ABFA 3114 Principle of Audit

School of Business Studies

ABFA 3114 PRINCIPLES OF AUDITING

ABFA3114 Principles of Auditing

TABLE OF CONTENT

A Syllabus and Course Strategy

Unit Plan

Assessment Format

B Chapter

1: Introduction to Auditing

2: Regulatory Framework and Professional Ethics

3: Auditor‟s Report

4: Accounting and Internal Control Systems

5: Audit Evidence

6: Audit Procedures

7: Audit Risk and Materiality

8: Audit Planning and Control

9: Auditing Cash & Bank System

10: Auditing Property, Plant & Equipment

11: Computer in Auditing


Course Strategy and Syllabus

Unit title : Principles of Auditing

Unit code : ABFA 3114

Level of study : 3

Credit point : 4

School offering this unit : School of Business Studies

Class contact Hours

Average Weekly : 4

-Lecture : 3

-Tutorial : 1.5

-Practical : none

Semester : 7

Assessment mode : Examination (60%) Coursework (40%)

Pre-requisite unit : none

Co-requisite unit : none

Rationale

The unit introduces students to the role of external audit, a core activity in the

accountancy profession. Accounting students at this level must have an

understanding of the role and responsibility of the external auditor in relation to

an independence audit and the principles that bind the auditor.

Aims

1. To provide students with a basic understanding of the nature, purpose and

scope of a statutory audit


2. To equip students with basic knowledge of an audit process and the

general auditing procedures an external auditor undertakes to achieve the

audit objectives

3. To enable students to apply their knowledge in the audit of Property,

Plant and Equipment (PPE) and Cash and Bank systems.

Anticipated Learning Outcomes

On completion of this unit, students should be able to :

1. Explain the development, nature, purpose and scope of an audit in

relation to the regulatory framework that affects or binds the auditor

2. Demonstrate an understanding of audit risk assessment.

3. Apply the internal control systems in PPE and cash and Bank system

4. Explain the key audit procedures to be performed in relation to a given

audit objective

5. Demonstrate an understanding of the elements and types of audit report.

Syllabus Content

1. Nature, purpose, scope and regulatory framework of auditing (20%)

2. An understanding of audit planning and audit strategy and audit evidence

(25%)

3. Accounting system and internal control (20%)

4. Audit procedures (20%)

5. Audit report (15%)

Skills Integration

Skills developed in the unit include identifying auditing issues in a given

scenario and applying the appropriate auditing procedures


Teaching and Learning Strategy

Topics will be introduced by ways of lectures and developed through tutorials.

During tutorials, Q&A sessions are held to assess students‟ understanding of the

concepts, principles and procedures of auditing. In addition, students are also

grouped into smaller groups of 5-6 students per group where they work together

on a given scenario to identify key auditing issues and apply the appropriate

procedures.

Core text

1. Auditing and Assurance Service in Malaysia, Messier/Glover/Prawitt

Margaret Boh, 3rd

Edition, Mc Graw Hill (ISBN978-983-3850-075) 2007.

Other references

2. Auditing In Malaysia- An Integrated Approach, Alvin A. Arens, 11th Edition.


SCHOOL OF BUSINESS STUDIES

Week Topic Reference

Week 1

Introduction to Auditing AAS-Chapter 1 & 2

Week 2

Regulatory Framework and Professional

Ethics

AAS- Chapter 1,2 & 19

Week 3

Auditor‟s Report AAS- Chapter 18

Week 4

Accounting and Internal Control System AAS- Chapter 6

Week 5

Audit Evidence AAS- Chapter 4

Week 6

Audit Procedures (I) AAS- Chapter 4

Week 7

Audit Procedures (II) AAS- Chapter 4

Week 8

Audit Risk and Materiality AAS-Chapter 3

Week 9

Audit Planning and Control (I) AAS- Chapter 5

Week 10

Audit Planning and Control (II) AAS- Chapter 5

Week 11

Auditing Cash and Bank System AAS-Chapter 16

Week 12

Auditing Property, Plant & Equipment AAS- Chapter 14

Week 13

Computer in Auditing AAS- Chapter 7

Week 14

Computer in Auditing AAS- Chapter 7

Reference

Core text

1. Auditing and Assurance Service (AAS) in Malaysia, Messier/Glover/Prawitt

Margaret Boh, 3rd

Edition, Mc Graw Hill (ISBN978-983-3850-075) 2007.

Other references

2. Auditing In Malaysia- An Integrated Approach, Alvin A. Arens, 11th Edition.


Assessment Format

There are 2 parts of your assessment of the course: group assignment and final

examination.

Component Threshold

Course

work

40% Group Assignment 40 marks

Mid-term Test 60 marks

100 marks x

0.4

50%

Final Exam 60% Written Exam 100 marks x

0.6

40%

Total 100%

Group Assignment

You will be required to form a group and carry out a specific research on the

subject topics.

Format of Final Examination

The final examination will be of THREE (3) hours long and comprise two

parts:

Part A: One Compulsory question (25%). You are given a case study and you

are required to analyse the case and apply the theories to the scenario.

Part B: You are required to answer THREE (3) questions out of FOUR (4)

questions. You are given some short questions to work on. Each question

constitutes 25%.


CHAPTER 1

INTRODUCTION TO AUDITING

________________________________________________________________

Learning Outcomes

When you have completed this lesson you will be able to:

Understand the nature, purpose and scope of audit

Distinguish between accounting and auditing

Understand different types of audits and auditors

Understand the concept of true and fair view

Reference text: Auditing and Assurance Services in Malaysia- Chapter 1 & 2


1,1 Nature, Purpose and Scope of Audit

1.1.1 A statutory audit simply means “a legally required examination of an

organisation‟s annual accounts and financial records”.

1.1.2 The objective/purpose of an audit is to enable the auditor to express an

opinion on whether the financial statements are prepared, in all material

respects, in accordance with an applicable financial reporting framework.

1.1.3 Auditors do not certify or guarantee the correctness of financial

statements; they report whether in their opinion they give a “True and

Fair View” of the financial position. True and Fair View (UK) = Present

Fairly (US). Express opinion is different from guarantee or certification

of 100% correctness. Auditor just obtains reasonable assurance that the

financial statements do not contain material misstatement (serious

mistakes).

1.1.4 Reasonable assurance means the auditor obtains certain degree of

comfort that the financial statements do not contain material

misstatement.

1.1.5 Why reasonable (less than 100%) assurance? Or why not absolute (100%)

assurance? This is because auditing has some inherent limitations.

These inherent limitations are:

Use of sampling testing. Auditors use samples to test the

transactions because it is impossible for auditor to check every

transaction. When applying sampling, there is always a risk of

taking the wrong samples.

Inherent limitations of internal control. There is always

possibility of employee collusion, management override or human

errors.

Audit evidence is persuasive, not conclusive. Persuasive means

giving evidence to believe; whereas, conclusive means 100%

correct or wrong.

Use of auditor’s judgement. Auditors often use professional

judgement to make decision where there is always a risk that the

judgement may be inappropriate.


1.1.6 In Malaysia, external audit of financial statements is mandatory (i.e.

mandatory audit is also known as Statutory Audit) for every company,

regardless of size, that is registered under Malaysia‟s Companies Act

1965.

1.1.7 The concept of agency (Principals and Agents)

Modern auditing has developed since the concept of a company as a

separate legal entity came into existence. It means the separation of

ownership and the management of the company.

For listed companies the owners of company are its shareholders and they

may not be involved in the daily operation of company. The company

will be run by directors, who are elected by shareholders. The

shareholders expect a return on investment, while the directors expect to

be paid for salary.

Thus shareholders need to have confidence that accounts prepared by

directors are accurate and comply with the required standards and

regulations. To ensure that the financial statements are drawn accurately,

they employ auditors to check its financial statements.

The job of external auditors is to report whether the financial statements

show True & Fair view. By having this independence check the

shareholders gain confidence in terms of money is being handled

properly.


Principal provides capital and hires agent to manage it. Agents are hired to manage the

Company on behalf of principals.

Agents are paid for their services

Conflicts of interest lead to

information risk for the

principal

Principals

(Owners)

Agents

(Directors)

Auditor is appointed by principal

to review the performance of

agents Auditor reports the

financial position to

the principal

Agent is accountable to

principals. Agent need to

manage the company as

entrusted.


An overview of the Principal-Agent relationship leading to the demand for

auditing

1.1.8 The concepts of accountability, stewardship and agency.

Accountability means that people in positions of power can be held to

account for their action. For example, they are compelled to explain their

decision/action or be punished if they have misuse their power.

Stewardship is the responsibility to take good care of resources. A

steward is someone employed to manage another person's property.

A fiduciary relationship is a relationship of good faith such as between

directors and shareholders. The directors must take their decisions in the

interests of the shareholders rather than in their own personal interest.

Agents are people employed or used to provide a particular service. In

the case of a company, the people being used to provide the service

managing the business also have the second role of being people in their

own right trying to maximise their personal wealth

Directors’ Accountability and Responsibilities

Directors are accountable to the shareholders for the assets that they

control on their behalf. It means that the directors are responsible for the

preparation of the accounts of the company. If the directors ask

accounting firm to perform its accounting functions, they could not

escape their responsibilities to the shareholders. The directors are

responsible for the proper set up of accounts.

1.1.9 Advantages of a statutory audit

a. Dispute between management may be more easily settled

b. Major changes in ownership may be facilitated if the past accounts

contain an unqualified audit report

c. To enhance the loan application

d. To improve efficiency of the business operation by improving internal

control system or control procedures

e. To serve as a basis for preparation of tax returns


1.1.10 Disadvantages of an Audit

a. Audit fee is incurred

b. Disruption of work to the client‟s staff

1.2 Distinction between Auditing and Accounting

1.2.1 These activities are closely related but separated activities. It is very

common that some companies engage the same accountant from the same

accounting and audit firm to prepare the accounts. It should make clear

that the directors are still responsible for the preparation of accounts.

1.2.2 A………………… is the recording, classifying and summarising of

transactions in a systematic manner for the purpose of providing financial

information for decision making.

1.2.3 A……………… is a process of reviewing the transactions and balances

of accounting records to project a true and fair view of the financial

position of the company.

1.3 Different types of audits and auditors

1.3.1 Types of audit

a. F…………………………… Audit. It is conducted to determine

whether the overall financial statements are prepared according to the

acceptable accounting principles. The financial statement audit covers

the audit on Statement of Financial Position, Statement of

Comprehensive Income, statement of changes in shareholders‟ equity

and cash flow statement together with the accounting policies and

explanatory notes to the financial statements.

b. O………………….. Audit. It is conducted on the operating

procedures and process of the organisation to determine whether it is

operating in effective and efficient manner. At the end of the

operational audit, auditor will recommend how to improve

effectiveness and efficiency of the whole organisation‟s operation

system.


c. C……………… Audit. It involves checking whether the organisation

follows the specific laws, regulations, specific procedures set by the

authority. For example, a compliance audit for a listed company may

focus on whether the company follows the stock market ruling and

pays the appropriate taxes.

d. F………………. Audit. It is a special investigation audit that mainly

focuses on fraud, criminal cases, shareholders dispute or negligence. It

requires high investigation skills, knowledge and experience to obtain

and develop information as legal evidence or for use by expert

witnesses in the court of law.

1.3.2 Types of auditors

a. I………………… Auditors. They are employees of organisation

whose activity set by management to examine and evaluate the

organisation‟s risk management processes and systems of control, and

to make recommendations for the achievement of company objectives.

The focus of internal audit now is on adding value to an organisation

through improvements in controlling risk and looking at all types of

risk and control. It functions by, amongst other things, examining,

evaluating and reporting to management and the directors on the

adequacy and effectiveness of components of the accounting and

internal control systems.

The Roles of Internal Audit (IA)

IA is part of the organisational control of a business; it is one of the

methods used to ensure the orderly and efficient running of the

business.

A properly function of IA is part of a good corporate governance,

as recognised by national and international codes on corporate

governance

IA procedures meet the needs of good corporate governance of

meeting the needs of all stakeholders.

IA enable management exercises proper risk management


b. E……………….. Auditors (or Public Accounting Firm). They are

external parties who conduct auditing services for both public and

private companies. For example, Ernst & Young, KPMG,

PriceWaterhouseCoopers, Delloite, Crowe Horwarth and so on. It is

an exercise whose objective is to express an opinion whether the

financial statements give a true and fair view of the organisation 's

activities have been properly prepared in accordance with the

applicable reporting framework.

c. G……………….. Auditors (also known as Auditor General) are

responsible for auditing all the Federal government, State government,

public authorities and the statutory bodies‟ accounts. At the Federal

level, the Auditor General reports to the King (Yang Di-Pertuan

Agong) and presents his audit reports to the House of Parliament.

d. F………………….. Auditors. They are specially trained to detect,

investigate and deter fraud and crime.

e. Inland Revenue Assessment Auditor. These auditors are responsible

for enforcing the Income Tax Act. They audit tax payers‟ returns to

determine whether the computation of taxes is complied with the laws.

1.3.3 Difference between internal audit and external audit (SAROL)

Internal Audit External Audit

Scope (S) Cover all areas

including operation and

finance

Financial focus

Approach (A) Risk based, assess risk,

evaluation on control

system, test on

operations of system,

and make

recommendations for

improvement.

Risk based, test on

transactions that form

the basis of the final

financial statement


Responsibility ( R) Advise and make

recommendations on

internal control and

corporate governance.

Form opinion on

financial statements.

Objectives (O) Advise to protect

organisation against

loss due to weak

internal control

Provide opinion on

financial statement

whether provide True &

Fair view

Legal (L) Not legal requirement.

But recommended to

have internal audit dept

for good corporate

governance practice

Legal requirement to

have an audit on their

financial statement

1.4 The concept of true and fair view

1.4.1 External auditors give an opinion on the truth and fairness of financial

statements. It does not mean that the financial statements are free from

error.

1.4.2 It is generally understood that the presentation of accounts are drawn up

according to accepted accounting principles using accurate figures as far

as possible and reasonable estimates and arranging them so as to show a

true picture of accounts that free from material bias, distortion,

manipulation or concealment of material facts.

1.4.3 True - Information is factual and conforms to the reality, not false. In

addition the information must conform to the required standards and

laws. And, the accounts have also been correctly extracted from the

books and records.


1.4.4 Fair - Information is free from discrimination and bias and in

compliance with expected standards and rules. The accounts should

reflect the commercial substance of the company's underlying

transactions. Fairness depends on the following factors:

Relevance of the information to the user‟s needs

Free from bias

Facts can be verified by evidence

Materiality of item. A transaction is material if its disclosure would

change the user‟s view on the accounts.

1.4.5 Why the concept of true and fair is important to auditor? This is

because:

Auditor certainly cannot certify/guarantee the accounts are 100%

accurate and free from mistakes. This is because auditor uses

sampling method to draw audit evidence to support the opinion.

Moreover, there many different accounting interpretations and

presentation such as depreciation, goodwill, inventory etc.

The concept of truth and fairness is more important than 100%

accurate.

In reaching his opinion whether accounts show true and fair view,

the auditor is required to exercise his skills and judgment.

1.5 The Chronology of an audit

Determine audit approach

Stage 1. Determine the ..................... of the audit and the auditors' approach.

For statutory audits the scope is laid down by legislation and

expanded by Auditing Standards. The auditors should prepare an

audit plan, which should be placed on file.

Ascertain the system and controls

Stage 2. Determine the flow of ....................... and extent of .................... in

existence in the client's system.


This is a fact finding exercise which is achieved by discussing the

accounting system and document flow with all the relevant

departments (for example, sales, purchases, cash, inventory and

accounts personnel).

It is good practice to make a rough record of the system during this

fact finding stage which will be converted to a formal record at

Stage 3.

Stage 3. Prepare a comprehensive record of the system to facilitate

evaluation of the systems. The records may be in various formats

(for example, charts, narrative notes, internal control

questionnaires and flowcharts).

Stage 4. Confirm that the system recorded is the same as that in operation.

This is achieved by performing walk-through tests. These involve

tracing a handful of transactions through the system and observing

the operation of controls over them.

This check is useful because sometimes client staff will tell the

auditors what they should be doing rather than what is actually

done.

Assess the system and internal controls

Stage 5. Evaluate the .................. to determine their reliability and

formulate a basis for testing their effectiveness in practice.

Test the system and internal controls

Stage 6. (This should only be carried out if the controls are evaluated as

effective at Stage 5. If not, Steps 6 and 7 should be omitted.)

If controls are effective, tests should are designed to establish

compliance with the system should be selected and performed.

Tests of controls, which cover a larger number of items than

walkthrough tests and cover a more representative sample of

transactions through the period, should be carried out.

If controls are strong, the records should be reliable and the

amount of detailed testing can be reduced. If controls are

ineffective in practice, more extensive substantive procedures will

be required.


Stage 7. After evaluating the systems and testing controls, auditors normally

send an interim report to management identifying weaknesses

and recommending improvements.

Test the financial statements

Stages These tests are concerned with substantiating the figures given in the

final financial statements

8 and 9. Substantive tests also serve to assess the effect of errors, should

errors exist.

Before designing a substantive procedure it is essential to consider

whether any errors produced could be significant. If the answer is

no, there is no point in performing a test.

Review the financial statements

Stage 10. The financial statements should be reviewed to determine the

overall reliability of the account by making a critical analysis of

content and presentation.

Express an opinion

Stage 11. The auditors evaluate the evidence that they have obtained and

they express their .............................. to members in the form of

an audit report.

Stage 12. The final report to .................................... is an important end

product of the audit. The purpose of it is to make further

suggestions for improvements in the systems and to place on

record specific points in connection with the audit and the

accounts.


CHAPTER 2

REGULATORY FRAMEWORK AND PROFESSIONAL ETHICS

________________________________________________________________

Learning Outcomes


Understand the provision of Companies Act in audit

Explain the duties, power and responsibility of auditor

Explain the responsibility of auditor in detecting fraud and errors and

illegal activities

Understand the professional ethics.

Reference text: Auditing & Assurance Services in Malaysia- Chapter 1,2 & 19


2.1 Understand the provision of Companies Act in audit

2.1.1 Section 169 of the Companies Act 1965 requires the directors of every

company to present the audited financial statements that give true and fair

view of the activities of the company in its annual general meeting.

2.1.2 Under Section 174 of the Companies Act, 1965, there are two main

requirements relating to the auditor‟s reporting duties:

The auditor must state, whether in his opinion, the financial statements

have been properly drawn up in accordance with the provisions of the Act

and applicable approved accounting standards, so as to give a true and

fair view of the company‟s state of affairs and result of operations; and

matters required by section 169 to be dealt with in the financial

statements; and

The auditor must state, whether in his opinion, the accounting and other

records and the registers required by the Act to be kept by the

company, have been properly kept in accordance with the Act.

2.1.3 Under the Companies Act, 1965, the statutory duties of company directors

in relation to accounting functions are:

Ensuring proper accounting records are kept. Directors are

required to design the accounting system and keep all the accounting

records of the companies in a proper manner.

Taking reasonable steps to safeguard the assets of the company

and prevent and detect fraud and errors. Directors are responsible

for designing an effective internal control system to protect the

companies‟ assets from any possibility of fraud and error.

Preparing financial statements that give true and fair view.

Though, directors may delegate the preparation of financial

statements to accountant, they are still responsible for ensuring the

financial statements are drawn up in accordance with the standards

and regulation.

Adopting good accounting policies and establish adequate

internal control. Directors are responsible for compliance to the

best practice of accounting standards and effective internal control

system.


File in annual return of the company to Companies Commission

of Malaysia (CCM). Directors are responsible for preparing an

annual return to the regulators.

2.1.4 Appointment of Auditors.

Appointed by When

Members

(Shareholders)

Shareholders can appoint the first auditors of the

company or to fill a casual vacancy and the auditor will

hold office until the end of first annual general meeting.

