DEBARK UNIVERSITY

COLLEGE OF BUSINESS AND ECONOMICS

DEPARTMENT OF ACCOUNTING AND FINANCE

Auditing principles & Practice I

Reading guide for Exit-Exam

1|Page
 April, 2015
Debark, Ethiopia

Course Objectives & Competences to be acquired

After studying this course, the student should be able to:

 Describe the nature of an audit and explain the economic and legal basis for auditing.
 Demonstrate ability in the use of International Auditing Standards in various audit issues.
 Assess professional ethics with respect to the audit function and review the main components of
Code of Professional Conduct.
 Examine the auditor's legal liability to clients and third parties.
 Demonstrate expertise in planning and carrying out audit procedures in accordance with
International Auditing Standards and demonstrate how an auditor documents his work.
 Demonstrate how the auditor obtains an understanding of the entity and its environment and
assesses the risk of material misstatement.
 Explain how materiality and various risk assessments impact the audit program.
 Determine the audit procedure needed to audit any assertion.
 Relate management assertions to general and specific audit objectives, relate audit evidence, and
audit objectives to evidence-gathering decisions.
 Demonstrate ability in carrying out functions of internal control systems and examine the
elements of an internal control structure and their components.
 Describe the audit report and explain conditions for qualifications in the audit report.

CHAPTER ONE

2|Page
 Overview of Auditing
Introduction
Economic decisions are typically based upon the information available to the decision maker. To obtain
the most benefit, users should have economic information that is both relevant and reliable. This need
for relevant and reliable financial information creates a demand for accounting and auditing service.
1.1 Origin and historical development of Auditing
The original meaning of the term Audit is derived from the Latin word ‘Audere’ which means ‘to hear’
and the term Auditor is ‘one who hear’. In earlier periods, commercial and governmental records were
approved only after a public reading in which the accounts were read allowed to peoples those hear.
From medieval period up to the industrial revolution Audit were performed to determine whether person
in position of official responsibility in government and commerce were acting and reporting in an honest
manner.
In the first half the 20th century, the direction of audit works tends to move away from fraud detection
towards a new goal of determining whether financial statements give a full and fair picture of financial
position, operating results, and change in financial position. Although banks were the primary users of
financial reports, auditors become more responsible to stockholders, government agencies and to other
parties who might rely up on financial information.
In the middle of 20th century, the large-scale corporate entities growth rapidly, and auditory began to
examine selected transaction rather than study all transactions. Auditors and business managers
gradually come to accept the careful examination of relatively few transactions selected at random and
they believe that it would be a cost effective and reliable indication of the accuracy of other similar
transaction.
In addition to sampling, auditors become aware of the importance of effective internal control. A
company internal control consists of the policies and procedures established to provide reasonable
assurance that the objective of the company will be achieved. Auditor found that by studying the firm’s
internal control they could identify areas of strength and weaknesses. Now a days, Auditors began to use
sophisticated computer software to test the intensity of firm’s internal control and the accuracy financial
statement balances.

1.2 Nature and definition of auditing

3|Page
 Definition of Auditing
What will be your answer if you asked to provide a complete definition of auditing and audit
engagement?
Dear learners, it is quite difficult to give a single and precise definition of the term “Audit”. Many
notable authors and other bodies have defined the word “audit”, and every one of them has attempted to
emphasize one aspect or the other, but the central idea is more or less the same.
Definition 1: Some authors define auditing as an independent examination of an expression of
opinion on, the financial statements of a concern by an appointed auditor in pursuance of that
appointment and in compliance with any relevant statutory obligations.
Definition 2: Some scholars also define auditing as an independent examination of the books of
account and the related documentary evidence by a qualified person in order to ascertain the
accuracy of figures.
Auditing is a systematic examination of the books and records of a business of other organizations in
order to ascertain or verify and to report upon the facts regarding the financial operations and the results
thereof.
Generally, we can define
 Auditing is the accumulation and evaluation of evidence about information to determine and report
on the degree of correspondence between the information and established criteria.
 Auditing should be done by a competent, independent person.
 To do an audit, there must be information in a verifiable form and some standards (criteria) by
which the auditor can evaluate the information.
To attest to information means to provide assurance as to its reliability. More formally, the AICPA has
defined an attest engagement as one in which:
A practitioner is engaged to issue or does issue a written communication that expresses a conclusion
about the reliability of a written assertion that is the responsibility of another party.
1.3 Why Audits are conducted?
There is a need for auditing when ownership is separated from control. At a practical level, it helps
prevent or detect misstatements-errors or fraud. It may prevent or detect misstatements on the part of 1)
the employees who actually handle the money, or 2) management. Auditing is needed to enhance the
credibility of financial information prepared by an entity. The independent audit requirement fulfills the
need to ensure that those financial statements are objective, free from bias and manipulation and relevant
to the needs of users. The major reasons for increase in demand of auditing are:
A. Control Mechanism
4|Page
Audits whether internally or externally performed are valued as important control mechanisms for
accountability the overall need for monitoring activities, especially financial activity includes the need
for auditing to provide credibility for reported and unreported information.
B. To resolve Conflict of Interest
The agency relationship that exists between an owner and manager produces a natural conflict of interest
because of the information asymmetry that exists between the manager and the absentee owner.
Information asymmetry means that the manager generally has more information about the "true"
financial position and results of operations of the entity than the absentee owner does. If both parties
seek to maximize their own self-interest, it is likely that the manager will not act in the best interest of
the owner.
Whenever there is a conflict of interest between parties, the need for an arbiter or a non-partisan view is
obvious. In financial affairs there are natural grounds for conflict of interest between information
preparer and user, which can result in the production of a biased information data. Thus an audit is
required for an objective review of the information.
C. To reduce damaging consequences
The ultimate objective and function of accounting is to provide information for economic decision-
making. Information is used for decisions that have serious and substantial economic consequences.
Thus the need for an audit for verifying the accuracy of information before they are used in decisions
that may bring damaging consequences.
D. To simplify complexity: In our age, financial information & translation has been come complex in
preparation, content, and format. Therefore it demands drippy specialized body of knowledge to
prepare (compilation), verify and interpret them.
E. Regulatory Requirements
Many business laws, memorandum of association and regulatory agencies acts make audits annual
requirements to be complied with for renewal of license or permit. For example, the security exchange
commission (SEC) in the US; the Commercial Code of Ethiopia (1966), and later the Public Financial
Regulation of Proc. 163/1999 in Ethiopia make the filing of audited financial statements annually. Thus,
compliance requirements create a very large demand for auditing services.
1.4 Accounting versus Auditing
Many financial statement users and members of the general public confuse auditing with accounting.
The confusion results because most auditing is concerned with accounting information, and many
auditors have considerable expertise in accounting matters. The confusion is increased by the fact that
auditing is performed by individuals described as public accountants.
5|Page
 Accounting is the process of recording, classifying and summarizing economic events in a logical
manner for the purpose of providing financial information for decision-making. Accounting is
constructive, It starts with the raw financial data to process and produce financial summary through
reports known as financial statements as the end product of its work. The function of accounting, to an
entity and to society as a whole, is to provide certain quantitative information that management and
others can use to make decisions. To provide relevant information, accountants need to have a thorough
understanding of the rules and principles and provide the basis for preparing the accounting information.
Auditing on the other hand is analytical work that starts with the end product of accounting to lend
credibility and fairness of the measurements. In auditing, the concern is with determining whether
recorded information properly reflects the economic events that occurred during the accounting period.
Since the accounting rules and principles are the criteria for evaluating whether the accounting
information is properly recorded, any auditor involved with this data must also thoroughly understand
the accounting rules and principles. In the context of the audit of financial statements these are generally
accepted accounting principles (GAAP).
In addition to understanding accounting, the auditor must also possess expertise knowledge in the
accumulation and interpretation of audit evidence, determining the proper audit procedures, sample size,
particular items to examine, timing of the tests, and evaluating the results are unique to the auditor. It is
this expertise that distinguishes auditors from accountants.
1.5. Types of Audits and Auditors
A. Types of Audits
Audits are often viewed as falling into three major types:
1) Audits of financial statements,
2) Operational audits, and
3) Compliance audits.

1. Audits of financial statements: - is conducted to determine whether the overall financial statements
are stated in accordance with specified criteria (GAAP). It involves obtaining and evaluating evidence
about an entity’s financial statements for the purpose of expressing an opinion on whether they are
presented fairly in conformity with established criteria, e.g., GAAP.

 This type of audit is made by external auditors

 The result of such audits is distributed to a wide spectrum of users such as stockholders,
creditors, regulatory agencies and general public.
2. Operational audit (Performance audit or management audit) - is a review of any part or specific
6|Page
 unit of an organization’s operating procedures & methods for the purpose of evaluating
performance (efficiency and effectiveness). It involves obtaining and evaluating evidence about the
efficiency and effectiveness of an entity’s operating activities in relation to specific objectives.
3. Compliance audits: - Compliance audit determines whether the specified rules, regulations, or
procedures are being carried out or followed. The specific procedures or rules set out by some higher
authority such as management, government, creditors, corporations, etc.
It involves obtaining and evaluating evidence to determine whether certain financial or operational
activities of an entity conform to specified conditions, rules or regulations. The results of compliance
audits, reports, are generally directed to authority that established the criteria and to someone within the
organizational unit being audited rather than to external parties and may include a summary of findings or
an expression of assurance as to the degree of compliance with those criteria.
B. Types of Auditors
The most known types of auditors are
1. Independent auditors,
2. Internal auditors,
3. Government auditors.
1. Independent (external auditors): - Independent auditors have no connection to the firm as an owner
or employee/manager. The basic task of independent auditor is to confirm to the owners that the
employees are correctly reporting on their financial position and performance. These are either
individual practitioners or members of public accounting firms such as Certified Public Accounting
(CPA), authorized certified chartered accountant (ACCA) firms etc. who render professional auditing
services to clients on fee basis.
2. Internal auditor: - Are employees of the organizations they audit. They conduct internal auditing
within an organization as a service to the organization. They are primarily involved with compliance
and operational audits and supplement the work of independent auditors in financial audits. They assist
the management of the organization in the effective discharge of its responsibilities. An internal auditor
is paid salary as employee on the organization that is being audits. He/she is responsible to appraise and
investigation the performance of unit and/or units within the organization and give recommendation to
top management.
 They are not independent of the entity
2. Government auditor: - The government auditor is paid a salary by the government. He/she is
responsible to the legislature or executive. - are employed by local, regional, or federal
government agencies. They conduct all types of audits according to their engagements. They
include Office of the Auditor General (OAG) & Internal Revenue Auditors.

7|Page
 Chapter Two

The auditing standards and professional ethics

2.1. The Regulatory Frameworks Governing Auditing

1. Statutory Requirements of Audits

1.1 Legal requirements (Companies Ordinance, Listing Rules and other relevant legislation)

Companies Ordinance: The Companies Ordinance requires every limited company to have an annual
audit after which the auditor must give an opinion on whether the client’s financial statements give a
true and fair view and comply with the relevant legislation. And also, it sets out the rights and duties of
auditors, procedures of appointment, resignation and removal of auditors. Reasonable skill and care
should be exercised by auditors when carrying out an audit assignment.
Listing Rules: Listing Rules specify the safeguard procedures which should be carried out to identify
conflict of interest and maintain independence.
1.2 Professional requirements

8|Page
As part of the regulatory mechanism to monitor professional accountants’ conduct, IAASB has issued
international Standards on Auditing (ISA), Practice Notes (PN), and national Auditing Industry
Guidelines for its members to follow in their professional practices.

2. Appointment of Auditors
2.1 Persons qualified to be appointed as auditors: The requirements for person qualified to
be appointed under the Companies Ordinance includes:

 A person shall not be appointed as auditor of a company unless he is qualified to be appointed as

auditors under the Professional Accountants Ordinance.

 Person not qualified for appointment as auditor under the Companies Ordinance if:

 He/she is an employee of the company or its subsidiary and holding companies.

 A person who is a partner of or an employee of an officer or an employee of the company or its

subsidiary and holding companies.

A person shall be qualified to be registered under Professional Accountants Ordinance as a

Certified Public Accountant (CPA) in the Council required that he or she:
 Has attained the age of 21 years and is of good character and is a fit and proper person to be a
CPA.
 Is a student or a member: (and they should pass the required examinations).
 A member of an accountancy body which has a mutual or reciprocal recognition agreement with
CPA and he/she has complied with all conditions for the recognition and full exemptions was
granted.
 Has fulfilled the practical experience prescribed by the putted guideline.
2.2 Appointment Procedures

Appointed by members at annual general meeting

Every Company is required to appoint an auditor for each financial year.

 If the directors fail to appoint the first auditors before the first Annual General Meeting of the
company, the company may appoint an auditor in the general meeting.
 The company may fill any casual vacancy in the office of auditor in general meeting.
Appointed by directors

9|Page
 If the directors have not done so within one month after the casual vacancy occurs, the members
may, by a resolution passed at a general meeting, appoint a person to fill the casual vacancy.
Appointed by court
 Where at an AGM of a company, no auditor is appointed or reappointed, the court may, on the
application of any member of the company, appoint a person to fill the vacancy.
3. Vacation of Office
3.1 Removal of auditors
The removal of an auditor before expiry of term of office includes the following procedures:
 Ordinary resolution and special notice of the Companies Ordinance.
 On receipt of such notice, the company shall forth with send a copy thereof to the auditor
proposed to be removed.
3.2 Resignation of auditors
Upon resignation, the auditors must deposit a notice in writing to the registered office of the company
and send, within 15 days, a copy of the notice to the Registrar.
4. Rights and Duties of Auditors under Companies Ordinance
4.1. Rights of Auditors
An auditor has the following rights so as to carry his or her duty properly:
Resignation notice – deposit a resignation notice in writing to that effect at the company’s registered
office and the notice shall be effective only when it is signed by auditors.
Make representation – have statements of circumstances connected with the resignation or the
termination, prepared by the auditor who retires or is removed sent to all members; or to have them read
out at the general meeting, except that the auditor is using the notice to secure needless publicity for
defamatory matter.
Resigning auditor may requisition meeting – require the director to convene a general meeting for the
purpose of receiving and considering such explanation of the circumstances connected with his
resignation as he may wish to place before the meeting.
Attend general meeting – receive all notices and communication of, attend and be heard at the general
meetings at which his term of office would otherwise have expired and it is proposed to appoint a new
auditor.
4.2 Duties of Auditors
It is the duty of resigning auditor and auditor who retires or is removed to give the company:

10 | P a g e
  A statement of circumstances that should be noted by the members or creditors of the
company, if the person considers that there are circumstances connected with his resignation or
termination.
 A statement to that effect if the person considers that there are no such circumstances.

