AA SHORT NOTES

Kaplan Study Text 24/25

 Introduction to Audit and Assurance

What is assurance:
• An assurance engagement is a process where a practitioner, such as an auditor or consultant,
gathers enough relevant and reliable evidence to provide an informed opinion or conclusion. The
goal of this process is to increase the confidence of the intended users, who are different from the
entity or individuals being evaluated. This opinion or conclusion relates to the outcome of
evaluating or measuring a specific subject matter (like financial statements or compliance with
regulations) against a set of established criteria or standards. The aim is to provide reassurance to
those users that the information has been thoroughly examined and can be trusted.
• Giving assurance means providing a professional opinion on certain information, which helps
users trust that the information is accurate. This allows them to make decisions with confidence,
knowing that the chances of the information being wrong are minimized.
• There are five elements of an assurance engagement:
o Three party involvement
▪ Practitioner — the reviewer of the subject matter who provides the assurance.
▪ Intended users — the people using the subject matter to make economic decisions.
▪ Responsible party — the party responsible for preparing the subject matter.
o Appropriate subject matter—the information subject to examination by the practitioner.
o Suitable criteria—the criteria against which the subject matter is evaluated, i.e., standards,
guidance, laws and regulations.
o Sufficient appropriate evidence—sufficient appropriate evidence is needed to provide a
basis for the opinion/conclusion.
o Written assurance report in an appropriate form—the output of the assurance engagement
expressing a conclusion/opinion about the subject matter.
• General principles the assurance provider must follow when performing such engagements
include:
o Comply with ethical requirements.
o Apply professional skepticism and judgement.
o Perform acceptance and continuance procedures to ensure only work of acceptable risk is
accepted.
o Agree the terms of engagement.
o Comply with quality management standards.
o Plan and perform the engagement effectively.
o Obtain sufficient and appropriate evidence.
o Consider the effect of subsequent events on the subject matter.
o Form a conclusion expressing either reasonable or limited assurance as appropriate.
o Document the evidence to provide a record of the basis for the assurance report.
• There are two types of assurance engagements:
o Reasonable Assurance Engagements: In this type of engagement, the practitioner gathers a
lot of detailed evidence and performs thorough tests to form a conclusion. The goal is to
ensure that the information meets all relevant standards. This allows the practitioner to
confidently state that, in their opinion, the subject matter is accurate and reliable. It
provides a high level of confidence to users because the review process is comprehensive.
o Limited Assurance Engagements: This engagement involves gathering less evidence and
performing simpler checks, like asking questions and analyzing data. The practitioner
concludes whether the information seems reasonable, but not with the same level of
certainty as a reasonable assurance engagement. The conclusion is more cautious, and it
provides a moderate level of confidence to users, meaning that the information appears to
be accurate but isn't as thoroughly verified.

1|Page
External audit engagements:
• External Audit is an example of a reasonable assurance engagement.
• An auditor should express an opinion on whether the financial statements give a true and fair view
(or present fairly in all material respects) and are prepared, in all material respects, in accordance
with an applicable financial reporting framework.
• The objectives of an auditor are:
o Obtain reasonable assurance that the financial statements are free from material
misstatements.
o Express an opinion on whether the financial statements are prepared in accordance with
the applicable financial reporting framework.
o Report on the financial statements.
• Some users incorrectly believe that an audit provides absolute assurance—that the audit opinion is
a guarantee the financial statements are correct. This and other misconceptions about the role of
an auditor are referred to as the expectation gap.
• Limitations of an audit:
o Financial statements often include estimates and judgments that may vary, making them
less precise.
o Auditors may depend on a company’s internal controls, which can have their own
weaknesses or flaws.
o Sometimes, the auditor must rely on information provided by the management, which might
be biased.
o Audit evidence usually supports conclusions but doesn’t fully eliminate all uncertainty.
o Auditors don’t review every single transaction; instead, they examine a sample, which
means some errors might go undetected.

Review engagements:
• A review engagement is an example of limited assurance.
• A review engagement is a simpler and cheaper alternative to an audit for companies not required
by law to have one. It provides some confidence in the financial statements, focusing on analyzing
data and asking management questions, without testing internal controls. The goal is to identify if
there are any apparent issues with the financial statements, but it doesn’t guarantee full accuracy.
• Accountability means, being responsible for one's actions and decisions, and being expected to
explain and justify them to others.
• Agency is the ability to act and make decisions on behalf of another person or entity.
• Stewardship means, managing and taking care of resources or responsibilities entrusted to you,
ensuring their preservation and growth for the benefit of others.

2|Page
 Rules and Regulation

Legal requirements for audits and auditors:

• A person is eligible to act as an auditor if he is a member of a Recognized Supervisory Body (RSB),
or if he is authorized by the state.
• A person must not act as an auditor if he is excluded by law (i.e., he works for the company or has
personal relationships with the company), or if he excluded by the Code of Ethics (i.e., he doesn't
meet the competence, confidentiality and independence (CCI) criteria).
• The auditor can be removed if there are doubts about his continuing ability to perform to carry out
their duties. This removal can be achieved by a majority vote at a general meeting. The auditor has
a right to circulate representations stating why they shouldn't be removed.
• The auditor may resign if he finds it difficult to work with the management. He must issue written
notice of the resignation and a statement of circumstances to the members and regulatory
authority. Furthermore, he must notify ACCA of his resignation.
• Following are the rights of an auditor during appointment:
o Access to the company’s books and records at any reasonable time.
o To receive information and explanations necessary for the audit.
o To receive notice of and attend any general meeting of members of the company.
o To be heard at such meetings on matters of concern to the auditor.
o To receive copies of any written resolutions of the company.
• Following are the rights of an auditor on resignation:
o To request a General Meeting of the company to explain the circumstances of the
resignation.
o To require the company to circulate the notice of circumstances relating to the resignation.

