General

• Should it be in the accounts?

• Is it in at the correct amount?
• Anything missed?
• Presentation, disclosure

Types of procedure

• Inquiry
• Observation
• Inspection
• Recalculation
• Confirmation
• Analytical procedures

Tests of details used if

• No controls, controls ineffective

• Inefficient to test effectiveness of controls
• Test is for overstatement
• Insufficient comfort obtained from controls work

General purpose tests

• Review board minutes

• Enquiries of management, staff
• Attend meetings of audit committee
• Agree opening position
• Vouching, matching, agreeing, casting
• Sequence checks
• Review for unusual items
• Circularisations
• Reconciliations
• Third party confirmations
• Use of experts
• Cut off testing
• Management reps
• Review subsequent events/post year end amounts

General risk types – inherent, detection and control

Accounting estimates

The term “estimation uncertainty” can be defined as susceptibility to an inherent lack

of precision in measurement

Allowance to reduce inventory due to obsolescence

Depreciation methods

Valuation or impairment of assets or financial

instruments Provision for a loss from a

lawsuit

Revenue recognised for long term contracts

Determination of fair value in a goodwill calculation

Directors and management are responsible for disclosing accounting estimates within
the financial statements if something cannot be directly observed – this is referred to as
“management’s point estimate”

Auditors should be most concerned with estimation uncertainty – auditors are

concerned about estimation uncertainty because the inherent limitations in any
knowledge or data used to create accounting estimates inevitably lead to increased risk
of material misstatement from either deliberate or accidental management bias in the
financial statements

For this reason, auditors need to consider inherent risks when assessing the estimation
uncertainty attached to an accounting estimate

In addition to inherent risk, complexity and subjectivity within management’s point

estimate should be of concern to auditors

If estimation uncertainty, complexity and subjectivity exist, professional scepticism should be

increased

ISA (UK) 540 (Revised December 2018) mentions that professional scepticism should
be maintained specifically for estimates relating to fair value, asset impairments and
provisions

Under ISA (UK) 540 (Revised December 2018), the auditor should consider the following
specific inherent risk factors:

the entity and its environment

the experience that management has in developing its own

 point estimate the volatility associated with the estimates

the degree of judgement and subjectivity involved when creating an estimate

The auditor should gain an understanding of whether controls exist and have
been implemented and that controls are operating effectively

Acquisition –associate

Risks
• Correct treatment in SFP, single company PorL and consolidated PorL i.e. not as a
subsidiary
• Correct share and time apportionment of associate profit
• Valuation
• Investment in Associate line
• Correct classification as an associate

Tests

• If not auditors of that associate we still have a responsibility if we are auditing the
parent
• Amount of work depends on extent to which we can rely on component auditors
• Should have requested a summary of audit procedures at planning stage
• Should have assessed competence of component auditors at planning stage
• Review summary of audit procedures and assess whether comprehensive enough
• Identify any areas requiring special consideration and/or additional procedures
• Consider impact of any significant findings made by the component auditors

• Above should satisfy use on individual statements of the associated company

so then look at mechanics of equity accounting:

• Confirm date of acquisition and that shareholding is 25%

• Check shareholder agreement to verify that relationship is “significant
influence”

• If component not significant, analytical procedures at group level may be

sufficient
• If the relationship is stronger as “joint control”, could be looking at a JV entity
• Agree purchase price of cost of investment to purchase documentation
• Recalculate group share of profit/loss and ensure that is post-acquisition element
only
• Recalculate SFP balance to ensure that correctly takes into account post-
acquisition results
• Confirm that intragroup transactions have been identified and dealt with
appropriately
Acquisition – subsidiary

Risks

• Increases inherent risk of group accounts

• Unrecognised impairment
• Incorrect amortisation
• Errors in FV and unrecognised assets
• Incorrect recognition/categorisation of intangibles
• Correct statement of SFP figures – goodwill etc
• Correct statement of consolidated PorL figures – profit post-acquisition