Nature and activities of Certified Public Accountants (CPA)

Certified public accountants (CPA) are licensed by the state in which they practice, but a significant
influence on CPA is exerted by their national professional organization, like international federation of
accounting (IFAC) and the American Institute of Certified Public Accountants (AICPA). Membership in
the AICPA is restricted to CPAs, but not all members are practicing as independent auditors. AICPA
membership is voluntary, so not all CPAs join. With over 360,000 CPA s, the AICPA is the largest
professional association for CPAs in the United States. The AICPA sets professional requirements for
CPAs, conducts research, and publishes materials on many different subjects related to accounting,
auditing, attestation and assurance services, management consulting services, and taxes. The AICPA
also promotes the accounting profession through organizing national advertising campaigns, promoting
new assurance services, and developing specialist certifications to help market and ensure the quality of
services in specialized practice areas. For example, the association currently offers specialty
designations in business valuation, financial planning, information technology, and financial forensics.
The purpose of auditing is to enhance the degree of confidence of the intended users in the financial
statements of the organization. This is achieved by the expression of an opinion by the competent and
independent auditors on whether the financial statements are prepared in all material respects in
accordance with an applicable financial reporting framework.
Except for certain governmental organizations, the audits of all general use financial statements in the
United States are done by CPA firms. The legal right to perform audits is granted to CPA firms by
regulation of each state. CPA firms also provide many other services to their clients, such as tax and
advisory services.
CPA Professions
Certified public accountants (CPA) are licensed by the state in which they practice, but a significant
influence on CPAs is exerted by their national professional organization, like the American Institute of
Certified Public Accountants (AICPA). Membership in the AICPA is restricted to CPAs, but not all
members are practicing as independent auditors. AICPA membership is voluntary, so not all CPAs join.
With over 360,000 CPAs, the AICPA is the largest professional association for CPAs in the United
States. The AICPA sets professional requirements for CPAs, conducts research, and publishes materials

11 | P a g e
on many different subjects related to accounting, auditing, attestation and assurance services,
management consulting services, and taxes. The AICPA also promotes the accounting profession
through organizing national advertising campaigns, promoting new assurance services, and developing
specialist certifications to help market and ensure the quality of services in specialized practice areas.
For example, the association currently offers specialty designations in business valuation, financial
planning, information technology, and financial forensics. The AICPA sets standards and rules that all
members and other practicing CPAs must follow. Four major areas in which the AICPA has authority to
set standards and make rules are as follows:
1. Auditing standards. The Auditing Standards Board (ASB) is responsible for issuing
pronouncements on auditing matters for all entities other than publicly traded companies. ASB
pronouncements are called Statements on Auditing Standards (SASs). They are further discussed
later in this chapter and throughout the text.
2. Compilation and review standards. The Accounting and Review Services Committee is responsible
for issuing pronouncements of the CPA’s responsibilities when a CPA is associated with financial
statements of privately owned companies that are not audited. They are called Statements on
Standards for Accounting and Review Services (SSARS), and they provide guidance for performing
compilation and review services. In a compilation service, the accountant helps the client prepare
financial statements without providing any assurance. In a review service, the accountant performs
inquiry and analytical procedures that provide a reasonable basis for expressing limited assurance on
the financial statements.
3. Other attestation standards. Statements on Standards for Attestation Engagements provide a
framework for the development of standards for attestation engagements. Detailed standards have
been developed for specific types of attestation services, such as reports on prospective financial
information in forecasts and projections.
4. Code of Professional Conduct. The AICPA Professional Ethics Executive Committee sets rules of
conduct that CPAs are required to meet. The rules and their relationships to ethical conduct.
The purpose of auditing is to enhance the degree of confidence of the intended users in the financial
statements of the organization. This is achieved by the expression of an opinion by the competent and
independent auditors on whether the financial statements are prepared in all material respects in
accordance with an applicable financial reporting framework.
Except for certain governmental organizations, the audits of all general use financial statements in the
United States are done by CPA firms. The legal right to perform audits is granted to CPA firms by

12 | P a g e
regulation of each state. CPA firms also provide many other services to their clients, such as tax and
advisory services.
Main Activities of CPA Firms
Additional services commonly provided by CPA firms include accounting and bookkeeping services,
tax services, and management consulting services. CPA firms continue to develop new products and
services, such as financial planning, business valuation, forensic accounting, and information technology
advisory services.
 Accounting and bookkeeping services. Many small clients with limited accounting staff rely on
CPA firms to prepare their financial statements. Some small clients lack the personnel or expertise
to use accounting software to maintain their own accounting records. Thus, CPA firms perform a
variety of accounting and book -keeping services to meet the needs of these clients. In many cases
in which the financial statements are to be given to a third party, a review or even an audit is also
performed.
 Tax services: CPA firms prepare corporate and individual tax returns for both audit and non-audit
clients. Almost every CPA firm performs tax services, which may include estate tax, gift tax, tax
planning, and other aspects of tax services. For many small firms, such services are far more
important to their practice than auditing, as most of their revenue may be generated from tax
services.

 Management consulting services: Most CPA firms provide certain services that enable their
clients to operate their businesses more effectively. These services are called management
consulting or management advisory services. These services range from simple suggestions for
improving the client’s accounting system to advice in risk management, information technology
and e-commerce system design, mergers and acquisitions due diligence, business valuations, and
actuarial benefit consulting. Many large CPA firms have departments involved exclusively in
management consulting services with little interaction with the audit or tax staff.

Auditing standards
Auditing standards are general guidelines to aid auditors in fulfilling their professional responsibilities in
the audit of historical financial statements. Standards are authoritative rules for measuring the quality of
performance. They include consideration of professional qualities such as competence and
independence, reporting requirements, and evidence. The three main sets of auditing standards are

13 | P a g e
International Standards on Auditing (ISA), U.S. Generally Accepted Auditing Standards (GAAS) for
private companies, and PCAOB Auditing Standards.

International Standards on Auditing (ISAs)

International Standards on Auditing (ISAs) are issued by the International Auditing and Assurance
Standards Board (IAASB) of the International Federation of Accountants (IFAC). IFAC is the
worldwide organization for the accountancy profession, with 159 members in 124 countries. ISAs do not
override a country’s regulations governing the audit of financial or other information, as each country’s
own regulations generally govern audit practices. These regulations may be either government statutes
or statements issued by regulatory or professional bodies, such as the Australian Auditing & Assurance
Standards Board. Most countries, including the United States, have their auditing standards on ISAs,
modified as appropriate for each country’s regulatory environment and statutory requirements.

Some lists of international standards on auditing (ISA)

ISA 200: Overall Objectives of the Independent Auditor and the Conduct of an Audit in Accordance
with International Standards on Auditing

ISA 210:Agreeing the Terms of Audit Engagements

ISA 220:Quality Control for an Audit of Financial Statements

ISA 230: Audit Documentation

ISA 240:The Auditor’s Responsibilities Relating to Fraud in an Audit of Financial Statements

ISA 250: Consideration of Laws and Regulations in an Audit of Financial Statements

ISA 260: Communication with Those Charged with Governance

ISA 265: Communicating Deficiencies in Internal Control to Those Charged with Governance and
Management

ISA 300: Planning an Audit of Financial Statements

ISA 315: Identifying and Assessing the Risks of Material Misstatement through Understanding the
Entity and Its Environment

14 | P a g e
 ISA 320: Materiality in Planning and Performing an Audit

ISA 330: The Auditor’s Responses to Assessed Risks

ISA 402: Audit Considerations Relating to an Entity Using a Service Organization

ISA 450: Evaluation of Misstatements Identified during the Audit

ISA 500: Audit Evidence

ISA 501: Audit Evidence-Specific Considerations for Selected Items

ISA 505: External Confirmations

ISA 510: Initial Audit Engagements-Opening Balances

ISA 520: Analytical Procedures

ISA 530: Audit Sampling

ISA 540: Auditing Accounting Estimates, Including Fair Value Accounting Estimates, and Related
Disclosures

ISA 550: Related Parties

ISA 560: Subsequent Events

ISA 570: Going Concern

ISA 580: Written Representations

ISA 600: Special Considerations-Audits of Group Financial Statements (Including the Work of
Component Auditors)

ISA 610: Using the Work of Internal Auditors

ISA 620: Using the Work of an Auditor’s Expert

ISA 700: Forming an Opinion and Reporting on Financial Statements

15 | P a g e
 ISA 705: Modifications to the Opinion in the Independent Auditor’s Report

ISA 706: Emphasis of Matter Paragraphs and Other Matter Paragraphs in the Independent Auditor’s
Report

ISA 710: Comparative Information-Corresponding Figures and Comparative Financial Statements

ISA 720: The Auditor’s Responsibilities Relating to Other Information in Documents Containing
Audited Financial Statements

ISA 800: Special Considerations-Audits of Financial Statements Prepared in Accordance with

Special Purpose Frameworks

ISA 805: Special Considerations-Audits of Single Financial Statements and Specific Elements,
Accounts or Items of a Financial Statement

ISA 810: Engagements to Report on Summary Financial Statements

ISA 200 Scope

ISA 200 deals with the independent auditor’s overall responsibilities when conducting an audit of
financial statements in accordance with ISAs.
 Explains the scope, authority and structure of the ISAs.
 ISAs are written in the context of an audit of financial statements.
 An audit in accordance with ISAs is conducted on the premise that management and, where
appropriate, those charged with governance have acknowledged certain responsibilities that
are fundamental to the conduct of the audit.
 The audit of the financial statements does not relieve management or those charged with
governance of their responsibilities

ISA 200 Objectives

To obtain reasonable assurance about whether the financial statements as a whole are free from material
misstatement, whether due to fraud or error, thereby enabling the auditor to express an opinion on
whether the financial statements are prepared, in all material respects, in accordance with an applicable
financial reporting framework; and
To report on the financial statements, and communicate as required by the ISAs, in accordance with the
auditor’s findings.
16 | P a g e
 ISA 200 Requirements
 Compliance with ethical requirement relating to audit of financial statement.
 Auditor shall exercise professional judgment in planning and performing audit of financial
statement.
 Auditor shall obtain sufficient appropriate audit evidence to reduce audit risk to an acceptably low
level for expression of opinion.
 Auditor shall comply with all ISAs relevant to the audit.
 Auditor shall comply with each requirement of an ISA unless, entire ISA is irrelevant or requirement
is conditional and condition doesn’t exist.
 In case of departure from ISA auditor shall perform alternative audit procedures to achieve the aim
of that requirement.
 If objective of ISA cannot be achieved, auditor shall evaluate whether this prevents the auditor from
achieving the overall objectives of the auditor and thereby requires the auditor, in accordance with
the ISAs, to modify the auditor’s opinion or withdraw from the engagement. Document the same in
accordance with ISA 230.

Note:-You can find the details of other standards at https://leaccountant.com/isa-210-summary/

US Auditing standards (GAAS)

US Auditing standards (GAAS): Auditing standards for private companies and other entities in the
United States are established by the Auditing Standards Board (ASB) of the AICPA. These standards are
referred to as Statements on Auditing Standards (SASs). These Generally Accepted Auditing Standards
(GAAS) are similar to the ISAs, although there are some differences. If an auditor in the United States is
auditing historical financial statements in accordance with ISAs, the auditor must meet any ISA
requirements that extend beyond GAAS.

The existence of generally accepted auditing standards is evidence that auditors are very concerned with
the maintenance of a uniformly high quality of audit work by all independent public accountants. The 10
generally accepted auditing standards fall into three categories:
A. General standards
B. Standards of field work
C. Reporting standards

17 | P a g e
A. General standards
The general standards stress the important personal qualities that the auditor should possess.
1. Adequate Technical Training and Proficiency

The examination is to be performed by a person or persons having adequate technical training and
proficiency as an auditor. The first standard is normally interpreted as requiring the auditor to have
formal education in auditing and accounting, adequate practical experience for the work being
performed, and continuing professional education. Recent court cases clearly demonstrate that auditors
must be technically qualified and experienced in those industries in which their audit clients are
engaged. In any case in which the CPA or the CPA’s assistants are not qualified to perform the work, a
professional obligation exists to acquire the requisite knowledge and skills, suggest someone else who is
qualified to perform the work, or decline the engagement.
Recent cases clearly demonstrate that auditors must be technically qualified and experienced in those
industries in which their audit clients are engaged.
2. Independence in Mental Attitude
18 | P a g e
CPA firms are required to follow several practices to increase the likelihood of independence of all
personnel.

A member should maintain objectivity and be free of conflicts of interest in discharging professional
responsibilities. A member in public practice should be independent in fact and appearance when
providing auditing and other attestation services.

Objectivity means being impartial and unbiased in all matters pertaining to an engagement. Adherence
to this principle is enhanced when members avoid circumstances that involve conflicts of interest. For
example, having an ownership interest in a client might impair a member's objectivity in auditing the
client.

The member must be independent in fact, i.e., the member should act with integrity and objectivity, and
be independence in appearance (should not have a financial interest or key business relationship with the
client).
For example, there are established procedures on larger audits when there is a dispute between
management and the auditors.

3. Due Professional Care

A member should observe the profession's technical and ethical standards; strive continually to improve
competence and the quality of services, and discharge professional responsibility to the best of his
ability.
Due care requires competence and diligence. Competence is the product of education and experience,
and diligence involves steady, earnest, and energetic application and effort in performing professional
services.
Due care includes consideration of the completeness of the audit documentation, the sufficiency of the
audit evidence, and the appropriateness of the audit report. As professionals, auditors must not act
negligently or in bad faith, but they are not expected to be infallible.
B. Standards of fieldwork
Field work standard relate to accumulating and evaluating evidence sufficient for the auditors to express
an opinion on the financial statements. The major types of evidence are knowledge about the client’s
internal control and information that substantiates the amount on the financial statements being audited,
e.g., conformation from outsiders and firsthand observation of assets by auditors.
19 | P a g e
 4. Adequate Planning and Supervision

The first standard requires that the audit be sufficiently planned to ensure an adequate audit and proper
supervision of assistants

Audit planning is essential to satisfactory audit. These include:

 The appropriate numbers of audit staff of various levels of skill

 The time required of

The work is to be closely supervised at every level. Supervision is essential in auditing because a
considerable portion of the field work is done by less experienced staff members

5. Sufficient understanding of the Internal control structure of the Entity and its Environment
To adequately perform an audit, the auditor must have an understanding of the client’s business and
industry. This understanding helps the auditor identify significant client business risks and the risk of
significant misstatements in the financial statements. For example, to audit a bank, an auditor must
understand the nature of the bank’s operations, federal and state regulations applicable to banks, and
risks affecting significant accounts such as loan loss reserves.
The auditor should obtain a sufficient understanding of the internal control structure to plan the audit
and to determine the nature, timing, and extent of tests to be performed.
6. Sufficient competent evidence as basis for opinion

Sufficient competent1 evidential matter is to be obtained through inspection, observation, inquiries, and
confirmation to afford a reasonable basis for an opinion regarding the financial statements under
examination. The decision as to how much evidence to accumulate are given set of circumstances is one
requiring professional judgment
C. Standards of Reporting-Contents of the Auditors’ report

The four reporting standards require the auditor to prepare a report on the financial statements taken as a
whole, including informative disclosures. The reporting standards also require that the report state
whether the statements are presented in accordance with GAAP and also identify any circumstances in
which GAAP have not been consistently applied in the current year compared with the previous one.
The following are the standards:

1
20 | P a g e
 7. Conformity of statement with GAAP-The report shall state whether the financial statements are
presented in accordance with GAAP.
8. Consistence of GAAP application-The report shall identify those circumstances in which such
principles have not been consistently observed in the current period in relation to the preceding
period.
9. Adequacy of Disclosure-Information disclosures in the financial statements are to be regarded as
reasonably adequate unless otherwise stated in the report. Informative disclosures are not
reasonably adequate, the auditor must so state in the auditor’s report
10. Expression of opinion on statements taken as a whole- The report shall either contain an
expression of opinion regarding the financial statements, taken as a whole, or an assertion to the
effect that an opinion cannot be expressed. When an overall opinion cannot be expressed, the
reasons therefore should be stated. In all cases where an auditor’s name is associated with
financial statements, the report shall contain a clear-cut indication of the charter of the auditor’s
examination, if any, and the degree of responsibility he is taking.
Keep in mind, however, that these standards represent the minimum requirements for all audit
engagements.

