Audit and Internal review Assurance engagement: Is one where a professional accountant evaluates or measures a subject matter that is the responsibility of another party against suitable criteria, and expresses an opinion which provides the intended user with a level of assurance about the subject matter. An assurance engagement means an engagement in which the practitioner expresses a conclusion designed to enhance the degree of confidence of the intended user other than the responsible party about the outcome of the evaluation or measurement of a subject matter against criteria. Types of assurance engagements: 1. engagements intended to provide high or moderate levels of assurance 2. engagements to report internally and externally 3. engagements in the private or public sector Levels of Assurance: Auditing nature of service Comparative level of assurance provided Report provided
Related services
Audit
Review
High, but not absolute assurance
moderate assurance
Agreed upon compilation porcedures No assurance No assurance
Positive Negative Factual assurance on assurance on findings of assertion(s) assertion(s) procedures
Identification of info compiled
Audit engagement: The objective of an audit of F/S is to enable the auditor to express an opinion whether the F/S are prepared, in all material respects, in accordance with an identified financial reporting framework. Review engagement: The review engagement enables an auditor to state whether, on the basis of procedures which do not provide all the evidence that would be required in an audit, anything that has come to the auditor’s attention that causes the auditor to believe that the financial statements are not prepared, in all
material aspects, in accordance with an identified financial reporting framework. Agreed-upon procedures: The auditor simply provides a report of the actual findings, so no assurance expressed. Users of the report must instead judge for themselves the auditor’s procedures and findings, and draw their own conclusions from the auditor’s work. Compilation engagement: Users of the compiled information gain some benefit from the accountant’s (as opposed to auditor’s) involvement, but no assurance is expressed on report. Positive and Negative assurance: Positive: in giving this, an accountant reports that financial statements do give true and fair view. Negative: an accountant reports that nothing has come to his attention to suggest that the financial statements do not give a true and fair view.
Advantages of an Audit: The need for an external audit arises primarily when the ownership and management of an enterprise are separated. There are however, certain inherent advantages in having financial statements audited even when no statutory requirement exists for such an audit. • Disputes between management may be more easily settled. • Major changes in ownership may be facilitated if past accounts contain an unqualified audit report.
• Applications to third parties for finance may be enhanced by audited accounts. • The audit is likely to involve an in-depth examination of the business so may enable the auditor to give constructive advice to management on improving the efficiency of the business. Disadvantages of an audit: • The audit fee. Unless required by local statute, it is unlikely that many businesses would like to have their accounts audited. • The audit involves the client’s staff and management in giving time to providing information to the auditor. A professional auditor should therefore plan his audit carefully to minimize disruption which his work will cause. Differences between internal and external audit: Internal auditing External auditing Objectives Means of advising the To provide an opinion on organization, as to whether its whether the financial systems are running soundly. statements provide a true and fair view of the org. Legal basis No legal basis, although it is Usually a requirement advised that company should imposed by statute. For have regular internal audits. larger ltd and public comp. Scope Operational and financial Financial focus Approach Risk based Increasingly risk based Assess risks Evaluate internal control make recommendations for improvements Responsibilit Advice and recommend Form an opinion y The Scope of External Audit Chronology of an Audit: • Determine audit approach 1. Determine scope of audit. 2. The scope is already laid out by legislation for statutory audits.
3. Prepare an audit plan and file it. • Ascertain the system and controls 1. Determine the flow of documents and extent of controls in existence in the client’s system. 2. Prepare a comprehensive record of the system to facilitate evaluation of the systems. The records may be in various formats e.g. charts, narrative notes, internal control questionnaire and flow charts. 3. Confirm the system recorded is the same as that in operation. • Assess the system and internal controls Evaluate the systems to gauge their reliability and formulate a basis for testing heir effectiveness in practice. • Test the system and internal controls These tests should only be carried out if the controls in the previous stage are evaluated as effective. 1. Testing of controls 2. If controls are strong, then the records should be reliable and the amount of detailed testing is reduced, otherwise more substantive testing is required. • Test the financial statements 1. Substantiating the figures given in the final financial statements. 2. these also serve to assess the effect of errors. • Review the financial statements 1. Substantiating the figures given in the financial statements. 2. These also serve to assess the effect of errors, should they exist. • Express an opinion 1. Evaluate the evidence obtained and express opinion to members in the form of an audit report. 2. The final report to management is an important end product of an audit.
3. The purpose of it is to make further suggestions for improvements in the system and to place on record specific opinion points in connection with the audit and the accounts. CHAPTER 4: INTERNAL AUDIT AND INTERNAL REVIEW 1 Corporate governance: Corporate governance is the set of processes, customs, policies and laws affecting the way a corporation is directed, administered or controlled. • Corporate governance spells out the rules and procedures for making decisions on corporate affairs. It also provides structure through which the company objectives are set, as well as the means of attaining and monitoring the performance of those objectives. • It is used to monitor whether outcomes are in accordance with plans; and to motivate the organization to be more fully informed in order to maintain or alter organizational activity. Why have corporate governance? In organizations, shareholders delegate decision rights to the manager to act in their best interest. This separation of ownership from control implies a loss of effective control by shareholders over managerial decisions. As a result a system of corporate governance is implemented to assist in aligning the incentives of shareholders with mangers, in order to limit the selfsatisfying opportunities of managers. A key factor in an individual’s decision to participate in an organization is trust that they will receive a fair share of the organizational returns. If some parties are receiving more than their fair return, then participants may choose to not continue participating, potentially leading to organizational collapse. Corporate governance is the key mechanism through which this trust is maintained across all stakeholders. PRINCIPALS OF CORPORATE GOVERNANCE: 1. Rights and Equitable treatment of shareholders: organizations should
respect the rights of shareholders and help shareholders to exercise those rights by communicating information that is understandable and
accessible. The corporate governance framework should ensure the equitable treatment of all shareholders, including minority. 2. Role and responsibilities of the board: the board needs to be of
sufficient size and accommodate a range of skills to be able to deal with various business issues. It should review and challenge management performance and its commitment towards fulfilling roles and responsibilities. 3. Integrity and ethical behavior: organizations should develop a code of
conduct of their directors and executives that promotes ethical and responsible decision making. It is important to understand, though, that systematic reliance on integrity and ethics is bound to eventual failure. 4. Disclosure and transparency: the corporate governance framework
should ensure that all material matters are disclosed. Implementation of procedures to safeguard the integrity of the company’s financial reporting should be undertaken. 5. The role of stakeholders in corporate governance: organizations
should realize that they have legal and other obligations to all legitimate stakeholders. Auditor’s communication with those involved in corporate governance: The auditor should first clearly identify those charged with governance, if for some reason he is unable to do so, then that should be addressed in the engagement letter. It is left to the auditor to decide what should be communicated. These include: • The general approach and scope of the audit, including any limitations or requirements. • The selection of or changes in, significant accounting policies and practices that have, or could have, a material effect on the entity’s financial statements. • Any disclosures that might need to be made, having potential effect on the F/S. • Material uncertainties related to events that may case significant doubt on the entity’s ability to continue as a going concern. • Disagreements with management about matters that could be significant to the auditor’s report.
• Expected modifications to the auditor’s report. Any other matter that the auditor deems worthy of a report should be raised. AUDIT COMMITTEE: • Is a committee of the board of directors, consisting of three to five directors with no operating responsibility in the financial management. It primarily consists of non-executive directors who are able to view the company’s affairs in a detached and independent manner. • Their primary function is to assist the board to fulfill its managing responsibilities by reviewing the systems of internal control, the audit process and the financial information which is provided to shareholders. AUDIT COMMITTEE ROLES: i. To monitor the integrity of the financial statements. ii. To review the company’s internal control functions & internal control and risk management systems (unless addressed to a separate board risk committee). iii. To monitor and review the internal audit function. iv. To make recommendations in relation to appointments of external auditors and to approve the remuneration and terms of engagement of the external auditor. v. To review the effectiveness of the audit process & the independence and objectivity of the auditor. vi. To report to the Board, identifying any matters in respect of which it considers that action or improvement is needed. Advantages: i. Increasing public confidence in the credibility and objectivity of published financial information. ii. Assisting directors in meeting their responsibilities in respect of financial reporting. iii. Strengthening the independent position of a company’s external auditor by providing an additional channel of communication. Leading to better communication between the directors, external auditors and management. Disadvantages: i. Fear that their purpose is to catch management out. ii. Non-executive directors being over burdened.
iii.
A two-tier board of directors, making it difficult and cumbersome to administer. iv. There is an additional cost to the company in terms of money and time involved. The two-tier board of directors: This consists of executive directors who take part in the day to day management of the company, & non-executive directors who act as a corporate conscience, over viewing the functions of the board. Along with a supervisory board made up of representatives of employees and investors. This type of structure is problematic in two ways: 1. The non-executive directors lose a lot of credibility if they condone any misbehavior on the part of the company. The expectation is that the nonexecutive directors will either restrain any proposals that are unacceptable or they will resign. 2. The supervisory board is referred to for major decision approvals, however this is not entirely true. The supervisory board is too often illinformed or informed too late of major decisions (often after they have been implemented). Also, investors and other stakeholders are often reluctant to discuss many key issues in the presence of employees’ representatives. INTERNAL AUDIT AND CORPORATE GOVERNANCE: Corporate governance mirrors itself upon internal auditing. Internal auditing has converted from purely accountancy type auditing to operational controlling. Companies now have an internal audit function to provide the board with much of the assurance it requires regarding the effectiveness of the system of internal control. An internal control system is concerned with the following areas: • Risk requirements • The nature and extent of the risks regarded as acceptable • The threat of such risks realizing • The ability to reduce their incidence and impact if risks arise • Costs and benefits relating to operating relevant controls
OUTSOURCING OF INTERNAL AUDIT FUNCTION: The mere pressure of providing ‘best value’ and to adopt competitive tendering has resulted in companies looking toward outsourcing. Advantages: 1. Quick provision of professional services by a professional firm. 2. Better quality of service as the personnel working at outsourcer are expected to have wider experience of all sectors of industry market. 3. Reduces the risk of high turnover or loss of staff from the internal audit department. 4. Skills required for only a short time each year can be provided without incurring excessive costs of maintaining an in-house expertise. 5. With a professional outsourced department, less management time is required on internal audit, e.g. in appraisals, training and development. 6. The relationship with the outsourcer is contracted and can be revoked at any point of time. In other words, the contract is flexible to extend or terminate. Disadvantages: 1. Conflict of interest may arise if the outsourced internal audit service is being provided by the external auditors. 2. Outsourcing charges might not prove cost effective. 3. Exit routes must be defined with the outsourcer. 4. There is a risk of lack of knowledge or awareness of the organizational objectives. 5. An outsourced department may not be able to provide the same flexibility or ready staff available. 6. Company might lose strategic or sensitive info, as internal audits will have access to all the info of the company and might lose competitive edge if internal auditing would disclose the info to other clients of the outsourcing firm. Procedures of outsourcing: Certain procedures should be carried out to minimize the risks or outsourcing. 1. Controls over acceptance of internal audit contracts to ensure no impact on independence. 2. Regular reviews of the quality of internal audit work performed 3. Separate departments covering internal and external audit
4. Clearly agreed scope, responsibilities and reporting lines 5. Performance measures and procedure manuals for internal audit. INTERNAL AUDIT AND INTERNAL REVIEW -2 LIMITATIONS ON THE INTERNAL AUDIT FUNCTION: Independence: internal audit should be an independent and objective function. However this is not the case. The department carrying out the internal audit function is still part of the entity, and there is always pressure to avoid confrontation when providing a critical comment on a function (e.g. Finance), even when one is required. Rather such a comment is omitted or softened. Relationships of internal versus external audit: a relationship between internal and external audit cannot exist if the two functions don’t have a common understanding of the organization’s needs. Variations of standards: since approaches to internal audit differ from industry to industry comparisons cannot be made, and the ‘best value’ cannot be determined. Relatively new profession: internal auditing being a fairly new profession is looked upon as being inferior as compared to mainstream accountancy profession. Expectation gap: organizations are increasingly subject to change in objectives, systems and processes which impact the company risk profile. Internal auditors may not always be geared up for such constant change, which impacts both the scope of work carried out and the skills required. MANAGEMENT ROLE IN INTERNAL AUDITING: Management is responsible for implementing an internal control system in order to achieve the corporate objectives such as the accurate maintenance of accounting records. The key to an effective control system is the creation of a sound control environment. The control environment includes the governance and
management functions along with the attitudes, awareness and actions of those charged with governance and management. In other words, senior management set the tone for the control system within the entity. If they are committed to internal control then the system is far more likely to be well designed and also to work in the prescribed manner. NATURE AND PURPOSE OF INTERNAL AUDIT ASSIGNMENTS: Value for money: is concerned with obtaining the best possible combination of services for the least resources. It is the pursuit of ‘Economy’, ‘Efficiency’ and ‘Effectiveness’. Economy: least cost. Cost is proportionate with the risk. Efficiency: best use of resources. Goals and objectives are accomplished with accurate and timely fashion and minimal use of resources. Effectiveness: best results. Providing assurance that the organization objectives will be achieved VFM audits tend to focus on either economy and efficiency or effectiveness, but not both. This is because, economy and effectiveness are usually opposed to each other. For example, it would be relatively easy to reduce costs by providing a lower standard of service or to improve effectiveness by spending more. The solution to this is usually to treat current effectiveness levels as fixed and to try to identify ways of cutting costs or to aim to spend the same as before but to improve results in the process. Best value: is a requirement for organizations to demonstrate achievement of the 4C principles (challenge, compare, consult and compete). This includes meeting customer needs through effective performance management systems. The ‘Best Value’ approach cannot be ignored by internal audit as it has an influence on the way in which decisions are made about the provision of all services and activities. Challenge: review internally the different options for providing services and question the status quo. Compare: comparing with other service providers to review options for improving performance. Consult: consult all users of services and those affected by services.
