Uol Aa Notes (l6 l10) .May2021

SIM-GE AC3093 – Auditing and Assurance
Lecture Notes (Lecture 6 to 10)
Lecture 6 – Sampling and Materiality
Learning objectives
a) To discuss the importance of audit sampling.

b) To distinguish between non-statistical and statistical sampling.
c) To describe the key steps and data required for the auditors to perform
statistical sampling.
d) To discuss the importance of the concept of materiality.
e) To explain the role of materiality in relation to the financial statements.
f) To describe how the auditors set the materiality level and use it in various
stages of the audit.
Audit sampling and materiality
Audit sampling is one method auditors use to gather evidence to reach an opinion on
financial statements. When auditors select transactions, documents, accounts balances
for testing they take a sample, using audit sampling as a technique.
Materiality is vital concept when auditors seek to determine company’s financial

statements give a true and fair view. Without an idea of what level of misstatement in
financial statements would be misleading, auditors would not be able to evaluate the
importance of misstatements discovered during audit testing.
The two concepts are related: when auditors assess significance of errors or
misstatements in sample, they are putting into operation concept of materiality.
What is sampling?
Auditors wish to be reasonably certain that audit conclusions are soundly based at
reasonable cost. Audit sampling is used to achieve both aims and auditors select a
sample from a population
The objective of sampling: ‘to provide a reasonable basis for the auditor to draw
conclusions about the population from which the sample is selected’ (ISA 530).
Auditors must decide when appropriate to use sampling.
Sufficiency, relevance and reliability apply to audit sampling:

– Is sample large enough to be representative of population?
– Is sample relevant in the circumstances of this population?
– Will selection procedures achieve a sample representative enough to
assess the reliability of the population?
AY 2020-2021 Page | 1
Designing and selecting the sample for testing
Auditors may use either:

– Judgemental sampling, or
– Statistical sampling
Judgemental sampling (also known as non-statistical sampling)

Auditors use judgement in selection of samples and their interpretation.
Judgement has to be exercised in both statistical and non-statistical sampling.
But non-statistical sampling is said to be judgemental sampling because all aspects of

sampling require exercise of judgement.
Problem with judgemental sampling is that characteristics of sample do not

necessarily reveal characteristics of population.
Statistical sampling
Auditors use statistical and mathematical models to calculate sample size and select
the samples. For sample to be representative, there must be homogeneity in the
population.
Examples of lack of homogeneity:

– Transactions not subjected to same internal controls, e.g. large
transactions treated differently from small, or controls more lax in one
part of period.
– Balances in a population may have widely different values.
Because of lack of homogeneity – common practice to stratify and to treat different

strata as different populations.
Sample can only be truly representative if it is taken from the whole population.
Sample selection methodology
a) Random sampling
This method tries to ensure that each item in the population has the same chance of
selection as any other item
b) Systematic or interval sampling

Possibly employs random starting point and then selects every nth item – provides
cover throughout a population but only same effect as random sampling if errors
spread randomly throughout population.
c) Block or cluster sampling (non-statistical)

Involves selection of a block of transactions and testing for the existence of some
criteria.
AY 2020-2021 Page | 2
d) Haphazard sampling (non-statistical)

Samples selected using (say) blindfolds, pins, spouses’ birthdays – not mathematically
valid as sample may be biased – may not provide sample from which conclusions can
be drawn about the whole population.
Size of sample (level of confidence)
Sample size is important – depends on 1) level of confidence sought, and 2) expected

and acceptable error/deviation rate (also known as tolerable rate).
1) Level of confidence auditors require is influenced by assessment of inherent and

control risks:
– How confident are they about misstatements in transactions/balances
prior to applying internal controls
– Initial assessment of internal control system influences extent to which
auditors believe misstatements exist in transactions/balances after
processing
– If auditors have obtained evidence from other relevant audit tests on
control system or balances, degree of confidence they require from
sampling is correspondingly reduced.
2) Expected error rate in population – important determinant of sample size.
When testing company’s internal controls auditors use attribute sampling, in which
there are two responses to a test:
– yes the control has been applied correctly, or
– no the control has not been applied.
When testing account balances, auditors are concerned with determining if balance is
correctly stated.
The greater expected error/deviation rate, the greater sample size must be to conclude
that actual error rate is less than tolerable error rate.
Then what is tolerable error rate?

Tolerable error rate: maximum error rate auditors are prepared to accept.
Tolerable deviation rate: when testing controls this is maximum deviation rate in the
sample auditors are willing to accept and still conclude initial evaluation of control
risk is valid.
Tolerable error when testing amounts is related to materiality level set by auditors.
The lower the tolerable error rate, the greater sample size.
Reliability of evidence will also affect/determine sample size.
AY 2020-2021 Page | 3
Evaluation of test results
First stage: determine number of errors in sample. Auditor must define error or
deviation.
Next stage: auditors estimate on basis of sample results, at given level of confidence,
upper error rate in population – known as ‘projecting errors’.
Auditors use reliability factor relevant to number of errors in sample to assess upper
error rate at a certain confidence level.
If upper error rate is 2.14% at 80% confidence level, auditor can state with 80%
degree of confidence there will be no more than just over two errors out of every 100
items in population.
Another perspective: if no errors found, what sample size is commensurate with

confidence level of 80% – may enable auditors to determine if under- or over-
auditing.
Monetary unit sampling (MUS)
Auditors not only interested in error rates – also in monetary effects.
Decide materiality – maximum value of errors prepared to accept.
MUS: sampling method that allows auditors to estimate amount of most likely error
(MLE) and likely upper error limit (UEL) in monetary terms.
Auditors specify confidence level and tolerable error. Using confidence level,
tolerable error and estimate of likely error, AND statistical sampling tables, determine
appropriate sample size.
Using sample results auditors calculate MLE and, at confidence level used, the UEL.
If UEL less than tolerable error, auditors can accept.
If UEL more than tolerable error, auditors may adjust UEL for errors found to
determine if that reduces UEL to below the tolerable error.
If UEL remains above tolerable error, auditors should carry out additional procedures,
such as extending detailed testing or performing alternative audit procedures.
Comparative advantages of statistical and non-statistical sampling
Advantage of statistical sampling: auditors make explicit judgements on confidence

level, expected error rate and tolerable error rate, to ensure they adopt methodical
approach
AY 2020-2021 Page | 4
Disadvantages include:
More time consuming and costly than non-statistical sampling.
Documents must be separately identified for selection.
Statistical sampling is more difficult to understand, but specialized computer
statistical sampling packages may get round this problem.
Statistical sampling only significant use is in specialized audit situations such as audit
of banks or insurance companies.
Modern day auditing uses risk-based auditing which places greater emphasis on
analytical review and the investigation of large or unusual items detected using audit
software.
Reduction in emphasis on sampling also because of move from detailed checking to

placing emphasis on other aspects of control such as evaluating effectiveness of the
control environment.
Materiality – Introduction (examined in the 2018 ZA Paper Q6)
Financial statements do not give a true and fair view when misstatements are
significant or material.
Misstatements, including omissions are considered to be material if they, individually

or in the aggregate, could reasonably be expected to influence the economic decisions
of users taken on the basis of the financial statements. Judgements about materiality
are made in the light of surrounding circumstances, and are affected by the size or
nature of a misstatement, or a combination of both.
Materiality and size (Amount) are related but we will see later that factors other than
size may be important.
Materiality and decision-making
The effect on users’ decisions is important in determining whether an item is material.
Auditors have to determine extent to which financial statements can be misstated

before they would alter decision of shareholders – primary user group.
Type of investor auditor should consider is a sophisticated and knowledgeable

investor.
At outset of audit – particularly during planning, auditors have to decide what level of
error or misstatement could occur in the financial statements before an investor’s
decision would be influenced.
AY 2020-2021 Page | 5
Materiality in the financial statements
Auditors often set materiality in terms of % of company’s financial statement figures.

Eg 5% of Net profit before tax, or 1% of total assets or 0.5% of sales.
Materiality level and amount of evidence auditors need are related – lower the
materiality level the greater quantity of evidence that auditors must acquire – and the
greater the cost.
Most common profit figure is profit before tax or profit before tax from continuing
operations. (most users look at profit figure when making decision)
Materiality levels may be set for other figures, such as total assets and net assets.
Auditors often calculate materiality levels on a number of different criteria and then
decide on appropriate materiality levels for different aspects of the audit.
Auditors should give same emphasis to under- and overstatements type of error.
Other aspects of materiality in relation to profit include:

– The trend in profits over the last few years.
– The effect of the profit figure on important ratios.
– External influences.
Materiality at the planning stage
Auditors set materiality levels at planning stage in context of audit risk: consider
material individual items.
Auditors assess general risks and component risk, assigning materiality, depending
on:
– Importance of heading
– Nature
– Auditors’ past experience
– Trend in a/c balance.
To reduce probability that total of uncorrected and undetected misstatements is

greater than set materiality, auditors may set performance materiality lower.
ISA 320 = Materiality in PLANNING and PERFORMING the audit. So there is a

planning M vs performance M.
So what is performance materiality?
AY 2020-2021 Page | 6
Audit firm may decrease materiality if inherent or control risk high, thereby
influencing nature and scope of work.
Audit firms may reduce materiality level when arriving at tolerable level to be prudent
or because of evidence from other tests.
Auditors should record decisions on materiality in audit files – at planning stage in

audit planning memorandum.
Materiality during the audit
Auditors may change views on materiality level for account balances if significant
changes in figures or as a result of audit evidence.
Auditors calculate and evaluate the effect not only of misstatements found but of
misstatements not discovered.
Auditors extrapolate from test results. Closer value of misstatements found to set
materiality level, more likely sum of detected and undetected misstatements will
exceed materiality. May extend tests.
If auditors’ estimate of misstatements exceeds materiality, consider nature, discuss

with management and determine if adjustment of financial statements appropriate. If
management not willing to adjust, auditors ascertain the reasons and decide on action.
Auditor document misstatements above trivial amount, both corrected and

uncorrected. Where management do not want to adjust, bring to attention of audit
committee.
Audit committee should also receive from the auditors a list of the misstatements
found during audit and corrected by management.
Nature of misstatements found
Auditors will be interested in the following features:

– The size and incidence of misstatements discovered.
– If the misstatements exhibit some pattern.
– If the errors or misstatements relate to factual matters or to matters of
opinion.
– If the misstatements found relate to matters that are illegal.
– If there is any suspicion that some of the misstatements may have
arisen because of fraud by employees.
– If similar misstatements have been discovered in previous years’ audits
of this client.
– If the misstatements affect only balance sheet items or whether they
affect the profit and loss account.
AY 2020-2021 Page | 7
Materiality and the audit report
For clients who are required to comply with the UK Corporate Governance Code,
auditors have to identify their overall materiality level and how they have applied the
materiality concept in planning and performing the audit. This is a fairly recent
innovation and it will interesting to see how it operates in practice and what effect it
has on users perceptions of the value of the audit.
Quantitative vs Qualitative materiality
What is material may not always be based on quantitative amount. Sometimes, an

error can still be material even if the amount involved is immaterial.
Auditors need to have regard to the following considerations when considering

qualitative materiality:
- Whether the item is required to be disclosed by law or by professional
requirements.
- Improper disclosure of accounting policies.
- Improper classifications in the financial statements.
Examples of qualitative materiality -
END OF LECTURE 6 NOTES
AY 2020-2021 Page | 8
Q6.1)
Consider the following statements and explain why they may be true or false:
a) Statistical sampling methods do not require auditors to exercise judgement.
b) Tolerable error is the amount of error auditors expect to find in an account
balance.
c) Monetary unit sampling is a form of statistical sampling that enables auditors
to estimate both the most likely monetary error in an account balance and the
upper error limit.
d) Auditors only use the concept of materiality at the final stage of an audit when
considering whether the financial statements give a true and fair view.
e) The most important factor influencing the materiality of an item in the
financial statements is its monetary value.
f) When setting a materiality level for the financial statements an important
factor influencing the auditors’ decision is likely to be the company’s profit
for the year.
Q6.2) ACCA Paper 6 June 1993

It is important to recognize that audit sampling may be constructed on a non-statistical
basis. If the auditors use statistical sampling, probability theory will be used to
determine the sample size and random selection methods to ensure that each item or
£1 in value of the population has the same chance of selection. Non-statistical
sampling, typically using haphazard selection methods and placing no reliance upon
probability theory. However, in certain situations, statistical sampling techniques may
be difficult to use. The auditors will review the circumstances of each audit before
deciding whether to use statistical or non-statistical sampling.
Required:
a) List three situations where the auditors would be unlikely to use audit
sampling techniques.
b) Explain what you understand by the following terms:
i) Attribute sampling;
ii) Monetary unit sampling.
c) Describe the factors which auditors would consider when determining the size
of a sample.
d) Describe to what extent statistical sampling enhances the quality of audit
evidence.
a)
Three situations when the auditor would be unlikely to use sampling techniques are:
(i) When the population is very small it is practical for the auditor to examine all
the items in the population. It may also be more cost effective. This is because
the time it may take the auditor to design and implement a sampling strategy
may outweigh the additional time they spend checking all the items rather than
a sample.
(ii) When individual transactions or balances are material they will usually be
automatically tested by the auditor as a matter of course and therefore not be
subject to audit sampling techniques.
AY 2020-2021 Page | 9
(iii) Where the company's records are held in such a way that it is impossible to
identify the population, it may be more convenient and cost-effective for the
auditor to use alternative audit procedures to verify the account balance or
transactions.
(iv) Where items are specifically identified as high risk, they may all be checked.
An example would be the items included in a computer generated exception or
error report.
(v) Where auditors have obtained evidence to suggest that some form of fraud
may be occurring, they may carry out a complete check of specific types of
transactions or balances where they believe the fraud may be taking place
rather than checking a sample of those transactions or balances.
bi)
Attribute sampling is commonly applied in compliance testing where the auditor is
testing whether a company's control procedures are implemented properly. From the
sample selected auditors are concerned with identifying whether for each item in the
sample the control has been applied or not. Thus the auditors are essentially
concerned with identifying two attributes relating to the control procedures; YES! -
the control has been applied, or NO! - the control has not been applied. In applying
attribute sampling to internal control procedures the auditor's objective is to determine
the likely error/deviation rate and upper error/deviation rate in the population.
From these two figures the auditors can decide whether the amount of confidence they
have in the control being tested is justified or whether they need to revise their
estimate of control risk. Attribute sampling can also be used to estimate likely error in
account balances and indeed the statistical foundation of it forms the basis of
monetary unit sampling.
bii)
Monetary unit sampling is used to provide the auditor with an estimate of the most
likely and upper error limit in monetary terms which may exist in an account balance.
The auditor can then compare the upper error limit with the tolerable error and decide
on an appropriate course of action. This course of action will depend on whether the
upper error limit is less than or in excess of the tolerable error. The auditor may also
be influenced by how close the upper error limit is to the tolerable error.
c)
The factors auditors consider when determining the size of a sample are:
- The expected error rate or amount in the population. This would depend
among other things on the effectiveness of the internal control system, the
results from other related audit tests and the auditor's results relating to testing
this internal control in the previous year's audit.
- The confidence level used by the auditor. This would depend on the auditors'
assessment of inherent and control risk over the internal control or account
balance being tested, the degree of assurance the auditor has gained from other
audit tests of the same (or related) internal controls or account balances, and
AY 2020-2021 Page | 10
the materiality of the account balance or the importance of the internal control
being tested
- If the population is stratified this would also influence the sample size.
Normally stratification results in a smaller sample sizes.
d)
Although the question does not state what is meant by 'enhance' it is probably safe to
presume that it means quality or reliability of the evidence has been improved. In a
question of this sort students should attempt to give a balanced answer including,
where appropriate, both arguments for and against the proposition that using statistical
sampling will enhance the quality of audit evidence.
It may be argued that the use of probability theory and the requirement that the
auditor specifies their confidence level, expected error level and so on enhances audit
evidence. The use of random selection methods does reduce the possibility of bias in
determining the sample and this is likely to increase the reliability of the audit
evidence.
In addition, it may be argued that quantification of the results of the sample enhances
the audit evidence. The use of a systematic and statistically based method is also
likely to improve the consistency with which audit sampling is conducted.
It must be reiterated, however, that the results of the sample and hence the evidence
obtained will be influenced by the auditor's judgement in relation to the aspects
mentioned above. Thus, if the auditors' judgement of these aspects is faulty the use of
a statistical sampling method will not of itself compensate for the inappropriate
judgement.
It has been suggested that in non-statistical or judgmental sampling the auditor can
use their instinct in determining the size of the sample and sample selection and this
can be more effective in identifying errors and misstatements and hence producing
reliable evidence than mechanically applying statistical sampling methods.
Adherents of statistical sampling would obviously disagree that statistical sampling

reduces the scope for using the auditor's instincts. It also needs to be stressed that
audit sampling is only one form of audit testing. Depending on the circumstances it
may not be the most cost-effective method of obtaining reliable audit evidence.
Finally it should be mentioned that statistical sampling only enables the quantification
of sampling risk. Like other audit testing it does not control for non-sampling risk.
Thus, if the statistical sampling tests are poorly conducted by audit staff they will not
produce reliable audit evidence. It may also be considered that the very fact of
quantifying sampling risk may obscure the existence of non-sampling risk. As with
other audit tests, non-sampling risk can be reduced by the audit firm instigating good
training and review procedures.
AY 2020-2021 Page | 11
Q6.3)
During the audit of Level Ltd for the year ended 31 March 2015, your audit tests
reveal that trade receivables include £30 000 for a customer who went into liquidity
shortly before the end of the financial year. Leven’s profits for the year amount to
£190 000 and receivables shown in the balance sheet are stated at £585 000. The
directors do not wish to reduce the stated profits to £160 000 and the receivables to
£555 000 and suggest that accounts will still give a true and fair view if the notes to
the accounts explain that the debtor has gone in to liquidation and that no amount is
expected to be received from the liquidator. Do you agree? What would you say to the
directors?
The case of Leven Ltd gives a chance to consider the principle that disclosure of
circumstances in the notes to the accounts may not be enough to cause the accounts to
give a true and fair view.
What the directors are proposing needs further appraisal. Are they really suggesting
that: (a) The profit and loss account and balance sheet figures are not true and fair in
themselves; but that (b) If readers take information in the notes to the accounts and
makes the necessary adjustments themselves, they will have been given all the
information necessary to make proper decisions and that, therefore, the accounts taken
as a whole will give a true and fair view?
It seems unlikely that a rational person would agree with them. The amount in
question (£30,000) is clearly material, at more than 15% of stated income and more
than 5% of stated trade receivables/debtors. In these circumstances the auditor would
have to explain that an adjustment to the financial statements should be made if a
modification of the audit opinion is to be avoided.
Q6.4)
Roberts and Dwyer (1998) appear to suggest that auditors should disclose the level of
materiality they have used when conducting the audit. Given that this is now a
requirement for companies that are required to follow the UK Corporate Governance
Code, can you suggest and reason why auditors may be unwilling to follow this
suggestion for all companies they audit?
The reasons why auditors might be unwilling to disclose the level of materiality they
have used include:
a) They might believe it would give some insight into their audit process. For
instance, employees of the company might recognise that a particular area in
the company is unlikely to come under the scrutiny of the auditors because its
monetary value falls below the materiality level. This might provide the
opportunity for employees to commit fraud with less chance of detection.
b) Auditors might want to resist the notion that they use one figure as an
indication of the level of materiality. Auditors might regard one figure as too
crude for what they do in practice, where they may use different materiality
AY 2020-2021 Page | 12
levels for different account items and which may involve different levels of
risk.
c) The giving of a figure for materiality might suggest that auditing can be
reduced to one figure. This, it might be argued, ignores all the qualitative
factors auditors might use when determining if a particular item is material.
d) Another concern of auditors is that if they give the figure of materiality it

might, if clients perceive the level to be high, cause them to doubt if they are
receiving value for money. In other words, clients might become aware that
because of the non-material monetary amount of certain items in the accounts,
auditors spend very little time on them during the audit. The client might then
question if they are receiving value for money from the audit fee they pay.
e) Auditors might be concerned that if the figure for materiality is disclosed and
the auditor is sued for negligence, the courts might attach great importance to
the figure which might be to the detriment of the auditors. For instance, if
there was an error in the accounts for an amount in excess of the disclosed
materiality level, the courts would rightly ask why the auditors did not detect
an error of a magnitude which the auditors themselves considered material.
f) Finally as Roberts and Dwyer suggest the non-revelation of the materiality

figure is a further factor that tends to keep the audit process somewhat obscure
and increases its mystique.
Q6.5)
Outline what you believe the term non-sampling risk means and give some examples
of what you consider to be a non-sampling risk.
Non-sampling risk is any risk arising from sampling other than that attributable to
sampling risk.
Sampling risk is that risk arising from the inherent nature of the statistical techniques
used in the sampling process. For instance, when we state something with 95%
confidence, this means that there is a 5% chance that our conclusions are incorrect.
Thus, sampling risk is essentially an outcome of the fact that we have tested a sample
rather than the population and that the sample may not be representative of the
population.
Non-sampling risk, therefore, tends to be risk that originates from the auditor.
Examples of non-sampling risk include:
- The auditor incorrectly defining the population.
- The auditor misapplying the statistical sampling technique.
- The auditor failing to perform audit tests that are consistent with the audit
objectives set for the test.
AY 2020-2021 Page | 13
- The auditor failing to recognise that an error has occurred when they have
examined a document or some other piece of evidence; or, conversely,
concluding that the document contains an error when it doesn’t.
Q6.6)
Give some examples of qualitative characteristics an auditor might take into account
when deciding if a particular item in the financial statement is materially misstated.
The qualitative characteristics an auditor might take into account when deciding if a
particular item is materially misstated include:
a) The requirement that the item is specifically required to be disclosed by
company law, for instance, directors’ remuneration.
b) Where the misstated item has arisen because of some fraudulent or illegal
activity.
c) The nature of the item; for instance, if the cash figure is misstated this may be
seen as more serious that a misstatement of the deferred tax figure.
d) The number of times similar errors or misstatements have arisen either in the
current or past audits.
e) Whether the misstatement affects the balance sheet or profit and loss account,
or both.
f) The nature of the misstatement, for instance, the inappropriate disclosure of an
accounting policy.
g) Where the item is related to the misclassification of an item in the financial
statements.
Q6.7)
ISA 320 Materiality in Planning and Performing an Audit provides guidance on the
concept of materiality in planning and performing an audit. Define materiality and
determine how the level of materiality is assessed.
Materiality is defined as follows:

‘Misstatements, including omissions, are considered to be material if they,
individually or in the aggregate, could reasonably be expected to influence the
economic decisions of users taken on the basis of the financial statements.’
In assessing the level of materiality there are a number of areas that should be
considered.
Firstly the auditor must consider both the amount (quantity) and the nature (quality)
of any misstatements, or a combination of both. The quantity of the misstatement
refers to the relative size of it and the quality refers to an amount that might be low in
value but due to its prominence could influence the user’s decision, for example,
directors’ transactions.
AY 2020-2021 Page | 14
In assessing materiality the auditor must consider that a number of errors each with a
low value may when aggregated amount to a material misstatement.
The assessment of what is material is ultimately a matter of the auditors’ professional

judgement, and it is affected by the auditor’s perception of the financial information
needs of users of the financial statements.
In calculating materiality the auditor should also consider setting the performance
materiality level. This is the amount set by the auditor, it is below materiality, and is
used for particular transactions, account balances and disclosures.
As per ISA 320 materiality is often calculated using benchmarks such as 5% of profit
before tax or 1% of total assets. These values are useful as a starting point for
assessing materiality.
Q6.8) Adapted from ACCA P7 Dec 2012 Exam

You are a manager in Sambora & Co, responsible for the audit of the Jovi Group (the
Group), which is listed. At the planning stage, materiality was initially determined to
be $900,000, and was calculated based on the assumption that the Jovi Group is a
high risk client due to its listed status. During the audit, a number of issues arose
which meant that the auditor needed to revise the materiality level for the financial
statements as a whole. The revised level of materiality is now determined to be
$700,000. One of the audit juniors was unsure as to why the materiality level had
been revised.
Explain why auditors may need to reassess materiality as the audit progresses.
Materiality is a matter of judgment, and is commonly determined using a numerical

approach based on percentages calculated on revenue, profit before tax and total
assets. ISA 320 Materiality in Planning and Performing an Audit requires that the
auditor shall revise materiality for the financial statements as a whole in the event of
becoming aware of information during the audit that would have caused the auditor to
determine a different level of materiality initially.
It may be that during the audit, the auditor becomes aware of a matter which impacts
on the auditor’s understanding of the client’s business and which leads the auditor to
believe that the initial assessment of materiality was inappropriate and must be
revised. For example, the actual results of the audit client may turn out to be quite
different to the forecast results on which the initial level of materiality was based.
Or, a change in the client’s circumstances may occur during the audit, for example, a
decision to dispose of a major part of the business. This again would cause the auditor
to consider if the previously determined level of materiality were still appropriate.
AY 2020-2021 Page | 15
If adjustments are made to the financial statements subsequent to the initial

assessment of materiality, then the materiality level would need to be adjusted
accordingly.
The initial calculation of materiality for the Jovi Group was based on the client’s
listed status, and therefore on an assumption of it being high risk. It is therefore
important that any events, such as those explained above, are taken into account in
assessing a new level of materiality for this client to ensure that sufficient appropriate
evidence is obtained to support the audit opinion.
Q6.9) Partial ACCA F8 Exam Dec 2006 Q5
a)
(i) In the context of ISA 530 Audit Sampling and Other Means of Testing,
explain and provide examples of the terms ‘sampling risk’ and ‘non-sampling’
risk. (4 marks)
(ii) Briefly explain how sampling and non-sampling risk can be controlled by the
audit firm. (2 marks)
b)
Tam Co, is owned and managed by two brothers with equal shareholdings. The
company specialises in the sale of expensive motor vehicles. Annual revenue is in the
region of $70,000,000 and the company requires an audit under local legislation.
About 500 cars are sold each year, with an average value of $140,000, although the
range of values is from $130,000 to $160,000. Invoices are completed manually with
one director signing all invoices to confirm the sales value is correct. All accounting
and financial statement preparation is carried out by the directors. A recent expansion
of the company’s showroom was financed by a bank loan, repayable over the next
five years.
The audit manager is starting to plan the audit of Tam Co. The audit senior and audit
junior assigned to the audit are helping the manager as a training exercise.
Comments are being made about how to select a sample of sales invoices for testing.
Audit procedures are needed to ensure that the managing director has signed them and
then to trace details into the sales day book and sales ledger.
‘We should check all invoices’ suggests the audit manager.
‘How about selecting a sample using statistical sampling techniques’ adds the audit
senior.
‘Why waste time obtaining a sample?’ asks the audit junior. He adds ‘taking a random
sample of invoices by reviewing the invoice file and manually choosing a few
important invoices will be much quicker.’
AY 2020-2021 Page | 16
Required:
Briefly explain each of the sample selection methods suggested by the audit manager,
audit senior and audit junior, and discuss whether or not they are appropriate for
obtaining a representative sample of sales invoices. (9 marks)
a)
Sampling risk
Sampling risk is the possibility that the auditor’s conclusion, based on a sample, may
be different from the conclusion reached if the entire population were subjected to the
audit procedure.
The auditor may conclude from the results of testing that either material
misstatements exist, when they do not, or that material misstatements do not exist
when in fact they do.
Sampling risk is controlled by the audit firm ensuring that it is using a valid method of
selecting items from a population and/or by increasing the sample size.
Non-sampling risk
Non-sampling risk arises from any factor that causes an auditor to reach an incorrect
conclusion that is not related to the size of the sample.
Examples of non-sampling risk include the use of inappropriate procedures,

misinterpretation of evidence or the auditor simply ‘missing’ an error.
Non-sampling risk is controlled by providing appropriate training for staff so they

know which audit techniques to use and will recognise an error when one occurs.
b)
The audit manager suggests checking all invoices, effectively ignoring any statistical
sampling; in other words this is not statistical sampling. Audit tests will be applied to
all of the sales invoices. This approach may be appropriate for the audit of Tam
because:
– The population is relatively small and it is likely to be quicker to test all the
items than spend time constructing a sample.
– All the transactions are not large but could be considered material in their own
right, e.g. compared to project. As all the transactions are material, then they
all need to be tested.
The audit senior suggests using statistical sampling. This will mean selecting a limited
number of sales invoices from the population using probability theory ensuring a
random selection of the sample and then applying audit tests to those invoices only.
This approach may be appropriate because:
– The population consists of similar items (i.e. it is homogeneous) and there are
no indications of the control system failing or changing during the year. There
AY 2020-2021 Page | 17
is the query about how long it will take to determine and produce a sample,
which may make statistical sampling inappropriate in this situation.
The audit junior suggests using ‘random’ sampling, which the junior auditor appears
to understand as manually choosing which invoices to look at. The approach therefore
involves an element of bias and is not statistical or true ‘random’ sampling.
While this approach appears to save time, it is not appropriate because:

– The sample selected will not be chosen ‘randomly’ but on the whim of the
auditor. Human nature will tend to avoid difficult items for testing.
– Also, as invoices will not have been chosen using statistical sampling, no valid
conclusion can be drawn from the results of the test. If an error is found it will
be difficult extrapolating that error on to the population.
END OF LECTURE 6
AY 2020-2021 Page | 18
Lecture 7 – Planning the audit, Risk-based approach to auditing
Learning objectives
a) To explain the important of audit planning and the planning documents that
the auditor produces at the end of the planning exercise
b) To define audit risk and suggest why risk-based approaches have become
more important in recent years.
c) To identify the components of audit risk and give practical explanatory
examples.
d) To identify risk in a number of practical scenarios and show how auditors
approach risk.
e) To define business risk, show how business risk approaches differ from audit
risk approaches and whether relevant to the audit of companies of all sizes.
f) To show how enhanced expectations of corporate governance have increased
business risk.
g) To explain why business risk approaches by auditors may widen the audit
expectations gap.
h) To explain why judgement is a vital aspect of accounting and auditing.
i) To make the distinction between judgement and technical compliance with
accounting standards.
j) To explain the relationship between audit judgement and audit risk.
k) To suggest what it is that enables successful audit judgements to be made.
The importance of audit planning
ISA 300 Planning an audit of financial statements
‘The objective of the auditor is to plan the audit so that it will be performed in an
effective manner.’
Why plan? Benefits of planning?
a) Helping the auditor to devote appropriate attention to important areas of the

audit
b) Helping the auditor identify and resolve potential problems on a timely basis
c) Helping the auditor properly organize and manage the audit engagement so that
it is performed in an effective and efficient manner
d) Assisting in the selection of engagement team members with appropriate levels

of capabilities and competence to respond to anticipated risks, and the proper
assignment of work to them
AY 2020-2021 Page | 19
Two documents - The Audit Strategy and the detailed Audit Plan
The audit strategy sets the scope, timing and direction of the audit, and guides the
development of the more detailed audit plan.
The matter to consider in establishing an overall audit strategy:
Characteristics of Financial reporting framework

the engagement Industry-specific reporting requirements
Expected audit coverage
Nature of business segments
Availability of internal audit work
Use of service organizations
Effect of information technology on audit
procedures
Availability of client personnel and data
Reporting Entity’s timetable for reporting
objectives, timing Organization of meetings with management and
of the audit and those charged with governance
nature of Discussions with management and those charged
communications with governance
Expected communications with third parties
Significant Determination of materiality

factors, Areas identified with higher risk of material
preliminary misstatement
engagement Results of previous audits
activities, and Need to maintain professional skepticism
knowledge gained Evidence of management’s commitment to design,
on other implementation and maintenance of sound internal
engagements control
Volume of transactions
Significant business developments
Significant industry developments
Significant changes in financial reporting
framework
Other significant recent developments
Nature, timing Selection of engagement team
and extent of Assignment of work to team members
resources Engagement budgeting
Examples of items to include in the overall audit strategy could be:

a) Industry-specific financial reporting requirements
b) Number of locations to be visited
c) Audit client’s timetable for reporting to its members
d) Communication between the audit team and the client
AY 2020-2021 Page | 20
An audit plan converts the audit strategy into a more detailed plan and includes the
nature, timing and extent of audit procedures to be performed by engagement team
members in order to obtain sufficient appropriate audit evidence to reduce audit risk
to an acceptably low level.
The audit plan should include:

a) A description of the nature, timing and extent of planned risk assessment
procedures sufficient to assess the risk of material misstatement
b) A description of the nature, timing and extent of planned further audit
procedures at the assertion level
c) Other planned audit procedures required to be carried out for the engagement
to comply with ISAs.
Examples of items to include in the audit plan could be:

a) A description of the nature, timing and extent of planned risk assessment
procedures sufficient to assess the risks of material misstatement.
b) This would include assessment of inherent risk and control risk at both the
entity and assertion level. An important element of the plan would be the
understanding and assessment of the control environment of the organisation.
c) A description of the nature, timing and extent of planned further procedures at
the assertion level for each material class of transactions, account balance, and
disclosure.
d) This would include an explanation of the decision whether to test the operating
effectiveness of controls (an important decision is whether reliance is to be
placed on controls) and on the nature, timing and extent of planned substantive
procedures (this would depend on the decision as to the level of control risk).
e) Audit procedures required to be carried out for the engagement in order to
comply with ISAs, for example, the use of external confirmations to obtain
sufficient appropriate evidence at the assertion level.
The Concept of Audit Risk
Why is risk-based approach an aid to auditor?
Auditor must obtain reasonable assurance financial statements are free from material
misstatement – obtaining sufficient appropriate evidence reduces audit risk.
Auditor is not expected to give absolute assurance. Existence of ‘material

misstatement’ means that financial statements may not be true and fair.
Auditors identify and assess risks of material misstatement:

– at financial statement level – risks pervasive to financial statements as
a whole – could affect many assertions
– at the assertion level – affect individual transactions, balances,
disclosures
AY 2020-2021 Page | 21
Auditors do not just look at audit risk (AR), they also look at business risk (BR).
(Auditor addresses both business risk and audit risk)
So what is the difference between AR and BR?
Audit risk – risk that auditor expresses an inappropriate audit opinion
Business risk – risk that could adversely affect entity’s ability to achieve its
objectives – could affect audit risk
Components of Audit Risk & Business Risk (Taken from GMC, Chap 5 pg 175)
AY 2020-2021 Page | 22
The audit risk model
Audit risk (AR) = Inherent risk (IR) x Control Risk (CR) x Detection Risk (DR)
Inherent risk – susceptibility of assertion to material misstatement, assuming no
related controls
Control risk – risk material misstatement could occur that internal control will not
prevent, detect and correct on a timely basis
Detection risk – risk auditor will not detect a material misstatement
Some textbooks/exams use the term “Risk of material misstatements” = Inherent

risk and Control risk
Broad approach to minimize audit risk

1. Investigate legitimacy of entity and integrity and competence of management
before acceptance of audit assignment, and before subsequent audits.
2. Consider independence of audit firm and staff before acceptance of audit
assignment, and before subsequent audits.
3. Understand nature of entity and its environment before commencing detailed
audit work.
4. Auditor plans to minimize risk of failing to detect material misstatement at
financial statement and assertion levels.
5. Design audit approach on basis of what is known about audit client: set
performance materiality; form engagement team with required experience and
skills.
6. Perform audit programmes to obtain evidence necessary to form conclusions
at assertion level, leading to opinion on truth and fairness of financial
statements taken as a whole.
AY 2020-2021 Page | 23
Earnings management and income smoothing
Definitions:
Healy and Wahlen (1999): ‘Earnings management occurs when managers use
judgement in financial reporting and in structuring transactions to alter financial
reports to either mislead some stakeholders about the underlying economic
performance of the company or to influence contractual outcomes that depend on
reported accounting numbers.’
Walker (2013): Earnings management is ‘the use of managerial discretion over

(within GAAP) accounting choices, earnings reporting choices, and real economic
decisions to influence how underlying economic events are reflected in one or more
measures of earnings.’
Income smoothing may be defined as measures that serve to reduce fluctuations in the
earnings of an entity’. It can range from good business methods through short-term
measures that affect earnings, which are not necessarily in the long-term interests of
the entity, to fraudulent reporting.
Example of good business method – bonuses to staff based on profit, resulting in

reduction of profit in good years.
Examples of short-term measures not in long term interests of entity – cutting R&D or
cutting maintenance expenditure.
Examples of fraudulent reporting – understating accounts payable and cost of goods

sold in years where earnings are low and omitting assets such as accounts receivable
in good years or being overly prudent in some years taking up profit on construction
contracts – and vice versa in other years.
Why management practice earnings management and income smoothing?
Profits have been adversely or favourably affected by conditions unlikely to be

repeated.
Remuneration of key people within the entity often tied to reported earnings. Income
smoothing avoids swings in remuneration.
To influence decisions by external investors and analysts. E.g. it might also be used to
influence the entity’s share price.
‘Big Bath’ provisions at time of reorganization or management takeover, reversed in

later years to make the ‘new company’ look good
AY 2020-2021 Page | 24
To influence perceptions of financial strength by third parties – present and potential

competitors, customers, suppliers, employees, politicians and regulators and providers
of finance, where debt covenants are in danger of being infringed.
Business risk and inherent risk approaches: similarities
Approaches to business risk and inherent risk both use ‘top-down’ approach initially –
entity considered in entirety
Decide steps necessary to prevent company achieving objectives or, in auditors’ case,
perform procedures to ensure financial statements give a true and fair view of results
and financial position.
Factors that increase inherent risk, such as management inexperience and lack of
skills, may make it less likely that business objectives will be obtained.
Factors increasing control risk, e.g. poor control environment, may inhibit achieving
business objectives.
Analysis of business risk and inherent risk helps auditors design work to prove
financial statements give a true and fair view. Both kinds of analysis give auditors a
better understanding of the entity and its operations.
Business risk and inherent risk approaches: differences (dissimilarities)
Auditors consider inherent risks in relation to impact they may have on financial
statements
Business risk approach considers risks that inhibit the company in achieving its
objectives. Many company objectives have little or only an indirect bearing on the
financial statements.
While factors that fail to reduce impact of inherent risk may also fail to reduce impact
of business risk, business and audit objectives are so dissimilar that the factors cannot
be regarded as creating a similarity.
Impact that a business risk approach might have on the audit process
Improves basic audit of financial statements and makes less likely erroneous
conclusions will be reached.
Makes audit more efficient and more profitable.
AY 2020-2021 Page | 25
Expands potential for giving assurance to management beyond traditional audit and
‘adds value’ to audit from client perspective.
Expanded audit has potential to contribute to corporate governance arrangements and

disclosures because of broader understanding of business and its risks.
Better understanding of client’s business and its risks will reduce audit firm’s own
‘business risk’ – sometimes referred to as ‘engagement risk’.
The business risk approach and smaller clients and smaller audit firms
Business risk approach needs wide variety of expertise within firm to identify
business risks and allow dialogue on equal terms with experts in client company.
Therefore, most of us will think that business risk approach most appropriate in the
audit of large multinational companies by the Big 4 audit firms?
But business risk approach is about attitude of mind on auditor’s part – involving
acquiring knowledge about business rationale.
Small audit client does not usually have wide expertise and therefore, smaller audit
firms may usefully discuss business risks with management as an aid to them. This
means that firms other than large firms might be able to use business risk approach.
This business risk approach is a “wider” approach and therefore may be more
expensive, but benefits could exceed costs. So we conclude that it is still useful for
small companies audit.
Analytical Procedures (ISA 520)
ISA 520:
Analytical procedures: ‘evaluations of financial information through analysis of
plausible relationships among both financial and non-financial data. Analytical
procedures also encompass such investigation as is necessary of identified
fluctuations or relationships that are inconsistent with other relevant information or
that differ from expected values by a significant amount.’
(Note: Textbooks sometimes use the term Analytical review or Analytical review
procedures)
In short, analytical procedures mean the analysis of relationships to identify

inconsistencies and unexpected relationships.
AY 2020-2021 Page | 26
The auditor should apply analytical procedures as risk assessment procedures and in
the overall review at the end of the audit. (it means the use of analytical procedures in
these 2 stages of the audit is compulsory, you got to use!)
They can also be used as a source of substantive audit evidence when their use is
more effective or efficient than tests of details in reducing detection risk for specific
financial statement assertions. (the use of analytical procedures as a substantive
procedure is not compulsory, you can choose not to use)
Analytical procedures include the following type of comparisons:

a) Prior periods
b) Budgets and forecasts
c) Industry information
d) Predictive estimates ie expectations
e) Relationships between elements of financial information, ie ratio analysis
f) Relationships between financial and non-financial information, eg
payroll costs to the number of employees.
Analytical procedures as a risk analysis tool
It is an important risk assessment procedures (one of the 4 Risk Assessment

Procedures (RAP) used in auditing) when obtaining an understanding of entity and
environment.
Aid in reducing overall audit risk and in particular reducing detection risk.
Of particular value in determining whether there is a going-concern problem/risk.