The public companies accounting oversight board (PCAOB): Initially adopted existing auditing
standards established by the ASB as interim audit standards. In addition, the PCAOB considers
international auditing standards when developing new standards. As a result, auditing standards for U.S.
public and private companies are mostly similar. Standards issued by the PCAOB are referred to as
PCAOB Auditing Standards in the audit reports of public companies and when referenced in the text,
and apply only to the audits of public companies.

2.2. Professional Ethics

What is ethics? It is a set of moral principles and standard of conduct. It includes such characteristics
as honesty, integrity, reliability, accountability, as well as other aspects of rights versus wrong
behaviors.
All recognized professions have developed codes of professional ethics. Professionals are expected to
conduct themselves at a high level than most of other members of the society.

“Professional ethics” refers to the behavior of a professional man towards other members of his
profession and also towards the members of the public. Professional ethics refer to the basic principles

21 | P a g e
of right action for the member of a profession. Professional ethics may be regarded as a mixture of
moral and practical concepts

The term professional means a responsibility for conduct that extends beyond satisfying individual
responsibilities and beyond the requirement of our society’s law and regulations.

The underlying reason for high level of professional conduct by any profession is the need for public
confidence in the quality of service by the profession, regardless of the individual providing it.
The fundamental purpose of such codes is to provide members with guidelines for maintaining a
professional attitude and conducting themselves in a manner that will enhance the professional stature of
their discipline.

The AICPA code of professional conduct considers the following to be followed by auditors
(accountants) in the conduct of professional relations with others.
- Integrity: - An accountant should be straightforward, honest and sincere in his approach to his
professional work.
- Objectivity: - An accountant should be fair and should not allow bias to override his objectivity.
When reporting on financial statements, which come his review, he should maintain an impartial
attitude.
- Independence: - When in public practice, an accountant should both be and appear to be free of
any interest which might be regarded, whatever its actual effect, as being incompatible with integrity
and objectivity.
- Confidentiality: - A professional accountant should respect the confidentiality of information
acquired in the course of his work and should not disclose any such information to a third party
without specific authority or unless there is a legal or professional duty to disclose.
- Technical standards: - An accountant should carry out his professional work in accordance with the
technical and professional standards relevant to that work.
- Professional competence: - An accountant has a duty to maintain his level of competence
throughout his professional career. He should only undertake works, which he or his firm can expect
to complete with professional competence.
- Ethical behavior: - An accountant should conduct himself with a good reputation of the profession
and refrain from any conduct, which might bring discredit to the profession.
- Contingent fees: - The AICPA code of professional conduct prohibits a CPA firm from rendering
any professional services on a contingent fee basis.

22 | P a g e
- Responsibilities to colleagues: - The auditor should promote cooperation and good relations with
other members of the profession.
- Advertising: -The advertising should not be false or misleading,” should not contravene
“professional good taste,” should not make “unfavorable reflection on the competence or integrity of
the profession,” and should not” involve a statement the contents of which” cannot be substantiated.
2.3. Legal responsibility and liability of auditors
2.3.1 Auditor’s professional responsibilities

The objective of the ordinary audit of financial statements by the independent auditor is the expression
of an opinion on the fairness with which they present, in all material respects, financial position, results
of operations, and its cash flows in conformity with generally accepted accounting principles.

The auditor’s report is the medium through which he expresses his opinion or, if circumstances require,
disclaims an opinion.

In either case, he states whether his audit has been made in accordance with generally accepted auditing
standards. These standards require him to state whether, in his opinion, the financial statements are
presented in conformity with generally accepted accounting principles and to identify those
circumstances in which such principles have not been consistently observed in the preparation of the
financial statements of the current period in relation to those of the preceding period.

For this reason, the auditor has a responsibility to plan and perform the audit to obtain reasonable
assurance about whether the financial statements are free of material misstatement, whether caused by
error or fraud. Because of the nature of audit evidence and the characteristics of fraud, the auditor is able
to obtain reasonable, but not absolute, assurance that material misstatements are detected. The auditor
has no responsibility to plan and perform the audit to obtain reasonable assurance those misstatements,
whether caused by errors or fraud, that are not material to the financial statements are detected.

Auditors’ responsibility for the detection of fraud and error

The detection and prevention of error and fraud is the management’s responsibility by designing and
implementing appropriate internal control systems. The auditor is not responsible for the prevention and
detection of error and fraud. The auditor is responsible to design audit procedures to reduce the risk of
not detecting a material error or fraud, to an appropriate level to provide reasonable assurance.
Accordingly, the auditor must exercise due care in planning, performing, and evaluating the results of
audit procedures.

23 | P a g e
2.3.2 Management Responsibility

The auditor should also understand the responsibilities of management and auditors.

The management is responsible for: -

 Adopting sound accounting policies

 Maintaining adequate internal control

 Making fair representation (assertion) in the financial statement

 Determining which disclosures to consider

2.3.3 Possible causes of misstated financial statements
To misstate means to state wrongly or falsely. Financial statements could be misstated by reason of
errors, irregularities, illegal acts or inappropriate assumptions about the entity's viability status.
Errors-are unintentional misstatements or omissions of amounts or disclosures in financial statements.
Irregularities: - are intentional misstatements or omissions of amounts or disclosures in financial
statements. There are two types of irregularities:
 Fraudulent financial reporting or management fraud –are irregularities undertaken to render
financial statements misleading. This is often perpetrated by top management and entails an
override of the control structure. Good control structures have little chance to prevent fraudulent
financial reporting.
 Defalcations or employee fraud- are irregularities that involve the misappropriation of assets by
employees. Often to conceal this irregularity, employees must perform incompatible functions.
Such irregularities thrive in weak control structures and can be prevented by proper controls.

Illegal acts: refer to violations of laws or governmental -regulations by the client (whose financial
statements are being audited) or by management and employees acting on behalf of the client. It does
not include personal misconduct by the entity's personnel unrelated to their business activities.
2.3.4 Auditor’s legal liabilities
Responsibilities impose liabilities if things go wrong.
The CPA can be sued under the following legal concepts.
(i) Prudent man concept: - The auditor is responsible for exercising due professional care, and
he is subject to lawsuit if he fails to do so.
(ii) Liable for acts of others: - The partners are jointly liable for civil actions against a partner.

24 | P a g e
 (iii) Lack of privileged communication: - CPA do not have the right under common law to
withhold information from the courts on the grounds that the information is privileged.
Auditor’s legal liabilities extend to two classes of parties – clients & third parties.
A. Auditors’ liability to their clients
When CPAS take on any type of engagement, they are obliged to render due professional care. This
obligation exists whether or not it is specifically set forth in the written contract with the client. Thus,
CPAS are liable to their clients for any losses proximately caused by the CPA’S failure to exercise due
professional care. That is to recover its losses, an injured client need only prove that the auditors were
guilty of negligence and that the auditors’ negligence was the proximate cause of the client’s losses.
Breaches the contract – failure of one or both parties in a contract to fulfill the requirements of the
contract.
B. Auditors’ liability to third parties
Bankers and other creditors or investors who utilize financial statements covered by an audit report can
recover damages from the auditors if it can be shown that the auditors were guilty of fraud or gross
negligence in the performance of their professional duties.

Moreover, the auditors can be held liable for negligence to a limited class of third parties if the auditors
have actual knowledge of such third parties or if there exists a special relationship between the auditors
and the third parties.

The clients (plaintiffs) must prove that they sustained losses that they relied on the audited financial
statements, which were misleading, that this reliance was the primate because of their losses, and that
the auditors were negligent.

Chapter three
Risk Assessment and Materiality
Audit Risk
The second standard of fieldwork requires the auditor to obtain an understanding of the entity and its
environment, including its internal control, to assess the risk of material misstatements in the client’s
financial statements.
As we saw, auditors accept some level of risk or uncertainty in performing the audit function.
The auditor recognizes, for example, the inherent uncertainty about the appropriateness of evidence,
uncertainty about the effectiveness of a client’s internal controls, and uncertainty about whether the
25 | P a g e
financial statements are fairly stated when the audit is completed. An effective auditor recognizes that
risks exist and deals with those risks in an appropriate manner. Most risks auditors encounter are
difficult to measure and require careful consideration before the auditor can respond appropriately.
Responding to these risks properly is critical to achieving a high-quality audit.
Auditors consider risk in planning procedures to obtain audit evidence primarily by applying the audit
risk model. The model is introduced here the understanding of the model to conduct effective audit
planning and to master the content presented in the next chapter.
The audit risk model helps auditors decide how much and what types of evidence to accumulate in each
cycle. It is usually stated as follows:

AAR
PDR=
CR × IR

Where, PDR = planned detection risk

AAR = acceptable audit risk
IR = inherent risk
CR = control risk
Each of the four risks in the audit risk model is sufficiently important to merit detailed discussion. This
section briefly discusses all four to provide an overview of the risks.
Planned detection risk is the risk that audit evidence for a segment will fail to detect misstatements
exceeding tolerable misstatement. There are two key points to know about planned detection risk.
Planned detection risk is dependent on the other three factors in the model. It will change only if the
auditor changes one of the other risk model factors.
Planned detection risk determines the amount of substantive evidence that the auditor plans to
accumulate, inversely with the size of planned detection risk. If planned detection risk is reduced, the
auditor needs to accumulate more evidence to achieve the reduced planned risk. For example, planned
detection risk is low for inventory and warehousing, which causes planned evidence to be high. The
opposite is true when planned detection risk increased.
Inherent risk measures the auditor’s assessment of the likelihood that there are material misstatements
due to error or fraud in a segment before considering the effectiveness of internal control. If the auditor
concludes that a high likelihood of misstatement exists, the auditor will conclude that inherent risk is
high. Internal controls are ignored in setting inherent risk because they are considered separately in the
audit risk model as control risk. For example, If inherent risk assessed high for acquisitions and
26 | P a g e
payments and inventory and warehousing and lower for payroll and personnel and capital acquisition
and repayment. Such assessments are typically based on discussions with management, knowledge of
the company, and results in audits of previous years.
Inherent risk is inversely related to planned detection risk and directly related to evidence.
In addition to increasing audit evidence for a higher inherent risk in a given audit area, auditors
commonly assign more experienced staff to that area and review the completed audit tests more
thoroughly. For example, if inherent risk for inventory obsolescence is extremely high, it makes sense
for the CPA firm to assign an experienced staff person to perform more extensive tests for inventory
obsolescence and to more carefully review the audit results.
Assessing inherent risk
The inclusion of inherent risk in the audit risk model is one of the most important concepts in auditing. It
implies that auditors should attempt to predict where misstatements are most and least likely in the
financial statement segments. This information affects the amount of evidence that the auditor needs to
accumulate, the assignment of staff and the review of audit documentation.
The auditor must assess the factors that make up the risk and modify audit evidence to take them into
consideration. The auditor should consider several major factors when assessing inherent risk:
 Nature of the client’s business
 Results of previous audits
 Initial versus repeat engagement
 Related parties
 Non-routine transactions
 Judgment required to correctly record account balances and transactions
 Makeup of the population
 Factors related to fraudulent financial reporting
 Factors related to misappropriation of assets
Control risk measures the auditor’s assessment of whether misstatements exceeding a tolerable amount
in a segment will be prevented or detected on a timely basis by the client’s internal controls. Assume
that the auditor concludes that internal controls are completely ineffective to prevent or detect
misstatements. The auditor will therefore assign a high, perhaps 100 percent, risk factor to control risk.
The more effective the internal controls, the lower the risk factor that can be assigned to control risk.
The audit risk model shows the close relationship between inherent and control risks. For example, an
inherent risk of 40 percent and a control risk of 60 percent affect planned detection risk and planned

27 | P a g e
evidence the same as an inherent risk of 60 percent and a control risk of 40 percent. In both cases,
multiplying IR by CR results in a de - nominator in the audit risk model of 24 percent.
The auditor may make a combined assessment of the risk of material misstatement or the auditor can
separately assess inherent risk and control risk. (Remember, inherent risk is the expectation of
misstatements before considering the effect of internal control.)
As with inherent risk, the relationship between control risk and planned detection risk is inverse,
whereas its relationship with substantive evidence is direct. If the auditor concludes that internal controls
are effective, planned detection risk can be increased and evidence therefore decreased. The auditor can
increase planned detection risk when controls are effective because effective internal controls reduce the
likelihood of misstatements in the financial statements. Before auditors can set control risk less than 100
percent, they must obtain an understanding of internal control, evaluate how well it should function
based on the understanding, and test the internal controls for effectiveness. Obtaining an understanding
of internal control is required for all audits. The latter two are assessment of control risk steps that are
required only when the auditor assesses control risk below maximum.
When controls are likely to be ineffective and inherent risk is high, the use of the audit risk model causes
the auditor to decrease planned detection risk and thereby increase planned evidence. We devote the
entire next chapter to understanding internal control, assessing control risk, and evaluating their impact
on evidence requirements.
Acceptable audit risk is a measure of how willing the auditor is to accept that the financial statements
may be materially misstated after the audit is completed and an unqualified opinion has been issued.
When auditors decide on a lower acceptable audit risk, they want to be more certain that the financial
statements are not materially misstated. Zero risk is certainty, and a 100 percent risk is complete
uncertainty. Complete assurance (zero risk) of the accuracy of the financial statements is not
economically practical.
Often, auditors refer to the term audit assurance (also called overall assurance or level of assurance)
instead of acceptable audit risk. Audit assurance or any of the equivalent terms is the complement of
acceptable audit risk, that is, one minus acceptable audit risk. In other words, acceptable audit risk of 2
percent is the same as audit assurance of 98 percent.
The concept of acceptable audit risk can be more easily understood by thinking in terms of a large
number of audits, say, 10,000. What portion of these audits can include material misstatements without
having an adverse effect on society? Certainly, the portion is below 10 percent. It is probably much
closer to 1 percent or less. If an auditor believes that the appropriate percentage is 1 percent, then
acceptable audit risk should be set at 1 percent, or perhaps lower, based on the specific circumstances.
28 | P a g e
When employing the audit risk model, there is a direct relationship between acceptable audit risk and
planned detection risk, and an inverse relationship between acceptable audit risk and planned evidence.
If the auditor decides to reduce acceptable audit risk, planned detection risk is thereby reduced, and
planned evidence must be increased. For a client with lower acceptable audit risk, auditors also often
assign more experienced staff or review the audit files more extensively.