Compete: demonstrate through performance management and continuous improvement that the most effective and efficient service is being provided. The 4Cs equally apply to internal auditors, who must demonstrate best value in the provision of their own service, including appropriate consultations with users and effective performance management information. Information technology auditing: Information technology auditing is a specialist type of internal auditing, reviewing and reporting on all aspects of IT systems. Project auditing: Project auditing is a specialist type of internal audit review, examining and evaluating the way that change is managed. Internal auditors can help to improve the effectiveness of a project by reviewing its management and associated risks and controls. Financial internal audit: Financial audit embraces the conventional tasks of examining records and evidence to support financial statements and management reporting. This includes analyzing information, identifying trends and potential significant variations from the norm. Operational internal audit: This reviews the business operations and control procedures, to ensure whether they are being adhered to. The audit would also identify areas for improvement in efficiency. The business functions that operational and internal audit deals with include: • • • •
Procurement Marketing Treasury Human resources
Audit work includes identification of areas (above) where there are principal business risks that are preventing an organization to achieve its objectives.
Procurement: is the process of purchasing goods and services within the organization. Organizations spend significant amounts of money on goods and services. As a result effective control should be established here to minimize risk of financial loss, fraud or damage to company reputation. Main areas of risk exposure: • Fraudulent payments to suppliers • Inaccurate payments for goods and services • Delays in payment resulting in damage to company reputation Control procedures: • Establishing policy and procedures for procurement, communicated to all levels of management. • Approved list of suppliers • Authorization and approval procedures required before any sale or purchase is made. • Making the best deals in the market place using a fixed procedure. Test of controls: • Conducting a walk-through to ensure that procedures are being followed. • Trace orders of goods and services through the system, confirming use of authorized suppliers, correct pricing and appropriate terms. • Review a sample of purchasing transactions to ensure that they have been correctly authorized. Marketing: includes all aspects about marketing (promotion, advertising, placement, image, pricing etc). Main areas of risk exposure: There are significant risks associated with marketing that need to be identified and controlled. • Poor brand image – resulting in damage to shareholder reputation.
• Poor cost control – resulting from poor investment decisions. • Fraudulent practices • Excessive or inappropriate use of marketing entertainment. Control procedures: • Placement of a marketing strategy • Approved policy and procedures • Authorization of key activities • Appropriate skills and training of staff • Proper market research along with cost/benefit analysis produced for market campaigns. Tests of control: • Walk through tests of marketing campaign • Reviewing of market strategy placed • Review training plans Treasury: is the process of managing cash flow and investments within an organization to maximize use of available finances. Main areas of risk exposure: • Lack of records of deals leading to financial loss • Inaccurate cash flows listed • Duplicate transactions or settlements • Errors in accounting records • Errors in management reporting • Poor investment performance Control procedures: • Authority levels for the processing and placing of deals. • Data maintenance controls • Regular update of cash flow forecasts • System controls, including security and access. • Appropriate levels of staff, training and expertise Tests of controls:
• Check sample of reconciliations and confirm that they have been completed in a timely manner • Review trends in performance to identify any potential areas of concern. • Check agreement with counterparties • Review valuations Human resources: includes (recruitment, pay and benefits, performance management, training and development, disciplinary and grievance procedures etc) Main areas of risk exposure: • Failure to identify and recruit the right skills • Setting up of ghost employee • Inaccurate standing data on staff, resulting in failure to maximize the potential of individuals. • Failure to provide feedback to staff on performance • Failure to provide training and development • Incorrect or fraudulent payments Control procedures: • Policy and procedure manuals should be up to date and should be formally approved • Training of HR to ensure delivery of agree and approved policy (above) • System access controls • Audit trail of key actions and decisions Tests of controls: • Walk through tests of key procedures • Review of reconciliations undertaken • Review of access and security to HR systems. • Review a sample of key transactions to ensure that they have been processed accurately and appropriately. CHAPTER 6: PLANNING AND RECORDING THE AUDIT
ANALYTICAL PROCEDURES: (AT THE REVIEWING STAGE) Analytical procedures mean the analysis of significant ratios and trends, including the resulting investigation of fluctuations and relationships that are inconsistent with other relevant information or which deviate from predicted amounts. 1. Introduction (Comparisons, Relationships, Methods and Purpose) 2. Auditor Knowledge of the Business 3. Procedure 1. Introduction: Analytical review involves doing an analysis of the financial and non-financial information. The analysis usually considers both comparisons and relationships. Comparisons: Financial information is compared, for example, with: • Prior periods (historical data); • Budgets and forecasts (future-oriented data); • Predictive estimates (e.g., of the annual depreciation charge); • Industry averages It is common practice for the auditor to prepare a schedule of account balances for the current year (un-audited) with comparatives (audited) with ± difference columns expressed in both absolute (i.e. $) and relative (i.e. %) terms. Relationships: Typically, relationships are considered between: • Elements of financial information which are expected to adhere to a predicted pattern (e.g., gross profit percentages); • Financial and non-financial information (e.g., hotel revenue to room occupancy). Methods used: Methods of analysis vary considerably, from simple comparisons to complex analyses using advanced statistical techniques. Analytical procedures may be applied to: • Consolidated financial statements; • Components (e.g., subsidiaries, divisions, segments); • Individual elements of financial information (e.g., account balances).
Purposes: • To assist in PLANNING the nature, timing and extent of other audit procedures. • As SUBSTANTIVE procedures when their use is more effective or efficient then tests of detail. • As an overall REVIEW, to conclude whether financial statements as a whole are consistent with auditors’ knowledge of the business. Analytical procedures at this stage (sometimes called ‘preliminary analytical review’) assist in: Increasing knowledge and understanding of the business through the accumulation of information on trends in key relationships; • Identifying areas of potential risk (e.g. relating to the enterprise’s financial condition); • Determining the nature, timing and extent of other audit procedures (i.e. audit strategy) by directing tests to areas of potentially material misstatement. •
2. Auditor knowledge of the business:
3. Procedure: The procedures remain the same whatever the stage of the audit. A series of steps are identified which are listed below: Obtain understanding of the business Identify relevant and credible relationships – e.g. the gross profit % expresses the relationship between sales revenue and cost of sales. • Establish the validity of any data to be used – this involves independently verifying the cost of sales and then applying the percentage to it. • Predict the likely range of expected values – the audited cost of sales percentage can be used to predict the value of sales. Auditors must take all their knowledge of the business into account in making this prediction. For example, they may know of a factor in this particular • •
accounting period affecting the gross profit percentage and should adjust their calculations accordingly. •
Compare predictions: with actual and consider the implications of any variances. The auditor here is looking at two things: 1. The changes which do occur but which differ significantly from those expected. 2. The changes which would normally be expected to occur but which fail to do so.
Auditors should investigate both categories fully. •
Seek explanations for the above (auditors should never take the word of the management for why a change has happened or failed to happen).
ANALYTICAL PROCEDURES: (AT THE PLANNING STAGE) Auditor’s work on planning the audit will usually take place before annual financial statements are available. Accordingly, any analytical procedures performed at this stage of the audit will be based on interim financial statements. The auditor will have expectations as to the relationships between various items in the financial statements and will examine the financial data available at the planning stage to see whether these expectations match with recorded values. In any case, where the results vary from expectations, the auditor should plan to conduct further work. In developing expectations, the auditor should consider non-financial data and the likely impact of changes in factors external to the enterprise. TYPICAL AUDIT PLANINNG PROCEDURES: • Consider the background of the client’s business and attempt to ascertain any problem for that sector of industry which may affect the audit work. • Consider an outline plan of the audit including the extent to which the auditor ay wish to reply upon internal controls and the extent to which work can be allocated to interim or final audit stages.
• Review matter raised in the audit of the previous year by examining the audit files. • Assess the effect of any changes in legislation or accounting practice on the financial statements of the client. •
Review any management accounts which the client has prepared as these may indicate areas of concern in audit.
• Meet with the senior management to identify problem areas. • Consider the timing of significant phases in the preparation of the financial statements. E.g. dates of physical inventory counting, balancing of receivables and payables, preparation of trial balances etc. • Consider the extent to which the client’s employees may be able to analyze and summarize the financial data to the relevance of the audit work. • Determine the number and grade of audit staff to be allocated to each stage of the audit. • Consult members of the audit team to discuss any foreseeable problems. The preparation of a memorandum setting out the outline audit approach may be helpful. • Assign a budget to allocate the time to each member of the audit team. The timing of audit work: The timing of the audit work must be planned to suit the nature of the business being audited. There are three main possibilities: • All the audit work is done at or after the year end. (small businesses) • The work is divided into interim and final audits, planning and tests of controls taking place at the interim stage, while substantive balance sheet audit taking place at the final stage. (medium size businesses) • The third possibility is continuous audits, where the client is so large that the auditor is present throughout the year. (large businesses)
AUDIT RISK: At its most simple ‘Audit Risk’ is the risk that the auditor will get his opinion wrong. This means that the auditor will fail to qualify an audit report that he should have qualified. In order for this situation to arise there needs to be a material error in the accounting records or the financial statements which was not corrected before the accounts were published and to which the auditor did not refer in the Audit Report. 1. Explanation of the approach and the Audit Risk model: The situation referred to in the preceding paragraph can only come about if three things have happened in sequence: •
Firstly, a material error needs to have occurred. The chance of this happening is commonly referred to as the Inherent Risk.
•
Secondly, the error needs to have not been detected by the client’s system of Internal Control. The chance of this happening is referred to as the Control Risk.
•
Thirdly, the auditor must have failed to find the error in the course of his substantive testing or analytical review procedures. The chance of this happening is known as the Detection Risk.