In an Annual General Meeting (AGM), shareholders can

reappoint retiring auditor, appoint a new auditor or

appoint an auditor who has been appointed by directors

previously.

Directors Directors can appoint the company‟s first auditor between

the date of incorporation (establishment) and the first

AGM. Directors can also appoint an auditor to fill in a

causal vacancy.

Companies

Commission of

Malaysia (CCM)

If a company does not appoint an auditor as requested by

Companies Act-section 172, the CCM can appoint an

auditor.

2.1.5 Disqualification of Auditors. Under section 9(1) of the Companies Act, a

person is prohibited from acting or accepting an appointment as the auditor

of company if he is:

Indebted to the company or its related company in an amount

exceeding RM2,500.

An officer of the company.

A partner, employer or employee of an officer of the company.

A partner, employee of an employee of an officer of the company.

A shareholder of the company whose employee is an officer of the

company or

Responsible for or if he is the partner, employer or employee of a

person responsible for keeping company‟s assets or the register of

debenture holders of the company


2.1.5 Departure from auditor’s office. Auditors can leave office by one of the

following reasons:-

Resignation

Not seeking reappointment

Being removed at a general meeting before their term of office is

expired.

Being removed at a general meeting at which their term of office is

expired.

2.1.6 Resignation usually requires written notice by the auditor to the company

and to the CCM. It also requires a statement of circumstances. The auditor

concerned is permitted to speak and communicate in writing with shareholders

and other stakeholders.

RESIGNATION OF AUDITORS

1 Resignation procedures Auditors deposit written notice together with

statement of circumstances or statement

that no circumstances exist relevant to

members/creditors

2 Notice of resignation Sent by company to regulatory authority

3 Statement of

circumstances

Sent by:

(a) Auditors to regulatory authority

(b) Company to everyone entitled to receive a

copy of accounts

4 Convening of general

meeting

Auditors can require directors to call

extraordinary general meeting to discuss

circumstances of resignation

Directors must send out notice for meeting

within 21 days of having received requisition

by auditors

5 Statement prior to

general meeting

Auditors may require company to circulate

(different) statement of circumstances to

everyone entitled to notice of meeting

6 Other rights of auditors Auditors can receive all notices that relate to:

(a) A general meeting at which their term of

office would have expired


RESIGNATION OF AUDITORS

(b) A general meeting where casual vacancy

caused by their resignation to be filled

(c) Auditors can speak at these meetings on

any matter which concerns them as auditors

2.1.7 Removal of auditor

Any removal or resignation of auditor before end of the audit contract

implies serious disagreement b/w auditor and client. If auditors disagree

with the fee or accounting practices, they simply do not offer themselves

to be reappointment. Removal must usually be notified to regulatory

authority. 2/3 majority resolution is required to remove an auditor. The

concerned auditor is given the right to make written representations

and speak at the meeting or AGM.

Removal procedures. The reasons to have removal procedures are to

ensure that the auditors are not removed for improper reasons without the

knowledge of the shareholders and auditors do not seek to avoid their

responsibility by going quietly.

Removal

Procedure

Description

1 Notice of removal Either special notice (28 days) with copy sent to

auditor

Or if elective resolution in place, written

resolution to terminate auditors' appointment

Directors must convene meeting to take place

within reasonable time.

2 Representations Auditors can make representations on why they

ought to stay in office, and may require company to

state in notice representations have been made and

send copy to members.

3 If resolution is

passed (a) Company must notify regulatory authority

(b) Auditors must deposit statement of

circumstances at company's registered office


Removal

Procedure

Description

within 14 days of ceasing to hold office. Statement

must be sent to regulatory authority.

4 Auditor rights Auditor can receive notice of and speak at:

(a) General meeting at which their term of office

would have expired

(b) General meeting where casual vacancy caused

by their removal to be filled

The auditor will have to issue a written statement either:

(i) Statement of ............................ (Some disagreement issues need to be

highlighted to the attention of the shareholders. E.g. Fraud, severe disagreement

over accounting practice)

OR

(ii) Statement of ............................. (No issues need to be brought to the

attention of the shareholders. E.g. Disagreement over auditor fee)

2.2 Explain the duties, power and responsibility of auditor

2.2.1 Auditor’s rights and duties

The audit is primarily a statutory concept, and eligibility to conduct an audit is

often set down in statute. Similarly, the rights and duties of auditors can be set

down in law, to ensure that the auditors have sufficient power to carry out an

effective audit.

Auditor’s Duties

The duties of the auditors are:-

(a) To report the shareholders/directors on whether the financial statements

show true and fair view and have been properly prepared, in all material

respect, in accordance with legislation and applicable accounting standards.

(b) To consider whether the information in the management report is

consistent with the audited financial statement


(c) To give various details required by legislation in their report. Common

details are directors‟ transactions & emoluments.

(d) To form opinion on the financial statements whether they are presented in

true and fair view.

(e) To report on any violation of law or the company‟s constitution.

(f) To make a “statement of circumstance” when they cease to hold office for

any reason.

Auditor’s Rights

The principal rights auditors should have, excepting those dealing with

resignation or removal, are set out in the table below, and the following are

notes on more detailed points.

Access to records A right of access at all times to the books,

accounts and vouchers of the company

Information and

explanations

A right to require from the company's

officers such information and explanations

as they think necessary for the performance

of their duties as auditors

Attendance at/notices of

general meetings

A right to attend any general meetings of

the company and to receive all notices of

and communications relating to such

meetings which any member of the

company is entitled to receive

Right to speak at general

meetings

A right to be heard at general meetings

which they attend on any part of the

business that concerns them as auditors

Rights in relation to

written resolutions

A right to receive a copy of any written

resolution proposed

Right to require laying of

accounts

A right to give notice in writing requiring

that a general meeting be held for the

purpose of laying the accounts and reports

before the company (if elective resolution

dispensing with laying of accounts in force)


2.3 Explain the responsibility of auditor in detecting fraud and errors and

illegal activities

2.3.1 Auditors’ Responsibility for the Prevention & Detection of Fraud &

Error

ISA 240 The Auditor’s Responsibility to Consider Fraud in an Audit of

Financial Statements states that:-

Fraud is to intentional acts which may involve the falsification of documents

or misappropriation of assets.

Error is the unintentional misappropriation of accounting policies,

oversights or misinterpretations of facts.

In the new audit engagement, auditors should be very careful to avoid accepting

responsibility for detection of fraud that they cannot discharge.

2.3.1 Management responsibility in preventing fraud & error

Management is responsible for the prevention and detection of fraud. They

should implement and operate adequate internal control system to safeguard the

assets.

2.3.2 Internal Auditor’s responsibility in preventing fraud and error.

Internal auditor is to REVIEW the measures that designed by management to

ensure adequate control is in place.

Internal auditor can help management manage risks in relation to fraud and

error by

1. commenting on the process used by management to identify fraud and error

risks.

2. commenting on the appropriateness and effectiveness of actions taken by

management to manage the risks identified

3. periodically auditing or reviewing systems or operations to determine

whether the risks of fraud and error are being effectively managed;


4. monitoring the incidence of fraud and error, investigating serious cases and

making recommendations for appropriate management responses

2.3.3 External Auditor’s responsibility in preventing and detecting fraud

and error.

1. External Auditor‟s responsibility is to ASSESS the risk that fraud or error

may cause the financial statements to contain material misstatement.

2. The objective of an audit is to report on the truth and fairness of the

financial information but not purposely to detect fraud and errors. However,

in the course of conducting audit if the auditor discovers the fraud and

material misstatements affecting the financial statements, auditor should

investigate further.

3. Auditor must perform the auditing with an attitude

of......................................... i.e. it requires that the auditor objectively

evaluate audit evidence. This means the auditor should constantly maintain a

critical and questioning mind in assessing the validity of audit evidence he

accumulates during the audit process.

4. An attitude of professional scepticism is necessary for the auditor to identify

circumstances that increase the risk of a material misstatement resulting from

fraud or error, and suspicious circumstances that indicate that the financial

statements are materially misstated. If the auditor suspected that there might

be a material misstatement due to fraud or error, the auditor would be more

sensitive to the selection and type of evidence examined.

2.3.4 Limitation of statutory audits

As per ISA 200, the inherent limitations of statutory audits are:

1. The use of sampling testing. Auditors could not able to conduct 100%

checking on all the transactions. Due to sampling selection, some items may

not be checked if not being selected in a sample. Due to this sampling test

basis, it may happen that misstatement may remain undetected.


2. The inherent limitations of internal control system. Auditor relies on the

internal controls if they are effective. But by nature, internal control of the

company has its inherent limitations such as human error. Therefore, the

auditor cannot give absolute assurance but only reasonable assurance.

3. The fact that most audit evidence is persuasive rather than conclusive.

The auditor‟s opinion is based on the evidence gathered which is not

conclusive to draw a conclusion.

4. Limitations of the reporting framework. The auditor report given is fixed

format which may not be understandable and readable by all the users.

5. Audit does not provide up-to-date position. The financial statements

provide past information. The auditor‟s opinion given on the past

information sometime is not relevant.

2.4 Understand the professional ethics.

2.4.1 Definition of ethics.

Ethics refers to code of conduct based on moral duties and obligations that

indicate how an individual should behave in society. For example, businessman

should be ethical not to produce harmful products for consumers.

2.4.2 Fundamental Principles of Ethics “C.O.B.I.C.”

The Fundamental PrinciplesError! Bookmark not defined.

Integrity (I) Members should behave with integrity in all

professional, business and personal financial

relationships. Integrity implies not merely honesty

but fair dealing and truthfulness.

Objectivity

(0)

Members should strive for objectivity in all

professional and business judgements, (objectivity is

the state of mind which has regard to all

considerations relevant to the task in hand but no

other, it presupposes intellectual honesty).


The Fundamental PrinciplesError! Bookmark not defined.

Professional

Competence

(C)

Members should not accept or perform work which

they are not competent to undertake unless they

obtain such advice and assistance as will enable them

competently to carry out the work.

Confidentiali

ty (C)

Members should carry out their professional work with

confidentiality. Information obtained in a business

relationship should not disclose outside the firm unless

there is a proper and specific authority or duty to

disclose.

Professional

Behaviour

(B)

Members should behave with courtesy and

consideration towards all with whom they come into

contact during the course of performing their work.

2.4.3 Ethical Threats

Threats

The potential threats that may lead to conflict of interest are:

Self- interest threat. It occurs when auditor could benefit from a

financial interest in an audit client. Examples of self interest threats are

- if the auditor has a ownership of shares in client company or any

joint venture with the audit client.

- having personal relationship with senior members of client

company.

- providing loan or guarantee to or from an audit client.

- highly depending on total fees from one audit client

Self- review threat. It occurs when the audit firm or member of audit

team put itself in a position of reviewing the subject that previously the

member is responsible. Examples are:

- Auditor offers accounting services and other non audit services and

auditor audit his own work.

- Custodian for and ownership of assets of audit client.

- Assist /supervise employees of audit client


- Performing valuation / internal audit service for financial

statement

- Recruiting senior management for audit client

- Advise / assist in securing source of finance.

Advocacy threat. It occurs when the audit firm or a member of the audit

team promotes or may be perceived to promote, an audit client‟s position

or opinion. Examples are:

- promoting client‟s shares or IPO

- acting on behalf of client in litigation case or in resolving disputes

with other 3rd

party.

Familiarity threat. It occurs when by virtual of a close relationship with

an audit client. Examples are

- having a close family member who as a director, officer or

employee of the audit client.

- Long outstanding business relationship with the client.

- Become close friend of the audit client

- Acceptance of an expensive gifts

- Auditor is ex-employee of audit client.

Intimidation threat. It occurs when a member of the audit team may be

deterred from acting objectivity and exercising professional judgement

due to pressure given by the audit client to terminate the service,

dominant personality in a senior position at the audit client. Examples

are:

- Disagreement with client, auditor is being threatened to be

removed from service.

- Threat to reduce fees due to pressure applied in order to reduce the

scope of an audit.

- Litigation situation in between auditor and client

2.4.4 Safeguards to Address Threats

Safeguards can be grouped under 3 categories.

Category 1- Safeguarded by …………………

Prohibition of providing non-auditing services by auditors. Auditor

should be prohibited to carry out services such as internal audit,


bookkeeping, management functions, designing control services or

legal advices.

Category 2- Safeguarded by …………………

This safeguard is by preparing its own code of ethics for the entire

audit firm or a specific client/assignment.

Category 3- Safeguarded by ………..

This safeguard is by the client itself. Safeguard could be:

appointment of auditor is by the audit committee; verifying the

qualification of auditor by the client, monitoring auditor‟s work by

audit committee.

2.4.5 Confidentiality of Information.

Information confidential to a client should not be disclosed, except where

consent has been obtained, or where there is a public duty or a legal or

professional right or duty to disclose. Accountant should only act for a client on

the understanding that the client will make full disclosure to them.

There are circumstances in which auditor is free to disclose information

regardless of the client‟s wishes and circumstances in which the auditor has an

obligation to do so.

Auditors have an obligation to disclose:

(1) where the courts order them to do so;

(2) where they suspect their client of offences of terrorism;

(3) they suspect the client to be a drug trafficker;

(4) where under banking, insurance and financial services, they consider the

client is either acting recklessly or is not fit or proper to manage such

business.

2.4.6 Basic principles of independence

a) It states that a member’s objectivity must be beyond question if they are

to report as auditor. The followings are the enforcement mechanisms to

maintain its integrity, objectivity and independence.

(Note: Independence means an attribute of the relationship between 2 parties. It

is said that 2 parties are independent if neither has any obligation to the other)


Guideline 1: Undue dependence on an audit client for dependence on

Income. Recurring fees paid by one client or group of connected clients should

............................... of the gross practice income- (10% for public companies).

Guideline 2: Family and other personal relationship. A family or other close

relationship may pose a threat to independence and safeguards should be in

place to preserve independence. Auditor should ensure personal relationship do

not affect their objectivity

Guideline 3: Beneficial interests in shares and other investment .An auditor

should ensure that it does not have as an audit client a company in which any

partner or anyone closely connected with a partner holds shares or has a

beneficial interest in shares.

Guideline 4: Loans. An auditor or anyone closely connected with it should not

make or accept loans to or guarantee from an audit client. This also applies to

a partner in a practice or spouse or minor child.

Guideline 5: Goods & services- hospitality. Goods and services should not be

accepted by an auditor or by anyone closely connected with it unless the value

of any benefit is modest.

Guideline 6: Provision of other services. There is no objection in practice to

the provision of other services to audit clients, but care must be taken not to

perform management functions or to make management decision.

Guideline 7: Overdue fees. The existence of significant overdue fees can be a

threat to objectivity.

Guideline 8: Litigation. Objectivity may be threatened (or appear to be) where

there is actual or threatened litigation between auditor and clients.

Guideline 9: Associated firm’s influence outside the practice. Pressure may

arise from outside the practice form associated practices or organisation.


Guideline 10: Auditor should not perform management functions or take

executive decision. Auditor‟s involvement is only advisory.


CHAPTER 3

AUDITOR’S REPORT

________________________________________________________________

Learning Outcomes


Understand the standard unqualified audit report

Understand the implication of unqualified audit report

Explain the departure from standard report and deciding appropriate

auditor‟s report.

Reference text: Auditing & Assurance Services in Malaysia- Chapter 18


3.1 The Auditor’s Report

3.1.1 What is an audit report?

Audit report is the principal channel of communication between the

auditor and the user of the financial statements.

Audit report is the review and evaluation report resulted from the test of

control and substantive procedures that auditor has performed. Before

issuing an audit report, auditor should assess the types of audit reports to

be issued.

The two main reporting requirements under the Companies Act are:

The auditor should state in his opinion whether the financial statements

give a true and fair view, and are in compliance with the Act and

applicable approved accounting standards.

Auditor's opinion on whether the accounting and other records and the

registers required by the Act have been properly kept in accordance with

Act.

3.1.2 Users of audit report. The followings are the users of an audit report:-

Potential investors- To evaluate the performance of company before

investing.

Shareholders of a company- To know the profitability of the company

they owned.

Employees of a company- To know the performance of company.

Bankers- To evaluate the credit worthiness of the borrower before

lending.

Suppliers- To evaluate the liquidity of the company before supplying

goods.

3.1.3 ISA 700 Forming an Opinion and Reporting on Financial Statements

indicates the basic elements that will ordinarily be included in the

audit report. The basic elements of an auditor‟s report include the

followings:-


No Audit report

element/feature

Reason for that element/feature

1 Title of „independent

auditor”

To identify this as an audit report and

distinguish it from other reports on financial

statements that might be issued by others,

directors, etc

2 Addressee To identify the person(s) who may use or rely

on the report.

3 Introductory paragraph It states that when an audit was conducted and

identifies which financial statements are

covered by the auditor‟s report.

Management‟s

responsibility for the

financial statements

To explain the responsibility of management

for the preparation of financial statements in

accordance with the applicable financial

reporting framework

Auditor‟s

responsibility

To state that the auditor‟s responsibility is to

express an opinion on the financial statements

based on the audit

To explain the scope of the audit so that the

standards of the auditor‟s work is clear and

other factors such as limitation of audit testing

is known

5 Auditor‟s Opinion

paragraph referring to

the financial reporting

framework followed

and expressing the

auditor‟s opinion.

To provide the auditor‟s opinion on the

financial statements in terms of true and fair

view, to assure the reader that the audit has

been carried out in accordance with

established principles and practices

Other reporting

responsibility

Auditor‟s signature This is normally the signature of the audit firm

as the firm assumes responsibility for the

audit, not the individual engagement partner.

Date of the report To inform the reader that the auditor has

considered effects of transactions that the


No Audit report

element/feature

Reason for that element/feature

auditor became aware of on the financial

statements up to that date.

Auditor‟s address This is normally the city where the auditor

responsible for the audit is located so he/she

can be contacted, if necessary.

3.1.4 Types of audit reports. (Exam focus)

Unmodified report. This report is a standard good report that does not

require any change/modification on certain issues. A standard unqualified

auditor's report contains the standard wording in terms of format and

contents in compliance with the requirements under the auditing standard

and the provisions of the Companies Act, 1965 and/or other statutory

requirements

Modified unqualified report. This report has an emphasis of matter

paragraph. A modified unqualified report contains an unqualified opinion

but the wording of the report is modified normally by the inclusion of an

additional explanatory paragraph that highlights or makes reference to a

matter such as going concern uncertainty.

“Except for” report. This report is a qualified audit report with

limitation of scope or disagreement but the effect of misstatement on

financial statement only material but not pervasive.

Adverse report. This report is a qualified audit report with disagreement

and the effect of misstatement on financial statement is material and

pervasive.

Disclaimer of opinion report. This report is a qualified report with

limitation of scope and the effect of misstatement on financial statement

is material and pervasive.


3.1.5 Meaning of terms

a. Unqualified report = ..........................

b. Qualified report = ........................

c. Emphasis of matter means auditor wishes to highlight certain issues to

the user‟s attention provided that the directors have disclosed all the

information.

d. Limitation of scope means auditor does not have full information when

conducting an audit. In other words, auditor faces some limitations to

access all the necessary information (evidence) to support his audit

opinion. For example, lack of accounting records that have been

destroyed or lack of explanation from directors.

e. Except for means “......................” a certain item. Except that particular

item, the rest of the items are true and fair.

f. Disagreement means auditor does not agree with the management about

matters such as accounting treatment or disclosure in the financial

statements such as provision of bad debt, depreciation etc.

g. Adverse opinion means that auditor .................... in the accounting /

disclosure matters because they affect all the areas of financial

statements. The financials as a whole do not give true and fair view.

h. Disclaimer of opinion means the auditor does not provide any opinion

on the financial statements because the financial statements are material

and pervasive misstatement.

i. Material. An item is said material means that omission of it will change

the audit opinion. It can say that the transaction has a significant impact

to the financial statements.

j. Pervasive. An item is said pervasive means that the item seriously affects

ALL the areas of the whole financial statements. The users view on the

financial statements will be affected.

