Audit Practice Manual (2022 Edition) Guidance Notes

Hong Kong Institute
of CPAs
Audit Practice Manual

(2022 edition)
HKICPA AUDIT PRACTICE MANUAL (2022 EDITION)
GUIDANCE NOTES
CONTENTS
1 Using the Audit Practice Manual .................................................................................................................... 2
2 Key Issues from Hong Kong Standards on Auditing ...................................................................................... 5
3 The APM: An Overview ................................................................................................................................ 25
4 Completing the Forms .................................................................................................................................. 31
5 Audit Evidence .............................................................................................................................................. 60
6 Assessment of Risk ...................................................................................................................................... 67
7 Materiality ..................................................................................................................................................... 70
8 Analytical Procedures ................................................................................................................................... 74
9 Sampling ....................................................................................................................................................... 78
10 Evaluation of Misstatements ....................................................................................................................... 82
11 Use of Audit Data Analytics ........................................................................................................................ 86
12 Practical Points on File Completion ............................................................................................................ 91
Appendix 1: Letter of Engagement
Appendix 2: Letter of Representation
Appendix 3: Letter of Comment
Appendix 4: Summary of Example Auditor’s Report
Appendix 5: Small and Medium-sized Entity Financial Reporting Framework and Financial Reporting Standard
(Revised)—Checklist for financial statements presentation and disclosure
Appendix 6: Hong Kong Financial Reporting Standard for Private Entities—Illustrative financial statements and
presentation and disclosure checklist
Appendix 7: Summary of HKFRS/IFRS Illustrative Financial Statements and Presentation and Disclosure
Checklists
Appendix 8: Companies Ordinance (Cap. 622)—Checklist for financial statements presentation and disclosure
1 USING THE AUDIT PRACTICE MANUAL
This Audit Practice Manual (APM) was developed by Mercia Group Limited. It was reviewed by the Standard
Setting Department of the Hong Kong Institute of Certified Public Accountants (HKICPA) who incorporated
changes to the manual to address requirements and practices applicable to Hong Kong. Updates to the APM
in 2022 were reviewed by an advisory panel made up of practitioners who have practical experience and direct
knowledge of performing audits of financial statements under Hong Kong Standards on Auditing (HKSAs), and
are technically conversant with HKSAs.
This APM has been approved by the HKICPA’s Auditing and Assurance Standards Committee for publication.
1.1 Introduction
The APM is a stand-alone system, with complete audit documentation available for use as required.
The system is very flexible, allowing you, through the planning, to decide the best approach to auditing each
of the relevant sections. This enables you to comply with relevant HKSAs as efficiently and effectively as
possible.
An example audit engagement file, Manufacturing Company Limited, has been created to illustrate how the
APM can be applied to a simply manufacturing company. It is provided to assist users’ understanding in the
application of the APM. Not all requirements and/or audit procedures of the HKSAs are covered in the example
file, nor it covers all parts of those requirements and/or audit procedures on items it illustrates.
1.2 Changes in this version
The main changes made in this version of the APM are set out below.
 The following programmes are updated to reflect the new and revised requirements of HKSA 315 (Revised
2019):
- Understanding the Entity (C4)
- Internal Controls (C5)
- Evaluate the Design and Implementation of Control Activities (C5.1)
- Risk Assessment (C8)
- Detailed Risk Assessment (C8.1)
- Financial Statement Risk Action Plan (C8.2)
- Assertion Risk Action Plan (C8.3)
- Know Your Client Checklist (PAF04)
 Other minor consequential amendments from the above changes.
 Revision of Second Partner Review / EQCR/ EQR (B2.2) to reflect the requirements of HKSQM 2,
Engagement Quality Reviews.
 Other minor amendments throughout to reflect the changes from Hong Kong Standards on Quality Control
(HKSQC) 1, Quality Control for Firms that Perform Audits and Reviews of Financial Statements, and Other
Assurance and Related Services Engagements to Hong Kong Standard on Quality Management (HKSQM)
1, Quality Management for Firms that Perform Audits or Reviews of Financial Statements, or Other
Assurance or Related Services Engagements and HKSQM 2 where relevant.
 Amendments to Independence Questionnaire (C2.1) to reflect changes to HKICPA Code of Ethics for
Professional Accountants (Code).
Page 2 APM Guidance Notes

 Amendments to the following programmes for clarity and to reflect the latest requirements:
- Checklist for reporting exemptions (HK incorporated company) (Capp01)
- New client checklist (PAF08)
- Audit programme – Other financial instruments and derivatives under HKAS 39 (App3.3)
- Audit programme – Other financial instruments and derivatives under HKFRS 9 (App3.4)
- Classification of financial assets (App3.5)
 Removal of the following programmes which are no longer applicable:

- Accountancy work planning (C13.1)
- Construction Contracts (App 4)
- Checklist: Issues Arising on Transition to HKFRS 9
 Appendices accompanying these guidance notes are updated to reflect the latest requirements and
references.
1.3 Referencing system
All working papers generated during the course of the audit or documents filed in the audit working paper file
should be referenced and cross-referenced to facilitate review.
The system contains detailed indices for all sections.
1.4 Forms
The forms in the APM have been designed to facilitate and encourage review and conclusions.
Where a form requires a formal conclusion, this will always be found at the bottom of the form, where space is
provided for originator and reviewer to sign. Many of the forms may be signed by staff other than the audit
principal, hence the use of the terms “prepared by” and “reviewed by” respectively. Where, however, a
signature is required by a senior/manager and/or partner specifically, the forms specify this.
Where forms do not require a formal conclusion, the “prepared by” and “reviewed by” sections are to be found
at the head of the form or schedule. Staff of appropriate seniority, should complete these with reviewers, in
particular, being trained to carry out the task.
The term “partner” or “principal” has been used to denote the responsible individual engagement partner on
the audit, who may be a sole practitioner. In certain circumstances, “second partner” may refer to another firm,
sole practitioner or other external agency with whom consultation has taken place. Incorporated practices
should interpret these terms accordingly.
The checklists in the APM do not address the required contents for an audit engagement letter. Instead, an
example engagement letter that satisfies the requirements of HKSAs is included in Appendix 1 of these
guidance notes.
1.5 Printing
The forms in the APM have been designed to be photocopied with copyright being waived in certain
circumstances (See 1.8 Copyright below). All forms are designed to be reproduced on single sided paper to
facilitate ease of copying.
The Excel Programme Generator of the APM allows a tailored selection of programmes to be produced in
Microsoft Excel with client’s name and period end together with some tailoring of the programmes themselves.
The forms may then be printed at this stage and completed manually or completed on-screen.

1.6 System requirements
The Excel template accompanying this APM does not require an installation although it does require that
macros be enabled. The same template will work on both 32-bit and 64-bit machines. A currently supported
version of Microsoft Excel is required.
1.7 Using the Excel template
The Excel template provides basic functionality and is simple to use. Tailoring takes place on the “Questions”
sheet consists of the following:
 Adding the client name, year-end date and any file reference number where indicated. These will then
appear on every sheet.
 Selecting the sheets required by use of the tick boxes. A sheet will appear when the adjacent box is ticked
and will be hidden where it is unticked. Each sheet will be displayed or hidden as the relevant box is ticked
or unticked. There is no longer any need to refresh the tailoring selection for it to be effective.
 Tailoring of individual programmes is now completed manually by the use of shading and / or strike through
text to show those procedures that are not required.
1.8 Copyright
The intellectual property rights to all contents and materials in this APM belong to and remain vested in
HKICPA. A waiver is granted to all subscribers of the APM who are allowed to use any checklists, programmes,
forms, memoranda or questionnaires for the purposes of any audit engagements or for any non-commercial
internal training of audit practice units. Save as aforesaid no part of this APM may be reproduced, modified,
adapted, or translated in any manner or format whatsoever or be utilized for any commercial purposes without
the authorization of HKICPA.
1.9 Disclaimer
Whilst every effort has been made to ensure accuracy, the APM is only a reference material and information
contained therein may not be comprehensive or may have been omitted that may be relevant to a particular
user. In particular, the APM does not constitute legal advice and it is not a substitute for reading the Code,
Hong Kong Financial Reporting Standards (HKFRSs), HKSAs, Companies Ordinance (Cap. 622) and relevant
professional and/or regulatory requirements in full. You should read the full Code, HKFRSs, HKSAs,
Companies Ordinance (Cap. 622) and relevant professional and/or regulatory requirements for, inter alia, the
corresponding definitions, interpretations, or other detailed provisions which may be applicable in a particular
situation. It remains an auditor’s professional responsibility to ensure that all relevant laws and regulations, as
well as professional standards, have been complied with.
HKICPA accepts no responsibility for any errors contained in the APM, or for any loss or damage caused,
directly or indirectly, by any acts or omission as a result of any reliance on any information in the APM.

2 KEY ISSUES FROM HONG KONG STANDARDS ON AUDITING
2.1 Introduction
The following HKSAs are the major standards covering risk assessment and risk response in an audit
engagement:
 HKSA 315 (Revised 2019), Identifying and Assessing the Risks of Material Misstatement;
 HKSA 330, The Auditor’s Responses to Assessed Risks; and
 HKSA 240, The Auditor’s Responsibilities Relating to Fraud in an Audit of Financial Statements.
This section of the guidance highlights key issues from the above standards and explains how they are
addressed in the APM.
Some important requirements in HKSA 540 (Revised), Auditing Accounting Estimates and Related Disclosures
are discussed as well.
These guidance notes incorporate the amendments to the standards that are effective for audits of financial
statements for periods commencing on or after 15 December 2021.
2.2 HKSA 315 (Revised 2019), Identifying and Assessing the Risks of Material
Misstatement
HKSA 315 (Revised 2019) sets out two areas that are fundamental to the audit planning process.
The first is the information you need to demonstrate that you have understood the entity and its environment
and the applicable financial reporting framework.
The second is your assessment of the risk of a material misstatement arising.
Objective
According to paragraph 11 of HKSA 315 (Revised 2019),
The objective of the auditor is to identify and assess the risks of material misstatement, whether due to fraud or
error, at the financial statement and assertion levels thereby providing a basis for designing and implementing
responses to the assessed risks of material misstatement.
Fraud is dealt with separately under HKSA 240 and is looked at later in these guidance notes.
According to paragraph A16 of HKSA 315 (Revised 2019), the nature and extent of risk assessment
procedures will vary based on the nature and circumstances of the entity. The auditor uses professional
judgment to determine the nature and extent of the risk assessment procedures to be performed to meet the
requirements of HKSA 315 (Revised 2019). Paragraph A54 further specifies that while some financial reporting
frameworks allow smaller entities to provide simpler and less detailed disclosures in the financial statements,
this does not relieve the auditor of the responsibility to obtain an understanding of the entity and its environment
and the applicable financial reporting framework as it applies to the entity.

High risk and significant risk
HKSA 315 (Revised 2019) defines a significant risk as:
An identified risk of material misstatement:
(i) For which the assessment of inherent risk is close to the upper end of the spectrum of inherent risk due to
the degree to which inherent risk factors affect the combination of the likelihood of a misstatement occurring
and the magnitude of the potential misstatement should that misstatement occur; or
(ii) That is to be treated as a significant risk in accordance with the requirements of other HKSAs.
The spectrum of inherent risk used within this APM includes “Low”, “Medium” and “High”. A “High” risk will
therefore be at the upper end of the spectrum of inherent risk, and hence for purposes of the APM “high risk”
is considered to be a “significant risk”.
Risk assessment procedures
Paragraph 12 of HKSA 315 (Revised 2019) defines “risk assessment procedures”, being the audit procedures
designed and performed to identify and assess the risks of material misstatement, whether due to fraud or
error, at the financial statement and assertion levels.
According to paragraph 14 of HKSA 315 (Revised 2019),
The risk assessment procedures shall include the following:
(a) Inquiries of management and of other appropriate individuals within the entity, including individuals within the
internal audit function (if the function exists).
(b) Analytical procedures.
(c) Observation and inspection.
These procedures can be carried out in conjunction with substantive testing and control testing.
Inquiry alone, however, is not sufficient for such purposes. The auditor is required to perform all the risk
assessment procedures described in paragraph 14 of HKSA 315 (Revised 2019) in the course of obtaining the
required understanding of the entity and its environment, the applicable financial reporting framework, and the
entity’s system of internal control. It should be noted that these procedures must be documented. A large
amount of this information will be filed in the permanent file. For example, the Know Your Client Checklist
(PAF04) will guide you through the requirements of HKSA 315 (Revised 2019) and help you to identify areas
that an understanding with respect to the entity is required by the standard. However, if you are going to rely
on information that has been obtained in previous periods, according to paragraph 16 of HKSA 315 (Revised
2019), you need to ensure that the information remains relevant and reliable for the current audit.
A key element of the risk assessment procedures is the engagement team meeting. It is vital that this meeting
is properly documented. In the APM this is on section 9 of the Planning Memorandum (C1) or alternatively on
the specific form provided Notes of Engagement Planning Meeting (C9). There is a similar requirement to hold
a planning meeting in HKSA 240 which could be performed within the same meeting.

Understanding the entity and its environment, and the applicable financial reporting
framework
Paragraph 19 of HKSA 315 (Revised 2019) sets out specific issues with respect to the entity and its
environment, and the applicable financial reporting framework that the audit team need to understand to
demonstrate that they have assessed the risk of material misstatement adequately:
The auditor shall perform risk assessment procedures to obtain an understanding of:
(a) The following aspects of the entity and its environment;
(i) The entity’s organizational structure, ownership and governance, and its business model, including the
extent to which the business model integrates the use of IT;
(ii) Industry, regulatory and other external factors; and
(iii) The measures used, internally and externally, to assess the entity’s financial performance;
(b) The applicable financial reporting framework, and the entity’s accounting policies and the reasons for any
changes thereto;
(c) How inherent risk factors affect susceptibility of assertions to misstatement and the degree to which they do
so, in the preparation of the financial statements in accordance with the applicable financial reporting
framework, based on the understanding obtained in (a) and (b).
Paragraph 20 of HKSA 315 (Revised 2019) adds that:
The auditor shall evaluate whether the entity’s accounting policies are appropriate and consistent with the
applicable financial reporting framework.
As noted above, the Know Your Client Checklist (PAF 04) is a guide to the information required.
Understanding the components of the entity’s system of internal control
The following table summarizes areas of the APM that assist auditors to obtain an understanding of and
perform evaluation over the components of the entity’s system of internal control:
Ref. in HKSA 315

Component Understanding Evaluation
(Revised 2019)
a Control environment Paragraph 21 Section 9 of PAF04 Section 4.4 of C4
The entity’s risk assessment
b Paragraph 22 Section 10 of PAF04 Section 4.5 of C4; C8
process
The entity’s process to
c monitor the system of internal Paragraph 24 Section 11 of PAF04 Section 4.6 of C4
control
The information system and
d Paragraph 25 Section 12 of PAF04 Section 4.7 of C4
communication
e Control activities Paragraph 26 Section 13 of PAF04 C5, C5.1
a. Control Environment
The control environment is a key component of internal control. Paragraph 21 of HKSA 315 (Revised 2019)
requires the auditor to obtain an understanding of the control environment relevant to the preparation of
the financial statements.

In the APM,
 Understanding the control environment is addressed in section 9 of the Know your Client Checklist
(PAF04)
 Evaluation of the control environment is addressed in section 4.4 of Understanding the Entity (C4).
b. The Entity’s Risk Assessment Process
Paragraph 22 of HKSA 315 (Revised 2019) states that the auditor shall obtain an understanding of the
entity’s risk assessment process relevant to the preparation of the financial statements, through performing
risk assessment procedures, by:
(a) Understanding the entity’s process for:
(i) Identifying business risks relevant to financial reporting objectives;
(ii) Assessing the significance of those risks, including the likelihood of their occurrence; and
(iii) Addressing those risks;
(b) Evaluating whether the entity’s risk assessment process is appropriate to the entity’s circumstances
considering the nature and complexity of the entity.
If the entity has not established such a process or has an ad hoc process, it is important to establish
whether business risks relevant to financial reporting objectives have been identified and how they have
been addressed. It is also necessary to consider whether the process, such as it is, is appropriate in the
circumstances, or whether it represents a significant deficiency in internal control.
Less complex entities are less likely to have an established risk assessment process. In such cases, it is
likely that management will identify risks through direct personal involvement in the business. But,
irrespective of the circumstances, inquiry about identified risks and how they are addressed by
management is still necessary.
In the APM,
 Understanding the entity’s risk assessment process is addressed in section 10 of the Know your Client
Checklist (PAF04)
 Evaluating the entity’s risk assessment process is addressed in section 4.5 of Understanding the Entity
(C4) and on Risk Assessment (C8).
c. The Entity’s Process to Monitor the System of Internal Control
entity’s process for monitoring the system of internal control relevant to the preparation of the financial
statements, through performing risk assessment procedures, by:
(a) Understanding those aspects of the entity’s process that address:
(i) Ongoing and separate evaluations for monitoring the effectiveness of controls, and the identification and
remediation of control deficiencies identified; and
(ii) The entity’s internal audit function, if any, including its nature, responsibilities and activities;

(b) Understanding the sources of the information used in the entity’s process to monitor the system of internal
control, and the basis upon which management considers the information to be sufficiently reliable for the
purpose; and
(c) Evaluating whether the entity’s process for monitoring the system of internal control is appropriate to the
entity’s circumstances considering the nature and complexity of the entity.
In less complex entities, and in particular owner-manager entities, the auditor’s understanding of the
entity’s process to monitor the system of internal control is often focused on how management or the
owner-manager is directly involved in operations, as there may not be any other monitoring activities.
Paragraph 10 of Appendix 3 of HKSA 315 (Revised 2019), Understanding the Entity’s System of Internal
Control recognizes that the entity’s process to monitor the system of internal control is a continual process
to evaluate the effectiveness of the entity’s system of internal control, and to take necessary remedial
actions on a timely basis. Ongoing monitoring activities are often built into the normal recurring activities
of an entity and may include regular management and supervisory activities.
In the APM,
 Understanding the entity’s process to monitor the system of internal control is addressed in section 11
of the Know your Client Checklist (PAF04)
 Evaluating the entity’s process for monitoring the system of internal control is addressed in section 4.6
of Understanding the Entity (C4)
d. The Information System and Communication
entity’s information system and communication relevant to the preparation of the financial statements,
through performing risk assessment procedures, by:
(a) Understanding the entity’s information processing activities, including its data and information, the resources
to be used in such activities and the policies that define, for significant classes of transactions, account
balances and disclosures1:
(i) How information flows through the entity’s information system, including how:
a. Transactions are initiated, and how information about them is recorded, processed, corrected as
necessary, incorporated in the general ledger and reported in the financial statements; and
b. Information about events and conditions, other than transactions, is captured, processed and
disclosed in the financial statements;
(ii) The accounting records, specific accounts in the financial statements and other supporting records
relating to the flows of information in the information system;
1
According to paragraph 12(k) of HKSA 315 (Revised 2019), “significant classes of transactions, account balances and disclosures”
refers to a class of transactions, account balance or disclosure for which there is one or more relevant assertions.
According to paragraph 12(h), “relevant assertions” refers to an assertion about a class of transactions, account balance or disclosure
is relevant when it has an identified risk of material misstatement. The determination of whether an assertion is a relevant assertion is
made before consideration of any related controls, i.e., the inherent risk.
As further explained in paragraph A15a of HKSA 200, a risk of material misstatement exists when there is a reasonable possibility of:
(a) a misstatement occurring (i.e., its likelihood); and (b) being material if it were to occur (i.e., its magnitude).

(iii) The financial reporting process used to prepare the entity’s financial statements, including disclosures;
and
(iv) The entity’s resources, including the IT environment, relevant to (a)(i) to (a)(iii) above;
(b) Understanding how the entity communicates significant matters that support the preparation of the financial
statements and related reporting responsibilities in the information system and other components of the
system of internal control:
(i) Between people within the entity, including how financial reporting roles and responsibilities are
communicated;
(ii) Between management and those charged with governance; and
(iii) With external parties, such as those with regulatory authorities; and
(c) Evaluating whether the entity’s information system and communication appropriately support the preparation
of the entity’s financial statements in accordance with the applicable financial reporting framework.
In the APM,
 Understanding the information system and communication is addressed in section 12 of the Know
your Client Checklist (PAF04)
 Evaluating the entity’s process for monitoring the system of internal control is addressed in section 4.7
of Understanding the Entity (C4).
e. Control Activities
control activities component, through performing risk assessment procedures, by:
(a) Identifying controls that address risks of material misstatement at the assertion level in the control activities
component as follows:
(i) Controls that address a risk that is determined to be a significant risk;
(ii) Controls over journal entries, including non-standard journal entries used to record non-recurring,
unusual transactions or adjustments;
(iii) Controls for which the auditor plans to test operating effectiveness in determining the nature, timing and
extent of substantive testing, which shall include controls that address risks for which substantive
procedures alone do not provide sufficient appropriate audit evidence; and
(iv) Other controls that the auditor considers are appropriate to enable the auditor to meet the objectives of
paragraph 13 with respect to risks at the assertion level, based on the auditor’s professional judgment;
(b) Based on controls identified in (a), identifying the IT applications and the other aspects of the entity’s IT
environment that are subject to risks arising from the use of IT;
(c) For such IT applications and other aspects of the IT environment identified in (b), identifying:
(i) The related risks arising from the use of IT; and
(ii) The entity’s general IT controls that address such risks; and

(d) For each control identified in (a) or (c)(ii):
(i) Evaluating whether the control is designed effectively to address the risk of material misstatement at the
assertion level, or effectively designed to support the operation of other controls; and
(ii) Determining whether the control has been implemented by performing procedures in addition to inquiry
of the entity’s personnel.
It is not necessary to identify all control activities. According to paragraph A148 of HKSA 315 (Revised
2019), the auditor’s identification and evaluation of controls in the control activities component is focused
on information processing controls, which are controls applied during the processing of information in the
entity’s information system that directly address risks to the integrity of information. However, the auditor
is not required to identify and evaluate all information processing controls related to the entity’s policies
that define the flows of transactions and other aspects of the entity’s information processing activities for
the significant classes of transactions, account balances and disclosures.
Paragraph A153 of HKSA 315 (Revised 2019) gives examples of types of controls that may be identified:
 Authorizations and approvals;
 Reconciliations;
 Verifications (such as edit and validation checks or automated calculation);
 Segregation of duties;
 Physical or logical controls (including those address safeguarding of assets).
Paragraphs A156 to A157 of HKSA 315 (Revised 2019) recognizes that whilst controls in less complex
entities are likely to be similar to those in larger entities, the formality with which they operate may vary
and that it may be less practicable to establish segregation of duties in less complex entities.
In the APM,
 Understanding control activities is addressed in section 13 of the Know your Client Checklist (PAF04)
 The evaluation of design and determination of implementation of controls is addressed on Internal

Controls (C5) and Evaluate the Design and Implementation of Control Activities (C5.1)
Control Deficiencies
Paragraph 27 of HKSA 315 (Revised 2019) requires the auditor to determine whether one or more control
deficiencies have been identified, based on the evaluation of each of the components of the entity’s system of
internal control. This is documented on Internal Controls (C5).

