risk, 337

M

Management, 5
Management’s expert, 484, 495
Manchu Kang, 538
Manual control activities, audit procedures for, 343
Master file/database controls, 816–817
Materiality
  assurance engagements, 729
  for component auditors, 657–658
  defined, 294
  financial reporting framework, 297–298
  payroll, 428
  purchases cycle, 416
  setting limits, 295–297
Material misstatement, 498, 667–668, 767
Medium control risk, 338
Ming Wa Company, 524
Misappropriation of assets, 288, 360
  payroll, 428
  purchases cycle, 417
Misstatements
  accumulation, 542–543
  auditor’s objectives, 542
  defined, 297
  prior-year misstatements, 543–544
  qualitative and quantitative considerations, 544
  uncorrected misstatements, 544
Modern purchasing system, 416
Modified opinion
  adverse opinion, 595–596
  disclaimer of opinion, 597–599
  qualified opinion, 591–594
Monetary unit sampling (MUS), 354–355
Money Laundering Reporting Officer (MLRO), 52
Monitoring, 203, 217, 226
Multi-period comparisons
  financial instruments, 443
  payroll, 431
  property, plant and equipment, 447
  purchases cycle, 421

N

Net profit ratio, 264
Nomination Committee, 121–122

Non-assurance engagements, 693 Practice unit, 27


acceptance and continuance, 725–726 Practitioner, 699
contents, 752–753 Predecessor auditor, 610
critical distinctions, 701–702 Predictive analytics, 358
ethical requirements of, 720–721 Predictive models, 359
performing, 728 Preliminary analytical procedures, 266
planning, 727–728 Preliminary announcement of annual results, 708–709
sampling, 746 Presentation assertions, 279
Non-compliance with laws and Preventive controls, 790
regulations, 291–293 Preventive, detective, and corrective (PDC)
Non-current assets, 445 controls, 790
goodwill and other intangible assets, 449–453 Procedures planning, 514–515
interests in other entities, 453–454 Processing controls, 815–816
property, plant and equipment, 445–449 Professional accountant
Non-significant components, 649, 650, 669 AML/CFT, Guidelines for, 50–55
Non-statistical samples, 354 ethics for
Non-statistical sampling, 354 in business, 36–38
in public practice, 38–41
fundamental ethical principles, 34–35
O
Professional Accountants Ordinance (PAO), 25
Obsolescence, 417 Professional scepticism, 8
Ongoing Monitoring Implementation, 51, 54 Professional standards, 29–31
Opening balances, 377 Profit forecasts, 707–708
Opening balances, initial engagement Pro forma financial information, 705
procedures, 184–187 Property, plant and equipment (PPE), 445–446
Operational audits, 67–68, 697 analytical procedures, 447–448
Organization for Economic Cooperation and assertions, controls and tests of controls, 447
Development (OECD), 104–106 audit assertions and tests of details, 448–449
Other entities. See Variable interest entities risk, 446
Outgoing auditor, 150 Prospective incoming auditor, 159
Output controls, 816 Provisions, 461
Overall audit strategy, 61 audit programme for, 462–463
PurchasePro, 819
Purchases cycle
P
analytical procedures, 420–422
Parallel Simulation technique, 845 assertions, controls and tests of
Payroll controls, 418–420
analytical procedures, 431 audit assertions and tests of details, 422–425
assertions, controls and tests of inventory count, 425–427
controls, 429–430 key accounts, 414–415
service organisation outsourcing, 430–431 inventory, 415
audit assertions and tests of details, 431–432 modern purchasing system, 416
key account, 427–428 steps in, 415–416
risks risks
fraud, 429 fraud, 417
materiality, 428 inventory valuation errors, 417–418
misappropriation of assets, 428 materiality, 416
Performance audits, 67–68, 697 misappropriation of assets, 417
Period end account balance assertions, 279 recognition, 417
Perpetual inventory system, 415, 425, 426
Personal computers (PCs), 780, 784–785
Q
Physical controls, 340
Politically Exposed Person (PEP), 54 QC. See Quality control (QC)
PPE. See Property, plant and equipment (PPE) Qualified opinion, 591–594
Practice Notes (PNs), 31, 696 Quality auditor, 509
Practice review, 203 Quality audits, 225