(calculating ratios and comparing it with previous years to see if the ratios are
deteriorating)
Used at several points in the audit process. (It can be use in 3 different stages of the
audit)
Judgement in accounting and auditing and its relationship to risk
Judgement is intangible in its nature.
The relationship between audit judgement and risk is direct, as it is exercised in the
context of risk.
In forming judgements, auditor makes initial risk assessments and then modifies them
on basis of controls in existence and of the validity of figures in the accounting
records. Any assessment of risk involves judgement.
Auditor judgement exercised in context of audit evidence collected and evaluated.
AY 2020-2021 Page | 27
Management of the audit process
Two basic audit objectives:
1) To form opinion on financial statements, requiring audit firm to act effectively

and to perform professional work of high quality
2) To make a profit in carrying out professional duties, requiring audit firm to act
efficiently as well as effectively.
Starting point is logical structure within audit firm and allocation of special
responsibilities to each person working in it, including:
– Leadership of the audit firm
– Ethics partner
– Engagement quality control reviewer (EQCR)
– Members of the Engagement Team:
The engagement partner
Managers
Seniors
Assistant auditors
Support staff including tax and IT experts
Engagement team supported by Technical Advisory Function.
AY 2020-2021 Page | 28
The letter of engagement: role and contents
Letter addressed to person with management authority, including TCWG, containing

reference to:
– Objectives and scope of the audit
– Responsibilities of the auditor
– Responsibilities of directors
– Audit reporting
– Fees
Sets scene for relationship between management and auditor – prevents subsequent
disagreements.
Matters that may be emphasized:

– Duties of management if financial statements on internet
– Fact that audit report will contain a disclaimer that audit firm only
responsible to entity and shareholders as a body and not third parties
– Auditors’ duties with respect to corporate governance
If the audit firm is providing non-assurance services, appropriate to prepare separate

engagement letter.
AY 2020-2021 Page | 29
Q7.1)
The audit firm consists of a collection of individuals with varying degrees of
experience and expertise. Briefly describe the role that individual staff members play
in achieving audit objectives.
The engagement team will comprise of:
1) The Engagement Partner (who has overall responsibility for the assignment)
2) Manager in charge of the assignment (who has overall responsibility for

supervising the assignment, staying in close contact with the Engagement
Partner and the other members of the Engagement Team)
3) Other audit staff, including people with varying degrees of experience – the
senior in charge who will be present throughout the assignment - and staff
with less experience such as semi-senior or junior staff whose work will be
closely supervised.
4) Other professional staff with special skills, including IT and tax experts, who
will be used at particular points of the audit work.
Apart from members of the Engagement Team, there are other individuals and
functions that play a role in achieving audit objectives. These include:
1) Staff providing a technical advisory services, such as advice on the application

of accounting and auditing standards
2) Ethics Partner who advises the Engagement Partner on possible threats to

independence, including possible breaches of the firms ethical guidelines.
3) Engagement Quality Control Reviewer (EQCR) who is there to ensure that

high standards are maintained during and at the end of the audit process. This
person may review working papers and act as intermediary in the event of
disagreement between the Engagement Partner and the Ethics Partner.
4) Others in the Audit Firm’s chain of command, including those at the top of the
firm who are responsible for the Firm’s Control Environment. It is important
to note that the activities of the firm must be organised to produce the
professional service when it is required. It is quite likely, for instance, that
there will be a partner in charge of the computer/IT services and of the
taxation services. In preparing the audit plan, approaches will have to be made
to the specialist services to ensure that their staff will be available when
required. It will also be desirable that the person in charge of the typing
services is aware of deadlines and other reporting requirements (for instance,
complicated diagrams and layouts) on a timely basis.
AY 2020-2021 Page | 30
Q7.2)
What are the main practical differences between the audit risk approach and the
business risk approach to auditing?
There is a very different approach to audit risk and business risk as can be seen from
their definitions:
Audit risk - the risk that auditors may give an inappropriate audit opinion on financial
statements.
Business risk - the risk that the entity will fail to achieve its objectives.
Clearly, audit risk involves an approach from the auditors' point of view, while the
business risk approach looks at risk from the company or businessman perspective. Of
course, both approaches do have, as an important end, an expression of opinion on the
financial statements of the company.
The protagonists of the business risk approach spend a lot of partner and manager
time (the most expensive time) finding out about the company, often going into areas
that only have an indirect relevance to the financial statements, but which may
nevertheless have a bearing in the medium or long term and even in the short term.
Auditors using this approach will look at company objectives such as increasing
market share and we concluded that this objective might have an impact on the going
concern status of the company. Similarly, a company objective of increasing customer
satisfaction might well have a bearing on the financial statements as customers will be
more likely to pay and to purchase company products in the future. A concern for the
environment may well avoid costly court cases by persons alleging personal damage,
or avoid fines by government for infringement of laws protecting the environment.
So both approaches will include the important audit objective of giving an opinion on
the financial statements. The business risk approach is however likely to give the
audit firm the chance of earning additional income by the provision of advice and
assurance services to management. The audit risk approach does involve the auditor
in expensive fact finding too and often inherent risk and business risk cannot be easily
differentiated.
However the audit risk approach does tend to concentrate on the financial statements.
We must remember that the financial statements only give one view of the company.
There are many other views that the business risk approach might uncover.
Q7.3)
‘It is very easy to apply the audit risk model. All you have to do is to multiply figures
together to determine the amount of testing you have to do.’ Discuss this statement.
If only this were true, but it is not. You will remember that the formula is expressed as
follows:
Audit risk (AR) = Inherent risk (IR) x Control Risk (CR) x Detection Risk (DR)
AY 2020-2021 Page | 31
The problem with formulas is that they tend to give a spurious sense of accuracy
whereas it is clear that a considerable amount of judgement is involved in its
application. Thus:
- Audit risk (AR). The auditors have to decide what level of risk they can live with,
that is, what is tolerable to them. This clearly is a matter of judgement as to what is
material (see earlier lecture on this topic) in relation to the financial statements.
- Inherent risk (IR). Again a considerable amount of judgement is involved. What

leads auditors to decide that a particular risk will affect the financial statements? What
makes them decide, for instance, that a particular group of customers in a particular
industry are not likely to pay unless there are controls in force.
- Control Risk (CR). This kind of risk is about the ability of the company controls to
reduce the impact of inherent risk. Auditors have to judge their effectiveness in the
light of what they thinks about the competence and skill of management, the control
environment management has put in and the functioning of individual controls. How
does the auditor decide that the credit worthiness controls, for instance, are working
properly all the time?
If auditors have got all these judgmental decisions right they can apply the formula
and calculate the desired level of detection risk - which they can then translate into a
desired level of tests of detail.
We might mention that the business risk approach tends not to assess inherent risk and
control risk separately, but nonetheless judgement is involved.
Q7.4)
Explain to your assistant what is meant by audit judgement and give examples of its
application. How certain can you be that your judgement has produced the right
answer?
You might like to explain what is meant by audit judgment to your assistant in more
simple terms. The main point is that there is usually much uncertainty surrounding
human activity so that we are all having to make judgments all the time in our daily
lives.
For instance, do I trust this person when he says he will pay back the £10 he wishes to
borrow until next Friday? The same is true in business life and auditors are
continually having to make judgements about the actions of management, controls in
force and figures in the financial statements.
Some things are easy and do not involve much judgement, if any. For instance, IAS
11 and FRS 102 allows profits on uncompleted Construction (long-term) contracts to
be reflected in the profits of this year. There is no argument about this and therefore
no exercise of judgement. Where judgement does have to be exercised is on the
AMOUNT of profit that you can take up.
AY 2020-2021 Page | 32
This contract is only 10% complete - is this too soon to judge whether any profit can
be taken up? This contract is running late. What is the likelihood that penalty clauses
will be invoked, thereby reducing expected profit and affecting the amount of profit
that can be taken up.
There are many other examples: This inventory is unsold at the year-end. Will it be
sold above cost? This debtor outstanding at the balance sheet date has not paid at the
time of the audit. What is the likelihood that he will pay? The company says this item
of plant has a twenty- year life. I have to judge that management's assertion is valid.
Why 20 years? Why not 15 or 25 years?
You should also say to your assistant, however, that judgment is not exercised in a
vacuum. The auditors may have a lot of information to help them make judgments.
For instance, in the case of the debtor, a review of the account shows that this debtor,
though slow-paying has always paid the balance outstanding in the past. Regarding
the inventory, the auditor might look at how well the inventory has moved in the past
in order to form a view about the movements in the future,
Finally, you can say to your assistant that the exercise of judgement becomes easier as
experience is gained. In the meantime you will help him or her to make the necessary
judgements and explain why they have been made.
Q7.5)
Discuss the major factors that might influence managers in engaging in earnings
management. Consider audit procedures that might be appropriate where earnings
management might be expected.
Earning management (EM) is quite a broad term and may encompass:

(a) deliberate misstatement of financial reporting figures, such as omitting
purchases and accounts payable or overstating inventories – and so on
(b) making accounting choices within GAAP that may influence the behaviour of
stakeholders, such as taking an over-positive or over-negative view of the lives
of non-current assets, value of inventories, collectability of debtors – and so on.
(c) Making real economic choices that will have an impact on stated earnings, for
instance:
i) basing part of employees’ remuneration on earnings, thereby
increasing expenditure in good years and reducing expenditure in poor
years
ii) cutting research and development expenditure or repairs and

maintenance expenditure in years where earnings are low, and
increasing such expenditure in years where earnings are high.
AY 2020-2021 Page | 33
We can regard (a) above as plainly wrong, (b) as sharp practice, using the
opportunities within GAAP for showing a desired outcome, (ci) is clearly an
acceptable practice but (cii) are short-term measures that may have an unfortunate
long-term effect.
Management might wish to manage earnings for a number of different reasons,

including:
1. The success of management is often judged by the share price of the company.
Managing earnings upward would tend to increase share price, making
management look more successful than it is.
2. There might also be pressure to increase share price in like fashion, if shares are
being issued as consideration for the purchase of a company.
3. In the circumstances of a reorganization of a company or a proposed
management takeover, excessive provisions before the event (known as ‘big
bath’ provisions) would make the company ‘look better’ in future years.
4. Management might indulge in income-smoothing, a form of earnings
management, if profits have been adversely or favourably affected by conditions
unlikely to be repeated. In other words, the smoothed income might be a better
guide to future earnings.
5. Remuneration of key people within the entity is often tied to reported earnings.
Income smoothing would avoid swings in remuneration.
6. Earnings management might be used to influence perceptions of financial
strength by a range of third parties, including present and potential competitors,
customers, suppliers, employees, politicians and regulators. In particular,
earnings management might be used to mislead providers of finance, where debt
covenants are in danger of being infringed.
AY 2020-2021 Page | 34
Q7.6) UoL AA 2017 Exam ZA Q3a

You are the auditor of FastTrack Ltd, a UK-based company that makes customized
road race bikes for motorcycle competitors. Bikes can cost the customer a minimum
of $50,000 because of the time it takes to build a bike using skilled labour and high-
end foreign-sourced components.
Recent political developments have caused the company greater uncertainty since
most customers are based overseas and there has been some anti-British feeling on
continental Europe. While the fall in the value of sterling now makes the bikes much
cheaper to these overseas customers, the cost of the company’s supplies will go up.
FastTrack has 6 engineers/mechanics who build the bikes and test the machines, 2
general labourers and one accounts clerk who handles all the records and transactions.
Control over the operations takes the form of the CEO and major shareholder, Mr
Bossi, taking a keen interest in arrangements and records. He will often do spot-
checks and at random question the accounts clerk about even the most trivial items.
More recently, Mr Bossi has been distracted by his attempts to find other business
ventures in case the worst happens and FastTrack fails. He is also thinking about
selling the business brand and intellectual property to a foreign competitor – though
he has not told the staff that since they would almost certainly lose their jobs.
He is concerned about the fact that the rising bank overdraft has called for the annual
accounts to be made available as soon as possible after the year-end. He in turn has
called you to ask what you can do to save his company and the jobs of the employees.
Required:
a) Identify audit risk factors in the above scenario and anything that would
make you feel uneasy about the situation. (15 marks)
There were some fairly obvious circumstances in the scenario set out. The better
candidates were able to identify all or most of them and the very good answers gave
brief explanations of why each was considered a potential problem. Weaker answers
simply stated, for instance, that the fact that the company had an overdraft was a
problem. Generally, a list of bullet points is never going to be sufficient to obtain
good marks and candidates are encouraged to fill out their answers with pertinent
discussion, provided they do not exceed the time allocated. Some of the specific
factors would include the fact that the product is very specialised in a niche market
meaning that it is likely to be more precarious than a more general product market.
Motorsport is dangerous and negligent manufacture or wrong fitting of a key

component to a machine could have catastrophic consequences for the rider and
potential claims against the client. Other factors include the secretive nature of the
owner's activities, looking for potential buyers without informing the staff, the
reliance on the bank could also present a litigation risk for the auditors, and the
involvement of overseas suppliers and customers pose a significant foreign exchange
risk.
AY 2020-2021 Page | 35
Q7.7) UoL AA 2017 Exam ZB Q1a

Your firm is planning the audit of its client, Business Plus Ltd (BPL), in respect of the
year ended 31st December 2016. The BPL offers courses in business administration,
IT and digital media. The courses are available to all but the majority of students are
16 to 18 year olds under a government-sponsored apprenticeship scheme.
The Government pays course providers in stages over the period of study for each
level of the qualification. Typically, 25% at the start of the course, 25% after three
months and the remaining 50% on the successful completion of the course. Students
not studying under the apprenticeship scheme must either pay full fees in advance or
pay monthly over the study period. Discounts are provided for fees paid in full at the
start of the program.
BPL has experienced an increase in student numbers over the past 12 months
following the closure of one of its competitors. In order to service this increase, BPL
recruited two new members of staff during the year, both of whom are experienced
trainers and required high salaries as a result.
BPL now has 25 members of staff, 10 of these are administration and support staff
with the remaining being lecturers and management, of which a third are part time.
The accounts department consists of one financial controller and two accounts
administrators.
The financial controller is part ACCA qualified and joined BPL in May 2016; the
accounts administrators also joined during the year and are both AAT trainees. BPL’s
payroll is outsourced to a local bookkeeper.
Your firm has audited BPL for the past three years but this is the first year you have
been involved. Previous audits have all resulted in unmodified audit reports although
there was an emphasis of matter included in the audit report to the year ended 31st
December 2015 due to uncertainty over BPL’s cash flow.
Required:
a) State the inherent risks associated with this audit and how the audit team
should respond to these risks. (15 marks)
Very good answers to part (a) included coverage of both the risks and the auditors'
response to the risks. However, many answers concentrated on only the risks and,
therefore, marks were lost unnecessarily.
Well-prepared candidates understand the audit process so that they know what to look
out for and how to respond to the problem. For example, the fact that candidates can
be enrolled but not pay full fees up-front poses the problem of non-payment of fees.
Auditors could respond to this by examining past drop-out rates which might give an
indication of the amount needed to allow for bad debts.
AY 2020-2021 Page | 36
The closure of a competitor may seem to be an advantage for the client, but it could
also be an indicator of trouble ahead - maybe market demand for this sort of education
is in general decline. The auditors would need to do more investigating to find out the
factors behind the closure.
With respect to the hiring of highly-paid lecturers, some candidates suggested that the
auditors challenge management about these high salaries, while others suggested that
the auditors sit in on lectures to see if these new recruits were really worth the money;
these are examples of auditing candidates themselves falling into the expectation gap
since such operational questions are outside the remit of the financial statement audit.
AY 2020-2021 Page | 37
Q7.8) UoL AA 2016 Exam ZB Q1a
Established in 1965, Sparkle Hotel Ltd is a country hotel offering luxury facilities on
a large country estate. Fred Frodden, a ruthless businessman who, despite being aged
76, is the CEO and majority shareholder. Fred does not like to have his ideas
challenged and is known for his bullying attitude towards his staff. The current chief
accountant, Bob Nobles, was appointed 6 months ago. He is the fourth chief
accountant in three years. Bob is engaged to Fred’s granddaughter.
The operations director is Fred’s son, William, who owns 25% of the company’s
shares and is due to replace Fred on his retirement. William is an excellent manager
with exceptional people skills. He is always on site though he will openly admit he
does not have a head for numbers and relies on Bob for advice.
The accounting system uses a small network of desktop computers with an old
version of a popular accounting package. Bob is in sole charge of the accounting
function. He has two assistants who are part-time, part-qualified accounting
technicians with no recent training.
When a guest arrives, a reception record is entered onto the computer so that the room
and any other services the guest uses are charged to the room. William, who often
mans the reception after 6pm at weekends, prefers to write out manual records for the
receptionist to enter onto the computer system on a Monday morning.
The restaurant and bar are staffed by casual (zero-hours contract) workers whom the
restaurant manager pays in cash each week. Details of payments to staff are recorded
in a payroll book and passed to the accounting department for processing. The
restaurant customer/guest paying the bill is required to sign a paper slip which
includes name and room number (if applicable), total expenditure and whether paid in
cash or charged to the room. The accounts office enters these details onto the
computer system every morning.
The financial statements for the year ended 31st March 2016 showed a fall in turnover
for the third consecutive year and post-year end bookings continue to fall.
Nevertheless the company reports a healthy profit margin. Salaries and wages are the
most significant expense in the financial statements and have remained at a constant
level over the years. Fred is unconcerned; he draws a modest salary, receives no
dividends but still affords cruises and a new car every year.
Required:
a) Write a memo identifying the audit risks posed by Sparkle Hotel Ltd and
your suggested responses to these risks. (15 marks)
Weaker candidates often ignored the instruction to produce the answer in the form of
a memorandum. This is not a big issue but the one or two marks that were available
for presentation were needlessly sacrificed.
AY 2020-2021 Page | 38
Better prepared candidates set out their answers neatly and in correct form.
In the body of the answer, generally candidates were able to identify the weaknesses
or factors that would cause auditors some concern – the bullying attitude of the chief
executive, the rapid turnover of senior staff and the lack of tighter controls on
transactions. Surprisingly few candidates mentioned that the continuing decline in
revenues might cause some concern for the long-term viability of the business.
Perhaps the most common reason for lower marks on this part of the question was the
failure to suggest appropriate audit responses to the identified weaknesses. Candidates
were expected to do more than say simply ‘do more substantive tests’; better
candidates suggested specific tests that could be performed – for example, a detailed
review of the bank statements to look for unusual transactions and being alert for
unusual expenses or invoices while carrying out audit work. A frank discussion with
the chief executive about the funding of his lifestyle might be necessary as will a
consideration of the auditor’s ability to continue with the audit engagement, if the
discussion does not allay their concerns.
Some answers showed some naiveté in failing to appreciate that a common feature of
smaller family businesses is that members of the family are involved in senior
positions. The suggestion that more outsiders should be brought in would not be
realistic in this setting. Similarly, the idea that the owner should be made to sell his
shares is as impractical as it is wrong.
END OF LECTURE 7
AY 2020-2021 Page | 39
Lecture 8 – Theory of evidence, Search for evidence
Learning objectives
a) Explain why the audit evidence search is a central concept of auditing.
b) Identify the stages of the audit process and show that evidence has to be
collected in different ways at each stage.
c) Explain the relationship between audit evidence and audit risk.
d) Show there are different grades of audit evidence and that evidence may be
upgraded or downgraded.
e) Explain the relationship between audit evidence and the application of audit
judgement.
f) Show to what extent the evidence-gathering process might be affected by a
decision by the auditor to rely on the directors and the control environment
they have introduced.
g) Form conclusions on the basis of evidence available in selected scenarios.
h) Explain the difference between an audit, a limited assurance engagement, a
compilation engagement and an engagement involving agreed upon
procedures, and suggest how the evidence-gathering process may differ
between them.
Audit is a search for evidence to enable an opinion to be formed.
Evidence search is to enable conclusions to be formed on:

– Accuracy and dependability of accounting records
– Truth and fairness of financial statements
– Compliance with legislation, accounting, reporting standards
Audit evidence collected from audited entity and independent sources.
Procedures used to obtain evidence (ISA 500 Audit Evidence)
Auditors collect audit evidence using inquiry, inspection of assets, inspection of

documents, observation, confirmation, recalculation, re-performance, analytical
procedures
Using the acronym – A E I O U
AY 2020-2021 Page | 40
ISA 500 Audit Evidence – Need to obtain sufficient appropriate audit evidence
‘Sufficient’: enough evidence is obtained to meet audit objectives. Persuasiveness of

audit evidence and quantity linked.
‘Appropriate’ has two elements:

- Relevance: evidence must be pertinent to matter in hand.
- Reliability: many grades of reliability.
Quantity vs Quality – Just like buffet dinner vs fine dining ….
Sufficiency and appropriateness related – the higher the quality (appropriate), the less
may be required (sufficient).
What is reliable evidence?
Example: If your friend tells you that he got S$10 m in his OCBC bank account. Is his
words reliable evidence?
AY 2020-2021 Page | 41
Factors affecting reliability of evidence:
Reliability of audit evidence (grades of audit evidence) depends on:

1. Reliability of audit evidence increases when from independent sources outside
the entity (particularly from professional persons).
2. Reliability of audit evidence generated internally increases when related

controls on preparation and maintenance are effective.
3. Audit evidence obtained directly by the auditor more reliable than evidence
obtained indirectly or by inference.
4. Audit evidence in documentary form more reliable than oral evidence.
5. Audit evidence provided by original documents is more reliable than copies,

reliability of which depends on controls over preparation and maintenance.
6. Evidence created in normal course of business is better than evidence specially

created to satisfy the auditor.
7. Best-informed source of evidence normally management of the company but

lack of independence reduces its value.
8. Evidence about future particularly difficult to obtain and less reliable than
evidence about past events.
AY 2020-2021 Page | 42
What is relevant?
Evidence is relevant if it supports the assertion that it is supposed to support. Then

what are assertions? See the 2 sets of assertions below.
Example: The auditor would want to audit the assertion of existence of a motor
vehicle. He asked the client to show him the original invoice from the car supplier
Honda Ltd. Is this a relevant evidence to audit existence? If not, what evidence should
the auditor gets in order to audit the assertion of existence?
Assertions about classes of transactions and events for period under audit
i. Occurrence – transactions and events that have been recorded have occurred
and pertain to the entity (It happened, its genuine, its real)
ii. Completeness – all transactions and events that should have been recorded
have been recorded – (whatever need to be in is already in, did not miss out
any)
iii. Accuracy – amounts and other data relating to recorded transactions and
events have been recorded appropriately – (the amount is right, it is accurate)
iv. Cut-off – transactions and events have been recorded in the correct accounting
period – (this will indirectly linked to accuracy, if the transaction is recorded
in the wrong accounting period, then the amount recorded will not be accurate
too)
v. Classification – transactions and events have been properly classified in the
financial statements (eg. long term non-current items we put under current,
that is wrong classification)
vi. Presentation & disclosure – transactions and events have been properly
presented and disclosed in the financial statements
Assertions about account balances at the period end (as at period end)
i. Existence – assets, liabilities, and equity interests (It exist, its genuine, its real)
ii. Completeness – all assets, liabilities and equity interests that should have been
recorded have been recorded – (whatever need to be in is already in, did not
miss out any)
iii. Valuation and allocation – assets, liabilities, and equity interests are included
in the financial statements at appropriate amounts and any resulting valuation
or allocation adjustments are appropriately recorded – Accurate
iv. Rights and obligations – the entity holds or controls the rights to assets, and
liabilities are the obligations of the entity – (ownership, belongs to the
company)
v. Presentation & disclosure – transactions and events have been properly
presented and disclosed in the financial statements
AY 2020-2021 Page | 43
Tables summarizing the assertions (Table 1 and Table 2)
Table 1
Assertions Occurrence:
about classes of transactions and events that have been recorded or disclosed have
transactions occurred and pertain to the entity.
and events and Completeness:
related all transactions and events that should have been recorded have
disclosures been recorded and all related disclosures that should have been
included in the financial statements have been included.
O Cut-off:
transactions and events have been recorded in the correct accounting
C period.
C Classification:
C transactions and events have been recorded in the proper accounts.
A Accuracy:
amounts and other data relating to recorded transactions and events
P have been recorded appropriately, and related disclosures have been
appropriately measured and described.
Presentation:
Transactions and events are appropriately aggregated or
disaggregated and are clearly described, and related disclosures are
relevant and understandable in the context of the requirements of the
applicable financial reporting framework.
Table 2
Assertions Completeness:
about account all assets, liabilities and equity interests that should have been
balances and recorded have been recorded and all related disclosures that should
related have been included in the financial statements have been included.
disclosures at Obligations and rights:
the period-end the entity holds or controls the rights to assets, and liabilities
are the obligations of the entity.
C Valuation and allocation:
O assets, liabilities, and equity interests are included in the financial
V statements at appropriate amounts and any resulting valuation or
E allocation adjustments are appropriately recorded and related
P disclosures have been appropriately measured and described.
Existence:
assets, liabilities, and equity interests exist.
Presentation:
Assets, liabilities and equity instruments are appropriately aggregated
or disaggregated and are clearly described, and related disclosures are
relevant and understandable in the context of the requirements of the
applicable financial reporting framework.
AY 2020-2021 Page | 44
Role of management assertions in the audit process
The importance of management assertions is that (reframed) they form audit