Identifying and assessing the risks of material misstatement
The key requirements for risk assessment are set out in paragraphs 28 to 37 of HKSA 315 (Revised 2019).
In the APM, any risk for which the inherent risk is assessed as “High”, therefore be at the upper end of the
spectrum of inherent risk, is a significant risk.
The risks that are required to be treated as a significant risk in accordance with the requirements of other
HKSAs are:
 Risks of material misstatement due to fraud, including management override of controls (paragraphs 28
and 32 of HKSA 240); and
 Significant related party transactions outside the entity’s normal course of business (paragraph 18 of HKSA
550, Related Parties).
In the APM, risk assessment is addressed as part of the planning process. The forms provided and their
purpose is described below.
Risk Assessment (C8) is a guide through the risk assessment process.
Detailed Risk Assessment (C8.1) is a questionnaire which is intended to assist in the identification of risks that
may apply to the client. The questionnaire can also be used to record how low level risks will be managed.
Financial Statement Risk Action Plan (C8.2) should record the risk, response and outcome in respect of
financial statement level risks arising.
Assertion Risk Action Plan (C8.3) should record the risk, response and outcome in respect of assertion level
risks arising.
Risk Response Summary (C8.4) summarizes the overall response to risk on a section by section basis. In
particular, it addresses the residual risk that remains once specific risks have been dealt with on C8.3.
Stand-back assessments
HKSA 315 (Revised 2019) includes two stand-back requirements in its paragraphs 35 and 36 with respect to
risk assessment.
 The auditor shall evaluate whether the audit evidence obtained from the risk assessment procedures
provides an appropriate basis for the identification and assessment of the risks of material misstatement. If
not, the auditor shall perform additional risk assessment procedures until audit evidence has been obtained
to provide such a basis. In identifying and assessing the risks of material misstatement, the auditor shall
take into account all audit evidence obtained from the risk assessment procedures, whether corroborative
or contradictory to assertions made by management.
 For material classes of transactions, account balances or disclosures that have not been determined to be
significant classes of transactions, account balances or disclosures, the auditor shall evaluate whether the
auditor’s determination remains appropriate.
In the APM, these evaluations are covered by Questions 20 and 21 on Risk Assessment (C8) which the
evaluation results should be documented.

Revision of risk assessment
Paragraph 37 of HKSA 315 (Revised 2019) contains a requirement for auditor to revise the risk assessment if
new information obtained is inconsistent with the audit evidence on which the auditor originally based the
identification or assessments of the risks of material misstatement.
In the APM, the revision of the risk assessment is addressed by questions prompting a review of risk in the
conclusion of each detailed work area and by the requirement for the planning to be reviewed and signed-off
as part of the audit completion.
Documentation
As set out in paragraph 38 of HKSA 315 (Revised 2019),
The auditor shall include in the audit documentation:
(a) The discussion among the engagement team and the significant decisions reached;
(b) Key elements of the auditor’s understanding in accordance with paragraphs 19, 21, 22, 24 and 25; the
sources of information from which the auditor’s understanding was obtained; and the risk assessment
procedures performed;
(c) The evaluation of the design of identified controls, and determination whether such controls have been
implemented, in accordance with the requirements in paragraph 26; and
(d) The identified and assessed risks of material misstatement at the financial statement level and at the
assertion level, including significant risks and risks for which substantive procedures alone cannot provide
sufficient appropriate audit evidence, and the rationale for the significant judgments made.
These documentation requirements will be met by firstly ensuring that the necessary information is recorded
on the permanent file. The Know Your Client Checklist (PAF04) is a guide to the sort of areas that should be
included.
Identified risks, the assessment of those risks and the response to them should be recorded on either the
Financial Statement Risk Action Plan (C8.2) or the Assertion Risk Action Plan (C8.3) as appropriate. Related
controls should be referenced from the “Management Response” column on C8.3 and recorded on Evaluate
the Design and Implementation of Control Activities (C5.1).
The engagement team discussion should be recorded on Notes of Engagement Team Planning Meeting (C9).
The supporting notes to this area say that the form and extent of the documentation will be influenced by the
nature, size and complexity of the business and its internal control. The availability of information from the
business and the audit approach adopted by the firm will also have an impact on the level of information.
Ordinarily, the more complex the entity and the more extensive the audit procedures performed by the auditor,
the more extensive the auditor's documentation will be.

2.3 HKSA 330, The Auditor’s Responses to Assessed Risks
This standard sets out the responses that the engagement team should have to the risks that have been
identified at the planning stage. It also covers further responses that may be needed if additional risks are
identified during the audit stage.
The objective of HKSA 330 is set out in paragraph 3:
The objective of the auditor is to obtain sufficient appropriate audit evidence regarding the assessed risks of
material misstatement, through designing and implementing appropriate responses to those risks.
The standard requires the auditor to demonstrate that his or her planned audit approach has a link between
the level of assessed risk and planned audit procedures in response to the risk.
The standard considers the auditors’ responses to risks identified at the financial statement level and the
assertion level. The financial statement level relates to the overall view given by the financial statements as a
whole and the assertion level relates to specific assertions in individual areas.
Paragraph 5 of HKSA 330 requires that:
The auditor shall design and implement overall responses to address the assessed risks of material misstatement
at the financial statement level.
In the APM, the Financial Statement Risk Action Plan (C8.2) and the Assertion Risk Action Plan (C8.3) have
columns to record the auditor’s response to each risk and also a cross reference to the outcome of the
procedures performed.
Response to risk at the assertion level
Paragraph 6 of HKSA 330 requires the auditor to design and perform further audit procedures whose nature,
timing and extent are based on and are responsive to the assessed risks of material misstatement at the
assertion level.
Planning a response at the assertion level means looking at how a risk will affect particular amounts or
disclosure in the financial statements, for example, the understatement of income or the overstatement of trade
receivables. Responses to risks specified on the Assertion Risk Action Plan (C8.3) should therefore be specific
tests that can be evidenced, not vague statements which are impossible to execute.
In certain circumstances, HKSA 330 specifies the responses required; however, as a general principle the
higher the risk the more persuasive the audit evidence that is required to reduce that risk to an acceptably low
level.
Tests of Control
HKSA 315 (Revised 2019) requires an evaluation of the design, and determination of the implementation of
specified controls namely:
 Controls that address a risk that is determined to be a significant risk;
 Controls over journal entries, including non-standard journal entries used to record non-recurring, unusual
transactions or adjustments;

 Controls for which the auditor plans to test operating effectiveness in determining the nature, timing and
 Other controls that the auditor considers are appropriate to enable the auditor to meet the objectives of
paragraph 13 of HKSA 315 (Revised 2019) with respect to risks at the assertion level, based on the
auditor’s professional judgment; and
 The entity’s general IT controls that address the risks arising from the use of IT.
However, this is not the same as testing the operating effectiveness of controls. Evaluating the design and
determining the implementation of a control is part of the auditor’s risk assessment procedures and is intended
to enable the auditor to form an initial expectation of the operating effectiveness of controls identified in the
control activities component. Determining implementation is like carrying out a walkthrough test; it gives no
assurance as to the effective operation of the control.
With certain exceptions, HKSA 330 does not require testing of the operating effectiveness of controls. Auditors
may therefore usually undertake a wholly substantive approach to auditing if they choose. However, as noted
above there are some exceptions as specified in paragraph 8 of HKSA 330:
The auditor shall design and perform tests of controls to obtain sufficient appropriate audit evidence as to the
operating effectiveness of controls if:
(a) The auditor’s assessment of risks of material misstatement at the assertion level includes an expectation that
the controls are operating effectively (that is, the auditor intends to rely on the operating effectiveness of
controls in determining the nature, timing and extent of substantive procedures); or
(b) Substantive procedures alone cannot provide sufficient appropriate audit evidence at the assertion level.
So, in practical terms, what does this mean? This is best illustrated with some examples.
Expectation of controls operating
If you have a business selling widgets from a retail outlet and also online and by mail order then the sales
system for this company, even if the turnover is relatively small, are likely to include some basic controls. In
these circumstances paragraph “a” above says that the auditor should not justify low risk for sales on the basis
that the client has a good system and that staff know what they are doing (that is an expectation that controls
are operating) without performing tests on controls of the entity’s system of internal control to confirm that that
is the case.
Contrast this with fixed assets in the same company. Perhaps there is a freehold building carried at cost and
some plant and fixtures that are not material. In this instance the risk relating to the fixed assets can be
assessed as low without any reference to controls as the auditor is only concerned about the ownership,
existence and valuation of the property.
Substantive procedures provide insufficient evidence
An obvious example here would be a business with significant cash sales. Substantive tests are not usually
effective in confirming completeness of sales. Therefore, it is necessary to look at controls to obtain sufficient
evidence that all sales are recorded.
Another example would be an online automated sales system. As the transaction is processed automatically
with little or no manual intervention, substantive testing may be difficult or impossible. So again, tests on the
system would be required.

Nature and extent of reliance
A fairly obvious point:
In designing and performing tests of controls, the auditor shall obtain more persuasive audit evidence the greater
the reliance the auditor places on the effectiveness of a control. (Paragraph 9 of HKSA 330)
The auditor is also able to place reliance on controls tested in interim or previous periods, subject of course to
confirming the continuing relevance and reliability of that evidence. That is confirming that the systems have
not changed from the previous period (Paragraphs 12 to 14 of HKSA 330).
In respect of significant risks, if the auditor plans to reply on the operating effectiveness of controls, paragraph
15 of HKSA 330 states that those controls must be tested in the current period.
In the APM,
 All work on testing the operating effectiveness of controls is recorded in the S section. If a wholly
substantive approach is applied, then the S section is not required.
 Review of the design and implementation of controls that is required on every audit (regardless whether a
test of controls approach is applied) and is recorded in the C section, notably Understanding the Entity
(C4), Internal Controls (C5) and Evaluate the Design and Implementation of Control Activities (C5.1).
Substantive Procedures
According to paragraph 18 of HKSA 330, irrespective of the assessed risks of material misstatement, the
auditor shall design and perform substantive procedures for each material class of transactions, account
balance, and disclosure.
A wholly control-based audit is therefore not permitted and some substantive testing must be carried out.
According to paragraph 4 of HKSA 330, substantive procedures comprise (i) tests of details; and (ii) substantive
analytical procedures.
When dealing with a significant risk, according to paragraph 21 of HKSA 330,
If the auditor has determined that an assessed risk of material misstatement at the assertion level is a significant
risk, the auditor shall perform substantive procedures that are specifically responsive to that risk. When the
approach to a significant risk consists only of substantive procedures, those procedures shall include tests of
details.
Evaluating the sufficiency and appropriateness of audit evidence
Paragraph 25 of HKSA 330 requires that:
Based on the audit procedures performed and the audit evidence obtained, the auditor shall evaluate before the
conclusion of the audit whether the assessments of the risks of material misstatement at the assertion level remain
appropriate.
As noted above this is addressed in the conclusion of each detailed work programme; it is also addressed by
the requirement to review and sign-off the planning at the completion stage.

Documentation
As with HKSA 315 (Revised 2019), the requirements for documenting the work undertaken have not changed.
Paragraph 28 of HKSA 330 states that:
(a) The overall responses to address the assessed risks of material misstatement at the financial statement
level, and the nature, timing and extent of the further audit procedures performed;
(b) The linkage of those procedures with the assessed risks at the assertion level; and
(c) The results of the audit procedures, including the conclusions where these are not otherwise clear.
In the APM,
 Use of the Assertion Risk Action Plan (C8.3) clearly shows the linkage between the identified risk, the
assessment of that risk, the planned response and a reference to the outcome of the procedures
undertaken.
 Where this form is not used or the layout is amended for inclusion in a planning memorandum, users
should ensure that the above requirements are still addressed.
2.4 HKSA 240, The Auditor’s Responsibilities Relating to Fraud in an Audit of

Financial Statements
The term “fraud” refers to an intentional act by one or more individuals among management, those charged
with governance, employees, or third parties, involving the use of deception to obtain an unjust or illegal
advantage.
The auditor is primarily concerned with any fraud or risk of fraud that may cause a material misstatement in
the financial statements. The auditor is not expected or required to make a legal determination as to whether
fraud has actually taken place or not.
The objective of HKSA 240 as stated in paragraph 11 is therefore as follows:
The objectives of the auditor are:
(a) To identify and assess the risks of material misstatement of the financial statements due to fraud;
(b) To obtain sufficient appropriate audit evidence regarding the assessed risks of material misstatement due to
fraud, through designing and implementing appropriate responses; and
(c) To respond appropriately to fraud or suspected fraud identified during the audit.
HKSA 240 is essentially application notes for applying HKSA 315 (Revised 2019) and HKSA 330 to fraud. The
approach required by the standard follows HKSA 315 (Revised 2019) and HKSA 330 and it repeats a number
of their requirements, but with the emphasis placed on fraud.

Professional skepticism
As required by paragraph 13 of HKSA 240,
In accordance with HKSA 200, the auditor shall maintain professional skepticism throughout the audit, recognizing
the possibility that a material misstatement due to fraud could exist, notwithstanding the auditor's past experience
of the honesty and integrity of the entity’s management and those charged with governance.
However, the auditor is also entitled to accept documents and explanations received as genuine unless there
are indications to the contrary (see paragraph 14 of HKSA 240). The auditor should be skeptical, not
disbelieving of everything.
Discussion among the Engagement Team
HKSA 240 also has requirements for discussion among the engagement team as discussed above in relation
to HKSA 315 (Revised 2019). HKSA 240 does not envisage a separate meeting, rather it highlights additional
matters to be considered at the meeting.
Paragraph 16 of HKSA 240 states the following:
HKSA 315 (Revised 2019) requires a discussion among the engagement team members and a determination by
the engagement partner of which matters are to be communicated to those team members not involved in the
discussion. This discussion shall place particular emphasis on how and where the entity’s financial statements
may be susceptible to material misstatement due to fraud, including how fraud might occur. The discussion shall
occur setting aside beliefs that the engagement team members may have that management and those charged
with governance are honest and have integrity.
In the APM,
 The engagement team meeting can be documented as part of the Planning Memorandum (C1) or on the
Notes of Engagement Team Planning Meeting (C9).
 A checklist of issues that may be relevant to the engagement team discussion is included on Fraud Risk
Factors (C9.1) and a general Engagement Team Planning Meeting Checklist (C9.2) is also included.
Risk assessment procedures
The auditor is required to consider how management and, where different, those charged with governance
identifies and responds to the risks of fraud.
According to paragraph 18 of HKSA 240,
The auditor shall make inquiries of management regarding:
(a) Management’s assessment of the risk that the financial statements may be materially misstated due to fraud,
including the nature, extent and frequency of such assessments;
(b) Management’s process for identifying and responding to the risks of fraud in the entity, including any specific
risks of fraud that management has identified or that have been brought to its attention, or classes of
transactions, account balances, or disclosures for which a risk of fraud is likely to exist;
(c) Management’s communication, if any, to those charged with governance regarding its processes for
identifying and responding to the risks of fraud in the entity; and

(d) Management’s communication, if any, to employees regarding its views on business practices and ethical
behavior.
Paragraphs 19 and 22 of HKSA 240 specifically require the auditor to ask whether management and, where
they are not involved in management, those charged with governance whether they have knowledge of any
actual, suspected or alleged fraud affecting the entity.
Paragraphs 23 and 24 of HKSA 240 specifically require that the auditor considers whether any unusual or
unexpected relationships, or indeed any other information obtained, indicate a material risk of misstatement
due to fraud.
In the APM, the approach to risk of fraud is addressed together with other risks of misstatement. Therefore,
whilst there are some specific fraud-related questions in the various checklists, the assessment of fraud risk is
part of the overall risk assessment process. See Risk Assessment (C8), section 18 of the Detailed Risk
Assessment (C8.1) and section 15 of the Know Your Client Checklist (PAF04).
Identification and assessment of risk due to fraud
Paragraph 26 of HKSA 240 requires that fraud risks be identified and assessed in the same way as other risks
in accordance with HKSA 315 (Revised 2019).
However, HKSA 240 has some specific requirements in relation to revenue recognition.
Paragraph 27: When identifying and assessing the risks of material misstatement due to fraud, the auditor shall,
based on a presumption that there are risks of fraud in revenue recognition, evaluate which types of revenue,
revenue transactions or assertions give rise to such risks.
Paragraph 28: The auditor shall treat those assessed risks of material misstatement due to fraud as significant
risks and accordingly, to the extent not already done so, the auditor shall identify the entity’s controls that address
such risks, and evaluate their design to determine whether they have been implemented.
In the APM these requirements are addressed on Risk Assessment (C8).
Response to risks of fraud
A response to risks of fraud is required in the same way as other risks in accordance with HKSA 330. However,
as with identification and assessment there are some specific requirements in HKSA 240 in respect of fraud
risks.
Overall response
In determining overall responses to the assessed risks of material misstatement due to fraud at the financial
statement level, paragraph 30 of HKSA 240 requires the auditor to:
(a) Assign and supervise personnel taking account of the knowledge, skill and ability of the individuals to be
given significant engagement responsibilities and the auditor’s assessment of the risks of material
misstatement due to fraud for the engagement;
(b) Evaluate whether the selection and application of accounting policies by the entity, particularly those related
to subjective measurements and complex transactions, may be indicative of fraudulent financial reporting
resulting from management’s effort to manage earnings; and
(c) Incorporate an element of unpredictability in the selection of the nature, timing and extent of audit procedures.

Also, paragraph 31 of HKSA 240 states that,
In accordance with HKSA 330, the auditor shall design and perform further audit procedures whose nature, timing
and extent are responsive to the assessed risks of material misstatement due to fraud at the assertion level.
Management override of controls
HKSA 240 has some specific requirements in respect of the risk of management override of controls.
Firstly, paragraph 32 requires that this be treated as a significant risk (see Risk Assessment (C8)).
Secondly, paragraph 33 states:
Irrespective of the auditor’s assessment of the risks of management override of controls, the auditor shall design
and perform audit procedures to:
(a) Test the appropriateness of journal entries recorded in the general ledger and other adjustments made in the
preparation of the financial statements. In designing and performing audit procedures for such tests, the
auditor shall:
(i) Make inquiries of individuals involved in the financial reporting process about inappropriate or unusual
activity relating to the processing of journal entries and other adjustments;
(ii) Select journal entries and other adjustments made at the end of a reporting period; and
(iii) Consider the need to test journal entries and other adjustments throughout the period.
(b) Review accounting estimates for biases and evaluate whether the circumstances producing the bias, if any,
represent a risk of material misstatement due to fraud. In performing this review, the auditor shall:
(i) Evaluate whether the judgments and decisions made by management in making the accounting
estimates included in the financial statements, even if they are individually reasonable, indicate a
possible bias on the part of the entity’s management that may represent a risk of material misstatement
due to fraud. If so, the auditor shall re-evaluate the accounting estimates taken as a whole; and
(ii) Perform a retrospective review of management judgments and assumptions related to significant
accounting estimates reflected in the financial statements of the prior year.
(c) For significant transactions that are outside the normal course of business for the entity, or that otherwise
appear to be unusual given the auditor’s understanding of the entity and its environment and other information
obtained during the audit, the auditor shall evaluate whether the business rationale (or the lack thereof) of
the transactions suggests that they may have been entered into to engage in fraudulent financial reporting
or to conceal misappropriation of assets.
HKSAs include some significant requirements in respect of accounting estimates and these are addressed
later in this chapter.

Letter of representation
HKSA 240 has some specific requirements concerning representations from the client that must be obtained
in writing. According to paragraph 40 of HKSA 240,
The auditor shall obtain written representations from management and, where appropriate, those charged with
governance that:
(a) They acknowledge their responsibility for the design, implementation and maintenance of internal control to
prevent and detect fraud;
(b) They have disclosed to the auditor the results of management’s assessment of the risk that the financial
statements may be materially misstated as a result of fraud;
(c) They have disclosed to the auditor their knowledge of fraud, or suspected fraud, affecting the entity involving:
(i) Management;
(ii) Employees who have significant roles in internal control; or
(iii) Others where the fraud could have a material effect on the financial statements; and
(d) They have disclosed to the auditor their knowledge of any allegations of fraud, or suspected fraud, affecting
the entity’s financial statements communicated by employees, former employees, analysts, regulators or
others.
In the APM, the proforma letter of representation included in Appendix 2 of these guidance notes and
addresses these requirements.
Communications to management and with those charged with governance
The auditor is required by paragraphs 41 and 42 of HKSA 240 to inform both management and, where different,
those charged with governance of any indications of fraud on a timely basis.
The proforma letter of comment included in Appendix 3 of these guidance notes addresses these
requirements.
Documentation
The documentation requirements of HKSA 240 apply those of HKSA 315 (Revised 2019) and HKSA 330 to
risks of fraud.
As noted previously, the APM applies the same processes to risks of fraud as to other risks. Therefore,
following the documentation in the APM (see documentation requirements of HKSA 315 (Revised 2019) and
HKSA 330 above) ensures that identification, assessment and response to risks of fraud are properly
documented.