There are important distinctions in how the auditor assesses the four risk factors in the audit risk model.
For acceptable audit risk, the auditor decides the risk the CPA firm is willing to take that the financial
statements are misstated after the audit is completed, based on certain client related factors. An example
of a client where the auditor will accept very little risk (low acceptable audit risk) is for an initial public
offering. We will discuss factors affecting acceptable audit risk shortly. Inherent risk and control risk are
based on auditors’ expectations or predictions of client conditions. An example of a high inherent risk is
inventory that has not been sold for two years. An example of a low control risk is adequate separation
of duties between asset custody and accounting.
Other Factors Affecting Acceptable Audit Risk
When auditors modify evidence for engagement risk, it is done by control of acceptable audit risk. We
believe that a reasonably low acceptable audit risk is always desirable, but in some circumstances an
even lower risk is needed because of engagement risk factors.
Research points to several factors affecting engagement risk and, therefore, acceptable audit risk. Only
three of those are discussed here: the degree to which external users rely on the statements, the
likelihood that a client will have financial difficulties after\ the audit report is issued, and the integrity of
management.
The Degree to Which External Users Rely on the Statements When external users place heavy
reliance on the financial statements, it is appropriate to decrease acceptable audit risk. When the
statements are heavily relied on, a great social harm can result if a significant misstatement remains
undetected in the financial statements.
Auditors can more easily justify the cost of additional evidence when the loss to users from material
misstatements is substantial. Several factors are good indicators of the degree to which statements are
relied on by external users:
• Client’s size. Generally speaking, the larger a client’s operations, the more widely the statements are
used. The client’s size, measured by total assets or total revenues, will have an effect on acceptable audit
risk.

29 | P a g e
• Distribution of ownership. The statements of publicly held corporations are normally relied on by
many more users than those of closely held corporations.
For these companies, the interested parties include the SEC, financial analysts, and the general public.
• Nature and amount of liabilities. When statements include a large amount of liabilities, they are more
likely to be used extensively by actual and potential creditors than when there are few liabilities.
The Likelihood That a Client Will Have Financial Difficulties after the Audit Report Is Issued If a
client is forced to file for bankruptcy or suffers a significant loss after completion of the audit, auditors
face a greater chance of being required to defend the quality of the audit than if the client were under no
financial strain. The natural tendency for those who lose money in a bankruptcy, or because of a stock
price reversal, is to file suit against the auditor. This can result both from the honest belief that the
auditor failed to conduct an adequate audit and from the users’ desire to recover part of their loss
regardless of the adequacy of the audit work.
In situations in which the auditor believes the chance of financial failure or loss is high and a
corresponding increase in engagement risk occurs, acceptable audit risk should be reduced. If a
subsequent challenge occurs, the auditor will be in a better position to defend the audit results
successfully. Total audit evidence and costs will increase, but this is justifiable because of the additional
risk of lawsuits that the auditor faces.
It is difficult for an auditor to predict financial failure before it occurs, but certain factors are good
indicators of its increased probability:
• Liquidity position. If a client is constantly short of cash and working capital, it indicates a future
problem in paying bills. The auditor must assess the likelihood and significance of a steadily declining
liquidity position.
• Profits (losses) in previous years. When a company has rapidly declining profits or increasing losses
for several years, the auditor should recognize the future solvency problems that the client is likely to
encounter. It is also important to consider the changing profits relative to the balance remaining in
retained earnings.
• Method of financing growth. The more a client relies on debt as a means of financing, the greater the
risk of financial difficulty if the client’s operating success declines. Auditors should evaluate whether
fixed assets are being financed with short- or long-term loans, as large amounts of required cash
outflows during a short time can force a company into bankruptcy.
• Nature of the client’s operations. Certain types of businesses are inherently riskier than others. For
example, other things being equal, a start-up technology company dependent on one product is much
more likely to go bankrupt than a diversified food manufacturer.
30 | P a g e
 Competence of management: Competent management is constantly alert for potential financial
difficulties and modifies its operating methods to minimize the effects of short-run problems. Auditors
must assess the ability of management as a part of the evaluation of the likelihood of bankruptcy.
The Auditor’s Evaluation of Management’s Integrity As a part of new client investigation and
continuing client evaluation, if a client has questionable integrity, the auditor is likely to assess a lower
acceptable audit risk.
Companies with low integrity often conduct their business affairs in a manner that results in conflicts
with their stockholders, regulators, and customers. In turn, these conflicts often reflect on the users’
perceived quality of the audit and can result in lawsuits and other disagreements. A prior criminal
conviction of key management personnel is an obvious example of questionable management integrity.
Other examples of questionable integrity might include frequent disagreements with previous auditors,
the Internal Revenue Service, and the SEC. Frequent turnover of key financial and internal audit
personnel and ongoing conflicts with labor unions and employees may also indicate integrity problems.
Summary of Risk and evidence relationship
 Assuming AAR and CR being constant, if IR is high PDR will be lower, and more evidence is needed.
 Assuming AAR and IR being constant, if CR is high PDR will be lower, and more evidence is needed.
 Assuming AAR being constant, if IR and CR is high PDR will be lower, and more evidence is needed.
 Assuming AAR and CR being constant, if IR is low PDR will be higher, and little evidence is needed.
 Assuming AAR and IR being constant, if CR is low PDR will be higher, and little evidence is needed.
 Assuming AAR being constant, if IR and CR is low PDR will be higher, and little evidence is needed.
 Assuming IR and CR being constant, if AAR is high PDR will be higher, and little evidence is needed.
 Assuming IR and CR being constant, if AAR is low PDR will be lower, and more evidence is needed.

3.2. Audit Materiality

We conducted our audits in accordance with auditing standards. Those standards require that we plan
and perform the audit to obtain reasonable assurance about whether the financial statements are free of
material misstatement.
The phrase obtain reasonable assurance is intended to inform users that auditors do not guarantee or
ensure the fair presentation of the financial statements. Some risk that the financial statements are not
fairly stated exists, even when the opinion is unqualified.

31 | P a g e
The phrase free of material misstatement is intended to inform users that the auditor’s responsibility is
limited to material financial information. Materiality is important because it is impractical for auditors to
provide assurances on immaterial amounts.
Materiality and risk are fundamental to planning the audit and designing an audit approach. In this
chapter, we apply both materiality and risk to the concepts studied when auditors decide materiality and
assess risks, they use a considerable amount of the information acquired and documented during the first
four parts of audit planning.
Materiality is a major consideration in determining the appropriate audit report to issue.
FASB defines materiality as:
• The magnitude of an omission or misstatement of accounting information that, in the light of
surrounding circumstances, makes it probable that the judgment of a reasonable person relying
on the information would have been changed or influenced by the omission or misstatement.
Because auditors are responsible for determining whether financial statements are materially misstated,
they must, upon discovering a material misstatement, bring it to the client’s attention so that a correction
can be made. If the client refuses to correct the statements, the auditor must issue a qualified or an
adverse opinion, depending on the materiality of the misstatement. To make such determinations,
auditors depend on a thorough knowledge of the application of materiality.
A careful reading of the FASB definition reveals the difficulty that auditors have in applying materiality
in practice. While the definition emphasizes reasonable users who rely on the statements to make
decisions, auditors must have knowledge of the likely users of the client’s statements and the decisions
that are being made. For example, if an auditor knows that financial statements will be relied on in a
buy–sell agreement for the entire business, the amount that the auditor considers material may be
smaller than that for an otherwise similar audit. In practice, of course, auditors may not know who all
the users are or what decisions they may make based on the financial statements.
Types of Audit Materiality
I. Overall Materiality
The level which represents the significant level in the company’s financial statements, which can
influence the decision making of the users of the company’s financial statement as a whole, as judged by
the auditor appointed by the company, is known as the “overall materiality.”
II. Performance Materiality
“Performance materiality” is the materiality level judged by the company’s auditor. It can be the amount
that is less than the overall materiality level. This materiality level is reduced from the “overall

32 | P a g e
materiality level” to consider the risk of several smaller errors or omissions that the auditor could not
find. But they are material if aggregated in totality, thereby reducing the probability that the aggregate
amount of small misstatements exceeds the overall materiality level.

III. Specific Materiality

Specific materiality refers to the materiality level set to identify potential misstatements. These may
exist in different areas in the company, for certain classes of transactions, and for the account balances
that may affect the economic decisions of the users of the company’s financial statement of the
company.
Example;
Assume that, ABC Corporation, which is undergoing an audit. The auditors have determined the
following materiality thresholds:
Overall Materiality: $500,000 (This represents the maximum amount by which the financial statements
could be misstated without affecting the decisions of reasonable users of the financial statements.).
 If the total misstatement in the financial statements, including individual errors and omissions,
does not exceed $500,000, the financial statements are considered to be fairly presented.
Performance Materiality: 75% of Overall Materiality = $375,000 (Performance materiality is set lower
than overall materiality to ensure that the aggregate of uncorrected and undetected misstatements does
not exceed overall materiality. It guides the audit scope and resource allocation.)
 During the audit, auditors may identify misstatements in individual account balances or classes
of transactions. As long as the aggregate of these misstatements does not exceed $375,000
(75% of overall materiality), they do not need to be individually corrected. Instead, the
auditors focus on correcting significant errors and ensuring that the total misstatement is below
the performance materiality threshold.
Specific Materiality: Various thresholds for specific accounts or classes of transactions. For example:
Accounts Receivable $50,000; Inventory $100,000; Property, Plant, and Equipment: $200,000
 If the auditors determine that a misstatement in Accounts Receivable greater than $50,000 would
be material to users of the financial statements, they focus on ensuring the accuracy of this account.
Similarly, they set specific materiality thresholds for Inventory and Property, Plant, and Equipment
based on their relative importance.
Generally, while overall materiality sets the maximum threshold for the financial statements as a
whole, performance materiality guides the audit scope, and specific materiality addresses the materiality

33 | P a g e
of individual accounts or classes of transactions within the financial statements. These thresholds help
auditors prioritize their efforts and ensure the accuracy and reliability of financial reporting.
Importance of Audit Materiality
Audit materiality is an important concept that considers both the quantitative and qualitative aspects.
Both aspects impact the economic decision-making of the users of the company’s financial statement.
Qualitative aspects such as adequate disclosures concerning the contingent liabilities, related party
transactions, changes in the accounting policy, etc., of the company also significantly influence the
economic decision-making of the users of the company’s financial statement.

Example
Let’s consider an example of Company XYZ Ltd, which took a loan from the bank for $ 100,000. Bank
gave the loan but on the condition that the company’s current ratio should not fall below the level of
1.0. The company agreed to this and signed an agreement with the bank in this aspect. While conducting
the audit, the auditor of the company came to know about this agreement.
At present, the company’s current ratio is only slightly more than the level of 1.0. Now for the
company’s auditor, a minute misstatement of $ 3,000 can be material. It could lead to a violation of the
agreement between the company and the bank. With the $ 3,000 misstatement also, the company’s
current ratio would fall below the level of 1.0. So this would be considered part of the audit materiality
as it could lead to the violation of the agreement. It can reasonably influence the economic decision-
making of the users of the company’s financial statement
Limitations
 The auditor may not be able to set the materiality at the proper level, which may hamper the
purpose of the same.
 The misstatement that affects the company’s compliance with the regulatory requirements might
not get detected by the company’s auditor.
 In the case of the qualitative aspects, the approach is generally quite difficult to measure
compared with the quantitative approach.

CHAPTER FOUR
Client Acceptance and Planning the Audit
4.1. Client Acceptance and Continuance
Client Acceptance: Before accepting a new client, most CPA firms investigate the company to
determine its acceptability. They do this by examining, to the extent possible, the prospective
34 | P a g e
client’s standing in the business community, financial stability, and relations with its previous
CPA firm.

For example, many CPA firms use considerable caution in accepting new clients in newly
formed, rapidly growing businesses. Many of these businesses fail financially and expose the
CPA firm to significant potential liability. The CPA firm must also determine that it has the
competency, such as industry knowledge, to accept the engagement and that the firm can satisfy
all independence requirements. For prospective clients that have previously been audited by
another CPA firm, the new (successor) auditor is required by auditing standards to communicate
with the predecessor auditor. The purpose of the requirement is to help the successor auditor
evaluate whether to accept the engagement. The communication may, for example, inform the
successor auditor that the client lacks integrity or that there have been disputes over accounting
principles, audit procedures, or fees. The burden of initiating the communication rests with the
successor auditor, but the predecessor auditor is required to respond to the request for
information.

However, the confidentiality requirement in the Code of Professional Conduct requires that the
predecessor auditor obtain permission from the client before the communication can be made. In
the event of unusual circumstances such as legal problems or disputes between the client and the
predecessor, the predecessor’s response can be limited to stating that no information will be
provided. If a client will not permit the communication or the predecessor will not provide a
comprehensive response, the successor should seriously consider the desirability of accepting a
prospective engagement, without considerable other investigation. Even when a prospective
client has been audited by another CPA firm, a successor may make other investigations by
gathering information from local attorneys, other CPAs, banks, and other businesses. In some
cases, the auditor may even hire a professional investigator to obtain information about the
reputation and background of key members of management. Such extensive investigation is
appropriate when there has been no previous auditor, when a predecessor auditor will not provide
the desired information, or if any indication of problems arises from the communication.

Continuing Clients: Many CPA firms evaluate existing clients annually to determine whether
there are reasons for not continuing to do the audit. Previous conflicts over the appropriate scope
of the audit, the type of opinion to issue, unpaid fees, or other matters may cause the auditor to
discontinue association. The auditor may also drop a client after determining the client lacks

35 | P a g e
integrity. Even if none of the previously discussed conditions exist, the CPA firm may decide not
to continue doing audits for a client because of excessive risk. For example, a CPA firm might
decide that considerable risk of a regulatory conflict exists between a governmental agency and a
client, which could result in financial failure of the client and ultimately lawsuits against the CPA
firm. Even if the engagement is profitable, the long-term risk may exceed the short-term benefits
of doing the audit.

What is an Audit Plan?

Before beginning our discussion, we briefly introduce two risk terms: acceptable audit risk and
inherent risk. These two risks significantly influence the conduct and cost of audits. Much of the
early planning of audits deals with obtaining information to help auditors assess these risks.
An audit planning states the overall strategy and detailed steps to be followed in the conduct of an
audit. The plan includes risk assessment procedures, as well as additional procedures to be
followed based on the outcome of the risk assessment. The contents and timing of the plan will
vary from year to year, depending on changes in the circumstances of the client.
The planning of audit involves the following common steps;
i. Accept client and perform initial audit planning
ii. Understand the client’s business and industry
iii. Assess client business risk
iv. Perform preliminary analytical procedures
v. Set materiality and assess acceptable audit risk and inherent risk
vi. Understand internal control and assess control risk
vii. Gather information to assess fraud risks
viii. Develop overall audit plan and audit program
i. Accept client and perform initial audit planning: Initial audit planning involves four things, all
of which should be done early in the audit:
1. The auditor decides whether to accept a new client or continue serving an existing one. This
determination is typically made by an experienced auditor who is in a position to make important
decisions. The auditor wants to make this decision early, before incurring any significant costs that
cannot be recovered.
2. The auditor identifies why the client wants or needs an audit. This information is likely to affect
the remaining parts of the planning process.