objectives
Assertion: All trade receivables shown in the financial statements are collectable
Audit objective: To prove within reason that all trade receivables shown in the
financial statements are collectable
Suggested audit step to prove collectability: Test amounts received from credit
customers after the year-end
Evidence may be upgraded by skilful use of corroborative evidence.
Forming conclusions on the basis of evidence: the exercise of judgement
The business risk approach to gathering audit evidence
If auditors form good impression of management, evidence from them may be relied
on by auditor to greater extent.
As auditors get to know individual members of management well, engagement

partners may feel they can judge integrity.
Close involvement of audit team with management may reveal lack of integrity –
reason for withdrawing from engagement.
Trust in integrity and competence of management could lead to reducing level of

substantive tests of detail.
A basic idea of agency theory is principals cannot trust managers to use resources
properly. But, auditors cannot start with presumption that management lack integrity.
A major issue is that business risk approach brings auditor close to management and
independence may be threatened
Protagonists of business risk approach suggest audit failures are not because auditors
fail to perform tests of detail, but because they missed clear indicators of impending
catastrophe.
AY 2020-2021 Page | 45
The stages of the audit process and evidential requirements at each stage
Generally, we can break down the entire audit process into 3 broad stages:
1) the planning (prelim stage) stage;
2) the testing (include both control testing and substantive testing) stage; and
3) the completion (also known as the final review or overall review) stage.
So what do we do at each of the stage?
The following 4 diagrams depicts the different stages of the audit process and for each
stage, we can see the evidence gathering procedures and process, with the
corresponding purposes or objectives.
The stages of the audit process (Diagram 1 of 4 – Planning, risk assessment)
AY 2020-2021 Page | 46
The stages of the audit process (Diagram 2 of 4 – Interim audit, understanding

and assessing the internal control system)
AY 2020-2021 Page | 47
The stages of the audit process (Diagram 3 of 4 – Control testing, confirmed

system and initial plan and risk assessment before moving onto the final audit)
AY 2020-2021 Page | 48
The stages of the audit process (Diagram 4 of 4 – Final audit, reporting)
AY 2020-2021 Page | 49
Beside audit services, audit firms also provide other assurance or non-assurance
services. Examples:
Compilation engagements (it is like an accounting service)
Professional accountants prepare financial statements on basis of data and information

provided by management – not an audit. Normally carry out following procedures:
Find out what accounting principles and practices are common in entity’s industry.
Get general understanding of business, the risks facing it, nature of the transactions,
accounting principles used, and the presentation and content of the financial
statements. Generally review the financial statements using limited analytical
procedures and discuss critically with management.
Obtain letter from management saying they have been given all the books and records
and other information pertinent to the preparation of the financial statements.
Limited assurance engagement (eg Compliance audit)
Not full audit; accountant aims to obtain limited assurance financial statements
comply with legislation and accounting standards. Evidence-gathering procedures
include:
– Determine accounting principles and practices in industry.
– Get good understanding of business, how organized, operating characteristics,
risks facing it and related controls, nature of transactions, assets and
liabilities – goes further than compilation engagement work but very few
detailed tests.
– Analytical procedures to identify relationships between figures appearing
unusual and discuss with management. May advise management on
appropriate adjustments to financial statements.
– Letter of representation from management confirming significant oral
representations by management during review.
– At completion of review read financial statements to ascertain appear to
conform to requirements of Companies Act and accounting standards.
Agreed upon procedures engagement (mostly offered as a non-assurance service)
Similar to limited assurance engagement except certain detailed procedures would be

performed – as agreed with management. Most of the time auditors do not form an
opinion (non-assurance) but will just report what they found. This service is therefore
sometimes known as a fact-finding exercise. Report would indicate detailed
procedures carried out but would disclaim a full audit opinion.
AY 2020-2021 Page | 50
Agreed procedures would require the accountant to seek evidence the items subject to
the agreed procedures have been stated appropriately.
What are the advantages and disadvantages for an audit firm to provide non-
audit service to their audit clients?
Advantages:
1) Knowledge of the client – more efficient service?

2) Not wanting to reveal the company’s secret to another audit firm
3) Think of potential discount on fees
4) Extra revenue for the audit firm
5) Audit staff deployment/utilization during off peak season
Disadvantages:
1) Ethical issue – Independence, self review threat

2) Too familiar – not a fresh pair of eyes
3) Competence of audit staff doing non-audit work
4) Fee dependence – going back to the first point (independence)
AY 2020-2021 Page | 51
Q8.1)
Below is a list of sources of audit evidence:
(i) The chief accountant, who is a member of CIMA, explains why inventory
levels are higher at the end than at the beginning of the year.
(ii) A storeman in the main store explaining how the store control system
operates.
(iii) An invoice from a supplier of electricity.
(iv) A trainee accountant, presently studying for professional accounting
examinations, explaining the reason why telephone charges were lower this
year than last.
(v) A letter to the auditor from a lawyer confirming that, as far as he is aware,
there are no legal matters of material significance.
(vi) A confirmation from a credit customer agreeing that a balance in the books of
the entity is correct.
(vii) A calculation of tax charge and liability made by the auditor.
(viii) Inventory count sheets, the count having been observed by the auditor.
(ix) The company’s order book, showing orders received from customers. This
book is required for company planning purposes.
(x) Estimates of useful life of newly acquired plant, made by the production
director.
Required:
Suggest which sources may be regarded as reliable, explaining why this is so, and
how you might upgrade (corroborate) the evidence, if required?
i)
The chief accountant is a well-informed officer of the company. For this reason,
evidence emanating from him or her is good evidence. However, he or she is internal
to the organisation and the auditor would seek corroborative evidence that the
statement is acceptable. For instance, if the auditor finds that sales forecasts indicate a
higher level of sales in the coming year than in the year just ended, this might help to
prove the chief accountant's statement.
ii)
The storeman is again internal to the organisation and his statements should perhaps
be viewed with caution. However, such officials are frequently a very useful source of
evidence as they may be very well informed about a small segment of the company's
activities and may, indeed, be much better informed about them than the chief
accountant. For instance, the chief accountant may believe that inventory control
officials check physical inventory against inventory records at regular intervals,
whereas the storeman knows that this is not the case. On the other hand, it must be
said that often people in organisations are not aware of the whole picture so that care
must be taken in evaluating statements made by them. For instance, inventory control
officials may carry out inventory counts at night when the storeman is not on duty. It
would therefore be necessary to corroborate the statements made by the storeman.
AY 2020-2021 Page | 52
iii)
An invoice from a supplier of electricity is a document in the hands of the company
emanating from a third party. It may be regarded as a particularly reliable document
for the following reasons: – Electricity invoices are normally issued at regular
intervals during the year and can be easily compared with previous electricity
invoices, although there is a possibility that they may be forged. – The electricity
usage will be metered and meter readings can easily be tested by the auditor.
Electricity charges may be corroborated in general terms by assessing general levels
of activity.
iv)
Invoices of the Telephone Company will support the telephone charges and these
invoices are as reliable as the electricity invoice referred to above. The explanations
for the charges being lower this year depends upon whether they appear reasonable in
the light of what the auditor knows about the company. For instance, if company sales
are much lower because of a downturn in economic activity, telephone charges may
be lower if they are correlated to sales. Analytical review of activity levels could thus
help to corroborate telephone charges. Your view of the trainee accountant's ability
may also affect the credence given to his statements.
v)
The letter from the lawyer would be regarded as good evidence in itself because it
comes from an independent professional person and has been sent direct to the
auditor. The main problem for the auditor is identifying which legal advisors the
company had used. In particularly difficult cases involving perhaps complex legal
matters, the auditor might wish to corroborate the opinions of the company's legal
advisor(s) by seeking a second opinion.
vi)
The letter from the debtor is also good evidence, coming as it does from an
independent third party direct to the auditor. We would be inclined to regard it as less
reliable than that from the lawyer, however, for the reasons outlined in the text.
Confirmations from credit customers would not normally be the sole evidence sought
by the auditor in confirming trade receivables balances and sales invoices. Other
corroborative evidence would include other supporting evidence like subsequent cash
collection of the debt.
vii)
Most qualified auditors will have knowledge of taxation, although it is an area in
which one may get rapidly out of date. Assuming that the auditor is a tax expert or has
called upon expert help from within the audit firm, the computation of tax charge and
liability would be reliable evidence for the auditor, especially if the computation is
checked by others within the firm. Although the computation has been made by the
auditor, it would be necessary to ensure that management was in agreement with it.
AY 2020-2021 Page | 53
viii)
Inventory count sheets are prepared as a result of a physical count carried out by
company staff. If the system that the company has established to control the inventory
count is good and the auditor's observation has confirmed that the count has been
properly carried out, the inventory count sheets may be regarded as good evidence,
particularly if supported by the auditors own count sheets (that would serve to
corroborate the company's figures). Remember that inventory count sheets prepared
by the company are internal documents and may therefore be subject to manipulation.
ix)
The company requires the order book for its own planning purposes and in the normal
course of business. Such evidence is better than evidence prepared on an ad hoc basis
and may be used by the auditor for testing such matters as the saleability of inventory.
Provided that the auditor can corroborate its accuracy by reference to correspondence
from customers, salesmen’s' records etc., the order book may be good evidence.
x)
The estimate of useful life is a more difficult matter as it relates to the future and the
future is notoriously cloudy. In itself the estimate by the production director is poor
quality evidence, but it may be upgraded on the basis of past experience,
manufacturer's specifications, experience of others in the industry and so on.
Remember also that, within the company, the production director may be the best
qualified to estimate the useful lives of production plant. The auditor should certainly
discuss the matter with him or her.
Q8.2)
Explain the meaning of the following terms:
(i) Interim examination.
(ii) Final examination.
(iii) Inconsistent audit evidence.
(iv) Systems-based evidence.
(v) Third-party evidence.
(vi) Persuasive evidence.
i)
The term 'interim examination' is used for that part of the audit carried out prior to the
year-end. Normally, the interim will be used to review and test the operation of
systems and to test the accuracy and completeness of the recording of transactions and
balances. The results of this work and the conclusions drawn therefore will be used
during the final examination in planning and in supporting conclusions on the final
work. In the case of large assignments, there may be more than one interim
examination, and indeed for very large engagements, auditors may be present in the
company and its various locations throughout the year.
AY 2020-2021 Page | 54
ii)
‘Final examination' is the term given to the work on the financial statements after the
year-end. Note that in the case of small assignments, the systems, transaction testing
and work on the final financial statements are likely all to be carried out in the same
period.
iii)
'Inconsistent audit evidence' is evidence that does not support other evidence, thereby
downgrading it and rendering it of less value. It may reveal that the auditor has
initially formed a view that is not sustainable. For instance, let us assume that you are
auditing a roofing company, which makes provision for customer claims on the basis
of 3% of turnover per annum. The auditors may have satisfied themselves that 3% is
adequate on the basis of past experience, but a recent article in the trade press has
suggested that rate of claims is likely to rise because of problems in the use of new
materials. In this case the reliability of evidence based on past experience would be
reduced because it is inconsistent with more up-to-date evidence.
iv)
'Systems-based evidence' is evidence that has been produced or influenced in some
way by the accounting and control system in use by the company. For instance, a
supplier's invoice which has been checked by company officials and stamped to
indicate agreement with purchase order and goods received note has been checked by
the system. A sound system of control tends to make such evidence more reliable.
v)
'Third party evidence' is evidence emanating from persons or organisations external to
the company and therefore possesses the important quality of independence. It is
usual to distinguish between third party evidence coming from: - Professional people
such as lawyers or other accountants - Non-professional people such as customers and
suppliers - Third party evidence coming direct to the auditor such as a letter from a
bank manager confirming a bank balance, and third party evidence in the hands of the
company, such as the suppliers invoice referred to above. On the whole third party
evidence is reliable as far as the auditor is concerned.
vi)
The use of the term ‘persuasive’ in relation to audit evidence indicates that often
(normally) the evidence collected by the auditor is not conclusive. For instance, if the
auditor checks 10 items of inventory on hand with the inventory count sheets and
finds that the sheets are correct in each case, this may well persuade the auditor that
the inventory count is being properly conducted and that the inventory sheets are
reliable. Auditors would, however, be very unwise to draw the conclusion that the
inventory count was 100% correct on the basis of their test. They may of course
obtain sufficient confidence on the basis of the persuasiveness of the evidence in the
context of tolerable error.
AY 2020-2021 Page | 55
Q8.3)
An important objective of the business risk approach is to make the audit more
profitable by cutting down on the amount of evidence obtained by substantive tests of
detail. Discuss.
It is undoubtedly true that the audit will be less costly if audit effort is reduced.
Whether it will make the audit more profitable may be doubtful as detailed tests of
detail are normally performed by less costly staff, whereas the business risk approach
involves much greater expenditure of time by senior staff such as partners and
managers.
However, the protagonists of the business risk approach suggest that it will make the
audit more effective because intensive investigation of business risks and the quality
of management will make it more likely that audit effort will be directed to the high
risk areas.
This may involve tests of detail but the argument is that few audit failures occur as a
result of insufficient tests of detail but because warning signs of critical matters such
as lack of liquidity or unsaleability of goods are ignored or not detected because of
unimaginative auditing and failure to use such obvious tests as analytical review in a
sufficiently effective way.
That is not to say that tests of detail are useless. We don't know all the facts behind
the WorldCom debacle but extended testing of capital and maintenance expenditure
might well have detected that the capital/revenue decision was being incorrectly
made.
On the other hand, in view of the magnitude of the figures an outsider might well
wonder why analytical review comparing current year with prior year did not discover
that something strange was going on. It is of course worth mentioning that additional
assurance work by the auditor on behalf of management as a spin-off of the business
approach, may well mean that the total profitability from the relationship with the
company may be enhanced.
Q8.4)
You are the engagement partner of an audit assignment with an entity specializing in
the provision of information technology services and software. At the beginning of
the financial year the company entered into a contract with the government of China
and you have been discussing the implications of the contract, including the
investment in necessary new technology and amounts receivable from the Chinese
government. What evidence would you look for to satisfy yourself that business risks
have been considered and that the company has taken reasonable steps to reduce the
risks? Would this work be useful in ascertaining that management is competent and
trustworthy? Assume this is not a new client.
AY 2020-2021 Page | 56
As this is not a new client, the auditor should already be well informed about the
abilities of management. You will appreciate, however, that finding out about the
integrity of management, and how skilled they are, is no easy matter and it is not done
in a single meeting at the beginning of the audit but over a period of time, perhaps
even over a period of years.
However, in this particular case management is entering new territory and the auditor
would want to be satisfied that they are aware of the business risks and to ascertain
what steps they have taken to minimise these risks. The following are the kinds of
thing that the auditor should consider:
- Has the company the expertise, both technically and legally to handle a
contract of this kind?
- What steps have management taken to ensure that they can finance the new
business? In particular, have they ascertained when payment for the services
and goods provided will be made?
- Has the company discussed the implications of the contract with persons in
their own country, knowledgeable about conditions in China?
- Has management obtained legal advice on the contract and have they
ascertained under which laws the contract is enforceable.
- Has the company employed people with the necessary linguistic skills and
with a good knowledge of the Chinese cultural and business scene.
No doubt there are many other matters that would need to be taken into account, but if
the auditors discover that management have considered all relevant matters and that
the answers to questions such as those set out above can be answered positively, then
they will have gone a long way to satisfying themselves that management is
competent.
The question of integrity and trustworthiness is more difficult. If management have

consulted the auditors from the start to make sure that there were no problems
affecting the audit of the financial statements, that would be a positive sign. However,
the auditor may wish to carry out sufficient tests to ensure that the assertions of
management, implied or otherwise, are valid. For instance, apart from asking if the
project team has reported any technical problems affecting the contract, the auditors
may wish to peruse the reports themselves. They may seek legal advice for
themselves on the acceptability of the contracts. It is likely that the auditors would
wish to see if the terms of the contract are being adhered to by both parties. For
instance are the information services and software being supplied in accordance with
the contract, both as regards quality and timeliness. Are the final quality control
reports satisfactory? Is payment being received from the Chinese government on a
timely basis?
You may feel that the auditor's task is a difficult one and we would agree, but it can
also be most interesting and rewarding. We think you will agree that forming a view
on the integrity and competence of management is vital. The members of the
management team, both individually and as a group are a vitally important source of
audit evidence. These are the people who are running the company and they are,
AY 2020-2021 Page | 57
therefore, very well informed about the company, the risks it faces and the controls in
place. The problem for the auditor is that they are not independent of the company; in
fact their success is closely bound up with the company. This means that the auditor
has to take steps to corroborate evidence coming from management to increase its
reliability.
Another important step would be to make a record of any important matters discussed
with management and any significant decisions made or conclusions formed, together
with the evidence to justify those conclusions. We suggested that written evidence
would be superior to oral evidence, whether it is on paper or kept in electronic form
by the auditor.
Q8.5)
Explain how a review engagement differs from an audit engagement. Explain why a
report on a review engagement might be useful to the person requesting that the
engagement be carried out.
The basic difference between a review engagement and an audit is that the latter
requires auditors to collect enough appropriate evidence to satisfy themselves that the
financial statements give a true and fair view of what they purport to show. A review
engagement on the other hand does not have the same evidential requirements as the
report contains a disclaimer to the effect that a full audit opinion is not being given.
Thus, it would be unlikely that a review engagement would require the auditor to
attend inventory counts or to seek confirmation of balances from customers and
suppliers - unless of course the review engagement were to be extended to an agreed
upon procedures engagement.
However, the work performed in some respects is similar to an audit engagement as

the following work would be performed:
- Find out what accounting principles and practices are common in the
company's industry
- Get a good understanding of the business, how it is organised, its operating
characteristics, the risks facing it and how their impact is reduced by the
control environment and detailed controls, the nature of the transactions
entered into and of its assets and liabilities. However there would not be
detailed tests of controls or of transactions and balances.
- Apply analytical procedures to identify any relationships between figures that
appear unusual and discuss them with management. If necessary advise
management on appropriate adjustments to the financial statements
- Obtain a letter of representation from management confirming the significant
oral representations made by management during the review. The letter should
be signed by persons responsible for the preparation of the financial
statements.
AY 2020-2021 Page | 58
- At the completion of the review, read the financial statements to ascertain that
they appear to conform to the requirements of the Companies Acts and
accounting standards.
The important point is that the review is being carried out by a professional person
and that person is giving a report on the information prepared. That means that the
reader will assume that the information has been looked at by a professional person
and will assume that it can be relied on to some extent.
Reviews can be requested instead of a full audit where, for instance, the information
will be included in group accounts although it may not be significant enough to be
material in the group context. Reviews might also be requested by people extending
finance to the company. The assurance given is lower than for a full audit but can still
carry some weight for the reasons indicated.
Q8.6)
Audit evidence is required to be both sufficient and appropriate. Explain what is
meant by this statement giving appropriate examples.
Evidence gathered has to be sufficient (that is, enough has been collected) and
appropriate to enable the auditor to form conclusions about the assertions made by
management. Appropriateness includes both reliability and relevance.
Thus, let us assume that the auditor is trying to conclude that the trade receivables
figure represents balances that are collectible. What would be relevant evidence in
this respect? Well we suggest that you might look at the company's system for
checking credit worthiness. If this system is sound it will go some way to persuade the
auditor that the trade receivables are collectable - in other words this evidence will be
relevant. Similarly, if you were to examine receipts after the balance sheet date from
customers and to look at the ageing statement showing those customers that are
overdue and for how long and those which are not overdue. Again this is very relevant
evidence to proving collectability.
Now think about reliability - after date receipts from customers would be very reliable
evidence. The ageing statement might not be particularly reliable if it were prepared
by the person in charge of the trade receivables ledger, but if it were prepared by an
independent person or were produced by computer and reviewed by the chief
accountant, it would be much more reliable.
The final question is that of sufficiency. How many of the trade receivables balances
would you test. How many of the credit worthiness records would you test? The
answer is of course: "It depends." The amount of detailed testing we would perform
could be restricted if the controls in force were adequate to reduce the impact of
inherent risk to acceptable proportions. If we had concluded that credit worthiness
checks were adequate we might take a batch (say) of 50 sales order forms and
ascertain that every one of them had been signed by a responsible official in the credit
AY 2020-2021 Page | 59
control department. Alternatively, you might review a number of credit limits

exceeded reports and ascertain that approval had been given by a responsible official
to the credit limit itself and to any breach of such limits.
No doubt you can come up with other procedures, but the principle is clear – audit
evidence must be sufficient, reliable and relevant.
Q8.7) UoL AA 2013 Exam ZB Q7

Auditors can only form an opinion on the financial statements if they have sufficient,
appropriate audit evidence. Discuss what is meant by sufficient and appropriate audit
evidence and how auditors ensure this is obtained.
This is very much an open ended option and it is not possible to prescribe exactly how
an answer should be formulated. You should be able to draw on your knowledge of
the theory of auditing and your understanding of the auditing standards.
A basic principle of auditing is the need to obtain evidence before drawing

conclusions. For the evidence to be reliable auditors need to be confident that the
source of the evidence is independent of the client as far as possible and they also
need to check sources of consistent evidence.
Discussions of audit risk and materiality also featured in the best essays in 2013. The
need to exercise competent and independent judgement with a degree of professional
scepticism would merit discussion if the essay were to achieve the top marks. Finally,
some elaboration on sampling of evidence and discussion of compliance and
substantive tests would be relevant.
What the weaker essays tended to do was to recite lists of types of evidence along
with appropriate uses of each type. While these may have been technically correct,
unless the candidate attempted to mould that material to answer this particular
question it is unlikely that they would have received more than a 2:2 mark at best.
Q8.8) UoL AA 2013 Exam ZB Q8
Identify the various stages in the audit process, describe the main issues which
auditors address at each stage and comment upon the interrelationship between the
various stages.
This should be a relatively straightforward question for a well-prepared candidate.
The stages which could be discussed include:

1. understanding the client
2. identifying the risks
3. understanding the system of accounting and control
4. assessing materiality
AY 2020-2021 Page | 60
5. testing compliance
6. performing substantive tests
7. reviewing the results of all the tests
8. deciding on the form of audit report and other various opinions.
Most of the candidates who did attempt this question made a reasonable attempt at
discussing these stages in the process but what they nearly all lacked was a coherent
explanation of the links between each stage. For example, how the results of the
compliance tests will determine the nature and extent of the substantive tests and how
reviewing the results off all the tests will then lead on to the auditors making
judgements about the final audit opinion.
What this question illustrated quite starkly is that it is one thing to have the technical
knowledge of the subject area but quite another thing to be able to apply that
knowledge to answer the particular question set. Only a few of the very best scripts
were able to address each of the three components in the question: identifying the
stages in the audit process, describing what auditors do in that stage and explaining
how the stages relate to one another. It is vitally important that you learn to read the
question carefully and make every effort to answer each part.
END OF LECTURE 8
AY 2020-2021 Page | 61
Lecture 9 – Internal Control System
Learning objectives
a) To explain the significance of the layers of regulation and control.
b) To define internal control and explain the significance of the control
environment and related components, and accounting and quality
assurance/control systems.
c) To explain the nature and role of systems development/maintenance controls
and describe the main features of general controls.
d) To explain the nature and role of application controls and describe the main
features of these controls.
e) To distinguish between general and application controls.
f) To explain how the auditor records systems in use.
Internal controls and control risk
Main interest at interim is to determine accounting records are genuine, accurate and
complete. If accounting and control systems good, and general control environment
satisfactory, more likely accounting records will be reliable.
Effectiveness of accounting and control systems closely related to control risk – has a
bearing on extent of substantive procedures.
An understanding of internal control assists the auditor in identifying types of

potential misstatements and factors that affect risks of material misstatement, and in
designing the nature, timing and extent of further audit procedures (ISA 315, para
A42).
There is an important relationship between tests of controls and extent of substantive

procedures.
Definitions: substantive procedure and test of control (ISA 330, para 4)
Test of control – An audit procedure designed to evaluate the operating effectiveness

of controls in preventing, or detecting and correcting material misstatements at the
assertion level.
Substantive procedure – ‘An audit procedure designed to detect material

misstatements at the assertion level. Substantive procedures comprise:
(i) Tests of details of classes of transactions, account balances, and disclosures,
and
(ii) Substantive analytical procedures’.
AY 2020-2021 Page | 62
Layers of regulation and control expanded
(Source: GMC Chapter 7, Figure 7.1)
AY 2020-2021 Page | 63
What is internal control?
Controls are to prevent, detect or correct events that the entity does not wish to
happen.
Internal control: The process designed, implemented and maintained by those charged
with governance (TCWG), management and other personnel to provide reasonable
assurance about the achievement of an entity’s objectives with regard to reliability of
financial reporting, effectiveness and efficiency of operations, and compliance with
applicable laws and regulations. (ISA 315, para 4).
Business risk approach – impact on extent of audit tests
Business risk approaches may result in reduced tests of controls and substantive tests
of detail; more reliance on effectiveness of control environment and analytical
evidence.
Auditors are becoming more selective in detailed work they perform, concentrating
on systems critical to their ability to form an opinion.
Important part of control environment is effective internal audit function and quality
standards group, if one exists.
Components of Internal Control System (COSO Model)
The 5 components of internal control are:

1) Control environment
2) Entity’s risk assessment process
3) Information system
4) Control activities
5) Monitoring of controls
1) The control environment
Control environment sets the tone of the organization. It includes the attitude, actions
and awareness (3As) of management and those in charge of corporate governance
(TCWG) towards control and how they view the importance of controls
Further breakdown of control environment – We look at the elements of control

environment which include:
– Communication and enforcement of integrity and ethical values
AY 2020-2021 Page | 64
– Commitment to competence
– Participation by TCWG
– Management’s philosophy and operating style
– Organizational structure
– Assignment of authority and responsibility
– Human resource policies and practices
2) Entity’s risk assessment process
Entities should consider likelihood of business risks crystallizing and the significance
of the consequent financial impact on the business.
Once this has been done suitable controls should be introduced to reduce risks to
acceptable level.
3) Information system
Includes related business processes, relevant to financial reporting and

communication.
Relevant and timely information about internal activities and external factors
essential if an entity is to be successful – including Key Performance Indicators
(KPIs).
4) Control activities
These include:
a) Authorization
b) Performance reviews,
c) General and application controls over information processing (IT Controls)
AY 2020-2021 Page | 65
d) Physical controls
e) Segregation of duties
5) Monitoring of controls
Basic task is to assess the performance of controls and their adequacy and relevance
over time.
Monitoring may be a special responsibility of a quality standards group, internal audit

or even external audit.
Accounting and quality assurance/control systems
Going back to the earlier textbook GMC Chapter 7, Figure 7.1, we now look into the
second part of the internal environment which is the accounting and quality assurance
(QA) system.
What is the difference between the accounting systems and internal control system?
Accounting control systems impose controls on accounting system to ensure, within

reasonable limits, that transactions and balances are valid.
Internal control system is a process for achieving control objectives identified

beforehand. It gives reasonable but not absolute assurance that control objectives are
met. For example, in a sales internal control system, one of the control objectives is to
ensure that the company only sell to authorised credit worthy customers (for fear of
bad debts later). So one of the internal control procedures we will put in is every new
customers must go through a credit check and the credit limit imposed have to be
authorised by the credit controller or financial controller.
Users of financial information primarily concerned with the information derived from
the accounting systems and its reliability.
Two kinds of control:

– General controls
– Application controls
Distinction between general controls and application controls
General controls are controls over the environment in which entity operates. Their
roles are to ensure that applications are trouble free and prevent, detect or correct
events that management do not wish to happen.
AY 2020-2021 Page | 66
Application controls are designed to ensure individual applications run smoothly.
Let us start with general controls. General controls include:

A) Systems development/maintenance controls
B) Organizational controls
C) Security and quality assurance
A) Systems development/maintenance controls
1. Organizational structure to manage project and ensure high standards.

Organizational structure should have a member of the board with final responsibility
for information systems, representatives of main user groups, a manager responsible
for quality assurance, a manager with responsibility for security of data, software and
hardware, a manager responsible for operations and an internal auditor providing
independent reviews on controls and completeness of information/audit trail.
2. Documentation of development process – to allow informed person to

understand development process and how system works.
3. Testing at each stage before permission is given to proceed to the next stage.
4. Persons involved in the process take responsibility by confirmation in writing.
5. Parallel developments (eg staff training, file conversion procedures)

alongside technical development.
6. Reliable system for reporting system malfunctions.
7. Ensure unauthorized changes are not made to programs.
8. Ensure completeness of information/audit trail.
AY 2020-2021 Page | 67
B) Organisational Controls
. Proper organization structure (with proper segregation of duties)
Segregation of duties: authorization of transactions; execution of transactions; custody

of assets; recording of transactions and assets. Important features include:
a) Operation of program segregated from ability to change it.
b) Alteration of master files in hands of responsible official.
c) Rotation of duties, eg in data base administration department.
2. Authorization and approval – by responsible persons – authority limitations.
3. Supervision controls – higher level controls by responsible management.
4. Management of data – e.g. way data collected, prepared and enters system.
C) Security and quality assurance
Security over physical assets

Security plan: identify risks, threats, likely occurrence: fire and water damage; energy
variations; pollution; unauthorized intrusion.
Security over software.

Controls over security of data: restrict access; maintain information/audit trails; hold
data and programs externally.
Quality assurance
Developed software to meet user needs: reliability, ease of use, efficient in use, easy
maintenance, clarity/completeness of system documentation, effective staff.
AY 2020-2021 Page | 68
A word about “collusion” – the enemy of segregation of duties
Value of segregation of duties depends on people being genuinely independent of

each other.
If work together – collude – to defeat the object of the control, it is as if the control
does not exist.
If A keeps inventory and B is required to count and compare it with inventory records
= important control to safeguard assets. If A misappropriates inventory and B in
cahoots states there were no differences between physical and book inventories =
collusion.
Collusion is one reason fraud so often difficult to detect. Looks as though proper
segregation of duties but ineffective where two people act as one.
Controls over master files

Errors in master files cause systematic errors to occur every time a routine such as
payroll preparation is run.
Controls include:
Master file copies in secure location outside computer room.
Master files identified internally and by external labelling.
Master files to be updated by persons not connected with the execution or processing
of transactions, using secured passwords.
Potential limitations in internal control
1) Cost benefits reason
2) Human errors
3) Management abuse power and override controls
4) Collusion (see above)
5) System not designed to identity unusual/extraordinary errors
AY 2020-2021 Page | 69
Application controls
The main objectives of computer applications are to ensure:
a) Data collected prior to input is genuine, accurate and complete.

b) Data accepted by the system remains genuine, accurate and complete during
processing.
c) Data stored temporarily or permanently should be genuine accurate and
complete.
d) Output data/information is genuine, accurate and complete and goes to the
intended recipient
e) Information/audit trail is complete.
Application controls are applied at the data capture/input stage; processing stage; and
output stage. Commonly known as input, process and output controls.
We will cover general computerised accounting system first with input controls,
processing controls and lastly output controls.
At the end of this lecture, we will cover some special controls related to database and
e-commerce.
1) Input controls
Boundary controls are controls over user and system interface: cryptographic controls
(encryption technique); plastic cards for identification; PINs; digital signatures;
passwords; firewalls; and initiation of information/audit trail.
Input controls in place before data passes interface: design of source documentation;
design of product, customer and other codes; check digits; sequence checking; limit or
reasonableness tests; one-for-one checking; and batch controls.
Input data verified as soon as possible after entry. Two useful controls: exception
reports and sound warnings of invalid data entry.
For example, a sales clerk receives a telephone order from a customer who asks for a
delivery of 100 units of a product, at a price of $5 per unit. What is particularly risky
about this transaction? (what can go wrong?)
Then now we think of what application controls would be appropriate to reduce the
risks to an acceptable level?
AY 2020-2021 Page | 70
Features of password:
Degrees of access (different level of access)
Use of alphanumeric digits
Avoid passwords identified with person using
Regular/frequent changes
Shutdown of terminals if keyed in incorrect for say, 3 times.
Input access controls

Restriction of terminals to one particular activity
Records of terminals and employees accessing
Restriction of use of terminals
Where national telephone system used for transmitting data:

Numbers ex-directory
Private secure lines
Numbers restricted to identified activities
Call-back system
Encryption.
Firewalls
Firewall – system controlling access between internet and entity network.
Intranets allow easy transfer of data between parts of the system.
Extranets – networks expanded to people and organizations outside the organization –
may be more vulnerable to outside threats.
2) Process controls
During processing, nothing is added or deleted. (completeness of processing). Process

controls include use of control total and document counts control.
Other process controls include overflow control (insufficient memory), and controls
to ensure that the right version of the programme is used to process the transactions.
3) Output controls
Two purposes of output controls: (1) outputs are genuine, accurate and complete; (2)
outputs are distributed to those who requested or need them.
Access controls, batch control and rapid correction of errors make genuine, accurate
and complete outputs more likely.
The exception report is a special kind of output, important in the context of control.
Users of output data and information should be trained to review the output for any
obvious errors.
AY 2020-2021 Page | 71
Special system - Database systems
A database is ‘a collection of data that is shared and used by a number of different

applications for different purposes’.
Prime advantage – provide the same data to all authorized users, but there are security
and integrity problems to be solved:
a) Loss of control over data by data preparation personnel.
b) Excessive power in the hands of the database administrator.
c) Technical features to secure safety in processing may reduce control.
d) The information/audit trail is particularly important.
Special system - E-commerce
Risk enhanced by the openness of the internet.
There are four degrees of internet use:

1. Using the internet as a means of making information available to
outsiders.
2. Exchanging information with trading partners.
3. Using the internet to transact business.
4. Full integration with business systems with direct impact on the
entity’s records.
Auditors determine management strategy and steps to identify risks and how
controlled:
1) security risks
2) legal and taxation matters
3) practical business and accounting problems
4) the internet never sleeps
5) crisis management
Security risks
Corruption of data by viruses and hackers
Threat to privacy of personal data
Infringement of intellectual property rights
Unwanted communication, e.g. ‘spam’
Controls to reduce impact of risks:
1. Security policy
2. Firewalls
3. Private networks, such as intranets and extranets
4. Information/audit trails
5. Other security measures
i. Encryption of data
ii. Identification and authentication information
AY 2020-2021 Page | 72
Legal and taxation matters

ISA 250: ‘The auditor shall obtain sufficient appropriate audit evidence regarding
compliance with the provisions of those laws and regulations generally recognized to
have a direct effect on the determination of material amounts and disclosures in the
financial statements.’
The internet is international in nature – must be known which legal jurisdiction

applies when transactions are entered into.
Also – which tax jurisdiction can tax income derived from a transaction, including
VAT.
Also the legal issues related to personal data protection, confidentiality of

information, sales of counterfeit goods,
Practical business and accounting problems

Entity carrying on business over internet may act as principal (record as sales) or
agent (record commission) – examine contractual arrangements with third parties.
Other accounting matters include:

Cut-off
Return of goods and claims under product warranties
Bulk discounts and special offers
Payment other than by monetary transfer
Browsing
Follow-through of transactions
The internet never sleeps

E-commerce systems must operate efficiently and effectively for 24 hours
Staffing implications
Systems robust enough to work properly over the 24-hour period
Integration of systems and automatic updates of accounting records desirable.
Crisis management
Systems to ensure losses minimized when things go wrong.
Possible consequences of failures include loss of reputation, loss or corruption of data

and information and significant reductions in positive cash flows – possible going
concern implications.
Appropriate measures include back-up of important data, installing emergency power

supplies, regular review of system quality by independent persons and regular
maintenance and testing of systems in use.
AY 2020-2021 Page | 73
Recording accounting and control systems
Auditors record systems and controls, using:
1) Narrative notes
2) Visual description (Eg Flowcharts)
3) Questionnaires (Eg Internal control questionnaire (ICQ))
In practice, a combination of narrative description, flowcharts and questionnaires and

checklists will be used. Each method has its value.
1) Narrative notes
The purpose of narrative notes is to describe and explain the system, at the same time as
making any comments or criticisms which will help to demonstrate an intelligent
understanding of the system.
Narrative notes
Advantages Disadvantages
They are relatively simple to record and Describing something in narrative notes can be
can facilitate understanding by all a lot more time consuming than, say,
audit team members. representing it as a simple flowchart,
particularly where the system follows a
logical flow.
They can be used for any system due to They are awkward to update if written
the method's flexibility. manually.
Editing in future years can be relatively It can be difficult to identify missing internal
easy if they are computerised. controls because notes record the detail of
systems but may not identify control
exceptions clearly.
2) Flowcharts
Flowcharts can take many forms, but in general are graphic illustrations of the physical flow of
information through the accounting system. Flowlines represent the sequences of
processes, and other symbols represent the inputs and outputs to a process.
Advantages:
1. Aids understanding of accounting/control systems.
2. To draw a flow chart properly auditor must understand how the entity
controls its operations.
3. Detect strengths, weaknesses, unnecessary procedures and documents.
Disadvantages:
1. Time-consuming to prepare and difficult to alter.
2. In simple systems, narrative descriptions better.
3. Considerable variation of symbols used.
4. Require experience to prepare and interpret.
5. In complex situations too simplistic.
AY 2020-2021 Page | 74
3) Internal control questionnaire (ICQ)
ICQs record details of the system – useful in recording small systems.
Used to interpret the strengths and weaknesses of the system.
The major question which ICQs are designed to answer is 'How good is the system of
controls?'
They comprise a list of questions designed to determine whether desirable controls are
present.
One of the most effective ways of designing the questionnaire is to phrase the questions so that
all the answers can be given as 'YES' or 'NO' and a 'NO' answer indicates a deficiency in the
system.
Questionnaires
Advantages Disadvantages
If drafted thoroughly, they can The principal disadvantage is that they can be
ensure all controls are considered. drafted vaguely, hence misunderstood and
important controls not identified.
They are quick to prepare. They may contain a large number of
irrelevant controls.
They are easy to use and control. They may not include unusual controls,
which are nevertheless effective in particular
circumstances.
Because they are drafted in terms of They can give the impression that all controls
objectives rather than specific controls, are of equal weight. In many systems one NO
they are easier to apply to a variety of answer (for example lack of segregation of
systems. duties) will cancel out a string of YES
answers.
AY 2020-2021 Page | 75
Q9.1)
Explain the importance of internal control within organizations. What are the main
elements and what is the auditor’s interest in them?
Internal control is defined in Paragraph 4c of ISA 315: The process designed,

implemented and maintained by those charged with governance, management and
other personnel to provide reasonable assurance about the achievement of an entity’s
objectives with regard to reliability of financial reporting, effectiveness and efficiency
of operations, and compliance with applicable laws and regulations.
The term “control” refers to any aspects of one or more of the components of internal
control. Note its aims:
(a) To ensure within reason that financial reports are valid and reliable
(b) To ensure within reason, that operations are effective and efficient
(c) To ensure within reason that applicable laws and regulations are adhered to
(d) To address identified business risks that may threaten the objectives in (a) to
(c) above.
The main elements (or components) of internal control are:

(a) The control environment.
(b) The entity’s risk assessment process.
(c) The information system, including the related business processes, relevant to
financial reporting, and communication.
(d) Control activities.
(e) Monitoring of controls.
The reason that the auditor is interested in the effectiveness of internal control and its
components is that good control systems reduce audit risk by mitigating the impact of
inherent risk. The auditor’s main interest, of course, is in determining that the
financial statements give a true and fair view, and the existence of strong internal
control within the organization will increase the likelihood that financial reporting is
valid and reliable.
If control risk is low the auditor will be able to reduce the amount of detailed
substantive testing.
Q9.2)
Integrity and ethical values are important factors in ensuring that internal control,
including the control environment is effective in reducing risk and in helping
management to achieve objectives. Do you think that these are just meaningless
words or are they really important in the business context? Why do you think that
auditors look for integrity and ethical values in management and throughout the
organization?
AY 2020-2021 Page | 76
In the textbook GMC Chapter 7, we saw that the control environment can only be
effective if integrity and ethical values permeate the organisation. However, they
CAN be just meaningless words unless management makes sure that staff know what
integrity means in the context of the organisation. For instance, management of an
electrical retailer would effectively be saying to customers that goods purchased were
safe to use. This would mean that statements about safety would have to be properly
backed up by a proper testing regime. If not, the company would expect to suffer loss
of reputation and to incur damages as the result of court cases.
An example like this can show us that integrity and ethical values have a practical
significance and are not just meaningless words. As far as auditors are concerned,
they have to decide if they can rely on company systems in achieving their own
objectives, the main one of which is to give an opinion on the truth and fairness of the
financial statement.
Management is responsible for putting in systems and creating a control environment

that will ensure that all of their objectives will within reason be met, including
preparing financial statements that truly and fairly represent the results of the
organisation and its state of affairs. If management possesses integrity and ensures
that company staff are aware of the ethical values needed in the context of the
company, the auditor will be more confident that the control environment and
associated detail controls can be relied on. In this connection, there have been a
number of well-publicised case (Eg Enron) of whistleblowing by people internal to
organisations, who have objected to the way that the organisations behave. Very often
these objections are legitimate and organisations should have a stated policy in respect
of whistle-blowing, including a system that enables employees to discuss their
misgivings to independent people within the organisation.
Q9.3)
You have recently become auditor of a small trading entity whose system is based on
a series of networked microcomputers, using bought-in software for basic accounting
functions. During the initial meeting with management, the managing director told
you that he is really scared of all ‘this computer stuff’, particularly as there is no one
in the entity who has any specialized knowledge of computers. How would you advise
him? What do you think might be the key risks in such an entity?
As an auditor, you might have preferred not to start from here (kind of late now when
the system is already been installed), but rather to have been involved when the
decisions were made to install the computer system.
The key risks would be as follows:

a) Physical risks affecting the microcomputers, the network server and the people
operating systems. You might suggest to the managing director that he should ensure
that physical equipment should only be used by authorised people and be kept secure
particularly outside working hours.
AY 2020-2021 Page | 77
It might be useful to employ someone with basic computer skills to help staff when
problems arise and to make sure that the server is working properly when needed. It
might also be desirable to shut down the server outside normal working hours. This
person might usefully draw up a code of conduct for computer users, including a
restriction in the time that people sit at the keyboard.
b) Risk that the system has not been developed properly in the first place. You
should ask the managing director to see the documentation prepared at the time the
system was developed, including any feasibility studies, documentation concerning
the desired characteristics of the systems, and testing that was carried out, and by
whom, prior to putting the system into use. You would be particularly interested in
discovering if the bought-in software performs in the way expected, for instance,
whether appropriate information/audit trails are recorded. Is double entry properly
carried through in all cases? You should also ask what kind of training staff received
at the time the system was introduced and what kind of ongoing training is provided.
For instance, were staff informed of the need to respond to error messages, to keep
passwords private, and to report bugs in the system.
c) Risks of loss of programs and data. The managing director might be