2.5 HKSA 540 (Revised), Auditing Accounting Estimates and Related Disclosures
The approach required by HKSA 540 (Revised) follows the framework established by HKSA 315 (Revised
2019). When applying HKSA 315 (Revised 2019) to accounting estimates, HKSA 540 (Revised) includes
requirements and guidance that refer to, or expand on, those of the HKSA 315 (Revised 2019) related to
accounting estimates.
Risk assessment procedures and related activities
Paragraph 13 of HKSA 540 (Revised) sets out some specific areas regarding accounting estimates about
which the auditor should obtain an understanding. These include but are not limited to:
 The requirements of the applicable financial reporting framework concerning related to accounting
estimates (including the recognition criteria, measurement bases, and the related presentation and
disclosure requirements).
 The nature and extent of oversight and governance that the entity has in place over management’s
financial reporting process relevant to accounting estimates.
 How the entity’s risk assessment process identifies and addresses risks relating to accounting estimates.
 The entity’s information system as it relates to accounting estimates.
In the APM these requirements are addressed in section 8 of the Know Your Client Checklist (PAF04) and on
Accounting Estimates (PAF13). All accounting estimates should be recorded on Accounting Estimates (PAF
13).
Paragraph 14 of HKSA 540 (Revised) then contains a specific requirement to review the outcome of accounting
estimates made in previous years:
The auditor shall review the outcome of previous accounting estimates, or, where applicable, their subsequent
re-estimation to assist in identifying and assessing the risks of material misstatement in the current period. The
auditor shall take into account the characteristics of the accounting estimates in determining the nature and extent
of that review. The review is not intended to call into question judgments about previous period accounting
estimates that were appropriate based on the information available at the time they were made.
This requirement is addressed within Review of Accounting Estimates (C4.1) and section 4.8 of Understanding
the Entity (C4).
Further, paragraph 15 of HKSA 540 (Revised) requires:
With respect to accounting estimates, the auditor shall determine whether the engagement team requires
specialized skills or knowledge to perform the risk assessment procedures, to identify and assess the risks of
material misstatement, to design and perform audit procedures to respond to those risks, or to evaluate the audit
evidence obtained.
This requirement is addressed in section 4.8 of Understanding the Entity (C4).

Identifying and assessing the risks of material misstatement
According to paragraph 16 of HKSA 540 (Revised), in identifying and assessing the risks of material
misstatement, the auditor shall take into account:
(a) The degree to which the accounting estimate is subject to estimation uncertainty; and
(b) The degree to which the following are affected by complexity, subjectivity, or other inherent risk factors:
(i) The selection and application of the method, assumptions and data in making the accounting estimate;
or
(ii) The selection of management’s point estimate and related disclosures for inclusion in the financial
statements.
These requirements are addressed on Review of Accounting Estimates (C4.1) and section 4.8 of
Understanding the Entity (C4).
Additionally, the auditor shall determine whether any of the risks of material misstatement identified and
addressed above are, in the auditor’s judgment, a significant risk.
This determination is indicated on the Assertion Risk Action Plan (C8.3) which includes a summary of
information about the risk associated with the estimate.
Responses to assessed risks of material misstatement
Paragraph 18 of HKSA 540 (Revised) sets out some procedures to be undertaken in response to a risk of
misstatement in an accounting estimate. The wording of the standard is very specific and it requires one or
more of the steps specified is undertaken:
The auditor’s further audit procedures shall include one or more of the following approaches:
(a) Obtaining audit evidence from events occurring up to the date of the auditor’s report;
(b) Testing how management made the accounting estimate; or
(c) Developing an auditor’s point estimate or range.
The auditor’s further audit procedures shall take into account that the higher the assessed risk of material
misstatement, the more persuasive the audit evidence needs to be. The auditor shall design and perform further
audit procedures in a manner that is not biased towards obtaining audit evidence that may be corroborative or
towards excluding audit evidence that may be contradictory.
Paragraphs 19 to 30 of HKSA 540 (Revised) add further requirements in connection with the above steps.
In the APM, the response should be documented on the Accounting Estimate: Work Programme (D3), a copy
of which is used for each estimate that is material, or where there is a risk it may have a material impact. The
programme is tailored for each particular estimate to ensure it is relevant, and a copy filed in the section to
which the accounting estimate relates. A summary of the approach is also documented on Review of
Accounting Estimates (C4.1).
Audit programmes throughout the APM include reminders to record and plan the work for all estimates.

Other requirements
Paragraph 32 of HKSA 540 (Revised) requires the auditor to consider the possibility of management bias in
making accounting estimates. A suggested working paper to assist with this process is included at Review of
Accounting Estimates for Bias (V3).
Paragraphs 33 to 36 of HKSA 540 (Revised) require an overall evaluation based on audit procedures
performed. This is principally guided by Evaluation of Accounting Estimates (B6.2) with confirmations on
Review of Financial Statements (B5) and Audit Highlights (B6).
Further, paragraph 37 of HKSA 540 (Revised) states that:
The auditor shall request written representations from management and, when appropriate, those charged with
governance about whether the methods, significant assumptions and the data used in making the accounting
estimates and the related disclosures are appropriate to achieve recognition, measurement or disclosure that is
in accordance with the applicable financial reporting framework. The auditor shall also consider the need to obtain
representations about specific accounting estimates, including in relation to the methods, assumptions, or data
used.
Under paragraph 38 of HKSA 540 (Revised), the auditor is also required to consider the matters, if any, to
communicate (to those charged with governance, management or other relevant parties) regarding accounting
estimates.
The documentation requirements for accounting estimates are set out in paragraph 39 of HKSA 540 (Revised):
(a) Key elements of the auditor’s understanding of the entity and its environment, including the entity’s internal
control related to the entity’s accounting estimates;
(b) The linkage of the auditor’s further audit procedures with the assessed risks of material misstatement at the
assertion level, taking into account the reasons (whether related to inherent risk or control risk) given to the
assessment of those risks;
(c) The auditor’s response(s) when management has not taken appropriate steps to understand and address
estimation uncertainty;
(d) Indicators of possible management bias related to accounting estimates, if any, and the auditor’s evaluation
of the implications for the audit, as required by paragraph 32; and
(e) Significant judgments relating to the auditor’s determination of whether the accounting estimates and related
disclosures are reasonable in the context of the applicable financial reporting framework, or are misstated.

3 THE APM: AN OVERVIEW
3.1 Introduction
The APM is intended for use whenever an audit is carried out in accordance with the HKSAs.
While the auditor is responsible for forming and expressing an opinion on the financial statements, the
responsibility for preparing and presenting the financial statements in accordance with the applicable financial
reporting framework is that of the management, with oversight from those charged with governance. The fact
that an audit is undertaken does not relieve management or those charged with governance of their
responsibilities.
The APM audit approach is summarized as follows:
 Planning;
 Collection of evidence;
 Controlling and recording; and
 Review and opinion.
The APM uses an approach that ensures compliance with HKSAs in an economical timescale.
3.2 Planning
Planning is essential for two reasons:
1. It is required by the HKSAs; and
2. It is the key to successful auditing and would be part of the APM approach.
In order to assist in a disciplined approach to planning and to ensure compliance with HKSAs, the APM
provides a series of optional forms and checklists enabling a record of planning to be kept, demonstrating the
approach adopted for each audit and the reasons for that approach.
Guidance on the APM audit planning is set out in Section 4.3 of these guidance notes.
The APM approach is built around the planning memorandum. A proforma memorandum is provided (C1) with
suggested headings but is otherwise blank. There is then a series of optional forms and checklists that may
be used as either a guide to matters to be addressed in the planning memorandum or to replace relevant
sections of the memorandum.
It must be stressed that the forms and checklists are optional. If matters that are required to be documented
by the HKSAs in a particular area which can be addressed by a paragraph or referred to the tailored procedures
in the planning memorandum, that will usually be the most effective approach. However, where the user is not
clear as to what is required, or alternatively for more complicated areas, the user may choose to use some or
all of the optional forms and checklists. This is not an all or nothing decision; a combination of a planning
memorandum and some forms and checklists is likely to be used in most cases.
A flow chart that illustrates the planning process is set out below. The flowchart refers to specific forms within
the APM. However, as noted above these are optional and if a detailed planning memorandum were prepared,
then all references to C section forms would be to C1.

APM’s approach to planning
C2 Preliminary
engagement activities
(HKSA 210 & Code of Ethics)
Partner
review
C4 and PAF04 Know

your client checklist
(HKSA 315) Update of
permanent file
information
PAF06 Related PAF07 Accounting PAF05 Laws & C5.2 Controls PAF09 Systems
parties policies review regs summary questionnaire notes &/or flowcharts
(HKSA 550) (HKSA 315) (HKSA 250) (HKSA 315) (HKSA 315)
C5 Systems & C5.1 Evaluate the Draft

internal controls design and management Controls
summary implementation of letter evaluation
control activities (HKSA 265)
(HKSA 315)
C6 Preliminary C8.1 Detailed risk

analytical assessment
procedures (HKSA 315) Risk
(HKSA 315)
assessment
C9 Team Section S Planned

planning Design and A controls
meeting perform tests compliance testing
(HKSA 240, of controls? (HKSA 330)
315)
C8.3 Assertion risk B

C5 Systems &
action plan internal controls Risk
(HKSA 330) response
summary
Questions 6
C8.2 Financial
statement risk
action plan
(HKSA 330)
C8.1 Detailed risk C7 Materiality

assessment & summary
C8 Risk assessment (HKSA 320)
Tailor audit Sample size

programmes calculations
(HKSA 530)
Key
Option A Controls testing Amend audit C3.1 Audit strategy

Option B Substantive testing programme tailoring (HKSA 300)
if required
Overall audit
planning
C1 Audit Partner C10 Audit strategy
planning review planning
memorandum C11 Audit
administration

3.3 Assessment of risk and materiality
The assessment of risk and materiality are two of the principal planning procedures. The assessment of risk
in particular is at the core of the approach to audit set out in the HKSAs.
A more detailed discussion of the assessment of risk and materiality is contained in Chapters 6 and 7
respectively.
In the APM approach, audit risk interacts with materiality and population value to determine sample sizes.
Sampling is considered in more detail in Chapter 9.
3.4 Analytical procedures
Analytical procedures can be a useful source of audit evidence. These procedures may include:
 Preliminary analytical procedures as part of risk assessment procedures (paragraph 14(b) of HKSA 315
(Revised 2019);
 Analytical procedures as a substantive test (Paragraph 5 of HKSA 520, Analytical Procedures) and used
instead of tests of details; and
 Final review of the financial statements (Paragraph 6 of HKSA 520).
The separate stages should not be considered to be mutually exclusive, but to serve different purposes in an
audit.
More detailed guidance on analytical procedures is set out in Chapter 8.
3.5 Tests of controls
The HKSAs require the obtaining of an understanding of an entity’s system of internal control even though a
wholly substantive approach is being followed. This is required for risk assessment purposes. A wholly
substantive approach does not mean that areas where controls are poor can be ignored. The greater risk of
misstatement through fraud or error where controls are weak or non-existent must be addressed.
The HKSAs require consideration of controls:
 As part of understanding the entity’s control activities under HKSA 315 (Revised 2019), it is a requirement
to evaluate the design and determine implementation of specified controls.
 Evaluating the design and determining implementation of control activities requires more than just inquiry;
further work such as inspecting documents or tracing transactions through the system is required.
 Testing of the operating effectiveness of internal controls (also referred to as “test of controls” or
“compliance testing”) is mandatory where:
- The auditor’s assessment of risks of material misstatement at the assertion level includes an
expectation that the controls are operating effectively, that is, the auditor plans to test the operating
effectiveness of controls in determining the nature, timing and extent of substantive procedures; or
- Substantive procedures alone cannot provide sufficient appropriate audit evidence at the assertion
level.

The auditor may then choose to test the effectiveness of controls where this is more efficient than relying solely
on substantive procedures.
In the APM, one of the approaches is to complete the Internal Control Questionnaire (C5.2) in order to
determine the controls that operate over the main business cycles. Where controls have been identified, these
should be recorded on C5.1 to evaluate the design and implementation of those controls, which is mandatory
even if the auditor does not intend to test the operating effectiveness of those controls.
Where there is a requirement to test controls or where a decision is made to do so, the Internal Control
Evaluation (S3) allows you to record how operation of the controls will be tested. The results and consideration
of the impact that the results will have on the detailed audit testing should also be recorded here.
As noted in paragraph 18 of HKSA 330, where reliance is placed on testing the effectiveness of internal
controls, it is still necessary to undertake some substantive testing:
Irrespective of the assessed risks of material misstatement, the auditor shall design and perform substantive
procedures for each material class of transactions, account balance, and disclosure.
Therefore, whilst it is not appropriate to abandon substantive testing completely, where an effective control
has been identified, the nature of the substantive tests can be altered or the sample size can be reduced in
line with the guidance on the sample selection planning form. This can be extended to show that the greater
the reliance that can be placed on controls, the lower the level of substantive work needed.
Operation of controls implicit in a low risk assessment
Paragraph 8 of HKSA 330 states that when the auditor’s assessment of risks of material misstatement at the
assertion level includes an expectation that controls are operating effectively, the auditor shall design and
perform tests of controls to obtain sufficient appropriate audit evidence as to the operating effectiveness of
controls.
What does this mean?
Let’s say that a client has a rusty old fridge near the entrance to their premises. The inherent risk of that fridge
being stolen is low. After all, who wants a rusty old fridge? But compare this to the situation where there is a
large wad of HK$500 notes near the entrance. The inherent risk of the cash being stolen is high. Now the client
realizes this and they therefore employ two burly security guards with baseball bats to guard the money. Taking
the control into account, we may then conclude that the overall risk of theft is low. But the risk is low only when
the control is operating effectively, and so if we want to place reliance on the control we would need to test it
to confirm its effective operation.
So when assessing the risk for the cash, if the auditor just looks at the overall risk, this may be low. However,
this is actually made up of high inherent risk and the assumed effective operation of controls to bring the risk
down.
Paragraph 8 of HKSA 330 says that you cannot have low risk in these circumstances without testing that the
control (the security guards in this case) is operating effectively.
The fridge on the other hand is inherently low risk and there is no expectation of controls operating in making
that assessment.
When calculating the sample size in these circumstances, it will be appropriate, based on the knowledge of
the client and the review of the design and implementation of control, to assume that the risk will be low and
that the corresponding internal control is operating effectively, provided that the control is tested with

satisfactory results which would warrant a reduced sample size in a test of details. Clearly if the controls are
proven not to be operating effectively and/or the risk assessment is revised, then it will be necessary to
consider increasing the relevant sample sizes.
However, users should note that it is not generally compulsory to test the operating effectiveness of controls.
It is acceptable to conclude that it is more efficient to follow a substantive approach and the samples for
substantive testing would be calculated accordingly.
In some areas of the audit that are material but not critical, it may be possible to argue that the risk assessment
is low without any need for reliance on controls. However, this is unlikely to be true for any of the main
transaction cycles.
3.6 Collection of audit evidence
The APM audit programmes are comprehensive and designed to deal with most eventualities. However, it is
crucial to note that almost all forms are optional and that the programmes must therefore be tailored to meet
particular circumstances.
The purpose of the audit programmes and other forms is to assist in documenting the nature, timing and extent
of audit procedures undertaken such that the completed file contains sufficient appropriate evidence to support
the audit opinion. It is important not to lose sight of this overall objective when completing the APM programmes
and forms.
Paragraph 8 of HKSA 230, Audit Documentation requires that:
The auditor shall prepare audit documentation that is sufficient to enable an experienced auditor, having no
previous connection with the audit, to understand:
(a) The nature, timing, and extent of the audit procedures performed to comply with the HKSAs and applicable
legal and regulatory requirements;
(b) The results of the audit procedures performed, and the audit evidence obtained; and
(c) Significant matters arising during the audit, the conclusions reached thereon, and significant professional
judgments made in reaching those conclusions.
Detailed guidance on their use is set out in Chapter 4.
3.7 Audit sampling
The question of how many items to test has always been a debatable subject. It is far better to design tests
directly relevant to the client rather than to merely “fill the forms”. Tailoring or drafting of programmes using the
APM as an aide memoire is therefore encouraged. Clearly, any sample must be representative of the whole
population and it must be sufficiently large to enable creditable conclusions to be formed.
The exercise of judgment must ultimately determine the sufficiency of sample sizes. The use of inherent risk
factors, materiality and population characteristics may give a useful theoretical starting point but ultimately
judgment must prevail. The standard risk model, however, provides a benchmark against which to assess the
reasonableness of your judgment.
More detailed guidance on audit sampling is set out in Chapter 9.

3.8 Evaluation of misstatements
Misstatements found in the performance of audit tests must be evaluated to determine their impact on the
population being tested and on the financial statements as a whole.
Evidence suggests that, at times, auditors have difficulty with this evaluation and what to do next. Too often
misstatements are dismissed as being isolated or one-off where there is no justification for such a conclusion.
More detailed guidance on the evaluation of misstatements is set out in Chapter 10.
3.9 Content of the letters of representation and comment
The HKSAs set out a number of matters that should be addressed in the letter of representation received from
the client, and also the letter of comment sent to the client.
Rather than include checklists setting out the issues that should be addressed in each letter, the APM includes
proforma versions of each letter that address all of the requirements from the HKSAs.
 Appendix 2 to these guidance notes includes a copy of the proforma letter of representation referenced to
the HKSAs.
 Appendix 3 to these guidance notes includes a copy of the proforma letter of comment referenced to the
HKSAs.
3.10 Subsequent events
The APM contains procedures that apply up to the date of approval of the audit report as this is the date that
most firms will sign off the audit file as complete.
In the event of facts becoming known after the date of the audit report that might have caused that report to
be amended, direct reference should be made to HKSA 560, Subsequent Events and HKSA 230, Audit
Documentation.

4 COMPLETING THE FORMS
This chapter provides detailed guidance on the use of the documentation, including the way in which the forms
should be completed for the preparation of a well-documented audit file.
4.1 Final completion (Section A)
File completion is dealt with in two stages on the file, to reflect the way that the completion process is dealt
with within a practice.
In the APM and these guidance notes, the term partner or principal is used throughout as a shorthand reference
to the audit engagement partner. Firms/ practices that are constituted or incorporated in other ways should
interpret the term partner accordingly.
A1 Final Completion Memorandum
The purpose of this memorandum is to document any matters arising between:
 The issue of the financial statements to the client for approval which was signed-off on the Completion
Memorandum (B1), and
 The completion of the audit report.
A1 is a short form and it is recommended that the standard form is always used as, in addition to the facility to
document any matters arising, it also includes confirmation of a number of matters by the audit engagement
partner.
Where considered necessary or where required by the firm’s policies and procedures, a second partner should
review the file and complete the relevant clearance section on this schedule. The firm’s procedures made
under HKSQC 1 or HKSQM 1 should specify clients where such a review is required. For example, this may
be non-listed public interest clients, or clients of higher audit risk. A1 includes provision for sign-off by the
second partner where appropriate.
In the case of a sole practitioner seeking consultation with another practitioner or other external agency, it
would be appropriate for the other practitioner to complete that section although the partner would retain the
ultimate responsibility.
A1.2 Final subsequent events review
This programme should be completed to cover the period between the date the subsequent events programme
T2 was completed, and the date of file completion and of the audit report. The programme is optional,
alternatively the review can be addressed by a short note on A1 box 3.
A1.3 Final Completion
This is an optional checklist and it provides guidance on the sorts of issues that should be addressed on the
Final Completion Memorandum (A1). The checklist can be used as an aide memoire when drafting A1.
Alternatively, A1 may be referenced to this checklist and it can be used as part of the final completion
documentation.

Initial completion (Section B)
The Completion Memorandum (B1) should be signed off before the financial statements are approved by the
client. The form allows the manager or partner to detail any work that needs to be undertaken before the audit
report is signed.
The form also allows for signature by a second partner where appropriate. Completion of B1 is discussed more
fully below.
The APM uses the phrase second partner review to refer to an engagement quality control reviewer or
engagement quality reviewer as defined in HKSQC 1 or HKSQM 1. Reference is also made to hot and cold
file reviews.
 A hot review is an engagement quality control review/ engagement quality review undertaken before the
audit is complete.
 A cold review is a review for monitoring purposes undertaken after the audit report has been signed.
Where the Second Partner Review /EQCR/ EQR (B2.2) is completed, only the table for the relevant period
(i.e., Before 15 December 2022, or From 15 December 2022) should be completed. The other table should be
deleted or hidden.
Financial Statements
The A section should contain the final draft of the financial statements and all subsequent journals.
The signed letter of representation and a copy of the letter of comment should also be filed in this section as
they are an essential part of the audit evidence and they will often contain issues of significance for future
years.
HKSA 580, Written Representations makes it clear that a letter of representation should be obtained from the
client. Remember, however, that they do not provide sufficient appropriate audit evidence on their own about
any of the matters with which they deal and it is not acceptable to use the letter as an excuse for not carrying
out necessary audit work. The letter of representation is not an audit substitute.
Care must be taken not to place excessive assurance on management representations. Although the client
will confirm responsibility for the financial statements, make sure that during this confirmation the client fully
understands what is being signed.
A7 Disclosure Checklist
An annual review for proper preparation of the financial statements in accordance with legislation and
applicable standards should take place and will form part of the critical review of the financial statements.
It is suggested that a full checklist should be completed as necessary on very small companies and more
frequently for larger or more complex companies. It will generally be necessary to complete a new checklist
following any major change in disclosure requirements or in the size/operating characteristics of the client in
question.
Disclosure checklists are not included as part of the APM; however, they are freely available from the websites
shown in Appendix 7 to these guidance notes and should be filed under A7 when completed.

4.2 Audit Completion
B1 Completion Memorandum
The purpose of this memorandum is to document the audit conclusions and the basis for the audit opinion.
The approach to completing this memorandum illustrates the approach to planning and completion in the APM.
B1 comprises:
 Confirmation of various matters by the partner.
 Evidence of review by a second partner (where appropriate) and agreement by the second partner that all
relevant issues have been addressed.
 A series of headings covering the matters to be addressed in the completion memorandum.
It is therefore possible to address the audit completion and approval for the issue of the financial statements
to the client for signature in a single memorandum. However, a series of completion checklists and other forms
have also been provided. These are entirely optional and should be used selectively as either an aide memoire
to the sort of issues that should be addressed in the relevant box on B1, or as a basis for documenting that
part of the completion: in which case B1 should be cross referenced to the appropriate checklist.
The supporting checklists and other forms that expand on the various headings on B1 are discussed below.
B1 should indicate whether or not the supporting checklists have been used. The key point to note is that all
relevant matters at the completion stage must be fully documented as required by the HKSAs. Whether this is
in a single memorandum or by use of the checklists and forms does not matter as far as compliance with
HKSAs is concerned. However, from an efficiency perspective the planning memorandum approach is likely
to be more effective.
B2.1 Engagement Partner Review
This checklist sets out the sort of issues that should be addressed, where relevant, by the partner’s review and
where it occurs, the second partner review. If completed, this checklist forms part of the completion process;
however, it is obviously important that the partner is involved throughout the audit.
Partners are notorious for failing to properly record matters that they have dealt with directly such as
discussions about significant matters with the client. Obviously such matters must be recorded. If they are not
recorded at the time by the partner, then Audit Highlights (B6) would be an appropriate place to note a summary
of the issues concerned.
B3 Compliance with Auditing Standards
Where it is decided to use this checklist, it should be the last form to be completed before the file is passed for
partner review.
The purpose of the form is to ensure compliance with the HKSAs; it can be a useful aid when completing a
review of the file, particularly where the reviewer is a little uncertain about the quality of the evidence on the
file or the reviewer is relatively inexperienced.
The form contains one or more high level questions relating to each HKSA. It provides a final check to ensure
that full consideration has been given to compliance with the HKSAs.