International regulation:
• The International Federation of Accountants (IFAC) is a global organization for accountants. It sets
standards for qualifications, experience, and practices in accounting and assurance to ensure
consistency and build public trust in the profession worldwide.
• The International Audit and Assurance Standards Board (IAASB), part of IFAC, develops and
promotes International Standards on Auditing (ISAs). There are 37 ISAs and two standards on
quality management, but not all are required for your studies. You don’t need to memorize the
names or numbers of the ISAs, but you should understand and apply their key principles.
• Main Features of ISAs:
o ISAs provide guidance for auditors to ensure audits are consistent and of high quality.
o They are not legal requirements; if local laws conflict with ISAs, the local laws take
precedence.
o While ISAs are primarily for auditing financial statements, they can also apply to other
historical financial information.
o Auditors must generally follow ISAs, but if they need to deviate for the audit's overall
purpose, they must explain why.
o ISAs include basic principles and requirements, along with additional materials to help
auditors understand how to apply them.
• To issue an International Standard on Auditing (ISA), a thorough process of discussion and debate
takes place to gather input from affected members. An exposure draft (ED) is released for public
comments, which may lead to changes in the draft. The ISA requires approval from two-thirds of
IAASB members to be adopted.

3|Page
 • IFAC is a group of accounting bodies and has no legal authority in individual countries. Therefore,
countries must establish their own systems for:
o Regulating the audit profession.
o Implementing auditing standards.
• National standard setters can create their own auditing and ethical standards or adopt ISAs,
possibly adjusting them to meet local needs. If there’s a conflict between international and
national guidance, local regulations will take precedence.

4|Page
 Corporate Governance

Corporate governance introduction:

• Corporate governance is the means by which a company is operated and controlled.
• The aim of corporate governance is to ensure that companies are run well in the interest of their
shareholders and other stakeholders. Furthermore, it aims to prevent the directors from abusing
their power.

The UK Corporate Governance Code:

• The Organization for Economic Co-operation and Development (OECD) has produced the following
six principles to guide policy makers:
• Ensuring the basis of an effective corporate governance framework.
• The rights and equitable treatment of shareholders and key ownership functions.
• Institutional investors, stock markets, and other intermediaries.
• The role of stakeholders in corporate governance.
• Disclosure and transparency.
• The responsibilities of the board.
• The UK Corporate Governance Code is reflects the OECD principles; it is split into five parts which
will be discussed below:
o Board leadership and company purpose
o Division of responsibilities
o Composition, succession and evaluation
o Audit, risk and internal control
o Remuneration

Board leadership and company purpose:

• A successful company should have an effective board that promotes long-term sustainable
business and generate value for shareholders.
• The board should establish the purpose, values and strategy of the company and the directors
should lead by example.
• The board should ensure that the resources are available to meet the objectives of the company.
Furthermore, it should establish a framework of effective controls to assess and manage risk.
• The board should engage effectively with the shareholders and other stakeholders and encourage
participation.
• The board should ensure that the workforce policies are in line with the company's values;
workforce must be able to raise matters of concerns if necessary.
• The chair's role is to lead the board of directors; he should be independent.
• The chief executive's role is to ensure effective operation of the company; head of the executives.
• Executive directors run the company on a day-to-day basis.
• Non-executive directors monitor the executive directors; they contribute to overall strategy and
direction of the company and do not take part in routine management.

5|Page
Division of responsibilities:
• The chair is responsible for the effectiveness of the board; he should ensure that the board
members are contributing effectively and the directors are receiving accurate information on time.
• The board should be balanced; a single person or a small group should not be able to dominate the
board.
• NEDs should have sufficient time to fulfill their responsibilities and hold the management
accountable if necessary.
• The board should ensure that it has the policies, processes, information, time and resources to
function effectively.
• The chair should be independent; roles of chair and chief executive should not be taken by the
same person and the chief executive should not become the chair of the same company.
• At least half the board, excluding the chair, should consist of independent NEDs.
• The board should identify in the independence of NEDs in the annual report.
• Independence of a NED will be deemed affected if he has been an employee of the company within
the last five years, he had a material relationship with the company within the last three years, he
received or receives remuneration in addition to directors' fee, he has close family ties with the
company, he has significant links with the major directors of the company, and if he has served on
the board for more than nine years form the date of their first appointment.
• One of the independent NEDs should be appointed as a senior independent director; the NEDs and
senior independent director should meet at least once every year to appraise the chair's
performance.
• NEDs appoint, appraise and remove the executive directors.
• The responsibilities of all the parties of the board should be written and made available publicly.
• The annual report should mention the number of meetings of the board and committees and the
attendance of the directors.

Composition, succession and evaluation:

• Appointments to the board should be subject to formal and transparent procedures.
• An effective succession plan should be maintained for the board and senior management.
• Appointments and succession should be based on merit and objective criteria; it should promote
diversity.
• The board and its committees should a have combination of skills, experience and knowledge.
• Annual evaluation of the board should consider its composition, diversity, etc.
• A nomination committee should be established to appoint board members; the committee should
majorly consist of independent NEDS.
• All directors should be subject to annual re-election.
• The chair should not remain for more than nine years but this period can be extended for a limited
time to maintain effectiveness.
• The nomination committee reduces the risk of 'job for the boys.'

Audit, risk and internal control including audit committees:

• The board should establish formal and transparent policies and procedures to ensure that the
internal and external audit function are effective and independent.
• The board should present a fair, balanced and understandable assessment of the company's
position and prospects.
• The board should establish procedures to manage risk, oversee the internal control framework and
determine the extent of the risks that the company can take.