36 | P a g e
3. To avoid misunderstandings, the auditor obtains an understanding with the client about the terms
of the engagement.
4. The auditor develops an overall strategy for the audit, including engagement staffing and any
required audit specialists.
ii. Understand the client’s business and industry: A thorough understanding of the client’s
business and industry and knowledge about the company’s operations are essential for the auditor
to conduct an adequate audit. Another of the underlying principles in auditing standards states:
The auditor identifies and assesses risks of material misstatement, whether due to fraud or error,
based on an understanding of the entity and its environment, including the entity’s internal control.
The nature of the client’s business and industry affects client business risk and the risk of material
misstatements in the financial statements. (Client business risk is the risk that the client will fail to
meet its objectives). Strategic Systems for understanding of the Client’s Business and Industry:
 Understand Client's Industry and External Environment (unique accounting requirements,
inherent risks are common to all clients in certain industries Risks associated with specific
industries may affect the auditor’s assessment of client business risk and acceptable audit risk)
 Business Operations and Processes (Tour Client Facilities and Operations, Identify Related
Parties)
 Management and Governance (Minutes of Meetings, Code of Ethics)
 Objectives and Strategies : Strategies are approaches followed by the entity to achieve
organizational objectives. Auditors should understand client objectives related to:
 Reliability of financial reporting
 Effectiveness and efficiency of operations
 Compliance with laws and regulations
 Measurement and Performance (ratio analysis and benchmarking against key competitors)
iii. Assess client business risk: The auditor uses knowledge gained from the understanding of the
client’s business and industry to assess client business risk, the risk that the client will fail to
achieve its objectives. Client business risk can arise from any of the factors affecting the client and
its environment, such as significant declines in the economy that threaten the client’s cash flows,
new technology eroding a client’s competitive advantage, or a client failing to execute its strategies
as well as its competitors. The auditor’s primary concern is the risk of material misstatements in
the financial statements due to client business risk. For example, companies often make strategic
acquisitions or mergers that depend on successfully combining the operations of two or more

37 | P a g e
companies. If the planned synergies do not develop, the fixed assets and goodwill recorded in the
acquisition may be impaired, affecting the fair presentation in the financial statements.
iv. Perform preliminary analytical procedures: Auditors perform preliminary analytical
procedures to better understand the client’s business and to assess client business risk. One such
procedure compares client ratios to industry or competitor benchmarks to provide an indication of
the company’s performance. Such preliminary tests can reveal unusual changes in ratios compared
to prior years, or to industry averages, and help the auditor identify areas with increased risk of
misstatements that require further attention during the audit.
v. Set materiality and assess acceptable audit risk and inherent risk:
Materiality defined as: The magnitude of an omission or misstatement of accounting information
that, in the light of surrounding circumstances, makes it probable that the judgment of a reasonable
person relying on the information would have been changed or influenced by the omission or
misstatement. Because auditors are responsible for determining whether financial statements are
materially misstated, they must, upon discovering a material misstatement, bring it to the client’s
attention so that a correction can be made. If the client refuses to correct the statements, the auditor
must issue a qualified or an adverse opinion, depending on the materiality of the misstatement. To
make such determinations, auditors depend on a thorough knowledge of the application of
materiality.
Those standards require that we plan and perform the audit to obtain reasonable assurance about
whether the financial statements are free of material misstatement.
The phrase obtain reasonable assurance is intended to inform users that auditors do not guarantee
or ensure the fair presentation of the financial statements. Some risk that the financial statements
are not fairly stated exists, even when the opinion is unqualified.
The phrase free of material misstatement is intended to inform users that the auditor’s
responsibility is limited to material financial information. Materiality is important because it is
impractical for auditors to provide assurances on immaterial amounts.
The standard requires the auditor to obtain an understanding of the entity and its environment,
including its internal control, to assess the risk of material misstatements in the client’s financial
statements. The auditor recognizes, for example, the inherent uncertainty about the appropriateness
of evidence, uncertainty about the effectiveness of a client’s internal controls, and uncertainty
about whether the financial statements are fairly stated when the audit is completed. An effective
auditor recognizes that risks exist and deals with those risks in an appropriate manner. Most risks

38 | P a g e
auditors encounter are difficult to measure and require careful consideration before the auditor can
respond appropriately.
vi. Understand internal control and assess control risk
A system of internal control consists of policies and procedures designed to provide management
with reasonable assurance that the company achieves its objectives and goals. These policies and
procedures are often called controls, and collectively, they make up the entity’s internal control.
Management typically has three broad objectives in designing an effective internal control system:
a. Reliability of financial reporting: management is responsible for preparing statements for
investors, creditors, and other users. Management has both a legal and professional responsibility
to be sure that the information is fairly presented in accordance with reporting requirements of
accounting frameworks such as U.S. GAAP and IFRS. The objective of effective internal control
over financial reporting is to fulfil these financial reporting responsibilities.
b. Efficiency and effectiveness of operations. Controls within a company encourage efficient and
effective use of its resources to optimize the company’s goals. An important objective of these
controls is accurate financial and nonfinancial information about the company’s operations for
decision making.
c. Compliance with laws and regulations. The standard requires management of all public
companies to issue a report about the operating effectiveness of internal control over financial
reporting. In addition to the legal provision, public, non-public, and not-for-profit organizations are
required to follow many laws and regulations. Some relate to accounting only indirectly, such as
environmental protection and civil rights laws. Others are closely related to accounting, such as
income tax regulations and anti-fraud legal provisions.
Management designs systems of internal control to accomplish all three objectives. The auditor’s
focus in both the audit of financial statements and the audit of internal controls is on controls over
the reliability of financial reporting plus those controls over operations and compliance with laws
and regulations that could materially affect financial reporting.
Committee of Sponsoring Organizations of the Trade way Commission (COSOs) is a private
sector initiative established in 1985 with the intent of improving the quality of financial reporting
through a focus on corporate governance, ethical practices, and internal control. It is the most
widely accepted internal control framework in the United States, describes five components of
internal control that management designs and implements to provide reasonable assurance that its
control objectives will be met. Each component contains many controls, but auditors concentrate on

39 | P a g e
those designed to prevent or detect material misstatements in the financial statements. The COSO
internal control components include the following:
 Control environment  Information and communication
 Risk assessment  Monitoring
 Control activities
1. Control environment: consists of the actions, policies, and procedures that reflect the overall
attitudes of top management, directors, and owners of an entity about internal control and its
importance to the entity. To understand and assess the control environment, auditors should consider
the most important control subcomponents.
 Integrity and Ethical Values
 Commitment to Competence
 Board of Director or Audit Committee Participation
 Management’s Philosophy and Operating Style
 Organizational Structure
 Human Resource Policies and Practices
2. Risk assessment: risk assessment for financial reporting is management’s identification and
analysis of risks relevant to the preparation of financial statements in conformity with
appropriate accounting standards. For example, if a company frequently sells products at a
price below inventory cost because of rapid technology changes, it is essential for the company
to incorporate adequate controls to address the risk of overstating inventory. Similarly, failure
to meet prior objectives, quality of personnel, and geographic dispersion of company
operations, significance and complexity of core business processes, introduction of new
information technologies, economic downturns, and entrance of new competitors are examples
of factors that may lead to increased risk. Once management identifies a risk, it estimates the
significance of that risk, assesses the likelihood of the risk occurring, and develops specific
actions that need to be taken to reduce the risk to an acceptable level.
3. Control activities: are the policies and procedures, in addition to those included in the other
four control components that help ensure that necessary actions are taken to address risks to the
achievement of the entity’s objectives. There are potentially many such control activities in any
entity, including both manual and automated controls. The control activities generally fall into
the following five types:
 Adequate separation of duties
 Proper authorization of transactions and activities
40 | P a g e
  Adequate documents and records
 Physical control over assets and records
 Independent checks on performance
4. Information and communication: The purpose of an entity’s accounting information and
communication system is to initiate, record, process, and report the entity’s transactions and to
maintain accountability for the related assets. An accounting information and communication
system has several subcomponents, typically made up of classes of transactions such as sales,
sales returns, cash receipts, acquisitions, and so on.
5. Monitoring: Activities which deal with ongoing or periodic assessment of the quality of
internal control by management to determine that controls are operating as intended and that
they are modified as appropriate for changes in conditions. The information being assessed
comes from a variety of sources, including studies of existing internal controls, internal auditor
reports, exception reporting on control activities, reports by regulators such as bank regulatory
agencies, feedback from operating personnel, and complaints from customers about billing
charges.
Assess Control Risk
The auditor obtains an understanding of the design and implementation of internal control to make
a preliminary assessment of control risk as part of the auditor’s overall assessment of the risk of
material misstatements. The auditor uses this preliminary assessment of control risk to plan the
audit for each material class of transactions. However, in some instances the auditor may learn that
the control deficiencies are significant such that the client’s financial statements may not be
auditable. So, before making a preliminary assessment of control risk for each material class of
transactions, the auditor must first decide whether the entity is auditable.
Two primary factors determine auditability: the integrity of management and the adequacy of
accounting records. If management lacks integrity, most auditors will not accept the engagement.
The accounting records are an important source of audit evidence for most audit objectives. If the
accounting records are deficient, necessary audit evidence may not be available. For example, if
the client has not kept duplicate sales invoices and vendors’ invoices, it is usually impractical to do
an audit.
In complex IT environments, much of the transaction information is available only in electronic
form without generating a visible audit trail of documents and records. In that case, the
company is usually still auditable; however, auditors must assess whether they have the

41 | P a g e
 necessary skills to gather evidence that is in electronic form and can assign personnel with
adequate IT training and experience.
After obtaining an understanding of internal control, the auditor makes a preliminary assessment of
control risk as part of the auditor’s overall assessment of the risk of material misstatement. This
assessment is a measure of the auditor’s expectation that internal controls will prevent material
misstatements from occurring or detect and correct them if they have occurred. The starting point
for most auditors is the assessment of entity-level controls. By nature, entity-level controls, such as
many of the elements contained in the control environment, risk assessment, and monitoring
components, have an overarching impact on most major types of transactions in each transaction
cycle. For example, an ineffective board of directors or management’s failure to have any process
to identify, assess, or manage key risks, has the potential to undermine controls for most of the
transaction-related audit objectives. Thus, auditors generally assess entity-level controls before
assessing transaction specific controls.
Identify and Evaluate Control Deficiencies, Significant Deficiencies, and Material Weaknesses
Auditors must evaluate whether key controls are absent in the design of internal control over
financial reporting as a part of evaluating control risk and the likelihood of financial statement
misstatements. Auditing standards define three levels of the absence of internal controls:
1. Control deficiency: A control deficiency exists if the design or operation of controls does not
permit company personnel to prevent or detect misstatements on a timely basis in the
normal course of performing their assigned functions. A design deficiency exists if a
necessary control is missing or not properly designed. An operation deficiency exists if a
well-designed control does not operate as designed or if the person performing the control is
insufficiently qualified or authorized.
2. Significant deficiency: A significant deficiency exists if one or more control deficiencies exist
that is less severe than a material weakness (defined below), but important enough to merit
attention by those responsible for oversight of the company’s financial reporting.
3. Material weakness: A material weakness exists if a significant deficiency, by itself or in
combination with other significant deficiencies, results in a reasonable possibility that
internal control will not prevent or detect material financial statement misstatements on a
timely basis. To determine if a significant internal control deficiency or deficiencies are a
material weakness, they must be evaluated along two dimensions: likelihood and
significance. If there is more than a reasonable possibility (likelihood) that a material

42 | P a g e
 misstatement (significance) could result from the significant deficiency or deficiencies, then
it is considered a material weakness.
vii. Gather information to assess fraud risks
As a broad legal concept, fraud describes any intentional deceit meant to deprive another person or
party of their property or rights. In the context of auditing financial statements, fraud is defined as
an intentional misstatement of financial statements. The two main categories are fraudulent
financial reporting and misappropriation of assets, which we introduced when defining the
auditor’s responsibilities for detecting material misstatements.
Fraudulent financial reporting is an intentional misstatement or omission of amounts or
disclosures with the intent to deceive users. Most cases involve the intentional misstatement of
amounts, rather than disclosures. Omissions of amounts are less common, but a company can overstate
income by omitting accounts payable and other liabilities. While most cases of fraudulent financial
reporting involve an attempt to overstate income either by overstatement of assets and income or by
omission of liabilities and expenses, companies also deliberately understate income.
At privately held companies, this may be done in an attempt to reduce income taxes. Companies may
also intentionally understate income when earnings are high to create a reserve of earnings or “cookie jar
reserves” that may be used to increase earnings in future periods. Such practices are called income
smoothing and earnings management. Earnings management involves deliberate actions taken by
management to meet earnings objectives. Income smoothing is a form of earnings management in which
revenues and expenses are shifted between periods to reduce fluctuations in earnings. One technique to
smooth income is to reduce the value of inventory and other assets of an acquired company at the time
of acquisition, resulting in higher earnings when the assets are later sold. Companies may also
deliberately overstate inventory obsolescence reserves and allowances for doubtful accounts to counter
higher earnings.
Misappropriation of assets is fraud that involves theft of an entity’s assets. In many cases, but not
all, the amounts involved are not material to the financial statements. However, the theft of
company assets is often a management concern, regardless of the materiality of the amounts
involved, because small thefts can easily increase in size over time. The term misappropriation of
assets is normally used to refer to theft involving employees and others internal to the organization.
According to estimates of the Association of Certified Fraud Examiners, the average company loses
five percent of its revenues to fraud, although much of this fraud involves external parties, such as
shoplifting by customers and cheating by suppliers.

43 | P a g e
Misappropriation of assets is normally perpetrated at lower levels of the organisation hierarchy. In
some notable cases, however, top management is involved in the theft of company assets. Because
of management’s greater authority and control over organization assets, embezzlements involving
top management can involve significant amounts. In one extreme example, the former CEO of
Tyco International was charged by the SEC with stealing over $100 million in assets. A fraud
survey conducted by the Association of Certified Fraud Examiners found that asset
misappropriations are the most common fraud scheme, although the size of the fraud is much
greater for fraudulent financial reporting.
Three conditions for fraud arising from fraudulent financial reporting and misappropriations of
assets are described in the auditing standards. These three conditions are referred to as the
fraud triangle.
1. Incentives/Pressures. Management or other employees have incentives or pressures to commit fraud.
2. Opportunities. Circumstances provide opportunities for management or employees to commit fraud.
3. Attitudes/Rationalization. An attitude, character, or set of ethical values exists that allows
management or employees to commit a dishonest act, or they are in an environment that imposes
sufficient pressure that causes them to rationalize committing a dishonest act.
viii. Develop overall audit plan and audit program
This critical step establishes the audit strategy and entire audit program the auditor plans to follow,
including all audit procedures, sample sizes, items to select, and timing. The chapter-opening
example deals with the importance of making correct decisions in forming the overall audit strategy
and developing a detailed audit program, considering both the effectiveness of evidence and audit
efficiency. First, the overall audit strategy is discussed, which means selecting a mix of five types
of tests that will result in an effective and efficient audit. This topic includes discussion of the
trade-offs among the types of tests, including consideration of the cost of each type. After deciding
on the most cost-effective mix of the types of tests, the auditor designs a detailed audit program.
In developing an overall audit strategy, auditors use five types of tests to determine whether
financial statements are fairly stated. Auditors use risk assessment procedures to assess the risk of
material misstatement, represented by the combination of inherent risk and control risk as described
previously. The other four types of tests represent further audit procedures performed in response
to the risks identified. Each audit procedure falls into one, and sometimes more than one, of these
five categories.

