Audit Finals

Chapter 6, 7, 8 & 11 Summary

Chapter 9 Notes
Fuck Slides
Chapter 6: Risk Assessment

Summary:

A risk assessment carried out under the ISAs helps the auditor to identify financial statement areas
susceptible to material misstatement and provides a basis for designing and performing further
audit procedures.

• Auditors are required to carry out the audit with an attitude of professional skepticism, exercise
professional judgement and comply with ethical requirements.

• Audit risk is the risk that the auditor expresses an inappropriate audit opinion when the financial
statements are materially misstated. It is a function of the risk of material misstatement (inherent
risk and control risk) and the risk that the auditors will not detect such misstatement (detection
risk).

• Materiality for the financial statements as a whole and performance materiality must be
calculated at the planning stages of all audits. The calculation or estimation of materiality should
be based on experience and judgement. Materiality for the financial statements as a whole must be
reviewed throughout the audit and revised if necessary.

• The auditor is required to obtain an understanding of the entity and its environment in order to
be able to assess the risks of material misstatements.

• When the auditor has obtained an understanding of the entity, they shall assess the risks of
material misstatement in the financial statements, also identifying significant risks.

• Significant risks are complex or unusual transactions that may indicate fraud, or other special
risks.

• The auditor shall formulate an approach to the assessed risks of material misstatement.
• When carrying out risk assessment procedures, the auditor shall also consider the risk of fraud or
noncompliance with law and regulations causing a misstatement in the financial statements.

• Auditors must ensure they have documented the work done at the risk assessment stage, such as
the discussion among the audit team of the susceptibility of the financial statements to material
misstatements, significant risks, and overall responses.

Chapter 7: Audit Planning & Documentation

Summary:

 The auditor formulates an overall audit strategy which is translated into a detailed audit
plan for audit staff to follow.
 The overall audit strategy and audit plan shall be updated and changed as necessary during
the course of the audit.
 It is important to document audit work performed in working papers to:
o Enable reporting partner to ensure all planned work has been completed adequately
o Provide details of work done for future reference
o Assist in planning and control of future audits
o Encourage a methodical approach

Chapter 8: Introduction to Audit Evidence

Summary:

 Auditors must design and perform audit procedures to obtain sufficient appropriate audit
evidence.
 Audit tests are designed to obtain evidence about the financial statement assertions.
Assertions relate to classes of transactions and events and related disclosures and
account balances at the period end and related disclosures.
 Audit evidence can be obtained by inspection, observation, enquiry and confirmation,
recalculation, re-performance and analytical procedures.
Chapter 10: Test of Controls

Summary:

 The tests of controls in the sales system will be based around:

o Selling (authorization)
o Goods outwards (custody)
o Accounting (recording)
 The tests of controls in the purchases system will be based around:
o Buying (authorization)
o Goods inwards (custody)
o Accounting (recording)
 Inventory controls are designed to ensure safe custody. Such controls include restriction of
access, documentation and authorization of movements, regular independent inventory
counting and review of inventory condition.
 Controls over cash receipts and payments should prevent fraud or theft.
 Key controls over payroll cover:
o Documentation and authorization of staff changes
o Calculation of wages and salaries
o Payment of wages
o Authorization of deductions
 Most of the key controls over capital and revenue expenditure are the general purchase
controls.

Chapter 11: Audit Procedures & Sampling

Summary:

 Auditors need to obtain sufficient appropriate audit evidence to support the financial
statement assertions. Substantive procedures aim to obtain that evidence.
 Substantive tests are designed to discover errors or omissions.
 Analytical procedures are used at all stages of the audit, including as substantive
procedures. When using analytical procedures as substantive tests, auditors must consider
the information available, assessing its availability, relevance and comparability.
  When auditing accounting estimates, auditors must:
o Test the management process
o Use an independent estimate
o Review subsequent events
In order to assess whether the estimates are reasonable.
 Auditors usually seek evidence from less than 100% of items of the balance or transaction
being tested by using sampling techniques.
 CAATs are the use of computers for audit work. The two most commonly used CAATs
are audit software and test data.
 External auditors may make use of the work of an auditor's expert, internal auditors and
service organizations and their auditors when carrying out audit procedures.
 A service organization provides services to user entities. There may be special
considerations for the auditor of a user entity when that entity makes use of a service
organization.

Chapter 9: Internal Control Systems

Internal Control: is the process designed, implemented, and maintained by those charged with
governance, management, and other personnel to provide reasonable assurance about the
achievement of the entity’s objectives with regard to reliability of financial reporting, effectiveness
and efficiency of operations, and compliance with applicable laws and regulations.

An understanding of internal control assists the auditor in identifying types of potential

misstatements and factors that affect the risks of material misstatement, and in designing the
nature, timing and extent of further audit procedures.

Internal Control has 5 Components:

 The control environment

 The entity's risk assessment process
 The information system relevant to financial reporting
 Control activities
 Monitoring of controls
In obtaining an understanding of internal control, the auditor must understand the design of the
internal control and the implementation of that control.

1) Control Environment: includes the governance and management functions and the
attitudes, awareness and actions of those charged with governance and management
concerning the entity's internal control and its importance in the entity.

As part of this understanding, the auditor shall evaluate whether:

 Management has created and maintained a culture of honesty and ethical behavior.
 The strengths in the control environment provide an appropriate foundation for the other
components of internal control and whether those components are not undermined by
deficiencies in the control environment.