Quality control (QC), 203 Responsible party, 8


documentation of, 220–221 Return on assets ratio, 264
framework of, 218, 219 Revenue cycle, 344, 409, 781
FRC, 223 accounts in, 345
HKICPA, 203–204 analytical procedures in, 363–365, 412–413
IAASB framework for audit quality, 204–206 assertions, controls and tests of
IFIAR, 221–222 controls, 411–412
ISQM 1 and ISQM 2, 224 audit assertions and tests of details,
requirements 366, 367, 414
elements of a system, 209 inherent risk in, 346
engagement performance, 213–216 key accounts, 409–410
engagements acceptance and risk, 410–411
continuance, 211–212 Review, 213
HKSQC 1 and HKSA 220, 208–209 Review engagements, 12, 14, 702–703
human resources, 212–213 Review of published information
leadership responsibilities for, 209–210 contingent liabilities and commitments, 538–539
monitoring quality control policies and requirements and procedures, 539–541
procedures, 217–218 Review opinions, interim financial statements
relevant ethical requirements including auditor’s opinion vs. conclusion, 616–617
independence, 210–211 reporting nature, 615–616
scope, 207 Risk-based auditing, 299–300
terminology, 207 Risk-based audit strategy and plan, 329
Quality culture, 209 Risk of material misstatement, 237, 270, 287
Quality management, 207 at financial statement level, 278
Quick ratio, 263 identifying and assessing, 252
Risks
bank and cash, 434
R
debt securities, 455–456
Random selection of statistical samples, 354 financial instruments, 440–441
Reasonable assurance engagement, 9, 11, 695 goodwill and intangible assets, 451
Reasonable assurance engagements, 738–742 other entities, 453
Recognition, purchases cycle, 417 payroll
Reconciliations, 340 fraud, 429
Record keeping, 55 materiality, 428
Referral fees, 40 misappropriation of assets, 428
Regression models, 359 property, plant and equipment, 446
Regulation, 24–28 purchases cycle
Regulation and oversight, 226 fraud, 417
Regulators, role of, 24–28 inventory valuation errors, 417–418
Regulatory bodies, 25 materiality, 416
Regulatory framework, 225 misappropriation of assets, 417
Related party, 378 recognition, 417
auditor’s objectives, 549 revenue cycle, 410–411
communication, 555 share capital, 459
definition, 550
evaluation of, accounting, 555
S
relationships and transactions, 528
responses to risks, 552–554 Safeguards, 32
risk assessment procedures, 550–552 to threats, 36
written representations and documentation, 555 Sales, 348
Related party transaction, 378–379 Sales revenue, 410
Relevance of evidence, 330 Sample deviation rate, 356
Relevant ethical requirements, 209 Sample evaluation
Reliability of evidence, 330–331 Big data, 358–359
Remuneration Committee, 123–124 control tests, 356
Reporting supply chain, 225 substantive tests, 357–358