3.1.6 Date of audit report

The date of auditor‟s report should be appropriate because it indicates to

the users the last day of auditor‟s responsibility in reviewing significant

post Statement of Financial Position events.

The date should not be dated before the date of director‟s reports.


3.1.7 Matters that an auditor should report in the auditor’s report on the

accounts presented at the annual general meeting of a company.

i. Whether or not the financial statements are true and fair.

ii. Whether or not the financial statements have been properly

prepared in accordance with the Companies Act 1965.

iii. Whether the financial statements are in accordance with the

applicable accounting standards.

iv. Whether the accounting and other records are properly kept in

accordance with the Companies Act, 1965.

v. Whether the auditor has not received sufficient information or

explanations necessary for his auditing.

3.1.8 Conditions that have to be met before a standard unqualified

auditor’s report can be issued.

i. Auditors has obtained without restriction all information and

explanation he required.

ii. Financial statements have been prepared in accordance with the

approved accounting standard and present a true and fair view.

iii. Adequate disclosure of all matters to present a true and fair view of

the financial statements.

iv. All reporting duties under Companies Act have been satisfied.

v. There are no circumstances requiring additional explanatory or

modification of wording of the annual report.

vi. the importance of auditors adopting a conventional and uniform

wording in auditor‟s report.

3.1.9 Use of standardised wording in audit report

The reason for using standardised wording in audit report is to avoid confusion

to the readers and prevent misunderstanding in the message being

communicated to the users of FS.


3.1.10 Audit Reporting

An overview of audit evidence gathered to form an audit opinion

3.2 Unmodified audit report

An unmodified audit report is a good report that provides true and fair view and

the financial statements have been prepared in accordance with the financial

reporting framework and statutory requirement.

An unqualified audit report should include the following content (as per 3.1.3

above)

A title identifying the person to whom the report is addressed.

An introductory paragraph identifying the financial statements audited

and the respective responsibilities of directors and auditors

Management‟s responsibilities in respect of the financial statements

Audit Report

Disagreement Limitation of scope

Qualified “Except For”


The auditors‟ responsibilities in forming their audit opinion

The scope paragraph detailing the nature of the audit

The auditors‟ opinion on the financial statements

The manuscript or printed signature of the auditors.

The date of the auditors‟ report

The auditors‟ address.

3.3 Modification To The Standard Auditor’s Report

3.3.1 Modified audit reports

Modified audit reports arise when auditors do not believe that they can state

without reservation that the accounts give a true and fair view. ISA 701

Modifications to the independent auditor’s report states that there are 2 types of

modified report

i. Matters that do not affect the auditor’s opinion: “Emphasis

of matter paragraph (just wish to highlight to the attention of

users)

ii. Matters that do affect the auditor’s opinion

Qualified

Disclaimer

Adverse opinion.

3.4 Modified Unqualified Auditors’ Report- Emphasis of Matter

3.4.1 Emphasis of matter paragraph

Emphasis of matter paragraph is used where the auditor wishes to draw

attention to an important item in the financial statements. The

conditions to use this report are the directors must fully disclose all the

information and the item is significant.

An emphasis of matter does not constitute a qualified opinion. It is

usually situated after the opinion paragraph and states that the opinion is

not qualified with regard to that matter.

It is used when there is a significant uncertainty or going concern issue

that has been fully disclosed in the notes to the financial statements and

the outcome of the issue is dependent on events yet to happen.


3.5 Departures From An Unqualified Auditors’ Report

3.5.1 Qualified audit opinion

Qualifications may be material and pervasive. The difference between them is

a matter of degree of effect and materiality. A pervasive qualification (very

serious) is one that affects the view given by the financial statements “AS A

WHOLE”. For example, if the auditors are not able to collect evidence from

whatever sources to form audit opinion, it is said to be pervasive.

Qualified audit opinions arise where there are either

i. disagreement on accounting matters such as accounting treatment

and disclosure. It is used where the auditor disagrees concerning the

accounting treatment, amount or disclosure of an item in the financial

statements.

OR

ii. limitations in the scope of the audit that unable the auditors to carry

out their duties. It is used where the audit cannot obtain sufficient

evidence regarding an item in the financial statements.

Common circumstances that may give rise to a disagreement with the

management of the company are:

Non compliance with Companies Act or other legislations.

No compliance with approved accounting standards.

Disagreement with the facts or amounts included in the Financial

Statements

Inadequate disclosure.


Qualification Matrix (Students should have a clear understanding on this

matrix).

Two levels of

qualified

opinion

Limitation of scope

(auditors could not access

full information in the

respect of the audit)

Disagreement

(auditors disagree with

management on accounting

policies selected, method of

application or disclosure

requirements)

Level 1

MATERIAL

ONLY NOT

pervasive

(less serious &

affect only a

particular

area)

QUALIFIED “EXCEPT

FOR”

(e.g. No inventory count

carried out)

QUALIFIED “EXCEPT FOR”

(e.g. Difference of opinion

between directors and auditor

as to whether to provide for a

doubtful debt.

Level 2

BOTH

MATERIAL

&

PERVASIVE

(Very serious

& affect the

whole

financial

statements)

DISCLAIMER OF

OPINION (e.g.

Destruction of accounting

records)

ADVERSE OPINION

(e.g. Auditors state that the

accounts do not give true and

fair view)

Summary

i. Limitation of scope (material) = Except For

ii. Limitation of scope (material & pervasive) = Disclaimer of opinion

iii. Disagreement (material) = Except For

iv. Disagreement (material & pervasive) = Adverse opinion


3.5.2 A disclaimer of opinion should be expressed when the possible effect of

a limitation of scope is so material and pervasive that the auditor could not able

to obtain appropriate and sufficient evidence to express opinion on the financial

statements. Example of disclaimer of opinion,

Example: “Due to the significant of the matters above, we (auditor) do not

express an opinion on the financial statements.”

3.5.3 An adverse opinion should be expressed when the effect of a

disagreement is so material and pervasive that the auditor concludes a

qualification of the report. Adverse and Disclaimer opinions do not support

credibility of the financial statements. Example,

“In our opinion, because of the effects of the matters above, the financial

statements do not give a true and fair view of the financial position”

3.5.4 Except for opinion is used when the disagreement or limitation of scope

is not so serious or not due to fundamental errors. “Except for” opinions are

generally less extreme because they are positively supporting other matters

other than those matters being highlighted. Example,

“In our opinion, except for the effect of adjustments, we had been able to

satisfy ourselves as to the physical inventory quantities….”

How to decide which modified opinion is appropriate in the exam? Follow these

rules

i. If accounting records have been destroyed or gone missing and affect

the WHOLE financial statements, then “Disclaimer of Opinion” is

appropriate.

ii. If only part of the accounting records have been destroyed or gone

missing such as only receivable records; the rest of the accounting

records are still complete, then “Except for” is appropriate.

iii. If the disagreement is fundamental and affects the WHOLE financial

statement, then “Adverse opinion” is appropriate.

iv. If only a small portion such as depreciation treatment, then use

“Except for”.


Auditors normally would not issue a qualified report unless it is absolutely

necessary to do so. In practice, issuing qualifying report is avoided by

discussion and negotiation with the directors. Management will usually make

whatever changes necessary in order to avoid a qualified report.

3.5.5 Other information disclosed in the annual report

a) Other information disclosed in the annual report includes:

i. Opening balance

ii. Prior year figures

iii. Other information issued with audited financial statements.

b) ISA510 Initial Audit Engagements- Opening Balances requires that an

auditor obtains sufficient appropriate evidence about whether the opening

balances contain misstatements that materially affect the current period‟s

financial statements by:

i. determining whether the prior period‟s opening balances have been

correctly brought forward to the current period, (or restated)

ii. determining whether the opening balances reflect the application of

appropriate accounting policies.

c) ISA710 Comparative Information requires that comparatives comply in all

material respects with the identified financial reporting framework. Two

categories of comparatives exist are:-

i. Corresponding figures.

ii. Comparative financial statements.

d) ISA720 The Auditor’s Responsibility in Relation to Other Information

Documents Containing Audited Financial Statements requires that “the auditor

should read the other information to identify material inconsistencies with the

audited financial statements”. This may include items such as employee reports,

five-year summaries and management commentaries on operations. Thus,

auditors should have full access to other information.


CHAPTER 4

ACCOUNTING AND INTERNAL CONTROL SYSTEM

________________________________________________________________

Learning Outcomes


Define the objective and types of internal control

Understand the limitations of internal control

Ascertain the internal control

Evaluating the internal controls

Understand the audit strategy and internal controls.

Reference Text: Audit & Assurance Services in Malaysia- Chapter 6


“Within an organisation, internal control provides a way to meet

management’s stewardship or agency responsibilities. Management also

needs a sound internal control system that generates reliable information

for decision-making purposes.”

4.1 Accounting Systems

4.1.1 Definition of Accounting System:

It is a series of tasks and records of an entity by which transactions are

processed as a mean of maintaining financial records. Such system identify,

assemble, analyse, calculate, classify, records, summarise and report

transactions and other events.

4.1.2 Management’s/Directors’ responsibility on accounting system

Management/directors of the organisation is/are supposed to:

Set up and maintain an adequate accounting and internal control system

in the company.

Deliver a copy of company audited annual report to Companies

Commission of Malaysia (CCM).

Prepare annual financial statements to show true and fair view of the

company.

Ensure company keeps proper accounting records as required by

Companies Act.

Safeguard the company‟s assets and to prevent fraud and errors in the

company.

4.1.3 Auditor’s responsibility on accounting system

Auditor‟s responsibility is to assess and review the effectiveness of accounting

system to ascertain its adequacy as a basis of preparation of financial

statements.

4.2 Internal Control

4.2.1 Definition of Internal control

It is a process designed and implemented by the management to provide

reasonable assurance about the achievement of the entity's objectives with

regard to reliability of financial reporting, effectiveness and efficiency of

operations and compliance with applicable laws and regulations.

It is also designed and implemented to address identified business risks that

threaten achievement of any of these objectives


4.2.2 Objectives of Internal Control System

Validity. To ensure business is carried out in an orderly, effective and

efficient manner.

Timeliness. To ensure all the transactions are recorded on a timely basis.

Compliance. To ensure compliance with laws and regulations.

Valuation. To ensure assets are properly safeguarded and valued.

Authorisation. To prevent and detect fraud and errors.

Completeness. To secure the completeness an accuracy of the records

and the timely preparation of reliable financial information.

Classification. To ensure all the transactions are classified into the proper

account.

Posting and summarisation. To ensure all transactions are properly

recorded in journals and posted to the General Ledger.

[Note to students: Not all the objectives of internal control mentioned above are

relevant to external audit on financial statements; for example, control over the

product design. Only those items that related to financial statements are likely to

be relevant to external audit such as internal control over compliance with the

laws and regulations because any violating the laws is subject to financial

losses.]

4.2.3 Reasons for understanding the accounting & internal control systems

In a financial statement audit, the auditor should understand the client‟s

accounting and internal control systems in order to:

i. assess their reliability for the presentation of financial statement and

design suitable audit procedures.

ii. identify the types of potential misstatements.

iii. determine the control risk level.

iv. determine the audit strategy and plan audit tests

4.2.4 To gain understanding on the internal control system, auditor will

perform the following:

i. Review the previous audit files for recurring engagement. Auditor can

obtain great deal of information about the client‟s internal controls


developed prior years. Because systems and controls usually don‟t change

frequently; this information can be updated and carried forward to current

year.

ii. Inquiry of the client’s personnel. Interview the key staff to obtain some

information.

iii. Read the relevant documentation of client such as policy, system

manuals, documents, reports and records. By examine the actual,

completed documents and records, auditor can obtain evidence that the

control policies and procedures have been run effectively.

iv. Visit the client’s office to have physical inspection on the existence of

assets. Auditor will gain the information on condition of the physical

assets and control system in safeguarding the physical assets.

v. Observe the client’s activities. Auditor can observe staff to carry out the

process of preparing the documents, records and accounting system. This

observation will enhance the understanding of auditor towards the control

that has been in place.

-The knowledge gained from the above procedures on internal control

system, auditor will use this knowledge to :

Identify the types of potential misstatements.

Determine control risk which in turn affects the detection risk.

Assist in the designing further audit procedures such as substantive

procedures.

- In deciding the nature (types) and extent (depth) of the understanding

of the internal control required to carry out audit engagement, auditor

should consider the following factors:

The materiality level.

Knowledge gained from the previous audit.

Auditor‟s knowledge on the client‟s industry.

The size of entity and the ownership.

The complexity of the client‟s operations and system.


4.2.5.1The relationship between control risk and the client’s internal

control system is that if the internal control system is weak, the control risk is

high. The effectiveness of internal control system will directly influence the

control risk.

4.2.6 The difference between management’s and auditor’s concern on

internal control system.

Management’s concern on internal control system is to ensure the

effectiveness of internal control system so that organisation is able to achieve

the corporate objectives. Management is concerned whether the internal

controls established and implemented are effective enough to provide them with

reasonable assurance that the company would able to achieve its objectives.

Auditor’s concern on internal control is towards the impact of internal control

to the financial reporting and safeguarding of assets. The main reason auditor is

interested in internal control is that reliance on internal control will reduce the

amount of substantive testing of transactions. If auditor is satisfied that the

internal control system is functioning effectively, there is a reduced risk of error

in the accounting records.

4.3 5 Components of an internal control system.

Components

of Internal

Control

1.Control

Environment

2.Control

Procedures

3.Risk

Assessment

5.Monitoring

4.Information &

Communication


4.3.1 Component 1- Control environment. It is concerned an overall attitude

of directors and management towards internal control system. . It is the

framework (background) within which controls operate.

Factors that affect the control environment are:-

Integrity and ethical values. An entity needs to establish ethical and

behavioural standards that are communicated to employees and are

reinforced by daily practice.

Commitment to Competences. Management must specify the

competence level for a particular job and translate it into the required

level of knowledge and skills.

Participation of the Board of Directors or Audit Committee. The

board of directors and its audit committee significantly influence the

control consciousness of the entity. They must take their fiduciary

responsibilities seriously and actively oversee the entity‟s accounting and

reporting policies and procedures.

Management’s Philosophy and Operating Style. Establishing,

maintaining and monitoring the entity‟s internal controls are

management‟s responsibility. Management‟s philosophy and operating

style may significantly affect the quality of internal control.

Organizational Structure. The organizational structure defines how

authority and responsibility are delegated and monitored. It provides a

framework for planning, executing, controlling and monitoring

operations.

Assignment of Authority and Responsibility. This factor includes how

authority and responsibility for operating activities are assigned and how

reporting relationships and authorization structure are established.

Human Resource Policies and Procedures. The entity should have

personnel policies for hiring, training, evaluating, counselling and

compensation policies and procedures.


4.3.2 Component 2- Control procedures (Types of control procedures).

Control procedures are the policies and procedures that help to ensure that

necessary actions are taken to address the risks involved in achieving the

entity‟s objectives.

Examples of specific control activities include those relating to the following:

(P2.A.R

2.I.S

2)

• Physical controls. (P)

-The physical security of assets, including adequate safeguards such as secured

facilities over access to assets and records.

-This concerns custody of assets and involves procedures designed to limit

access to authorised personnel only. Controls are important in the case of

valuable and moveable assets. Example: only supervisor can access the

inventory.

• Personnel. (P) Procedures should be designed to ensure that personnel

operating a system are competent and motivated to carry out the tasks assigned

to them, as the proper functioning of a system depends upon the competence

and integrity of the operating personnel. Example: Only authorised person with

competency can perform the task.

• Authorisation & Approval (A).

Seeking a higher authority to approve is one of the control activities. All

transactions should require authorization or approval by an appropriate person.

The limits of approval should be clearly specified. Example: Sales invoices

need to be authorized.

• Performance Reviews. (R)

These control activities include reviews and analyses of actual performance

versus budgets, forecasts, and prior period performance; relating different sets

of data – operating or financial, to one another, together with analyses of the

relationships and investigative and corrective actions; comparing internal data

with external sources of information; and review of functional or activity

performance.


• Recording of transactions (R)

To control the transactions and system, recording must be in placed to ensure

the completeness of all the transactions.

• Information processing. (I)

The two broad groupings of information systems control activities are (i)

application controls, which apply to the processing of individual applications,

and (ii) general IT-controls, which are policies and procedures that relate to

many applications and support the effective functioning of application controls

by helping to ensure the continued proper operation of information systems

• Segregation of duties. (S)

-Assigning different people the responsibilities of authorising transactions,

recording transactions, and maintaining custody of assets. Segregation of duties

is intended to reduce the opportunities to allow any person to be in a position to

both perpetrate and conceal errors or fraud in the normal course of the person‟s

duties.

• Supervision. (S)

All actions by all levels of staff should be supervised. The responsibility for

supervision should be clearly laid down and communicated to the person being

supervised. Example: Bank reconciliation must be checked by supervisor.

4.3.3 Component 3-Risk assessment. It is a process of identifying and

analysing risk factors that affect the business entity and managing the

risks. The client‟s business risks can arise or change as a result of the

following circumstances:

Change in the operating environment

New personnel

Change in information system

Rapid growth including foreign country expansion.

New products or service.

Corporate restructuring.

New or change in accounting standards


4.3.4 Component 4-Information and communication. This is concerning the

understanding of individual role in the internal control system and open

communication channel for reportable events. There are 2 categories of

information systems control procedures:

Category 1-General Controls. They relate to the overall information

processing environment over data maintenance, access security and

hardware protection.

Category 2- Application controls. They relate to software application that

ensure the information processed is complete, accurate and authorised.

4.3.5 Component 5-Monitoring. It involves monitoring and managing the

internal control system to ensure its effectiveness and efficiency in

operation as well as recommendation for improvement. It also involves

appropriate personnel assessing the design and operation of controls on a

timely basis and taking necessary action.

4.4 The effect of entity size on internal control

Small organisation. Due to limited resources, small entity could not able

to implement expensive and complex internal control system. Thus, the

owners are directly involved in day to day monitoring of business. Often,

the owners in small organization override the control procedures. In term

of communication channel, due to fewer levels of management, the

communication channel is effective.

Large organisation. Large organisation may have resources to

implement sophisticated control system and employ professionals to

monitor the operation process. Often the internal control system is formal

and well structured. Due to many levels of management, communication

process may be slower and subject to communication bottleneck problem.


4.5Limitations of Internal Control

4.5.1 Describe four inherent limitations of an internal control system.

i. There is potential for human error due to carelessness, mistakes

of judgment and misinterpretation of instructions.

ii. There is possibility that a person responsible for exercising an

internal control could abuse his power by overriding the internal

control.

iii. Fraudulent collusion to circumvent internal controls can happen

both within the company and outside the company.

iv. Cost and benefit analysis. Internal control system costs money.

To be effective, the benefits should be more than cost of

implementing a control system.

v. Company will give normally give priority to implement internal

controls that are routine and recurring transactions. In fact, more

controls must be in place for non routine transactions that are

normally high risk.

vi. Some of the internal control procedures are inflexible to change

quickly.

4.6 Consideration of Internal Control in Planning and Performing an Audit

ISA 300 Planning states that “the auditor should plan the audit so that the

engagement will be performed in an effective manner”. So, in the planning

stage, auditors need to consider whether they should rely on the client‟s internal

control system or not.