6|Page
 • The board should establish an audit committee comprising at least three independent NEDs (two
in the case of small companies), with at least one member possessing up-to-date financial
expertise. Furthermore, the chair should not be a member of the committee.
• The audit committee's main roles include:
o Ensuring the accuracy of financial statements.
o Advising if the annual report is fair, balanced, and clear.
o Reviewing internal financial controls and risk management.
o Monitoring the internal audit's effectiveness or considering the need for one if absent.
o Recommending the appointment, removal, and pay of the external auditor.
o Reviewing the external auditor’s independence and the quality of their work.
o Setting policies for the external auditor’s non-audit services.
• The annual report should include details about the audit committee's work, such as:
o Key issues related to the financial statements.
o How the independence and effectiveness of the external audit were evaluated.
o Reasons for not having an internal audit and how internal assurance is maintained.
o How the independence of the auditor is ensured when they also provide non-audit services.
• Directors should explain their role in preparing the annual report.
• The board should thoroughly assess the company's main and emerging risks.
• In the annual report, the board should confirm this assessment, describe key risks, the procedures
to identify new risks, and how these risks are managed.
• The board should review the company's risk management and internal controls annually and
report their effectiveness, covering financial, operational, and compliance controls.
• The board should state if it’s appropriate to use the going concern basis for financial statements
and mention any major uncertainties for at least the next 12 months.
• The board should explain in the annual report how it has evaluated the company's future
prospects, the time period considered, and why that time frame is suitable.
• The board should state if it reasonably expects the company to continue operating and meet its
obligations during the assessment period.
• Objectives of audit committees:
o Ensure financial information is credible and objective.
o Help directors fulfill their financial reporting duties.
o Provide an extra communication channel for the external auditor.
• Internal audit helps the board and audit committee fulfill their corporate governance
responsibilities. The audit committee works closely with internal audit to:
o Ensure internal auditor has direct access to the board chair and audit committee.
o Review the annual internal audit work plan.
o Receive regular reports on audit results.
o Monitor management's response to audit findings.
o Meet with the head of internal audit yearly without management present.
o Assess the effectiveness of internal audit within the company's risk management system.

Remuneration:
• Remuneration should be designed to promote long-term sustainable success of the company.
• The board should establish formal and transparent procedures for developing the policy for
executive directors' remuneration.
• No director should be involved in setting his/her own pay.
• The remuneration committee must consist of at least three independent NEDs.
• The committee is responsible for setting the policy for executive director remuneration.
• The committee determines the pay for the chair, executive directors, and senior management.
• When setting the policy for executive director remuneration, the committee should review
workforce remuneration and related policies.

7|Page
 • The pay for NEDs is determined by the board and is based on their time commitment and
responsibilities.
• Remuneration schemes should be designed to encourage executive directors to hold company
shares for the long term.
• Only basic salary is pensionable, and pension contribution rates should be similar to those offered
to other employees.
• Notice periods for executive directors should be one year or less.
• The remuneration committee should ensure that the remuneration arrangements are transparent,
understandable, predictable, proportionate, and aligned with the company's culture.
• Risks associated with excessive rewards should be identified and mitigated.
• The committee's work should be described in the annual report.

Relevance of corporate governance to external auditors:

• ISA (UK) 700 requires auditors to report by exception in their reports for companies claiming
compliance with the UK Corporate Governance Code when the annual report includes:
o A director's statement that the annual report is fair, balanced, and understandable and
provides shareholders with the information needed to assess the company's performance,
business model, and strategy, but is inconsistent with the auditor's knowledge.
o A section on the audit committee's work that does not adequately address matters
communicated by the auditor.
o An explanation for why the annual report does not include a statement or section that is
materially inconsistent with the auditor's knowledge.
o Other information that, in the auditor's opinion, contains a material inconsistency.
• Other countries may have different reporting requirements based on local laws and regulations.

8|Page
 Ethics and Acceptance

Approaches to ethical guidance:

• The rules-based approach to ethical guidance involves specific, detailed rules that dictate what is
allowed or not. It provides clear guidelines and often leaves little room for interpretation. This
approach aims to ensure consistency and minimize ambiguity in decision-making but can be rigid
and may not cover every possible situation.
• The principles-based approach focuses on broader ethical principles rather than specific rules. It
emphasizes core values like integrity, fairness, and honesty, allowing individuals to interpret and
apply these principles to various situations. This approach is more flexible and adaptable but
requires a deeper understanding and judgment, which can lead to variations in how principles are
applied.

The fundamental principles of the conceptual framework:

• Objectivity: Accountants must be impartial and free from bias. Their judgments should not be
influenced by personal opinions or interests.
• Professional behavior: Accountants must adhere to laws and regulations, act in the public interest,
and avoid any behavior that could damage the reputation of the profession.
• Professional competence and due care: Accountants must have the necessary skills and
knowledge to perform their duties effectively. They must also exercise diligence and care in their
work.
• Integrity: Accountants must be honest and truthful in all their dealings. They should act with
integrity and avoid any conflicts of interest.
• Confidentiality: Accountants must protect the privacy of their clients' information. They should
only disclose confidential information when authorized to do so.

Threats and safeguards:

• Firms must establish procedures to:
o Identify threats.
o Assess threats.
o Apply safeguards if necessary.
o Either eliminate the threat or reduce it to an acceptable level.

Self-interest threats:
• Self-interest threats arise when an auditor’s financial interests compromise their judgment.
• Fee dependency—high reliance on a single client's fees can threaten independence, especially if it
makes up a significant proportion of the firm’s total revenue. Safeguards include diversifying
clients, external reviews, and adjusting partner compensation.
• Non-listed clients—independence risk exists if fees from a client exceed 30% of total fees for five
years. External reviews are required.
• Listed clients—independence risk exists if fees from a client exceed 15% of total fees for two
consecutive years. Reviews are needed, and firms may need to resign if the situation persists for
five years.
• Gifts and hospitality—acceptance can create self-interest or intimidation threats. Only trivial items
should be accepted to avoid conflicts.

9|Page
 • Owning shares/financial interests—auditors or close family members cannot hold direct or
significant indirect financial interests in audit clients to prevent bias.
• Loans and guarantees—not permitted unless immaterial. Any preferential loan terms could impair
the auditor's objectivity.
• Overdue fees—can create bias if fees are not collected before issuing the audit report. Partial
payments or external reviews can mitigate this risk.
• Business relationships—firms should avoid close business ties with audit clients unless the
relationship is insignificant to both parties.
• Potential employment with clients—auditors must report any employment offers and remove
themselves from the engagement if necessary.
• Contingent fees—fees tied to specific outcomes (like company profits) are prohibited as they can
influence audit judgments.
• Compensation policies—compensation based on selling non-audit services to audit clients creates
bias and should be adjusted to maintain objectivity.
• Litigation with clients—conflicts between auditors and clients can threaten impartiality.
Safeguards include external reviews or withdrawal from the engagement if unresolved.