B4 File Completion
A senior staff member of the engagement team should complete this questionnaire.
B5 Review of Financial Statements
This review combines two elements:
 Final analytical procedures to form an overall conclusion as to whether the financial statements are
consistent with the auditor’s understanding of the entity
 Critical review
These have been combined into a single review of the overall reasonableness of the numbers and how they
have been presented and disclosed.
Reasonableness of financial statements
The final analytical procedures should confirm that any points arising during the audit have been satisfactorily
thought through and that the ratios in the final financial statements are consistent with those originally
calculated. Any differences should be adequately explained, documented and considered in the light of the
audit work performed.
The main purpose of this final review is to consider whether the financial statements make sense in view of
the audit evidence obtained and your knowledge of the client. Of central importance here are those trends and
ratios of direct relevance to the client. It is far more important to analyze, comment and conclude upon these,
than merely to file a schedule of standard ratios from the accounts preparation package.
Presentation and applicable financial reporting framework
A critical review of the financial statements should be performed in conjunction with updating of the annual
summary of statistics on the permanent audit file or within your accounts preparation package. The ratios and
trends noted on the permanent file should be specific and appropriate to the client. They should not just be
ratios for ratios sake.
This final critical review is not, of itself, a sufficient basis for the expression of an audit opinion on the financial
statements, but it should support the conclusions drawn from other audit work or else indicate areas in need
of further audit work.
For this review to be effective, it must be carried out by someone with adequate skill and experience and with
sufficient knowledge of the business to appreciate the expected trends, results and ratios as well as to prepare
this free-form report highlighting the significance of apparent inconsistencies.
B6 Audit Highlights
This checklist should be regarded as a guide to the sort of issues that should be addressed under the heading
audit highlights rather than a definitive contents list. The senior staff member should use this part of the
completion memorandum to highlight the major issues that have arisen during the audit, the key risk areas,
any contentious issues and how they were resolved. It is useful also to summarize the extent of audit coverage
in each audit area, and each major balance within that area. This will help the partner to structure the review
to ensure that adequate consideration is given to areas of importance.

Preparation of an audit highlights in the completion memorandum is a good discipline for the senior and
manager as it helps ensure that all key areas identified at the planning stage have been addressed. If the audit
highlights report is properly drafted, it will save partner’s time at the review stage as the partner will be able to
focus its review on key and significant areas.
B6.1 Summary of Significant Audit Matters
The purpose here is to show the work undertaken and the conclusion reached on all significant audit matters,
including all risks identified at the planning stage which might have been documented on Financial Statement
Risk Action Plan (C8.2) or Assertion Risk Action Plan (C8.3).
Whether this form is used or the content is embedded in a single audit highlights memorandum does not
matter. The key point is that the work in respect of significant audit matters is explained and the conclusions
documented.
When completing the form, a narrative summary should always be given for the nature of the matter, the work
undertaken and the conclusion, and not simply cross references. In this way, B6.1 will provide a meaningful
summary of the work undertaken and conclusions on all matters significant to the audit.
Heading Guidance on completion
Ref A numerical or alphabetical reference to aid cross referencing to this schedule.
Description of matter Details of the specific risk affecting the financial statements should be recorded
here. If details of the risk are set out elsewhere (such as C8.1, C8.2 or C8.3)
then the full explanation need not be repeated here, just sufficient to identify the
issue concerned with a cross reference to where the detail may be found.
Ref to C8.2 / C8.3 It is envisaged that most matters addressed on this schedule will derive from
risks identified at the planning stage. Cross referencing between this schedule
and C8.2 or C8.3, or wherever else the matter derives, will make it easier to
follow the approach, work and conclusion on any significant matters identified
during the audit.
Work undertaken The work undertaken should be explained. This need not be a detailed
explanation, particularly where the work followed the approach set out at the
planning stage as documented on, for example, C8.3. However, where the work
undertaken differed from that planned or where it was not specified at the
planning stage then a more explanation is required.
The explanation should include:
 a summary of the audit evidence obtained;
 where appropriate, references to the requirements of companies’ legislation,
accounting standards or other technical material; and
 key points arising from any discussion with the client.
Conclusion The key issue here is to record the overall conclusion on the work undertaken
and in particular:
 whether the risk has been reduced to an acceptably low level; and
 whether there is any impact on the audit opinion.
If any evidence or other information was found that was inconsistent with the
conclusion reached then the justification behind the conclusion as to the
resolution of the inconsistency should be documented.

B6.2 Evaluation of Accounting Estimates
The purpose here is to show the work undertaken on accounting estimates and the conclusion reached
thereon.
When completing the form, a separate column should be used for each accounting estimate and comments
should cross reference to the detailed work performed as appropriate.
B7 Unadjusted Misstatements
Paragraph 5 of HKSA 450, Evaluation of Misstatements Identified during the Audit requires:
The auditor shall accumulate misstatements identified during the audit, other than those that are clearly trivial.
Clearly trivial is defined in paragraph A2 of HKSA 450:
Paragraph 5 of this HKSA requires the auditor to accumulate misstatements identified during the audit other than
those that are clearly trivial. “Clearly trivial” is not another expression for “not material”. Misstatements that are
clearly trivial will be of a wholly different (smaller) order of magnitude, or of a wholly different nature than those
that would be determined to be material, and will be misstatements that are clearly inconsequential, whether taken
individually or in aggregate and whether judged by any criteria of size, nature or circumstances. When there is
any uncertainty about whether one or more items are clearly trivial, the misstatement is considered not to be
clearly trivial.
B7 includes space to record both the materiality level and the level below which matters are considered trivial.
All misstatements (except those that are trivial) should be recorded, so that their cumulative impact on the
financial statements may be assessed, and so that their disposal may be documented. Question 18 on
planning form C10 requires the level of clearly trivial to be determined and its rationale explained on C1.
Extrapolated misstatements and actual misstatements should be recorded separately on this form.
Misstatements should not be netted off or judged not material before being carried forward to this form. At the
end of the engagement, request should be made to management to correct all accumulated misstatements,
while the unadjusted misstatements should be evaluated against materiality. It should be noted that no
adjustment should be made in respect of extrapolated misstatements until such time as further work has been
undertaken to determine the extent of the misstatement with reasonable certainty.
Communication with those charged with governance
HKSA 450 contains the requirement to communicate unadjusted misstatements with those charged with
governance.
According to paragraph 12 of HKSA 450:
The auditor shall communicate with those charged with governance uncorrected misstatements and the effect
that they, individually or in aggregate, may have on the opinion in the auditor’s report, unless prohibited by law or
regulation. The auditor’s communication shall identify material uncorrected misstatements individually. The
auditor shall request that uncorrected misstatements be corrected.
Following on from this point, paragraph 14 of HKSA 450 states that:
The auditor shall request a written representation from management and, where appropriate, those charged with
governance whether they believe the effects of uncorrected misstatements are immaterial, individually and in

aggregate, to the financial statements as a whole. A summary of such items shall be included in or attached to
the written representation.
These requirements are addressed in the conclusion on B7 and in the proforma letters of comment and
representation included in the appendices of these guidance notes. If the proforma letters are amended or not
used, it is obviously vital to ensure that these matters are addressed where relevant.
Further guidance on dealing with misstatements is included in Chapter 10.
B8 Justification of Audit Report
The purpose of this checklist is to ensure that there is adequate evidence that the suitability of the audit report
has been considered. Any problems encountered should be scheduled and their effect on the audit report
considered.
The checklist specifically directs the engagement team to consider any problems resulting from issues such
as:
 A modification of the audit opinion in the previous year;
 Inadequate books and records;
 Difficulties obtaining adequate information from the directors or from branches not visited;
 A refusal by the directors to confirm certain representations in writing; and
 Doubts over going concern.
The final question asks for a conclusion on the nature of the audit opinion required. This will obviously be of
greater importance where issues have been identified in earlier questions that may impact the opinion.
B9 Points for Partner
A proforma is not provided here. It is recommended that B9 is used to list outstanding work or raise queries
about the audit rather than the audit highlights. Obviously a query and its resolution that starts on B9 may
subsequently be recorded in the audit highlights if the matter is significant.
B10 Points Forward to Next Year
A proforma is not provided here. It is essential that all points of relevance to next year’s audit are identified and
recorded. This should not be restricted to issues such as a proposed capital purchase, but should be used to
comment on any points that would ensure the subsequent year’s audit would be as effective and efficient as
possible.
B11 Commercial Observations on Client’s Business
A proforma is not provided here. This section should be used to accumulate commercial observations about
the client’s business pending drafting the letter of comment or management letter.

B12 Senior/Manager Review
A proforma is not provided here. Cleared manager and senior review points should be filed here. (See below
re clearance of points.)
B13 Cleared Audit Queries
A proforma is not provided here. A record of audit queries and their resolution, where retained, should be filed
here. It is essential that the working papers are updated to reflect the answer to the original query and that the
answer is not just recorded on the review schedule as this will lead to a loss of audit evidence. This is all the
more important if the audit queries themselves are not retained.
B14 Notes of Meetings with Client
A proforma is not provided here. Any notes of meeting with the client should be filed here.
4.3 Planning
C1 Planning Memorandum
The purpose of the Planning memorandum (C1) is to document fully the audit strategy and plan such that the
audit can be performed in an effective manner and in accordance with the HKSAs. In each section of the
proforma memorandum, issues relevant to the planning should be recorded. These can be either free form
notes, a reference to the relevant checklist or a combination of both.
Where the engagement is the audit of group financial statements, the planning memorandum should address
relevant matters from a group perspective.
C1 comprises:
 Confirmation of various matters by the partner.
 Evidence of involvement by a second partner (where appropriate) and agreement by the second partner
that all relevant planning issues have been addressed.
 Evidence that the engagement team members have read and understood the audit plan.
 A series of headings covering the matters to be addressed in the planning memorandum.
It is therefore possible to address all planning issues and deal with the entire C section in a single
memorandum. However, a series of completion checklists and other forms have also been provided. These
are entirely optional and should be used selectively as either an aide memoire to the sort of issues that should
be addressed in the relevant box on C1 or as a basis for documenting that part of the planning: in which case
C1 should be cross referenced to the appropriate checklist.
The supporting checklists and other forms that expand on the various headings on C1 are discussed below.
C1 should indicate whether or not the supporting checklists have been used. The key point to note is that all
relevant matters at the planning stage must be fully documented as required by the HKSAs. Whether this is in
a single memorandum or by use of the checklists and forms does not matter as far as compliance with HKSAs
is concerned. However, from an efficiency perspective, the planning memorandum approach is likely to be
more efficient.

C2 Preliminary Engagement Activities
This checklist addresses:
 Acceptance procedures including professional clearance, client due diligence and consideration of
whether the preconditions for an audit are present.
 Confirmation and review of engagement terms.
 Communication with those charged with governance.
C2.1 Independence Questionnaire
This form is designed to demonstrate that adequate consideration has been given to independence in
accepting appointment/reappointment for the audit. It also demonstrates that the firm has adequate resources
and the appropriate technical knowledge necessary to carry out the audit properly.
The form must be completed and signed by the partner prior to any detailed work being commenced on the
audit. This includes the completion of the detailed planning.
Where any of the questions have been answered with a “yes”, the partner must specify precisely what action
is to be taken to safeguard independence or overcome the problems with available resources or technical
knowledge.
Any “yes” answer will create either an ethical or practical issue, which may require consultation. As a result,
the form may have to be signed off by a second partner who is independent from the audit. This is a mandatory
requirement in the case of “public interest” audits and those of higher audit risk. If this is not possible, the form
may have to be signed by the firm or organization with whom consultation takes place. However, the partner
retains ultimate responsibility for the audit.
Where a “yes” answer is given to question 12 Long association of personnel with the audit client, it may not be
necessary to have a second partner review. However, there must be evidence to show that the partner has
considered any long term relationship with the client as this could affect auditor independence. A second
partner or other independent agency will normally corroborate this decision. There will normally be an
undertaking that the file will be subjected to a second partner review where any contentious issues, such as a
potential or actual qualification, have arisen.
A self-interest threat may be created if fees due from an audit client remain unpaid for a long time, especially
if a significant part is not paid before the issue of the audit report for the following year. Generally, the firm is
expected to require payment of such fees before such audit report is issued. If fees remain unpaid after the
report has been issued, the existence and significance of any threat shall be evaluated and safeguards applied
when necessary to eliminate the threat or reduce it to an acceptable level. An example of such a safeguard is
having an additional professional accountant who did not take part in the audit engagement provide advice or
review the work performed. The firm shall determine whether the overdue fees might be regarded as being
equivalent to a loan to the client and whether, because of the significance of the overdue fees, it is appropriate
for the firm to be re-appointed or continue the audit engagement (Code, Chapter A, paragraph R410.8).
Ongoing review
Possible new threats to independence must be considered throughout the audit and not just at the planning
stage.

C2.2 Accounting and Tax Compliance: Safeguards Applied
This form has been included to assist in documenting the extent of the threat from accounting and tax services
and the safeguards applied. This form is intended for smaller companies where it is common to provide a
number of non-audit services that are mostly of a routine compliance nature. Where other more complicated
independence issues are involved these should all be dealt with together on C2.1.
At the end of each audit, consideration should be given to whether or not it is appropriate to be
reappointed/continue in office for the following year. This is undertaken on Q23 of File Completion (B4).
C3.1 Strategy: General
Paragraph 8 of HKSA 300 requires the auditor to establish an overall strategy for the audit and this checklist
is a guide to what is required.
C3.2 Strategy: Group Audits
This checklist should only be used where the company is a parent company preparing group financial
statements. The checklist considers the strategy for obtaining sufficient evidence concerning the consolidation
process and the financial information of group components. In particular, it sets out the approach to setting
component materiality, determining which components of a group are significant and the reliance on the work
of component auditors.
Setting component materiality
The APM treats the components of a group in the same way as the different sections in the financial statements
of an individual company. The approach to setting component materiality and performance materiality for that
component is therefore the same.
 Use C7.1 as a basis for setting a materiality level for each component.
 Assess risk for each component (as high, medium or low).
 Look up the risk factor for the component based on the overall risk for the group and the component
specific risk set above.
 Apply that risk factors to determine component performance materiality.
Significant Components
Under HKSA 600, Special Considerations – Audits of Group Financial Statements (Including the Work of
Component Auditors), an audit of the financial information of the components should be undertaken for
components that are significant components. In deciding what is a significant component, the APM follows the
guidance in paragraph A5 of HKSA 600. A component should normally be regarded as significant if any of the
following exceed 15% of the group figure:
 Gross assets
 Liabilities
 Cash flows
 Profits

 Turnover
If a higher or lower percentage, or a different benchmark is deemed more appropriate in the particular
circumstances of the group, then this should be explained.
A component may also be assessed as significant because it is likely to include significant risks of financial
misstatement of the group financial statements due to its nature or the specific circumstances that apply.
In July 2022, HKICPA issued HKSA 600 (Revised), Special Considerations – Audits of Group Financial
Statements (Including the Work of Component Auditors). It includes new and revised requirements and
application material that better aligns the standard with HKSQM 1, HKSA 220 (Revised) and HKSA 315
(Revised 2019). The new and revised requirements also strengthen the auditor’s responsibilities related to
professional skepticism; planning and performing a group audit; two-way communications between the group
auditor and component auditors; and documentation.
HKSA 600 (Revised) will be effective for audits of group financial statements for periods beginning on or after
15 December 2023. This version of APM and guidance notes have not addressed and incorporated the new
and revised requirements under HKSA 600 (Revised).
C4 Understanding the Entity
This checklist is a guide to gathering information about the audit client. It addresses areas such as:
 Client background
 Applicable financial reporting framework and accounting policies
 Laws and regulations
 Evaluation of control environment
 Evaluation of the entity’s risk assessment process
 Evaluation of the entity’s process to monitor the system of internal control
 Evaluation of the entity’s information system and communication
 Accounting estimates
C4.1 Review of Accounting Estimates
This form is used to assess the inherent risk, control risk and risk of material misstatement for each accounting
estimate. One row is completed for each estimate.
Where appropriate, risks recorded here also need to be summarized on C8.3.
C5 Internal Controls
HKSA 315 (Revised 2019) requires a fairly detailed understanding of the client’s procedures and system of
internal controls. The purpose of C5 is therefore to guide users through the contents required on C1 (or
completion of the relevant forms) to document that understanding.
The approach to identify the company’s system of internal control required by the APM is set out below.

Understanding of the entity
Paragraph 19 of HKSA 315 (Revised 2019) sets out specific issues with respect to the entity and its
environment, and the applicable financial reporting framework that the audit team need to understand to
demonstrate that they have assessed the risk of material misstatement adequately.
(a) The following aspects of the entity and its environment;
(i) The entity’s organizational structure, ownership and governance, and its business model, including the
extent to which the business model integrates the use of IT;
(ii) Industry, regulatory and other external factors; and
(iii) The measures used, internally and externally, to assess the entity’s financial performance;
(b) The applicable financial reporting framework, and the entity’s accounting policies and the reasons for any
changes thereto;
(c) How inherent risk factors affect susceptibility of assertions to misstatement and the degree to which they do
so, in the preparation of the financial statements in accordance with the applicable financial reporting
framework, based on the understanding obtained in (a) and (b).
Paragraph 20 of HKSA 315 (Revised 2019) adds:
The auditor shall evaluate whether the entity’s accounting policies are appropriate and consistent with the
applicable financial reporting framework.
The Know Your Client Checklist (PAF04) has been provided to assist the engagement team in recording the
necessary detail. Other permanent file forms provided include:
 Register of Laws and Regulations (PAF05);
 Details of Related Parties (PAF06);
 Significant Accounting Policies (PAF07); and
 Significant Accounting Estimates (PAF13).
Under HKSA 315 (Revised 2019), the components of the entity’s system of internal control include:
 control environment;
 the entity’s risk assessment process;
 the entity’s process to monitor the system of internal control;
 the information system and communication; and
 control activities.

Controls
Paragraph 26 of HKSA 315 (Revised 2019) requires the identification, evaluation of the design and
determination of implementation of certain controls, including:
 Controls that address a risk that is determined to be a significant risk;
 Controls over journal entries, including non-standard journal entries used to record non-recurring,
unusual transactions or adjustments;
 Controls for which the auditor plans to test operating effectiveness in determining the nature, timing and
 Other controls that the auditor considers are appropriate to enable the auditor to meet the objectives of
HKSA 315 (Revised 2019) paragraph 13 with respect to risks at the assertion level, based on the
auditor’s professional judgment; and
 The entity’s general IT controls that address the risks arising from the use of IT.
An Internal Control Questionnaire (C5.2) (see below) has been provided to assist with the identification of
controls relevant to the audit.
C5.1 Evaluate the Design and Implementation of Control Activities
As noted above, paragraph 26 of HKSA 315 (Revised 2019) requires the auditor to obtain an understanding
of the design and implementation of certain controls. This understanding is required regardless of whether
any reliance will be placed on the effective operation of those controls.
Testing the operating effectiveness of controls (also referred to as “test of control” or “compliance testing”) is
a different issue. Paragraph A180 of HKSA 315 (Revised 2019) makes this clear: “evaluating the design and
determining the implementation of identified controls in the control activities component is not sufficient to test
their operating effectiveness”.
The design and implementation of controls must therefore be evaluated on every audit even where a
substantive approach is being adopted.
Testing operating effectiveness (test of controls)
Testing the operating effectiveness of internal controls so as to reduce the extent of substantive testing should
be considered where this approach is expected to be more effective. However, according to paragraph 8 of
HKSA 330, there are two occasions where testing the operating effectiveness of controls is required.
The auditor shall design and perform tests of controls to obtain sufficient appropriate audit evidence as to the
operating effectiveness of relevant controls if:
(a) The auditor’s assessment of risks of material misstatement at the assertion level includes an expectation that
the controls are operating effectively (that is, the auditor intends to rely on the operating effectiveness of
controls in determining the nature, timing and extent of substantive procedures); or
(b) Substantive procedures alone cannot provide sufficient appropriate audit evidence at the assertion level.
Testing the operating effectiveness of controls is dealt with in Section S.

Determining implementation of controls
Paragraph A21 of HKSA 330 notes:
Testing the operating effectiveness of controls is different from obtaining an understanding of and evaluating the
design and implementation of controls. However, the same types of audit procedures are used. The auditor may,
therefore, decide it is efficient to test the operating effectiveness of controls at the same time as evaluating their
design and determining that they have been implemented.
If a control based approach is followed, it is important that the planning explains the assumptions made about
the operation of controls. In such circumstances it would obviously be helpful if the work on controls could be
completed as soon as possible once the fieldwork starts. In that way, if there are any failures of controls that
require a change in audit approach, there is more time available for this to be resolved.
Completing C5.1
The purpose of C5.1 is to document the evaluation of the design and implementation of control activities. As
the precise nature of controls and their relevance to the audit will vary from one entity to another, the form is
mainly blank boxes.
HKSA 315 (Revised 2019) requires certain controls to be identified, have their design evaluated and
implementation determined (see above). All such controls should be listed on this form.
Guidance is given below on completion of this form.
Ref Each control listed should be given a reference, so that it can be cross
referenced back to the system notes and also to any schedules testing internal
controls or to the draft letter of comment.
Business area In what part of the system is the control to be found? Sales, purchases, work in
progress, etc.
Brief description of A brief description of the control should be given. It is not necessary to reproduce
control the system notes from the permanent file here. The description should be
sufficient to understand the control being evaluated without needing to refer back
to the system notes.
Evaluate whether the Comment on the design and potential effectiveness of a control, i.e., would the
control is designed control, individually or in combination with other controls, be effective in
effectively preventing or detecting and correcting material misstatements.
Inquiry alone is not sufficient to evaluate the design of a control. Further work
such as inspecting documents or tracing transactions through the system is
required. Comments made on the design should include the nature of the work
undertaken.
Any weaknesses in the control design should be flagged and recorded on the
draft letter of comment to the client.