They are 2 audit strategies:

1) Non Reliance Strategy (also known as substantive strategy). If the

internal controls system is weak and poor, definitely the auditors do not

want to rely on them. When the internal control system is weak, the

control risk is said at high level. Therefore, auditors will directly collect

the evidence by themselves. Auditors will carry out a lot of detailed

testing to collect more evidence to support the audit opinion. This

detailed testing is called substantive testing. In short, if the internal

controls system is weak and control risk is assessed as HIGH, substantive

procedures will be used because auditors cannot rely on the system.


2) Reliance Strategy. If the internal control system is strong and effective,

the control risk is assessed as LOW. Then, auditors will rely on the

system by reducing the substantive testing.

Summary:

“WEAK IC HIGH CONTROL RISK NON RELIANCE

MORE SUBSTANTIVE TESTING.”

“STRONG IC LOW CONTROL RISK RELIANCE LESS

SUSBSTANTIVE TESTING”

4.7 Types of procedures used to assess the operation of internal control

system

No Procedures Explanation

1 Examining previous

audit work

Looking at the previous audit records to form an

understanding on the internal control system. If

it is the first audit, a detailed system

examination is carried out.

2 Client‟s own

documentation of the

system

Examine the client‟s manuals of accounting

procedures. These provide a valuable source of

information

3 Interview with

client‟s staff

Interview the staff on how they carried out their

tasks and ascertain that unauthorized personnel

are not allowed to access the records/ system.

4 Walk through test It involves taking a transaction through the

system from original sources of documents (e.g.

sales order) to final destination (e.g. Statement

of Comprehensive Income). Auditors perform

such tests to check their understanding on

internal control and documentation.

5 Examining/Inspecting

client‟s documents.

Examining the client‟s relevant documentations

to ensure they are complete and properly

matched. All the supporting documents must


No Procedures Explanation

Records and reports exist.

6 Re-performance on

client procedures

Auditors follow the client‟s procedures and

determine whether they obtain the same results

as per the client‟s records. For example, auditors

calculate depreciation by using the client‟s

depreciation rate and method to check whether

the results are the same or not.

7 Observation of

client‟s procedures

Just observe how client‟s carrying out

procedures such as how staff segregating their

duties, the ways staff performs duties that do not

have any documentation.

4.8 Documenting System & Control

4.8.1 Types of recording

No Recording Explanation Advantages Disadvantages

1 Narrative

notes

Use

narrative or

descriptive

statements to

record.

-simple & convenient

to record

-fast approach

1) It is

cumbersome &

takes up large

amount of storage;

2) notes may be

difficult to

interpret & review;

3) difficult to

make changes in

the system; 4)

difficult to spot

any omission of

data.

2 Organisati

on chart

Use chart to

present the

relationships

-convenient way of

showing the

relationship

-Do not deal with

informal

relationship



between

individuals

in an

organisation

-Useful to show who

should report to.

-Do not indicate

the reporting

procedure

-Cannot replace

other recording

methods but just

supplement them

3 Internal

control

question

(ICQ) or

checklist

ICQs are

used to ask

whether

controls

exist, which

meet specific

control

objectives.

The major

question

which

internal

control

questionnair

es are

designed to

answer is

'How good is

the system

of controls?'

-A standardised

checklist to record

- Easy to use as cross

reference to other

working paper.

- Questions

formed might be

too standardised

that not taking the

special

environment of a

particular client

4 Flowchart It is a

diagrammati

cal

representatio

n of a

system.

Symbols are

-Provide a clear

diagrammatic picture

-Enable the systems

to be recorded in a

standardized format

which is easily

-time consuming

to draw up



used to show

the flow of

documentati

ons.

understood.

-Highlight

relationships between

different parts of a

system.

- Provide an

overview of a flow of

system and

weaknesses are more

easily identified.

- encourage a

disciplined approach

to the recording of a

system in that the

originator of a

flowchart must have

a good understanding

of the system being

recorded.

4.7.2 Internal Control Questionnaires (ICQs) & Internal Control

Evaluation Questionnaires (ICEQs)

Two types of questionnaire are:-

Internal Control Questionnaires (ICQs) are used to ask whether

controls exist which meet specific control objectives.

Internal Control Evaluation Questionnaires (ICEQs) are used to

determine whether there are controls which prevent or detect specified

errors or omissions.


Internal Control Questionnaires (ICQs)

The major question which internal control questionnaires are designed to

answer is 'How good is the system of controls?'

Where strengths are identified, the auditors will perform work in the

relevant areas. If, however, weaknesses are discovered they should then

ask:

What errors or irregularities could be made possible by these

weaknesses?

Could such errors or irregularities be material to the accounts?

What substantive procedures will enable such errors or irregularities to

be discovered and quantified?

An example would be:

Are purchase invoices checked to goods received

notes before being passed for payment? YES/NO/Comments

A 'NO' answer to that question clearly indicates a weakness in the

company's payment procedures.

The ICQ questions below dealing with goods inward provide additional

illustrations of the ICQ approach.

Goods inward

(a) Are supplies examined on arrival as to quantity and quality?

(b) Is such an examination evidenced in some way?

(c) Is the receipt of supplies recorded, perhaps by means of goods

inwards notes?

(d) Are receipt records prepared by a person independent of those

responsible for:

(i) Ordering functions

(ii) The processing and recording of invoices

ICQs: advantages


(a) If drafted thoroughly, they can ensure all controls are considered.

(b) They are quick to prepare.

(c) They are easy to use and control.

ICQs: disadvantages

(a) The client may be able to overstate controls.

(b) They may contain a large number of irrelevant controls.

(c) They may not include unusual controls, which are nevertheless

effective in particular circumstances.

Internal Control Evaluation Questionnaires (ICEQs)

In recent years many auditing firms have developed and implemented an

evaluation technique more concerned with assessing whether specific

errors (or frauds) are possible rather than establishing whether certain

desirable controls are present.

This is achieved by reducing the control criteria for each transaction stream

down to a handful of key questions (or control questions). The

characteristic of these questions is that they concentrate on the significant

errors or omissions that could occur at each phase of the appropriate cycle

if controls are weak.


Internal control evaluation questionnaire: control questions

The sales (revenue) cycle

Is there reasonable assurance that:

(a) Sales are properly authorised?

(b) Sales are made to reliable payers?

(c) All goods despatched are invoiced?

(d) All invoices are properly prepared?

(e) All invoices are recorded?

(f) Invoices are properly supported?

(g) All credits to customers' accounts are valid?

(h) Cash and cheques received are properly recorded and deposited?

(i) Slow payers will be chased and that bad and doubtful debts will be provided against?

(j) All transactions are properly accounted for?

(k) Cash sales are properly dealt with?

(l) Sundry sales are controlled?

(m) At the period end the system will neither overstate nor understate trade accounts receivable?

The purchases (expenditure) cycle


(a) Goods or services could not be received without a liability being recorded?

(b) Receipt of goods or services is required in order to establish a liability?

(c) A liability will be recorded:

(i) Only for authorised items

(ii) At the proper amount?

(d) All payments are properly authorised?

(e) All credits due from suppliers are received?

(f) All transactions are properly accounted for?

(g) At the period end liabilities are neither overstated nor understated by the system?

(h) The balance at the bank is properly recorded at all times?

(i) Unauthorised cash payments could not be made and that the balance of petty cash is correctly

stated at all times?

Wages and salaries


(a) Employees are only paid for work done?

(b) Employees are paid the correct amount (gross and net)?

(c) The right employees actually receive the right amount?

(d) Accounting for payroll costs and deductions is accurate?

Inventory


(a) Inventory is safeguarded from physical loss (eg fire, theft, deterioration)?

(b) Inventory records are accurate and up to date?

(c) The recorded inventory exists?

(d) The recorded inventory is owned by the company?

(e) The cut off is reliable?

(f) The costing system is reliable?

(g) The inventory sheets are accurately compiled?

(h) The inventory valuation is fair?

Non current tangible assets


(a) Recorded assets actually exist and belong to the company?

(b) Capital expenditure is authorised and reported?

(c) Disposals of non current assets are authorised and reported?

(d) Depreciation is realistic?

(e) Non current assets are correctly accounted for?

(f) Income derived from non current assets is accounted for?

Investment


ICEQs: advantages

(a) Because they are drafted in terms of objectives rather than specific

controls, they are easier to apply to a variety of systems than ICQs.

(b) Answering ICEQs should enable auditors to identify the key controls

which they are most likely to test during control testing.

(c) ICEQs can highlight areas of weakness where extensive substantive

testing will be required.

ICEQs: disadvantage

(a) They can be drafted vaguely, hence misunderstood and important

controls not identified.


CHAPTER 5

AUDIT EVIDENCE

________________________________________________________________

Learning Outcomes


Understand the basic concept of audit evidence

Explain the financial statement assertions



5.1 The Concept of audit evidence

5.1.1 Definition of audit evidence

Audit evidences are information obtained by the auditor in arriving at the

conclusions on which the audit opinion is based. It is any information used by

the auditor to determine whether the information being audited is stated in

accordance with the established criteria.

The concept of audit evidence is influenced by:

The nature of audit evidence

The appropriateness of audit evidence

The sufficiency of audit evidence

The evaluation of audit evidence.

5.1.2 ISA 500 Audit Evidence requires auditors to obtain sufficient

appropriate audit evidence to be able to draw reasonable conclusions on

which to base the audit opinion. Sufficiency means adequacy in term of

quantity of evidence. Appropriateness means the quality or reliability of

audit evidence.

5.1.3 Factors which will influence the auditor’s judgement concerning the

sufficiency of audit evidence obtained.

Factor 1- Assessment of inherent risk

As inherent risk increases, then more audit evidence will be required to reduce

detection risk.

Factor 2- Materiality of the item

An increase in materiality means that more audit evidence will be required to

ensure that no material error has occurred.

Factor 3- Nature of the accounting and control systems

Where the accounting and control systems are poor, then more audit evidence is

necessary as less reliance can be placed on those systems.


Factor 4- Control risk

Determine the extent to which the directors have implemented a sound system

of internal control; poor internal controls increase control risk, decreasing

reliance that can be placed on those controls.

Factor 5- Experience from previous audits

Good experience from previous audits will decrease the amount of evidence

required as the auditor can place reliance on previous review of client‟s

systems.

Factor 6- Result of audit procedures

Where the results of different audit procedures agree with each other, then

overall less evidence is needed – overall the evidence is more persuasive;

however, where results are in conflict then more evidence is required.

Factor 7- Quality of information available

Some sources of audit evidence are more reliable than others – meaning, less

evidence is needed when relying on those sources. For example; documentary

evidence is more reliable than oral evidence.

5.1.4 Four determinants/characteristics of the persuasiveness of evidence.

(Or appropriateness of audit evidence)

1) Relevance. Evidence must pertain to the audit objective that the auditor is

testing before it can be persuasive. If the auditor relies on evidence that is

unrelated to the audit objective, he may reach an incorrect conclusion about a

management assertion.

2) Reliability. Reliability is concerned with worthy of trust. The degree of

reliability depends on the following factors:

Evidence is reliable if the sources are independent such as external third

party‟s evidence or confirmation- e.g. bank confirmation

letter/receivables confirmation letter is more reliable than internal sources

such as bank reconciliation statement/sales invoices.

Evidences collected by auditors themselves are more reliable than

client‟s internally generated reports – e.g. auditors perform their own

bank reconciliation.


Strong internal control system will produce more reliable evidence.

Qualified experts and skilful professionals are able to produce more

reliable evidence than unskilful parties- e.g. qualified engineer‟s advice is

more reliable than non-qualified engineer‟s.

Objective evidence is better than subjective judgement.

Written documentation is more reliable than oral ones.

Original document is more reliable than photocopied ones.

3) Sufficiency of the evidence- sufficiency is referring to quantity of evidence.

4) Timeliness. The timeliness of audit evidence can refer either to when it is

accumulated or to the period covered by the audit.

“Audit evidence is usually persuasive rather than convincing for two reasons.

First, since an audit must be completed in a reasonable amount of time and at a

reasonable cost, the auditor examines only a sample of the transactions that

compose the class of transactions or account balance. Second, due to the nature

of evidence, auditors must often rely on evidence that is not perfectly reliable.

The types of audit evidence examined by the auditor have different degrees of

reliability, and even highly reliable evidence has weaknesses. Therefore, the

evidence obtained by the auditor seldom provides absolutely convincing

evidence about a financial statement assertion.”

5.1.5 Three ways/sources of gathering audit evidence:

1. ................... generated evidences- They are generated inside the company

itself such as purchase orders, payment vouchers, good received notes etc.

Internal generated evidences are less reliable.

2. ................... generated evidences- They are generated outside the

company such as third party confirmation, purchase invoices of suppliers.

Reliability of external evidence is higher.

3. ..................... generated evidences- They are generated by auditors

themselves such as auditors re-performing calculation on depreciation.

Auditor‟s collection of evidences is more reliable compared to client‟s

generated evidence.

5.1.6 Procedures to obtain audit evidence


Audit evidence can be obtained by Analytical Procedures, Enquiry,

Inspection, Observation, Computation & re-performance and

Confirmation (A.E.I.O.U + C)

Procedures Explanation Assertion

Analytical

procedures

(A)

-This is the analysis of significant ratios and

trends such as evaluating and comparing

financial and non- financial data for

relationship that is inconsistent with other

information.

For example, comparing total gross salary

against number of employees.

Completeness

Occurrence

Existence

Classification

Enquiry (E) -This involves seeking information from

client‟s staff or external sources. Strength of

evidence depends on the knowledge and

integrity of source of information. Normally,

inquiry will support corroborative evidence.

For example, auditors enquire the

management on the obsolete, slow moving

stock which has lower value.

Existence

Occurrence

Accuracy

Physical

inspection of

assets (I)

-Inspection of assets that are recorded in the

accounting records is to confirm the

existence, give evidence of valuation, but

does not confirm the right & obligation.

-Conformation that assets seen are recorded

in accounting records gives evidence of

completeness

For example, counting cash in hand,

counting stock quantity, inspecting the

condition of assets.

Existence,

valuation,

completeness

Inspection of

documentation

(I)

-Inspection of documentation is to confirm

an asset exists or a transaction occurred.

-Confirmation that items recorded in

supporting documentation are recorded in

accounting records tests “completeness”.

Existence

Occurrence

Completeness

Cut off

Valuation

Right &

Obligation


Procedures Explanation Assertion

-Cut-off can be verified by checking

transactions recorded after Statement of

Financial Position date to supporting

document to confirm they occurred after the

Statement of Financial Position date.

-Inspection of documentation provides

evidence of valuation/measurement, rights

and obligations and nature of items. It can

also be used to compare documents and

confirm authorisation.

For example, inspecting the land title to

ascertain the ownership.

Observation

(O)

-Just watching how a procedure being

performed. Observation can just confirm

that the procedure took place.

For example, auditor observed the

segregation of duties between the person

receiving payments from customers and the

person recording those payments in the

accounts receivable ledger.

Completeness

Classification

CompUtation

and re-

performance

(U)

-Computation involves checking arithmetic

accuracy such as cross casting, testing

addition and subtraction. For example,

compute the depreciation amount.

-Re-performance involves auditor applying

the client‟s procedures and check for

accuracy. It is normally viewed as highly

reliable because the auditors collect the

evidence themselves.

Accuracy

Confirmation -This involves seeking confirmation from

another source of details in client‟s

accounting records such as obtain bank

confirmation on the bank statement balance.

Occurrence

Existence

Accuracy



5.1.7 Quality of evidence

High quality of evidence Low quality of evidence

-Independent external evidence - Internally generated evidence

-Internal evidence with strong control - Internal evidence with poor control

system system

-Evidence obtained directly by auditor - Evidence obtained indirectly by others

-Written document - Oral

-Original document - Photocopied document

Audit Evidence

(Gathering evidence)

2.

Substantive Analytical

Procedures

3.

Examples- inspection,

observation, enquiry etc

Examples- Verify original

documents, 3rd

party confirmation

Audit Opinion

1. Risk Assessment

Procedures

P


5. 2 Management Assertions (Financial Assertions) (EXAM FOCUS

AREA)

Management is responsible for the true and fair presentation of the financial

statements. ASSERTIONS are expressed or implied representations by

management in the financial statements. For example, when the Statement of

Financial Position has an item of receivable of RM5 million, management

asserts that the receivables actually exist and related transactions occurred.

Thus, management assertions can be grouped into 3 categories:

Category 1- Assertions about transactions and events for the period under audit.

Category 2- Assertions about account balances at the period end.

Category 3- Assertions about presentation and disclosure.

IMPORTANT! When you design audit tests/procedures for specific areas,

you should focus on the management (financial) assertions.

C

3. Presentation &

Disclosure

2. Account

Balances

1. Transactions &

events

1. Completeness 2. Accuracy 3. Cut off 4. Classification 5. Occurrence “CACCO”

1. Completeness 2. Obligation 3. Valuation & allocation 4. Existence 5. Rights “COVER”

1. Completeness 2. Classification & understandability 2. Occurrence & right 3. Valuation & Accuracy 5. Rights “CCOVR”


Remember this: “A.C.C.A. C.O.V.E.R.” for management assertions

1. Accuracy- amounts and other data relating to recorded transactions have

been recorded precisely.

2. Completeness- all transaction/disclosure that have been recorded/ disclosed.

3. Cut off- transactions have been recorded in the correct accounting period

4. Allocation-A transaction or event is recorded at the proper amount and

revenue or expense is allocated to the proper period.

5. Classification/understandability- transactions have been recorded in the

proper account. Understandability means the financial information is

appropriately presented and described and disclosed clearly.

6. Occurrence- transactions and events that have been recorded actually

occurred and relate to the entity.

7. Valuation- assets, liabilities and equity are included in the financial

statements at appropriate amounts and any resulting valuation or allocation

adjustments are appropriately recorded.

8. Existence- assets, liabilities and equity interest do exist.

9. Rights and obligation-the entity holds or controls the rights to assets.

Liabilities are the obligation of the entity.

5.3 Audit Objectives

5.3.1 In obtaining evidence to support the assertions contained in the financial

statements, auditor develops specific audit objectives that relate to each

management assertion.

5.3.2 Audit objectives test the category (transactions, account balances &

disclosure) of each management assertions.

5.3.3 Some audit objectives and their related assertions are more important than

others. For example, audit objective to test assets will be on its validity; while,

a test of a liabilities will place more emphasis on completeness.


5.3.4 Relationship between management assertions and their related audit

objectives

Management Assertions Audit Objectives

Existence Validity

Rights and obligations Ownership

Occurrence Validity

Completeness Completeness and cut off

Valuation Accuracy

Presentation and disclosure Classification and disclosure

The relationship between the management assertion of existence and

audit objective is to verify the validity of the transactions in the financial

statements by performing a physical inspection on the assets.

The relationship between the management assertion of right and

obligation and audit objective is to verify the ownership of the

assets/liabilities in the financial statements by inspecting the title deed of

the assets or agreement.

The relationship between the management assertion of occurrence and

audit objective is to verify the validity of the transactions in the financial

statements.

The relationship between the management assertion of completeness and

audit objective is to verify the completeness and proper cut off of the

transactions, assets and liabilities in the financial statements.

The relationship between the management assertion of valuation and

audit objective is to verify the accuracy of the amount of transactions,

assets and liabilities in the financial statements.

The relationship between the management assertion of presentation and

disclosure and audit objective is to verify the proper classification and

disclosure of the transactions, assets and liabilities in the financial

statements.


5.3.6 The following are the discussion of audit objectives

Validity. It relates to the existence or occurrence assertion and is

concerned with whether the transactions included in the financial

statements are valid or in existence. The auditor‟s main concern is that

the account balances are not overstated.

Ownership. It addresses whether the assets and liabilities belong to the

entity and relates directly to management‟s assertions about rights and

obligations. If the entity does not have rights to an asset or liability, it

should not be included in the financial statements.

Completeness. It relates to the management assertion of completeness

and address whether all transactions are included in the accounts.