Familiarity threats:
• Familiarity Threats occurs when auditors become too sympathetic or trusting of clients, losing
professional skepticism.
• Long association of senior personnel:
o Using the same senior personnel on engagements over time may cause less skepticism
and increase self-interest threats (e.g., concern about losing a long-term client).
o Key considerations include the length and closeness of the relationship and influence over
the audit.
• Safeguards for long association:
o Rotate team members, change their roles, or conduct independent reviews.
o For listed clients, engagement partners must rotate after 7 years and serve cooling-off
periods (5 years for partners, 3 for EQR, and 2 for key partners).
• Family and personal relationships:
o Threats arise if an audit team member has a family relationship with someone influential at
the client.
o The individual must be removed from the engagement team if a close relationship exists.
• Safeguards:
o Reassign team roles or ensure individuals do not handle matters related to family
members.
• Recruitment services:
o Threats may occur if a firm recruits senior personnel for a client.
o Firms can advise on candidates but must not make management decisions or recruit
directors or senior management.
• Employment with an audit Client:
o Threats occur if a firm’s partner or employee joins an audit client in a significant role.
o Ensure no ongoing connection with the firm and consider the new role and time since they
left the audit team.
• Safeguards for former team members joining a client:
o Adjust the audit plan and include experienced team members, or have an independent
reviewer.
• For listed clients:
o Independence is compromised if a former partner joins as a director or influential employee
without a 12-month gap since leaving the audit team.

10 | P a g e
Self-review threat:
• Self-review Threats arise when an auditor provides non-audit services to a client and later audits
those same areas, they may miss or overlook errors in their own work.
• Accounting and bookkeeping services:
o Includes preparing records, determining policies, making journal entries, and recording
transactions.
o Safe if the client retains responsibility for decision-making.
o For non-listed clients, the work must be routine, with review by someone uninvolved in
providing the service.
o Not allowed for listed clients.
• Internal audit services:
o Management must assume full responsibility to avoid self-review.
o Non-listed clients: Use independent professionals and reviewers.
o Listed clients: Internal audit services cannot relate to financial reporting controls or
significant financial statement areas.
• Tax services:
o Potential threats include self-review and advocacy.
o For listed clients, the firm cannot prepare tax calculations.
o Non-listed clients must use separate professionals and reviewers.
o Tax advice that relies on specific accounting treatments is not allowed.
• IT services:
o Risk of self-review if IT systems affect financial reporting.
o Allowed only if unrelated to financial reporting controls or minimal customization.
o Listed clients: No IT services that significantly impact financial reporting.
• Valuation services:
o Risk arises if valuations are subjective and affect financial statements.
o Prohibited for non-listed clients if valuations are highly subjective.
o Not allowed for listed clients if a self-review threat exists.
• Corporate finance services:
o Risks include self-review and advocacy, especially in strategy development, acquisitions,
and financing.
o Prohibited if advice affects accounting treatment or promotes client shares.
o Listed clients: Corporate finance services not allowed if self-review threat exists.
• Legal services:
o Risk of self-review and advocacy.
o Services must be done by legal professionals.
o Not allowed if the firm acts as general counsel or advocates in material matters.
• Temporary personnel assignments:
o Possible risks of self-review and familiarity.
o Allowed if personnel don’t take management roles and their work is independently
reviewed.
• Serving as director or officer:
o Creates significant self-review risks.
o Firm members cannot serve as directors or officers unless purely administrative and
allowed by local laws.
• Client staff joining audit firm:
o Potential threats when a former client employee joins the audit team.
o Audit team should exclude recent former employees of the client, with independent review
of their work if applicable.

11 | P a g e
Advocacy threats:
• Advocacy threats occurs when an audit firm appears to support or represent a client’s position,
creating a perception of bias.
• Examples Include:
o Representing a client in court or disputes that impact financial statements.
o Negotiating finance on behalf of a client.
o Loaning personnel to the client.
o Providing valuation or tax services to the client.

Intimidation threat:
• Intimidation threats arises when clients exert pressure or try to influence the audit firm's
impartiality.
• Examples include:
o Dependence on client fees.
o Receiving gifts or hospitality from clients.
o Close personal or family relationships with client personnel.
o Offering recruitment services to clients.
o Employment opportunities with the client.
o Litigation between the audit firm and the client.

Confidentiality:
• Confidential information may be obtained from:
o The firm or employing organization.
o Business relationship i.e., current clients and previous clients.
o Prospective clients and employers.
• Circumstances in which disclosure is permitted or required:
o Disclosure is required by law.
o Disclosure is permitted by law and is authorized by the client or the employer.
o There is a professional duty or right to disclose, when not prohibited by law.
• Factors to be considered when disclosing information:
o Whether harm could be caused by the disclosure.
o Whether all relevant information is known and substantiated.
o Whether the information is to be communicated to appropriate recipients.
• A conflict of interest occurs when an audit firm works for two companies that are connected to
each other, like competitors or companies that do business together. This can make it difficult for
the audit firm to be impartial and keep information confidential.
• Why are conflicts of interest bad?
o Lack of objectivity: People might think the auditor can't be fair because they're also working
for a competitor.
o Breach of confidentiality: The auditor might accidentally share information from one
company with another.
• How to avoid conflicts of interest:
o Disclosure: The audit firm must tell both companies about the conflict and get their
permission to continue working.
o Separate teams: Use different teams of people to work on each company's audit.
o Independent review: Have someone else check the work to make sure it's fair.
o Safeguards: Use measures like limiting access to information and having separate work
areas to protect confidentiality.

12 | P a g e
 • If the conflict can't be resolved, the audit firm must stop working for one of the companies if they
can't find a way to avoid the conflict of interest.