Sample quality, 354–355 Stock Exchange of Hong Kong (SEHK), 25, 145
Sample size, 355–356 Stratification, 354, 355
Sampling, 743–746 Subject matter information, 8, 700–701, 734–738
overview, 352–353 Subsequent events, 749–750
units, 353 Subsequent events review
Sampling risk, 353–356 auditor objectives, 523
Sarbanes–Oxley Act (SOX), 127–129 audit procedures, 524–526
SCRUM, 766, 780 requirements, 524
Securities and Futures Commission (SFC), 25, 163 types of, 523–524
Securities and Futures Ordinance (SFO), 25 Substantive procedures, 242, 360
Segment information, 463–464 analytical procedures, 361–365
Segregation of duties, 340, 792 confirmations, 368–370
Self-interest, 35 description, 360
Self-regulation, 24 tests of details, 365–367
Self-review, 35 Substantive tests, 357–358, 830–832
Semi-automated controls, IT systems, 790 Sufficiency, 512
Service auditor, 496 Sufficient appropriate audit evidence, 511–514
Service organisation, 484, 496–498, 704 Sufficient appropriate audit evidence, 10
Serving stakeholders, 95–96 Sufficient audit evidence, 330
Share capital, 458 Summary financial statements, 621
analytical procedures, 460 Supervision, 213
assertions, controls and tests of Suspicious Transaction Report (STR), 54–55
controls, 459–460 Systematic selection of statistical samples,
audit assertions and tests of details, 461 354
risk, 459 System-based auditing, 301
Shared service, 775 System of internal control, 254–256, 768
Shareholder’s equity, 458 control activities, 286–287
Significant component, 647, 649 control environment, 282–283
Significant risks, 248, 287 information processing system, 285–286
defined, 279 monitoring of controls, 284–285
Simplified CDD (SDD), 52, 53 risk assessment process, 283
Small- to medium-sized enterprises (SMEs), 509
Software development life cycle (SDLC), 780
Special purpose frameworks, 578
T
Staff hiring and training, 55
Standards, 226 88 Tandi Company, 94
Standards on Assurance Engagements Terrorist financing, 55
(HKSAEs), 30 Tests of controls, 242
Standards on Auditing (HKSAs), 30 control activities, 339–340
Standards on Investment Circular Reporting control tests, 341–344
Engagements (HKSIRs), 31 cycle approach, 344–349
Standards on Quality Control (HKSQCs), 30 evaluation of, 350
Standards on Related Services (HKSRSs), 31 internal control components, 337–338
Standards on Review Engagements (HKSREs), 30 Tests of details
Statement of financial position approach, 302–303 of account balances, 366, 367
Statement of indebtedness, 707, 708 of classes of transactions, 365
Statistical samples, 354 Threats, to the fundamental principles,
Statistical sampling, 354 35–36
Statutory auditor, 28 Timing, 332
Statutory audits, 21 Tolerable deviation rate, 350
Statutory provisions Top-down auditing, 300–301
auditor cease, 153 Trade receivables, 349
auditor resignation, 151–152 Transaction cycle approach, 303–304
termination, 153–155 ‘Trojan’ malware, 849


U W
Unmodified opinion, 580 Winner Company, 611
User auditor, 496 Wonder Travel Company, 594, 765, 766
User entity, 496 Work papers, 381–383
UserVerify Protect, 792 Written representations, from management
auditor objectives, 527
form of, 531–533
V
new companies ordinance, 531
Validity of information, 788 by other HKSAs, 529–531
Value for money audits, 67–68 reliability of, 533
Variable interest entities responsibilities, 527–529
audit procedures, 453–454
risk, 453
Y
Verifications, 340
VFM audits, 697–698 Yay Manufacturing Company Limited (Yay), 145

QUALIFICATION PROGRAMME

HKICPA Qualification: A Pathway to Success
The Qualification Programme (QP) of the Hong Kong Institute of CPAs (HKICPA)
provides a pathway for the development of world-class practicing accountants. The
HKICPA is the only body authorized by law to register and grant practising certificates
to certified public accountants in Hong Kong. Members of the Institute are entitled to
the description ‘certified public accountant’ and to the designation CPA.

Since 1973, the HKICPA (previously known as the Hong Kong Society of Accountants)
has worked to further the public interest by regulating and promoting efficient
accounting practices in Hong Kong. Through its efforts, the Institute has helped
secure Hong Kong’s position as an international financial centre.

The QP aims at providing accountants with the knowledge base they need to meet
future market needs. Successful participants develop skills by completing training
courses, passing examinations and acquiring practical experience.

The QP consists of three levels. At the Associate Level, participants develop a solid
technical foundation. The aim of the Professional Level is to deepen technical
capabilities. The Capstone integrates knowledge, skills and experiences and applies
them to business problems.

The QP provides accountants with relevant and portable skills that enhance their
employability and opens the door to opportunities in Hong Kong and around
the world!

The Hong Kong Institute of Certified Public Accountants


37th Floor, Wu Chung House, 213 Queen’s Road East, Wanchai, Hong Kong
Tel: (852) 2287 7228
Fax: (852) 2137 3293

www.hkicpa.org.hk