Cut-off. It relates to the completeness assertion and is concerned with the

transactions included in the account are recorded in the proper accounting

period.

Accuracy. It relates to the valuation or allocation assertion and addresses

proper accumulation of transactions and amounts.

Classification. It relates to the presentation and disclosure assertion. It is

important that transactions be included in the correct account and that

accounts be properly presented in the financial statements.

Disclosure. It relates directly to the presentation and disclosure assertion

and is concerned with that all financial statement disclosures are made in

accordance with approved accounting standards and regulations.


5.4 The relationship of audit evidence to the audit report

An overview of the relationships between the financial statements,

management assertions, audit procedures and the audit report

In order to form an opinion whether the financial statements prepared show true

and fair view, auditors need to carry out audit procedures to obtain evidences.

These evidences would support the audit opinion. The audit procedures

designed by auditors are derived from management assertions. The audit

opinion expressed in the audit report is to provide reasonable assurance that the

financial statements are free from material misstatement.

5.4.1 Relationship of the types of evidence to audit objectives

Audit Objectives

Type of

evidence

Validity Complete

-ness

Cut off Ownership Accuracy Valuation Classification Disclosure

Analytical

Procedures

Enquiry

Inspection –

physical

assets

Financial Statements Audit report

Evidences on the “true and fair

view” of financial statements

Management assertions about

components of financial

statements

Audit procedures


Type of

evidence

Validity Complete

-ness

Cut off Ownership Accuracy Valuation Classification Disclosure

Inspection-

documentatio

n

Observation

Computation

Reperforman

ce

Confirmation

5.5Management Representation (Letter of Representation)

5.5.1 ISA 580 Written Representations requires auditors to obtain written

confirmation of appropriate representations before the audit report is issued,

when other sufficient appropriate audit evidence cannot reasonably be expected

to exist.

5.5.2 The purposes of Management Representation are:

To allow directors to acknowledge their responsibilities for FS

To confirm matter material to financial statements where representation is

the audit evidence.

Used as audit evidence when other audit evidence is expected to be not

available

Requirement of ISA580 to obtain management representation

Acknowledges representations previously made verbally by management

Minimises the misunderstandings between management and auditor

Reasonable assurance about effective working of internal control system


CHAPTER 6

AUDIT PROCEDURES

________________________________________________________________

Learning Outcomes


Explain the audit objectives and audit procedures

Describe the types of audit tests.



6.1 Audit Procedures

6.1.1 Audit procedures are specific actions performed by the auditor to gather

evidence to draw conclusions on which to base the audit opinion. Audit

procedures can be grouped under the following 3 main categories:

1. Risk assessment procedures.

2. Tests of controls.

3. Substantive procedures.


Audit Evidence

(Gathering evidence)

2.

Substantive Analytical

Procedures

Tests of details

3.

Examples- inspection,

observation, enquiry etc

Examples- Verify original

documents, 3rd

party confirmation

Audit Opinion

1.

P


6.1.2 Risk Assessment Procedures

ISA 315 Understanding an Entity and Its Environment requires the

auditor to perform risk assessment procedures and obtain an

understanding of the entity and its environment including its internal

control in order to assess the risks of material misstatement at the

financial statement and assertion level.

The auditors always perform risk assessment procedures to obtain

understanding of the entity and its environment. By performing these

procedures, auditors are able to assess the risk of material misstatement at

the financial statement and assertion levels.

Examples of risk assessment procedures are inspection of

records/documents, examination of physical assets, observation, inquiries,

confirmation and others.

6.1.3 Tests of Control (TOC)

TOC are performed to obtain audit evidence about the suitability of

design and effectiveness of operation of the accounting and internal

control systems in the organisation. They are based on the auditor‟s

understanding of the entity‟s internal control. The auditor may perform

tests of controls to test the operating effectiveness of controls in

preventing or detecting and correcting material misstatements at the

assertion level.

TOC consist of procedures directed toward testing the operating

effectiveness of controls to prevent, detect or correct material

misstatement. TOC include obtaining audit evidence about how controls

were applied, the consistency with which they were applied, and by

whom or by what means they were applied.

The auditor can use the following procedures to test the control system:

i. Inquiries of appropriate management, supervisor and staff

personnel.


ii. Inspection of documents, reports and electronic files

iii. Observation of the application of specific control.

iv. Walkthroughs, which involve tracing a transaction from its

original source to its inclusion in the financial statements.

v. Re-performance of the application of the control by the auditors.

After performing the tests of control, if the control risk is LOW (it means

the control system is very good), then auditor will perform LESS

substantive procedures because the auditor can rely on the internal control

system.

Conversely, if the control risk is ..........., the auditor has to perform

............. substantive procedures to collect more evidences because they

cannot rely on the internal control system.

6.1.4 Substantive Procedures

A substantive procedure is a procedure designed to test for misstatements

in a transaction class, account balance and disclosure components that

directly affect the financial statements.

Substantive procedures include detailed testing on account balance and

transaction, disclosure and analytical procedures. Based on the assessed

risk of material misstatement, the auditor performs substantive

procedures to detect material misstatement at the assertion level.

Under substantive procedures, there are 2 categories of substantive

procedures:-

i. Tests of details of class of transactions, account balances and

disclosure. These procedures are testing individual transaction for

fraud or errors. For example, auditor may verify a large purchase

invoices (one by one checking) to collect evidence about the

occurrence, completeness and accuracy assertions.

ii. Substantive analytical procedures (AP). AP can be used as

substantive procedures at the assertion level by comparison of

recorded value with the expectations developed by the auditor


6.2 Types of audit procedures

The following are the different types of audit procedures:

i. Documentation or records inspection: It involves examination of

documentary evidence both internal and external sources such as examine

the sales invoices a few days before the year end.

Tracing refers to first select a transaction and then follow it to the journal or

ledger. The direction is from source documents to ledger or journals. Testing

this direction ensures that the transactions are completely recorded in the

accounting records. For example, auditor selects a sample of shipping

documents and traces to the sales invoices and to the sales journals. Then,

auditor would have an evidence of completeness of sales.

Vouching refers to first select an item from ledger or journals and then

examining back the original source documents. The direction is from ledger /

journals to source documents. This direction testing is to ensure the

transaction is actually occurred or valid. For example, auditor select a sales

transaction in sales ledger to vouch to customer sales order to ensure a genuine

sales transaction.

ii. Physical assets inspection: It is conducted by inspecting the condition or

counting the tangible assets such as physical count of year end stock, cash

count, inspecting plant and machinery, examining share certificates and

so on. Physical inspection provides a highly reliable type of evidence. It

satisfies the assertion of existence and condition of assets. However,

physical inspection on assets cannot satisfy the right and obligations

assertion.

Source

documents

Ledger or

journal


iii. Observation: by looking at the process or activity that leaves no audit

trial such as observation of segregation of duties in the accounts

department. For example, observing how staff personnel carry out the

procedures. Observation does not provide very reliable audit evidence

and normally require additional corroborating evidence to support it.

iv. Enquiries: Seeking information of knowledgeable persons inside or

outside the company such as legal advice from a lawyer. Inquiry alone

does not provide sufficient audit evidence and the auditor will gather

additional corroborative evidence to support the response. In conducting

inquiry, the auditor should:

Consider the knowledge, objectivity, experience,

responsibility and qualification of the person to be

questioned.

Ask clear, concise and relevant questions.

Use open or closed questions appropriately.

Listen actively and effectively.

Consider the reactions and responses and ask follow up

questions.

Evaluate the response.

v. Confirmation: Obtain a written representation from an independent party

to justify the client‟s information such as obtain a bank confirmation for

bank balance and receivable confirmation from customers. The reliability

of confirmation depends of the following factors:

Written or oral confirmation.

Past experience with the entity

The nature of the information being confirmed.

The person /party giving the confirmation.

vi. Scanning: Scanning is the review of accounting data to identify

significant or unusual items. It can be performed either manually or using

computer.


vii. Computation: It consists of checking the mathematic accuracy of source

documents and accounting records such as casting the depreciation

calculation.

viii. Re-performance: Re-perform the procedures or controls that were part

of the entity‟s internal control system such as re-perform the bank

reconciliation.

ix. Analytical procedure: Conduct a study of comparison and relationships

among both financial and non-financial information such as compare

actual capital expenditure with the budget.

6.3 Relationship of audit procedures to assertions

6.3.1 Audit programme is a set of audit procedures prepared to verify

assertions for a component of the financial statements. Audit programme will be

designed to meet the assertions. The following is an example of audit

procedures for account receivable to meet the various assertions.

Management assertions about the

accounts receivables component of

the financial statements

Audit procedures for account

receivable

Existence Confirm accounts receivable

Rights and obligations Inquire of management whether

receivables have been sold.

Completeness Agree total of accounts receivable

subsidiary ledger to accounts

receivable control account.

Valuation or allocation Test the adequacy of the allowance for

doubtful debts.

Presentation and disclosure Examine listing of accounts receivable

for amounts due from related parties.


6.4 Reliability of the types of audit procedures

6.4.1 Hierarchy of the reliability of evidence from audit procedures.

Level of reliability Type of procedures

High Physical examination

Computation

Medium Documentation inspection

Confirmation

Analytical procedures

Low Inquiries of client‟s personnel

/management

Observation

6.4.2 Physical examination and computation are generally considered as “high

reliability” because the auditor has direct knowledge about them,

6.4.3 Inspection of documentation, confirmation and analytical procedures are

generally considered to be “medium reliability”.

6.4.4 Inquiries of client‟s personnel or management and observation provide

generally “low reliability” because both require further corroboration evidence

to verify.

6.5 Analytical procedures (AP)

6.5.1 Definition of Analytical Procedures

ISA 520 Analytical Procedures defines AP as evaluations of financial

information made by a study of plausible relationship among both financial and

non-financial data. The important concept of AP is the “comparison” of figures.

6.5.2 Analytical procedures include the consideration of comparisons with, for

example, the following:

a. Comparison of current year financial information with comparable prior

period by calculating ratio analysis, trend analysis.


b. Comparison of current year financial information with budgets,

projections and forecasts.

c. Predictive estimate prepared by the auditors, such as an estimation of the

depreciation charge for the year.

d. Comparison of company‟s results to the industrial standards.

e. Comparison between financial information against non-financial

information.

6.5.2 Purposes of AP- Analytical procedures are used by the auditor:

a. To assist in planning the nature, timing and extent of other audit

procedures. It is also known as PRELIMINARY Analytical Procedures.

(BEFORE AUDITING)

b. As substantive procedures when their use can be more effective and

efficient than other procedures in reducing detection risk for specific

financial statement assertions. It is also known as SUBSTANTIVE

Analytical Procedures. (DURING AUDITING)

c. As part of the overall review of financial statements when completing the

audit. It is also known as FINAL Analytical Procedures or Analytical

Review Procedures. (AFTER AUDITING). The objective of AP at the

overall review stage of an audit is to assist the auditor in assessing the

conclusions reached and evaluating the overall financial statement

presentation.

This requires reviewing the trial balance, financial statements,

explanatory notes in order to:

Judge the adequacy of the evidence gathered to support any

unusual balances during the audit.

Determine if any other unusual balances or relationships

have not been investigated.


6.5.3 Selected financial ratios that normally used as AP

1. Current ratio

2. Quick ratio

3. Days outstanding in accounts receivable

4. Inventory turnover

5. Days of inventory on hand

6. Gross profit percentage

7. Profit margin

8. Return on equity

9. Debt to equity

10. Time interest earned


CHAPTER 7

AUDIT RISK AND MATERIALITY

________________________________________________________________

Learning Outcomes


Understand the concept of audit risk.

Learn the form and components of the audit risk model.

Understand how to use the audit risk model in a risk based approach.

Understand the audit risk assessment procedures.

Understand the concept of materiality and steps in applying materiality.



7.1 Audit Risk

7.1.1 An auditors face two major types of risk:

1. Audit risk. This is the risk that the auditors express an inappropriate

(wrong) audit opinion when the financial statements are materially

misstated. In other words, audit risk is the risk that auditor will issue an

unqualified opinion when the financial statements contain material

misstatement.

2. Auditor’s business risk. This is the auditor‟s exposure to loss or

injury to his professional practice from litigation, adverse publicity or

other events arising in connection with financial statements audited and

reported on. For example, an auditor may conduct an audit in accordance

with established auditing standards and still be sued by the client or third

party. Although the auditor has complied with professional standards and

may ultimately win the lawsuit, his professional reputation may be

damaged in the process by the negative publicity.

Auditor‟s business risk cannot be eliminated completely but it can be

reduced by exercising quality controls of the audit works or by avoiding

engagement of client that lacks integrity or is in the financial difficulty.

7.1.2 The audit risk model. The auditor should use professional judgement to

assess audit risk and to design audit procedures to ensure it is reduced or

restricted to acceptable low level.

7.1.3 The auditors consider risks of material misstatement at 2 levels:-

1. The overall financial statement level. Risk at this level frequently

relates to an entity‟s control environment. The auditor‟s response to

address such risks may include the use of more experienced audit staff,

use of experts to minimize the risk.

2. The assertion level for individual account balances and classes of

transactions. [ Assertions mean expressed or implied representations by

management or a responsible party in an accountability relationship that

pertain to economic actions and events ].At this level, risk consideration

directly assists the auditor in determining the scope of auditing

procedures or a particular account balance or class of transactions, ie.


Determine whether the use of more tests of control or substantive

procedures is appropriate to address the risk.

7.1.4 Audit risk model can be expressed as the following: (EXAM FOCUS

POINT)

AR = IR x CR x DR where AR = Audit risk

IR = Inherent risk

CR = Control risk

DR = Detection risk

COMPANY

............ ....

................

....

.... ....

.... ....

....

............

............

....

....... ..... ....

Inherent risk

Control risk

FINANCIAL STATEMENTS

AUDITORS

Detection risk

AUDIT RISK RISK OF MATERIAL MISSTATEMENT= + DETECTION RISK

Audit risk (AR) is the risk that the auditor may fail to modify the opinion when

the financial statements contain material misstatement.

Inherent risk (IR) is the susceptibility of an assertion to material misstatement

in the financial statements in the absence of internal controls. It is a native

risk that cannot be eliminated.

This risk will be affected by such items as how much the company is subject to

market forces, the cash situation of the company, the trading history of the

company, and the nature and incidence of unusual transactions. Inventory, for

example, is more inherently risky than cash items because there is greater scope

for manipulation and error. A construction company is more risky than a food

retailer because construction company is subject to volatility of economic

situation.

External factors such as political, economic, social, technological, competitive

factors can influence inherent risks.


Control risk (CR) is the risk that material misstatements will not be

prevented, detected and corrected on a timely basis by an entity’s internal

control.

This risk will be affected by such factors as control environment in the company

including policies and procedures applied in particular areas.

When the control risk is assessed as high, auditor can use the following

strategies to reduce it:-

Use substantive testing strategy.

Not to use test of control

Carry out extensive substantive procedures.

Detection risk (DR) is the risk that the auditor’s procedures will not detect a

material misstatement that exists in an account balance or class of

transactions. Detection risk is a function of the effectiveness of auditing

procedures and their application by the auditor.

Detection risk made up by two sources of risks- sampling risk and non sampling

risk.

- Sampling risk is the risk that auditor‟s procedures select the wrong

sample which is not representative of the population and as a result

auditor draws an inappropriate conclusion.

- Non sampling risk is the risk that auditor may use inappropriate audit

procedures, and fail to detect a misstatement when applying audit

procedures or misinterpret an audit result.

7.1.6 Relationship among inherent risk, control risk and detection risk.

Detection risk has an inverse relationship to the risk of material misstatement

arising from inherent risk and control risk. The higher the risk of material

misstatement, the lower the acceptable detection risk. For example, if an entity‟s

inherent risk and control risk are high, the auditor sets a lower level of detection

risk in order to meet the planned level of audit risk.


AR = IR x CR x DR

DR = _____AR____

IR x CR

Example AR IR CR DR

1 Very low High High Low

2 Low Low High Moderate

3 Moderate High Low Moderate

7.2 The auditor’s risk assessment procedures

7.2.1 ISA 315 Understanding the entity and its environment and assessing the

risks of material misstatement provide guidance to auditors on understanding of

the firm business and its environment.

The auditor should obtain an understanding of the entity and environment

including internal control, sufficient to identify and assess the risks of material

misstatement of the financial statements and sufficient to design and perform

audit procedures.

7.2.2 The auditor’s understanding of the entity and its environment consists

of an understanding of the following aspects:

(a) Industry, regulatory, and other external factors, including the applicable

financial reporting framework.

(b) Nature of the entity, including the entity‟s selection and application of

accounting policies.

(c) Objectives and strategies and the related business risks that may result in a

material misstatement of the financial statements.


(d) Measurement and review of the entity‟s financial performance.

(e) Internal control systems.

7.2.3 Risk Assessment Procedures

The auditor should perform the following risk assessment procedures to obtain

an understanding of the entity and its environment, including its internal

control:

(a) Inquiries of management and others within the entity;

(b) Analytical procedures; and

(c) Observation and inspection.

7.2.4 Assessing the Risks of Material Misstatement

The auditor should identify and assess the risks of material misstatement at the

financial statement level, and at the assertion level for classes of transactions,

account balances, and disclosures. For this purpose, the auditor:

- Identifies risks throughout the process of obtaining an understanding

of the entity and its environment, including relevant controls that

relate to the risks, and by considering the classes of transactions,

account balances, and disclosures in the financial statements;

- Relates the identified risks to what can go wrong at the assertion level;

- Considers whether the risks are of a magnitude that could result in a

material misstatement of the financial statements;

- Considers the likelihood that the risks could result in a material

misstatement of the financial statements.


7.2.5 Auditor’s response to the results of the risk assessment

In the response to the results of the risk assessment, auditor will:-

Firstly, determine the overall responses to address the risks of material

misstatement at the financial statement level-i.e. assessment of control

environment.

Secondly, the auditor has to consider how to respond to the risks of

misstatement at the assertion level- i.e. the nature, timing and extent of

the audit procedures.

Nature of audit procedures refers to ..................... (e.g. tests of control or

substantive procedures) and ...............(e.g. inspection, observation,

confirmation, analytical procedures). If the risk of misstatement is

considered as high, auditor will perform detailed substantive procedures

to obtain more evidence.

Extent of audit procedures refers to the ...................or ....................... of a

specific audit procedure. If the risk of misstatement is high, the auditor

will increase the extent of audit procedure such as increasing the size of

sample.

Timing refers to ...............audit procedures are performed or the period

or date to which the audit evidence applies. Audit can be conducted at an

interim period or year end. If the risk of misstatement is high, auditor will

plan for unpredictable times of checking.

7.3 Materiality

7.3.1 Materiality can be defined in the following terms: “Information is

material if its omission or misstatement could influence the economic

decisions of users taken on the basis of the financial statements”.

7.3.2 Materiality depends on the size of the item or error judged in the

particular circumstances of its omission or misstatement. Thus, materiality

provides a threshold or cut off point rather than being primary qualitative

characteristic which information must have if it is to be useful.


7.3.3 An item is material if it affects the truth and fairness of the financial

statement as a whole. But, truth and fairness is a matter of opinion

(judgement). Therefore, an item is judged to be material if it is of sufficient

size and/ or importance that its disclosure or non- disclosure is likely to affect

or influence the opinions/ judgement of users of the financial statements.

7.3.4 ISA 320 Audit Materiality states that the assessment of what is material is

a matter of professional judgement. Materiality can be expressed in both

qualitative and quantitative aspects.