particularly concerned about loss of (say) trade receivables, trade payables and
inventory records, and information used to manage the business. We are not told
much about the system but we would recommend simple security measures, such as
keeping back-up copies of programs and data outside the operating areas, supported
by the use of grandfather, father, son method of back up. You should advise the
managing director to establish degrees of access to data if this has not been done
already, supported by the use of appropriate passwords. You might also suggest that
one person keep master copies of programs and of back-up copies of data in a
computer library, together with a booking in/out system.
d) Risk that the company does not observe appropriate organisational controls.
For instance, does the company have a system for allocating responsibility? Are
duties appropriately segregated? You might reassure the managing director that in a
small company where there is little computing knowledge among staff and where
systems analysts and programmers are not employed there is a lower risk that people
will interfere with the proper operation of programs.
Q9.4)
At the beginning of this lecture, there is a diagram that talked about the two broad
levels of regulation and control relating to the external and internal environment.
Assume that you are the auditor of an entity providing advice to clients on financial
matters. You are aware that there have been serious reductions in the value of shares
quoted on stock exchanges throughout the world and that this will have a negative
impact on pensions in the future. Explain how management of the entity should react
to this external factor. Consider the control environment of the entity and auditors’
interest.
AY 2020-2021 Page | 78
A company providing financial services to the public is governed by the terms of the
Financial Services Acts, the most recent of which is the Financial Services and
Markets Act 2000 and management should ensure that staff are aware of the terms
and implications of those acts.
We do not intend to discuss the detailed provisions but clients have certain rights that
must be communicated to them. For instance, clients must be told who the regulator
is, with whom the financial advisor is registered, they have to be told whether the
advisor will recommend a wide range of financial products or if they are tied to one
company only. Clients also have to be informed of their rights, including a cooling off
period, which enables the client to withdraw (or cancel) from a contract within a
certain period of time.
Any serious fall in the quoted values of shares on stock exchanges will put
considerable pressure on companies providing financial services as one of their prime
selling tools is projected growth of stock exchange values, more or less on the lines
of: 'if growth is at the rate of 6%, the increase in value of your fund will be £n over a
period of 10 years, if growth is at the rate of 7%, the increase in value over 10 years
will be £m.
Company management would have to inform their staff that clients should be told that
conditions have changed, that growth rates of the fairly recent past are unlikely in the
future, that annual bonus and terminal rates have had of necessity to be reduced.
In other words management philosophy should include providing clients with an open
discussion of risks with the aim, among other things of discovering the client's
attitude to risk, and the time scale that is appropriate to the particular client.
Management should insist that a reasoned discussion of expectations over the time
scale take place.
Clearly, advisory staff should be kept well trained and well informed by the company
and communication lines should be clear. Management should also ensure that
advisory staff are remunerated in such a way that they will not be encouraged to
advise financial products which are more advantageous to them (because of high
commission rates) than to the clients themselves.
The auditor should ensure that the control environment within which financial
advisory staff operate is strong and reflects high integrity and the provision of
procedures to protect the public interest. This is a matter of considerable interest to
the auditor as selling inappropriate financial products (such as life assurance and
pensions) in the 1990s resulted in large successful claims against financial advisors
and assurance companies.
AY 2020-2021 Page | 79
Q9.5)
As organizations have become more dependent on the reliability of information
systems, they have become more aware of the need to maintain quality of systems and
the data/information derived from them. If you were asked to set up a quality
standards group, what role do you think it should have and what steps should be taken
to render it effective?
A quality standards group clearly needs to be of high quality itself. Its broad role
would be to provide independent monitoring of systems and the information derived
from those systems, information that management requires to achieve company
objectives and reduce risk. Information/computer systems have become critical to an
organisation's survival. The group would ensure at the development stage that quality
standards are incorporated in the design of the system and that they are maintained
thereafter.
The basic matters that the quality assurance group will be concerned with is whether
the developed software will meet user needs, how reliable it is, the ease of use of the
software, whether the software is efficient in terms of the resources used and how
easy it is to maintain.
The quality assurance function will also be concerned with such matters as the clarity
and completeness of documentation of the system and the training and effectiveness
of staff.
Auditors would have greater confidence that controls over development, maintenance
and operations are reliable with a consequent impact on the amount of substantive
testing required. In smaller organizations, the quality control function might be in the
hands of internal audit, which will also possess the necessary degree of independence.
The steps that should be taken to ensure its effectiveness include the following:
1) High status (or organization status), as would be evidenced by its position in
the company's organisational structure with responsibility to top management and
reporting at this level also. High status would also be evidenced by the attitude of top
management to its recommendations and by the resources that it provides to the
group.
2) Independence from any persons or functions responsible for the development

and operation of systems. It may be that group members become involved in
recommending quality features at an early stage of development and in testing
systems before they become on-stream, but independence is so important that the
group should not be involved in detailed development, including systems analysis and
programming.
3) Competence of staff. Clearly, quality standards group staff should be as highly

qualified and experienced as staff of groups involved in the development. This means
that care must be taken in engaging staff, ensuring that they have appropriate
education attainments and experience.
AY 2020-2021 Page | 80
They should be skilled in interviewing staff and possess firmness of character,

sufficient to get their ideas accepted. Their duties should be allocated properly.
Q9.6)
Segregation of duties is a basic requirement of a good control system. Explain what is
meant by this statement and show how segregation of duties in a modern computer
system might differ from that in a manual system.
The reason that segregation of duties of duties is important is that data and
information derived from systems will be more reliable if no one person sees
transactions through from inception to final disposition or if one person has too much
power in critical areas. Segregation of duties is closely associated with:
a) Proper allocation of authorisation to individuals to give approval to
transactions or to hold balances.
b) Supervision by responsible officials of the activities of subordinate staff
Here is a summary of the points made, including how segregation may change in a
computer system:
i) The first basic rule of division of duties is that there should be segregation of
the functions as far as possible of: (a) Authorisation of transactions; (b) Execution of
transactions; (c) Custody of assets; (d) Recording of transactions and assets
ii) However, in computer systems this may not be possible because a large
number of actions that might be in different hands in a manual system are often
carried through by computer program. (Eg the automatic generation of purchase
orders by a computer program once a minimum inventory level has been reached).
This means that when traditional segregation of functions is not possible, there must
be additional control devices in operation - or a rethink of segregation. It is important
to consider where decision-making lies:
– Operation of a program should be segregated from the ability to
change it
– Alteration of master file data should be in the hands of a responsible
official
iii) A further basic rule of segregation of duties is that where control is dependent
on segregation of duties within a particular function, management should allocate
duties appropriately. (For example, the trade receivables' control account kept or
reviewed by the chief accountant)
iv) There should be rotation of duties at appropriate intervals for critical tasks,
such as reviewing and changing customers' credit limits for a long period of time, or
control of particular aspects of a database. There should also be independent review of
data for reasonableness, either manually or computer aided analytical reviews - this
would be part of the duties of a supervising officer.
AY 2020-2021 Page | 81
Q9.7)
Assume that Ann Paterson, an established customer, has telephoned asking that she be
supplied with three recently published books. She has been passed to a sales clerk
who deals with her order. Suggest controls that should be in force before her order is
accepted.
As Ann Paterson is an established customer of the company, she would be able to

identify herself and authenticate her status as a valued customer. She might already
have given her credit card number and expiry date and an identifying word to the
sales clerk before the order was processed. The clerk would either complete a
hardcopy form or a form called up on the monitor screen. If the latter is the case,
important controls would be:
(a) form design enabling easy completion
(b) non-acceptance unless all fields on the form were complete.
Further controls would be procedures to ensure that the clerk knows if the books are
available and when they would be despatched, that calculated the amount of the
invoice and compared Ann's credit limit with the outstanding balance, adjusted for the
new transaction.
The clerk would be prompted to inform Ann whether the order had been accepted,
and if accepted, to read the terms of the order and amount of the invoice to her. The
system should send a copy of the accepted order to her, and, if not accepted, a letter
detailing reasons for non-acceptance.
Further controls would be numbering of the orders processed by the sales clerk and
the preparation of control totals for all transactions entered by the clerk during the day
(the clerk would also need to be identified and authenticated). We would expect
sequence checking of orders entered by the sales clerk.
Q9.8)
Describe the nature of an extranet and explain why it might be a useful means of
achieving business objectives. Assume that you are auditor of an entity carrying on
business using an extranet and explain what controls you would expect to be in force
to protect it.
An extranet may be described as a secure market place using internet technology. It

differs from an intranet in that it admits people and organisations outside the company
itself, with which the company has ongoing relationships. Major customers and
suppliers are obvious candidates for admission, but it is not uncommon for
competitors to be admitted as well. Organisations in the same industry may have a
wide range of common interests.
Both extranets and intranets are made secure by the use of firewalls, which are
specially designed systems to protect computer networks from unauthorised intrusion.
AY 2020-2021 Page | 82
Particular features of firewall control are those that require identification and
authentication of persons or organisations attempting entry, and identification of data
being transmitted. There are a number of different ways that firewalls identify data,
but they all try to stop data that does not meet certain criteria. They may not be able to
stop undesired interventions by persons within the extranet or intranet, such as a
disgruntled employee (heard of hacking?).
Extranets are also vulnerable to viruses as effective actions against viruses may slow
down the system to the extent that it becomes unworkable. The tighter the firewall,
the more restrictive it is and may indeed be too restrictive for effective use of email
communication. Some companies allow easy access for emails but are much more
restrictive when data packages are being transmitted.
END OF LECTURE 9
AY 2020-2021 Page | 83
Lecture 10 – Testing and Evaluation of Systems
Learning objectives
a) To suggest audit and systems objectives for selected components of the

financial statements.
b) To evaluate systems in use in selected areas and draw up audit conclusions.
c) Explain the role of tests of control, and in particular those used to test
computer systems.
Testing internal controls
It is very important to realise that the controls themselves should be thought of as

distinct from the tests of controls. If you are asked for tests of controls in a scenario-
based exam question, be careful not to just state control procedures managers should
adopt. Instead you should focus on testing existing or potential controls. When
formulating tests of controls based on information in a scenario, the best approach is
to identify those controls present before considering how these controls can be
confirmed.
Why do auditors want to test the internal control system of their clients? Remember
this question that we discussed at the beginning of lecture 9. Two main reasons:
1) Auditors have to decide whether the system appears strong enough for them to
rely on it in arriving at conclusions.
2) Auditors perform tests of control to satisfy themselves initial conclusion about
system is valid.
We will cover 3 common internal control systems in this lecture: Namely the Sales,
Purchase and the Payroll system.
Sales and debtors (trade receivable) control objectives
Let us revise the concept of control objectives. What are control objectives?
For sales system, the control objectives, namely, are to ensure that:
a) Customers receive the goods that they require at advertised prices and quality
b) Customers receive goods on credit only if they are likely to pay for them
c) Recorded sales are genuine, accurate and complete
d) Trade receivables' accounts are debited with sales on credit, which are
genuine, accurate and complete
e) All cash received is recorded in full before banking
f) Inventory records reflect genuine outward movements in correct quantities
Using the above control objectives generated for the sales system, you will need to
think about creating similar control objectives for the purchase and payroll systems.
AY 2020-2021 Page | 84
Typical controls – Sales System
Based on documents in the sales system:
Order received Sequentially numbered and recorded in a register

Checking the inventory to see that the items are available
Order by phone (verbal)
Order by internet (online)
Sales order form Sequentially numbered
Order confirmation Sequentially numbered orders

Check that it is an authorised customer or cash received
Check that order will not put customer over credit limit
Check that goods in stock
Goods delivery note Sequentially numbered

(GDN) – Commonly Check that authorised customer or cash received
known as dispatch Check that order will not put customer over credit limit
note or delivery order Gate controls (goods not allowed to go out of warehouse
(DO) until approved to go)
Sales invoice Sequentially numbered

Checking arithmetic (qty x price = sales amount, GST etc)
Use of approved (authorized) sales price, control over
discount given
Authorised (signed) by sales director
Recorded in Sales Sequence checks of invoices received

Day Book
Total recorded in Reconciliations of sales ledger and control account

ledger
Payment received 2 people open post

(collection from Segregation of duties between opening post, banking, a/cs
customers) List of receipts reconciled to banking in slip
Cash banked promptly, or locked securely until banked
Other key controls for the Sales/Debtors cycle:
Statements sent to customers monthly
Follow up of sequential items & sequence checks
Changes to customer master file data must be authorised
AY 2020-2021 Page | 85
Good credit control procedures:

- credit references obtained before allowing credit
- small limit initially, extend if pay on time
- customers put on ‘stop’ if exceed credit limit
- chase (follow up) for collection for overdue amount
Bad debt write offs authorised
Typical controls – Purchases System
Based on documents in the purchase system:
Purchase requisition Sequentially numbered

Authorised by department head
Purchase order Sequentially numbered

Authorised by purchasing manager/director
Can only order from authorised supplier
Quotations for best price/quality
Regular checks by management that purchasing from most
appropriate supplier
Goods received note Sequentially numbered

(GRN) – Also known Goods received checked to PO (is that what we ordered)
as receiving report Goods inspected for correct quantity and for quality (any
(RR) damage/spoilage)
Supplier invoice Check for correct amount on invoice (arithmetic accuracy)

Recorded in a register/Kept in a unpaid invoice file
Recorded in Purchase Before recording the purchase:

Day Book - matched with purchase order
- matched with GRN
- arithmetic checked
- authorized
Total recorded in ledger Reconciliations of purchase ledger and control account
Payment made Supplier invoices inspected before payment

(payment made to Payee cheques (crossed cheques)
suppliers 2 signatories if over a certain amount
Controls over amendments to supplier details
Cheques sequencing and bank reconciliations
AY 2020-2021 Page | 86
Other key controls for Purchase/Creditor cycle:
Reconciliations of creditor balances to suppliers’ statements
Segregation of duties between requisition/ordering/receipt/recording
Changes to standing data (supplier master file) checked and authorised
Try this exercise below:

You are an audit manager in charge of the audit of KLE Co. You are auditing the
company’s procurement system. Extracts from your system notes, which are correct
and contain no errors, are provided below:
Details on ordering department

i) Six members of staff – one buyer and five purchasing clerks.
ii) Receives about 75 orders each day, many orders for duplicate items come
from different departments in the organisation.
iii) Initial evaluation of internal control risk is high.
Ordering department
i) All orders are raised on pre-numbered purchase requisitions and sent to the
ordering department.
ii) In the ordering department, each requisition is signed by the chief buyer. A
purchasing clerk transfers the order information onto an order form and
identifies the appropriate supplier for the goods.
iii) Part one of the two part order form is sent to the supplier and part two to the
accounts department. The requisition is thrown away.
Goods inwards department

i) All goods received are checked for damage. Damaged items are returned to
the supplier and a damaged goods note completed.
ii) For undamaged items a two-part pre-numbered Goods Received Note (GRN)
is raised.
– Part one is sent to the ordering department with the damaged goods notes.
– Part two is filed in order of the reference number for the goods being ordered
(obtained from the supplier’s goods despatched documentation), in the goods
inwards department.
iii) Ordering department GRNs are separated from damaged goods notes, which
are filed. The GRN is forwarded to the accounts department.
Accounts department
GRNs matched with the order awaiting the receipt of the supplier invoice.
Required:
Identify and explain five internal control weaknesses and provide a
recommendation to overcome each weakness.
AY 2020-2021 Page | 87
Internal control weaknesses Recommendations

Transfer of information from purchase
requisition to order form
Details of the goods to be ordered are The order form should be signed for
transferred onto the order form after the chief authority to purchase and to show that
buyer has authorised the initial order details have been agreed to the
requisition. This means that there is no check requisition.
on the transfer of order information onto the
form; clerks could easily make an error or even
complete an order form for which there is no
valid requisition.
Purchase requisition
The purchase requisition is destroyed after The requisition should be filed in the
goods have been ordered. This means that there ordering department as audit evidence
is no audit trail to show who ordered the goods of goods being ordered.
or whether the order form has been completed
correctly.
Order form
Only the original and one copy of the order The order document is in three copies,
form are available – one is sent to the supplier with the additional copy being kept in
and the second to accounts. This means that the ordering department.
there is no record of goods ordered in the
ordering department. There are risks that goods
could be ordered twice and that late deliveries
cannot be identified and queried with suppliers.
No copy order to goods inwards department

A copy of the order form is not available in the A copy of the order is sent to goods
goods inwards department. This means that the inwards. Deliveries are only accepted
department does not know what goods to where they relate to an authorised
expect and may therefore receive goods that the order.
organisation has not ordered.
GRN filed in order of goods reference number

GRNs are filed in order of the reference GRNs are filed in numeric sequence.
numbers for the goods being ordered. Filing
GRNs in this way provides an internal control
weakness because a numeric sequence check
on the completeness of the filing system cannot
be performed. GRNs may be missing meaning
that the organisation cannot necessarily prove
that goods have been received.
AY 2020-2021 Page | 88
Typical controls – Payroll System
Recruitment/ Separate HR department

Resignation Authorised new employees/resignations
Attendance/Clock-in Supervision of clocking in and out

and clock-out Surprise attendance taking by independent personnel
Overtime Obtain permission and approval before working overtime
Annual leave/ Entitlement approved, authorization before going on leave

Sick leave
Time-sheet Time-sheet sequentially numbered

Authorised by supervisor
Pay rates Use of approved rates

Changes to pay rates authorized
Calculation Checking of calculations (hrs worked x rate)

Checking of calculation of deductions (gross less deduction
= net pay)
Preparation of payroll If payment by cash – use of secure courier to withdraw cash

Packing of pay packages done by independent person
Wage payout/Payment Signature/Photo ID to collect wages

Authority to collect wages for someone else
Uncollected wages put in safe and promptly bank in
Approval/Authorisation of bank payment list
Other controls for Payroll cycle:
Additions to the payroll authorised
System for informing the payroll department of employees resigning
Segregation of duties between people calculating payroll, making up pay packets,

distributing pay-packets
Physical controls over cash/cheque book.
AY 2020-2021 Page | 89
Tests of controls and substantive testing
Para A4 ISA 330:
‘The auditor’s assessment of the identified risks at the assertion level provides a basis
for considering the appropriate audit approach for designing and performing
further audit procedures.
For example, the auditor may determine that:

(a) Only by performing tests of controls may the auditor achieve an effective
response to the assessed risk of material misstatement for a particular
assertion;
(b) Performing only substantive procedures is appropriate for particular

assertions and therefore, the auditor excludes the effect of controls from the
relevant risk assessment. This may be because the auditor’s risk assessment
procedures have not identified any effective controls relevant to the assertion,
or because testing controls would be inefficient and therefore the auditor does
not intend to rely on the operating effectiveness of controls in determining the
nature, timing and extent of substantive procedures; or
(c) A combined approach using both tests of controls and substantive procedures
is an effective approach.’
Different approaches to audit: Control testing (CT) only, Substantive testing (ST)
only, or Combined approach (= CT plus ST)
But do take note of Para 18 ISA 330 which state that:

‘Irrespective of the assessed risks of material misstatement, the auditor shall design
and perform substantive procedures for each material class of transactions, account
balance, and disclosure.’
Can auditors rely on internal controls tested in last year? Can they “re-use”
those tests done last year and not do so much testing during the current year?
YES but ……
Para A13 of ISA 315 (walk through tests in existing client): ‘The auditor is required
to determine whether information obtained in prior periods remains relevant, if the
auditor intends to use that information for the purposes of the current audit. This is
because changes in the control environment, for example, may affect the relevance of
information obtained in the prior year. To determine whether changes have occurred
that may affect the relevance of such information, the auditor may make inquiries and
perform other appropriate audit procedures, such as walk-throughs of relevant
systems.’
AY 2020-2021 Page | 90
In summary, we can use the following figure (taken from the textbook GMC) to work
out our audit approach.
Source: Figure 9.5, GMC Chapter 9
Examples of tests of controls

• Tests of information/audit trail.
• Testing outputs on a restricted basis.
• Interviews with company staff (inquiry) using interviewing style conducive to
getting people to be open with them.
• Observing staff at work (observation), keeping eyes open and not assuming
staff will always operate in the manner they have told you they do.
• Re-performance of control procedures.
• Examination of management reviews.
• Testing reliability of budgets prepared by management.
Remember A E I O U in lecture 8? For test of controls, we can only use E I O U.
Why not include “A” – Unlikely we use analytical procedures as test of controls, it is
meaningless.
AY 2020-2021 Page | 91
Approaches to computer systems
Two main approaches:
1) Auditing round the computer
What do you mean by auditing around?
2) Auditing through the computer: Using computer assisted audit techniques

(CAATs)
Then what do you mean by auditing through? How do you audit through?
Source: Figure 9.6, GMC Chapter 9
AY 2020-2021 Page | 92
Specific tests of control in computer systems
• Code reviews of programs.
• Use of test data.
• Use of program code comparison.
• Continuous review of data and its processing.
• Integrated Test Facility (ITF).
• Systems Control and Review File (SCARF).
AY 2020-2021 Page | 93
Q10.1)
You are auditing a company engaged in the development and sale of games software
over the internet. You are satisfied that the software is of high quality and are now
directing your attention to the controls over the sale of their products. You have
confirmed that the company’s systems are fully integrated and that sales automatically
update bank and trade receivables records (depending on whether the sales are by
credit card or on credit) and quantity inventory records. Your initial discussions with
management have satisfied you that the control environment is good and you have
classified control risk as ‘medium’. (Your firm asks audit staff to classify control risk
as ‘high’, ‘medium’ and ‘low’.)
Required:
a) Explain what the three control risk classifications probably mean in practice.
b) What basic controls would you expect to see to ensure that sales are genuine,
accurate and complete, that the risk of bad debts is low, and that inventory
movements resulting from sales are genuine, accurate and complete? Suggest
suitable tests of control.
a)
Firstly, note that assessment of control risk tends to be very subjective and your firm
has given guidance to staff using terms like ‘high’, ‘medium’ and ‘low’ rather than
suggesting percentages that might give the impression of spurious accuracy.
However, ‘high’ control risk will mean that controls are so weak that you would not
rely on the controls at all, but go immediately over to substantive testing. ‘Low’
control risk would mean that you had decided that controls were very good and were
backed up by a strong control environment, including perhaps a high quality internal
audit department.
In this case you have decided that the control environment is good, but some initial
tests have revealed some weaknesses in detailed controls (so you assessed control risk
as medium). Perhaps the audit trail is incomplete or you have discovered that control
totals are not always checked, so you have decided that although controls are
generally satisfactory, you feel the need to extend substantive testing to some extent.
b)
We would expect the controls to include the following:
i) Complete audit trail from initial order to final updating of bank and trade
receivables accounts, inventory records and entry in general ledger accounts.
ii) Controls identifying customers and acceptance of customer credit card.
iii) Controls to ensure orders are complete
AY 2020-2021 Page | 94
iv) Controls over giving credit (for instance, submission by the customer of bank
references; issuing credit limit and updating customer master file by a
responsible official; programmed comparison of new balance with credit limit)
v) Controls to ensure bank accounts are properly updated.
To test all the above controls, the auditor might use embedded audit facilities that
allow continuous review of the data and their processing (SCARF) or alternatively put
test data through the system to ensure that all the records are properly updated.
vi) Controls to ensure customers’ accounts are properly updated. A good test here
would be to check after date payments, although this would be used as a
substantive test to confirm the validity of balances at the year-end.
vii) Controls to ensure that inventory records are properly updated. A good control
here would be for the company to count inventory quantities periodically for
comparison with inventory records. The auditor might re-perform such a test
and also enquire into significant differences between quantities counted and
inventory records. This would also be a good substantive test.
AY 2020-2021 Page | 95
Q10.2) ACCA 2.6 Exam June 20016 Q1
a) State the control objectives for the ordering, despatch and invoicing of goods.
(5 marks)
b)
Atlantis Standard Goods (ASG) Co has a year end of 30 June 2006. ASG is a retailer
of kitchen appliances such as washing machines, fridges and microwaves. All sales
are made via the company’s Internet site with dispatch and delivery of goods to the
customer’s house made using ASG’s vehicles. Appliances are purchased from many
different manufacturers.
The process of making a sale is as follows:

(1) Potential customers visit ASG’s website and select the kitchen appliance that
they require. The website ordering system accesses the inventory specification
file to obtain details of products ASG sells.
(2) When the customer chooses an appliance, order information including price,
item and quantity required are stored in the orders pending file.
(3) Online authorisation of credit card details is obtained from the customer’s
credit card company automatically by ASG’s computer systems.
(4) Following authorisation, the sales amount is transferred to the computerised
sales day book. At the end of each day the total from this ledger is transferred
to the general ledger.
(5) Reimbursement of the sales amount is obtained from each credit card
company monthly, less the appropriate commission charged by the credit card
company.
(6) Following authorisation of the credit card, order details are transferred to a
goods awaiting despatch file and allocated a unique order reference code.
Order details are automatically transferred to the dispatch department’s
computer system.
(7) In the despatch department, goods are obtained from the physical inventory,
placed on ASG vehicles and the computerised inventory system updated.
Order information is downloaded on a hand held computer with a writable
screen.
(8) On delivery, the customer signs for the goods on the hand held computer. On
return to ASG’s warehouse, images of the customer signature are uploaded to
the orders file which is then flagged as ‘order complete’. This year’s audit
planning documentation states that a substantive approach will be taken on the
audit.
Required:
Tabulate the audit tests you should carry out on the sales and despatch system,
explaining the reason for each test. (15 marks)
AY 2020-2021 Page | 96
a) Control objectives
Ordering of goods
– Goods are only supplied to authorised customers
– Orders are recorded correctly regarding price, quantity, item and customer
details.
Despatch and invoicing of goods

– Orders are despatched to the correct customer
– All despatches are correctly recorded
– Despatches only relate to goods ordered and paid for by customers
– Invoices raised relate to goods supplied by the company.
b) Audit tests on sales and despatch system
Audit test Reason for test

Using test data if necessary, access Ensure that order details are completely
ASG’s website site and input order and accurately recorded by the website
details for specific goods. Trace those software. Ensure that details recorded
order details to the orders pending file. agree to those input.
For a sample of items in orders pending To ensure that details from the website
file, software are completely and accurately
– agree to the orders awaiting despatch transferred to the orders awaiting
file, ensuring that appliance details and despatch file.
quantities are the same.
– agree sales details for that customer to To confirm that amounts are received for
the monthly reimbursement from the each appliance sold, and therefore that
credit card company, checking amount monies received are complete and
received is the product price less the accurate.
appropriate commission charged by the
credit card company.
– agree the sales amount to the sales To confirm that the amount of sales is not
ledger file. understated or overstated in the ledger,
general ledger or financial statements.
Review goods awaiting despatch file for To ensure that reasons for orders not
old items and inquire as to why those being
items are still on file. processed are being obtained. A large
number of old items may also indicate
problems with the credit card
authorisation systems which again will
need to be investigated.
For a sample of days, cast the sales day To check the numerical accuracy of the
book file and agree the total sales to the day book and the accuracy of posting to
general ledger accounts for that day. the general ledger file.
For a sample of items in the goods To confirm that order details are
awaiting despatch file, agree to the completely and accurately transferred to
despatch information held on the the despatch department.
despatch department computer.
AY 2020-2021 Page | 97
For a sample of items on the despatch To ensure that the despatch information is
department computer, accurate and that the despatch record
– agree back to the goods awaiting itself relates to a valid sale.
despatch file ensuring details of product,
quantity and customer agree.
– agree to the inventory records Ensures that the inventory system
confirming that the correct appliance correctly records the appliance ordered
record was updated. and that the inventory system remains
accurate.
– check customer signature is on file To confirm that evidence is available for
agreeing receipt of goods. receipt of goods confirming that goods
have been delivered.
For a sample of items on the despatch To ensure that goods have been received
department computer, review to see that and that procedures for investigating non-
evidence of delivery to customer is despatch or receipt are working.
available. Investigate records where no
delivery information is available
obtaining reasons for this.
Review the despatch department To ensure that the despatch process is
computer files for items not flagged working correctly and that incomplete
‘order complete’. Investigate and obtain items are being investigated.
reasons for these items.
AY 2020-2021 Page | 98
Q10.3) Partial ACCA F8 Exam Dec 2010 Q1b
Greystone Co is a retailer of ladies clothing and accessories. It operates in many

countries around the world and has expanded steadily from its base in Europe. Its
main market is aimed at 15 to 35 year olds and its prices are mid to low range. The
company’s year end was 30 September 2010.
In the past the company has bulk ordered its clothing and accessories twice a year.
However, if their goods failed to meet the key fashion trends then this resulted in
significant inventory write downs. As a result of this the company has recently
introduced a just in time ordering system. The fashion buyers make an assessment
nine months in advance as to what the key trends are likely to be, these goods are
sourced from their suppliers but only limited numbers are initially ordered.
Greystone Co has an internal audit department but at present their only role is to
perform regular inventory counts at the stores.
Ordering process
Each country has a purchasing manager who decides on the initial inventory levels for
each store, this is not done in conjunction with store or sales managers. These
quantities are communicated to the central buying department at the head office in
Europe. An ordering clerk amalgamates all country orders by specified regions of
countries, such as Central Europe and North America, and passes them to the
purchasing director to review and authorise.
As the goods are sold, it is the store manager’s responsibility to re-order the goods
through the purchasing manager; they are prompted weekly to review inventory levels
as although the goods are just in time, it can still take up to four weeks for goods to be
received in store.
It is not possible to order goods from other branches of stores as all ordering must be
undertaken through the purchasing manager. If a customer requests an item of
clothing, which is unavailable in a particular store, then the customer is provided with
other branch telephone numbers or recommended to try the company website.
Goods received and Invoicing
To speed up the ordering to receipt of goods cycle, the goods are delivered directly
from the suppliers to the individual stores. On receipt of goods the quantities received
are checked by a sales assistant against the supplier’s delivery note, and then the
assistant produces a goods received note (GRN). This is done at quiet times of the day
so as to maximise sales. The checked GRNs are sent to head office for matching with
purchase invoices.
AY 2020-2021 Page | 99
As purchase invoices are received they are manually matched to GRNs from the
stores, this can be a very time consuming process as some suppliers may have
delivered to over 500 stores. Once the invoice has been agreed then it is sent to the
purchasing director for authorisation. It is at this stage that the invoice is entered onto
the purchase ledger.
Required:
b)
As the external auditors of Greystone Co, write a report to management in
respect of the purchasing system which:
i) Identifies and explains FOUR weaknesses in that system;
ii) Explains the possible implication of each weakness;
iii) Provides a recommendation to address each weakness.
A covering letter is required.

Note: Up to two marks will be awarded within this requirement for presentation.
(14 marks)
b)
Board of Directors
Greystone Co
30 Any Street
Any Town
8 December 2010
Dear Sirs,
Audit of Greystone Co for year ended 30 September 2010
Please find enclosed the report to management on significant weaknesses in internal

controls identified during the audit for the year ended 30 September 2010. The report
considers weaknesses in the purchases system, implications of those weaknesses and
provides recommendations to address those weaknesses.
(i) Weakness
The purchasing manager decides on the inventory levels for each store without
discussion with store or sales managers. The purchasing manager may not have the
appropriate knowledge of the local market for a store.
(ii) Implication
This could result in stores ordering goods that are not likely to sell and hence require
heavy discounting. In addition as a fashion chain, if customers perceive that the goods
are not meeting the key fashion trends then they may cease to shop at Greystone at all.
AY 2020-2021 Page | 100

(iii) Recommendation
The purchasing manager should initially hold a meeting with area managers of stores;
if meeting all store managers is not practical, he should understand the local markets
before agreeing jointly goods to be purchased.
(i) Weakness
The purchase orders are only reviewed and authorised by a purchasing director in a
wholly aggregated manner (by specified regions of countries).
(ii) Implication
It will be difficult for the purchasing director to assess whether overall the correct
buying decisions are being made as the detail of the orders is not being presented and
he is the only level of authorisation. This could result in significant levels of goods
being purchased that are not right for particular market sectors.
A purchasing senior manager should review the information prepared for each
country and discuss with local purchasing managers the specifics of their orders.
These should then be authorised and passed to the purchasing director for final review
and sign off.
(i) Weakness
The store managers are responsible for re-ordering goods through the purchasing
manager.
(ii) Implication
If the store managers forget or order too late, then as the ordering process can take up
to four weeks, the store could experience significant stock outs leading to loss of
income.
Automatic re-order levels should be set up in the inventory management systems. As
the goods sold reach the re-order levels the purchasing manager should receive an
automatic re-order request.
(i) Weakness
It is not possible for a store to order goods from other local stores for customers who
request them. Instead they are told to contact the stores themselves, or use the
company website.
(ii) Implication
Customers are less likely to contact individual stores themselves and this could result
in the company losing out on valuable sales. In addition some goods which are slow
AY 2020-2021 Page | 101

moving in one store may be out of stock at another, if goods could be transferred
between stores then overall sales may be maximised.
An inter-branch transfer system should be established between stores. This should
help stores whose goods are below the re-order level but are awaiting their deliveries
from the suppliers.
(i) Weakness
Deliveries from suppliers are accepted without being checked first.
In addition they are then checked by sales assistants to the suppliers’ delivery note to
agree quantities but not quality.
Sales assistants are producing the goods received note (GRN) on receipt of a
supplier’s delivery note.
(ii) Implication
The stores are receiving goods without checking that these are correct. Hence if a
delivery is subsequently disputed there may be little recourse for the company.
If the sales assistants are only checking quantities then goods which are not of a
saleable condition may be accepted.
The assistants may not be adequately experienced to produce the GRN, and this is an
important document used in the invoice authorisation process. Errors could lead to
under or overpayments.
Deliveries from suppliers should only be accepted between designated hours such as
the first two hours of the morning when it is quieter. The goods should then be
checked on arrival for quantity and quality prior to acceptance from the supplier. A
responsible official at each store should produce the GRN from the supplier’s delivery
information.
(i) Weakness
Goods are being received without any checks being made against purchase orders.
(ii) Implication
This could result in Greystone receiving and subsequently paying for goods it did not
require. In addition if no check is made against order then the company may have
significant purchase orders which are outstanding, leading to lost sales.
A copy of the authorised order form should be sent to the store. This should then be
checked to the GRN. Once checked the order should be sent to head office and logged
AY 2020-2021 Page | 102

as completed. On a regular basis the purchasing clerk should review the order file for
any outstanding items.
(i) Weakness
Purchase invoices are manually matched to a high volume of GRNs from the
individual stores.
(ii) Implication
A manual checking process increases the risk of error, resulting in invoices being
accepted or
rejected erroneously.
The checked GRNs should be logged onto the purchasing system, matched against the
relevant order number, then as the invoice is received this should be automatically
matched. The purchasing clerk should then review for any unmatched items.
(i) Weakness
The purchase invoice is only logged onto the system as it is being authorised by the
purchasing director.
(ii) Implication
If the invoice is misplaced then payables may not be settled on a timely basis. In
addition at the
year-end the purchase ledger may be understated as invoices relating to the current
year have been received but are not in the purchase ledger.
Upon receipt of an invoice this should be logged into a file of unmatched invoices. As
it is matched and authorised it should then be moved into the purchase ledger. At the
year-end, items in the unmatched invoices file should be accrued for, to ensure
liabilities are not understated.
Please note that this report only addresses any significant weaknesses identified
during the audit and if further testing had been performed then more weaknesses may
have been reported.
This report is solely for the use of management and if you have any further questions
then please do not hesitate to contact us.
Yours faithfully,
An audit firm
AY 2020-2021 Page | 103

Q10.4) ACCA F8 Exam Dec 2008 Q1
Introduction
Blake Co assembles specialist motor vehicles such as lorries, buses and trucks. The
company owns four assembly plants to which parts are delivered and assembled into
the motor vehicles.
The motor vehicles are assembled using a mix of robot and manual production lines.
The ‘human’ workers normally work a standard eight hour day, although this is
supplemented by overtime on a regular basis as Blake has a full order book. There is
one shift per day; mass production and around the clock working are not possible due
to the specialist nature of the motor vehicles being assembled.
Wages system – shift workers

Shift-workers arrive for work at about 7.00 am and ‘clock in’ using an electronic
identification card. The card is scanned by the time recording system and each
production shift-worker’s identification number is read from their card by the scanner.
The worker is then logged in as being at work. Shift-workers are paid from the time of
logging in. The logging in process is not monitored as it is assumed that shift-workers
would not work without first logging in on the time recording system.
Shift-workers are split into groups of about 25 employees, with each group under the
supervision of a shift foreman. Each day, each group of shift-workers is allocated a
specific vehicle to manufacture. At least 400 vehicles have to be manufactured each
day by each work group. If necessary, overtime is worked to complete the day’s quota
of vehicles. The shift foreman is not required to monitor the extent of any overtime
working although the foreman does ensure workers are not taking unnecessary or
prolonged breaks which would automatically increase the amount of overtime
worked. Shift-workers log off at the end of each shift by re-scanning their
identification card.
Payment of wages
Details of hours worked each week are sent electronically to the payroll department,
where hours worked are allocated by the computerised wages system to each
employee’s wages records. Staff in the payroll department compare hours worked
from the time recording system to the computerised wages system, and enter a code
word to confirm the accuracy of transfer. The code word also acts as authorisation to
calculate net wages. The code word is the name of a domestic cat belonging to the
department head and is therefore generally known around the department.
Each week the computerised wages system calculates:

(i) gross wages, using the standard rate and overtime rates per hour for each
employee,
(ii) statutory deductions from wages, and
(iii) net pay.
AY 2020-2021 Page | 104

The list of net pay for each employee is sent over Blake’s internal network to the
accounts department. In the accounts department, an accounts clerk ensures that
employee bank details are on file.
The clerk then authorises and makes payment to those employees using Blake’s
online banking systems. Every few weeks the financial accountant reviews the total
amount of wages made to ensure that the management accounts are accurate.
Termination of employees
Occasionally, employees leave Blake. When this happens, the personnel department
sends an e-mail to the payroll department detailing the employee’s termination date
and any unclaimed holiday pay. The receipt of the e-mail by the payroll department is
not monitored by the personnel department.
Required:
a) List FOUR control objectives of a wages system. (2 marks)
b) As the external auditors of Blake Co, write a management letter to the

directors in respect of the shift-workers wages recording and payment
systems which:
(i) Identifies and explains FOUR weaknesses in that system;
(ii) Explains the possible effect of each weakness;
(iii) Provides a recommendation to alleviate each weakness.
Note up to two marks will be awarded within this requirement for presentation.
(14 marks)
a) Control objectives – wages system
– Employees are only paid for work that they have done
– Gross pay has been calculated correctly
– Gross pay has been authorised
– Net pay has been calculated correctly
– Gross and net pay have been recorded accurately in the general ledger
– Only genuine employees are paid
– Correct amounts are paid to taxation authorities.
AY 2020-2021 Page | 105

b)
The Directors
Blake Co
110 Any Street
Anywhere
3 December 2008
Dear Sirs
Management letter
As usual at the end of our audit, we write to bring to your attention weaknesses in
your company’s internal control systems and provide recommendations to alleviate
those weaknesses.
P
Weakness
The logging in process for employees is not monitored.
Possible effect
Employees could bring cards for absent employees to the assembly plant and scan that
card for the employee; absent employees would effectively be paid for work not done.
Recommendation
The shift manager should reconcile the number of workers physically present on the
production line with the computerised record of the number of employees logged in
for work each shift.
Weakness
Overtime is not authorised by a responsible official.
Possible effect
Employees may get paid for work not done e.g. they may clock-off late in order to
receive ‘overtime’ payments.
Recommendation
All overtime should be authorised, either by the shift manager authorizing an
estimated amount of overtime prior to the shift commencing or by the manager
confirming the recorded hours in the payroll department computer system after the
shift has been completed.
Weakness
The code word authorising the accuracy of time worked to the wages system is the
name of the cat of the department head.
AY 2020-2021 Page | 106

Possible effect
The code word is not secure and could be easily guessed by an employee outside the
department (names of pets are commonly used passwords).
Recommendation
The code word should be based on a random sequence of letters and numbers and
changed on a regular basis.
Weakness
The total amount of net wages transferred to employees is not agreed to the total of
the list of wages produced by the payroll department.
Possible effect
‘Dummy’ employees – payments that do not relate to any real employee – could be
added to the payroll payments list in the accounts department.
Recommendation
Prior to net wages being sent to the bank for payment, the financial accountant should
cast and agree the total of the payments list to the total of wages from the payroll
department.
Weakness
Details of employees leaving the company are sent on an e-mail from the personnel
department to payroll.
Possible effect
There is no check to ensure that all e-mails sent are actually received in the payroll
department.
Recommendation
There needs to be a control to ensure all e-mails are received in personnel –
prenumbering of e-mails or tagging the e-mail to ensure a receipt is sent back to the
personnel department will help meet this objective.
Weakness
In the accounts department, the accounts clerk authorises payment of net wages to
employees.
Possible effect
It is inappropriate that a junior member of staff should sign the payroll; the clerk may
not be able to identify errors in the payroll or could even have included ‘dummy
employees’ and is now authorising payments to those ‘people’.
AY 2020-2021 Page | 107

Recommendation
The payroll should be authorised by a senior manager or finance director.
If you require any further information on the above, please do not hesitate to contact
us.
Yours faithfully,
Global Audit & Co.
AY 2020-2021 Page | 108

Q10.5) UoL 2013 Exam ZA Q1
NorthLea Co. is a construction company (building houses, offices and hotels)

employing a large number of workers on various construction sites. The internal audit
department of NorthLea Co. is currently reviewing the wages system within the
company.
The following information is available:

1) Hours worked are recorded using a clocking in/out system. On arrival for
work and at the end of each day’s work, each worker enters their unique
employee number on the keypad.
2) Workers on each site are under the control of a foreman. The foreman has a
record of all employee numbers and has authority to issue temporary numbers
for new employees.
3) Any overtime has to be authorised by the foreman. The rate is 150% outside
normal hours during the week and 200% at week-ends and holidays. Overtime
is calculated by the computerised wages system and added to the standard pay.
4) Any amendments necessary for sickness and holidays are made manually by
the accounts personnel in the wages department. They are also responsible for
setting up and maintaining employee records.
5) The computer calculates the wages and produces a report showing net pay for
each employee.
6) Cash is delivered to the wages office by secure courier.
7) The accounts staff in the wages department place the cash in pay packets for
each employee together with a hand written note showing gross pay and
deductions for tax. These are passed to the foremen for distribution to the
employees.
Required:
a) Identify the strengths and weaknesses within the NorthLea’s wages

system that could result in a loss or misappropriation of company assets
and for each weakness you identify suggest an internal control to
overcome the weakness. (15 marks)
b) What factors will determine how much reliance the external auditors of
NorthLea Co. can place on the work of the internal audit department in
relation to the company’s wages system? (10 marks)
This question was the one that most candidates attempted and part a) was the one for
which the highest number of candidates obtained maximum marks. A large number of
candidates were able to produce a list of the strengths and the weaknesses and for
each of the latter were able to come up with a valid and practical control to overcome
the weakness.
AY 2020-2021 Page | 109

Because you were asked to produce a solution to each of the weaknesses, this part of
the question was ideally suited to a columnar style answer.
Of course, such an approach did not allow for inclusion of the strengths in the system
since these do not need a response. Some candidates clearly had thought about this
and wisely started the answers to part (a) with a list of the strengths then went on to
produce the columnar tabulation of weaknesses and suggested responses.
Poorer answers often launched straight into the question with a tabular format; only to
find that strengths then had to be included in the same column as weaknesses and that
for each strength there would be a blank in the right hand column because no response
was needed. This situation could have been avoided if the candidates had only thought
through their answer before deciding on a format.
If part (a) of this question was the best attempted part of the paper, part (b) was almost
certainly the worst attempted on the entire paper. A large number of candidates sought
to answer this part of the question with explanations of audit tests that could be
performed. It appeared as though few candidates had looked at the material relevant to
the work of an internal audit department and the extent to which external auditors may
rely on the work of internal auditors. The texts are not difficult to understand.
They list a number of factors which will influence the external auditors’ decision,
such as:
the scope of the internal audit team’s review, the qualifications and competences of
the internal audit team, the level within the company to which the internal auditors
report.
a)
Strengths
- Unique employee number to identify each worker
- Overtime need to be authorized
- Overtime calculated by the computer system (better than manual calculation)
- Delivery of cash by security personnel
- Computer calculate the wages (better than manual calculation)
AY 2020-2021 Page | 110