Determine whether the Did the control exist and was it implemented as expected?
control has been Again inquiry alone is not sufficient to determine the implementation of a control.
implemented Further work such as inspecting documents or tracing transactions through the
system in a walkthrough type test is required. Comments made on the
implementation should include the nature of the work undertaken, specifying the
documents inspected as part of the review of implementation.
And again, any weaknesses in implementation should also be flagged and
recorded in the draft letter of comment to the client.
Is this a key control? Not all controls relevant to the audit will be key controls. If a control could be
Y/N relied upon to reduce the level of substantive testing in a particular area, then
that is a key control. Clearly there will be little value in testing the operating
effectiveness of controls that are not key controls.
Further testing Testing of the operating effectiveness of internal controls must be undertaken
required? Y/N where:
 the risk assessment at the assertion level includes an expectation that
controls are operating effectively; or
 substantive tests alone do not provide sufficient appropriate audit evidence
at the assertion level.
If either of these circumstances applies or if control testing is just more cost
effective, the question should be answered “Yes” and a test on its operating
effectiveness added to S3.
Ref to ICE (S3) This is simply a cross reference to the schedule referred to above.
C5.2 Internal Control Questionnaire
This questionnaire is provided to assist in identifying controls relevant to the audit.
C6 Preliminary Analytical Procedures
Paragraphs 13 and 14 of HKSA 315 (Revised 2019) state that the auditor should apply analytical procedures
as risk assessment procedures to provide a basis for the identification and assessment of risks of material
misstatement at the financial statement and assertion levels. This applies even where there are no draft
accounts available for analysis and comparison. The main purpose of this procedure is to determine the overall
audit approach by, for example:
 Identifying abnormal transactions, balances or ratios meriting further enquiry;
 Highlighting new transactions, balances or areas of increased importance; and
 Indicating whether further analytical procedures or control reliance might be appropriate.
For those entities with less formal systems of controlling and monitoring performance, discussions with
management focussing on identifying significant changes in the business since the prior financial period may
also be useful. In this scenario, the auditor should look at whatever records the client has in order to assess if
there are any particular changes indicated by the books and records.
For example, if the auditor can see, on looking at the bank statements, that the company appears to be trading
at or around their overdraft limit, then this could indicate a potential going concern problem.

Many clients, although not being able to produce full financial statements for the auditor to audit at the planning
stage, may well prepare and provide certain schedules. A potential example of this would be a sales daybook.
The auditor could then assess whether or not the sales daybook indicated sales on a seasonal basis consistent
with expectations and previous years.
The client may also have computerized purchase and sales ledgers. These might give the auditor not only
balances owed to suppliers and due from customers, but also the level of activity. From this information, basic
ratios such as creditors days and debtors’ days can be calculated.
If this is not possible at the outset of the job, then the auditor should be looking to calculate key ratios such as
stock turnover and debtors’ days as and when the relevant information becomes available during accounts
preparation work. If the figures and ratios vary significantly from previous periods and this cannot be adequately
explained, then the risk assessments relating to that particular area need to be revised wherever necessary.
Discussion with the client
Analytical procedures at the planning stage may also take the form of a discussion with the directors of the
business as to how they feel the business has performed over the last accounting period. Most clients usually
have a reasonable idea as to how their business has performed in the last 12 months. Such discussions should
be undertaken close to the year-end so that any relevant events are still fresh in the minds of the directors and
management of the entity.
The results of preliminary analytical procedures should be reviewed on an ongoing basis as detailed audit
procedures may result in original ratios being changed as misstatements/adjustments from the exercise of
judgment are picked up during the audit. When performing the final analytical procedures, the final ratios for
the current year should be compared to the preliminary ones, with explanation being given on changes arising
during the course of the audit and a new conclusion added.
It should be noted that preliminary analytical procedures will not provide audit assurance of itself.
The most important point to note is that a conclusion to the work is required. This will normally be expressed
in terms of whether any particular problems have been identified or there are any particular areas of the audit
that require more detailed investigation.
Use of audit data analytics (ADA)
Data analysis tools and applications may be utilized as part of performing the preliminary analytical procedures.
Such analysis tools and applications may range from relatively routine analysis within a spreadsheet to the
use of sophisticated applications which apply algorithms to interrogate client data. Where ADA is considered,
its use must be evaluated on a client-by-client basis. It’s also necessary to evaluate the data to be used in the
analysis, especially with regard to its completeness and accuracy.
The use of ADA is not mandatory. Further guidance on ADA can be found in Chapter 11.

C7 Materiality Summary
Since materiality is determined at the planning stage, figures for the financial statements being audited will on
occasions not be available. Where this is the case the anticipated figures for the current year (e.g., based on
sales ledger), and, if appropriate, the figures for the previous years should be used.
The materiality figure establishes the overall materiality to apply to the audit as a whole. It must be emphasized
that setting the materiality level is a matter of professional judgment. The percentage benchmarks set out
Determining Materiality (C7.1) are intended to provide guidance in exercising that judgement. They should not
be used as a formula to “calculate” materiality.
HKSA 320, Materiality in Planning and Performing an Audit requires the auditor to consider the level of
materiality throughout the audit. In the APM this is addressed in the conclusion of each detailed work section,
the requirement to sign-off the planning as part of audit completion and in the Audit Highlights (B6).
The Materiality Summary (C7) also records any lower levels specified for Overall Materiality and for
Performance Materiality. A separate form is provided for recording materiality for group components on
Materiality Summary – Group Components (C7.2).
Materiality is discussed in more detail in Chapter 7.
C8 Risk Assessment
Paragraph 38 of HKSA 315 (Revised 2019) requires the auditor to include in the audit documentation:
(a) The discussion among the engagement team and the significant decisions reached;
(b) Key elements of the auditor’s understanding in accordance with paragraphs 19, 21, 22, 24 and 25; the
sources of information from which the auditor’s understanding was obtained; and the risk assessment
procedures performed;
(c) The evaluation of the design of identified controls, and determination whether such controls have been
implemented, in accordance with the requirements in paragraph 26; and
(d) The identified and assessed risks of material misstatement at the financial statement level and at the
assertion level, including significant risks and risks for which substantive procedures alone cannot provide
sufficient appropriate audit evidence, and the rationale for the significant judgments made.
C8 is a checklist to assisting that the risk assessment is comprehensive, undertaken with sufficient rigour and
that risks that are treated as high/significant risks where required by the HKSAs.
The checklist at C8 serves two purposes:
 Firstly, it acts as a guide through the various stages in assessing risk and determining the responses to
those risks.
 Secondly, it is a checklist to help ensure that all those stages are followed.
The approach to risk assessment under the APM is set out below.

Risk assessment
Paragraphs 19 to 27 of HKSA 315 (Revised 2019) require the auditor to obtain an understanding of the entity
and its environment, the applicable financial reporting framework and the entity’s system of internal control.
This is the starting point for the risk assessment. The process should gather sufficient information to enable
identification of the various risks facing the company.
Paragraphs 28 to 37 of HKSA 315 (Revised 2019) go on to address identifying and assessing the risks of
material misstatement.
C8.1 Detailed Risk Assessment
This detailed risk assessment serves two main purposes:
 As an aide memoire for identifying specific risks affecting the client and that may require further action;
and
 A means of formally documenting the approach to issues where the risk is assessed as low and which
may as a result not require specific additional testing.
C8.1 should be reviewed with particular attention paid to areas assessed as high risk in previous year’s audit,
or where further information available to the auditor suggests that an area should be reassessed as being
higher risk.
Completing C8.1
Specific risk affecting The first column of the checklist is questions which identify general risk. The
client purpose of this column is to translate those general risk questions into a specific
risk affecting the client.
Assessment H, M or L The risk should be categorized as “High”, “Medium” or “Low”.
How will the audit risk be Where a risk is assessed as medium or high this will normally be carried forward
managed? to C8.2 or C8.3 and a reference to this effect will be sufficient.
Where a risk is assessed as low, then this column should explain how that risk
would be managed.
Once the individual risks on the form have been assessed as high, medium or low, the major risk areas must
be identified and an overall assessment of risk at the financial statement level must be recorded on C1 (Q8.1).
It must be stressed that the overall assessment is not an arithmetic average of the number of high, medium
and low points recorded above. Indeed, any one high-risk item in the section “other external factors” may be
enough to give an overall high-risk assessment. Conversely, a number of the detailed points may be identified
as high risk, but the overall general risk may still be set as medium or low. This is very much a matter of
professional judgment.

Response to risk
Once risks have been identified:
 Paragraph 5 of HKSA 330 requires the auditor to determine overall responses to address the risks of
material misstatement at the financial statement level; and
 Paragraph 6 of HKSA 330 requires the design and performance of further audit procedures whose nature,
timing, and extent are based on and are responsive to the assessed risks of material misstatement at the
assertion level.
Paragraph 28 of HKSA 330 states:
(a) The overall responses to address the assessed risks of material misstatement at the financial statement
level, and the nature, timing and extent of the further audit procedures performed;
(b) The linkage of those procedures with the assessed risks at the assertion level; and
(c) The results of the audit procedures, including the conclusions where these are not otherwise clear.
In the APM, responses to risks are documented on:
 Financial Statement Risk Action Plan (C8.2) for financial statement level risks; and
 Assertion Risk Action Plan (C8.3) for assertion level risks.
Risk Response Summary (C8.4) then pulls together the work in respect of specific risks with the assessment
of residual risk and the approach to testing those areas.
Guidance on the completion of these forms is given below.
C8.2 Financial Statement Risk Action Plan
This schedule documents the response to risks identified at the financial statement level.
According to paragraph A195 of HKSA 315 (Revised 2019),
Risks of material misstatement at the financial statement level refer to risks that relate pervasively to the financial
statements as a whole, and potentially affect many assertions. Risks of this nature are not necessarily risks
identifiable with specific assertions at the class of transactions, account balance or disclosure level (e.g., risk of
management override of controls). Rather, they represent circumstances that may pervasively increase the risks
of material misstatement at the assertion level. The auditor’s evaluation of whether risks identified relate
pervasively to the financial statements supports the auditor’s assessment of the risks of material misstatement at
the financial statement level. In other cases, a number of assertions may also be identified as susceptible to the
risk, and may therefore affect the auditor’s risk identification and assessment of risks of material misstatement at
the assertion level.
Responses to risks recorded on this schedule should therefore be similarly pervasive of the audit as a whole
and affect the approach taken to many assertions. Assigning a more experienced senior to the engagement
team or increasing the overall risk assessment for the client are examples of such responses.

Where a financial statement level risk can be addressed by identifying a series of assertion level risks and
responses, these should be recorded on the Assertion Risk Action Plan (C8.3).
The “outcome ref” column will need a reference to where the work that was actually undertaken in response
to these assessed risks is documented. This could be to the work undertaken column on Summary of
Significant Audit Matters (B6.1).
C8.3 Assertion Risk Action Plan
The purpose of C8.3 is to document the responses to specific risks assessed and the work undertaken in
response to those risks as required above. Proper completion of this schedule is therefore crucial to conducting
an audit in compliance with HKSAs. The schedule provides a link between the risks assessed, the controls (if
any) in those areas, the audit approach and the outcome of the work.
Completing C8.3
When completing the form, a summary of the relevant issues in each column should always be given, and not
simply a cross-reference. In this way C8.3 will, for each risk, give a complete picture of the risk itself, the
impact, the planned work and a reference to the outcome of that work.
Specific risk affecting Details of the specific risk affecting the client should be recorded here.
client
Classes of transactions, For example, “Existence of trade receivables”, “Completeness of cost of sales”.
account balances and The main financial statement assertions are set out in paragraph A190 of HKSA
disclosures affected, and 315 (Revised 2019), but it is not sufficient to simply reproduce the wording of
relevant assertions the relevant assertion from the HKSA. The assertion affected should be
expressed in terms specific to the client so it is clear exactly how the risk will
impact. For example, under paragraph A190(a)(ii) of HKSA 315 (Revised 2019),
the assertion relating to completeness is:
All transactions and events that should have been recorded have been recorded, and
all related disclosures that should have been included in the financial statements
have been included.
But, if the risk is that cash sales at a particular location may not have been
recorded, then the assertion should be worded in those terms e.g.,
completeness of cash sales at location X.
Where a general risk relates to all financial areas and assertions such as the
possible sale of the business, then “All” should be included in this column.

Completing C8.3 (Continued)
Inherent risk (including The inherent risk should be assessed as High (“H”), Medium (“M”) or Low (“L”).
likelihood and magnitude Risks recorded on this schedule would not normally be categorized as low as
of misstatement) specific testing would not normally be undertaken in response to a low risk.
Where a low risk is recorded, careful consideration should be given as to
whether any specific testing is necessary or whether the risk is properly
assessed as low.
Consideration should be given to the inherent risk factors:
 Complexity;
 Subjectivity;
 Change;
 Uncertainty; and
 Susceptibility to management bias or other fraud risk factors.
In assessing inherent risk, both the likelihood and magnitude of misstatement
must be considered. In doing so, the auditor must take into account how, and
the degree to which:
 Inherent risk factors affect the susceptibility of relevant assertions to
misstatement; and
 The risks of material misstatement at the financial statement level affect the
assessment of inherent risks of material misstatement at the assertion level.
Management response This column should be used to record management’s response to each risk.
This may be in the form of relevant procedures; control activities such as
authorization or reconciliation; or monitoring controls by management.
Where it appears that management were not aware of a risk or had ignored it
then careful consideration should be given to the design of the audit approach.
Any weaknesses in internal controls identified at this stage should be noted on
the draft letter of comment.
Details of any internal controls implemented by management should be cross-
referenced to the review of the design and implementation of those controls on
C5.1.
Control risk If a test of operating effectiveness of controls is planned, control risk must be
assessed. This should be as High (“H”), Medium (“M”) or Low (“L”).
If a test of operating effectiveness of controls is not planned, no assessment is
required here since it will not affect the assessment of the risk of material
misstatement (RMM). In that case, the assessment of RMM is the same as the
assessment of inherent risk.
RMM The RMM is assessed as High (“H”), Medium (“M”) or Low (“L”).
Where operating effectiveness of controls is planned, RMM is based on the
inherent risk and the control risk.
Where test of operating effectiveness of controls is not planned, RMM is the
same as the assessment of inherent risk.

Completing C8.3 (Continued)
Audit approach The specific work to be undertaken in response to the identified risk should be
recorded. A summary of the audit approach and a cross-reference to the
programme where the detailed tests may be found is sufficient.
Where the reference is to one or more of the standard tests (instead of tailored
procedures), then an explanation as to why these are sufficient should be given.
Outcome ref The outcome ref column will need a reference to where the work that was
actually undertaken in response to these assessed risks. This reference will
obviously need to be added at the completion stage which also assists to check
that all assessed risks are addressed by relevant procedures.
C8.4 Risk Response Summary
This is a key schedule as it documents in respect of each area:
 The residual risk in that area.
 Whether any testing at all is required.
 If testing is required, whether the standard programme is sufficient.
 Any additional or alternative procedures to be undertaken.
The purpose of the Risk Response Summary (C8.4) is to pull together the responses to identified assertion
level risks and set out the audit approach to these and to the residual risk on a section by section basis. Risks
on this schedule are therefore considered in summary and are categorized by financial statement area, rather
than by the nature of the risk or the order they were recorded on C8.2 or C8.3.
The Risk Response Summary (C8.4), as the name suggests, is therefore a summary of how risk is dealt with
in the individual financial statement areas.
It is quite feasible for specific areas of the audit to be identified as a specific high risk, even where the general
audit risk of the engagement is not high. The Risk Response Summary (C8.4) sets out the approach by
financial statement area in such circumstances.
In addition to summarizing risks by financial statement area, the Risk Response Summary (C8.4) plays an
important part in determining sample sizes through the setting of a residual risk level for each financial
statement area.

Completing C8.4
Major risks identified The major risks affecting the financial statement area that have been identified
should be noted. These need not be shown in any great detail as this will be set
out on C8.3. The purpose here is to give an overview of main risks.
Other Assertion Level The assessment here is effectively the residual risk. If there is a major risk factor,
Risks: the existence of stocks for example, but other areas/assertions in stocks such as
Risk (H, M, L) valuation are well controlled then the assessment of the other risks could be low.
Specific procedures will be documented on C8.3 in relation to the risks affecting
existence; these do not affect valuation so the conclusion in this area can be low
risk.
It will also be possible to conclude that the risk in a particular area is medium or
high even though there are no specific risk factors. This may be because of value.
For instance, trade debtors are the largest item in the balance sheet and whilst
there are no indications of problems and the controls are good, if there is going to
be a material misstatement in the financial statements this is where it would be.
This approach allows the audit work to be increased in areas where the risk is
higher and reduced where the risk is lower since the risk assessments made for
each section determine the sample size for that area.
Other Assertion Level This column provides space for an explanation of the risk assessed as discussed
Risks: above.
Justification of risks In particular, an explanation should be given where the assessment is other than
low, or where the assessment is low and there are factors that suggest that this
should not be the case.
Audit approach and A summary of the approach to each financial statement area should be given. This
reference to work will often be completion of the standard programme as amended by additional
programme tests identified on C8.3.
It would be appropriate to opt out of using the standard audit programme in the
following instances:
 for an immaterial area of the audit;
 where a more efficient or effective audit approach can be performed, e.g.,
proof in total; or
 where it is a specialist area, such as some types of work in progress and the
standard audit programme is judged as not appropriate.
Where the standard programme is not used, the form should explain what work is
to be carried out on that section or cross-reference it to a tailored audit
programme. There are optional blank programmes that can be used should these
be required.
References to specific tests should be made where necessary.

C9 Notes of Engagement Team Planning Meeting
Both HKSA 240 and HKSA 315 (Revised 2019) require the audit engagement team to have a meeting on
client’s application of the applicable financial reporting framework and the susceptibility of the entity’s financial
statements to material misstatement due to fraud or error. The purpose of C9 is to provide a convenient layout
to record the results of that meeting.
It is optional to use the form provided at C9. Such matters could easily be recorded in the detailed planning
memorandum. Where that is the case, the C9 slot should be used to file notes used to brief staff at the planning
meeting.
A checklist of Fraud Risk Factors (C9.1) is provided to assist in identifying matters for discussion at the
meeting.
The engagement partner and other key members of the engagement team shall be involved in planning the audit,
including planning and participating in the discussion among engagement team members.
It is therefore vital that the audit partner and the manager (i.e., key members of the engagement team) are
present at the meeting. If the planning meeting is to be led by the audit manager, then a separate prior meeting
between the audit partner and the manager must be documented so as to evidence the involvement of the
audit partner in the process.
Engagement Team Planning Meeting Checklist (C9.2) is provided to assist in identifying matters to be
discussed and recorded at the meeting.
C12 Engagement Quality
This schedule is used to determine whether an engagement quality control review/ engagement quality review
is required. This will be determined by the firm’s procedures which will be influenced by ethical requirements
and HKSQC 1/ HKSQM 1.
C13 Other Planning Schedules
A number of optional planning schedules are included for use where appropriate. Many users prefer to deal
with such matters in the detailed planning memorandum.
C13.2 Sample Size Planning
The form provides a convenient summary of the sample sizes in each area.
C13.3 Assignment Planning Timetable
This schedule may be useful if there are a number of organizational points arising on the audit.
It will help to ensure that both the firm and the client are aware of key dates, which may reduce the risk of
misunderstandings.

C13.4 Budget and Performance Summary
It is increasingly likely that a formal estimate of the cost of the audit work will be agreed with the client in
advance.
Regardless of this, audit quality must never be compromised. If the audit is to be carried out efficiently, it is
necessary to know how best the time should be allocated. It is normally the case that the smaller the audit the
more precisely the time can be budgeted.
Although not considered compulsory, it is highly recommended that this form be completed.
If time increases over budget, it will be essential to be able to explain to the client where costs increased and
why.
In any debriefing at the end of the audit, the budget to actual comparison can provide evidence of how the time
was spent, whether it was wisely spent, and can provide a basis for planning next year’s audit in terms of
staffing and audit focus, in order to minimize the risk of recurrence.
C13.5 Job Progress Report
This form allows progress to be tracked of work on the main file sections. Tracking progress against budget
both in terms of timings and time spent is a good way to identify problems early.
4.4 Selected Current File Forms
Rapp02 Related Party Transactions
R2 includes some basic tests concerning related parties. This is intended to be sufficient where the risk of
misstatement due to the existence of related parties is low.
However, where related party relationships and transactions are more complicated or where the risk of
unidentified related parties or related party transactions is higher, the more extensive optional programme
Rapp02 should be used.
A checklist to assist with the identification of related parties is included at PAF06.1.
V2 General Ledger
Tests 6 and 7 are specific requirements under paragraph 33 of HKSA 240 which must be performed. If the V2
programme is not used these tests must be added to another programme.
V3 Review of Accounting Estimates for Bias
This form is provided to show a possible layout for a review of accounting estimates for bias as required by
HKSA 540 (Revised).