7.3.5 Factors affecting judgement of materiality:

a. Materiality is a ..................... rather than an absolute concept. A

misstatement of an amount might be material for a small company but

immaterial for a large company. For example, a total of misstatement of

RM500,000-00 would be material for a small company but it would be

immaterial for a large company. Hence, it is not possible to set a specific

Ringgit-value guideline for all the audit client- i.e. different client has different

materiality level.

b. Bases are needed for evaluating materiality. Since materiality is a

judgemental matter, it is necessary to have bases for setting the materiality

level. Normally, auditor uses the following quantitative bases to set materiality:

Total assets (e.g. 0.5% x total assets)

Total revenues (e.g. 0.5% x total revenue)

Net income before tax (e.g. 5% x net income before tax)

Equity (e.g. 1% of equity)

Example:

Statement of Financial Position

Assets $10,000,000

Liabilities $7,000,000

Equity $3,000,000

$10,000,000

Statement of Comprehensive Income


Revenue $14,000,000

COS ($12,000,000)

GP $2,000,000

Indirect expenses ($1,200,000)

Net Income before tax $800,000

Income tax ($300,000)

Net Income after tax $500,000

So, the materiality level for each item (used as base) is

Net income before tax:

Total assets:

Revenue:

Equity:

c. Qualitative factors also affect materiality. Certain types of misstatements

are likely to be more important to users than others, even if the amounts are the

same. For example:

Amounts involving fraud are usually considered more important than

unintentional errors even though both are the same amounts, because

fraud reflects on the honesty and reliability of management or personnel

involved.

Misstatements can be material as a result of not meeting the contractual

obligations. For example, illegal payment (i.e. under table money) may

be immaterial (small amount of money) to the financial statements, but

once the disclosure of such illegal act to the public it may result huge

loss. Thus, it is said to be material.

The auditors need to consider both the quantity (amount) and the quality

(nature) of the misstatement. For example, a qualitative misstatement

would be the inadequate or improper description of an accounting policy

which is likely to mislead the users.

If a small amount of error repeated, it can cumulate to become material

effect. For example, a small error in a month end procedures, can

cumulatively have a material effect, if repeated.


7.3.6 Steps in applying materiality on an audit.

Step 1

Step 2

Step 3

Step 1- Establish a preliminary judgement about materiality

The preliminary judgement about materiality is the maximum amount by which

auditor believes the financial statements could be misstated and still not affect

the decisions of reasonable users.

In designing the audit plan, the auditor establishes an acceptable materiality

level so as to detect quantitatively material misstatements.

By quantifying the estimate about materiality, the audit team is able to plan the

scope of audit and evaluate the results of the audit procedures.

In the planning materiality, auditor should concern about the qualitative factors

that may affect establishing and evaluating materiality such as the following

factors:

Material misstatements in prior years.

Potential for fraud or illegal acts.

Violation of covenants in a loan agreement.

Trend in earning.

Miss forecasted revenue or earning.

Establish a preliminary judgement about materiality

Estimate likely misstatements and compare totals to

the preliminary judgement about materiality

Determine Tolerable Misstatement


Materiality may be increased based on favourable qualitative factors as

mentioned above, such as no material misstatement in the previous years, no

fraud or breach of laws or regulations, no violation of covenants in a loan

agreement, increasing in earnings and meeting the forecasted revenue.

Materiality will be lowered if unfavourable qualitative factors exist such as

many misstatements in the previous years, high potential of fraud case, violation

of loan covenant, decreasing trends in earnings and failure to meet the

forecasted results.

Step 2- Determine tolerable misstatement or tolerable error (TE)

Tolerable misstatement or tolerable error is the amount of planning materiality

that is allocated to an account balance or class of transactions. Some common

tolerable misstatement or tolerable error is 2%- 15% of the account or 50%-75%

of planning materiality. TE must be less than materiality amount.

For example

Planning Materiality of revenue = 0.5% x $14,000,000 (revenue) =

$70,000

Tolerable error = $70,000 (planning materiality) x 50% = $35,000-00

Account balance represents an individual line of item such as accounts

receivables.

A class of transactions refers to a type of transactions processed by the client‟s

accounting system such as purchase or revenue transactions.

The purpose of allocating a portion of the preliminary judgement about

materiality is to plan the scope of audit procedures for the individual account

balance or class of transactions.

For example, if a small amount of materiality were allocated to a specific

account, such as receivable, more evidence would be gathered. If a larger

amount of materiality were allocated, then less evidence would be gathered.


Summary: Small Materiality, More Evidence

Example A Example B

Materiality Level Materiality Level

Material

High RM70k (High ML)

Material

RM35k TE

Immaterial

Low RM1k (Low ML)

Immaterial

In allocating materiality, the auditor should consider the following factors:

The magnitude (degree) of the account relative to the financial

statements;

The expectation of error

The relative cost to audit the account balance or class of transactions.

Step 3- Estimate likely misstatements and compare totals to the

preliminary judgement about materiality

Step 3 is done near the end of the audit, when the auditor review all the

evidence that has been gathered.

In this step, based on the results of the audit procedures conducted, the auditor

aggregates misstatements from each account or class of transactions. Auditor

compares this aggregate misstatement to the preliminary judgement about


materiality established in step 1 and may revise the planning materiality, if

necessary.

If the misstatements are less than the preliminary judgement about materiality,

the auditor can conclude that the financial statements are true and fair.

If the misstatements are greater than the planned judgement about materiality,

the auditor will ask the client to adjust the financial statements. If the client

refuses to correct the financial statements, the auditor should issue a qualified or

an adverse opinion because the financial statements do not present a true and

fair view.

7.3.7 Roles of materiality concept

i. In the audit planning, auditor needs to set preliminary materiality level,

plan audit procedures to detect misstatement that is above materiality

level.

ii. During the auditing process, auditor will carry out audit procedures as

planned, focus on transactions above material level. Auditor will revise

materiality level and carry out additional audit procedure, if necessary.

iii. At the final audit, auditor will evaluate the impact of misstatement on the

true and fairness of financial statements and consider the appropriateness

of the audit report to be issued.

7.3.8 Significance of the concept of materiality to the auditor.

a. The concept of materiality is extremely important to the auditor because:

- It assists the auditor to determine whether true and fair view has been

distorted.

- It indicates the amount of audit work should be done on a specific

area.

- It enables the auditors to restrict the scope of audit work, and hence to

make the most efficient use of time and staff and also avoiding

unnecessary testing of those immaterial items.

b. Materiality is an important consideration in deciding the appropriate type of

audit report given in different circumstances.


c. Without setting a materiality level, auditors have to find all the misstatements

which are impossible. By nature of audit, auditors are responsible for obtaining

reasonable assurance that this materiality threshold has been satisfied.

d. However the use of predetermined materiality level has some drawbacks such

as:

The choice of materiality is subjective- there is nothing to decide what

figure is appropriate in any given case.

The use of a materiality level implies errors below a certain size may not

be detected by the auditor‟s work.

Individual immaterial errors may in total become material misstatement.

7.3.9 Relationship between materiality and audit risk.

The relationship between materiality and audit risk is inverse. The higher the

materiality level, the lower the audit risk and vice versa. If the auditor

determines that the acceptable materiality level is lower, audit risk is higher.

The auditor would have to compensate this by either:

a. Reducing the level of assessed control risk

b. Reducing the detection risk by modifying the nature, timing and extent of

substantive procedures (ISA320 requirement).

“High AR, low material level, thus auditor needs to .................. the volume of

checking”

“Low AR, high material level, thus auditor ..................... the volume of

checking”

Audit Risk Level


High

Low

Low Materiality High

CHAPTER 8

AUDIT PLANNING AND CONTROL

________________________________________________________________

Lesson Learning Outcomes


Understand the pre engagement planning

The content and purpose of engagement letter

Understand the flow of audit planning

Documentation of working papers and files.



8.1 The Process of Auditing

Step Process Description

1 Engagement letter Every auditor should send his client an engagement

letter which sets out the auditor‟s duties and

responsibilities before commencement of audit

work. If the client requires other services, the scope

of these services should be set out clearly.

2 Planning The auditor must plan and control the audit work if

the audit work is to be done to a high standard of

skill and care.

3 Ascertainment of

system

An auditor must enquire information and ascertain

the client‟s system of accounting and internal

control system in order to understand the

effectiveness and reliability of the system.

4 Testing

transactions

The auditor should test the controls if he intends to

rely on them and he must test the records in order

to obtain evidence that they are reliable basis for

the preparation of accounts.

5 Verifying assets

and liabilities

The auditor must verify the figure appearing in the


5.

Verifying

assets &

liabilities

1. Engagement

letter 2. Planning 3. Ascertainment

of system

7. Obtain management

representation

8. Signing audit report 6. Review of financial

statement

9. Auditor

re-

elected at

AGM

4. Testing

transactions


Step Process Description

6 Review of

financial

statements

The auditor reviews the financial statement to see

if overall they appear sensible.

7 Obtaining

management

representation

The auditor asks the management to formally

confirm the correctness of the financial statements.

8 Signing audit

report

The auditor signs the audit report once the directors

have approved the accounts. Audited accounts are

laid before the members at the company‟s AGM.

9 Auditor re-elected

at AGM

The end of AGM signifies the end of the auditor‟s

term of office. The members of the company may

decide by a majority to re-elect the auditor if he

wishes to continue to act for the company.

8.2 Preliminary Engagement Activities

Phases of an audit that relate to audit planning

Preliminary engagement activities help the auditor to consider events or

circumstances that may adversely affect the auditor‟s ability to plan and

perform the audit engagement to reduce audit risk to an acceptable low level.

Preliminary engagement activities

Obtain understanding of the entity

Planning: Set overall audit strategy & develop audit plan

Establish materiality & assess risks


8.2.1 Issues to consider before accepting an engagement

a. Qualification to act as an auditor. Determine if the auditors are independent

of the client and able to provide the desired service.

b. Technical competence. Determine whether the auditors have the necessary

expertise, technical skills and knowledge of the industry to carry out an

effective audit especially if the client business is in a specialised industry.

c. Resources available. Auditors should determine whether they have resources

(e.g. audit staff, audit techniques) to perform the audit work and complete the

audit engagement within the deadline.

d. Ethical matters. Auditors should determine if they accept the client would

violate any applicable regulations and standards or face any ethical threats to the

independence of the auditor.

e. Risk assessment. Auditors should consider if they accept the client and the

risk associated to the client would pose a significant danger to the auditor‟s

reputation. When auditors assess the risk, they need to consider the following:-

The viability and stability of the client‟s business

The character and involvement of management

The effectiveness of accounting system and internal control system

The application of accounting standards and policies

Whether is there any unusual item or going concern problem faced by the

client

f. Replacement of previous auditors. If this is the first year audit, auditors

should consider the reasons for resignation of the previous auditor. Auditors

should contact the previous auditor to find out is there any serious disagreement

with directors over accounting matters.

g. Procedures for obtaining information. When considering accepting

appointment, auditors should obtain and review the available financial

information (e.g. annual reports, interim management reports etc.) and inquire

third parties (e.g. banks, solicitors) about any information concerning the

integrity of the management.


8.2.2 Upon acceptance of an appointment, a contract is entered into. Terms of

the contract can be both implied or expressly agreed.

Implied terms include:-

Preserving client’s confidentiality

Caring of client’s books and documents

Compliance of rules and laws affecting his

appointment

Expressed terms are set out in writing in the ................................

8.2.3 Engagement Letter

a. Engagement letter is a letter that formalises the contract between the auditor

and the client and outlines the responsibilities of both parties.

b. Purposes of engagement letter

To clearly define the objective, scope of audit and the form of

report

To clearly define the extent of the auditor‟s responsibilities

To minimise the risk of misunderstandings between auditor and

client

To confirm acceptance by the auditor of his engagement

To confirm acceptance by the auditor of his engagement

To inform and educate the client on the limitation of the

engagement

c. Procedures to issue engagement letter

Discuss with the directors on the terms of engagement on or before

acceptance of a new client.

Draft and sign the letter before commencing any part of the

assignment.

Receive the client‟s written resolution on acceptance to confirm to

engage the auditor.

Review the engagement letter every year to make any change.


d. Major terms/contents of engagement letter

The objective of the audit of financial statements.

Management‟s responsibility for the financial statements.

The scope of the audit, including reference to applicable

legislation, regulations or professional standards.

The form of reports.

The inherent limitations of an audit and the risk that material

misstatements may remain undiscovered.

Unrestricted access to whatever records, documentation and other

information requested in connection with the audit.

The basis of calculation of audit fees.

e. Other terms that auditor may include in the engagement letter are:

Arrangements regarding the planning of the audit.

Expectation of receiving from management written confirmation

concerning representations made in connection with the audit.

Request for the client to confirm the terms of the engagement by

acknowledging receipt of the engagement letter.

Description of any other letters or reports the auditor expects to

issue to the client.

Basis on which fees are computed and any billing arrangements.

Arrangements concerning the involvement of other auditors and

experts in some aspects of the audit.

Arrangements concerning the involvement of internal auditors and

other client staff.

Arrangements to be made with the predecessor auditor, if any, in

the case of initial audit.

Any restriction on the auditor‟s liability when such possibility

exists.

A reference to any further agreements between the auditor and the

client.


8.2.4 Regular review of engagement letter

a. Engagement letter should be regularly reviewed (usually on an annual basis)

and be updated in response to the changes in the terms of engagement.

b. Auditors should send a new engagement letter to client when:-

Any indication that the client misunderstands the objective and

scope of the audit.

Any revised or special terms of the engagement.

A recent change of senior management, board of directors or

ownership of company.

A significant change in nature or size of the client‟s business.

There is a legal requirement.

8.3 Overall Audit Strategy

8.3.1 The auditor should plan the audit work so that the audit will be performed

in an effective manner.

8.3.2 Planning involves developing an overall audit strategy and an audit plan

that detailed the nature, timing and extent of the planned audit procedures.

8.3.3 Objectives/ /advantages/importance/purposes of audit planning are:

Establish the means of achieving the objectives of the audit.

Direct and control the audit work by delegation and coordination of

work

Ensure the auditor focuses on high risk or important areas.

Ensure the potential problem areas are identified such as material

misstatement, control weaknesses.

Ensure the audit work can be completed in time.

Audit work is completed in efficient manner.

To facilitate the direction, supervision and review of their work.

8.3.4 Overall audit strategy determines the scope, timing and direction of the

audit, and guides the auditor in developing a more detailed plan. In developing

the overall audit strategy, auditor should consider the following


The results of preliminary engagement activity (i.e. preliminary

risk assessment) and experience gained from other services

provided.

The reporting framework, reporting requirement and its objectives.

The materiality level.

The high risk areas where material misstatements do exist.

8.4 Planning Considerations

8.4.1 ISA 300 Planning an Audit of Financial Statements states that audit

planning is a continual process. Planning must be completed before the

commencement of detailed audit procedures.

8.4.2 Issues and considerations relevant to the audit planning process.

a. Staffing requirements and use of experts.

Auditors should determine the number and grade of audit staff to be

allocated to each stage of the audit. More experience audit staff are

required for high risk areas or involvement of experts on complex

matters.

In some cases, auditor may require the assistance of an expert (e.g.

engineer/doctor/lawyer/valuer) in particular field of specialization.

b. Considerations of materiality and risks

When planning the audit, the auditor considers what would make the

financial statements materially misstated. The auditor‟s assessment of

materiality helps to answer questions relating to nature of audit

procedures.

Auditor uses his knowledge about the entity and its environment as a

basis for identifying and assessing the risks of material misstatements in

the financial statements. Auditor should assess the inherent risks and

control risks that affect the financial assertions.

In evaluating the effect of information technology on the client‟s

accounting systems, the auditor needs information on the following:


The extent to which information technology is used in each

significant accounting system.

The complexity of the client‟s technology activities.

The organisational structure of the information technology

activities.

The availability of data.

The need for information technology assisted techniques to

father data and conduct of audit procedures.

c. Understand the applicable laws and regulations.

The auditor should recognise that non-compliance of laws and regulations

by the client entity may materially affect the financial statements and he

should obtain a general understanding of the legal and regulatory

framework applicable to the client entity. The auditor should primarily be

concerned with the following laws and regulations:-

Legal provisions that determine the form and content of the

client‟s financial statement.

Laws and regulations that affect the continuing operation of

the entity

Non-compliance of which can result in financial losses.

d. Identify related parties.

The auditor should identify all related parties during the planning phase

of the audit so that the auditor will be alert for related party transactions

during the audit. The related parties are holding company, subsidiaries,

associates, close family members, substantial shareholders, joint venture,

major suppliers and buyers.

e. Going concern issue.

In the planning of audit, auditor should consider whether there are events

or conditions and related business risks which may cast significant doubt

on the entity‟s ability to continue as a going concern.

f. Considering the internal audit function.

Auditor should assess the effectiveness, competence and objectivity of

internal audit function. The important criteria for this assessment are:


Organisation status of internal audit department. Internal

auditor should report to audit committee, not finance

director.

Scope of function. The nature and extent of functions

performed by internal auditors will affect the usefulness and

relevance of their work to external audit objective.

Technical competence such as skills and knowledge of

internal auditor.

Due professional care requires work to be properly planned,

reviewed and documented by internal auditors.

g. Review audit strategy with audit committee.

The auditor should review the audit planning with audit committee. Audit

committee is a subcommittee from the board of directors whose

responsibilities are to assist the board of directors in meeting corporate

governance practice.

h. Additional value-added services.

As part of the planning process, the auditor may look for opportunities to

recommend additional value-added services such as risk assessment,

business performance measurement, and electronic commerce.

8.5 Documenting Overall Audit Strategy and Audit Plan

8.5.1 The auditor should document the overall audit strategy and the audit plan

including any significant changes to the strategy or audit plan made during the

audit engagement.

8.5.2 The form and extent of documentation would depend on the size and

complexity of the entity, materiality and the circumstances of the specific audit

engagement.

8.5.3 An audit plan will set out the overall strategy while the detailed

procedures will be given in the audit program.

8.5.4 An audit program consists of detailed instructions (detail audit procedures)

that instruct the auditor to collect the evidence.


8.5.5 Advantages of using audit programs

Provide a clear set of instructions on the work to be done.

Provide clear record of the audit work carried out and by whom they were

carried out.

They facilitate the review of audit work by the audit manager/partner.

Duplication of work can be avoided.

Omission of important audit work can be avoided.

8.5.6 Disadvantages of using audit programs

Audit may be too rigid and not able to tailor to different situation.

Audit program may be outdated against the change in client‟s business.

A standardised audit program limits the auditor from probing any matter

concerning audit.

Too standardised audit program may restrict the auditor‟s innovation in

performing audit.

8.6 The Audit Testing Hierarchy

8.6.1 Audit testing hierarchy starts with tests of controls and substantive

analytical procedures (AP) before substantive tests of details. Auditor begins the

audit with test the effectiveness of internal control. If the tests of control

indicate that internal control system is strong, less substantive analytical

procedures and substantive tests of details will be performed; and vice versa.

1 2 3

Tests of control Substantive Analytical

Procedures

Substantive tests of

details


8.6.2 An “Assurance Bucker” Analogy. Assurance bucker is a mixture of audit

procedures and evidence. The assurance bucker must be filled with evidence to

obtain the level of assurance to support the auditor‟s opinion.

Min 95%

Confidence

Desired assurance

Assurance Bucker

8.6.3 Auditor first begins with fill the bucker with evidence from the risk

assessment procedures. After completing risk assessment procedures, the

auditor will conduct tests of control, followed by substantive analytical

procedures and finally substantive tests of details. If the evidence collected from

tests of control is sufficient, then the auditor will reduce the volume of

substantive analytical procedures and substantive detail testing.

8.7 Audit Documentation

8.7.1 Audit documentation is the auditor‟s principal record of the work

performed and the basis for the conclusions in the auditor‟s report. Sometime,

audit documentation is also described as “working papers” or “audit files”.

Audit documentation can be prepared and stored in hard copy format or soft

copy format in the computer.