It is only when all of these conditions are fulfilled simultaneously that the auditor will give an inappropriate opinion on a set of financial statements, and the Audit Risk will materialize. Thus it can be said that the Audit Risk is the product of the Inherent Risk by the Control Risk by the Detection Risk. This is normally abbreviated to: AR = IR x CR x DR Note: Maximum Risk is assessed as 1 and lower levels between 0 and 1 e.g. Control Risk might be assessed e.g. 0.25 or 0.5. 2. Use of the model: In order to make use of the model we need to realize that only some elements of the model are within the auditor’s control. In particular the auditor can do nothing about the Inherent Risk and the Control Risk. He can assess them but cannot change them. The auditor can, however, decide what
level of overall Audit Risk he wishes to take. Naturally this will normally be quite low: usually about 5% is considered acceptable. So now we have .05 = IR x CR x DR Theoretically, the auditor can make Detection Risk as low as he pleases. To eliminate risk altogether the auditor simply has to check every transaction, every asset and every liability! Of course, in practice this is usually just not possible. The usefulness of this model is that it allows the auditor to set quantitative values on Inherent Risk and Control Risk so as to allow for an increased amount of Detection Risk and hence a lower level of substantive testing. In other words, the auditor will need to do less substantive testing if the Inherent Risk and/or the Control Risk are low. If, for example, the system of internal control is good then the Control Risk will be low leading to less substantive testing. On the other hand, the auditor might decide to take no comfort from inherent or control factors and to base his audit opinion purely on substantive procedures (including analytical review). In terms of this model that would mean putting IR and CR = 1 and thus AR = DR. This approach is often taken in the case of smaller or owner- managed enterprises, and it is purely the substantive or vouching approach to auditing. More commonly nowadays auditors will place at least some reliance on internal control and hence control risk will be evaluated at less than one. The exact figure will be found by means of an analysis of the results of tests of control but the auditor should err on the side of caution. In particular, control risk should never be assessed as zero. Placing a numeric value on Inherent Risk is more difficult. Many auditors will always regard Inherent Risk as maximum (i.e., one), but to do this, while prudent, is to reduce the usefulness of the model somewhat. Factors which need to be considered when placing a value on Inherent Risk would include: •
The financial position of the client;
The type of industry in which the client is operating (e.g., newer, more high-tech industries carry higher levels of risk); • The history of the client and the auditor’s past experiences with the client. This is sometimes referred to as CAKE — Cumulative Auditing Knowledge and Experience; • The amount of pressure on the client or the client’s staff to produce results which live up to expectations, or the extent to which the remuneration of the management and staff are dependent upon the client’s results. •
In summary, let us take an example of a client who has decided that an overall Audit Risk of 5% is acceptable, that the Inherent Risk is 80% and the Control Risk is 50%. We have: 0.05 = 0.5 x 0.8 x DR Therefore DR = 0.05 / 0.5 x 0.8 DR = .125 or 12.5% The auditor now knows that he can afford to take a 12.5% chance of not detecting an error during the substantive testing. Conversely he needs 87.5% assurance that the substantive testing will pick up all material errors. He can use this information in conjunction with statistical sampling techniques (which are outside the scope of this article) so as to determine appropriate sample sizes for the purposes of substantive testing.
3. Relationship to the traditional ‘systems-based’ approach: Thus, it can be seen that the ‘Risk Based Approach’ is, in substance, no different from the more traditional ‘Systems Approach’. Both are based on the simple idea that an auditor can reduce substantive procedures if the results of tests of control are good. The Risk Based approach is, however, more specific. It should thus help to reduce the possibility of the auditor doing too much or too little work. 4. Advantages and disadvantages of the model: Advantages:
It helps to eliminate ‘under’ or ‘over’ auditing; The results appear more rational and defensible than if the model is not used. This may be important if the auditor is called upon to support his decisions in a Court of Law; • The model should help to allow work to be delegated to more junior members of staff who will be able to proceed without having to rely too much on their own judgment; • The increased use of computers should make the statistical calculations required easier. • •
Disadvantages: It is very difficult to put a quantitative value on Inherent Risk. Hence, the model may give an impression of accuracy which is unrealistic. • For the model to be useful the populations (i.e., numbers of items) involved need to be sufficiently large to allow for valid statistical conclusions to be drawn. This rules out the use of the model in many smaller audits. • As is always the case with such models, there is a danger of adapting an overly mechanistic approach and that the auditor will lose his ‘feel’ for the assignment. •
5. The audit risk matrix considered: An alternative form of the AR = IR x CR x DR model is the Audit Risk Matrix. This places the Inherent Risk and the Control Risk on the vertical and horizontal axis respectively and accesses them as maximum, high, moderate or low. Reading off the correct combination gives the level of detection risk required.
Planning Materiality: An item is material if its omission or misstatement could influence the economic decisions of users taken on the basis of financial statements. Materiality is considered in planning audit procedures and in evaluating the effect of misstatements. In planning, the auditor therefore needs to establish materiality levels to ensure that any material misstatement or omissions in the accounting records are discovered. Materiality levels: there are two levels to be considered here:
1. Materiality at the overall financial statement level. 2. Materiality for individual balances of transactions. • There is an inverse relationship between materiality and audit risk. Higher the materiality, lower the Audit Risk. • Materiality at the planning stage is often set a lower level in order to reduce the risk of undiscovered misstatements.
STAFFING AND TRAINING ISSUES: Staffing issues include: • Number of staff required • Level of expertise required • Length of time each member of staff will be needed • Exact timing of their work
Job title Partner
Manager
Supervisor or junior manger Senior
Clerks, juniors and semi seniors
Job description as regards the Audit • Agree fees with client • Review audit • Sign audit report • Assign staff to job • Agree detailed timetable with supervisor • Review staff requirements • Review audit in detail at end of interim and final audits • Take charge of large jobs e.g. a large group of companies where each company or division is audited by a senior • • • • •
Take charge of the audit Agree audit timetable with manager Decide on detailed audit work Compile audit working papers Perform detailed audit work assigned by seniors
It is important that staff with the correct mix of experience and knowledge of the client and industry are employed on the audit. Training needs include: • Sitting in professional examinations such as ACCA • Practical training (article-ship) • Fulfillment of CDP requirement (continuing professional education) RECORDING THE AUDIT PROCESS: Working papers ISA 230 Documentation states that auditors should document matters which are important in providing evidence to support the audit opinion and evidence that the audit was carried out in accordance with ISAs’. Working papers should be sufficiently complete and detailed to provide an overall understanding of the audit. They should record: • Planning information • The work done and when it was done • Results and conclusions
Auditors are required to record all matters which are important in supporting the report. They are particularly required to record matters that demand the exercise of opinion, as auditors may/will be questioned later on any matter and they should be able to show what they knew at that time. Extracts from working papers can be made available to the client at the discretion of the auditor, but working papers should not be made available to third parties without client consent. Contents of working papers: Working papers should include the following: • Information that can be used again i.e. permanent file information that could be used on recurring audits. • Audit planning information (time and budget) • Detail of the internal control systems and auditor’s evaluation and risk assessment. • Detail of audit work carried out, including notes of errors, action taken and conclusions drawn. • Evidence of review of audit work. • Audit summary including copies of engagement letter, representation letters and approved financial statements. Standardization of working papers: Standardization offers several advantages: • It improves efficiency of the audit work in terms of its preparation and review. • It helps in delegation of work. • It helps to maintain quality control. However a certain amount of flexibility is essential to exercise professional judgment rather than mechanically following a standardized procedure. Engagements to review financial statements: Auditors may be required to carry out a review of the financial statements. This is called a review engagement and it cannot be termed as a full audit. The purpose of such a review is to bring anything to the auditor’s attention that causes him to believe that the financial statements are not prepared, in all material respects, in accordance with an identified reporting framework.
Principles of review engagement: • The auditor should review with an attitude of ‘professional skepticism recognizing that circumstances may exist that cause the financial statements to be materially misstated. • The auditor should obtain sufficient appropriate evidence (through analytical procedures) to be able to draw a conclusion. Detailed procedures of a review engagement: • Obtain an understanding of the entity’s business and the industry. • Info concerning the accounting principals and practices followed. • An inquiry on all material statements included. • Analytical procedures carried out to identify relationships. This can be done through comparison with previous year financial statements and their comparison with expected results. A pattern of relationships should then be formed that would be expected to conform to a predictable pattern. CHAPTER: 7 RELIANCE ON THE WORK OF OTHERS IN THE AUDIT: RELIANCE ON EXPERTS: Auditors need to be aware of areas within the audit which may require the use of an expert. An auditor may not have expertise in certain areas of an audit and may need to obtain evidence in the form of reports, opinions, valuations or statements from an expert. The need to use an expert depends on the materiality and nature in terms of complexity of the matter at hand and the risk of misstatement. If however, it is decided that expert evidence is needed, the expert should be engaged or employed either by the client, or by the auditor with the consent of the client. If the client refuses and there are no other sources of evidence for the item concerned, the auditor should qualify the audit report. Competence and objectivity: In order to rely on the evidence provided by the expert, the auditor must be satisfied that the expert is competent and objective. 1. Competence would be evidenced by certification or membership of a professional body. 2. Objectivity requires that the expert should work with a fair mind without having any interest in the business. Objectivity will be impaired if the
expert is the employee of the entity or is dependant on it in some other way (financially). Scope of the expert’s work: This is to be decided in a meeting between the auditor, the client and the expert. Where the following is discussed: • the objectives of the expert’s work • sources of info available to expert • the form and content of work required by the expert • expert’s access to books and records • the assumptions and methods the expert is to use Assessing the work of the expert: This will be done by examining the expert’s report and determining whether it is appropriate in the light of other work performed. The auditor should obtain an understanding of the assumptions and methods used and consider whether they are appropriate. If unsatisfied, the problem is discussed with the client’s management and the expert. It may occasionally be necessary to obtain an opinion of a second expert. The audit report: The auditor should not show reference of use of an expert in the audit report, as this may imply a division of responsibilities. If the auditor has used an expert in part of the audit work, the auditor must evaluate the work done in detail, so as to satisfy himself that the results are sufficient, reliable and relevant. The auditor is doing so, is taking upon himself the responsibility for the work completed and hence does not make any reference of use of an expert in the audit report. The above procedure is important as the work of the auditor may be challenged by the client or in a court of law, and hence needs to be defect free. RELIANCE ON INTERNAL AUDIT: The extent to which the external auditor can depend directly on the work done by the internal audit depends on its relevance to the external audit function and its quality. Relevance: A number of objectives of the internal audit may be similar to those of external audit. The extent of dissimilarity can be amended by the
external auditors to suit their own audit work. In order to do this the external auditors will need to take in account the internal audit’s program of work. Quality: Quality of the work will depend on the internal auditor’s technical competence. The internal audit department needs to be fully equipped in terms of staffing, experience and qualification. Factors to be considered when assessing the internal audit department: 1. The organizational status of internal audit: The internal auditors should: • be able to plan and carry out their work as they wish • have access to the highest level of management • be free of any operating responsibility • be able to communicate fully with the external auditor 2. The scope of the internal audit function: Scope of work underlined by IAS includes: • pay roll and accounts • IT and HRM • Corporate governance 3. Due professional care: External auditors need to make a judgment as to whether the work of internal audit generally appears to be properly planned, controlled and recorded. 4. Technical competence: The internal audit department should include the right mix of core competencies. This should be reviewed by the external auditors time after time and significant weaknesses notified and reported to the management in writing. Evaluating and testing the work of internal audit: The external auditors need to set out the extent to which they will rely on the internal audit function, along with the reasons for doing so. Once relied upon, the auditors must ensure that: • The work has been performed by those with adequate technical training and that under proper supervision.
• Sufficient relevant evidence is obtained to support the conclusions reached. • Conclusions reached are appropriate and that reports are consistent with conclusions. In planning out the audit, the external auditors need to consider: • The materiality of areas that need to be tested. • The information that can be obtained from IA department. • The level of audit risk inherent in the areas to be tested or info from IA. • The sufficiency of complementary audit evidence • Specialist skills possessed by internal audit staff AUDIT CONSIDERATIONS RELATING TO ENTITIES USING SERVICE ORGANIZATIONS: Planning the audit: The auditor should identify at the planning stage of the audit whether or not an organization uses service organizations to assist it; the auditor needs to assess the type and range of service provided in order to asses audit risk. The use of a service organization affects the audit procedures dramatically, as now it is more difficult to state whether the financial statements are free from material misstatement. Planning will include assessment of inherent risk of the organization and its control environment. This will be affected by: • The nature of the service provided • The degree of authority delegated to SO • Arrangements of ensuring quality service is provided. • Whether the activities involve assets which are susceptible to loss or misappropriation. • The financial status of the service organization. If the auditors determine that they can rely on the controls within the organization, they should perform a thorough assessment of control risk. This includes: • The nature of controls operated by the client and the extent to which the service organization operates these controls.