V4 Testing Journal Entries
When testing journal entries, audit data analytics (ADA) may be used in selecting and reviewing journals. Such
analysis tools and applications may range from relatively routine analysis within a spreadsheet to the use of
sophisticated applications which apply algorithms to interrogate the client’s journals. Where ADA is considered,
its use must be evaluated on a client-by-client basis.
It is necessary to evaluate the data to be used in the analysis, especially with regard to its completeness and
accuracy, as well as evaluating any particular algorithms used. Even if ADA is not used, procedures should be
performed to ensure the completeness of the population used to select samples for testing.
W2 Group Accounts
This programme addresses overall group planning issues and the consolidation process in case of a group
audit engagement. The overall group issues include consideration of whether the group auditors are able to
obtain sufficient evidence concerning the group as a whole and whether any restrictions have been placed on
this process by management.
The programme sets out the different procedures required by HKSA 600 in respect of financially significant
components, components that are significant due to identified risks and non-significant components. It should
be noted that this distinction applies regardless of whether the component is dealt with by the group
engagement team or another component auditor.
Where the group engagement team also audit all components in the group, this programme is all that is
required. Programmes W3, W4 and W5 need not be completed.
However, where the group engagement team does not audit all components of the group and other auditors
are involved, the work of component auditors must be considered and programmes W3 to W5 are required.
This applies regardless of whether the components audited by component auditors are significant components.
The only exception would be where all components not audited by the group engagement team are in total not
material to the group and no component auditors are involved; in which case W3, W4 and W5 are not required.
W3 Component Auditors
This programme should be completed in respect of each component auditor. In the Excel version of the APM,
extra columns may be added for each different component auditor.
It should be noted that a component auditor will not always be another firm. If different audit teams from the
same firm are used to audit the parent and components, then component auditors are involved and component
auditor programmes are still applicable. However, the communication and quality control/ quality management
aspects will obviously be far easier to address where the component audits are part of the same firm.
W4 Component Auditor Instructions
This form is a proforma. It is vital to tailor it to address issues relevant to the group and components concerned.

W5 Component Auditor Questionnaire
The questionnaire should be tailored to the requirements of the particular component in respect of which it is
sent and also the significance of the component to the group. Simply sending a component auditor
questionnaire to every component regardless of its significance to the group does not comply with HKSA 600.
The bottom line is that the group auditor must have sufficient appropriate evidence to support the audit opinion
on the group accounts and requirements in HKSA 600 concerning significant components.
Note: In July 2022, HKICPA issued HKSA 600 (Revised) which will be effective for audits of group financial
statements for periods beginning on or after 15 December 2023. This version of APM and guidance notes with
respect to a group audit have not addressed and incorporated the new and revised requirements under HKSA
600 (Revised). Where necessary, relevant checklists and procedures tin this APM should be tailored according
to meet the requirements of HKSA 600 (Revised).
4.5 Selected Permanent File Forms
PAF04 Know Your Client Checklist
This checklist is an aide memoire for issues that should be addressed on the permanent file.
Whilst the checklist is extensive, it should not be regarded as exhaustive. Although the use of PAF04 is not
mandatory, it reflects the requirements of HKSA 315 (Revised 2019) hence it is strongly recommended that
PAF04 be followed in obtaining an understanding in the entity.
It must be emphasized that completing the checklist and simply answering questions as yes, no or not
applicable does not document understanding of the entity in accordance with HKSA 315 (Revised 2019). The
checklist is a guide to the scope of the notes required on the permanent file and it is these notes that document
the understanding in the client. Where a matter is relevant, it should be addressed in sufficient detail on the
file as to provide a basis for further review as part of the risk assessment or evaluation of relevant controls.
PAF05 Register of Laws and Regulations
The register of laws and regulations is often completed badly. The two most common problems are:
1. Listing every conceivable regulation that applies to the client with no explanation as to their significance
or the consequences of non-compliance from the client’s perspective.
2. Giving bland descriptions such as “health and safety” with no explanation as to their significance or the
consequences of non-compliance from the client’s perspective.
It is only those laws and regulations where non-compliance may have a material impact on the financial
statements that the auditor is concerned with. If there are no such laws or regulations, then the schedule should
say so. Once relevant laws have been identified, the schedule should also record:
 The systems, if any, that the client has to ensure compliance; and
 The audit approach to the risk of non-compliance.
The audit approach should then address the specific steps to be taken to obtain sufficient evidence as to
compliance with laws and regulations. These procedures should be referenced to the relevant audit
programmes or to the Assertion Risk Action Plan (C8.3).

PAF06 Details of Related Parties
HKSA 550 requires the auditor to obtain an understanding of related party relationships and transactions. In
particular, the auditor is concerned with:
 The completeness and accuracy of related party disclosures; and
 Identification of fraud risk factors arising from related party transactions.
It is therefore vital that the entire audit team is clear as to who are known related parties and are kept informed
of any changes as the audit progresses. Paragraph 17 of HKSA 550 states:
The auditor shall share relevant information obtained about the entity’s related parties with the other members of
the engagement team.
To assist in the identification of related parties, two forms are provided:
 Related Parties Checklist (HKAS 24) (PAF06.1)
 Letter to client requesting completion of the appropriate checklist (PAF06.2).
Any risks arising from identified related party relationships should be recorded on the Assertion Risk Action
Plan (C8.3).
PAF07 Significant Accounting Policies
Significant Accounting Policies (PAF07) is another form that is often badly completed. The most common
mistake is to simply attach a copy of the accounting policies from the financial statements and state that they
comply with the applicable financial reporting framework. This misses the purpose of the form. The objective
here is to identify accounting policies that push the boundaries of acceptability, or where there is a significant
degree of judgment or estimation uncertainty that could have a material impact on the financial statements.
The schedule should therefore set out policies in much more detail than they appear in the financial statements.
Any risks arising from the application of accounting policies should be recorded on the Assertion Risk Action
Plan (C8.3).
PAF13 Accounting Estimates
The same principles apply to this schedule as to those dealing with laws and regulations or significant
accounting policies. The purpose of the schedule is to identify accounting estimates that could have a material
impact on the financial statements. Therefore, simply listing the estimates will be of little value. Rather, the
schedule should address:
 Financial reporting (including disclosure) and regulatory requirements and how they are applied;
 Approach to making the estimate (including assumptions, models and use of an expert);
 Sources of data used in making the estimate;
 Approach to estimation uncertainty;
 Control procedures; and

 Assessment of materiality.
The audit approach should then address the specific steps to be taken to obtain sufficient evidence as to the
reasonableness of the estimate. Review of Accounting Estimates (C4.1) is used to assess the inherent and
control risk associated with each estimate, as appropriate. A summary of the audit approach is also
documented on this schedule with the full details being added to the Accounting Estimate: Work Programme
(D3) for which one copy of the form is used for each accounting estimate.

5 AUDIT EVIDENCE
This chapter explains the use of the audit programmes in sections D to R within the APM.
Particular reference is made to the summary sheets, on which conclusions on individual audit areas are
required.
In respect of audit evidence, paragraph 9 of HKSA 500, Audit Evidence states that:
When using information produced by the entity, the auditor shall evaluate whether the information is sufficiently
reliable for the auditor's purposes, including as necessary in the circumstances:
(a) Obtaining audit evidence about the accuracy and completeness of the information; and
(b) Evaluating whether the information is sufficiently precise and detailed for the auditor’s purposes.
5.1 Substantive analytical procedures
Substantive analytical procedures should be adopted when it is considered as appropriate to derive audit
evidence. It is often very cost effective.
For substantive analytical procedures to be effective, they must be targeted. You must firstly set your own
expectations of the result and an acceptable level of difference in respect of the target area, and you must be
able to corroborate the results. The work must be undertaken by a suitably senior individual.
A substantive analytical procedure includes comparison of an entity’s financial information with auditor’s
anticipated results. For a substantive analytical procedure to be valid, the resulting difference arising from the
comparison should be within an acceptable threshold. Any difference beyond the acceptable threshold may
indicate a potential issue which would require further investigation by the auditor, in which case the result of
the substantive analytical procedure may not provide the extent of audit evidence as intended.
The extent to which the results of substantive analytical procedures can be used to reduce the level of
substantive testing will depend on the results of the analysis.
It may be, for example, that substantive analytical procedures undertaken lead to the belief that there is a
particular problem in the valuation of stock. It would obviously be wrong to blindly accept the results of the
substantive analytical procedures in such circumstances. Substantive analytical procedures may, therefore,
help concentrate the audit on significant aspects of the company’s financial statements for audit efficiency.
To continue the stock analogy, it may be that the results of the substantive analytical procedure indicate that
stocks have been overvalued, throwing the problem back onto the rate of gross profit, which will have been
affected by the required reduction in stock values. This new area of apparent difficulty would now need to be
investigated.
A substantive analytical procedure performed with satisfactory result might indicate that the nature and/or
extent of detailed testing may be reduced. Any such rationale should be recorded on the “sample selection
planning form”. This form may be found useful as a means of linking assessment of risk, materiality and, where
appropriate, the results of substantive analytical procedures to determine an objective sample size.
An audit programme for Substantive Analytical Procedures (D1) is included as an optional programme in
section D. This programme should be used as a bank of tests for tailoring other programmes. If the programme
itself is completed, this and the work undertaken should be filed in the appropriate file section and not section
D. For example, a substantive analytical procedure to derive audit evidence on depreciation expenses should
be filed in the Property, Plant and Equipment section of the audit file.

A working paper for the recording of substantive analytical procedures to ensure compliance with HKSA 520,
Analytical Procedures is also included in Substantive Analytical Procedures: Working Paper (D1.1). Again this
is intended to be filed as part of the relevant test, rather than in section D. If substantive analytical procedures
are undertaken in several areas, then multiple versions of the form should be completed and filed at respective
sections of the audit file.
Analytical procedures are considered in more detail in Chapter 8.
5.2 Summary sheets
The summary sheets are contained within the relevant sections of the APM. For example, the fixed assets
summary sheet is included at Fs.
Audit objectives
Paragraph 6 of HKSA 500 states that:
The auditor shall design and perform audit procedures that are appropriate in the circumstances for the purpose
of obtaining sufficient appropriate audit evidence.
In representing that the financial statements are in accordance with the applicable financial reporting
framework, management is making assertions regarding the recognition, measurement, presentation and
disclosure of the various elements of financial statements and related disclosures. Auditors typically turn these
assertions around the other way to create objectives.
The main assertions are set out in paragraph A190 of HKSA 315 (Revised 2019):
Assertions used by the auditor in considering the different types of potential misstatements that may occur may
fall into the following categories:
(a) Assertions about classes of transactions and events, and related disclosures, for the period under audit:
(i) Occurrence—transactions and events that have been recorded or disclosed have occurred, and such
transactions and events pertain to the entity.
(ii) Completeness—all transactions and events that should have been recorded have been recorded, and
all related disclosures that should have been included in the financial statements have been included.
(iii) Accuracy—amounts and other data relating to recorded transactions and events have been recorded
appropriately, and related disclosures have been appropriately measured and described.
(iv) Cut-off—transactions and events have been recorded in the correct accounting period.
(v) Classification—transactions and events have been recorded in the proper accounts.
(vi) Presentation—transactions and events are appropriately aggregated or disaggregated and clearly
described, and related disclosures are relevant and understandable in the context of the requirements
of the applicable financial reporting framework.
(b) Assertions about account balances, and related disclosures, at the period end:
(i) Existence—assets, liabilities and equity interests exist.
(ii) Rights and obligations—the entity holds or controls the rights to assets, and liabilities are the obligations
of the entity.
(iii) Completeness—all assets, liabilities and equity interests that should have been recorded have been
recorded, and all related disclosures that should have been included in the financial statements have
been included.

(iv) Accuracy, valuation and allocation—assets, liabilities and equity interests have been included in the
financial statements at appropriate amounts and any resulting valuation or allocation adjustments have
been appropriately recorded, and related disclosures have been appropriately measured and described.
(v) Classification—assets, liabilities and equity interests have been recorded in the proper accounts.
(vi) Presentation—assets, liabilities and equity interests are appropriately aggregated or disaggregated and
clearly described, and related disclosures are relevant and understandable in the context of the
requirements of the applicable financial reporting framework.
Within the summary sheets of the APM, “audit objectives” are the auditor’s method of defining and testing
those assertions. Audit tests must be designed to meet each of these financial statement assertions.
Some of these assertions are often more inherently risky than others. For example, it is often the case that the
“Completeness” and “Valuation” assertions are riskier from an auditing point of view than (say) the “Existence”
assertion. The key to an efficient audit lies in appreciating where the risks truly lie in terms of the underlying
assertions within a particular balance and focusing the audit work accordingly.
At the commencement of each audit programme section, there is a summary sheet setting out the audit
objectives for that audit area and how the audit tests are assigned to meet those objectives.
By keeping specific audit objectives in mind, i.e., to obtain sufficient and appropriate audit evidence on relevant
financial statements assertions, audit tests can be efficiently directed to meet them.
If the programme is tailored, the audit objectives should be cross-referenced to the tailored programme to
ensure that they continue to be met by the revised/new programme.
If additional or alternative tests are carried out, these should likewise be cross-referenced to the audit
objectives to ensure that these tests also meet the objectives set.
Space is available for comments and for initialling by whoever has planned the audit programme.
Conclusion
A conclusion should be drawn for each audit area. This is vitally important. Not only should the summary sheet
be concluded upon, but for each main test within each area, the following should be stated:
 Objective of the tests;
 Work performed;
 Results obtained; and
 Conclusion reached.
The conclusion section provides the following options:
Planning conclusion
Where there has been significant tailoring of the audit approach, it is essential that there is evidence to show
that the partner has approved the approach being taken to the audit of the particular section before the work
is commenced. This will also serve to improve the efficiency of the audit.

Final conclusion
The conclusion requires confirmation of a number of different things. This includes confirmation that:
 The work detailed in the audit programme has been carried out;
 The results have been adequately recorded;
 All necessary information has been collected for the preparation of the financial statements;
 Sufficient appropriate evidence has been obtained to support the audit conclusion reached; and
 Subject to any matters highlighted on B6 or B9 the objectives have been met.
Alternative conclusion
The summary sheet should state clearly the alternative conclusion reached, with adequate explanation for the
conclusion to be understood.
The alternative conclusion must be brought to the attention of the partner on schedule B6 or B9.
Before reaching an alternative conclusion, consideration should be given to whether or not there are any
additional audit procedures that could be carried out to enable achieving the audit objectives.
5.3 Audit programmes
The audit programmes from section D to R contain the main tests that would normally need to be undertaken
when carrying out an audit. However, the programmes should always be considered in the light of the specific
needs of the client. The programmes must be amended to include any additional tests required to meet specific
aspects of the client. In many cases, certain tests may not be applicable.
Take Intangible Assets (E2) as an example. The first column asks “Test required?”. This column should be
completed at the planning stage of the audit, by entering a “Y” against those tests to be undertaken, or
“N” for those tests which are not required.
Where specific tests are not being performed, ensure that other sufficient audit work is being performed
adequately to satisfy the audit objectives. Any amendments to the audit programme should be reflected in the
objectives on the “Summary sheet”.
The second column should state whether the results of the test were satisfactory. A “no” answer here means
that audit objectives have not been satisfied. This represents an “audit problem” and should be referred to on
schedule Audit Highlights (B6) or Points for Partner (B9). This should include a note of any alternative
procedures that have been applied to demonstrate that the objectives have in fact been met.
Any comments relating to a test can be noted in the fourth column. For example, where a planned test is not
applicable, the reason should be noted rather than simply stating that it is not applicable.
If the programmes are completed properly, it should be relatively straightforward for the manager or partner to
review the programmes and quickly spot any problems.

5.4 Permanent audit file index
The Permanent Audit File Index (PAF01) provides a detailed list of various matters that are often of ongoing
relevance and that should be maintained on the permanent audit file. Users can tick the boxes on the “Index”
to identify what information is actually on the file, or put down the working paper reference in the boxes.
The purpose of the permanent audit file is to maintain documentation and information of continuing relevance
to the audit. The file must be reviewed at least annually, with material that is no longer of use being removed
from the file, and archived. The file should not be considered to be a permanent repository for all documentation
that may once have been pertinent.
Forms have been provided to allow recording of the basic information, which should be contained on the
permanent audit file. These include:
 Background Information (PAF02)
 Details of Bankers and Professional Advisors (PAF03)
 Know Your Client Checklist (PAF04)
 Register of Laws and Regulations (PAF05)
 Details of Related Parties (PAF06)
 Significant Accounting Policies (PAF07)
 New Client Checklist (PAF08)
 Systems Overview (PAF09)
 Register of Non-Assurance Services for Audit Clients (PAF10)
 Register of Involvement in the Audit (PAF11)
 (PAF12) – Not Used
 Accounting Estimates (PAF13)
Know Your Client Checklist (PAF04)
The Know Your Client Checklist (PAF04) is an aide memoire of the sort of information that should be recorded
in order to comply with the requirements of HKSA 315 (Revised 2019).

Register of Laws and Regulations (PAF05)
The Register of Laws and Regulations (PAF05) is, as the name suggests, a form for recording all the significant
laws and regulations which affect the client company.
Paragraph 13 of HKSA 250 (Revised), Consideration of Laws and Regulations in an Audit of Financial
Statements states that:
As part of obtaining an understanding of the entity and its environment in accordance with HKSA 315 (Revised
2019), the auditor shall obtain a general understanding of:
(a) The legal and regulatory framework applicable to the entity and the industry or sector in which the entity
operates; and
(b) How the entity is complying with that framework.
The form must therefore be tailored to suit the client: this requires more than a vague note about the
applicability of the Companies Ordinance or employment legislation. It requires specific comment on:
 Procedures the client has in place to ensure compliance with each requirement; and
 Audit approach for determining compliance.
The form has been split to consider those laws and regulations which relate to the financial statements, those
which relate to business in general, and those which are specific to the client. Particular attention should be
given to those laws and regulations that provide a framework within which the entity operates, as well as those
whose infringement could threaten the entity’s ability to continue to trade.
5.5 External Confirmations
External confirmations are an excellent source of audit evidence; however, it is vital that the auditor retains
control over the process for requesting such confirmations. If the client refuses to allow external confirmations
to be sent, the reasons for this must be investigated and in particular the implications for the assessment of
risk concerning fraud and misstatement in this area reviewed.
According to paragraph 9 of HKSA 505, External Confirmations,
If the auditor concludes that management’s refusal to allow the auditor to send a confirmation request is
unreasonable, or the auditor is unable to obtain relevant and reliable audit evidence from alternative audit
procedures, the auditor shall communicate with those charged with governance in accordance with HKSA 260
(Revised). The auditor also shall determine the implications for the audit and the auditor’s opinion in accordance
with HKSA 705 (Revised).
Paragraph 10 of HKSA 505 then states that:
If the auditor identifies factors that give rise to doubts about the reliability of the response to a confirmation request,
the auditor shall obtain further audit evidence to resolve those doubts.
If it is not possible to resolve those doubts, then the implications for the risk assessment (including the risk of
fraud) must be considered together with the impact on the nature, timing and extent of other audit procedures.

Negative confirmations
According to paragraph 15 of HKSA 505, negative confirmations provide less persuasive audit evidence than
positive confirmations. Accordingly, they should not be used as the sole substantive audit procedure to address
an assessed risk of material misstatement at the assertion level unless all of the following are present:
(a) The risk of material misstatement is low and there is evidence regarding the operating effectiveness of
controls relevant to the assertion;
(b) The population comprises a large number of small, homogeneous account balances, transactions or
conditions;
(c) A very low exception rate is expected; and
(d) There are no reasons to suggest that recipients of negative confirmation requests would ignore them.
5.6 Completing the File
HKSA 230 requires that the file is finalized and signed off on a timely basis after the audit report is signed.
Once the file assembly process has been completed nothing should be deleted from the file before the end of
its retention period. If anything is added to the file or existing documentation modified, then the reasons for this
and who made and reviewed the changes must be recorded.

6 ASSESSMENT OF RISK
6.1 Introduction
The framework for a risk-based audit under HKSAs is founded on two standards, HKSA 315 (Revised 2019)
and HKSA 330.
Paragraph 19 of HKSA 200, Overall Objectives of the Independent Auditor and the Conduct of an Audit in
Accordance with Hong Kong Standards on Auditing requires an auditor to have an understanding of the entire
text of the HKSAs.
The nature of risk
Audit risk is present in the giving of any audit opinion on financial statements. Elements of audit risk include:
 Inherent risk, such as those from the business environment in which the entity operates;
 Control risk, such as those from the operation of the entity’s control systems; and
 Detection risk, such as those from the failure of auditing procedures, for example “sampling risk”.
The third component can rarely be eliminated completely. Accordingly, it is almost certain that some audit risks
will remain. The purpose of APM is to ensure that the risk is minimized and that, even in the event of auditing
procedures failing to detect misstatements in the financial statements, the auditors can nevertheless be shown
to have undertaken adequate auditing procedures.
For these reasons, an assessment of the audit risk is essential on all audits, no matter how small the company
may be.
Even in a small company audit, it is necessary to consider the business environment in which the company
operates. This will include an assessment of its regulatory environment, the markets it serves, the risks it faces,
its strategic objectives, the threats to those objectives and any related pressures on management.
Consideration should also be given, for example, as to whether or not the view presented by the company’s
financial statements is consistent with the lifestyle of its directors and shareholders. To a large extent, this is
why it is considered necessary in any audit to see the company at its own premises. If the company operates
from the director’s home, then go and see him or her at home. It is not easy to satisfactorily assess audit risk
from a completely office-bound perspective. You cannot get a “feel” for a company by sitting behind a desk.
Business risk
Paragraph 22 of HKSA 315 (Revised 2019) requires the auditor to obtain an understanding of the entity’s
process for identifying business risks relevant to financial reporting objectives.
Detailed Risk Assessment (C8.1) includes a section on objectives, strategies and business related risks to
assist firms in identifying such risks. It is a questionnaire which is intended to assist in the identification of risks
that may apply to the client. The questionnaire can also be used to record how low level risks will be managed.
Further guidance to C8.1 is set out in Chapter 4.3.

Audit risk
Audit risk is defined as the risk that the auditors will give an inappropriate audit opinion. This can arise by
either:
 An audit report being qualified when it should not have been; or
 An unqualified audit opinion being issued when a qualification was appropriate.
Fraud risk
Fraud risk is addressed in Risk Assessment (C8) and Detailed Risk Assessment (C8.1).
Further guidance to C8 and C8.1 is set out in Chapter 4.3.
6.2 Financial statement level risk assessment
Paragraph 11 of HKSA 315 (Revised 2019) requires the auditor is to identify and assess the risks of material
misstatement, whether due to fraud or error, at the financial statement level thereby providing a basis for
designing and implementing responses to the assessed risks of material misstatement.
Financial statement level risk affects the entity as a whole. It relates to the commercial and regulatory
environment in which the audit client operates. It is also affected by the business risks the entity faces and an
assessment of the integrity of management.
This assessment should assist in determining the risk level of the engagement as a whole. The higher the
perceived risk, the greater the audit assurance needed.
The overall assessment of risk for a client is determined after completion of the Detailed Risk Assessment
(C8.1).
Financial Statement Risk Action Plan (C8.2) should record the risk, response and outcome in respect of
financial statement level risks arising. Further guidance to C8.2 is set out in Chapter 4.3.
6.3 Assertion level risk assessment
Similarly, the assessment of assertion level risk is required by HKSA 315 (Revised 2019) to provide a basis
for designing and implementing responses to the assessed risks of material misstatement.
Identified risks, the assessment of those risks and the responses to them at the assertion level should be
recorded on Assertion Risk Action Plan (C8.3). Further guidance to C8.3 is set out in Chapter 4.3.