Communication & Enforcement of Integrity & Ethical Values – Commitment to Competence –

Participation by those Charged with Governance – Management’s Philosophy and Operating Style
– Organizational Structure – Assignment of Authority & Responsibility – Human Resource
Policies & Practices

The auditor shall assess whether these elements of the control environment have been implemented
using a combination of enquiries of management and observation and inspection.

2) Entity’s Risk Assessment Process:

The auditor shall obtain an understanding of whether the entity has a process for:

 Identifying business risks relevant to financial reporting objectives

 Estimating the significance of the risks
 Assessing the likelihood of their occurrence
 Deciding on actions to address those risks

3) Information System Relevant to Financial Reporting:

The information system relevant to financial reporting is a component of internal control that
includes the financial reporting system, and consists of the procedures and records established to
record, process and report entity transactions and to maintain accountability for the related assets,
liabilities and equity.

The auditor shall obtain an understanding of the information system relevant to financial reporting
objectives, including the following areas:

 The classes of transactions in the entity's operations that are significant to the financial
statements
 The procedures, within both IT and manual systems, by which those transactions are
initiated, recorded, processed, transferred to the general ledger and reported in the financial
statements
 The related accounting records, supporting information and specific accounts in the
financial statements, in respect of initiating, recording, processing and reporting
transactions
 How the information system captures events and conditions, other than transactions, that
are significant to the financial statements
 The financial reporting process used to prepare the entity's financial statements, including
significant accounting estimates and disclosures
 Controls surrounding journal entries, including non-standard journal entries used to record
nonrecurring, unusual transactions or adjustments

4) Control Activities: are those policies and procedures that help ensure that management’s
directions are carried out.

Control activities include those activities designed to prevent or to detect and correct errors.
Examples include activities relating to authorization, performance reviews, information
processing, physical controls and segregation of duties.

5) Monitoring of Controls: is a process to assess the effectiveness of internal control

performance over time. It includes assessing the design and operation of controls on a
timely basis and taking necessary corrective actions modified for changes in conditions.

Inherent Limitations of Accounting & Control Systems:

  The costs of control not outweighing their benefits
 The potential for human error
 Collusion between employees
 The possibility of controls being bypassed or overridden by management
 Controls being designed to cope with routine and not non-routine transactions

These factors demonstrate why auditors cannot obtain all their evidence from tests of the systems
of internal control. The key factors in the limitations of control systems are human error and
potential for fraud.

Auditors are only concerned with assessing policies and procedures which are relevant to the
financial statements. Auditors shall:

 Assess the adequacy of the accounting system as a basis for preparing the accounts
 Identify the types of potential misstatements that could occur in the accounts
 Consider factors that affect the risk of misstatements
 Design appropriate audit procedures

There are several techniques for recording the assessment of control risk; that is, the system. One
or more of the following may be used depending on the complexity of the system.

 Narrative notes: The purpose of narrative notes is to describe and explain the system, at
the same time as making any comments or criticisms which will help to demonstrate an
intelligent understanding of the system.
 Questionnaires (Internal Control and Internal Control Evaluation Questionnaires)
 Flowcharts
 Checklists

The Evaluation of Internal Control Components

Tests of Control:

Tests of control are tests performed to obtain audit evidence about the effectiveness of the:

 Design of the accounting and internal control systems, i.e. whether they are suitably
designed to prevent, or detect and correct, material misstatement at the assertion level
  Operation of the internal controls throughout the period.

Tests of control may include the following:

 Inspection of documents supporting controls or events to gain audit evidence that internal
controls have operated properly, e.g. verifying that a transaction has been authorized
 Enquiries about internal controls which leave no audit trail, e.g. determining who
actually performs each function
 Re-performance of control procedures, e.g. reconciliation of bank accounts, to ensure
they were correctly performed by the entity
 Examination of evidence of management views, e.g. minutes of management meetings
 Observation of controls to consider the manner in which the control is being operated

Revision of Risk Assessment, Audit Strategy and Audit Plan:

The auditors may find that the evidence they obtain from controls testing indicates that controls
did not operate as well as they expected. If the evidence contradicts the original risk assessment,
the auditors will have to amend the further procedures they have planned to carry out.

Revising the risk assessment and audit procedures will necessitate an update of the audit strategy,
which sets out the scope, timing and direction of the audit. For example, if tests of controls
highlight that many controls are not operating as expected, this may lead to an increase in the
strategy's emphasis on substantive procedures.

Communication of Deficiencies in Internal Control:

Significant deficiencies in internal controls shall be communicated in writing to those charged with
governance in a report to management, which the auditor considers are of sufficient importance
to warrant their attention.

A deficiency in internal control exists when:

 A control is designed, implemented or operated in such a way that it is unable to prevent,

or detect and correct, misstatements in the financial statements on a timely basis
 A control necessary to prevent, or detect and correct, misstatements in the financial
statements on a timely basis is missing.
A significant deficiency in internal control is a deficiency or combination of deficiencies in
internal control that, in the auditor's professional judgment, is of sufficient importance to merit the
attention of those charged with governance.

Examples of indicators of significant deficiencies in internal control:

• Evidence of ineffective aspects of the control environment

• Absence of a risk assessment process

• Evidence of an ineffective risk assessment process

• Evidence of an ineffective response to identified significant risks

• Misstatements detected by the auditor's procedures that were not prevented, or detected and
corrected, by the entity's internal control

• Restatement of previously issued financial statements that were corrected for a material
misstatement due to fraud or error

• Evidence of management's inability to oversee the preparation of the financial statements.