• The actual occurrence of errors detected by the client arising from the SO. • The information the service organization provides to show its compliance with controls. • Whether the SO has its own external auditors who provide the client with relevant information on the appropriateness of controls within the service organization. • The skills and knowledge of staff within the SO. Audit procedure: • Inspection of documents and records held by the client • Assess effectiveness of controls with the client and the SO. • Obtain written statement from SO in respect of confirmation of balances and transactions. • Performing analytical review procedures. • Requesting the service organization’s auditor or client’s internal audit function to do specific procedures. • Reviewing the reports produced by the SO regarding the design of internal control systems. OUTSOURCING OF ACCOUNTING FUNCTIONS Degree of risk Characteristics High Complex transactions Delegated authority to initiate and execute transactions Reversal of outsourcing costly/difficult Medium
High proportion of finance functions outsourced Some business knowledge is outsourced Transactions can be initiated but execution requires approval from user entity Analytical techniques are insufficient for an adequate degree of control Discrete functions are outsourced
Low
Little requirement for judgment in processing transaction Non-complex transactions Analytical control techniques are effective Easy to reverse the outsourced function Low proportion of functions outsourced
CHAPTER 8 INTERNAL CONTROL SYSTEMS: Internal control: Is a process designed by those charged with governance & management to provide reasonable assurance about the achievement of the entity’s objectives with regard to reliability of financial reporting, effectiveness and efficiency of operations and compliance with applicable laws and regulations. Internal control system consists of: a) The control environment b) The entity’s risk assessment process c) The information system d) Control activities e) Monitoring of controls a) Control environment: refers to the general attitude, awareness and actions of directors and management regarding the internal control system and its importance to the entity. This includes management style, corporate culture, values, operating style, the organizational structure and policies and procedures. b) Risk assessment process: is the process for identifying and responding to business risks. Risks relevant to financial reporting include external and internal events that may adversely affect an entity’s ability to process and report financial data. Once the risks are identified, management considers their significance, the likelihood of occurrence and how they should be managed. Management may now decide either to take steps to reduce the risk or accept the risk (as the cost of removing the risk will be more than the cost of the risk itself).
Risks can arise due to the following reasons: • Changes in operating environment • New personnel • New information systems • New technology • Corporate restructuring • New accounting standards c) Information systems: this consists of infrastructure, software, people and procedures relevant to financial reporting that are used to perform the following: • Recording of accounting transactions • Present properly the transactions and related disclosures in the financial statements. • Helps in determining the time period in which transactions occurred to permit recording of transactions in the proper accounting period. • Measures the value of transactions in a manner that permits recording their proper monetary value in financial statements. d) Control activities: are policies and procedures that help ensure that management orders are carried out. Control activities can take a number of forms: •
Performance reviews: Involve looking at reports to identify mgt and control issues from the past performance. E.g. a comparison or budgeted and actual figures, which might highlight book keeping problems if the variance is due to errors in the recorded figures.
•
Information processing: Encompasses controls that are performed to check the accuracy and completeness of transactions. E.g. a print out of every name added to the company payroll might help prevent the fraudulent addition of bogus employees.
•
Physical controls: E.g. physical security to prevent staff or third parties from simply stealing high value items.
e) Monitoring of controls: is a process to assess the quality of internal control performance over time. It involves assessing the design and operation of controls on a timely basis and taking necessary corrective actions. Types of internal control: There are a number of controls that an auditor should consider: 1. Preventive: these are controls that prevent risks from occurring. E.g.
authorization controls should prevent fraudulent transactions taking place. 2. Detective: these are controls that detect if any problems have occurred.
They are designed to pick up errors that have not been prevented. E.g. large amounts paid without being authorized, reconciliations etc. 3. Corrective: are ones that address any problems that have occurred.
Where problems are identified, the controls ensure that they are properly rectified. E.g. follow up procedures and management action. Specific control procedures: • Reporting, reviewing and approving reconciliations • Checking the arithmetical accuracy of records • Maintaining control accounts and trial balance • Comparing internal data with external sources such as supplier statement reconciliations • Limiting direct physical access to assets and records. An alternative to this is segregation of responsibilities. There should be a division of responsibilities for: - authorizing the transaction - the physical custody and control of assets - recording the transaction No one person should be in a position both to misappropriate an asset and to conceal his act by falsifying the records. Documenting the internal control system: documenting the internal control system has two portions: first the auditor learns about the system and then he records the system.
1. Learning about the system: an auditor can learn about the system in the following ways: - Examining previous audit work: the audit files should contain a record of the system as it operated at the last audit date. Unless there have been major changes, this will only require updating. -
Client’s own documentation of the system: these will be in the form of manuals of accounting procedures; these are usually a valuable source of info.
-
Interviews with client’s staff: this involves the auditor taking interviews of the staff to find out how they carry out their functions.
-
Tracing transactions: also known as walk through checks, this involves following a particular sequence relating to a single transaction in order to learn how the system works.
-
Observation of client’s procedures: it will often be useful to watch the client carrying out procedures such as wages pay out and opening of the mail.
2. Recording the system: an auditor can record the system in the following ways: - Narrative notes: this is a simple and convenient way of describing systems. However it can become cumbersome as system notes take up a disproportionate amount of space. Furthermore, notes may be difficult to interpret in order to show the changes made in the system. -
Organization charts: this provides a convenient way of describing the relationships between individuals in an organization. However, it does not specify the precise duties of then individuals concerned and it only describes the formal relationships between them.
Internal control questionnaires: these can be divided into two categories: 1. Internal Control Evaluation Questions (ICEs) and 2. Internal Control Questions (ICQs) 1. ICE: the ICE is designed to determine whether desirable controls are present that prevent particular errors or omissions and are answered using knowledge of the system obtained from the flow chart or ICQ. -
E.g. ‘Can goods be dispatched without being invoiced?’ they are often referred to as control questions that require the exercise of the auditor’s judgment. An answer of ‘No’ to the ICE implies that the system is strong as controls exist to prevent the specified problem. A compliance test (test of control) will be required to ensure the controls are operating An answer of ‘Yes” to the ICE implies that the system is weak and a substantive test (test of detail) will be required to quantify the effect of any errors that may have occurred. 2. ICQ: these are objective questions which focus on specific controls and the information obtained in completing the ICQs are used to answer the relevant ICE. The objectives of ICQs are to ascertain, record and identify controls in the client’s system. -
Flow charts: A flow chart is a diagrammatical representation of a system such as the accounting system. These are also used by the auditor to document the system. Symbols are used to represent the flow of documents and books of account, where they are filed and the accounting operations performed on them.
Testing the internal control system: •
Strong internal controls: if the conclusion to the ICE indicates that the entity appears to have a strong internal control system, certain compliance tests will be performed by the auditor to obtain ‘sufficient evidence that the controls were operating effectively at relevant times during the period under audit’.
Compliance tests can take three main forms: 1. Examination of evidence: e.g. an auditor might examine a sample of recorded invoices to ensure that they have been initialed. This provides evidence that the sampled items have been signed, although it does not necessarily prove that the client’s staff member actually checked the invoice before signing it. 2. Re-performance: e.g. the auditor takes a sample of recorded invoices and traces them back to their supporting order forms and goods received records. This proves that the original comparison by the staff member
could have taken place because the necessary evidence exists. If the supporting records are missing and the invoices have been signed then the auditor would have strong grounds for believing that the control has not operated. 3. Enquiry and observation: e.g. the auditor asks staff to describe the
system and listens carefully for confirmation that a system operates as described. The secret is to ask indirect questions and to avoid leasing the interviewee. Rather than asking whether X compares invoices to records, ask X to explain what the process involves and listen for references to order forms and good records. Note: it does not matter that the auditor cannot prove conclusively that any given control or controls operated consistently throughout the year. It is sufficient that the auditor can prove that sufficient care and skill has been applied to the collection of audit evidence. •
Weak internal controls: if the ICE indicates an absence of controls to prevent a particular error or omission then the auditor might conduct detailed substantive testing in order to determine whether the weakness has resulted in error and if so to quantify the effect on the financial statements. If the system is generally weak then the external auditor is more likely to consider more extreme options, such as resignation, rather than staying and attempting to resolve the problem. It is unlikely that a cost effective audit could ever be conducted on a system that is very seriously flawed.
CHAPTER 9 INTERNAL CONTROL – REVENUE AND PURCHASES: Control objectives: can be outlined as follows: • Only authorized transactions are correctly and promptly recorded in the appropriate accounts. • And that access to assets is only in accordance with proper authorization and that recorded assets are compared with existing assets. Control procedures: can be outlined as follows: • Sequential numbering of documents
• Maintenance of batch and other totals at the input stage with subsequent checking for completeness and accuracy • Authorization, verified by the signature of responsible officials for the distribution or input of documents. Tests of control: by the auditor involve ensuring that the procedures above (control procedures) have been applied, by looking for evidence of, for example, the checking of sequence, batch totals, control account reconciliations etc. Tests of control are performed by either looking for a signature to give evidence that the control procedure has been performed. Or by reperforming the control, to check whether all the documents are actually there, with no omissions or duplications, in order to prove to themselves that the control has actually been performed, rather than the document simply having been signed. INTERNAL CONTROL - REVENUE SYSTEM The revenue system includes revenue obtained from sales. The control objectives outlined above can now be translated into control objectives for sales. 1. Control objectives: the control objectives for sales include the following: • Sales are made in accordance with company objectives • Customer’s orders should be authorized, controlled and recorded in order to execute them and determine any allowance required for losses arising from unfulfilled commitments. • Goods shipped and work completed should be controlled to ensure that invoices are issued and revenue recorded for all sales. • Goods returned and claims from customers should be controlled in order determine the liability for goods being entered in the accounts. • Invoices should be appropriately checked as being accurate and authorized before entered in the accounts • There should be procedures to ensure that sales invoices are subsequently paid and that doubtful amounts are identified in order to determine allowance for losses. Achievement of objectives: in order to achieve these objectives there should be good segregation of duties. There are three distinct processes in
the sales system which should be separated and performed by different staff in order to establish effective internal controls. They are: •
Accepting customer’s orders: 1. Sequence controlled documents should be used to acknowledge all orders received. Any uncompleted orders should be regularly reviewed. 2. Credit limits should be checked by the credit control department. 3. Selling prices, discounts and delivery dates should be fixed by senior members of the sales department – never by the accounts staff.
• Dispatch department: 1. Sequence controlled documents should be used for all goods leaving the premises. 2. Dispatch notes should be completed by the gatekeeper or the dispatch department – never by the accounts staff. • Invoicing the goods: 1. Sequence controlled documents should be raised by the sales department and then passed to the accounts department for recording. 2. Strict control of credit notes is essential to ensure that they are raised by proper authority in the sales department. 2. Control procedures: control procedures for sales can be explained using a sales cycle, covering, orders, dispatch, invoicing, returns and receivables. Orders: • The orders should be checked against the customer’s account; this should be evidenced by signing. Any new customer should be reffered to the credit control department before the order is accepted. • All orders received should be recorded on pre-numbered sales order documents. • All orders should be authorized before any goods are dispatched. • The sales order should be used to produce a dispatch note for the goods outwards department. No goods may be dispatched without a dispatch note.
Dispatch: • Dispatch notes should be pre-numbered and a register kept of them to relate to sales invoices and orders. Invoicing and credit notes: • Sales invoices should be authorized by a responsible official. • All invoices should be entered in sales day book, accounts receivable ledger and accounts receivable ledger control account. • Sales invoices and credit notes should be serially pre-numbered and regular sequence checks should be carried out. • Credit notes should be authorized by someone unconnected with dispatch or accounts functions. • Copies of cancelled invoices should be retained. • Cancelled invoices should be signed by a responsible official. Returns: • Any goods returned by the customer should be checked for obvious damage and when accepted, a document should be raised. • All goods returned should be used to prepare appropriate credit notes. Receivables: • A receivables ledger control account should be prepared regularly and checked to individual sales ledge balances. • Formal procedures should exist for following up overdue debts. Reminders should be sent regularly to customers for collection of overdue debts. Bad debts: • The authority to write off a bad debt should be given in writing and adjustments made to the accounts.