Remaining SUBSTANTIVE

TESTS OF DETAILS

SUBSTANTIVE ANALAYTICAL

PROCEDURES

TESTS OF CONTROLS

RISK ASSURANCE PROCEDURES

20%

80%

95%

50%


8.7.2 Audit documentation or working papers serve 2 functions/objectives:-

1. As sufficient and appropriate record of the basis for the auditor‟s

report;

2. As evidence that the audit was performed in accordance with ISAs and

applicable legal and regulatory requirements.

8.7.3 The content of working papers is affected by:

1. Nature of engagement.

2. Form of the auditor‟s report.

3. Nature and complexity of the business.

4. Nature and condition of the entity‟s accounting and internal control

system.

5. Needs in the particular circumstances for directors, supervision and

review of work performed by audit staff.

6. Specific audit methods and techniques used in the auditing.

8.7.4 Benefits that the auditors will obtain from working papers.

1. Working papers can help in the supervision of the audit work. The

engagement partner needs to supervise the work delegated by him has

been properly performed. Hence, by asking audit staff to produce detailed

working papers, he is able to monitor the process of auditing.

2. Working papers will provide, for future reference details of audit

problems encountered.

3. Working papers serve as evidence of work performed and conclusions

drawn in order to form opinion. This can be invaluable sources of

evidence in the litigation case where the Court orders the auditor to

produce evidence.

4. Good working papers can help in planning and control the process of

auditing.


5. The preparation of working papers encourages the auditors to adopt a

high quality of auditing.

8.7.5 Ownership and custody of working papers. The working papers are the

auditor‟s property and should maintain the confidentiality and safe custody.

Confidential information concerning the client should not be released to a third

party without getting consent from the client. If the client requests for the

auditor‟s working papers, auditor may at his discretion to release the extraction

of the working papers.

8.7.6 Standardisation of working papers.

Usually the working papers used are standardised such as standard referencing,

sequence of papers, symbols, flowcharts, checklists for disclosure and cross-

referencing.

8.7.7 Benefits of using standardised working papers.

1. Improve the efficiency in preparation and review of audit work.

2. Help to instruct audit staff and facilitate the delegation of work.

3. Provide a mean to control the quality of auditing.

8.7.8 Benefits of using electronic automated working papers.

1. The risk of human errors may be reduced.

2. The working paper will be neater and easier to review.

3. Any adjustment can be made easily to all the working papers since

change of one figure will automatically be adjusted in other figure.

4. Hard copy of standard forms does not have to be carried to client‟s

premise.

5. Electronic working papers can be transmitted from client office to audit

partner in the audit firm for review via Internet.


8.7. 9 Audit files can be separated into 2 types:- (1) permanent audit file (PAF)

& (2) current audit file (CAF).

8.7.10 Permanent audit files (PAF) are used to:-

1. document information which is of recurring value regarding items

appearing in the financial statements such as equity, number of issued

shares etc.

2. document information of a permanent nature regarding the client‟s

business.

3. give audit staff who are new to the audit information regarding the

client‟s affairs and the nature of audit.

8.7.11 Information stored in the Permanent Audit File (PAF) includes:

Statutory regulations governing the company.

Memorandum and Articles of Association.

Letter of auditor engagement.

Trade licences, agreements, debenture deeds, guarantees, and etc.

Address of the registered office.

Organisation chart and responsibility of key personnel.

Organisation„s background information on history, principal activities,

share capital, types of businesses, subsidiaries.

Accounting policies used.

A list of the directors, company‟s bankers, solicitors, insurance

companies, and etc.

8.7.12 Current audit files (CAF) are audit files contain information relating

primarily to the audit of a single (current) period. The objectives of the current

audit file are to:

Provide a record of the work planned.

Detail the work performed including audit procedures performed,

information obtained and conclusion reached.

Enable the audit partner to review the audit.

8.7.13 Current Audit File (CAF) contains the following information:


A copy of the accounts being audited.

An index to the file.

Information related to the understanding of internal control and

assessment of risk including ICQ & ICEQ.

An audit program performed including audit work carried out, results of

the test, conclusion drawn from them.

A schedule for each item in the Statement of Financial Position such as

non-current assets schedule, current assets schedule, liability schedules

and equity schedule.

A checklist for compliance with statutory disclosure.

Working trial balance that links the amount in the financial statements to

the audit working papers.

Account analysis that analyse the activity of a particular account for the

period such as legal fees.

Account listing of items in an account such as a trade payable listing.


CHAPTER 9

AUDIT ON CASH AND BANK

________________________________________________________________

Learning Outcomes


Understand internal control on cash & bank system

Explain the audit of cash and bank balances.



9.1 Cash

9.1.1 Cash is reported in the financial statements under Cash and Bank Balance

or Cash and cash equivalents. Cash includes certificates of deposit, current

accounts and fixed deposits.

9.1.2 Cash and bank balances usually have high inherent risk and therefore are

normally a critical audit area due to the following reasons:

It is highly liquid and therefore susceptible to fraud.

Most of the business transactions go through cash and bank

Because of its residual nature, cash does not have a predictable

relationship with other financial statement accounts. As a result,

analytical procedures could not be used in the audit of cash and its

equivalent.

9.2 Types of bank accounts

9.2.1 Cash management is an important function in all organisations because

proper management of cash allows company to earn interest on excess of cash

and reduce the cost of borrowing. To maximise the cash position, an entity

implements procedures for fast collection of cash receipts and delaying the

payment of cash disbursement.

9.2.2 The following types of bank accounts are used by an entity to aid in

controlling cash:

General cash accounts

Imprest cash accounts

Branch accounts

9.2.3 General cash account

The general cash account is the principal cash account for most entities. The

major source of cash receipts for this account is revenue cycle. The major

sources of cash disbursements are purchasing cycle and payroll cycle. For many

small entities, this general cash account is the only cash account maintained in

the book.


9.2.4 Imprest cash account

An imprest bank account contains a stipulated amount of money and the

account is used for limited purposes such as distribution of payroll and petty

cash. For example, before the disbursement of wages and salaries, a cash

transfer is made from general cash account to the payroll account for the

amount of the net payroll. Then, wages and salaries are drawn from this

account. Use of imprest account such a payroll account can minimise the time

required to reconcile the general cash account.

9.2.5 Branch account

Companies that operate branches in multiple locations may maintain separate

account at local banks. This allows each branch to pay local expenses and to

maintain a banking relationship in the local community. For proper control, the

branch should be required to submit periodic cash reports to head office and the

entity‟s management should carefully monitor the cash balances in the branch

accounts.

General cash

account

Imprest

account (e.g.

payroll

account)

Cash Transfer

Salary


9.3 Risk areas, internal control objectives, internal control procedures and

test of control.

HEAD OFFICE

BRANCH 3 BRANCH 2 BRANCH 1

BRANCH

ACCOUNT

1. Risk Areas

2. Internal Control

Objectives

3. Internal control

procedure

4. Test of Control

Tests of control are to

ensure the internal

control procedures are

effective

Internal control

procedures are to

achieve the internal

control objectives

Internal control

objectives are to

address the risk areas


9.4 Cash Receipts Transactions

Risk area Internal

control

objectives

Internal control

procedures

Tests of control

Cash receipts

recorded but not

received or

deposit

Validity -Segregation of

duties between cash

receipts and

recording.

-Perform monthly

bank reconciliation

to tally the receipts

and recording.

-Observe and

evaluate the process

of segregation of

duty.

-Review monthly

bank reconciliation to

ensure no

unexplained item

exists.

Cash receipts

being stolen or

lost before

recording

Completeness -Reconcile daily

cash receipts with

posting to accounts

receivable

subsidiary ledger.

-Prepare and send

the customer /

receivable

statements

periodically basis.

-Any customer

complain should be

handled by an

independent party

-Testing of the

reconciliation of

daily cash receipts

with posting to

accounts receivable

ledger to ensure it is

completely recorded.

-Inquiry of client

personnel about

handling of monthly

statements and

examination of

resolution of

complaints.

Cash receipts are

recorded in the

wrong period

Timeliness Control procedures

must be in placed to

ensure cash receipts

should be deposited

on daily basis.

Examine the cash

receipts and agree to

the bank deposit

slips.

Cash discounts

are not properly

taken into

Authorisation Procedures should

be in place to

authorize cash

Select a sample of

cash receipts

transaction and


Risk area Internal

control

objectives

Internal control

procedures

Tests of control

account discount. examine the approval

of discount given.

Cash receipts

recorded at the

wrong amount

Valuation Reconcile the daily

remittance report to

control listing of

remittance advice.

Prepare monthly

bank reconciliation

and having

independent

review.

Review and testing of

reconciliation.

Cash receipts

recorded in the

wrong account

Classification Prepare a chart of

accounts to avoid

confusion.

Tracing of cash

receipts from listing

to cash receipts

journal for proper

classification.

Review of cash

receipts journal for

unusual items.

Cash receipts

posted to the

wrong

customer‟s

account.

Cash receipts are

not properly

posted to general

ledger accounts

Posting and

summarisation

Reconcile daily

remittance report

with postings to

cash receipts

journal and

accounts receivable

ledger.

Review the

monthly customer

statements and

complaints.


reconciliation; its IT

application, testing of

programmed controls

of posting.


client procedure for

mailing statements

and handling

complaints from

customers.


9.5 Cash Disbursement Transactions

Risk Areas Internal

control

objectives

Internal control

procedures

Test of controls

Cash

disbursement

recorded but not

made.

Validity -Proper segregation

of duty

-Supplier statements

independently

reviewed and

reconciled to

accounts payable

records.

-Prepare and review

monthly bank

reconciliations.

-Observe and

evaluate proper

segregation of duties.

-Review client‟s

procedures for

reconciliation vendor

statements.

-Review monthly

bank reconciliations

for indication of

independent review.

Cash

disbursement

made but not

recorded.

Completeness -Proper segregation

of duty.

-Accounting for the

numerical sequence

of cheques.

-Reconcile daily

cash disbursements

to account payables.

-Observe and

evaluate proper

segregation of duties.

-Review and test

client‟s procedures

for numerical

sequence of cheques;

if IT application, test

programmed

controls.

-Review procedures

for reconciliation of

daily cash

disbursement to

account payable.

Cash

disbursement

recorded in

wrong period.

Timeliness -Reconcile daily

cheques issued with

posting to the cash

disbursements

Review daily

reconciliation.


Risk Areas Internal

control

objectives

Internal control

procedures

Test of controls

journal and accounts

payable subsidiary

records

Cash

disbursement

not authorised.

Authorisation -Proper segregation

of duties.

-Cheques prepared

only after all source

documents have

been independently

approved.

-Evaluate the process

of segregation of

duty.

-Examine the

indication of

approval on

vouchers.

Cash

disbursement

recorded in

incorrect

amount.

Valuation -Reconcile the daily

cash disbursement to

cheques issued.

-Reconcile supplier

statements to

account payable

records and

independently

reviewed.

-Reconcile monthly

bank statements and

independently

reviewed.

-Review all the

reconciliations

including cash

reconciliation,

supplier statement

reconciliation and

bank reconciliation.

Cash

disbursement

charged to

wrong account.

Classification -Prepare a chart of

accounts.

-Having independent

approval and review

of general ledger

account on vouchers.

-Review cash

disbursement journal

for reasonableness of

account distribution.

-Review general

ledger account code

on voucher for

reasonableness.


Risk Areas Internal

control

objectives

Internal control

procedures

Test of controls

Cash

disbursement

posted to the

wrong supplier

account.

Cash

disbursements

journal not

summarized

properly or not

properly posted

to GL accounts

Posting &

Summarization

-Reconcile the

supplier statements

to account payable

and independently

reviewed.

-Agree the monthly

cash disbursements

journal to general

ledger posting.

-Reconcile account

payable to general

ledger control

account

-Review the

reconciliation.

-Review posting

from cash

disbursements

journal to the general

ledger.

-Review the

reconciliation.

9.6Substantive procedures for cash transactions

Audit Objectives Cash Receipts Cash Disbursement

Validity Trace a sample of entries in

the cash receipts journals to

remittance advices, receipts,

daily deposit slips and bank

statement to ensure all the

cash receipts are accounted

for.

Trace a sample of entries

from the cash disbursement

journal to voucher and bank

statement.

Examine a sample of

payment vouchers for

authorised signature and

proper approval to ensure all

the disbursements are valid.

Completeness Trace a sample of remittance

advices to cash receipts

journal and deposit slips to

ensure they are completely

recorded.

Trace a sample of payment

vouchers to the cash

disbursement journal to

ensure the payments are


Cut off Compare the dates for Compare the dates for a


Audit Objectives Cash Receipts Cash Disbursement

recording a sample of cash

receipt transactions in the

cash receipt journal with the

dates the cash was deposited

in the bank to ensure they are

recorded in the right

accounting period.

sample of cheque payments

from disbursement journal

with the dates the cheques

cleared in the bank

statement to ensure they are

recorded in the right

accounting period.

Accuracy Calculate cash receipts

journal and agree posting to

the general ledger to ensure

the accuracy of cash receipts.

Calculate cash

disbursements journal and

agree posting to the general

ledger to ensure the

accuracy of disbursement.

Valuation Compare a sample of

remittance advices with

amount in cash receipts

journal to ensure the amount

is tally.

Compare a sample of

cheque payments &

payment voucher with

amounts in the cash

disbursements journal to

ensure the amount is tally.

Classification Examine a sample of

remittance advice for proper

account classification.

Examine a sample of

payment vouchers for proper

account classification.

9.7 Substantive procedures for cash/bank balances

Audit objectives Audit procedures

Completeness,

validity &

accuracy

1. Obtain the cash and bank schedule from client and

ensure the opening balance is agree to the financial

statements and also ensure the closing balances are

agree to the trial balance.

Completeness,

validity &

accuracy

1. Perform analytical procedures and test reasonableness

of closing balances.

Cut-off,

Completeness,

validity &

accuracy

1. Obtain bank reconciliation prepared by client.

2. Ensure balances agree to the lead schedule.

3. Select long outstanding unpresented cheques and

uncredited deposit.


Audit objectives Audit procedures

4. For unpresented cheques, trace to the following

month bank statement and ensure they are cleared at

the year end.

5. For uncredited deposit, select deposit from bank

reconciliation and ensure it appear in bank statement

prior to year end.

Completeness,

validity &

accuracy

1. Obtain direct confirmation from bank on the bank

account balance as well as name of account number,

balances of account, bank loan, any credit facilities

and charges of assets.

Completeness,

validity &

accuracy

1. Discuss with management on the reason for opening

new account and closure of account.

2. Discuss with management on the new facilities or

credit applied for the bank account.

Cut-off 1. Scrutinise the cash book and bank statement before

and after Statement of Financial Position date for

exceptional entries and transfers which have material

effect on the balance.

Ownership 1. Review BOD minutes and loan agreement.

2. Identify whether any account i secured on assets of

the company.

3. Determine whether the bank accounts are subject to

any restrictions.

4. Consider legal right of set off of overdraft against

positive bank balance.

Presentation and

disclosure

1. Investigate any unusual or large payments to related

parties.

2. Evaluate financial statement presentation.


9.8 Auditing the cash account

9.8.1 To audit a cash account, the auditor should obtain the following

documents:-

A copy of the bank reconciliation.

A standard letter request information from the bank (also known as bank

confirmation letter)

Bank statements.

9.8.2 Bank reconciliation working paper. Auditor will normally obtain a copy

of the bank reconciliation prepared by the client. The working paper reconciles

the balance per the bank with the balance as per the book. The major

reconciliation items are deposit in transit, outstanding cheques and other

adjustment such as bank charges and interest.

9.8.3 Bank confirmation letter. The auditor will send a letter to all the banks

that the client is dealing with. The bank confirmation is a reliable third party

confirmation. The objective of getting bank confirmation is to ascertain the

existence and amount of balance / liabilities; the existence, ownership and

proper custody of assets.

9.8.4 The procedures of getting bank confirmation are as follows:

a) Auditor must obtain an authorization letter from the client to permit their

banks to release / disclose information concerning audit to the auditor.

b) The request should be sent to the bank‟s branch manager stating both the

client‟s year end date.

c) The auditor must follow up the bank response and review all the

information released by the bank.

9.8.5 Tests of the bank reconciliation that prepared by client.

The auditor uses the following audit procedures to test the bank reconciliation:

1. Test the mathematical accuracy of the bank reconciliation working paper

and agree the balance per the book to the general ledger.

2. Agree the bank balance on the bank reconciliation with the balance

shown on the bank confirmation. The balance should correspond to the

balance per bank statement at the end of the period.


3. Trace the deposits in transit on the bank reconciliation to subsequent bank

statements. Any deposit in transit shown on the bank reconciliation

should be listed as a deposit shortly after the end of the period.

4. Compare the outstanding cheques on the bank reconciliation working

paper with the cheques cleared contained in the subsequent bank

statement for cheque number, date and amount. The auditor should ensure

that no cheques dated prior to the financial year end are included with the

subsequent bank statements that are not included as outstanding cheques

on the bank reconciliation.

5. Agree any charge included on the bank statement to the bank

reconciliation. These bank charges may result in an adjustment to the

client‟s book.

6. Agree the adjusted book balance to the cash account lead schedule. The

adjusted book balance would be part of the amount included in the

financial statements for cash.

9.8.6 Fraud related audit procedures for cash

In the event that auditor suspects that some form of fraud involving cash has

occurred, the auditor should extend the normal audit procedures for cash

transactions and balances. Three audit procedures can be used to detect

fraudulent activities in the cash account are:

Extended bank reconciliation procedures. Auditor will extend the coverage

period to investigate the outstanding cheques and have a detailed examination

of the outstanding items.

Proof of cash. Reconcile the receipts and payments in the cash book with bank

statement for a specific period to ensure all the transactions in the cash book and

bank statement agreed and no transactions have been omitted from the book

Tests of kiting. When cash has been stolen by an employee, it is possible to

cover the cash shortage by following a practice known as kiting. This involves

an employee covering the cash shortage by transferring money from one bank

account to another and recording the transactions improperly in the entity‟s

book. Test of kiting involves the preparation of an inter bank transfer schedule

to ensure proper cut off for the cash transactions.


9.8.7 Auditing a petty cash fund

Control procedures for petty cash

1. A petty cash fund should be maintained on an imprest basis by an

independent petty cash cashier.

2. Pre-numbered petty cash vouchers should be used for withdrawal of

cash from the fund and a limit should be placed on the size of

reimbursements made from petty cash.

3. Accounts payable clerk should review the vouchers of payment before

replenishing the petty cash fund.

4. Surprise cash count should be conducted by an independent officer.

Audit tests for petty cash

1. The auditor should gain understanding of the client‟s control

procedures over petty cash to assess the adequacy which in turn

determine the nature and extent of the auditor‟ work.

2. The auditor should focus on both the transactions processed through

the fund during the period and the balance in the fund.

3. The auditor selects a sample of petty cash reimbursements and

examines the particulars of payments.

4. The auditor should test count the physical cash to ensure it is tally to

the petty cash book balance.


CHAPTER 10

AUDIT ON PROPERTY, PLANT AND EQUIPMENT

________________________________________________________________



Develop an understanding of the management process for property,

plant and equipment.

Understand the internal control on property, plant and equipment

Audit of Property, Plant & Equipment.



10.1 Auditing property, plant and equipment (PPE)

10.1.1 For most business entities, property, plant and equipment often represent

a material portion of the total assets and hence they are significant in the


10.1.2 If the client is a small entity with a few asset acquisitions during the

period, it is more cost effective for the auditor to follow a substantive strategy.

Following this strategy, the auditor conducts substantive analytical procedures

and substantive test of the account balances.

10.1.3 For large entities are likely to have formal capital budgeting procedures

for authorisation and purchasing non-current assets. While routine purchase

might be processed through the purchase cycle, acquisition or construction of

specialized property, plant and equipment may be subject to different

requisition and authorization procedures. When the entity has a formal control

system over non-current assets, the auditor may follow a reliance strategy and

test the internal control.