Tests

• Agree purchase price and purchase date/date of control to purchase

documentation
• Ensure consolidated from date control achieved
• Review consolidation schedules to ensure amounts have been time apportioned
• Verify that contingent consideration measured at fair value – validate
discount rate used
• Consider initial calculation of goodwill and whether correct and whether
impairment necessary
• Review amount of corporation tax liabilities
• Review Deferred Tax assets and liabilities – consider any impairment
• Obtain breakdown of purchase consideration and determine allocation into
intangibles
• Establish how allocated and whether reasonable
• Determine nature of intangibles recognised e.g. customer lists – how are
contracts progressing?
• Confirm that goodwill does not include any non-purchased goodwill or any
identifiable intangible assets
• Discuss with directors the need to perform an impairment review, and check that
review is in line with IAS 36
e.g. allocation to CGUs
• Assess the determination of remaining useful economic life of fixed assets for
reasonableness
• Determine how FV was determined – review journals and external
information
• Ensure intangibles recognised correctly on consolidation
• Obtain consolidation schedule to ensure correct consolidated e.g. from correct
date, post-acquisition results only
• Review disclosures relating to the acquisition
• Check all relevant exchange rates
• Check qualifications and approach of component auditor
• Owe duty of care to purchaser/seller? Disclaim. Hold harmless letter.
Asset Held For Sale

Risks

• Misclassification if part of incorrect categorisation as discontinued operations

• Risks exist regarding the valuation and valuation methods used which could lead
to assets being
incorrectly recognised in the financial statements

Tests

• Verify date became AHFS

• Assess impairment issues
• Evaluate the design and implementation of controls around valuations by
considering the involvement of the board and expertise of board members
• Obtain a valuation report prepared by an external valuer (if available) and test its
integrity by comparing valuations with recent sale prices for similar assets and
appointing an auditor’s expert to agree valuations
• Obtain a surveyor’s calculation and test the inputs to the valuation by confirming
pricing assumptions used and agreeing the accuracy of the calculation and
reasonableness of assumptions
• Arrange a meeting with the valuer and assess the independence of the scope of work
they have performed
• Agree the surveyor’s qualifications and ensure that they have an appropriate
level of expertise to carry out the valuations
• Agree valuation to any evidence of offers made
• Obtain a copy of any relevant legal agreements to ensure that the classification is
correct
• Enquire with management at to how the asset has been accounted for in the
financial statements
• Discontinued operations disclosures – check if actually a discontinued op
• Discuss with management their plans for sale and marketing of asset
• Obtain evidence of management commitment e.g. proposed sale should be minuted
• Obtain evidence of an active programme for sale e.g. property agents appointed
• Assess market to determine likelihood of sale being completed within one-year
time frame
• Recalculate current book value of asset
• Assess means by which FV established and determine whether reasonable
• Obtain information about costs to sell to assess whether they relate directly to
the disposal of the asset
• Confirm that separate disclosure of the asset has been made in accordance with IFRS
5
• Ensure calculated as lower of CA and FV less CTS, and separately classified
• Enquiries of management or management representations regarding intention to
sell
• Review board minutes for evidence of plan to sell
• Review any contracts negotiated/sale particulars
• Compare sale price to FV – ensure amount held in BS is appropriate
• Ask estate agent for likelihood of completion within 1 year
Bank borrowings/loans

Risks
• breach of covenants and going concern issues
• insolvency and going concern

Tests
• Review agreements with bank: security for borrowings and nature/terms of covenants
• Consider how close to breach – analytical procedures
• If payable on demand, must be disclosed as current liability (IAS 1)
• Check whether one breach affects other agreements
• Examine correspondence with bank for evidence of future intention
• Consider cash budgets, including seasonality
• Discuss with management
• Discuss any alternative arrangements, contingencies
• Verify terms of existing loan agreement
• Examine terms of other agreements for potential breaches
• Determine how arrangement fee has been treated – could be in other current assets –
should be spread over term of loan in proportion to outstanding balance giving rise to
the income statement
• Check for any covenants etc
• Check long term financing = gearing
• If using analytical procedures, remove provisions and non-debt items from current
and non-current liabilities
• Check short term liquidity = overdraft versus cash
• Check financing costs
• Do these appear too low? Discuss with management
• Establish if any non-current assets held via leases – have correct entries been
included?
• If loans raised in forex and there are exchange differences, consider whether should
be included within finance charges
Bad debt allowances

Risks

• Valuation
• Existence
• Cut-off
• Correct allocation based on ageing?
• Overstatement of profit if no/wrong provision?
• Impairment required?