Accepting and/or continuing an audit engagement:

• Before taking on a new client, an audit firm should:
o Make sure the client isn't too risky for the firm to handle.
o Check the client's background and financial situation.
o Consider the factors including professional clearance, independence, management
integrity, preconditions for an audit, reputation, resources, professional competence, fees,
and risks.
• Independence, Objectivity, and Other Factors:
o Independence and objectivity: The audit firm must assess if they can remain impartial. If
they can't, they shouldn't take on the client.
o Management integrity: A lack of integrity can signal problems like:
▪ Aggressive accounting practices
▪ Weak internal controls
▪ Criminal activities
▪ Unreliable financial information
o Money laundering: The firm must check the client for any money laundering activity. If
found, they can't take on the client.
o Resources: The firm must have enough resources to do the audit properly.
o Risks: Any risks with the client, like poor performance or unusual transactions, can increase
the audit risk.
o Fees: The fees should be fair and match the level of risk. The client's ability to pay should
also be considered.
• Professional Competence, Reputation, and Preconditions:
o Professional competence: The audit firm must have the right skills and experience for the
job.
o Reputation of the client: The firm should evaluate the client's reputation and how it might
affect their own.
o Preconditions for an audit: The auditor and management must agree on the terms of the
audit, and management must acknowledge their responsibilities for preparing financial
statements, internal controls, and providing information. If the client limits the scope of the
audit, the firm might not be able to issue an opinion.
o Continuance: The firm should review these considerations annually to decide if it's
appropriate to continue the audit.
• Overall, the audit firm should carefully evaluate all these factors before accepting or continuing an
engagement to ensure the audit is conducted independently, objectively, and with the necessary
professional competence.

Engagement letters:
• Engagement letters are formal agreements between audit firms and their clients. They outline the
terms and conditions of the audit engagement.
• Key elements of an engagement letter:
o Identification of the financial reporting framework: Specifies the accounting standards
used for the financial statements.
o Reference to reports: Outlines the expected form and content of the audit reports.
o Professional standards: References relevant standards, regulations, and laws.
o Limitations of an audit: Acknowledges the inherent limitations of financial audits.
o Written representations: Requires management to provide written representations.

13 | P a g e
 o Fees: Specifies how fees will be calculated.
o Subsequent events: Requires management to notify the auditor of significant events after
the audit report is signed.
o Draft financial statements: Requires management to provide draft statements in time for
the audit.
o Communication: Details the form and timing of any communication during the audit.
• Additional matters:
o Internal auditors: Arrangements for the involvement of internal auditors.
o Limitations of liability: Outlines any limitations on the auditor's liability.
o Working papers: Specifies any obligations to provide working papers to others.
• Agreement and documentation:
o Agreement: The client and auditor must agree to the terms of the engagement letter before
any work begins.
o Documentation: The client's acknowledgement of the terms should be formally
documented, often through a director's signature.
• By understanding the contents of an engagement letter, both the audit firm and the client can
ensure a clear and transparent relationship throughout the audit process.

14 | P a g e
 Risk

Audit risk:
• Audit risk is the risk that the auditor expresses an inappropriate opinion when the financial
statements are materially misstated.
• Audit risk comprises the risk of material misstatement and detection risk.
• Audit risk = inherent risk x control risk x detection risk.
• Risk of material misstatement is the risk that the financial statements are materially misstated
prior to the audit.
• A misstatement is a difference between the reported amount, classification, presentation, or
disclosure of a financial statement item and the amount, classification, presentation, or disclosure
that is required for the item to be in accordance with the applicable financial reporting framework.
Misstatements can arise from error or fraud.
• There are three categories of misstatements:
o Factual misstatements—there is no doubt about them.
o Judgmental misstatements—difference in an estimate or policy that the auditor considers
unreasonable and inappropriate.
o Projected misstatements—auditor's best estimate of misstatements in a population
through the projection of misstatements identified in a sample.
• Inherent risk refers to the chance that a mistake or error could happen in a financial transaction,
account balance, or disclosure, without taking into account any safety measures or controls that
might catch or fix the mistake. It’s about the natural risk of something going wrong, just because
of the way things are, before any checks or protections are applied.
• Control risk is the chance that a mistake or error, which could be significant, won’t be caught or
fixed in time by the company’s internal controls or procedures. It means that even though there are
checks in place, they might fail to prevent or spot a problem quickly enough.
• Detection risk is the chance that an auditor's methods and procedures might miss a significant
mistake or error in the financial statements, even when they’re trying to keep the overall audit risk
low. It means the auditor’s work might overlook a problem that is actually there.
• Sampling risk is the chance that an auditor’s conclusion, based on examining a sample of data,
differs from what it would be if the entire dataset had been reviewed, meaning the sample might
not accurately reflect the whole group.
• Non-sampling risk is the risk of reaching the wrong conclusion due to factors other than the
sample itself, such as using incorrect audit procedures or failing to identify a mistake.
• The auditor can adjust their approach based on risk assessment to better detect significant errors
in the financial statements. This includes emphasizing professional skepticism, involving more
experienced staff for complex tasks, adjusting supervision and review processes, introducing
unpredictability in audit procedures, and modifying the overall audit strategy (like setting
materiality levels, testing controls, and planning substantive procedures).
• Professional skepticism is an attitude that includes a questioning mind, being alert to conditions
which may indicate possible misstatement due to fraud or error, and a critical assessment of audit
evidence.

Materiality:
• Materiality means that mistakes or missing information in the financial statements are important if
they could affect the decisions that users, like investors or creditors, make based on those
statements. Even small errors could be significant if, together, they might influence someone's
economic choices.

15 | P a g e
 • The determination of materiality is a matter of professional judgement.
• ISA 320 threshold for materiality:
o ½ - 1% revenue
o 5 - 10% profit before tax
o 1 - 2% total assets
• Materiality is not just about numbers; it can also involve the nature of certain items. For example:
o Errors that impact compliance with laws or regulations.
o Mistakes that affect adherence to debt agreements.
o Adjustments that could change a profit into a loss.
o Changes that could shift a net asset position into a net liability.
o Transactions involving directors, like their salaries and benefits.
o Important disclosures about potential legal claims or concerns about the company’s future
that might influence user decisions, even if they are just narrative and not numerical.
• Performance materiality is a lower threshold set by the auditor, below the overall materiality level
for the financial statements. This means the auditor aims to find mistakes or errors by using this
lower limit when planning and conducting the audit. By doing so, they reduce the risk of missing
any significant misstatements that, when combined, could be important.