6.4 Reliability factors
The sampling model as used in the APM can be expressed as:
Population Value - Values of Items above Performance Materiality - Value of Key Items
Sample size =
Performance Materiality
i.e.,
Adjusted Population Value
Sample size =
Performance Materiality
Note: Definition of key items is discussed in Chapter 9.2.
By using the normal distribution, it is possible to express confidence in sampling results in the form of risk
factors. The reciprocal of a risk factor is a reliability factor and these form the basis of the sampling method.
A table of reliability factors (i.e., risk factors) can be found on Risk Response Summary (C8.4). When sampling
is undertaken, reliability factor will be multiplied by a quotient dependent upon whether tests of detail only or
tests of detail plus substantive analytical procedures and/or tests of control are to be undertaken. The multiple
is also different for balance sheet and income statement testing. Details of the multiplier that affect the reliability
factor are given on the sample selection planning forms in each section.
6.5 Vouching the total population
It may be that a total population is tested in the audit of very small companies. For example, it may be that a
flat management company has 12 invoices a year and that it is decided to vouch all 12 invoices.
At the assertion level, the risk that income may not be complete must be considered because the vouching of
all 12 recorded invoices cannot, on its own, provide all the audit evidence that we require to form a reasonable
conclusion that all income has been completely and accurately recorded in the company’s accounting records.
6.6 Conclusion
The assessment of risks and the responses to those risks is the central plank of the audit approach implicit
within HKSAs. The responses to assessed risks affect all parts of the audit; therefore, they must be an integral
part of the audit planning. This will enable the auditor to direct resources to key areas of the audit.

7 MATERIALITY
7.1 Introduction
Paragraph 11(a) of HKSA 200 states that the overall objectives of the auditor are:
To obtain reasonable assurance about whether the financial statements as a whole are free from material
misstatement, whether due to fraud or error, thereby enabling the auditor to express an opinion on whether the
financial statements are prepared, in all material respects, in accordance with an applicable financial reporting
framework.
To do so would require assessment as to what is material and what is not.
Paragraph 2 of HKSA 320 does not give a definition of materiality as such. Rather, it notes some key points
that are explained by various financial reporting frameworks when materiality is discussed:
Financial reporting frameworks often discuss the concept of materiality in the context of the preparation and
presentation of financial statements. Although financial reporting frameworks may discuss materiality in different
terms, they generally explain that:
(a) Misstatements, including omissions, are considered to be material if they, individually or in the aggregate,
could reasonably be expected to influence the economic decisions of users taken on the basis of the financial
statements;
(b) Judgments about materiality are made in light of surrounding circumstances, and are affected by the size or
nature of a misstatement, or a combination of both; and
(c) Judgments about matters that are material to users of the financial statements are based on a consideration
of the common financial information needs of users as a group. The possible effect of misstatements on
specific individual users, whose needs may vary widely, is not considered.
In general, information is material if its omission or misstatement could influence the economic decisions of
users of the financial statements. Accordingly, there should be greater focus by auditors on the needs and
expectations of users in setting overall materiality levels. Other key considerations include:
 Qualitative factors relating to the needs and expectations of users of an entity’s financial statements should
be one of the key considerations for auditors in determining the overall materiality level (e.g., liquidity risk
disclosures may be important to users of the financial statements of a financial institution).
 Auditors should ensure that where materiality benchmarks are adjusted for “one-off” items, these
adjustments are appropriate in the circumstances. Firms should ensure that their guidance assists audit
teams in making these judgments.
 Auditors should demonstrate the consideration of risk and professional judgment in setting performance
materiality and avoid, as a default, simply setting this at the highest level allowed under their firm’s
guidance.
 Auditors should improve the quality and accuracy of their reporting of materiality levels to those charged
with governance and ensure that all uncorrected misstatements above the reporting threshold agreed are
collated and reported.
 Auditors should ensure that materiality is appropriately addressed when planning analytical procedures.

 Audit firms should review their internal guidance in the light of the areas requiring improvement identified
in audit engagements, including in particular how the needs and expectations of users of financial
statements are assessed and taken into account in determining materiality levels.
In general, and in the APM, the assessment of materiality pervades the whole audit approach:
 It is relevant in identifying and assessing risks.
 It is also relevant in determining the responses to identified risks.
 It influences decisions as to whether or not an auditor should seek adjustment for misstatements found in
assessing projected misstatements and for assessing the significance of areas of disagreement on
judgmental values presented by the client.
 It is one of the factors used in sample size calculations and therefore influences the nature and extent of
the tests of detail.
7.2 Basis of determining materiality
Any basis of determining materiality is necessarily judgmental. No basis should be applied blindly and it should
certainly not be treated as a standard formula or calculation.
In general, the level of materiality is relative to the size of the business. However, some items might be material
by their nature, regardless of magnitude (for example, statutory disclosures such as directors’ emoluments).
Paragraph 9 of HKSA 320 addresses this issue by introducing the concept of performance materiality.
For the purposes of HKSAs, performance materiality means the amount or amounts set by the auditor at less
than materiality for the financial statements as a whole to reduce to an appropriately low level the probability that
the aggregate of uncorrected and undetected misstatements exceeds materiality for the financial statements as
a whole. If applicable, performance materiality also refers to the amount or amounts set by the auditor at less than
the materiality level or levels for particular classes of transactions, account balances or disclosures.
Performance materiality can therefore be used to give a working figure for materiality below the level of
materiality for the financial statements as a whole. However, HKSA 320 also envisages different levels of
performance materiality being set in different areas of the audit where this is required by the nature of the
transactions, balances or disclosures.
When establishing the overall audit strategy, the auditor shall determine materiality for the financial statements
as a whole. If, in the specific circumstances of the entity, there is one or more particular classes of transactions,
account balances or disclosures for which misstatements of lesser amounts than materiality for the financial
statements as a whole could reasonably be expected to influence the economic decisions of users taken on the
basis of the financial statements, the auditor shall also determine the materiality level or levels to be applied to
those particular classes of transactions, account balances or disclosures. (Paragraph 10 of HKSA 320)
The auditor shall determine performance materiality for purposes of assessing the risks of material misstatement
and determining the nature, timing and extent of further audit procedures. (Paragraph 11 of HKSA 320)
Paragraph A13 of HKSA 320 makes it clear that determination of the performance materiality, like the level of
materiality for the financial statements as a whole, should not be a simple mechanical calculation. It requires
the exercise of judgment and is affected by the risk assessment in the area concerned.

The APM envisages three separate types of materiality level.
1. An overall financial statement level materiality.
2. One or more section specific materiality levels as and when required for areas such as related party
transactions or director’s remuneration.
3. Performance materiality for each of the materiality levels set in “1” and “2” above.
In the APM these are recorded on the Materiality Summary (C7).
Performance materiality is determined by dividing the relevant materiality level by the risk factor (see Chapter
6) applicable to the audit as a whole, or to the specific area being tested. Whilst this is a mechanical calculation,
a judgment is required as per paragraph A13 of HKSA 320 in determining the risk factor.
Tolerable Misstatement
In the APM, the level of tolerable misstatement for a population will always be the same as or lower than the
performance materiality. See paragraph A3 of HKSA 530, Audit Sampling.
Materiality for the financial statements as a whole
Turnover is normally used as the principal yardstick in determining the level of materiality because it is
indicative of the level of business and transactions undertaken in the year. Total assets are also indicative of
size and, therefore, should be taken into account. A trading entity would usually be audited to turnover-based
materiality. An investment company would normally be audited on an asset-based materiality.
Profit before tax on ordinary activities is determined after directors’ remuneration. In most small businesses,
the impact of such remuneration on profit will be significant. Where exceptional salaries, including bonuses, or
other exceptional items have been charged in arriving at profit before tax, the exceptional element of such
costs should be added back when calculating profit-based materiality to the extent these costs are
discretionary.
The following notes are a guide only to determining materiality in particular circumstances. Wherever the figure
of materiality appears to be more appropriately calculated by other means, an alternative basis should be
applied but the reasons for doing so must be documented.
7.3 Determining materiality
A guide for determining the financial statement level of materiality is set out below. It must be emphasized that
the table is guidance only. The level of materiality is a matter for professional judgment.
Range of turnover or gross assets Percentage of turnover or gross assets
HK$0 to HK$7.5m 3.00%
HK$7.5 m to HK$ 15m 2.50%
HK$15 m to HK$ 30m 2.00%
HK$30 m to HK$ 50m 1.50%
Over HK$ 50m 1.00%
The above table is also available in Determining Materiality (C7.1).

The above approach should not be applied to setting section specific materiality levels. Determination of such
materiality levels is solely a matter of professional judgment based on the nature of the transaction, balance
or disclosure concerned.
7.4 Conclusion
The above table is not mandatory. Firms are free to set their own levels for financial statement materiality, but,
in doing so, should take care not to set levels of materiality which are either too high or too low.
Setting materiality too low will result in larger sample sizes. This may cause time problems without necessarily
increasing audit efficiency. By opining that the financial statements are “not materially misstated”, auditors do
themselves no favours by setting materiality too low.

8 ANALYTICAL PROCEDURES
8.1 Introduction
Paragraph 14(b) of HKSA 315 (Revised 2019) states that risk assessment procedures shall include analytical
procedures. HKSA 520 addresses the use of analytical procedures as a substantive test and as part of a final
review when forming an overall opinion on the financial statements.
In the context of a small company, the extent to which analytical review procedures are effective or even
possible will vary widely. It would, however, be quite wrong to suggest that analytical procedures need not be
carried out for smaller companies.
Substantive analytical procedures are particularly useful when other audit procedures cannot provide adequate
evidence of completeness on relevant transactions and balances. For instances, audit tests on till rolls can
never provide total audit assurance that all sales have been rung up on the till. Substantive analytical
procedures may, in such circumstances, provide the only practicable alternative procedures to verify
completeness of sales through, for example, analysis of margins, stock reports, brewery statistics of barrelage,
etc.
Extensive analytical procedures may highlight fluctuations in ratios. These may be normal fluctuations
(business trends, seasonal changes, trade cycles, cost/selling price relationships) or abnormal fluctuations
(exceptional transactions, bad debts, loss of assets by fire or theft, bases of valuation of stocks and cut-off
misstatements).
In analysing the cause of the fluctuations, there is a tendency in small company audits for the auditor to accept
too readily the explanation given by the management. Care must be taken to check that the facts given by the
management are valid and complete and that their effect is sufficient to explain the fluctuation. The recording
of such explanations and corroborating their validity in the working papers will be as important as the
identification of the fluctuation itself. Only corroborated commentary provides valid audit evidence.
Experience indicates that many auditors do not adequately appreciate the extent to which substantive
analytical procedures can help, believing erroneously that such procedures are only applicable to a large audit.
8.2 Timing and objectives of analytical procedures
Analytical procedures may be relevant to three distinct but interrelated stages of the audit:
 The planning stage (preliminary analytical procedures);
 Extensive analytical review as a substantive test (substantive analytical procedures); and
 Critical review of the financial statements (final analytical procedures).
The planning stage
Preliminary analytical procedures should be carried out as required by paragraph 14 of HKSA 315 (Revised
2019). This states that risk assessment procedures shall include analytical procedures.
Where draft financial statements are not available, information should be extracted from available records such
as daybooks, or expected changes from previous years should be discussed with the directors. If management
accounts or draft financial statements are available at an early stage in the audit, it may be appropriate to carry
out a more detailed preliminary analytical procedures as soon as they are available.

Preliminary analytical procedures should assist in identifying significant matters that require consideration
during the audit. This suggests that preliminary analytical procedures should be carried out before completing
the assessment of general and specific risk. Risk assessments should be reconsidered as further evidence
comes to light.
Preliminary analytical procedures do not provide audit assurance, although they should contribute to effective
auditing by minimizing the risk of over- and under-auditing.
The purpose of preliminary analytical procedures is to identify areas of the audit where there are greater risks
or areas that may, for other reasons, require more detailed investigation. It is therefore vital that there is some
commentary on the variances and ratios calculated together with a conclusion identifying any matters that
require further investigation, or noting that there are none.
Applying analytical procedures as a substantive test (substantive analytical procedures)
HKSA 520 includes a number of compulsory requirements that must be addressed when undertaking
substantive analytical procedures and which therefore may trip up those not familiar with the standard. These
requirements are set out in paragraph 5 of HKSA 520. Working Paper in section D of the APM will assist in
satisfying these requirements.
Requirement from HKSA 520.5 Guidance
a Determine the suitability of particular Some firms believe that substantive analytical
substantive analytical procedures for given procedures will always be more efficient and effective
assertions, taking account of the assessed than other substantive tests and try to use them even
risks of material misstatement and tests of when this is clearly not the case. Other firms will not
details, if any, for these assertions; consider their use in any circumstances.
The availability of information from computerized
systems encourages the use of substantive analytical
procedures; however, the auditor must be satisfied as to
the appropriateness of substantive analytical procedures
in the circumstances of the client and document that
reasoning.
b Evaluate the reliability of data from which the This is an area that is often done poorly or not
auditor’s expectation of recorded amounts considered at all. It is quite common for the audit
or ratios is developed, taking account of approach to state that no reliance will be placed on
source, comparability, and nature and systems but to then use data produced by that system in
relevance of information available, and substantive analytical procedures.
controls over preparation; Another problem we sometimes see is that of a circular
argument, whereby the results of substantive analytical
procedures are used to justify the reliability of the source
data used in those substantive analytical procedures.
It is necessary to be satisfied as to the reliability of data
used in substantive analytical procedures and each
source should be considered individually. Where this
comes from the client being audited, confidence in the
reliability of the data can be obtained from tests of control
over the production of the information or by other
substantive tests on the input data.

c Develop an expectation of recorded It is something that is almost never done before the work
amounts or ratios and evaluate whether the is undertaken. It is quite common to see a conclusion
expectation is sufficiently precise to identify along the lines that “x” or “y” has increased or decreased
a misstatement that, individually or when “as expected”. But those expectations are never
aggregated with other misstatements, may formulated before the work is performed.
cause the financial statements to be This is an area that will catch out many firms. Auditors
materially misstated; and may have performed a vague comparison against the
budget and previous years and then to see what the
results would look like before seeking plausible
explanations. However, this is not sufficient.
Substantive analytical procedures should be undertaken
using reliable data. Assessing the results without first
setting expectations will not comply with the
requirements of the HKSA.
d Determine the amount of any difference of The acceptable level of difference should be specified
recorded amounts from expected values before the work is started, rather than after the work is
that is acceptable without further completed and the difference derived.
investigation.
It is necessary to follow the above approach to ensure an expectation of the results and an acceptable level
of difference are specified before the work is undertaken.
Developing an expectation
For example, the auditor performs substantive analytical procedures on the tuition fees income of a school.
The hypothesis may be phrased as follows: “It is expected that the tuition fees income in current year be the
combined effect of (i) [X]% higher than that of the prior year due to the [X]% tuition fees increase in the current
academic year; and (ii) $[Y] less than that of the prior year to reflect the decrease in [Z] students.”
Substantive analytical procedures are not merely performing a vague comparison or producing a time-series
chart showing the two years running along roughly similar lines. Rather, a precise statement on auditor’s
expectation is required up-front. It is therefore necessary to understand factors attributable to the transactions
or balances (for example, the annual increment imposed by a utility company in case of a substantive analytical
procedure on utility charge) and build them into the expectation. The auditor should not “wait and see” how the
comparison turned out and seek plausible explanations, without understanding and building in attributable
factors in the expectation.
Precision of the expectation
The auditor must evaluate whether the expectation is sufficiently precise. This assessment will obviously take
materiality into account.
Any factors or data used in developing the expectation should also be validated, i.e., evaluate the reliability of
data, through tests of control over the production of the information or by other substantive tests on the input
data. In the example above, the auditor should obtain evidence on the reliability of the [X]% tuition fees
increment and the number of students in the current and prior year (in order to derive the changes in the
number of students). Failure to do so would invalidate the results of a substantive analytical procedure.

Critical review of financial statements
The auditor shall design and perform analytical procedures near the end of the audit that assist the auditor when
forming an overall conclusion as to whether the financial statements are consistent with the auditor’s
understanding of the entity.
Final analytical procedures will, therefore, compare current year final figures and ratios with those of previous
years and with the findings of the audit tests. It is similar to performing the preliminary analytical procedures
but at the final stage with a different objective. In the APM this is addressed on Review of Financial Statements
(B5).
As with preliminary analytical procedures, it is the commentary and conclusion that are important rather than
the number crunching.
8.3 Conclusion
It is mandatory to carry out preliminary analytical procedures and final analytical procedures in an audit.
Wherever applicable, carry out substantive analytical procedures, corroborate and explain the findings to
reduce the extent of transaction testing or to refocus audit work.
Always carry out a final critical review of the financial statements. This should involve primarily a review of the
financial statements but auditors must also read other information to be issued with the financial statements.
The critical review should help auditors to form a final overall view on the truth and fairness of the financial
statements as well as ensuring that the other information is not inconsistent with them.

9 SAMPLING
9.1 Introduction
The auditor shall determine a sample size sufficient to reduce sampling risk to an acceptably low level.
The sampling method in the APM is designed to provide a reasonable guide to the level of testing that should
be applied to individual populations. However, it is important to always consider whether the sample size
produced is appropriate. The sample size must ultimately be a matter of professional judgment. Accordingly,
the suggested sample size may be adjusted, but the reasons for the adjustment must be given on the relevant
audit working papers and must be justifiable.
9.2 Determining sample sizes
The proposed basis of determining sample sizes uses the following figures:
 Monetary value of the population;
 Overall level of materiality set for the audit;
 Reliability factor (i.e., a converse measure of risk); and
 Identification of high value and key items.
By basing the sample size on a combination of monetary value of the population, materiality and risk, the
auditor is using the data determined at the planning stage of the audit to determine an audit sample. The lower
the materiality and the lower the sampling risk the auditor is willing to accept (i.e., the higher the risk factor),
the larger the sample size will be:
The level of sampling risk that the auditor is willing to accept affects the sample size required. The lower the risk
the auditor is willing to accept, the greater the sample size will need to be. (Paragraph A10 of HKSA 530)
Following the APM sampling method therefore ensures that work undertaken is responsive to the level of
assessed risk in that area. As the APM allows risk to be assessed on an assertion by assertion basis, this
should mean that time is not wasted checking unnecessarily large samples.
High value items and key items have been stratified separately for testing. These are considered sufficiently
important to justify selecting all such items. In general, high value items are those transactions or balances
that are higher than the specific performance materiality for that section (i.e., overall materiality divided by the
inherent risk factor). Judgment is required in assessing whether or not an item is a “key” item for these
purposes. For example, in the context of debtors, this might be by reference to ageing or known risk sectors
of debtor balances, suggesting that greater audit attention should be given to particular debtors or balances.
No absolute definition of key items is suggested or possible. Judgment must be exercised as necessary.
Tests for understatement are concerned with completeness of the population and may therefore start outside
the accounting system. The value of items in the recorded population is not relevant when testing for
understatement; therefore, once an understatement test has been completed, any balances over performance
materiality remaining unaudited should be verified.
The value of the population should relate specifically to the test being carried out. For example, a test designed
to verify the provision for obsolete stocks should not be based on the value of the provisions made by the
client. The main concern is to ensure that all items of obsolete stocks have been identified. In these

circumstances, the population should be the total value of stocks. Of course, it is necessary to concentrate
testing on high-risk items, such as those with no sales over the past few months. The remainder of the
population cannot, however, be ignored. Tests must cover some apparently low risk items, hence the value of
the residual population forming the basis for this sample.
The auditor shall select items for the sample in such a way that each sampling unit in the population has a chance
of selection. (Paragraph 8 of HKSA 530)
Care must therefore be taken when the approach is to test higher value items. If the sample size is 10, then
testing the valuation of say the 10 highest value stock lines does not comply with paragraph 8 of HKSA 530 if
the residual population is material yet the lower value stock lines had no chance of selection. However, it
should also be noted that paragraph 8 of HKSA 530 does not require every item in the population to have an
equal chance of selection. It would therefore be plausible to test, say 9 items from the highest value lines, 1
from the residual population, and testing other items identified as high-risk.
It should be noted that paragraph 8 of HKSA 530 does not apply where testing the higher values items leaves
a residual population that is not material. This is not sampling. In these circumstances the total population has
been stratified based on value, i.e., one population (those with the attribute of total value above a certain
amount) has been tested 100% and the other will not be tested at all on the basis that it is not material and no
other high-risk or key items identified.
9.3 Sample selection planning form
Sample selection planning forms may be used to determine sample sizes in all the examples referred to in 9.2
above and are included in each of the main file sections.
Sample sizes may be determined without using the form, but, in such circumstances, the basis should be
explained.
The form takes you step-by-step through the data determined in the planning stage to provide an objective
means of determining the sample size. Reference to the inherent risk factors should be made as necessary.
In the APM’s sample selection, different fractions are applied to the risk factor used for items in the balance
sheet, and items in the profit and loss (so make sure you are using the correct sample selection form).
The form is not intended to provide an absolutely rigid approach to sample selection. Where the sample size
determined by means of the form is not be considered appropriate, do not simply override the form and select
a different figure; think about whether the information derived from the planning forms is fair in the
circumstances. If a different sample size is selected, the reason for having done so must be explained in the
working papers. Judgment must be used and the sample shown by the form is a convenient starting point for
the exercise of that judgment.
An example of a difficulty commonly encountered in sample selection is the determination of a very large
sample size. Any large sample sizes determined must be capable of proper testing in an appropriate time
scale. However, it is generally not efficient in a small company audit to test such samples, suggesting that a
rethink of audit strategy is necessary. It is likely that alternative audit tests or approaches should be considered
as a means of obtaining sufficient audit evidence, reducing the tests of detail accordingly.
Care should also be taken where the calculated sample size is small, say below 10. While this might be
because the population has a low value or because assurance has been gained from tests of control or
substantive analytical procedures, judgment is needed to determine whether a small sample size is likely to
be representative or a change in audit strategy is necessary.