44 | P a g e
 4.4. Planning the Audit Appointment, Remuneration, and Removal of
Auditors
The Commercial Code of Federal Democratic Republic of Ethiopia set how auditors are appointed,
remunerated, and removed and also their responsibilities to third parties and the clients. The following
section deals with the appointment remuneration and removal of auditors especially those of auditors
appointed to the public.

4.4.1. Appointment of auditors

The directors appoint the first auditor of the company. They then hold office until the end of the first
meeting of the shareholders at which the accounts are laid before the members. At that meeting the
members can re-appoint the auditor, or appoint a different one, to hold office from that date until the end
of the next shareholders' meeting at which accounts are laid.

However, private companies can pass an 'elective resolution' not to lay accounts before the members in a
general meeting. If this is done, then the auditor has to be re-appointed, or a new one appointed, at
another meeting of the company's members that must be held within 28 days of the accounts being sent
to the members. Private companies can also pass an elective resolution dispensing with the need to
appoint an auditor every year. If that happens, the auditor already appointed remains in office without
further formality until a resolution is passed to re-introduce annual appointment or to remove them as
auditor.

4.4.2. Remuneration of auditors

Remuneration of auditors are conducted under different ways. These ways are;
1) When an auditor is appointed by the Board of Directors, (First auditors and Casual vacancy), the
remuneration is fixed by the board of directors.
2) When an auditor is appointed by the Central Government, the Central government fixes the
remuneration.
3) Shareholders also fix the remuneration of an auditor in the following two circumstances.
 When the auditor is appointed in the annual general meeting.

 When the auditor is appointed by an Auditor General.

(The remuneration may be fixed either at the annual general meeting or at any general meeting).
4) Any sum paid by the company to meet the expenses of the auditors will be included in the word
‘remuneration’.
45 | P a g e
 5) In addition to remuneration for audit, an auditor may receive separate remuneration for
rendering consultancy services and for attending to cases pertaining to Income-tax. Such fees
do not require the approval of the general meeting.
To prevent undue influence and dependence on an audit client, Companies (Amendment) Act 2003,
prescribes a limit for the remuneration of auditor.
As per section 226 of the Act; the remuneration to an auditor from a company cannot exceed 25% of
his total income in any financial year.
4.4.3. Removal of auditors
How is a company auditor removed from office?
The members of a company may remove an auditor from office at any time during their term of office or
decide not to re-appoint them for a further term.

They must give the company 28 days’ notice of their intention to put a resolution to remove the auditor,
or to appoint somebody else, to a general meeting. A copy of the notice of the intended resolution must
be sent to the auditor, who then has the right to make a written response and require that it be sent to the
company's shareholders. If an auditor ceases for any reason to hold office, they must deposit a statement
at the company's registered office. The statement should set out any circumstances connected with their
ceasing to hold office that they consider should be brought to the attention of the members and creditors
of the company.

If there are any such circumstances, the company must send a copy of the statement to all the
shareholders unless a successful application is made to the court to stop this. If the auditor does not
receive notification of an application to the court within 21 days of depositing the statement with the
company, they must within a further 7 days send a copy of the statement to Companies House for the
public record. If there are no such circumstances, the auditor must deposit a statement with the company
to that effect. This statement need not be circulated to the members.

Chapter 5

Auditor Responsibilities and Objectives

The objective of the audit of financial statements by the independent auditor is the expression of an
opinion on the fairness with which the financial statements present financial position, results of
operations, and cash flows in conformity with generally accepted accounting principles. The auditor
meets that objective by accumulating sufficient appropriate evidence to determine whether the financial
46 | P a g e
statements are fairly stated. It is management's responsibility to adopt sound accounting policies,
maintain adequate internal control and make fair representations in the financial statements.

The auditor must rely on management for certain information in the conduct of his or her audit.
However, the auditor must not accept management's representations blindly. The auditor must,
whenever possible, obtain appropriate evidence to support the representations of management. As an
example, if management represents that certain inventory is not obsolete, the auditor should be able to
examine purchase orders from customers that prove part of the inventory is being sold at a price that is
higher than the company's cost plus selling expenses. If management represents an account receivable as
being fully collectible, the auditor should be able to examine subsequent payments by the customer or
correspondence from the customer that indicates a willingness and ability to pay.

5.1. Auditor responsibility

The auditor's responsibility is to conduct an audit of the financial statements in accordance with
auditing standards and report the findings of the audit in the auditor's report. An audit must be designed
to provide reasonable assurance of detecting material misstatements in the financial statements.

The auditor is responsible for reasonable, but not absolute, assurance for several reasons:
1. Most audit evidence results from testing a sample of a population such as accounts receivable or
inventory. Sampling inevitably includes some risk of not uncovering a material misstatement.
Also, the areas to be tested; the type, extent, and timing of those tests; and the evaluation of test
results require significant auditor judgment. Even with good faith and integrity, auditors can
make mistakes and errors in judgment.
2. Accounting presentations contain complex estimates, which inherently involve uncertainty and
can be affected by future events. As a result, the auditor has to rely on evidence that is
persuasive, but not convincing.
3. Fraudulently prepared financial statements are often extremely difficult, if not impossible, for
the auditor to detect, especially when there is collusion among management.
Further, the audit must be planned and performed with an attitude of professional scepticism in all
aspects of the engagement. Because there is an attempt at concealment of fraud, material misstatements
due to fraud are usually more difficult to uncover than errors. The auditor’s best defence when material
misstatements (either errors or fraud) are not uncovered in the audit is that the audit was conducted in
accordance with auditing standards.

47 | P a g e
Professional scepticism consists of two primary components: a questioning mind and a critical
assessment of the audit evidence.

While auditors would like to believe that the organizations they accept as clients have integrity and are
honest, maintaining a questioning mind helps auditors offset the natural bias to want to trust the client. A
questioning mind set means the auditor approaches the audit with a “trust but verify” mental outlook.
Similarly, as they obtain and evaluate evidence supporting financial statement amounts and disclosures,
professional scepticism also involves a critical assessment of the evidence that includes asking probing
questions and attention to inconsistencies. When auditors embrace the responsibility to maintain a
questioning mind and to critically evaluate evidence, they significantly reduce the likelihood of audit
failure throughout the audit.

Elements of professional scepticism: Recent academic research on the topic of professional scepticism
suggests there are six characteristics of scepticism:

1. Questioning mind-set — a disposition to inquiry with some sense of doubt

2. Suspension of judgment—withholding judgment until appropriate evidence is obtained
3. Search for knowledge—a desire to investigate beyond the obvious, with a desire to corroborate
4. Interpersonal understanding—recognition that people’s motivations and perceptions can lead
them to provide biased or misleading information
5. Autonomy—the self-direction, moral independence, and conviction to decide for oneself, rather
than accepting the claims of others.
6. Self-esteem—the self-confidence to resist persuasion and to challenge assumptions or conclusions.
Awareness of these six elements throughout the engagement can help auditors fulfil their responsibility
to maintain an appropriate level of professional scepticism.

Generally, Auditors have responsibility;

 to Detect Material Errors

 to Detect Material frauds
 to Consider Laws and Regulations
 to act with professional scepticism
5.2. Management assertions
Management assertions are implied or expressed representations by management about classes of
transactions and the related accounts and disclosures in the financial statements. Management also

48 | P a g e
asserts that all required disclosures related to cash are accurate and are understandable. Similar
assertions exist for each asset, liability, owners’ equity, revenue, and expense item in the financial
statements. These assertions apply to classes of transactions, account balances, and presentation and
disclosures. Management assertions are directly related to the financial reporting framework used by the
company (usually U.S. GAAP or IFRS), as they are part of the criteria that management uses to record
and disclose accounting information in financial statements. The definition of auditing in Chapter 1, in
part, states that auditing is a comparison of information (financial statements) to established criteria
(assertions established according to accounting standards). Auditors must therefore understand the
assertions to do adequate audits. International auditing standards and AICPA auditing standards classify
assertions into three categories:

1. Assertions about classes of transactions and events for the period under audit. Management makes
several assertions about transactions. These assertions also apply to other events that are reflected in
the accounting records, such as recording depreciation and recognizing pension obligations.
Occurrence: The occurrence assertion concerns whether recorded transactions included in the
financial statements actually occurred during the accounting period. For example, management
asserts that recorded sales transactions represent exchanges of goods or services that actually
took place.
Completeness: This assertion addresses whether all transactions that should be included in the
financial statements are in fact included. For example, management asserts that all sales of
goods and services are recorded and included in the financial statements.
Accuracy: The accuracy assertion addresses whether transactions have been recorded at correct
amounts. Using the wrong price to record a sales transaction and an error in calculating the
extensions of price X quantity are examples of violations of the accuracy assertion.
Classification: The classification assertion addresses whether transactions are recorded in the
appropriate accounts. Recording administrative salaries in cost of sales is one example of a
violation of the classification assertion.
Cut-off: The cut-off assertion addresses whether transactions are recorded in the proper
accounting period. Recording a sales transaction in December when the goods were not shipped
until January violates the cut-off assertion.
2. Assertions about account balances at period end. Assertions about account balances at year-end
address existence, completeness, valuation and allocation, and rights and obligations.

49 | P a g e
 Existence: The existence assertion deals with whether assets, liabilities, and equity interests
included in the balance sheet actually existed on the balance sheet date. For example,
management asserts that merchandise inventory included in the balance sheet exists and is
available for sale at the balance sheet date.
Completeness: This assertion addresses whether all accounts and amounts that should be
presented in the financial statements are in fact included. For example, management asserts that
notes payable in the balance sheet include all such obligations of the entity. The completeness
assertion addresses matters opposite from the existence assertion. The completeness assertion is
concerned with the possibility of omitting items from the financial statements that should have
been included, whereas the existence assertion is concerned with inclusion of amounts that
should not have been included. Thus, violations of the existence assertion relate to account
overstatements, whereas violations of the completeness assertion relate to account
understatements.
Valuation and Allocation: The valuation and allocation assertion deals with whether assets,
liabilities, and equity interests have been included in the financial statements at appropriate
amounts, including any valuation adjustments to reflect asset amounts at fair value or net
realizable value. For example, management asserts that property is recorded at historical cost
and that such cost is systematically allocated to appropriate accounting periods through
depreciation. Similarly, management asserts that trade accounts receivable included in the
balance sheet are stated at net realizable value.
Rights and Obligations: This assertion addresses whether assets are the rights of the entity and
whether liabilities are the obligations of the entity at a given date. For example, management
asserts that assets are owned by the company or that amounts capitalized for leases in the balance
sheet represent the cost of the entity’s rights to leased property and that the corresponding lease
liability represents an obligation of the entity.
3. Assertions about presentation and disclosure. With increases in the complexity of transactions and
the need for expanded disclosures about these transactions, assertions about presentation and
disclosure have increased in importance. These assertions include occurrence and rights and
obligations, completeness, accuracy and valuation, and classification and understandability.
Occurrence and Rights and Obligations: This assertion addresses whether disclosed events
have occurred and are the rights and obligations of the entity. For example, if the client discloses
that it has acquired another company, it asserts that the transaction has been completed.

50 | P a g e
 Completeness: This assertion deals with whether all required disclosures have been included in
the financial statements. As an example, management asserts that all material transactions with
related parties have been disclosed in the financial statements.
Accuracy and Valuation: The accuracy and valuation assertion deals with whether financial
information is disclosed fairly and at appropriate amounts. Management’s disclosure of the
amount of unfunded pension obligations and the assumptions underlying these amounts is an
example of this assertion.
Classification and Understand ability: This assertion relates to whether amounts are
appropriately classified in the financial statements and footnotes, and whether the balance
descriptions and related disclosures are understandable. For example, management asserts that
the classification of inventories as finished goods, work-in process, and raw materials is
appropriate, and the disclosures of the methods used to value inventories are understandable.
5.3. Audit Objectives
General audit objectives follow from and are closely related to management assertions. General audit
objectives, however, are intended to provide a framework to help the auditor accumulate sufficient
appropriate evidence required by the third standard of field work. Audit objectives are more useful to
auditors than assertions because they are more detailed and more closely related to helping the auditor
accumulate sufficient appropriate evidence.

The existence objective deals with whether amounts included in the financial statements should actually
be included. Completeness is the opposite of existence. The completeness objective deals with whether
all amounts that should be included have actually been included. In the audit of accounts receivable, a
non-existent account receivable will lead to overstatement of the accounts receivable balance. Failure to
include a customer's account receivable balance, which is a violation of completeness, will lead to
understatement of the accounts receivable balance. Specific audit objectives are the application of the
general audit objectives to a given class of transactions, account balance, or presentation and disclosure.
There must be at least one specific audit objective for each general audit objective and in many cases
there should be more. Specific audit objectives for a class of transactions, account balance, or
presentation and disclosure should be designed such that, once they have been satisfied, the related
general audit objective should also have been satisfied for that class of transactions, account, or
presentation and disclosure. For the specific balance-related audit objective, all recorded fixed assets
exist at the balance sheet date, the management assertion and the general balance-related audit objective
are both satisfied.

51 | P a g e
For the specific presentation and disclosure-related audit objective, read the fixed asset footnote
disclosure to determine that the types of fixed assets, depreciation methods and useful lives are clearly
disclosed, the management assertion and the general presentation and disclosure-related audit objective
are both "classification and understand ability."

The four phases of the audit are:

1. Plan and design an audit approach.
2. Perform tests of controls and substantive tests of transactions.
3. Perform analytical procedures and tests of details of balances.
4. Complete the audit and issue an audit report.
The auditor uses these four phases to meet the overall objective of the audit, which is to express an
opinion on the fairness with which the financial statements present fairly, in all material respects, the
financial position, results of operations and cash flows in conformity with GAAP. By accumulating
sufficient appropriate evidence for each audit objective, the overall objective is met. The accumulation
of evidence is accomplished by performing the four phases of the audit.

5.4. Audit evidence

Evidence was defined as any information used by the auditor to determine whether the information
being audited is stated in accordance with the established criteria. The information varies greatly in the
extent to which it persuades the auditor whether financial statements are fairly stated. Evidence includes
information that is highly persuasive, such as the auditor’s count of marketable securities, and less
persuasive information, such as responses to questions of client employees. The use of evidence is not
unique to auditors. Evidence is also used extensively by scientists, lawyers, and historians.