Risk assessment procedures:

• The auditor should perform the following risk assessment procedures:
o Enquiries
o Analytical procedures
o Observation
o Inspection
• The auditor is required to obtain an understanding of the following:

16 | P a g e
 • The information used to obtain this understanding can come from the following sources:

• Analytical procedures involve examining financial information by looking at reasonable

relationships between financial and non-financial data. This includes checking for unusual
changes or inconsistencies and investigating any amounts that significantly differ from what was
expected.
• The auditor is required to perform analytical procedures as risk assessment procedures in
accordance with ISA 315.
• Analytical procedures are utilized throughout the audit process in three stages:
o Preliminary Analytical Procedures: At this stage, auditors perform (are required to perform)
these procedures to assess risks and gain an understanding of the entity, as required by
ISA 315.
o Substantive Analytical Procedures: During this phase, auditors use (are allowed) analytical
procedures to detect misstatements, in accordance with ISA 500.
o Final Analytical Procedures: At the end of the audit, auditors apply (are required) analytical
procedures to ensure that the financial statements align with their understanding of the
entity, as outlined in ISA 520.

17 | P a g e
 Planning

Purpose of planning:
• Planning ensures that the risk of performing a poor-quality audit (and ultimately giving an
inappropriate audit opinion) is reduced to an acceptable level.
• The auditor must use professional skepticism and professional judgement to plan their audit.
• Professional judgement is the application of relevant training, knowledge and experience in making
informed decisions about the courses of action that are appropriate in the circumstances of the
audit engagement.
• Although risk assessment is a fundamental element of the planning process, risks can be
uncovered at any stage of the audit, and procedures must be adapted in light of revelations that
indicate further risks of material misstatement. It is the responsibility of the most senior reviewer
(usually the engagement partner) to confirm that this happens.
• Planning consists of a number of activities:
o Preliminary activities—such as compliance with ethical requirements, ensuring there are
misunderstandings between the client and the engagement team, etc.
o Planning activities—including the development of audit strategy and audit plan.

The audit strategy:

• The audit strategy sets the scope, timing and direction of the audit.
• Following are the matters that an auditor may consider in establishing the audit strategy:

• The audit strategy allows an auditor to determine the nature of resources to be deployed for
specific audit areas, when the resources are to be deployed and how the resources are directed
and supervised.

The audit plan:

• The strategy sets the overall approach to the audit and the plan fills in the operational details of
how the strategy is to be achieved.
• The audit plan should include specific descriptions of the nature, timing and extent of:
o The planned direction and supervision of engagement team members.

18 | P a g e
 o Risk assessment procedures.
o Further audit procedures such as what procedures are to be carried out, who will perform
them, how much work should be done and when the work should be done.
o Any other procedures.

Interim and final audit:

• For an interim audit to be justified, the client normally needs to be of a sufficient size because this
may increase costs. However, an interim audit should improve risk assessment and make final
procedures more efficient.
• It is important to note that the interim audit and final audit are two stages of the same audit. One
set of financial statements are audited. One auditor's report will be issued. The audit work however
is being performed in two stages—some work before the year end and some work after the year
end.
• Differences between interim and final audit:
• Timing:
o Interim audit: Conducted partway through the accounting year, before year-end. It provides
early identification of issues without interfering with year-end activities.
o Final audit: Performed after the year-end to ensure financial statements are filed on time.
Clients typically avoid scheduling this during the year-end to prevent disruptions.
• Purpose:
o Interim audit: Helps in spreading out audit procedures and planning for the final audit,
especially useful when there are tight deadlines.
o Final audit: Focuses on gathering sufficient evidence for issuing the auditor’s report,
marking the audit’s completion.
• Work performed:
o Interim audit: The focus is on documenting systems and evaluating controls to prepare for
the final audit. Auditors test specific transactions, such as purchasing new assets, and
review transactions like sales, purchases, and payroll up to the audit date. They assess
risks that could impact the final audit and attend perpetual inventory counts to ensure
accuracy in stock records.
o Final audit: Auditors concentrate on auditing year-end balances and testing transactions
that occurred after the interim audit. This includes reviewing year-end journal entries,
including adjustments to transactions tested earlier. They also verify that controls
examined during the interim audit continue to operate effectively. Additionally, they conduct
reviews for going concern, assess subsequent events, and communicate any findings or
misstatements with management and those charged with governance.
• Impact of interim audit work on final audit:
o If interim control testing shows low control risk, fewer substantive procedures are needed
in the final audit.
o Completing substantive procedures during the interim stage reduces the need for these
procedures later, making the final audit quicker.
o The auditor's report can be finalized closer to year-end, allowing for timely reporting to
shareholders.
o If the interim audit reveals increased risk (e.g., ineffective controls), more substantive
procedures will be necessary during the final audit.

Fraud and error:

• Fraud is an intentional act by one or more individuals among management, those charged with
governance, employees or third parties, involving the use of deception to obtain an unjust or illegal
advantage.

19 | P a g e
 • Fraud can be split in two ways: fraudulent financial reporting and misappropriation.
• An error can be defined as an unintentional misstatement in financial statements. including the
omission of amounts or disclosures.
• The primary responsibility for the prevention and detection of fraud rests with those charged with
governance and the management of an entity.
• The presence of an internal audit department may act as a deterrent to fraud in itself as there is a
greater chance of being discovered. The internal auditors shall test the effectiveness of internal
controls to prevent and detect fraud, perform fraud investigations, perform surprise asset counts
to identify misappropriation, etc.
• The external auditor's role, in respect to fraud, is to assess the risk of material misstatement due to
fraud and respond to the assessed risk.
• To assess the risk of fraud, auditors must ensure that financial statements are free from material
misstatement and maintain professional skepticism, acknowledging that fraud is possible
regardless of past experiences with a client. They should discuss potential risks with their team,
considering factors like incentives, weak controls, and management’s attitude. Auditors should
also ask management and relevant parties about their awareness of any suspected fraud and
analyze data for unusual patterns or relationships that could indicate fraud risks.
• To address assessed fraud risks, auditors should review journal entries for manipulation, focusing
on unusual adjustments and end-of-period entries. They must evaluate management estimates
for bias and analyze any unusual transactions for signs of fraudulent reporting. Auditors should
obtain written confirmations from management about their responsibilities regarding internal
controls and any known or suspected frauds. Even with thorough planning, some fraud may
remain undetected due to its concealed nature and factors like collusion among perpetrators.
• Auditors must promptly report any identified fraud to the appropriate management level
responsible for prevention and detection. If management is involved, the auditor should inform
those charged with governance. Concerns about governance integrity may require legal advice on
further actions. Auditors should also assess whether they need to report suspicions to external
parties, as legal obligations may take precedence over confidentiality. If the fraud materially
affects the financial statements, the audit opinion will be modified, and auditors must explain this
to shareholders.