Tests

• Up to date review of year end receivables and cash received post year end
• Ageing analysis – does this look at past due?
• Any specific conflicts with customers? Correspondence with solicitors, management
• Review debts that make up whole balance from a customer, especially if new
customer: analyse, compare to PY
• Reason for and authorisation of bad debt write offs
• Compare with prior period data/experience/audit knowledge
• If a financial asset, confirm that normal impairment conditions met (IFRS 9 rules
and IFRS 7 disclosures)
• Consider impact on Deferred Tax assets/liabilities
Big Data, data analytics and cloud computing

• Accountants are increasingly using data analytics for the purposes of visualisation,
summary and interpretation of ever larger datasets so auditors need to become more
accustomed to using this information in their audits so that they can develop the skills
that allow them to manage the output of data analytics in their audit approach
• A key challenge for auditors will be to unlock the messages contained in the content
created by data analytics.
• Should start to consider how they can leverage their professional judgement and
scepticism skills when presented with the outcome of data analytics activity. As an
example, an auditor may possess software that uses data imported from its client to
perform analysis that either applies Artificial Intelligence or the auditor’s own
judgement to highlight trends or anomalies within a population for closer inspection
• Review of a data analytics “dashboard” – general points to consider in your answer
• Consider percentages and whether this provides comfort relative to the nature of the
issue and/or materiality – quote the percentages you have calculated
• Determine whether there are any outliers – compare to the average, quoting figures
Trying to find several patterns and look for the possible risks implied
• Consider average amount of unusual transactions – high average amount is
concerning but look also for a large number of transactions with an average just
below a reporting threshold: is this being done deliberately in an attempt to avoid
detection? Are transactions being split to avoid detection? If the average is well below
the maximum authorised amount in a particular period but very close in a following
period, does this indicate manipulation of the timing of transactions for a particular
reason? If so, use the software to quickly analyse possible patterns such as delayed
orders at the end of the month.
• Determine whether there is a specific customer/supplier/staff member who is
responsible for a significant proportion of any errors (and calculate and specify the
percentage) – make comparisons between different customers/suppliers/staff
members, if possible.
• At the same time, a single event could be noteworthy so be prepared to mention this
e.g. override of controls.
• If the percentage/metric relating to a particular customer or supplier matches that of
the general population then this provides some assurance regarding the
balance/entries.
• Use software to make statistical predictions and compare to actual results.
• Obtain further information and raise enquiries of management to determine reasons
for any issues singled out by your dashboard review
• Recommend analysis of noteworthy amounts/events and production of more detailed
data which disaggregates or “drillsdown” in some useful way (e.g. by month)
 • Use of a data analytics “dashboard” for risk assessment – example of a journals
dashboard.
• Provides information on journals which exceed the materiality threshold (either
individually or in total) and which would require investigation.
• Allows easy comparison of proportion of manual journals compared to automated
journals (compared both in volume terms and in value terms).
• Allows easy comparison to the prior year/prior month to determine if the issue is an
anomaly or normal for the business.
• Does not provide explanations in itself – further investigation, testing and enquiries
will be required but the “dashboard” can be helpful in giving focus to such further
activities

Audit procedures on a database

• Key risk is that subsequent costs have been incorrectly capitalised
• Check that the original database cost has been amortised – this type of asset may also
need to be impaired (for example, if key personnel have left the company or there is
any indication that the information in the database is out of date)
Procedures:
• evaluate the accounting policy and methodology for capitalisation of expenditures
and ensure it complies with IAS 38
• challenge management over the change to fair value, quantify the impact and propose
an adjustment (particularly if the amount is material and exceeds planning materiality)
• determine the control procedures for triggering an impairment review at the
appropriate time – enquire about the state of the project and the need for impairment
• there is a high risk of disconnect between the research technical team who
understand the project and the accounting team who understand the accounting but
not the technical issues
• make enquiries of key technical personnel to ensure that the acquisition cost of the
database is fairly stated to determine whether the conditions for amortisation have
been met