A major decision facing every auditor is determining the appropriate types and amounts of evidence
needed to be satisfied that the client’s financial statements are fairly stated. There are four decisions
about what evidence to gather and how much of it to accumulate:

i. Which audit procedures to use

ii. What sample size to select for a given procedure
iii. Which items to select from the population
iv. When to perform the procedures
Persuasiveness of evidence
Audit standards require the auditor to accumulate sufficient appropriate evidence to support the opinion
issued. Because of the nature of audit evidence and the cost considerations of doing an audit, it is
52 | P a g e
unlikely that the auditor will be completely convinced that the opinion is correct. However, the auditor
must be persuaded that the opinion is correct with a high level of assurance. By combining all evidence
from the entire audit, the auditor is able to decide when he or she is persuaded to issue an audit report.
The two determinants of the persuasiveness of evidence are appropriateness and sufficiency.

1. Appropriateness of evidence: is a measure of the quality of evidence, meaning its relevance

and reliability in meeting audit objectives for classes of transactions, account balances, and related
disclosures. If evidence is considered highly appropriate, it is a great help in persuading the auditor
that financial statements are fairly stated. Note that appropriateness of evidence deals only with the
audit procedures selected. Appropriateness cannot be improved by selecting a larger sample size or
different population items. It can be improved only by selecting audit procedures that are more
relevant or provide more reliable evidence.
Relevance of Evidence: Evidence must pertain to or be relevant to the audit objective that the
auditor is testing before it can be appropriate. For example, assume that the auditor is concerned that
a client is failing to bill customers for shipments (completeness transaction objective). If the auditor
selects a sample of duplicate sales invoices and traces each to related shipping documents, the
evidence is not relevant for the completeness objective and therefore is not appropriate evidence for
that objective. A relevant procedure is to trace a sample of shipping documents to related duplicate
sales invoices to determine whether each shipment was billed. The second audit procedure is
relevant because the shipment of goods is the normal criterion used for determining whether a sale
has occurred and should have been billed.

Reliability of Evidence: Reliability of evidence refers to the degree to which evidence can be
believable or worthy of trust. Like relevance, if evidence is considered reliable it is a great help in
persuading the auditor that financial statements are fairly stated. For example, if an auditor counts
inventory, that evidence is more reliable than if management gives the auditor its own count
amounts. Reliability, and therefore appropriateness, depends on the following six characteristics of
reliable evidence:

 Independence of provider
 Effectiveness of client’s internal controls
 Auditor’s direct knowledge.
 Qualifications of individuals providing the information
 Degree of objectivity

53 | P a g e
  Timeliness
2. Sufficiency: The quantity of evidence obtained determines its sufficiency. Sufficiency of evidence
is measured primarily by the sample size the auditor selects. For a given audit procedure, the
evidence obtained from a sample of 100 is ordinarily more sufficient than from a sample of 50.
Several factors determine the appropriate sample size in audits. The two most important ones are the
auditor’s expectation of misstatements and the effectiveness of the client’s internal controls.
Therefore, the persuasiveness of evidence can be evaluated only after considering the combination of
appropriateness and sufficiency, including the effects of the factors influencing appropriateness and
sufficiency. A large sample of evidence provided by an independent party is not persuasive unless it is
relevant to the audit objective being tested. A large sample of evidence that is relevant but not objective
is also not persuasive. Similarly, a small sample of only one or two pieces of highly appropriate
evidence also typically lacks persuasiveness. When determining the persuasiveness of evidence, the
auditor must evaluate the degree to which both appropriateness and sufficiency, including all factors
influencing them, have been met.

Ways of getting audit evidence

In deciding which audit procedures to use, the auditor can choose from eight broad categories of
evidence, which are called types of evidence. Every audit procedure obtains one or more of the
following types of evidence:

1. Physical examination: is the inspection or count by the auditor of a tangible asset. This type of
evidence is most often associated with inventory and cash, but it is also applicable to the verification of
securities, notes receivable, and tangible fixed assets.

2 Confirmation: describes the receipt of a direct written response from a third party verifying the
accuracy of information that was requested by the auditor. The response may be in paper form or
electronic or other medium, such as the auditor’s direct access to information held by the third party.

3. Inspection: is the auditor’s examination of the client’s documents and records to substantiate the
information that is, or should be, included in the financial statements. The documents examined by the
auditor are the records used by the client to provide information for conducting its business in an
organized manner, and may be in paper form, electronic form, or other media. Because each transaction
in the client’s organization is normally supported by at least one document, a large volume of this type
of evidence is usually available.

54 | P a g e
4. Analytical procedures: consist of evaluations of financial information through analysis of plausible
relationships among financial and nonfinancial data. For example, an auditor may compare the gross
margin percent in the current year with the preceding years. Analytical procedures are used extensively
in practice, and are required during the planning and completion phases on all audits.

5. Inquiries of the client: Inquiry is the obtaining of written or oral information from the client in
response to questions from the auditor. Although considerable evidence is obtained from the client
through inquiry, it usually cannot be regarded as conclusive because it is not from an independent source
and may be biased in the client’s favour. Therefore, when the auditor obtains evidence through inquiry,
it is normally necessary to obtain corroborating evidence through other procedures.

6. Recalculation: Recalculation involves rechecking a sample of calculations made by the client.

Rechecking client calculations consists of testing the client’s arithmetical accuracy and includes such
procedures as extending sales invoices and inventory, adding journals and subsidiary records, and
checking the calculation of depreciation expense and prepaid expenses

7. Re-performance: Re-performance is the auditor’s independent tests of client accounting procedures

or controls that were originally done as part of the entity’s accounting and internal control system.
Whereas recalculation involves rechecking a computation, re-performance involves checking other
procedures. For example, the auditor may compare the price on an invoice to an approved price list, or
may re-perform the aging of accounts receivable.

8. Observation: Observation consists of looking at a process or procedure being performed by others.

The auditor may tour the plant to obtain a general impression of the client’s facilities, or watch
individuals perform accounting tasks to determine whether the person assigned a responsibility is
performing it properly. Observation provides evidence about the performance of a process or procedure
but is limited to the point in time at which the observation takes place. Observation is rarely sufficient
by itself because of the risk of client personnel changing their behaviour because of the auditor’s
presence. They may perform their responsibilities in accordance with company policy but resume
normal activities once the auditor is not in sight. Therefore, it is necessary to follow up initial
impressions with other kinds of corroborative evidence. Nevertheless, observation is useful in most parts
of the audit.

5.5. Audit documentation

55 | P a g e
Auditing standards state that audit documentation is the record of the audit procedures performed,
relevant audit evidence, and conclusions the auditor reached. Audit documentation should include all the
information the auditor considers necessary to adequately conduct the audit and to provide support for
the audit report. Audit documentation may also be referred to as working papers or work papers,
although audit documentation is often maintained in computerized files.

5.5.1. The purpose of audit documentation

The overall objective of audit documentation is to aid the auditor in providing reasonable assurance that
an adequate audit was conducted in accordance with auditing standards. More specifically, audit
documentation, as it pertains to the current year’s audit, provides:

A Basis for Planning the Audit: If the auditor is to plan an audit adequately, the necessary reference
information must be available in the audit files. The files may include such diverse planning information
as descriptive information about internal control, a time budget for individual audit areas, the audit
program, and the results of the preceding year’s audit.

A Record of the Evidence Accumulated and the Results of the Tests Audit documentation is the
primary means of documenting that an adequate audit was conducted in accordance with auditing
standards. If the need arises, the auditor must be able to demonstrate to regulatory agencies and courts
that the audit was well planned and adequately supervised; the evidence accumulated was appropriate
and sufficient; and the audit report was proper, considering the results of the audit.

Data for Determining the Proper Type of Audit Report Audit documentation provides an important
source of information to assist the auditor in deciding whether sufficient appropriate evidence was
accumulated to justify the audit report in a given set of circumstances. The data in the files are equally
useful for evaluating whether the financial statements are fairly stated, given the audit evidence.

A Basis for Review by Supervisors and Partners The audit files are the primary frame of reference used
by supervisory personnel to review the work of assistants. The careful review by supervisors also
provides evidence that the audit was properly supervised. Audit documentation should indicate who
performed the audit work, the date the work was performed, who reviewed the work, and the date of that
review. In addition to the purposes directly related to the audit report, the audit files often serve as the
basis for preparing tax returns, filings with the SEC, and other reports. They are also a source of
information for issuing communications to management and those charged with governance, such as the
audit committee, concerning various matters such as internal control deficiencies or operational

56 | P a g e
recommendations. Audit files are also a useful frame of reference for training personnel and as an aid in
planning and coordinating subsequent audits.

Chapter 6
Internal control
Introduction
Policies, procedures, and other best practices are all essential to the smooth functioning of any
organization. They help set the right expectations at every level, guide employees to distinguish well
from bad conduct, and bring consistency and predictability to daily operations.
They also protect the firm’s business-critical assets and allow the company to comply with laws,
regulations, and internal rules. Ultimately, they empower the enterprise to meet its objectives and deliver
value to stakeholders.
All three are types of internal controls. Different organizations use different types of controls, depending
on their business needs, risk environment, or stakeholder demands – but overall, any system of internal
control that wants to be effective consists of five interconnected key elements. Read on to learn more
about these elements.
6.1. What Is an Internal Control?
COSO (the Committee of Sponsoring Organizations) defines internal controls as “a process, effected by
an entity’s board of directors, management, and other personnel, designed to provide reasonable
assurance regarding the achievement of objectives.”
Also known as internal safeguards, internal controls can be processes, procedures, tasks or activities,
rules, policies, and even automated tools. Controls could also include any of the following:
 Physical security
 Access controls
 Internal or independent audits
 Transaction authorizations, verifications, and reconciliations
 Management reviews
 Segregation of duties
 Employee training
Internal controls are essential for any organization because of what they do:
 Improve the effectiveness and efficiency of company operations
 Assure the reliability of financial disclosures
 Help to maintain the integrity of financial statements and accounting records
57 | P a g e
  Allow the firm to meet regulatory compliance objectives
A robust internal control system also increases transparency and accountability throughout the
enterprise. It promotes ethical behaviours. It assures consistent actions and output, which can improve
employee productivity and quality, and enable the firm to meet its stated goals.
Well-designed, consistently implemented controls also prevent undesirable situations such as cyber
breaches, fraud, errors, and other irregularities; that protects your company’s assets, reputation, and
brand value.
On the other hand, poorly designed or missing controls can cause all sorts of problems, including:
 Financial information misreporting
 Inefficient, error-prone processes
 Poor output quality
 Customer complaints
 Unethical or illegal behaviours such as fraud
 Costly fines
 Legal damages
6.2. Types of Internal Controls
Regardless of your organization’s structure, size, or industry, you should have an internal control system
that includes three types of internal controls:
6.2.1. Detective Controls
Detective controls help to find and investigate a problem that has already occurred. For example, if the
company has recently experienced a data breach, these controls will help you find the cause and
implement an appropriate response strategy.
The right detective controls show whether preventive controls (more on those in a moment) are
operating properly or if there are control gaps that resulted in the unwanted event. Detective controls
also help to improve process quality and prevent errors that may result in financial, legal, regulatory, or
reputational damage.
Some common detective controls are:
 Monthly transaction reconciliations
 Performance reviews
 Physical inventories
 Cash counts
 External and internal audits
 Surveillance systems
58 | P a g e
  Intrusion Detection Systems (IDS)
6.2.2. Preventive Controls
Preventive controls, as the name implies, aim to prevent issues or errors from occurring in the first place.
These issues include accounting errors, material misstatements, fraud, cyber attacks, financial
manipulations, and so forth
Many organizations implement these preventive controls:
 Segregation of duties
 System access controls
 Financial authorizations
 IT access controls
 Physical security controls
 Firewalls and Intrusion Prevention Systems (IPS)
 Data backups
 Employee training and drug testing
6.2.3. Corrective Controls
Corrective controls come into play after an issue has already occurred and needs to be fixed. They play a
vital role in the internal control system because they resolve the issue that may result in (or has already
resulted in) fraud, data breaches, financial losses, or reputational damage. These controls also provide a
measure of relief that the issue has been fixed and won’t recur in future.

Corrective controls include:

 Software patches
 Device upgrades
 Quarantine of infected devices
 Updated policies
 Ledger verifications
 Disciplinary action
 Business continuity planning and incident response planning
Altogether, detective, preventive, and corrective controls allow organizations to identify risks, detect
threats, and respond appropriately to prevent damage to their systems, people, customers, or data.

6.3. The Five Components of an Internal Control System

59 | P a g e
As discussed in the earlier chapter, COSO released its revised Internal Control – Integrated
Framework (first released in 1992). The updated framework helps organizations to design internal
controls, implement audit procedures to assess and improve these controls, and mitigate risks to
acceptable levels.
The framework consists of five components that together create an effective and integrated enterprise
controls system.
1. Control Environment
The control environment is how senior management tries to inculcate a strong sense of ethics and high
performance across the whole enterprise. It includes all the standards, processes, policies, and rules that
enable an organization to implement and improve its internal controls. The control environment provides
a foundation so the company’s other, more specific controls can:
 Support its strategic objectives
 Assure reliable financial reporting to stakeholders
 Improve business efficiency and effectiveness
 Facilitate compliance with all applicable laws and regulations
 Safeguard assets from the effects of careless errors or malicious activities
An effective control environment includes these seven important factors:
 Integrity and ethical values
 Commitment to competence
 Audit committee or board of directors
 Management philosophy and operating style
 Organizational structure
 Assignment of authority and responsibility
 Human resource policies
These factors demonstrate the organization’s commitment to responsible and ethical operations. A
strong tone from the top is crucial to build a strong control environment. Senior managers must reiterate
the importance of internal controls and establish the expected standards of conduct throughout the
organization. Only then can the environment help to:

 Align business processes with applicable laws, regulations, and industry-standard practices
 Attract and retain competent staff
 Increase accountability throughout the organization in pursuit of objectives
2. Risk Assessment

60 | P a g e
Risk assessment is the basis for risk management. For effective risk assessment, management must
identify possible changes in the internal and external environment that may impede the organization’s
ability to achieve its goals. Managers must also:

 Act in a timely manner to manage the effect of these changes

 Consider risk tolerance when assessing acceptable risk levels

 Consider risk severity after considering its velocity, persistence, impact, and likelihood

The COSO internal control framework suggests that risk assessment should be a “dynamic and iterative
process” – meaning, risk assessments should happen at regular intervals. The risk assessment should
also include sub-processes for risk identification, risk analysis, and risk response.

3. Control Activities
Control activities are the specific actions that allow the enterprise to mitigate risk and achieve its
objectives. These actions are usually described in standards, policies, and control procedures, and are
communicated to all stakeholders.

Control activities can be preventive, detective, or corrective. They are performed at all levels of the
business and at various stages of business processes.

4. Information and Communication

Information is an important element in an internal control system because it supports the other
components and allows the organization to achieve its objectives. Effective, clear, and honest
communication is required to assure that the necessary information is available whenever required to
manage and optimize the internal control system.

Communication then disseminates the information, so the relevant stakeholders can carry out daily
internal control activities. For example, if an audit identifies a major flaw in cybersecurity, the audit
findings should then be communicated to the IT department, the CISO, and perhaps even the board or
legal team. Those executives will then (ideally) understand their responsibilities for assuring that the
findings are addressed and internal controls work as expected.

5. Monitoring Activities
Internal or external auditors must regularly monitor the internal control system to verify that it is
functioning properly. They should also evaluate the findings and communicate internal control
deficiencies to top management and the board.