3. Tests of control:
Tests of control should be designed to check that the control procedures are being applied. Appropriate testing includes: • Carry out sequence test checks on invoices, credit notes and dispatch notes. Ensure that all items are included and that there are no omissions or duplications. • Check the authorization for the: - acceptance of the order - dispatch of goods - raising of invoice - pricing and discounts - write off of bad debts • Check arithmetical accuracy of invoices, credit notes and sales tax. • Check dispatch notes and good returned notes to ensure that they are referenced to invoices and credit notes and vice versa. • Check that control account reconciliations have been performed. Substantive procedures 1. Accounting records: • Check additions of the sales day book and sales returns day book. • Check the posting of individual invoices to the general ledger and the control account. 2. Invoices and credit notes: • Obtain a sample of potential sales • Check sales invoices to ensure that quantities and descriptions are correctly stated. • Compare invoiced prices with authorized, up to date price lists. • Check calculations and additions of invoices and credit notes. • Ensure that invoices are posted to the appropriate accounts. 3. Control account reconciliations: • Test the year end control account reconciliations, checking back to source documentation. Ensure that any reconciling items are dealt with properly.
Analytical procedures 1. Fluctuations in sales levels: fluctuations around the year can be identified by comparing levels of sales throughout the year on a month to month basis, or by comparing the sales in the last month of the year to sales in the first month of the next year. Significant fluctuations from month to month may indicate misclassification between months or the omission of sales. 2. Cut of problems: an increase in sales just before the year end with low sales just after the year end may indicate that the client has tried to distort profits. The auditor should consider identifying and checking large items in the last month and the first month of the next period to ensure delivery took place before the year end. 3. Disclosure: sales revenue must be disclosed by class of business and geographical market. INTERNAL CONTROL – PURCHASES SYSTEM 1. Control objectives: control objectives for purchases are to ensure that: • Purchased goods are ordered under proper authority. • They are only ordered as required. • When received, they are properly checked for quality and quantity. • Invoices and related documentation are properly checked and approved. 2. Control procedures: as with the sales system, controls procedures are also required for purchases, they can be described using the purchases cycle as follows: Orders: • Requisition notes for purchases should be authorized. Being authorized by a responsible official. • All orders to be recorded on documents showing supplier’s name, quantities and price. Copies of orders should be maintained. • Re-order levels should be pre-set.
Receipt of goods: • Goods inwards centers should be identified to deal with the receipt of all goods. • All goods should be checked for quantity, quality and condition. Goods received notes should be created for all goods accepted. This note should be signed by an official. • GRNs should be checked against purchase orders and procedures should exist to notify the supplier of under or over deliveries. Invoicing and returns: • Purchase invoices received should be stamped with an approval grid and given a unique serial number to ensure purchase invoices do not go astray. • The invoice should be matched with the order and the GRN. • The invoices should be signed as approved for payment by a responsible official. • Invoice sequential numbers should be checked against purchase day book details. • Any recoverable purchase tax should be separated from the expense. • Invoices should be properly allocated to the general ledger accounts. • A record of goods returned should be kept and checked to the credit notes received from suppliers. Accounts payable ledger: • An accounts payable ledger control account should be maintained and regularly checked against balances in the ledger. • Reminders of payment from suppliers should be checked against the purchase ledger account. 3. Tests of control: as before, these should be drawn up to check whether the control procedures have been properly applied. Purchase order: purchase order should be tested for: • Evidence of a sequence check • Evidence of approval and authority. Goods received notes: tested for sequence check
Purchase invoice: test for: • Serial numbering • Evidence of sequence checking • Evidence of matching purchase invoices with GRNs and orders. • Evidence of correct treatment of purchase taxes. Credit note: • Test for evidence of matching credit notes to GRNs. Payables ledger control account: test for • Evidence of reconciliation to purchase ledger • Evidence of authorization of adjustments. Substantive procedures 1. Accounting records: • Check additions of the purchase day book and purchase returns book • Check posting from the day books and the general ledger to the control account. 2. Invoices and Credit notes: • Check additions of credit notes and invoices. • Check invoices and credit notes with day books • Ensure invoices have been approved for payment. • Agree invoices to orders • Agree prices charged on invoices and credit notes to supplier’s price lists. 3. Control accounts: test the year end control account reconciliations checking back to source documents. Analytical procedures Can be used to review unusual purchasing trends, levels of purchasing outside agreed limits or non-authorized suppliers
CHAPTER -10 INTERNAL CONTROL – PAYROLL, CASH AND OTHER AREAS; REPORTS TO MANAGEMENT INTERNAL CONTROL – PAYROLL 1. Control objectives: the control objectives of internal control for wages and salaries are as follows: • Wages and salaries should only be in respect of client’s staff and of correct rates. • Wages and salaries should be in accordance with records of work performed. • Payment should be made to correct employees. • Liabilities to tax authorities for income tax should be properly recorded. 2.1 Control procedures (wages): Authorization and control of documents • There should be written authorization to employ or dismiss any employee. • Changes in rates of pay should be authorized in wiring by an official outside the wages department. • Overtime worked should be authorized by the works manager. • The wages cheque should be signed by two signatories. • Where pay relates to hours at work, some form of rime recording should be used, e.g. time keys. There should be supervision of time recording. There is a clear risk that staff can manipulate systems to obtain additional hours and therefore additional payments. The supervisor should know the hours worked by staff and check outputs to ensure that expected and actual hours tally. • When employees have been absent for a significant period, their entitlement to salary should be checked against personnel details. • Personnel records should be kept for each employee giving details of engagement, retirement, dismissal or resignation, rates of pay, holidays etc.
Prompt recording and arithmetical accuracy • Payroll should be prepared from job cards and a sample checked for accuracy against current rates of pay. • Payroll should provide for accurate calculation of deductions such as tax, pension, insurance etc. Access to assets and records • Employees should sign for their wages. • No employee should be allowed to take the wages of another employee. • When wages are claimed late, the employee should sign for the wage packet and release should be authorized. • The wages department should be a separate department with their personnel not involved with receipts and payments functions. • Unclaimed wages should be recorded in a register and held by someone outside the wages department until claimed. Control accounts • Control accounts should be maintained in respect of each of the deductions showing amounts paid periodically to the tax authorities. • Management should exercise overall control. 2.2 Control procedures (salaries): • Personnel records should be kept similar to those for hourly paid employees. • Written authority should be required to employ or dismiss an employee or change salary rate. • Overtime should be authorized by someone outside the payroll department. • The usual checks on deductions are required. • Direct bank transfers of salaries should be signed. 3. Tests of Payroll controls: tests of payroll control include the following: • Test sample of time sheets, clock cards for approval by responsible official. • Test the authority for payment to casual labour. • Observe wages distribution, ensuring employees sign for wages, that unclaimed wages are re-banked.
• • • •
Test control over payroll amendments. Examine evidence of approval of payrolls by a responsible official. Inspect payroll reconciliations. Test authorities for payroll deductions and test controls over unclaimed wages. Substantive procedures Substantive testing procedures include the following: • Select sample of personnel records • Test sample for: rates of pay, authorization of changes in pay and personal details. • Ensure employees are paid only for work done • Test personnel records to ensure that employees exist and are being paid at the correct rate. • Check whether deductions are actually being paid over to the tax authorities on time and that no unrecorded penalties may arise. • If payroll control account is maintained, check this against the general ledger. • Test totals of cheques drawn with 1. Net amount paid to employees. 2. Amount paid to tax authorities. INTERNAL CONTROL – CASH SYSTEM 1. Control objectives: control objectives for cash are of prime importance in any business. The central objectives are that: - All sums are received and accounted for. - No payments are made which should not be made. - All receipts and payments are accurately recorded. 2. Control procedures: there are a number of areas of the business that have different control procedures, these are as follows: Controls over cash receipts by post • The company should safeguard against possible interceptions between the receipt and opening of the post. E.g. by using a locked mail box and restricting access to keys. • The opening of the post should be supervised by a responsible official.
• All cheques and postal orders should be restrictively crossed ‘Account payee only, not negotiable’ as soon as the mail is open to prevent them from being endorsed and paid into someone else’s account. • A record should be kept of all the cheques and cash received by post; this should be done in the form of a rough cash book. Controls over cash collected by salespeople • Authority to collect cash should be clearly defined. • Salespeople should be required to report sales at regular intervals which should be formally notified to such employees. • A responsible official should quickly follow up salespeople who do not submit returns as required. • Collections should be recorded when received, e.g. in a rough cash book register. • Periodically a responsible official should check the salespeople’s own receipt books with cash book entries. Control over cash sales • Cash sales should be recorded when sale is made • If cash sale invoices are used they should be pre-numbered, a register should be maintained of cash sale invoice books. • Cash received should be reconciled daily with the invoice totals. • Daily banking of the cash sales should be checked against the invoice total and differences investigated. • A responsible official should sign cancelled cash sale invoices at the time of cancellation. Controls over banking • Each day’s receipts should be banked and recorded in the cash book. • Sales ledger personnel should have no access to the cash. • Periodically a comparison should be made between the split of cash and cheques received and banked. Controls over cheque payments • Unused cheques should be held in a secure place • The person who prepared the cheques should have no responsibility over purchase ledger or sales ledger.
• Cheques should be signed after evidence of a properly approved transaction is available. • Cheque signatories should be restricted to a minimum practical number. • The signing of blank cheques should be prohibited. • Cheques should be crossed before being signed. • Supporting documents should be cancelled as paid to prevent their use to support further cheque payments. This cancellation is to be done by the cashier before the cheque is signed. • Returned cheques may be obtained from the bank. Bank reconciliations • Bank reconciliations should be prepared at least once a month. • Person responsible for preparation should be independent of the receipts and payments function. • Bank statements should be obtained directly from the bank and held until reconciliation is completed. Controls over petty cash • The level of cash float should be laid down formally • There should be restricted access to the floats • Cash should be securely held. • All expenditure should require a voucher signed by a responsible officer, not the petty cashier. • The ‘imprest system’ should be used to reimburse the float i.e. at any time the total cash and value of vouchers not reimbursed equals the float. • Vouchers should be cancelled once reimbursements have taken place. • Periodically the petty cash should be reconciled by an independent person. 3. Tests of control: Cash receipts • Attend mail opening and ensure procedures are adhered to • Test independent check of cash receipts to bank lodgments. • Test authorization of cash receipts • Test for evidence of arithmetical accuracy on cash received records.
Cash payments • Inspect cheque books for, any signatures on blank cheques and controlled custody of blank cheques. • Test to ensure that paid invoices are marked paid • Examine evidence of authority for current standing orders and direct debits. Bank reconciliations • Examine evidence of regular bank reconciliations • Examine evidence to follow up outstanding items on bank reconciliations such as un-presented cheques. Petty cash: • Test petty cash vouchers for approval. • Test cancellations of petty cash vouchers. • Test for evidence of arithmetical accuracy. INTERNAL CONTROL – OTHER SYSTEMS (INVENTORIES AND NON-CURRENT ASSETS) INVENTORIES 1. Control objectives: • Control over goods inwards, outwards and dispatches. • Inventory records authenticated by physical counts • Adequate steps should be taken to identify all inventories for which write-downs may be required. • Inventory levels should be controlled so that materials are available when required but that inventory is not unnecessarily large. 2. Control procedures: Approval and control of documents • Issues from inventories should be made only on properly authorized requisitions. • Reviews of damaged and obsolete inventories should be carried out. Arithmetical accuracy
• All receipts and issues should be recorded on inventory cards, cross referenced to the appropriate GRN. • The costing department should allocate direct and overhead costs to the value of work in progress according to the stage of completion method. • To do this standard costs are normally used. Such standards must be regularly reviewed to ensure that they related to actual costs being incurred. Control accounts • Total inventory records should be reconciled with the detailed inventory records and discrepancies investigated. Comparison of assets to records • Inventory levels should be periodically checked against the records by a person independent of the stores personnel, and material differences investigated. • Maximum and minimum inventory levels should be pre-determined. • Re-order quantity should be pre-determined and regularly reviewed for adequacy. Access to assets and records • Deliveries of goods from suppliers should pass through a goods inwards section to the stores. All goods should pass through stores and hence be recorded and checked as received. • Inventories should be held in their locations so that they are safe from damage and theft. • Access to the stores should be limited. 3. Tests of control: • Observe physical security of inventories and environment. • Test procedures for recording of movements of goods in and out of inventory. • Test authorization for adjustments to inventory records. • Tests controls over recording of inventory movement belonging to third parties. • Inspect reconciliation of inventory counts to inventory records.