Control weaknesses and recommendations
Control weakness Internal control recommendations
Employees can be paid for work not done. A record of hours worked by each employee
There appears to be no check to ensure that should be printed from the computerised
hours recorded in the computer system actually wages system and signed by the site foreman
relate to hours worked. to confirm that the hours are accurate.
There is no check to ensure that each employee The computerised wages system should print
inputs his/her employee number. One employee a list of employees present per the computer
could input two numbers hiding the fact that one system during the day and the foreman should
employee is absent. then sign this list to confirm it is accurate.
Fake or dummy employees can be put onto The wages office should check the list of
the payroll. employees against workers personnel records
The foreman can set up employee records for of authorised employees. Any new employees
who do not exist as payment is made particularly should be verified in this way
automatically from the records of hours worked. before payment is made.
The staff in the wages office could collude by The list of employees on the payroll should be
setting up fake employee records in a similar checked for accuracy by a person outside of
way to the site foreman. the wages department, for example the
personnel department or the chief accountant.
The list of net payments should be signed by
this person to show it is correct.
Gross pay inflated by wages department staff. The computerised payroll system should be
The staff in the wages department could add programmed to produce a list of all
extra hours to the records of some employees, amendments made to the payroll. This list
and remove the net pay from the payment should be reviewed by a responsible official
received from the courier prior to making up the outside of the wages department prior to
pay packets. wages being paid.
Alternatively, the computerised payroll

system should produce payslip for each
employee showing the hours worked, gross
and net pay etc. Employees should then check
that the cash paid agrees to the net payment
recorded on the payslip.
AY 2020-2021 Page | 111

Q10.6) UoL AA Exam 2014 ZA Q2
Conrad is a young fashion designer who opened his first store in Manchester at the
start of 2013. His shop sells mainly high value designer dresses aimed at the late
twenties to early thirties professional woman. However, he also stocks several lines of
low value accessories in order to tempt other potential customers into the shop.
Conrad followed the bank manager’s advice and set up the business as a limited
company. Conrad is the only shareholder and the only director. He has invested
£100,000 of his own money. The company has a borrowing facility of £100,000 from
the bank. However, a condition of the bank loan is that he has to give a personal
guarantee on the loan.
You discover that there are four employees who work in the backroom making the
dresses and five who serve in the shop, at various times. The five sales ladies are
essentially casual workers who are paid by the hour. They try to fit the hours around
the demands of their home life and/or children. Often there is only one of them in the
shop. Conrad knows them all personally, he trusts them and is happy for whoever is
the last to leave to count up the cash, close up the shop and bank the cash on their way
home. He also allows them to make minor payments for things like materials for
window displays, tea, coffee and milk for the staff to be paid out of the takings.
However, he assures you that he has control of the bank since he is the only one who
has access to the cheque book and the internet banking. He receives but never checks
the bank statements. He says he is too busy out on the road finding new outlets,
attending trade shows and making contacts.
Conrad engaged your firm to do the accounts and prepare the tax return. He has no
accounting experience and no knowledge of or interest in financial matters. He
expressed concern when you presented him with the accounts. His sales for the year
came to £900,000 and the cost of sales in the form of materials and bought-in goods
came to £500,000. He had done some rough costing in setting his prices and aimed to
make a mark-up of 200% on cost. So he would have expected his gross profit on sales
to be £600,000, not the £400,000 shown in your accounts. He has no idea why the
figures are different but wants you to investigate and to conduct a full audit. He is also
stunned to find that while your accounts show that the company has made a £50,000
net profit, the bank balance is now up to the limit of the permitted borrowing.
Required:
a) Set out in a letter to Conrad your concerns about the control

environment, the possible risks of his management style and what he
might do to improve control in his company. (15 marks)
b) Discuss the advantages and disadvantages for small companies

voluntarily to engage an external auditor to audit their annual financial
statements. (10 marks)
AY 2020-2021 Page | 112

Examiner comments:
Reading for this part a) question

Subject guide, Chapter 7
Porter et al. (2014) Chapter 10
Gray and Manson (2011) Chapter 5
Approaching the question

This question required candidates to think about the potential weaknesses in the
controls over the business and its resources. As with many examination questions the
situation is almost too extreme to be believable but you should not let that put you off.
Do not refrain from commenting on a particular aspect just because it looks
ridiculous; for example, the comment that Conrad ‘never checks the bank statements’
is an open invitation for some comment to him about the need to keep a firm control
over his own company. Banks can and do make mistakes with customer accounts and
the only check upon this is to have the discipline of examining the transactions which
the bank claims to have processed.
Identifying various inherent and control risks in the scenario would be expected in the
context of this question. For example the fashion industry is high risk and it would be
worth the auditors finding out how Conrad attempts to be aware of changing trends,
etc.
Some explanation for Conrad’s benefit of the difference between cash and profit (a
Year One concept) was intended to be a gift for the sharp-eyed candidate but too few
candidates even mentioned this area of confusion in the mind of the client.
The need for good internal control is essential in any business. In small companies,
formal systems are often not feasible but there are other ways of reducing risks of loss
and misappropriation – namely a greater involvement from the owner.
Setting out the answer as a proper memo or report would have improved the
appearance of some attempts.
Reading for this part b) question

Porter et al. (2014) Chapter 1

There are certainly advantages to having an audit although in Conrad’s case his lack
of engagement in the detailed running of the business would make an effective audit
practically impossible.
It would be important to explain that some form of internal controls and adequacy of
accounting records are essential. Without these the auditor’s report is likely to be so
heavily qualified that any value in having an audit is lost.
AY 2020-2021 Page | 113

An audit can help to find some but cannot be expected to find all errors/
frauds/weaknesses that might save the business money in the long run.
In the real world, audits are carried out in small companies but the lack of evidence
can make them inordinately costly.
On the plus side, Conrad might find it easier to raise bank loans if he could produce
audited accounts.
Q10.7) UoL AA Exam 2015 ZA Q3a
Compete Ltd is a large private limited company which buys and sells computers,
mobile phones and other electronic items. It has a number of large retail stores around
the country. According to its chief financial officer, its stores, offices, warehouse and
accounting function are all highly computerised. You are the external auditor
currently examining Compete’s purchasing system and note the following features:
Inventory levels are closely physically monitored by the managers at the individual
stores. When an inventory line is close to running out, the manager emails the
purchasing department in head office to place an order for sufficient additional items
to return the inventory to its original level. Managers are instructed to keep a copy of
the email on their hard drives.
Purchasing staff check the incoming orders for reasonableness and then try to source
the best price from those on the list of approved suppliers. Once the most appropriate
supplier is identified, an order is given a unique number and the order is sent to the
supplier. An electronic copy is kept on the purchasing department’s database. The
system records a list of unfulfilled orders.
Warehouse staff check in all deliveries from suppliers. They check the deliveries for
quality and quantity against the order as shown on the system – they have read-only
access to the electronic copy of the order. They are instructed not to accept any goods
which are not supported by a delivery note from the supplier and an order from
Compete. The quality and quantity of the delivery note and order must agree exactly
otherwise the entire delivery is rejected and must be returned to the supplier.
Provided the delivery details agree with the order, warehouse staff accept the goods
from the supplier and that acceptance is recorded by a staff member pressing the
‘Accept’ button on the system, an action which removes the item from the outstanding
orders list and updates the perpetual inventory records. The hard copy of the delivery
note is stamped ‘Delivered’.
In due course, and not always on time, the supplier will sent an invoice to the
accounts payable department at Compete. The staff in this department are required to
check that the goods had been ordered and had been received before entering the
AY 2020-2021 Page | 114

details of the supplier’s invoice onto the accounts payable system, which action debits
purchases and credits the individual supplier’s account.
At the end of each month, some suppliers send in statements showing the amount due
to them from Compete. The accounts payable staff use the statements received from
these suppliers to check the ledger accounts’ balances for accuracy.
Required:
a) Identify any strengths or weaknesses in the accounts payables system and

how you would suggest that these could be tested. (15 marks)
Examiner comments:
Reading for this part a) question

Porter, Simon and Hatherly (2014) Chapters 10 and 11
Gray and Manson (2008) Chapters 7 and 13

Part a) of this question was a test of candidates’ ability to identify from the scenario
the strengths and weaknesses in a client’s purchases system, which is an important
element of the audit planning process. The focus for the question was on how these
strengths and weaknesses could be tested by the client and not on how the weaknesses
could be improved by the client. It is pleasing to note that the majority of candidates
did recognise this.
It is important to note that just listing strengths and weaknesses was not sufficient for
full marks and some explanation as to why the issue was a strength or weakness was
required.
A tabular approach could have been used in this question listing the strength or
weakness and then how it could be tested.
Strengths in the system included:
1) The computerised nature of the system, which helps to strengthen controls and
minimise errors.
2) Physical monitoring of inventory levels provides an extra check of the
computer system further strengthening the controls to prevent over ordering or
running out of stock items.
3) The necessity to keep a copy of emails is a strength as it provides an audit trail
if there are queries or problems at a later date. However, it is only a strength if
it is complied with and so this would need to be tested by the auditors.
4) Having an approved list of suppliers is a strength in preventing purchases from
unsuitable suppliers or inappropriate sources however this does need to be
routinely monitored and revised.
AY 2020-2021 Page | 115

5) The requirement for buyers to look for best prices is a strength as it ensures
company funds are not wasted; however, this should not be at the expense of
quality.
6) Having a list of unfulfilled orders is a strength as it provides a record of future
commitments for the company. However, its accuracy relies on warehouse
staff correctly pressing the accept button for orders delivered.
7) Read-only access is a strength as it prevents deliberate or accidental changes
to sales orders by warehouse staff.
8) The checking of invoices is a strength to ensure they agree with the original
purchase order and delivery note – the fact that the invoices are often received
late is an inconvenience but is out of the control of the company and not a
weakness.
Weaknesses in the system included:

1) The computerised nature of the system is also a weakness if it is not properly
tested, controlled and backed-up regularly. This will need to be checked and
tested by auditors.
2) The email order for re-stocking is a little casual and open to abuse – a more
formal system should be used.
3) There is a lack of management authorisation for orders which leaves the
system open to some abuse by purchasing staff particularly if the approved
supplier list is not reviewed and updated regularly.
4) The requirement to reject and return a complete delivery if it does not match
the order exactly could be a weakness due to being inefficient and the
potential for unnecessary delays.
5) The use of an accept button by staff is a weakness due to the risks involved in
its inappropriate or inaccurate use – management authorisation is needed to
strengthen this control.
6) Checking ledger balances against supplier statements is a strength; however,
given the fact that not all suppliers provide statements it is a weakness if
accounts staff only check balances for which a statement has been received.
Examiners provided some flexibility in terms of how these strengths and weaknesses
could be tested, however, suggestions should have been linked to the issue being
raised and involve auditors either ensuring the strength was effective or the
consequences of the weakness.
AY 2020-2021 Page | 116

Q10.8) ACCA F8 Exam Dec 2012 Q3
You are a member of the recently formed internal audit department of Oregano Co
(Oregano).
The company manufactures tinned fruit and vegetables which are supplied to large
and small food retailers. Management and those charged with governance of Oregano
have concerns about the effectiveness of their sales and despatch system and have
asked internal audit to document and review the system.
Sales and despatch system
Sales orders are mainly placed through Oregano’s website but some are made via
telephone. Online orders are automatically checked against inventory records for
availability; telephone orders, however, are checked manually by order clerks after
the call. A follow-up call is usually made to customers if there is insufficient
inventory. When taking telephone orders, clerks note down the details on plain paper
and afterwards they complete a three part pre-printed order form. These order forms
are not sequentially numbered and are sent manually to both despatch and the
accounts department.
As the company is expanding, customers are able to place online orders which will
exceed their agreed credit limit by 10%. Online orders are automatically forwarded to
the despatch and accounts department.
A daily pick list is printed by the despatch department and this is used by the
warehouse team to despatch goods. The goods are accompanied by a despatch note
and all customers are required to sign a copy of this. On return, the signed despatch
notes are given to the warehouse team to file.
The sales quantities are entered from the despatch notes and the authorised sales
prices are generated by the invoicing system. If a discount has been given, this has to
be manually entered by the sales clerk onto the invoice. Due to the expansion of the
company, and as there is a large number of sale invoices, extra accounts staff have
been asked to help out temporarily with producing the sales invoices. Normally it is
only two sales clerks who produce the sales invoices.
Required:
a) Describe TWO methods for documenting the sales and despatch system;
and for each explain an advantage and a disadvantage of using this
method. (6 marks)
b) List TWO control objectives of Oregano Co’s sales and despatch system.
(2 marks)
AY 2020-2021 Page | 117

c) Identify and explain SIX deficiencies in Oregano Co’s sales and despatch
system and provide a recommendation to address each of these
deficiencies. (12 marks)
(20 marks)
a) Documenting the sales and despatch system
There are several methods which can be used by the internal audit department of
Oregano Co (Oregano) to document their system.
Narrative notes
Narrative notes consist of a written description of the system; they would detail what
occurs in the system at each stage and would include any controls which operate at
each stage.
Advantages of this method include:

– They are simple to record; after discussion with staff members of Oregano,
these discussions are easily written up as notes.
– They can facilitate understanding by all members of the internal audit team,
especially more junior members who might find alternative methods too
complex.
Disadvantages of this method include:

– Narrative notes may prove to be too cumbersome, especially if the sales and
distribution system is complex.
– This method can make it more difficult to identify missing internal controls
as the notes record the detail but do not identify control exceptions clearly.
Questionnaires
Internal control questionnaires (ICQ) or internal control evaluation questionnaires

(ICEQ) contain a list of questions; ICQs are used to assess whether controls exist
whereas ICEQs test the effectiveness of the controls.

– Questionnaires are quick to prepare, which means they are a timely method for
recording the system.
– They ensure that all controls present within the system are considered and
recorded; hence missing controls or deficiencies are clearly highlighted by the
internal audit team.

– It can be easy for the staff members of Oregano to overstate the level of the
controls present as they are asked a series of questions relating to potential
controls.
– A standard list of questions may miss out unusual controls of Oregano.
AY 2020-2021 Page | 118

Flowcharts
Flowcharts are a graphic illustration of the internal control system for the sales and
despatch system. Lines usually demonstrate the sequence of events and standard
symbols are used to signify controls or documents.

– It is easy to view the sales system in its entirety as it is all presented together
in one diagram.
– Due to the use of standard symbols for controls, they are easy to spot as are
any missing controls.

– They can sometimes be difficult to amend, as any amendments may require
the whole flowchart to be redrawn.
– There is still the need for narrative notes to accompany the flowchart and
hence it can be a time consuming method.
b) Control objectives for sales and despatch system
– To ensure that orders are only accepted if goods are available to be processed
for customers.
– To ensure that all orders are recorded completely and accurately.
– To ensure that goods are not supplied to poor credit risks.
– To ensure that goods are despatched for all orders on a timely basis.
– To ensure that goods are despatched correctly to customers and that they are
of an adequate quality.
– To ensure that all goods despatched are correctly invoiced.
– To ensure completeness of income for goods despatched.
– To ensure that sales discounts are only provided to valid customers.
c) Deficiencies and controls for Oregano Co’s sales and despatch system
Deficiency Control
Inventory availability for telephone When telephone orders are placed,

orders is not checked at the time the the order clerk should check the
order is placed. The order clerks inventory system whilst the customer
manually check the availability later is on the phone; they can then give
and only then inform customers if there an accurate assessment of the
is insufficient inventory available. availability of goods and there is no
risk of forgetting to inform
customers.
AY 2020-2021 Page | 119

There is the risk that where goods are

not available, order clerks could forget
to contact the customers, leading to
unfulfilled orders. This could lead to
customer dissatisfaction, and would
impact Oregano’s reputation.
Telephone orders are not recorded All telephone orders should be

immediately on the three part pre- recorded immediately on the three
printed order forms; these are part pre-printed order forms. The
completed after the telephone call. clerk should also double check all the
details taken with the customer over
the telephone to ensure the accuracy
of the order recorded.
There is a risk that incorrect or

insufficient details may be recorded by
the clerk and this could result in
incorrect orders being despatched or
orders failing to be dispatched at all,
resulting in a loss of customer
goodwill.
Telephone orders are not sequentially The three part pre-printed orders
numbered. Therefore if orders are forms should be sequentially
misplaced whilst in transit to the numbered and on a regular basis the
dispatch department, these orders will dispatch department should run a
not be fulfilled, resulting in dissatisfied sequence check of orders received.
customers. Where there are gaps in the
sequence, they should be investigated
to identify any missing orders.
Customers are able to place online Customer credit limits should be

orders which will exceed their agreed reviewed more regularly by a
credit limit by 10%. This increases the responsible official and should
risk of accepting orders from bad credit reflect the current spending pattern of
risks. customers. If some customers have
increased the level of their purchases
and are making payments on time,
then these customers’ credit limits
could be increased.
The online ordering system should be

amended to not allow any orders to
be processed which will exceed the
customer’s credit limit.
AY 2020-2021 Page | 120

A daily pick list is used by the despatch In addition to the pick list, copies of
department when sending out customer all the related orders should be
orders. However, it does not appear printed on a daily basis. When the
that the goods are checked back to the goods have been picked ready to be
original order; this could result in despatched, they should be cross
incorrect goods being sent out. checked back to the original order.
They should check correct quantities
and product descriptions, as well as
checking the quality of goods being
despatched to ensure they are not
damaged.
Signed despatch notes are returned to Upon receipt of the signed despatch
the warehouse department who file notes, a copy of these should
them. If the accounts department do not immediately be forwarded to the
receive a copy of these signed despatch accounts department, who should use
notes, they will not know when to raise them to raise the invoices in a timely
the related sales invoices. This could manner.
result in goods being despatched but
not being invoiced, leading to a loss of
revenue.
Additional staff have been drafted in to Only the sales clerks should be able
help the two sales clerks produce the to raise sales invoices. As Oregano is
sales invoices. As the extra staff will expanding, consideration should be
not be as experienced as the sales given to recruiting and training more
clerks, there is an increased risk of permanent sales clerks who can
mistakes being made in the sales produce sales invoices.
invoices. This could result in customers
being under or overcharged.
Discounts given to customers are For customers who are due to receive
manually entered onto the sales a discount, the authorised discount
invoices by sales clerks. This could levels should be updated to the
result in unauthorised sales discounts customer master file. When the sales
being given as there does not seem to invoices for these customers are
be any authorisation required. raised, their discounts should
automatically appear on the invoice.
In addition, a clerk could forget to The invoicing system should be

manually enter the discount or enter an amended to prevent sales clerks from
incorrect level of discount for a being able to manually enter sales
customer, leading to the sales invoice discounts onto invoices.
being overstated and a loss of customer
goodwill.
END OF LECTURE 10
AY 2020-2021 Page | 121

Uol Aa Notes (l6 l10) .May2021

Uploaded by

Copyright:

Available Formats

Uol Aa Notes (l6 l10) .May2021

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Uol Aa Notes (l6 l10) .May2021

Uploaded by

Copyright:

Available Formats

SIM-GE AC3093 – Auditing and Assurance

Lecture Notes (Lecture 6 to 10)

Lecture 6 – Sampling and Materiality

a) To discuss the importance of audit sampling.

Audit sampling and materiality

Materiality is vital concept when auditors seek to determine company’s financial

Auditors must decide when appropriate to use sampling.

Sufficiency, relevance and reliability apply to audit sampling:

Designing and selecting the sample for testing

Auditors may use either:

Judgemental sampling (also known as non-statistical sampling)

Judgement has to be exercised in both statistical and non-statistical sampling.

But non-statistical sampling is said to be judgemental sampling because all aspects of

Problem with judgemental sampling is that characteristics of sample do not

Examples of lack of homogeneity:

Because of lack of homogeneity – common practice to stratify and to treat different

Sample selection methodology

b) Systematic or interval sampling

c) Block or cluster sampling (non-statistical)

d) Haphazard sampling (non-statistical)

Size of sample (level of confidence)

Sample size is important – depends on 1) level of confidence sought, and 2) expected

1) Level of confidence auditors require is influenced by assessment of inherent and

2) Expected error rate in population – important determinant of sample size.

Then what is tolerable error rate?

Reliability of evidence will also affect/determine sample size.

Evaluation of test results

Another perspective: if no errors found, what sample size is commensurate with

Monetary unit sampling (MUS)

Auditors not only interested in error rates – also in monetary effects.

Decide materiality – maximum value of errors prepared to accept.

Comparative advantages of statistical and non-statistical sampling

Advantage of statistical sampling: auditors make explicit judgements on confidence

Reduction in emphasis on sampling also because of move from detailed checking to

Materiality – Introduction (examined in the 2018 ZA Paper Q6)

Misstatements, including omissions are considered to be material if they, individually

Materiality and decision-making

The effect on users’ decisions is important in determining whether an item is material.

Auditors have to determine extent to which financial statements can be misstated

Type of investor auditor should consider is a sophisticated and knowledgeable

Materiality in the financial statements

Auditors often set materiality in terms of % of company’s financial statement figures.

Other aspects of materiality in relation to profit include:

Materiality at the planning stage

To reduce probability that total of uncorrected and undetected misstatements is

ISA 320 = Materiality in PLANNING and PERFORMING the audit. So there is a

So what is performance materiality?

Auditors should record decisions on materiality in audit files – at planning stage in

Materiality during the audit

If auditors’ estimate of misstatements exceeds materiality, consider nature, discuss

Auditor document misstatements above trivial amount, both corrected and

Nature of misstatements found

Auditors will be interested in the following features:

Materiality and the audit report

Quantitative vs Qualitative materiality

What is material may not always be based on quantitative amount. Sometimes, an

Auditors need to have regard to the following considerations when considering

Examples of qualitative materiality -