61 | P a g e
 Per COSO’s framework, ongoing evaluations should be built into routine operations and performed in
real-time. Regular spot checks instead of an annual “big bang evaluation” can help to identify and fix
control gaps quickly, before the company suffers significant harm.

Chapter-7
Audit Reports
7.1. Definitions
 The audit report is the report that contains the audit’s opinion, which
independent auditors issue after they examine the entity’s financial statements
and related reports. An auditor's opinion is a certification that accompanies financial statements.
It is based on an audit of the procedures and records used to produce the statements and delivers an
opinion as to whether material misstatements exist in the financial statements. An auditor's opinion may
also be called an accountant's opinion.

Understanding Auditor's Opinions

An auditor's opinion is presented in an auditor’s report. The audit report begins with an introductory
section outlining the responsibility of management and the responsibility of the audit firm. The second
section identifies the financial statements on which the auditor's opinion is given. A third section
outlines the auditor’s opinion on the financial statements. Although it is not found in all audit reports, a
fourth section may be presented as a further explanation regarding a qualified opinion or an adverse
opinion.
For audits of companies in the United States, the opinion may be an unqualified opinion in accordance
with generally accepted accounting principles (GAAP), a qualified opinion, or an adverse opinion. The
audit is performed by an accountant who is independent of the company being audited.

7.2 Types of audit opinion

There are four different types of opinions
 Unqualified Opinion: An unqualified opinion, also called a clean opinion, is issued when the
auditor determines that the financial records are free of any misrepresentations. An unqualified
opinion is the best opinion given to the Company and the management. The unqualified
opinion represents that the financial reports are in accordance with established criteria

 Qualified Opinion: The Auditor gives a qualified opinion in case the financial records are not
maintained in accordance with established criteria, but the auditors do not find any

62 | P a g e
 misrepresentation in the financial reports. A qualified opinion highlights the reason for the audit
report being qualified. A qualified opinion is also given in the case when adequate disclosures are
not made to the financial statements.

 Adverse Opinion: Adverse opinion on the financial report is the worst type of financial report
issued to the Company. An adverse opinion is given in case the financial reports do not conform
to the established criteria, and the financial records are grossly misrepresented. The adverse
opinion may refer to the onset of fraud in the Company. In this case, the Company has to correct its
financial reports and financial statements. The Company will have to get the statement re-audited
as investors and lenders would require the Company to give financial reports free of any errors and
misrepresentation.

 Disclaimer of Opinion: In cases when the auditor is unable to complete the audit of the Company
due to details of evidence not provided by the Company, it will give a disclaimer of Opinion. It
means that the status of the financial condition of the Company cannot be determined.

Contents of Audit Report

1 – Title: The title of the report mentions it is ‘Independent Auditors’ report.’
2 – Addressee: The addressee is the person/group of persons to whom the report addresses. In the case
of the statutory audit report, the addressee is the shareholders of the Company. Also, addressee refers
to the person appointing the auditors. Since the shareholders of the Company appoint the auditors, the
report addresses to them.
3 – The Responsibility of the Auditor and the Management of the Company (introductory
paragraph)
This paragraph gives the responsibility of the auditor and the management of the Company. It defines
that the responsibility of the auditor is to perform an unbiased audit of financial statements and give
their unbiased opinion.
4 – The Scope of the Audit
This paragraph describes the scope of the audit conducted by the Auditor by explicitly mentioning that
the audit was done as per the generally accepted auditing standards in the country. It refers to the ability
of the auditor to perform an audit and provides assurance to the shareholders and investors that audit
was done as per auditing standards. It should include that the audit examination of the Company’s
financial reports was done, and there are no material misstatements. The Auditor shall assess

63 | P a g e
the internal controls and perform tests, inquiries, and verifications of the Company’s accounts. Any
limitations on the scope of work done by the auditor are provided in this section of the Auditors report.

5 – The Opinion of the Auditor

It is the primary paragraph of the Audit report content. The Auditors give their opinion on the financial
reporting by the Company.
6 – Basis of Opinion: This paragraph gives the basis on which the opinion was based. It should mention
the facts of the grounds in the report.
7 – Signature of Auditor: The partner of the auditor must sign the audit report content at the end.
8 – Place of Signature: It gives the city in which the audit report was signed.
9 – Date of Signature: It gives the date on which the audit report was signed.

The Emphasis of Matter in Audit Report

The Content of Audit report can have an Emphasis of matter paragraph. The emphasis of matter
paragraph can be added in the audit report if the auditor feels to draw the attention of the readers
towards the vital matter. The auditor does not need to alter its opinion in case it has emphasized on some
subject. This paragraph includes the audit conducted by the Auditor and their reliance on audits
performed by other auditors on some of the subsidiaries of the Company. Sometimes auditors do not
perform any Audit of non-material subsidiaries, and they mention the details like revenue, profit, assets
of such subsidiaries, and their reliance on the financial reports furnished by the management of the
Company.

Generally, the auditors issue an audit report after doing a financial audit of the Company, which
contains their opinion about the financial status of the Company. The Audit report is a mandatory report
to be attached to the annual report of the Company. It gives an independent view of the Company’s
accounts and highlights misrepresentations (if any) by the Company.

Sample audit Reports

Standard Unqualified Audit Report
Independent Auditor's Report (Title)
To the Shareholders of XYZ Corporation
Addis Ababa, Ethiopia (Addressee)
Introductory paragraph
We have audited the accompanying financial statements of XYZ Corporation, which comprise the
64 | P a g e
balance sheet as of December 31, 2023, and the related statements of income, changes in equity, and
cash flows for the year then ended, and a summary of significant accounting policies and other
explanatory information. Management is responsible for the preparation and fair presentation of these
financial statements in accordance with International Financial Reporting Standards (IFRS); this
includes the design, implementation, and maintenance of internal control relevant to the preparation and
fair presentation of financial statements that are free from material misstatement, whether due to fraud or
error. Our responsibility is to express an opinion on these financial statements based on our audit. We
conducted our audit in accordance with International Standards on Auditing (ISA). Those standards
require that we comply with ethical requirements and plan and perform the audit to obtain reasonable
assurance about whether the financial statements are free from material misstatement.
Scope paragraph
An audit involves performing procedures to obtain audit evidence about the amounts and disclosures in
the financial statements. The procedures selected depend on the auditor's judgment, including the
assessment of the risks of material misstatement of the financial statements, whether due to fraud or
error. In making those risk assessments, the auditor considers internal control relevant to the entity's
preparation and fair presentation of the financial statements in order to design audit procedures that are
appropriate in the circumstances, but not for the purpose of expressing an opinion on the effectiveness of
the entity's internal control. An audit also includes evaluating the appropriateness of accounting policies
used and the reasonableness of accounting estimates made by management, as well as evaluating the
overall presentation of the financial statements. We believe that the audit evidence we have obtained is
sufficient and appropriate to provide a basis for our audit opinion.
5. Opinion paragraph
In our opinion, the financial statements present fairly, in all material respects, the financial position of
XYZ Corporation as of December 31, 2023, and its financial performance and its cash flows for the year
then ended in accordance with International Financial Reporting Standards (IFRS).
[Auditor's Signature]
Addis Ababa Ethiopia
[Date]

Qualified report
Independent Auditor's Report (Title)
To the Shareholders of XYZ Corporation
Addis Ababa, Ethiopia (Addressee)
Introductory paragraph
We have audited the accompanying financial statements of XYZ Corporation, which comprise the
balance sheet as of December 31, 2023, and the related statements of income, changes in equity, and
cash flows for the year then ended, and a summary of significant accounting policies and other
explanatory information. Management is responsible for the preparation and fair presentation of these
financial statements in accordance with International Financial Reporting Standards (IFRS); this
includes the design, implementation, and maintenance of internal control relevant to the preparation and
fair presentation of financial statements that are free from material misstatement, whether due to fraud or
error. Our responsibility is to express an opinion on these financial statements based on our audit. We
conducted our audit in accordance with International Standards on Auditing (ISA). Those standards
require that we comply with ethical requirements and plan and perform the audit to obtain reasonable
65 | P a g e
assurance about whether the financial statements are free from material misstatement.
Scope paragraph
An audit involves performing procedures to obtain audit evidence about the amounts and disclosures in
the financial statements. The procedures selected depend on the auditor's judgment, including the
assessment of the risks of material misstatement of the financial statements, whether due to fraud or
error. In making those risk assessments, the auditor considers internal control relevant to the entity's
preparation and fair presentation of the financial statements in order to design audit procedures that are
appropriate in the circumstances, but not for the purpose of expressing an opinion on the effectiveness of
the entity's internal control. An audit also includes evaluating the appropriateness of accounting policies
used and the reasonableness of accounting estimates made by management, as well as evaluating the
overall presentation of the financial statements. We believe that the audit evidence we have obtained is
sufficient and appropriate to provide a basis for our audit opinion.
Basis for Qualified Opinion (explanatory paragraph)
As discussed in Note X to the financial statements, the company has not recognized an impairment loss
on certain assets, which is not in accordance with IFRS. If the impairment loss had been recognized, the
carrying value of these assets and the net income would have been adjusted accordingly.
Opinion Paragraph
In our opinion, except for the possible effects of the matter described in the Basis for Qualified Opinion
section, the financial statements present fairly, in all material respects, the financial position of XYZ
Corporation as of December 31, 2023, and its financial performance and cash flows for the year then
ended in accordance with International Financial Reporting Standards (IFRS).
[Auditor's Signature]
[Place of signature]
[Date]

Adverse report
Independent Auditor's Report (Title)
To the Shareholders of XYZ Corporation
Addis Ababa, Ethiopia (Addressee)
Introductory paragraph
We have audited the accompanying financial statements of XYZ Corporation, which comprise the
balance sheet as of December 31, 2023, and the related statements of income, changes in equity, and
cash flows for the year then ended, and a summary of significant accounting policies and other
explanatory information. Management is responsible for the preparation and fair presentation of these
financial statements in accordance with International Financial Reporting Standards (IFRS); this
includes the design, implementation, and maintenance of internal control relevant to the preparation and
fair presentation of financial statements that are free from material misstatement, whether due to fraud or
error. Our responsibility is to express an opinion on these financial statements based on our audit. We
conducted our audit in accordance with International Standards on Auditing (ISA). Those standards
require that we comply with ethical requirements and plan and perform the audit to obtain reasonable
assurance about whether the financial statements are free from material misstatement.
Scope paragraph
An audit involves performing procedures to obtain audit evidence about the amounts and disclosures in
the financial statements. The procedures selected depend on the auditor's judgment, including the
assessment of the risks of material misstatement of the financial statements, whether due to fraud or
error. In making those risk assessments, the auditor considers internal control relevant to the entity's
preparation and fair presentation of the financial statements in order to design audit procedures that are

66 | P a g e
appropriate in the circumstances, but not for the purpose of expressing an opinion on the effectiveness of
the entity's internal control. An audit also includes evaluating the appropriateness of accounting policies
used and the reasonableness of accounting estimates made by management, as well as evaluating the
overall presentation of the financial statements. We believe that the audit evidence we have obtained is
sufficient and appropriate to provide a basis for our audit opinion.
Basis for Adverse Opinion (explanatory paragraph)
As discussed in Note X to the financial statements, the company has not consolidated a material
subsidiary, which is required by IFRS. Furthermore, the company has not recognized certain liabilities,
resulting in an understatement of liabilities and an overstatement of equity.
Opinion Paragraph
In our opinion, because of the significance of the matters discussed in the Basis for Adverse Opinion
section, the financial statements do not present fairly the financial position of XYZ Corporation as of
December 31, 2023, or its financial performance and cash flows for the year then ended in accordance
with International Financial Reporting Standards (IFRS).
[Auditor's Signature]
[Place of signature]
[Date]

Disclaimer report
Independent Auditor's Report (Title)
To the Shareholders of XYZ Corporation
Addis Ababa, Ethiopia (Addressee)
Introductory paragraph
We have audited the accompanying financial statements of XYZ Corporation, which comprise the
balance sheet as of December 31, 2023, and the related statements of income, changes in equity, and
cash flows for the year then ended, and a summary of significant accounting policies and other
explanatory information. Management is responsible for the preparation and fair presentation of these
financial statements in accordance with International Financial Reporting Standards (IFRS); this
includes the design, implementation, and maintenance of internal control relevant to the preparation and
fair presentation of financial statements that are free from material misstatement, whether due to fraud or
error. Our responsibility is to express an opinion on these financial statements based on our audit. We
conducted our audit in accordance with International Standards on Auditing (ISA). Those standards
require that we comply with ethical requirements and plan and perform the audit to obtain reasonable
assurance about whether the financial statements are free from material misstatement.
Scope paragraph
An audit involves performing procedures to obtain audit evidence about the amounts and disclosures in
the financial statements. The procedures selected depend on the auditor's judgment, including the
assessment of the risks of material misstatement of the financial statements, whether due to fraud or
error. In making those risk assessments, the auditor considers internal control relevant to the entity's
preparation and fair presentation of the financial statements in order to design audit procedures that are
appropriate in the circumstances, but not for the purpose of expressing an opinion on the effectiveness of
the entity's internal control. An audit also includes evaluating the appropriateness of accounting policies
used and the reasonableness of accounting estimates made by management, as well as evaluating the
overall presentation of the financial statements. We believe that the audit evidence we have obtained is
sufficient and appropriate to provide a basis for our audit opinion.
Explanatory paragraph
As discussed in Note X to the financial statements, the company’s accounting records were destroyed in
a fire, and we were unable to perform alternative audit procedures to verify the completeness and

67 | P a g e
accuracy of the financial statements.
Opinion paragraph
We do not express an opinion on the accompanying financial statements of XYZ Corporation. Because
of the significance of the matters described in the Basis for Disclaimer of Opinion section, we have not
been able to obtain sufficient appropriate audit evidence to provide a basis for an audit opinion.
[Auditor's Signature]
[Place of signature]
[Date]

Read the following Book for more;

Arens, Elder and Beasley, Auditing and Assurance Service, Global Edition, 16th Edition, 2016

References
 Arens, Elder and Beasley, Auditing and Assurance Service, Global Edition, 16th Edition, 2016
 Hayes R., Wallage P., and Gortemake H., Principles of Auditing: An Introduction to
International Standards on Auditing, 3rd Edition, 2014
 Handbook of International Quality Control, Auditing, Review, Other Assurance, and Related
Services Pronouncements (the handbook),2012.
 Leung P., Coram P., et. all., Modern Auditing and Assurance Services, 6th Edition, Wiley 2015
 Messier. Glover, Prawitt, Auditing & Assurance Services, 9th Edition, with ACL software
McGraw-Hill ISBN: 978 125 9162343Louwers, T., Ramsay, (2012). Auditing & Assurance
68 | P a g e
 Services (5th ed.). Boston, MA: McGraw‐Hill.
 R. Whittington and K. Pany; Principles of Auditing & Other Assurance Services 19th Edition,
McGraw-Hill Irwin 2014
 Timothy Louwers, Robert Ramsey, et. al., Auditing and Assurance Services (3rd ed.). Irwin
McGraw-Hill, 2008 (ISNB: 0-07-337936-0).

69 | P a g e