Laws and regulations:

• Non-compliance—acts of omission or commission, either intentional or unintentional, committed
by the entity, which are contrary to the prevailing laws or regulations. Non-compliance does not
include personal misconduct unrelated to the business activities of the entity.
• It is the responsibility of the management with the oversight of those charged with governance to
ensure that the entity's operations are conducted in accordance with relevant laws and
regulations.
• An auditor is responsible to perform procedures to identify non-compliance with relevant laws and
regulations.
• The auditor may perform the following procedures to identify instances of non-compliance:
o Obtaining a general understanding of the legal and regulatory framework.
o Enquiring of management and those charged with governance.
o Inspecting correspondence.
o Remaining alert.
o Obtaining written representations.
• When the auditor finds out a possible instance of non-compliance, they should understand the
nature of the act and circumstances and obtain further information to evaluate the possible effect
of non-compliance.
• When non-compliance is identified, auditors should inquire with management about the penalties
that may be imposed. They should inspect correspondence with the regulatory authority to

20 | P a g e
 understand the consequences and review board minutes for discussions on actions to be taken
regarding the non-compliance. Additionally, auditors should consult the company's legal
department to assess the potential impact of the non-compliance.
• Auditors must report non-compliance to management and those charged with governance unless
prohibited by law or regulation. If the non-compliance is believed to be intentional and material, it
should be reported to governance bodies. In cases where management or governance is
suspected of involvement, the matter should be escalated to the audit committee or supervisory
board. If non-compliance materially affects the financial statements, the auditor should issue a
qualified or adverse opinion. Additionally, auditors should assess any legal or ethical obligations to
report non-compliance to third parties, such as regulatory authorities.

Quality management:
• ISA 220 requires audit firms to have a quality management system to ensure their audits are
conducted properly. This system should cover leadership, ethics, clients, resources, performance,
monitoring, and remediation.
• ISA 220 requires audit firms to ensure compliance with the ACCA Code of Ethics and Conduct. The
engagement partner must identify, evaluate, and address ethical threats, remain alert for breaches,
take appropriate action when necessary, and determine if ethical requirements have been fulfilled
before dating the auditor's report.
• ISA 220 requires audit firms to ensure sufficient and appropriate resources are assigned to the
engagement team. These resources include human resources (competent and capable team
members), technological resources (technology for meetings, communication, and automation),
and intellectual resources (audit methodologies, tools, guides, templates, and checklists). The
auditor must be careful not to rely too much on technological resources.
• Engagement performance is a critical aspect of audit quality. It involves the direction, supervision,
and review of the audit engagement:
o Direction entails informing team members of their responsibilities, which include
contributing to quality, maintaining a questioning mind, and fulfilling ethical requirements.
Team members should also understand the objectives of their work and address threats to
quality, such as budget or resource constraints.
o Supervision involves tracking the progress of the audit, addressing issues as they arise,
identifying matters for consultation, providing coaching, and creating a supportive
environment for team members.
o Review is the final stage of engagement performance. It involves assessing whether the
audit work was conducted in accordance with professional standards and policies,
appropriate consultations were held, the work supports the conclusions reached, the
evidence is sufficient and appropriate, and the objectives of the engagement procedures
were achieved. The engagement partner must review audit documentation at key points
throughout the engagement, focusing on significant matters, judgments, and other relevant
information.
• An engagement quality review (EQR) is a process where an independent reviewer checks the
important decisions made by the audit team and their conclusions before the final report is issued.
This reviewer can be a partner, another person in the firm, or someone from outside the firm who
has been appointed for this purpose.
• Listed entities and other high-risk clients must undergo an engagement quality review (EQR).
High-risk clients include those in the public interest, those facing unusual circumstances or risks,
and those required by law to have an EQR. For audits requiring an EQR, the engagement partner
must ensure an EQR reviewer is appointed, cooperate with the reviewer, discuss significant
matters with them, and refrain from dating the auditor's report until the EQR is complete.
Engagement quality reviewers cannot be part of the audit team and must possess the necessary
skills, time, and authority to perform the review while adhering to ethical standards and
regulations.

21 | P a g e
 • A monitoring and remediation process is essential for providing timely and reliable information
about the quality management system, enabling the firm to address deficiencies quickly. The firm
should establish quality objectives, assess quality risks, and design appropriate responses.
• Monitoring involves reviewing completed engagements based on risk and considering other
activities. The firm must evaluate any deficiencies' severity and investigate their root causes to
determine their impact. Remedial actions may include engaging experts or enhancing supervision.
If a deficiency does not affect audit quality, no further action is needed. Annual evaluations of the
quality management system are required, and identifying deficiencies does not necessarily mean
audit quality is compromised.

Audit documentation:
• Audit documentation serves to provide evidence for the auditor's report and demonstrate
compliance with ISAs and legal requirements. It assists the engagement team in planning and
conducting the audit, helps supervisors review the work, ensures accountability, and maintains
records for future audits. Additionally, it supports engagement quality reviews, monitoring
activities, and external quality inspections.
• Audit documentation must be clear enough for an experienced auditor, without prior involvement,
to understand the nature, timing, and extent of the audit procedures performed, the results and
evidence obtained, significant matters encountered, conclusions reached, and key professional
judgments made.
• Working papers should be completed in a timely manner, typically within 60 days after the
auditor's report date, and retained for the duration specified by national regulations, usually five
years from the report date.
• Audit documents include planning, programs, matters, representations, checklists,
correspondence, records.
• For large audits, key business information is often stored in a permanent file, which the audit plan
may reference or summarize. This permanent file typically includes details such as the names of
management, those charged with governance, and shareholders; information about systems;
background on the industry and the client's business; title deeds; directors' service agreements;
and copies of contracts and agreements.
• The audit work for a specific period is organized into a current file, typically divided into three
sections:
o Planning: The Audit Planning Memorandum is the main document in this section,
containing background information about the client, changes since the last audit, key
accounting policies, relevant laws and regulations, trial balance or draft financial
statements, preliminary analytical procedures, key audit risks, overall audit strategy,
materiality assessment, timetable, deadlines, staffing, budget, and locations to be visited.
o Performance: This section includes working papers such as lead schedules (total figures
matching financial statements), back-up schedules (sub-totals), and an audit work
program that details objectives being tested, work completed, sampling methods,
conclusions, and documentation of who performed and reviewed the work.
o Completion: Also known as the review stage, it involves several standard components,
including going concern and subsequent events reviews, final analytical procedures, an
accounting standards checklist, written representations from management, a summary of
adjustments, a summary of unadjusted misstatements, draft final financial statements, and
a draft report to governance and management.
• The auditor owns the audit working papers, which helps preserve their independence since access
is controlled by the auditor, not the client. It's essential to secure working papers because they
contain confidential and sensitive information. If lost or stolen, auditors may need to recreate the
evidence, incurring additional costs and risking breaches of confidentiality. Cases have occurred
where clients altered working papers to hide fraud.