NON-CURRENT ASSETS 1. Control objectives: control objectives are to ensure that: • Non-current assets are correctly recorded, secured and maintained. • Acquisitions of disposals of non-current assets are properly authorized. • Non-current assets are properly recorded, depreciated and written down when necessary. 2. Control procedures: • Annual capital expenditure budgets should be prepared by someone directly responsible to the board of directors. • Applications to authority to incur capital expenditure should be submitted to the board for approval and should contain reasons for the expenditure, estimated cost and any non-current asset replaced. • A document should show what is to be acquired and be signed as authorized by the board. • Capital projects made by the company itself should be separately identifiable in the company’s costing records. • Disposal of non-current assets should be authorized and any proceeds from sale should be related to the authority. • A physical inspection of non-current assets should be carried out periodically and checked to the non-current asset register. Any discrepancies should be noted and investigated. • Assets should be properly maintained and adequately insured. • Depreciation rates should be authorized and a warren statement of policy produced, this should be reviewed annually to assess the need of changes. • The calculation of depreciation should be checked for accuracy. 3. Tests of control: • Check authorization of purchase of non current assets. • Check authorization of disposal of significant assets. • Confirm existence of non-current asset register. Ensure register reconciles to nominal ledger. • Test evidence of reconciliation of register to physical checks of existence and condition of assets. • Check authorization of depreciation rates and changes in rates if any. • Ensure correct calculations of depreciation have taken place.
CHAPTER 11 AUDIT EVIDENCE Sufficient, appropriate evidence ISA 500 Audit Evidence requires that auditors ‘obtain sufficient appropriate audit evidence to be able to draw a reasonable conclusion on which to base the audit opinion. ‘Sufficient’ relates to the quantity of evidence, ‘Appropriate’ relates to the quality or reliability and relevance of evidence. The auditor’s judgment as to what constitutes sufficient appropriate evidence is influenced by such factors as: • The nature of the accounting and internal control system and control risk. • The materiality of the item • Experience gained during previous audits • Results of audit procedures • The source and reliability of information available. Substantive procedures – relevance
Substantive procedures are tests performed to obtain evidence of any material misstatements in the financial statements. Financial statement assertions must be used to obtain sufficient evidence. Financial assertions 1. Existence: An asset of liability exists at a given date. Auditors spend a great deal of time on this assertion confirming the existence of assets such as tangible non-current assets, inventories and cash etc. 2. Rights and Obligations: Here the auditor must ensure that it is the business which owns the asset at the balance sheet date. There are many situations where an asset could be on the business premises but belong to someone else. Inventories, for example, may have been sold but not yet delivered. 3. Occurrence: A transaction or event occurred during the relevant accounting period which concerns to the reporting entity. 4. Completeness: There are unrecorded assets or liabilities, transactions or events. 5. Valuation: This assertion deals with the valuation of assets and liability to see whether they have been valued at an appropriate carrying value. 6. Measurement: A transaction or event is recorded at the proper amount and in the correct period. This refers to income statement transactions. 7. Presentation and disclosure: Presentation and disclosure must be in accordance with accounting standards. Note: Mnemonic got the assertions above ‘COVER MP’ Substantive procedures – reliability Although the reliability of audit evidence is dependent upon particular circumstances, the following general presumptions may be found helpful: • Evidence obtained from external sources is more reliable from that obtained from the entity’s records.
• Evidence obtained from the entity’s records is more reliable where the accounting and internal control systems operate effectively. • Evidence obtained directly by auditors by such means as analysis and physical inspection is more reliable than evidence obtained by or from the entity. • Documentary evidence is more reliable than oral evidence. • Documentary evidence is least reliable if created and held by the entity. It is more reliable if created by third parties and held by the entity. It is most reliable if it is created by third parties and held by the auditor. Synergy The auditor should consider whether conclusions drawn from differing types of evidence are consistent with one another. If however it does appear inconsistent with one another, the reliability of each remains in doubt until further work is done to resolve the inconsistency. However, when the individual items of evidence relating to a particular matter are all consistent, then the auditor may obtain a cumulative degree of assurance higher than that which they obtain from individual items. This is a form of ‘Synergy’ Problems with obtaining reliable evidence: there are no hard fast rules for reliability of evidence, as it is a matter of professional judgment. There can be situations where the auditor does not have a great deal of choice; for example, the figures of payroll are likely to be supported by evidence that is almost totally from the entity’s records. Therefore it is sometimes impossible to replace internally generated evidence with third party evidence. Analytical Procedures:
Nature and Purpose of Analytical Procedures
Substantive procedures:
Assertions and their tests:
AUDIT EVIDENCE AND WORKING PAPERS
Working papers provide an experienced auditor with no previous connection with the audit with an understanding of the work performed and the basis of decisions taken. Therefore it can be said that audit files are a prime source of audit evidence and thus must be capable of supporting the audit opinion. However working papers should be sufficiently complete and detailed to provide an overall understanding of the audit. AUDIT EVIDENCE & THE AUDIT OF ACCOUNTING ESTIMATES An accounting estimate can be defined as an approximation of the amount of an item in the absence of a precise means of measurement. E.g. estimates for accumulated depreciation, deferred tax, net realizable value, losses on long term contracts, legal claims against the company and other contingent liabilities. Such items are inherently more risky than non-judgment items and control risk is usually higher as these are non-routine transactions. Management is responsible for making estimates. The audit of accounting estimates involves the following steps: • Review and test the process used by management – this will involve evaluation of the data and consideration of assumptions on which the estimate is based. It will also involve checking of the mechanical calculations, comparison with estimates made in prior periods and consideration of management’s approval procedures. • Use an independent estimate (generated by the auditor) to compare with management’s estimate. • Review subsequent events which confirm the estimate. Where in case of contingent liabilities, subsequent events ‘crystallize’ the liability, there will be no need to review management’s processes or use independent estimates.
CHAPTER 12 THE AUDIT OF NON-CURRENT ASSETS
PROCEDURES TO VERIFY LAND AND BUILDINGS 1. Ownership, rights and obligations: The extent of testing will depend upon the materiality of the land and buildings. Verification of existence is unlikely to be an issue, although the auditor may have to make special arrangements to prove that a piece of property actually exists. The bigger problem is obtaining proof of ownership. The auditor will have to look for documents of title, transfer documentation from lawyers, mortgages or other securities. 2. Valuations: • Check a sample of entries in the asset register and trace back to source documentation to ensure properly stated at cost. • Review company policy for depreciation and ensure appropriate in the light of useful life of the building (commonly 50 years). And ensure that land is not depreciated. • Ensure accurate calculation of depreciation. • Establish the need for any write-down for impairments
3. Existence: • Physical check of sample of assets. 4. Completeness and measurement: • Ensure asset register reconciles to the general ledger. PROCEDURES TO VERIFY PLANT AND EQUIPMENT 1. Ownership, rights and obligations: • Here the auditor should look for evidence of vehicle registration documents to ensure ownership entitlement. 2. Valuation and measurement: • Review company policy for depreciation and ensure that they are appropriate in the light of the useful life of the asset. • Ensure accurate calculation of depreciation. • Establish the need for any write down for impairments in value. 3. Existence: • Physical existence inspected using sample of assets. PROCEDURES TO VERIFY INVESTMENTS Audit procedures relating to long term investments normally include considering evidence as to whether the entity has the ability to continue to hold the investments on a long term basis, discussing the matter with management and obtaining written representation to that effect. 1. Existence and ownership: • Evidence in the form of share certificates • Dividends/interests from securities, dividend warrants. • Internal control procedures. Valuation: Valuation of listed securities is easily confirmed with appropriate financial publications. Director’s valuation of unlisted securities is something on which audit report, and the basis of the calculations must therefore be
examined. The auditor must also consider whether any write-downs for impairment in value are adequate, which may mean examining copies of accounts of companies in which investments are held. Income: Income from securities can be verified with known interest rates for fixed interest securities. CHAPTER 13 THE AUDIT OF RECEIVABLES, PREPAYMENTS, BANK & CASH PROCEDURES TO VERIFY RECEIVABLES
Confirmation: Confirmation is the name given to a specific form of inquiry that is particularly widely used. It involves obtaining written confirmation from a third party, typically, although not exclusively, in relation to an account balance in which the third party has an interest. Situations for using confirmations Confirmations are best used where there is a knowledgeable party, independent of the entity and where alternative reliable evidence is not readily available. The most knowledgeable parties are those in a commercial relationship with the entity holding reciprocal information as to entity balances. These include debtors, creditors, banks, lenders, borrowers and custodians of entity assets such as stocks and securities. It is in their
own interest for such parties to maintain reliable records of their relationship with the entity. As a general rule, larger organizations are more likely to have reliable internal control. This ensures that their own accounting information is accurate. Therefore, larger organizations are more likely to have a positive policy for responding to audit confirmations. Smaller organizations may have less reliable accounting records and may be more likely to regard a request for confirmation as an imposition on their time. Generally speaking, parties from whom confirmation is sought are likely to be independent, ensuring the evidence is reliable. However, there are two situations where the auditor may need to exercise caution. The first is where the other party is ‘related’, e.g. a fellow subsidiary. The second is where the other party might be economically dependent on the entity and may be motivated to provide an inaccurate response for fear of losing business with the entity. Again, the larger the third party, the less likely it is to be economically dependent and thus the more reliable the evidence from confirmation. Form of request As a general rule, the request must be presented in such a form that facilitates a response by the other party. This can be achieved by using a standard form with space for the response and enclosing a return addressed envelope. However, there is sometimes a conflict between facilitating a response and the reliability of that response. For example, it is possible that the other party might confirm the information without checking it. Hopefully, such instances are rare. More likely is a general reluctance to confirm through misunderstanding the purpose of the request. Debtors may misinterpret the confirmation as a demand for payment. Other parties may fear that confirmation might be binding if they should subsequently discover an error in their own records. It is usually customary to draft the wording of the confirmation to allay such fears when dealing with parties not accustomed to receiving such requests. Nevertheless, some respondents disclaim responsibility should their response be in error. This is usually the case with bank confirmations. However, this does not necessarily compromise the reliability of the confirmation.
Types of request: • Positive: customers are asked to confirm to the auditor directly in all cases, whether they agree or disagree with the balance. • Negative: customers are only asked to respond if they disagree. This method may give some assurance, although many positive confirmation requests are ignored and so a failure to respond to a negative confirmation does not mean that the customer has actually agreed the balance. Positive confirmations provide more reliable evidence than negative confirmations. The choice depends on the auditor’s assessment of risk. The positive form is generally preferred. The negative form is unlikely to be used unless inherent risk and control risks are relatively low. Where detection risk is high, or the materiality of the account balance is high, positive confirmation will be needed to provide substantive evidence. When request for confirmation is made, the likeliness of a respond is more probable if the request is sent to the right party. For example, a request addressed to the senior management is more likely to be ignored. However a request addressed to the party responsible for maintaining the relevant records has a greater probability of being responded to. A potential danger is that the response might conceal errors in the other party’s records for which the respondent is responsible. It is nearly always the case that management of the audited entity must authorize each confirmation request. This exposes the risk that the process could be interfered with by the entity because the confirmation is usually in the form of a request – from the entity – for information to be supplied to their auditor. It is important that auditors control the process by ensuring that confirmations sent are in agreement with those selected for confirmation. It is also important that the envelopes bear the auditors’ return address in the event of non delivery. Interpretation of evidence Confirmation responses are at their most reliable when the auditor has reason to believe that the information has been checked by responsible officials against the other party’s records. Reliability must be questioned where the auditor has reason to suspect that the request might not have been
given appropriate consideration or that the other party’s records might not be wholly reliable. Where no response to a request is received to a positive request for confirmation even after suitable follow-up requests, alternative evidence must be obtained depending upon the materiality of the transaction. Debtors’ confirmations The use of confirmation evidence is usually very important in the audit of trade debtors because there are few other sources of external corroborative evidence. It is important that the source from which the sample is selected is tested for completeness. This usually requires selecting the sample from a list of balances that has been tested against the sales ledger, totaled and agreed with the general ledger balance. The list of debtors is usually subdivided into current due balances and overdue balances. Each present separate audit risks. Overdue balances are more likely to contain errors and thus require a proportionately larger sample. It is necessary to verify non-responses with alternative reliable evidence of the outstanding balance in order to maintain the integrity of the sample where positive confirmations are used. Such evidence includes delivery notes signed for by the customer, written customer sales orders and, if subsequently paid, a remittance advice accompanying the payment identifying the specific invoices being paid. Creditors’ confirmations Creditors are much less frequently confirmed than debtors. The auditor already has external evidence in the form of supplier invoices and statements. Although held by the entity and thus potentially at risk from being manipulated, they are likely to provide sufficient appropriate evidence in the absence of any suspicious circumstances. In addition, the principal assertion verified by confirmation evidence would be that of completeness. The available population (creditor balances recorded by the entity), is not a suitable starting point for selecting a sample for confirmation when verifying completeness. If time is available, auditors tend to prefer to use the complementary/reciprocal population of purchases (or payment transactions
recorded after the period end) when verifying the completeness of recorded creditors. Bank confirmations In many countries, the auditing profession has come to a mutual agreement with the banking industry on the method to be employed in seeking confirmations. A standardized form is commonly used with open questions for the bank to complete. The evidence should be reliable because banks usually maintain a high level of internal control over records of customer balances. However, because the task of completing the confirmation is often entrusted to relatively junior personnel and is not subject to independent checks, auditors must be alert for the possibility of clerical errors when making use of the evidence obtained by confirmation. Another consideration when confirming bank balances is that they involve both debit and credit balances and contingencies. Therefore, evidence of both completeness and existence is sought. Although balances with each bank are usually individually material (in that all banks are confirmed – not just a sample), the auditors must take reasonable care that all banks which the entity has had dealings with during the year are identified. Auditors should request confirmations from each bank, not just those with recorded balances outstanding at the period end.