9.4 Selecting the sample from the population
Various means are available for selecting the chosen sample from the population. High value and key items
will already have been identified. The sample from the residual population should be selected so as to cover
fairly the whole of the population being selected and as noted above, every item in the population must have
a chance of selection.
This involves the use of either random, systematic or judgmental means of selection. Try to avoid the selection
of a block of items as this is prone to bias and might not adequately consider the whole population.
An example of a random selection would be to start with a random number (for example, the serial number of
a bank note), and select every nth item thereafter where n equals the residual population value divided by the
sample size. Again, exclude high value items and key items as these will already have been selected for
testing.
Regardless of the basis used, state the basis and, if necessary, why it was chosen.
Test not applicable to item sampled
If the audit procedure is not applicable to an item selected in the sample, according to paragraph 10 of HKSA
530, a replacement item should be selected.
It must be emphasized that an item being not applicable is not the same as a misstatement. So, if we are
looking to check that all despatch notes have been invoiced and a particular despatch note number was not
used (for whatever reason, which should be verified), then it would be appropriate to select another item.
However, if the despatch note tested was not invoiced properly, this would be a misstatement and should be
treated accordingly, rather than replacing the sample by another item for the test. The evaluation of
misstatements is dealt with in the next chapter.
Recording the Sample
HKSA 230 has some specific requirements concerning the sample selected for testing. According to paragraph
9 of HKSA 230,
In documenting the nature, timing and extent of audit procedures performed, the auditor shall record:
(a) The identifying characteristics of the specific items or matters tested;
(b) Who performed the audit work and the date such work was completed; and
(c) Who reviewed the audit work performed and the date and extent of such review.
Simply stating that a sample of items was tested does not satisfy this requirement. Sufficient information must
be noted about the samples tested to allow them to be identified in the event that further investigation is
required.
9.5 Samples for tests of control
No specific guidance is given on the size of samples for tests of control, as this is essentially a judgmental
area. The standard sampling approach does not apply, as the population for many controls will be monthly,
weekly, daily or of other frequencies. In these circumstances, it is a matter of judgment as to how many should
be tested.
Where a control operates at a transaction level, dual purpose testing is normally the most effective approach.
This means that a sample is selected, based on the assumption that the control is operating, and is tested

substantively (for example, vouching purchase invoices to support a nominal ledger debit) and also for the
operating effectiveness of the control (say validating whether the purchase invoice was approved by the client
personnel against a goods received note).
9.6 Conclusion
Determining an appropriate sample size is a matter of judgment. Therefore, it is not sufficient to determine the
size of a sample without recording the logical thought used in its selection.
The sample selected should be capable of being properly tested. If this cannot be done, it is nearly certain that
the work will not be carried out well.
Finally, once a sample size has been selected, it is essential to stick to it. Testing less than the selected sample
size is positively dangerous. All misstatements or deviations must be followed up to determine the implications
for the audit.

10 EVALUATION OF MISSTATEMENTS
10.1 Introduction
The investigation and evaluation of misstatements encountered during audit tests is a vital part of the audit.
Indeed, paragraph 14 of HKSA 530 states:
For tests of details, the auditor shall project misstatements found in the sample to the population.
Misstatements should always be investigated and the nature and cause of any deviations or misstatements
identified. Their possible effect on the purpose of the audit procedure and on other areas of the audit should
also be evaluated. In no circumstances should they be ignored.
10.2 Nature and cause of deviations and misstatements
When a misstatement is encountered, questions which must be addressed are:
 Could other misstatements exist elsewhere within the population?
 Is it possible that those misstatements could be material to the financial statements?
A common mistake seen on many files is to conclude that the misstatement found is an isolated occurrence.
This is a very convenient assumption as it can be used as a means of justifying that no further work is required.
However, in most cases there is no valid reason for reaching such a conclusion. If a misstatement really is an
isolated occurrence, the reasons for this should be fully explained. According to paragraph 13 of HKSA 530:
In the extremely rare circumstances when the auditor considers a misstatement or deviation discovered in a
sample to be an anomaly, the auditor shall obtain a high degree of certainty that such misstatement or deviation
is not representative of the population. The auditor shall obtain this degree of certainty by performing additional
audit procedures to obtain sufficient appropriate audit evidence that the misstatement or deviation does not affect
the remainder of the population.
Paragraph 13 of HKSA 530 requires additional work to be carried out to confirm that a particular the
misstatement is an isolated occurrence. Some additional work must be carried out, so there is nothing to be
gained by treating it as isolated. However, in most cases, the answers to the above questions will both be
“yes”, and in these circumstances some additional audit work must be carried out to reach the conclusion.
Remember, the second question is asking whether it is possible, not whether it is likely.
Having considered the nature of a misstatement, it may well be possible to devise an alternative test which
can more effectively and efficiently identify the likely impact. This may involve detailed analytical procedures
or some other test altogether. In the absence of this, it will be appropriate to extend the sample size in order
to determine whether the level of misstatement encountered is typical of the population as a whole.
Since the method of sampling has already identified all high value items and tested these individually, any
misstatements within these items will have already been fully evaluated. Increased audit work will, therefore,
be likely within the “residual population”.
Where the increased work identifies a certain level of misstatement within the population, it will usually be
appropriate to extrapolate that level of misstatement over the residual population. This, combined with the
misstatements found in the high value items tested, will give us the most likely level of misstatement in the
population as a whole. Consideration must be given to whether this level of misstatement is likely to produce
a material misstatement within the financial statements.

Misstatements are not always most effectively dealt with by simply increasing the sample size. The nature of
the misstatement and why it may have arisen must be considered. For example, if posting misstatements arise
during the period when a particular member of staff was on holiday, it would clearly be sensible to extend tests
to concentrate on that period of absence, rather than the year as a whole. Similarly, if misstatements are
coming out of one particular branch or depot, additional testing should concentrate on these.
10.3 Projecting the value of misstatements
Two non-statistical methods of projecting misstatements in a population are set out below.
 The ratio method may be more appropriate where the amount of misstatement in a transaction relates
closely to its size, i.e., the bigger the transaction, the bigger the misstatement.
 The difference method may be more appropriate where the size of the transaction would make no
difference to the amount of the misstatement, i.e., the misstatement is of a constant amount.
Both bases of calculation are able only to project a misstatement in the population as a whole.
The ratio method
Population value
Projected misstatement in population = Misstatement found x
Sample values
Example
HK$
Total value of population 250,000
Total value of high value key items tested 100,000 (misstatements – $4,000)
Sample value of the residual population tested 45,000 (misstatements – $2,000)
Projected misstatement in the residual population $6,667 ($2,000 x 150,000/45,000)
Overall projected misstatement $10,667 ($4,000 + $6,667)
Known misstatement $6,000 ($4,000 + $2,000)

The difference method
Number of items in population

Projected misstatement in population = Misstatement found in sample x
Number of items in sample
Example
Total number of items in population 300

Number of items examined 100% 20 (misstatements - $1,000)
Number of items in sample selected from the residual 25 (misstatements - $1,200)
pollution
Projected misstatement in the residual population $13,440 ($1,200 x 280/25)
Overall projected misstatement $14,400 ($1,000 + $13,400)
Known misstatement $2,200 ($1,000 + $1,200)
Where information about the nature of misstatements is not known, the ratio method should normally be used.
10.4 Misstatements and materiality
Except where the projection gives a total misstatement that can be classified as trivial according to paragraph
5 of HKSA 450, the total value of all projected misstatements must be accumulated to determine whether or
not this value could give rise to a material misstatement in the financial statements as required by paragraph
15 of HKSA 450. Any such misstatements should be recorded on Unadjusted Misstatements (B7).
The nature of the misstatements, their amount and the financial statements areas on which they impact will all
affect the auditor’s judgment in evaluating their effect on the truth and fairness of the financial statements.
10.5 Conclusion
Because a projected misstatement is unlikely to be the same as an actual misstatement in a population, it will
be necessary to evaluate judgmentally whether or not a material misstatement in the financial statements is
considered likely. If so, the choice of options would be to:
 Request the client to investigate the misstatements and the potential for further misstatements;
 Extend the audit tests to gain a more precise conclusion;
 Perform alternative procedures (if possible); or
 Qualify the audit opinion.
Where the client is asked to investigate the misstatement, paragraph 7 of HKSA 450 is relevant:
If, at the auditor’s request, management has examined a class of transactions, account balance or disclosure and
corrected misstatements that were detected, the auditor shall perform additional audit procedures to determine
whether misstatements remain.
The client’s analysis cannot simply be accepted.

The effect of misstatements found in audit tests must be resolved. It is not acceptable to leave a misstatement
position “open”. A conclusion about its impact on the area being tested and the financial statements as a whole
must be drawn.
The auditor shall determine whether uncorrected misstatements are material, individually or in aggregate. In
making this determination, the auditor shall consider:
(a) The size and nature of the misstatements, both in relation to particular classes of transactions, account
balances or disclosures and the financial statements as a whole, and the particular circumstances of their
occurrence; and
(b) The effect of uncorrected misstatements related to prior periods on the relevant classes of transactions,
account balances or disclosures, and the financial statements as a whole.
Ultimately it is necessary to form a conclusion on the results of the sample tested and whether this provides
sufficient appropriate evidence for the purpose intended.

11 USE OF AUDIT DATA ANALYTICS
11.1 Introduction
Data Analytics, when used to obtain audit evidence in a financial statement audit, is the science and art of
discovering and analysing patterns, deviations and inconsistencies, and extracting other useful information in
the data underlying or related to the subject matter of an audit through analysis, modelling and visualization
for the purpose of planning and performing the audit.
Audit data analytics (ADA) may be used to:
 Deepen the auditor’s understanding of the entity;
 Facilitate the focus of audit testing on the areas of highest risk through stratification of large populations;
 Aid the exercise of professional skepticism;
 Enabling the auditor to perform tests on large or complex datasets where a manual approach would not
be feasible;
 Improve audit efficiency; and
 Identify instances of fraud.
Guidance on the use of ADA in preliminary analytical procedure is included within section 4 (C6). Guidance
on the use of ADA for identifying high risk journals/transactions and for testing and responding to assessed
risks is included below.
The use of ADA is not mandatory and this guidance is therefore included for reference only.
11.2 Use of ADA for identifying high risk journals/transactions
As noted above, ADA can be applied to identify transactions for testing on the basis of risk criteria, including
journal entries. This allows testing to be focused more efficiently than it would be using manual sample
selection. This could involve using ADA to generate a risk score for each general ledger transaction, which
can either be based upon artificial intelligence/machine learning, criteria set manually by the audit team (which
is tailored for each client), or a combination of these methods depending on the ADA system being used.
Automated risk scoring
Where transactions have been risk scored using an automated ADA application, the application will usually
have pre-set parameters set by the developer. In such cases auditors should ensure they have understood
what these are and evaluate their use for each client, ensuring they are tailored as appropriate. Given the
bespoke nature of such applications, a freeform working paper will be needed to record this assessment.
Some efficiencies may be gained by a central team of experts within the firm undertaking the required
evaluation of the pre-set system parameters, which could be drawn on by engagement teams to complete the
assessment. Auditors may also want to consult with a central team of experts or the application developer to
confirm the appropriateness of any tailoring made to these parameters, recording details of this in the
assessment.

Manual risk scoring
Where auditors manually apply risk criteria to transactions (e.g., when analysing data in a spreadsheet), each
of the criteria selected should be allocated a risk score on a scale of, for example, 1 to 5 (1 being used for
criteria which is considered to be the lowest risk and 5 for criteria which is considered the highest risk). The
risk posed by certain factors will vary from client to client, so the tailoring should base upon auditors’ knowledge
and experience of each client.
There are various criteria auditors could apply when manually evaluating the level of risk posed by a
transaction. While not an exhaustive list, common criteria to apply are as follows:
Risk Condition Example of criteria that could be applied
Large amounts Greater than or equal to performance materiality
Round sum amounts Amounts which end 000.00, 999.99, 999.00
Unusual description / key word search Descriptions which include names / titles of key
management, directors and other related parties or
unusual words such as adjust, correct, etc.
Transactions posted at unusual times Journals posted when the office is usually closed,
such as weekends or between 7pm and 8am
Back dated transactions Journals which post to a prior period (i.e., a journal
raised in accounting period 3 which is shown in
accounting period 2)
Transactions posted and reviewed by the same Where a system had a “park and post” or
person “maker/checker” function and these roles have
been performed by the same person
Transactions posted by an unexpected person Journal posted by a senior member of staff/non-

finance staff who typically are not involved in day to
day ledger posting
Unexpected account combinations Journals which are posted to accounts which would
not typically be linked, for example sales and fixed
assets
Transactions which bypass the expected System entries which are usually
transaction flow automated/triggered from a sub-ledger but are
posted manually
These risk conditions and examples are not exhaustive examples and teams should also use their judgment
to consider additional criteria and tailoring which could be applied relevant to the client. The justification for the
criteria selected should be documented on file.
Risk enhancers
To further tailor the risk score, certain ADA applications (both automated and manual) may allow us to enhance
the risk score of a transaction by applying a multiple. This may be linked to certain document / journal types or
members of client staff considered to present a higher risk, the financial statement assertion risks (e.g., a high
risk area could receive a higher risk multiple) or certain accounts which are considered inherently riskier due
to their susceptibility to fraud. Details of enhancers applied should be recorded.

Manually calculating a transactions risk score
A transaction risk score is calculated by taking the sum of any risk scores triggered by a specific risk condition,
which is then multiplied by any applicable risk enhancers (where no enhancer is applicable to a particular
transaction, this will be assumed to be a multiplier of 1).
Example risk score calculation
Extract example of a manually applied risk criteria:
Risk condition Specific definition for this client Risk score applied
Large Value $100,000 (performance materiality) 3
Round sum amount or transaction Amount ending “000.00” 2

ending in “999”
Transaction posted at unusual time Any posting between before 7:30 am and 5
after 8.00 pm Monday to Friday and at
any time on a weekend
Extract example of a risk enhancer:
Risk enhancer Multiple to be applied
Any transactions posted to Revenue 3
Example extract transaction data and scores calculation:
Description Transaction Account Account Value Time and Risk score

ID Dr Cr $ Date
Correction to 1234 Accrued Sales 200,000 11:00 pm 30

accrued income income Friday [(3+2+5)x3]
dd/mm/yyyy
Monthly 1235 P&L Accumulated 105,000 2:00 pm 5

depreciation depreciation depreciation Monday [(3+2)x1]
charge for Motor (Motor (Motor dd/mm/yyyy
Vehicles Vehicles) Vehicles)
Items to be selected for testing
The final element of tailoring is setting the criteria which highlight the transaction to be tested. Teams need to
set a risk score and any transactions which score equal or greater than this will be selected for testing. Teams
should also consider other specific risk factors which may trigger a transaction to be tested or why it can be
excluded from testing (e.g., the value of the transaction is trivial or a reversing journals where it can be
confirmed the net impact in the period is nil). The criteria along with the rationale to the criteria should be
recorded.
Where teams are relying on an algorithm (e.g., in which risk scoring is done via machine learning or artificial
intelligence), their understanding and evaluation of the appropriateness of the algorithm being used should be
recorded.

11.3 Use of ADA for testing and responding to assessed risks
Undertaking the test utilizing ADA will generally involve using the application to develop an expectation for the
population being tested. This will draw on auditors’ understanding of the entity and ensure the application
being used is appropriate for the specific circumstances of the entity.
Upon reviewing the results, auditors may find these are generally in-line with their expectations, with some
exceptions that require further testing. In some circumstances, auditors may find the results do not match with
their expectations, with a significant number of outliers within the population meaning further analysis is needed
before they can begin to test exceptions.
Outliers which cause a deviation to auditors’ expectation can arise through one or a multiple of the following
factors:
 Auditors’ understanding of the entity was not sufficient to appropriately calibrate and set the parameters
within the ADA application.
 The data may not be of sufficient quality to facilitate the use of the ADA.
 Auditors’ initial evaluation of the appropriateness of the use of ADA for this entity may be inappropriate.
Point two may be overcome through data cleansing activity or discussion with the client to evaluate if a more
refined data set is available. Where this is the case auditors should update the evaluation. Where this is not
possible, the planned approach should be modified accordingly.
The third point will also mean the planned approach should be modified accordingly.
For the first point above, auditors may be able to recalibrate the parameters upon revising their understanding
of the entity. In this case, the following points are areas to consider:
 Undertaking careful analysis of the outliers in order to assess which of the parameters used within the
ADA require refinement and how this needs to be done. This includes revisiting auditors’ understanding of
the entity and its environment to determine if parameters can be refined in order to reduce the number of
outliers or identify those which are truly exceptions and therefore warrant further investigation as
exceptions.
 Discussion with management, in a similar fashion to how to refine an expectation when undertaking
analytical procedures under HKSA 520, to understand the underlying data and potential relationships
better.
When redefining the parameters used for ADA, it is inappropriate to make the following adjustments:
 Artificially reducing the amount of work required which ultimately results in obtaining insufficient
appropriate audit evidence.
 Attempting to generate the same number of outliers / exceptions as seen in previous periods.
 Adjusting the parameters to compensate for data quality issues.
Once we are comfortable that the ADA application has been configured appropriately such that there are no
outliers and any deviations from our expectation are due to true exceptions, we begin substantively testing
these.

When testing the exceptions we will first need to consider if the population is homogenous, in which case
sampling can be considered. Where we determine the population is not homogenous we will need to consider
if there is scope to stratify the population of exceptions into homogenous sub-populations before beginning
sampling and substantive testing of these discrete groups. Where we do stratify the population of exceptions
we need to take care that when sampling based on sub-populations, the untested population in a single
financial statement line item does not exceed materiality.
For the remaining population (i.e., that which falls in-line with our expectation), we may be able to leverage
testing undertaken elsewhere in the audit file in order to gain comfort over the non-exception population.
Where this is not the case we will need to consider what additional procedures are needed.

12 PRACTICAL POINTS ON FILE COMPLETION
Knowing the common pitfalls in audit engagements and how to avoid them can be a valuable skill. Auditors
are encouraged to read through inspection reports published by audit regulators which summarize common
audit deficiencies identified and provide suggestions to improve them.
HKICPA Quality Assurance Department Report
HKICPA’s practice review was a quality assurance programme that covered the provision of audit and other
related assurance services in Hong Kong by the Institute’s practice units.
Major findings from the practice review programme were summarized in the HKICPA’s Quality Assurance
Department Annual Reports.
Accounting and Financial Reporting Council Inspection Report
As a result of the regulatory reform, HKICPA’s regulatory powers in respect of auditors of public interest entities
(PIEs) was transferred to the Accounting and Financial Reporting Council (AFRC) from 1 October 2019. Under
the new regime, the AFRC is empowered to carry out inspections of PIE audit engagements completed by PIE
auditors on or after 1 October 2019. To take forward the reform, the AFRC’s power of inspection over auditors
is expanded to cover all practice units with effect from 1 October 2022.
The AFRC’s findings from their inspections of audit engagements are available in their Inspection Reports.

Hong Kong Institute of Certified Public Accountants
37th Floor, Wu Chung House
213 Queen’s Road East, Wanchai, Hong Kong
Tel: (852) 2287 7228
Fax: (852) 2865 6603
Email: hkicpa@hkicpa.org.hk
Website: www.hkicpa.org.hk

Audit Practice Manual (2022 Edition) Guidance Notes

Uploaded by

Copyright:

Available Formats

Audit Practice Manual (2022 Edition) Guidance Notes

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Audit Practice Manual (2022 Edition) Guidance Notes

Uploaded by

Copyright:

Available Formats

Hong Kong Institute

Audit Practice Manual

2 Key Issues from Hong Kong Standards on Auditing ...................................................................................... 5

3 The APM: An Overview ................................................................................................................................ 25

4 Completing the Forms .................................................................................................................................. 31

5 Audit Evidence .............................................................................................................................................. 60

6 Assessment of Risk ...................................................................................................................................... 67

8 Analytical Procedures ................................................................................................................................... 74

10 Evaluation of Misstatements ....................................................................................................................... 82

11 Use of Audit Data Analytics ........................................................................................................................ 86

12 Practical Points on File Completion ............................................................................................................ 91

Appendix 1: Letter of Engagement

Appendix 2: Letter of Representation

Appendix 3: Letter of Comment

Appendix 4: Summary of Example Auditor’s Report

1.2 Changes in this version

 Other minor consequential amendments from the above changes.

Page 2 APM Guidance Notes

 Removal of the following programmes which are no longer applicable:

1.3 Referencing system

The system contains detailed indices for all sections.

Page 3 APM Guidance Notes

1.7 Using the Excel template

Page 4 APM Guidance Notes

 HKSA 330, The Auditor’s Responses to Assessed Risks; and

The second is your assessment of the risk of a material misstatement arising.

According to paragraph 11 of HKSA 315 (Revised 2019),

Page 5 APM Guidance Notes

HKSA 315 (Revised 2019) defines a significant risk as:

An identified risk of material misstatement:

Risk assessment procedures

According to paragraph 14 of HKSA 315 (Revised 2019),

The risk assessment procedures shall include the following:

(b) Analytical procedures.

(c) Observation and inspection.

Page 6 APM Guidance Notes

(a) The following aspects of the entity and its environment;

(ii) Industry, regulatory and other external factors; and

Paragraph 20 of HKSA 315 (Revised 2019) adds that:

Understanding the components of the entity’s system of internal control

Ref. in HKSA 315

Page 7 APM Guidance Notes

b. The Entity’s Risk Assessment Process

(a) Understanding the entity’s process for:

(i) Identifying business risks relevant to financial reporting objectives;

(iii) Addressing those risks;

c. The Entity’s Process to Monitor the System of Internal Control

(a) Understanding those aspects of the entity’s process that address:

Page 8 APM Guidance Notes

d. The Information System and Communication

Page 9 APM Guidance Notes

(ii) Between management and those charged with governance; and

(i) Controls that address a risk that is determined to be a significant risk;

Page 10 APM Guidance Notes

 Authorizations and approvals;

 Verifications (such as edit and validation checks or automated calculation);

 Physical or logical controls (including those address safeguarding of assets).

 The evaluation of design and determination of implementation of controls is addressed on Internal

Page 11 APM Guidance Notes