Understanding the entity’s systems

ISA (UK) 315 (Revised June 2016) specifically requires the auditor to gain an understanding
of the entity’s accounting systems and control environment as part of the risk assessment
process at the planning stage of the audit – today, almost any accounting system and control
encountered by an auditor will involve some form of IT
Use of Artificial Intelligence in auditing
• Artificial Intelligence can be used as part of Big Data analytics to perform auditing of
entire populations, not just samples, thus reducing human error and expanding the
amount of data reviewed
• Artificial Intelligence can handle large data volumes without getting tired or making
mistakes
• Artificial Intelligence and machine learning techniques can provide greater analysis of
data to differentiate between “rogue” and “normal” activity

Problems with use of Artificial Intelligence

Artificial Intelligence may struggle with new and unusual situations which have little previous
data to use for machine learning to occur
Artificial Intelligence is currently not capable of exercising professional scepticism without
human intervention
Tests/Key questions for management where a client uses virtual arrangements and/or cloud
computing
• Does the cloud service take regular backups of client data?
• Does the cloud service have its own backup strategy?
• Is the cloud service’s process for restoring data regularly tested?
• Is there a service level agreement regarding data assurance and does the cloud service
perform exercises to ensure that these can be met?
• Is power regularly given to third-party “penetration testers” to test for vulnerabilities
in the system?
• Is there an adequate process in place in the event of a security breach being
determined?
• Is payment data held on a PCI-DSS compliant platform?
• Is the platform protected against “denial of service” attacks, where attackers could
prevent access to the service indefinitely by flooding the platform with erroneous traffic and
requests for
information?
• Are adequate compensation levels for loss of data written into agreements with the
service provider?
Cyber security – checklists for Boards
The following points are taken from the ICAEW IT Faculty document Audit insights: Cyber
Security – Taking Control of the Agenda

• Be ready to respond – consider the most serious possible breach and ask whether the
organisation is ready to cope
• Build intelligence – what does the business know about specific threats, the actors
and their possible methods? Have other major breaches happened?
• Be specific and real – how can critical data actually be accessed and by whom? What
controls are in place and how does the business know whether they are working? How are
any breaches
detected?
• Link to strategic action – how are major strategic initiatives changing the risks?
• Attach consequences – what behaviour is unacceptable? How does the business
know if non- compliance is occurring? What happens to employees who do not follow the
rules?
• Tailor activities – how relevant is cyber security training to specific roles and
responsibilities?
• Hold Boards to the same level accountability – are members of the Board expected to
follow the same rules as staff? Do members of the Board act as role models?
• Remember insider risk – what is in place to detect suspicious behavioural patterns?
Does the business know how much system access potentially disaffected staff have?
• Implement cyber-by-design – are new products and services designed with cyber
risks in mind?
• Continually review and re-evaluate – how often are cyber risks reviewed? How are
changing risks incorporated into existing processes?
• Take difficult decisions – is the business prepared to delay the major change of a
strategic project if the security is not good enough? Is the business using a “sticking plaster”
approach to an old
infrastructure?
• Embed cyber into start-ups – if investing in new businesses, are cyber risks
considered?
New legislation in the European Union regarding data protection
Note – although the UK has now left the European Union, some content on European Union
legislation such as GDPR remains relevant as the UK has not implemented any legal changes
in relation to GDPR

General Data Protection Regulation (GDPR) – GDPR was introduced in May 2018
• GDPR requires organisations to have appropriate security measures in place to
protect any personal data they hold.
• GDPR requires organisations to be able to prove that any personal data they collect is
relevant, fit for a specific purpose, accurate and up to date.
• If an organisation suffers a security breach, then this must be reported within 72
hours.
• If organisations do not comply with the regulations, they can be liable to penalty fines
of up to EUR20m or 4% of global turnover, whichever is higher.
• Network Information Security (NIS) Directive – specifies obligations regarding cyber
security and certain industry sectors, largely associated with the critical national
infrastructure and major information processing activities
Blockchain
• In a blockchain-based system of accounting, using what is also referred to as a
“distributed ledger”, transactions are recorded in blocks, with access and initiation
driven by encryption technology
• Instead of using a recognised currency, which can be difficult to use online, a virtual
currency called “cryptocurrency” is used within a blockchain
• Candidates need to be familiar with the technology and how it could be used in a
corporate context, including the business risks created from diverting traditional
funds into forms of cryptocurrency and how to accurately record, measure and review
transactions using such technology