CHAPTER 14 THE AUDIT OF INVENTORIES Risks associated with inventory • Inadequate inventory held to meet the demand of sales and production. • High inventory levels resulting in poor cash flow and financial loss. • Lack of security over inventory resulting in theft. • Inventory inappropriately stored resulting in damage or deterioration. • Obsolete inventory held or incorrectly supplied to customers, resulting in financial loss and damage to reputation. • Omission from the accounting records of inventory owned by the business but held externally by third party. Auditor may seek an external confirmation on this. PHYSICAL INVENTORY COUNTS Client’s procedures There are two methods of carrying out inventory counts: - Made at or close to the year end (periodical) - On a continuous basis over the whole year. (perpetual) Perpetual counting: in perpetual counting each item is physically inspected at least once a year, and more frequently in case of items liable to loss. Adequate records are kept up to date. Investigation procedures are undertaken for discrepancies. Advantages of perpetual counting: • There is little or no disruption caused as opposed to periodical count which causes a lot of disruption. • There is more accurate and regular counting. Earlier identification of errors leaves way for less disruption to be caused in the closing months of the year. • There is increased discipline of store keepers because of surprise elements of checks. Periodical counting: this is usually undertaken towards the end of the financial year, or around the financial year end. If undertaken around the financial year end, the time gap between the physical count and financial
year end should be kept to a minimum, so as to ensure the accuracy of the records, which are necessary to adjust the year end figures. The auditor and the inventory count When inventory is material to the financial statements, the auditor should obtain sufficient evidence regarding its existence and condition by attendance at physical inventory counting. Where attendance is impracticable, the auditor should consider whether sufficient evidence is available to avoid a qualification of audit report. Note: counting inventory does not fall within the duties of the auditor. However there are certain duties that the auditor has to fulfill that lie before, during and after the counting of inventory. 1. Planning (before the count): the auditor should carry out the following: • Review prior year’s working papers, to familiarize with the nature, volume and location of inventories. • Identify problems areas in the internal control system to assess the amount of reliance to be put on internal auditors. • Assess inherent control, and detection risks. • Establish whether inventory is material to the financial statements. • Arrange third party confirmations of inventories held by third parties. • Auditor should also perform analytical procedures on inventory as part of planning process, this can be done using ratios: Inventory turnover (cost of sales/average inventory) Inventory days (average inventory/cost of sales) x 365 2. During the counting: the main task is to ensure that the client’s staff are carrying out their duties effectively. • Make notes of items counted, damaged inventory, instances where the counting procedures are not being followed. • Make test counts: from physical inventory to inventory sheets, and from inventory sheets to physical inventory. • Compare the test inventory sheets with the client’s inventory sheet register.
• Reach a conclusion as to whether or not the counting was satisfactory. 3. After the counting: the auditor should check the cut-off details obtained at the inventory count to the ledgers to ensure items are accounted for in the correct period. The auditor should also ensure that inventory records have been adjusted or reconciled to the physical count and all differences investigated. Cut-off: the auditor should examine the link between purchases records and inventories, and between sales and inventories, to ensure that there is complete agreement between inventory and financial records. These are known as cut-off procedures. Tests the auditor would carry out to ensure correct cut-off include the following: • During the inventory count note the serial numbers of the last sales invoice, dispatch note and goods received note generated before the inventory count. • After the inventory count, check the year end dispatch notes to sales invoices and sales day book and vice versa to ensure that dispatches and the related invoice both fall before the year end. • Similarly for purchases, ensure year-end goods receipts notes and related purchase invoices are correctly treated in the current period. Internal audit and inventory audits: The external auditor may be able to rely on the work done by the internal auditor. The internal auditor should approach the inventory count in the same way as any other auditor. In particular the internal auditor will: • Evaluate previous audits; find information on company policy on inventory management. • Identify risks associated with inventory and assess impact and probability of risks. • Review whether controls are in place. To test the controls the auditor must: • Review evidence of inventory counts being undertaken on a regular basis • Confirm accuracy of data inputs • Sample disposals to confirm authorization of transactions
The internal auditor will be able to formulate a report based on conclusions from the testing including an overall evaluation of the level of risk exposure.
Summary diagram on physical inventory count:
INVENTORY VALUATION PROCEDURES Raw materials and consumables • Ascertain what elements of cost are included, e.g. carriage inwards, duties etc. • Ascertain method of valuing material. • If standard costs are used, check against budget and analyze variances. • Test check cost prices with purchase invoices received in the month. • Follow up valuation of all damaged or obsolete inventories with a view of establishing a net realizable value. Work-in-progress • Ascertain what elements of cost are included. If overheads are included, test basis on inclusion. • Ensure material costs exclude abnormal wastage factors. • Ensure that any addition for overheads includes only normal expenses based on normal production, and that any cost arising from underutilization of production facilities or excessive waste are not carried forward in the inventory valuation. Finished goods and goods for resale • Enquire into what costs are included and how they have been established. • Test check prices on inventory lists with official sales list. • Ensure that inventories are held valued at NRV is less than cost. • Ascertain damaged or obsolete finished goods. NRV Inventories should be measured at the lower of cost and net realizable value. Net realizable value is calculated by adding the current selling price of goods plus the selling and distribution directly attributable to the goods. Post balance sheet events may influence the NRV calculation. Low selling prices after the year end may result in NRV value being less than cost. In such a situation, the individual inventory line affected should be revalued at the (lower) NRV. The only exception to this rule is for raw materials and components to be used in manufacture. No reduction in value is needed if it can be shown that the product made from these items can still be sold at a profit.
CHAPTER -15 THE AUDIT OF LIABILITIES AND CAPITAL LIABILITIES (CURRENT LIABILITIES) 1. Trade payables (creditors): the auditor needs to find sufficient evidence
• •
• • • • 2. • • •
to conclude that trade payables are not materially understated. The main procedures are as follows: Check trade payables schedule with the control account and the purchase ledger. A sample of credit balances should be obtained from a list of known suppliers. Similarly, a sample of debit balances from the purchases account will be taken that will serve as a sample of contacts from whom credit purchases have been made in the past. The amount due to creditors should be calculated by direct confirmation through telephone or writing to creditors. Review the cut-off procedures for purchases. Large purchases recorded after the year end should be checked to ensure that the goods were not received before that date. Review internal control over the purchases system, which ensures that all goods received are properly recognized as liabilities of the company. Perform analytical procedures using ratios and comparison. Accrued charges: Consider the client’s own system for capturing accruals. Obtain a schedule for accruals and ensure that it is made correctly. A sample of accruals should be test checked for correct calculation. This can be done by reference to supporting invoices received in the next period.
3. Short-term borrowings: short term borrowings include bank overdrafts.
Verification of bank overdrafts are in every respect similar to the verification of bank balances. LIABILITES (LONG-TERM LIABILITIES) 1) Loan notes: An issue of loan notes will be dealt by the auditor by
reference to the company’s constitutional documents and other borrowing agreements to ascertain the borrowing powers of the company. The
auditor should also inspect any registration documents. Disclosure by notes of loan notes by the financial statements should also be checked. If the loan notes are to be redeemed, the auditor should examine the provisions of the contract relating to the redemption. 2) Bank loans: verification of bank loans are similar to verification of cash
balances. 3) Provisions and contingent assets & liabilities: IAS 37 requires that the
amount recognized as a provision should be the best estimate of the expenditure required to settle the obligation at the balance sheet date. No provision should be recognized unless a present obligation exists. An intention to make a payment is not enough; an actual obligation to pay must exist. The auditor’s main task will be to decide whether a provision has been set up properly in accordance with IAS 37. Contingent asset/liability: is a possible asset/liability that arises from past events and whose existence will be confirmed only be the occurrence or non-occurrence of one ore more uncertain future events not wholly within the control of the enterprise. Contingent assets should be disclosed where an inflow of economic benefits is probable. Contingent liability (definition 2): is a present obligation that arises from past events but it is not recognized because it is not probable that an outflow of resources will be required to settle the obligation, or the amount of the obligation cannot be measured with sufficient reliability. Contingent liabilities should be disclosed, unless the possibility of an outflow of resources is remote.
Sources of audit evidence for liabilities, provisions and contingencies
SHARE CAPITAL Audit of share capital: changes in share capital should be checked. Sampling would not be appropriate except for an issue of shares for cash involving a substantial number of shareholders. Appropriate procedures: • Check authorized share capital limit to company constitutional documents. • Check changes in issued capital in the year and agree to board minutes. • Trace all transactions involving cash to the cash book and bank statement. • Ensure appropriate disclosure as either debt or equity. (ordinary or preference) • Ensure that all transactions are legal and that premiums have been accounted for properly. Audit of revaluation reserve: • Assessment of the reason for revaluation, the basis of revaluation. Compare with current property market list. • Evaluation of the qualifications, experience and independence of the valuer. • Ensure that adequate disclosures are made. Audit of replacement and redemption reserve: In order to finance the replacement of inventory and non-current assets in the future, some businesses set aside additional amounts of profits by transferring them to replacement reserves. Within the conventional accounting system, these should be regarded as appropriations of profit. Loans notes are often issued to finance the purchase of non-current assets. Thus, in the balances sheet, the liabilities of loan notes are represented by non-current assets. When the loan notes are redeemed, the liability is removed by a payment of cash. In such circumstances, some companies transfer an amount equivalent to the nominal value of the loan note redeemed out of un-appropriated profit and into a loan note redemption reserve account. Although these reserves are legally distributable, the directors have effectively indicated that they should not be distributed. The auditor should examine the basis of transfers to reserves and their disclosure in the financial statements.
CHAPTER 16 AUDIT SAMPLING & COMPUTER AIDED AUDIT TECHNIQUES AUDIT SAMPLING Involves the application of audit procedure to less than 100% of the items within: • An account balance; and • Class of transaction Sampling risk: because auditors do not examine all the items in the population when applying audit sampling, there is a risk that the conclusion they draw will be different from that which they would have drawn had they examined the entire population. In order to reduce the risk, auditors should use a rational basis for planning, selecting and testing the sample and for evaluating the results so that they adequate assurance that the sample is representative of the population. Non-sampling risk: this component of risk arises from audit mistakes e.g. failing to identify errors or incorrect evaluation of sample results. Audit firms can minimize the risk by improving training and review procedures. Constructing samples The steps involved in sampling can be summarized as follows: • Sample design • Sample size • Selection of the sample • Evaluation of the sample SAMPLE DESIGN: when designing the sample, the auditor should consider the specific audit objectives and the population from which the sample must be taken and the sample size. Objectives: audit objectives relate to tests of control or substantive procedures. The auditor may want to use statistical sampling (i.e. may want to be 90% or 95% sure that control procedures are being applied). This makes it possible to quantify the results. Judgment sampling, however, tends to offer little or no scope of quantifying the relationships.