10.2 Types of transactions

10.2.1 Four types of PPE transactions may occur:

Acquisition of non-current assets for cash or other non-monetary

considerations.

Disposal of non-current assets through sale, exchange, retirement or

abandonment.

Depreciation of non-current assets over their useful economic life.

Leasing of non-current assets.

10.3 Inherent risk assessment of PPE

10.3.1 The assessment of inherent risk for the purchasing cycle provides a

starting point for assessing inherent risk for PPE. The reasons for auditor focus

on PPE due to the following three inherent risk factors:


Complex accounting issues. FRS 116 sets the standards for the

accounting treatment of PPE. Some of the PPE transactions can give rise

to complex accounting issues, for example, lease accounting, self

constructed assets and capitalisation of interest.

Difficult to audit transactions. When assets are purchased directly from

suppliers, initial measurement of costs can be verified by examining the

invoice and purchase contracts. However, the transactions involving

donated assets, non monetary exchanges and self constructed assets are

more difficult to audit.

Misstatements detected in prior audits. If the auditor has detected

misstatements in prior audits, the assessment of inherent risk should be

set higher than if few or no misstatements have been found in the past.

10.3.2 Due to the complexity of PPE transactions as mentioned above, a non

current asset register will be maintained. The advantages of maintaining

non-current asset register are

Complete information for each PPE such as description, location

and serial number, date of purchase, installation cost, depreciation

method, residual value and estimated useful economic life are


Any addition or disposal of PPE could be easily identified and

managed.

It facilitates the calculation of depreciation or amortization.

10.4 Control risk assessment- PPE

10.4.1 The following are the major 4 internal control objectives, control

procedures and test of control for PPE.

Control

Objectives

Control procedures Test of Control

1.Occurrence 1. The purchase of PPE

must pass through a

specific capital

budgeting process

which should require

Analytical review

1. General review

between current and

prior year figures to


Control

Objectives


higher approval

authority.

2. Review of supplier‟s

invoices to satisfy the

assertion of occurrence.

ascertain any

unexplained

differences

2. Review of sensitive

codes in the general

ledger such as repairs

or maintenance

2.Authorisation

Purchase

requisitions are

initiated in relevant

departments and

authorized at the

appropriate level

within the entity.

1. Internal control

procedures should be in

place to ensure that the

authorisation to

purchase PPE is

consistent with the

authorization.

2. Control procedures

must be in place for

authorising the sale or

disposal of non- current

assets.

3. All major maintenance

or improvement

transactions should be

properly authorised by

an appropriate level of

management.

1. Discuss the level of

capital purchases in

the year with the

purchasing manager

2. Review the board

minutes for

authorisation of

capital

purchases

3.Completeness

The detailed PPE

ledger should

includes complete

information for

each PPE such as

description,

location and serial

number, date of

purchase,

1. Perform monthly

reconciliation of the

PPE subsidiary ledger

to general ledger

control account.

2. Periodically compare

the details recorded in

PPE subsidiary ledger

with the existence of

physical assets. Obtain

1. Review of the

movements on the

non-current asset

codes

2. Compare budgeted

capital purchases with

actual capital

purchases


Control

Objectives


installation cost,

depreciation

method, residual

value and

estimated useful

economic life.

or prepare a summary

of tangible non-current

assets showing how

gross book value,

accumulated

depreciation, and net

book value reconcile

with the opening

position.

3. Compare non-current

assets in the general

ledger with the non-

current assets register

and obtain explanations

for differences.

4. Check whether assets

which physically exist

are recorded in non-

current asset register.

5. If a non-current asset

register is not kept,

obtain a schedule

showing the original

costs and present

depreciated value of

major non-current

assets.

6. Reconcile the schedule

of non-current assets

with the general

ledger.


4. Segregation of duty. The existence of adequate segregation of duties for

PPE within an entity depends on the volume and significance of the

transaction processed. The table below shows the key segregation of

duties for PPE transactions and possible errors/fraud resulting from

conflict of duties.

Segregation of duties

Possible Errors/Fraud Resulting from

Conflict of Duties

The initiation function should be

segregated from final approval

function to avoid unauthorised or

unnecessary purchase

If one individual is responsible for

initiating a PPE transaction and also has

authority to approve the transaction, it is

likely unauthorised purchases of assets

can occur. This can result in purchase of

unnecessary assets that do not meet the

company‟s quality control standards; or

illegal payments to supplier or contractors.

The PPE records function should

be segregated from the general

ledger function.

If an individual is responsible for the PPE

records and also for the general ledger

functions, that individual can conceal any

defalcation that would normally be

detected by reconciling subsidiary records

with the GL control account.

The PPE records function should

be segregated from the custodial

function.

If an individual is responsible for the PPE

records and also has custodial

responsibility for the related assets, tools

and equipment can be stolen and the theft

can be concealed by adjustment of the

accounting records.

If a periodic physical inventory of

PPE is taken, the individual

responsible for the inventory

should be independent of the

custodial and record keeping

functions.

If an individual who is responsible for the

periodic physical inventory of PPE is also

responsible for the custodial and record

keeping functions, theft of the entity‟s

physical assets can be concealed.


10.5 Substantive procedures for PPE

10.5.1 Analytical procedures

Compare prior year balances in PPE and depreciation charges with

current year balances after consideration of any changes in conditions or

asset composition.

Example 20x9 compared to 20x8

Property, plant & equipment (o/s) xxx yyy

Depreciation charged xxx yyy

Compute the ratio of depreciation charges to the related PPE account and

comparison to prior years‟ ratios.


Depreciation / PPE x ratio y ratio

Compute the ratio of repairs and maintenance expense to the related PPE

account and comparison to prior years‟ ratios.


Repair & maintenance expense/PPE x ratio y

ratio

Compute the ratio of insurance expense to the related PPE account and

comparison to prior years‟ ratio.


Insurance expense/PPE x ratio y ratio

Review capital budgets and comparison of the amounts spent with

amounts budgeted.

Example: Compare actual expense on PPE to budgeted amount.


10.5.2 Substantive procedures for testing transaction- PPE

Assertions about

classes of

transactions

(Objective of

procedure)

Substantive procedures

Occurrence 1. Vouch significant additions and disposals to

vendor invoices or other supporting documents.

2. Review lease agreements to ensure that lease

transactions are accounted for properly.

Completeness 1. Trace a sample of purchase requisitions to

loading dock reports and to the PPE records i.e.

transaction and master file.

2. Vouch a sample of PPE additions to

documentation indicating proper authorisation.

Accuracy 1. For assets written off, test amounts charged

against income and accumulated depreciation.

Cut-off 1. Examine the purchases /sales of capital assets

for a few days before and after year end.

2. Inquiry of client personnel and a review of lease

transactions for the same period can provide

evidence on proper cut off for leases.

Classification 1. Vouch transactions included in repairs and

maintenance for items that should be recognised

as PPE.

2. Review lease transactions for proper

classification between operating and finance

leases.


10.5.3 Substantive procedures for testing account balances- PPE

Assertions about

account balances

(Objective of

procedures)

Substantive procedures

Existence 1. Verify the existence of major additions by

physically examining the property, plant &

equipment.

2. Confirm that the company physically inspects

all items in the non-current asset register each

year

3. Inspect assets, concentrating on high value

items and additions in year. Confirm items

inspected exist, are in use, are in good condition

and have correct serial numbers

4. Review records of income yielding assets

5. Reconcile opening and closing vehicles by

numbers as well as amounts

Rights and obligations 1. Examine or confirm deeds or title documents for

proof of ownership.

Completeness 1. Obtain a lead schedule of property, plant &

equipment and agree the total to the general

ledger.

2. Obtain detailed schedules for additions and

disposals of PPE and agree the amount to total

shown on lead schedule.

3. Physically examine a sample of capital assets

and trace them into the PPE subsidiary ledger.

Valuation & allocation 1. Evaluate fixed assets for significant write off by

performing the following procedures:

Identify the event or change in circumstance

indicating that the carrying value of the asset

may not be recovered.

Verify written off loss by determining the sum

of expected future cash flows and comparing

that sum to the carrying value.

Examine entity‟s document supporting such as

directors‟ minutes on the written off.


10.5.4 Audit procedures in respect of additions, disposal and self constructed

assets-PPE.

Audit procedures

Additions of assets

(Assertions are to

confirm rights and

obligation, valuation

and completeness)

1. Verify additions by inspection of architects‟

certificates, solicitors‟ completion statements,

suppliers‟ invoice etc.

2. Check capitalisation of expenditure is correct by

considering for non-current assets additions and

items in relevant expense categories. For

example, capital or revenue must be distinctively

differentiated. Capitalisation must be

consistently applied.

3. Check purchases have been properly allocated to

correct non-current asset accounts.

4. Check purchases have been authorised by

directors/senior management.

5. Check additions have recorded in PPE

subsidiary ledger and general ledger.

6. Agree the addition of PPE to the supplier‟s

invoices or purchase agreement to ensure the

accuracy and validity of transaction.

Self-constructed assets

1. Verify material and labour costs and overheads

to invoices, wage records etc.

2. Ensure expenditure has been analysed correctly

and properly charged to capital.

3. Check no profit element has included in costs.

Disposals

Assertions are to

confirm rights and

obligations, valuation

and completeness)

1. Verify disposals with supporting documentation,

checking transfer of title, sales price and dates of

completion and payment.

2. Check calculation of profit or loss.

3. Check that disposals have been authorized.

4. Consider whether proceeds are reasonable.

5. If the property was used as security, ensure

release from security has been correctly made.

6. For significant disposals, consider impact upon

other areas of business and whether disposal

should be disclosed.


10.5.5 Evaluating the audit finding- PPE.

If the aggregate likely misstatement is less than the tolerable misstatement, the

evidence indicates that the PPE accounts are not materially misstated.

If the likely misstatement were greater than tolerable misstatement, the auditor

would either require adjustment to the accounts or issue a qualified auditor‟s

report.


CHAPTER 11

COMPUTER IN AUDITING

________________________________________________________________



Understand the effect of IT on elements of control environment and

control procedures

Understand the meaning and importance of general controls in an IT

environment.

Learn the audit process in an IT environment.

Understand the concept of CAAT.

Reference Text: Auditing and Assurance in Malaysia- Chapter 7


11.1 The effect of information technology on internal control components

11.1.1 The usage of IT can affect any 5 components of internal control. The

information system in an IT environment includes computer hardware,

software, automated controls and procedures, and data in electronic format.

11.1.2 There are potential benefits to an entity‟s internal control arising from

using the IT. The potential benefits of IT on internal control include:-

Consistent application of predefined business rules and performance of

complex calculations in processing large volume of transactions or data.

Enhancement of the timeliness, availability and accuracy of information.

Facilitation of additional analysis of information.

Enhancement of the ability to monitor the performance of the entity‟s

activities and its policies and procedures.

Reduction in the risk that controls will be circumvented.

Enhancement of the ability to achieve effective segregation of duties by

implementing security controls in applications, databases and operating

system.

11.1.3 The potential risks of usage of IT to internal control include:

Reliance on systems or programmes that inaccurately process data,

process the wrong data or both.

Unauthorised access to data that may result in destruction of data or

improper changes to data, including the recording of unauthorised or non-

existent transactions or inaccurate recording of transactions.

Unauthorized changes to data in master files.

Unauthorized changes to systems or programmes by unauthorized person.

Failure to make necessary changes to systems or programmes when

control environment has changed.

Inappropriate manual intervention / override by management.

Potential loss of data if non protection (or firewall) is in place on the

database.

11.1.4 The effects of IT on an organisation‟s internal controls are:

IT affects all the factors that affect the control environment.

IT affects the business risks that influence the achievement of entity

objectives.


It affects the control procedures that ensure management‟s directives are

carried out.

IT affects the information and communication requirement

It affects the monitoring activities.

11.1.5 The control environment factors and control procedures affected by IT

are:

11.1.5.1 Control environment factors

Assignment of authority and responsibility. A clear line of authority and

responsibility is important so that the entity is able to achieve its

objectives.

Human resource policies and practices. It is important to have personnel

who possess the skills and expertise needed to oversee and operate the

information system.

11.1.5.2 Control procedures

Information processing. Two areas in which control procedures can be

affected by the use of IT in processing are (1) authorisation of

transactions; and (2) the keeping of adequate documents and records.

Proper segregation of duties. In an IT environment, the programmes

within the system may assume the responsibilities of all the functions

relating to the initiation, authorisation and recording of transactions as

well as the custody of assets.

Physical controls. Physical control over the computer terminals and

access the database must be protected against unauthorised access and

stealing the private information. Entity should have a disaster recovery

plan including backup copies of programme and storage of database in

different locations.


11.2 Types of controls in an IT environment

There are 2 broad categories of information systems control procedures: (i)

General controls; (ii) Application controls.

Category 1- General Controls

i. General controls are related to the overall information processing

environment and have pervasive effect on the entity‟s computer

operations. It relates to the overall environment within which

computer base accounting systems are developed, maintained and

operated to all the applications. General controls are sometimes

referred to as supervisory, management or information technology

controls.

Objective: General controls are to ensure proper development and

implement of applications and the integrity of programme and data files

and of computer operations. General controls can be either manual or

programmed. [Manual control means control procedures are performed

by personnel; programmed control procedures are executed by computer

software].

General controls include controls over:

(i) Data Centre and Network Operations Controls include controls

over computer and network operations, data preparation, work flow

control and library function control. It prevents unauthorised access

to the network programs, files and systems documentation by

computer operators. The operating system log should record all the

computing activities.

(ii) System software acquisition, change and maintenance; systems

software are the computer programmes that control the computer

functions and the application programmes to run. Any installation,

change or modification of software must be controlled.

(iii) Access security; Security and access controls are

Restricting access to computers to authorised users only such as

locked doors, authorized cards.


Password to restrict access to programmes and data files.

Logging or trail to record and monitor access to computer files and

programmes.

Secure storage of backup data in a safe and separate location.

(iv) Application system acquisition, development and maintenance.

Policies and procedures for planning, acquiring or developing and

implementing new systems should be controlled.

Category 2- Application Controls.

Application controls apply to the processing of individual accountings,

such as sales or payroll and help ensure the completeness and accuracy of

transaction processing, authorisation and validity. It applies to the

processing of individual accounting applications such as payroll or sales

system

Objective: Application controls are to ensure the completeness and

accuracy of the accounting records and validity of the entries made

therein resulting from both manual and programmed processing.

Application controls cover the following

(i) Data Capture Controls. Data capture controls must ensure that all

transactions are recorded in the application system; transactions are

recorded only once (it means no double recording) and any rejected

transactions are identified, controlled, corrected and re-entered into

the system. Therefore data capture controls are concerned the

assertions of occurrence, completeness and accuracy. Batch

processing procedures should be used to control the data capture.

[Batch processing is an input and processing method whereby data

are accumulated by classes of transactions and are entered and

process in batches.]

(ii) Data Validation Controls. Data can be validated for its existence

and accuracy by the following controls.


Limit test. A test to ensure that a numerical value does not

exceed some predetermined value, such as “Not exceeding

RM1,000-00.”

Range test. A check to ensure that the value in a field falls

with an allowable range of value; such as “Between 1 to 10

units”

Sequence check. A check to determine if input data are in

proper numerical or alphabetical sequence; such as “#20001,

20002, 20003....... 20009”

Existence test. A test of an account number or account code

by comparison to a file or table containing valid account

number or code. For example, Account code for receivables

“D10020”, Account code for credit sale “A10010”

Field test. A check on a field to ensure that it contains either

all numerical or alphabetic character. For example,

units.

Sign test. A check to ensure that the data in a field have the

proper arithmetic sign. For example, decimal point

Check digit verification. A numeric value computed to

provide assurance that the original value was not altered.

(iii) Processing Controls. These are the controls that ensure a proper

processing of transactions. For example, file labels control

whereby internal and external file labels should be assigned.

(iv) Output Controls. Outputs are reports and printed documentation.

Only authorized persons would be able to access the reports.

(v) Error Controls. Errors can be identified at any point in the

system. Once the errors are identified, they should be corrected

immediately.

11.3 The audit process in an IT environment

11.3.1 The auditor‟s understanding of the entity‟s internal control information

system must include the following issues:

The extent to which IT is used in each significant accounting application.

The complexity of the entity‟s IT applications and operations.

20

21. 19


The organisational structure of the IT processing activities.

The availability of data for audit evidence.

11.3.2 Low complexity system. A low complexity system would be composed

of a stand-alone PC or a small network of computers. In a low complexity

system environment, auditor will concern the manual control elements in the

information processing rather than control over computer programme.

Two types of audit approach in an IT environment.

i. Audit around the computer: it is concerning only the input and

output

ii. Audit through the computer: it is concerning about the input,

output and also the processing routines of the computer.

11.3.3 Advanced system. Advanced systems comprise the mixture of online,

real time processing, extensive database system, distributed data processing,

electronic data interchange (EDI) and e-commerce.

11.3.4 Depth of understanding of internal control. When the entity‟s

information system becomes more complex with the use of IT, the auditor may

need to devote more effort to understanding internal control in order to conduct

tests of control and substantive procedures.

11.3.5 The use of IT specialist. In the advanced IT environment where auditor is

lack of expertise in the IT knowledge, auditor may seek the assistance from the

IT specialist to test the control system and collect the audit evidence.

11.3.6 The use of IT can provide an audit trail for the purpose of auditing. Audit

trail is a chain of evidence provided by documentation or other cross

referencing that connects account balances and other summary results with

original transaction data.

11.4 Computer Assisted Audit Techniques (CAATs)

11.4.1 CAATs are techniques that involve the auditor using the computer in the

performance of the audit. They include the use of test data and computer

software to test an entity‟s files and databases. Test data is the auditor created

simulated transaction data to be used for testing the control system.


11.4.2 CAATs may be used by the auditor to execute substantive procedures or

in testing application controls. An auditor would find it necessary to use CAATs

in advanced IT systems when the validation and processing controls for routine

transaction are embedded in the application programmes. Use of CAATs for

substantive procedures may be efficient when the entity‟s data files are

maintained in software format.

11.4.3 In determining whether to use CAATs, the auditor should consider the

following factors (or factors influencing the choice between CAATs and manual

technique):

The IT knowledge, expertise and experience of the auditor in IT.

The availability of CAATs

The availability of computer facilities and data.

The impracticality of manual test.

The effectiveness and efficiency of using CAATs.

The timing of applying CAATs.

11.4.4 The common audit procedures that can be performed with CAATs

include substantive procedures for transactions and balances, analytical

procedures and tests of controls.

11.4.5 Advantages of CAATs to the auditor

In a computer based system the large volume of transactions is

likely to force the auditor to rely upon programmed controls.

CAATs are likely to be the only effective way of testing

programmed controls.

CAATs are able to audit a large volume of items quickly and

accurately and therefore increase the assurance.

CAATs enable the auditor to test the accounting system and its

records in the soft copy rather than relying on testing printouts

which can easily amended by client.

Once CAATs are set up, it will be cost effective way of

obtaining audit evidence.


The results of CAATs can be used to compare the traditional

clerical audit work to increase the auditor confidence.

11.4.5 Major steps in applying CAATs

o Set the objective of the CAATs application;

o Identify the specific files or database to be examined;

o Determine the accessibility of the entity‟s files;

o Define the specific tests or procedures and related transactions

and

balances affected;

o Define output requirements;

o Identify the personnel who will participate in the application of

the

o CAATs.

o Ensure the use of CAATs is properly controlled and

documented;

o Reconcile data to be used for the CAAT with the accounting

records;

o Evaluate the results after execution of the CAAT application.

ABFA 3114 Principle of Audit

Documents

Transcript of ABFA 3114 Principle of Audit