The degree of certainty is known as the confidence level and the parameters are known as the precision limits. Clearly the more confident auditor wished to be and the narrower the precision limits, the larger the sample size will be. Population: a homogenous sample of population should be chosen. If there are elements of changes being brought during the year, the auditor will need to make two populations. If however the population needs to be tested for completeness or understatement, the test should go from source documentation to the financial statements. For example, if auditors wish to test for the overstatement of debtors, the population will be the debtors listing. If they wish to test for understatement of creditors, they might use a supplier’s turnover report, but not the accounts payable listing. Stratification: stratification is used to reduce the degree of variation between items within a population and enables auditors to direct attention to those areas where there is the greatest potential monetary error. It often has the effect of reducing sample sizes. SAMPLE SIZE: when determining the sample size, the auditor should consider sampling risk, the tolerable error and the expected error. Sample risk: auditors are faced with sampling risk in both tests of control and substantive procedures as follows: Tests of control: • Risk of under reliance: the risk that, although the sample result does not support the auditors' assessment of control risk, the actual compliance rate would support such an assessment. • Risk of over reliance: the risk that, although the sample result supports the auditors' assessment of control risk, the actual compliance rate would not support such an assessment. Substantive procedures: • Risk of incorrect rejection: the risk that, although the sample result supports the conclusion that a recorded account balance or class of transactions is materially misstated, in fact it is not materially misstated.
•
Risk of incorrect acceptance: the risk that, although the sample result supports the conclusion that a recorded account balance or class of transactions is not materially misstated, in fact it is materially misstated.
Points: The risk of under reliance and the risk of incorrect rejection may affect audit efficiency as they may lead to additional work being performed by the auditors, or the entity. The risk of over reliance and the risk of incorrect acceptance may affect audit effectiveness and are more likely to lead to an erroneous opinion on the financial statements than either the risk of under reliance or the risk of incorrect rejection. Sample size is affected by the level of sampling risk auditors are willing to accept from the results of the sample. The level of acceptable sampling risk depends upon the importance of the results of the audit procedure involving sampling to the auditors' conclusions. The greater the reliance on the results, the lower the sampling risk auditors are willing to accept and the greater the sample size needs to be. The extent of reliance on the results of the procedure is related to the extent to which other substantive procedures provide audit evidence regarding the same financial statement assertion. The more other substantive procedures lower the detection risk for a particular assertion, and therefore the lower the reliance on the results of the substantive procedure using audit sampling, the higher the acceptable sampling risk relating to the sampling procedure and consequently, the smaller the sample size. Tolerable error: Tolerable error is the maximum error in the population that auditors would be willing to accept and still conclude that the result from the sample has achieved the audit objective. Tolerable error is considered during the planning stage and, for substantive procedures, is related to the auditors' judgment about materiality. The smaller the tolerable error, the greater the sample size needs to be. In tests of control, the tolerable error is the maximum rate of deviation from a prescribed control procedure that auditors would be willing to accept and still conclude that the preliminary assessment of control risk is valid.
In substantive procedures, the tolerable error is the maximum monetary error in an account balance or a class of transactions that auditors would be willing to accept so that when the results of all audit procedures are considered, auditors are able to conclude, with reasonable assurance, that the financial statements are not materially misstated. Expected error: If auditors expect errors to be present in the population, a larger sample than when no error is expected ordinarily needs to be examined to conclude that the actual error in the population is not greater than the planned tolerable error. Smaller sample sizes are justified when the population is expected to be error free. In determining the expected error in a population, auditors would consider such matters as error levels identified in previous audits, changes in the entity's procedures and evidence available from other procedures, including tests of control. STATISTICAL VS. NONSTATISTICAL SAMPLING The difference between the two types of sampling is that the sampling risk of a statistical plan can be measured and controlled, while even a perfectly designed non-statistical plan cannot provide for the measurement of sampling risk. The basic similarity between the two types is that both sampling approaches require the exercise of auditor judgment during the planning, implementation and evaluation of the sampling plan. In other words, the use of statistical methods does not eliminate the need to exercise judgment. In some circumstances, statistical sampling is more appropriate than judgment sampling. Before deciding whether to use statistical or judgmental sampling, the auditor must determine the audit objectives; identify the population characteristics of interest; and state the degree of risk that is acceptable. After making those determinations, it may be advisable to use statistical sampling if the auditor has a well-defined population and can easily access the necessary documentation.
STATISTICAL PROBABILITY SAMPLING Simple Random Sampling In auditing, this method uses sampling without replacement; that is, once an item has been selected for testing it is removed from the population and is not subject to re-selection. An auditor can implement simple random sampling in one of two ways: computer programs or random number tables. Systematic (Interval) Sampling This method provides for the selection of sample items in such a way that there is a uniform interval between each sample item. Under this method of sampling, every "Nth" item is selected with a random start. Stratified (Cluster) Sampling This method provides for the selection of sample items by breaking the population down into stratas, or clusters. Each strata is then treated separately. For this plan to be effective, dispersion within clusters should be greater than dispersion among clusters. An example of cluster sampling is the inclusion in the sample of all remittances or cash disbursements for a particular month. If blocks of homogeneous samples are selected, the sample will be biased. Note: Remember, an essential feature of probability sampling methods is that each element of the population being sampled has an equal chance of being included in the sample and, moreover, that the chance of probability is known. Only in this way, is a probability sample representative of a population.
NON-STATISTICAL SAMPLING Some selection methods can be used only with non-statistical sampling plans. Haphazard Selection In this method, the auditor selects the sample items without intentional bias to include or exclude certain items in the population. It represents the auditor's best estimate of a representative sample -- and may, in fact, be representative. Defined probability concepts are not employed. As a result, such a sample may not be used for statistical inferences. Haphazard selection is permitted for non-statistical samples when the auditor believes it produces a fairly representative sample. Block Selection Block selection is performed by applying audit procedures to items, such as accounts, all of which occurred in the same "block" of time or sequence of accounts. For example, all remittances in the month of November. Alternatively, remittances 300-350 may be examined in their entirety. Block selection should be used with caution because valid references cannot be made beyond the period or block examined. If block sampling is used, many blocks should be selected to help minimize sampling risk. Judgment Selection Judgment sample selection is based on the auditor's sound and seasoned judgment. Three basic issues determine which items are selected: 1. Value of items. A sufficient number of extensively worked or older accounts should be included to provide adequate audit coverage. 2. Relative risk. Items prone to error due to their nature or age should be given special attention. 3. Representative-ness. Besides value and risk considerations, the auditor should be satisfied that the sample provides breadth and coverage over all types of items in the population.
Evaluation of sample results Having carried out, on each sample item, those audit procedures that are appropriate to the particular audit objective, auditors should: a. Analyze any errors detected in the sample; and b. Draw inferences for the population as a whole. (SAS 430.5) Analysis of errors in the sample Before analyzing the errors detected in the sample, auditors first would determine that an item in question is in fact an error. In designing the sample, auditors define those conditions that constitute an error by reference to the audit objectives. For example, in a substantive procedure relating to the recording of debtors, a misposting between customer accounts does not affect the total debtors. Therefore, it may be inappropriate to consider this an error in evaluating the sample results of this particular procedure, even though it may have an effect on other areas of the audit such as the assessment of doubtful accounts. When the expected audit evidence regarding a specific sample item cannot be obtained, auditors may be able to obtain sufficient appropriate audit evidence through performing alternative procedures. For example, if a positive debtor confirmation has been requested and no reply was received, auditors may be able to obtain sufficient appropriate audit evidence that the debtor is valid by reviewing subsequent payments from the customer. If auditors do not, or are unable to, perform satisfactory alternative procedures or if the procedures performed do not enable auditors to obtain sufficient appropriate audit evidence the item would be treated as an error. Auditors would also consider the qualitative aspects of the errors. These include the nature and cause of the error and the possible effect of the error on other phases of the audit. In analyzing the errors discovered, auditors may observe that many have a common feature, for example, type of transaction, location, product line or period of time. In such circumstances, auditors may decide to identify all items in the population which possess the common feature, thereby producing a subpopulation, and extend audit procedures in this area.
Auditors would then perform a separate analysis based on the items examined for each sub-population. Inferences to be drawn for the population as a whole Projection of errors and re-assessing sampling risk Auditors project the error results of the sample to the population from which the sample was selected in order to form a conclusion about the possible level of error in the population as a whole. The projection of the error results of the sample to the population as a whole involves estimating the probable error in the population by extrapolating the errors found in the sample. When7 projecting error results, auditors would ensure that the method of projection is consistent with the method used to select the sampling unit. This is in addition to considering the qualitative aspects of the errors found. When the population has been divided into sub-populations, the projection of errors is done separately for each sub-population and the results are combined. Auditors would consider whether errors in the population might exceed the tolerable error. To accomplish this, auditors compare the projected population error to the tolerable error taking into account the results of other audit procedures relevant to the specific control or financial statement assertion. The projected population error used for this comparison in the case of substantive procedures is net of adjustments made by the entity. When the projected error exceeds tolerable error, auditors re-assess the sampling risk and if that risk is unacceptable, consider extending the audit procedure or performing alternative audit procedures, either of which may result in them proposing an adjustment to the financial statements.
CHAPTER 17: GOING CONCERN The auditor and going concern evaluation Going concern means that the entity will continue in operational existence for the foreseeable future. This means that the balance sheet or the income statement assume no intention or necessity to liquidate or curtail significantly the scale of operations. Accounting standards have made it clear that, when preparing financials statements, management must make an assessment of the enterprise’s ability to continue as a going concern. In order to do this, management should look ahead at least one year from the balance sheet date (if circumstances compel, depending upon the type of industry). The management will need to satisfy itself that the going concern assumption is reasonable. Auditor’s relation to going concern: when planning audit procedures, the auditor should consider the appropriateness of management’s use of the going concern assumption in the preparation of financial statements.
Indicators of problems: there will be certain events that may cast significant doubt about the going concern assumption set by the management. These indicators are listed below: Financial indicators: • Net liability • Indications of withdrawal of financial support by lenders • Negative operating cash flows • Adverse financial ratios • Substantial operating losses • Discontinuance of dividends • Inability to pay of debts on due dates Operating indicators: • Loss of key managers without replacement • Loss of major market, franchise, license. • Labor difficulties Other: • Changes in government policy that may adversely affect the entity. • Pending legal proceedings against the entity that may result in claims that are unlikely to be satisfied. E.g. damages, cash payment etc. The Auditor’s Responsibility Planning considerations: in planning the audit, the auditor should consider whether there are events or conditions which may cast significant doubt on the entity’s ability to continue as a going concern. If these events or conditions are identified, the auditor should consider whether they affect the auditor’s assessments of the components of audit risk. Evaluating management’s assessment: the auditor should consider same period as that used by management in making its assessment. If period assessed by the management covers less than twelve months, auditor should ask the management to extend it to twelve months from
the the the the
balance sheet date, and also ask the management of any events subsequent to the assessment that may have an effect on the going concern. Additional audit procedures once events or conditions are identified: When events or conditions are identified which may cast significant doubt on the entity’s ability to continue as a going concern, the auditor should: • Analyze and discuss cash flow, profit and other relevant forecasts with management • Discuss the entity’s latest available interim financial statements • Review the terms of debentures and loan agreements and determine whether any have been breached • Read minutes of the meetings for reference to financial difficulties • Inquire entity’s lawyer against the existence of litigation or claims, their outcomes and financial implications. • Review events after period end to identify those that either mitigate or otherwise affect the entity’s ability to continue as a going concern. Audit conclusions and reporting: After detailed testing, the auditor must now consider whether the organization is a going concern. If it is considered that the organization is not a going concern, then the auditor needs to discuss the issues with the management and determine how F/S should be prepared. Financial statements may be prepared on a break up basis. This would require all assets and liabilities to be re-classified as ‘current’ and revalued at NRV. Further provisions for liquidation cost may also be required. Details of different ways in which the auditor may reports are as follows: 1. The auditor believes that there is a doubt over the going concern, but considers that the financial statements give adequate details of the problem. In this case the auditor will give an unqualified report but include an ‘emphasis of matter’ paragraph drawing attention to any notes or details in the F/S explaining the position. 2. The auditor believes that there is a doubt over the going concern status, but considers that the F/s do no give adequate disclosure. In this case the auditor’s report will be qualified.