22 | P a g e
 Evidence

Audit evidence:
• ISA 500 states that the objective of the auditor, in terms of gathering evidence, is 'to design and
perform audit procedures in such a way to enable the auditor to obtain sufficient appropriate audit
evidence to be able to draw reasonable conclusions on which to base the auditor's opinion.’
• Sufficiency relates to the quantity of evidence.
• Appropriateness relates to the quality or relevance and reliability of evidence.

Financial statements assertions:

• Assertions are claims made by management about the accuracy of financial statements, including
aspects like recognition, measurement, presentation, and disclosure of information, ensuring they
comply with relevant financial reporting standards. Auditors use these assertions to identify,
assess, and respond to possible errors or misstatements that could significantly affect the
financial statements.
• Assertions about classes of transactions and events, and related disclosures, for the period under
audit:
o Occurrence
o Completeness
o Accuracy
o Cut-off
o Classification
o Presentation
• Assertions about account balances and related disclosures at the period end:
o Existence
o Rights and obligations
o Completeness
o Accuracy, valuation and allocation
o Classification
o Presentation

Sources of audit evidence:

• Tests of control are audit procedures designed to evaluate the operating effectiveness of controls
in preventing, or detecting and correcting material misstatement.
• Substantive procedures are audit procedures designed to detect material misstatements at the
assertion level.
• The stronger the control system, the lower the control risk. This reduces the risk of material
misstatement in the financial statements.
• The focus of a test of control is not the monetary amount of a transaction. A test of control
provides evidence of whether a control procedure has operated effectively.
• The test of control itself does not test the figure within the financial statements, this is the purpose
of a substantive procedure.
• Substantive procedures consist of:
o Tests of detail: to verify individual transactions and balances.
o Substantive analytical procedures: involve analyzing relationships between information to
identify unusual fluctuations which may indicate possible misstatement.
• The auditor must always carry out substantive procedures on material items.

23 | P a g e
 • The auditor is required to carry out the following substantive procedures:
o Agreeing the financial statements to the underlying accounting records.
o Examination of material journals and other adjustments made in preparing the financial
statements.

Types of audit procedure:

• The auditor can adopt the following procedures to obtain audit evidence:
o Inspection of records, documents or physical assets.
o Observation of processes and procedures, e.g., inventory counts.
o External confirmation obtained in the form of a direct written response to the auditor from a
third party.
o Recalculation to confirm the numerical accuracy of documents or records.
o Reperformance by the auditor of procedures or controls. Analytical procedures.
o Enquiry of knowledgeable parties.
• Analytical procedures cannot be used in isolation and should be. coupled with other, corroborative,
forms of testing, such as enquiry of management.
• In order to use analytical procedures effectively, the auditor needs to be able to create an
expectation. It would be difficult to do this if operations changed significantly from the prior year.
• To use analytical procedures, the auditor must:
o Develop an expectation.
o Define the difference or threshold of variation which is considered acceptable.
o Calculate the difference between the recorded amount and expected amount.
o Investigate the differences which are greater than the acceptable level of variation
established in step 2.

Relying on the work of others:

• There are two types of experts an auditor may use:
o Management's expert—an employee of the client or someone engaged by the audit client
who has expertise that is used to assist in the preparation of the financial statements.
o Auditor's expert—an employee of the audit firm or someone engaged by the audit firm to
provide sufficient appropriate evidence.
• To rely on the work of a management expert, the auditor must evaluate the competence,
capabilities and objectivity of them. Furthermore, their work and the appropriateness of that work
as audit evidence must also be evaluated.
• Similarly, the auditor must evaluate an auditor expert's competence, capabilities and objectivity.
• Before relying on the work of internal audit, the external auditor must assess the effectiveness of
the internal audit function and assess whether the work produced by the internal auditor is
adequate for the purpose of the audit.
• The external auditor must evaluate the internal audit function, objectivity and competence of the
internal auditors, and the approach of internal auditors.
• To evaluate the work adequately, the external auditor must reperform some of the procedures that
the internal auditor has performed to ensure they reach the same conclusion.
• Note that the auditor is not required to rely on the work of internal audit. In some jurisdictions, the
external auditor may be prohibited or restricted from using the work of the internal auditor by law.
• External auditors can consider whether the internal auditor can provide direct assistance with
gathering audit evidence under the supervision and review of the external auditor.
• Key considerations to let the internal auditors to work include compliance with legal restrictions,
the competence and objectivity of internal auditors, and not assigning tasks with high risks of
material misstatement or significant judgment. Agreements with governance are needed to ensure
that the internal auditor’s role is not excessive.

24 | P a g e
 • When internal auditors provide direct assistance, written agreements must be in place, and
confidentiality must be maintained. The external auditor supervises and reviews the internal
auditor's work while being vigilant about objectivity risks. Proper documentation of evaluations,
decisions, agreements, and work reviews is required for transparency.
• If a company uses a service organization, audit evidence will need to be obtained from the service
organization instead of, or in addition to, the client. This needs to be considered when planning the
audit.
• Auditors can gather information about a service organization using various sources. One primary
method is through obtaining a Type 1 or Type 2 report from the service organization’s auditor. A
Type 1 report describes the design of controls at the service organization, with the service
auditor's opinion on their suitability. A Type 2 report includes additional details on the operating
effectiveness of these controls, along with tests of controls conducted by the auditor.
• When relying on these reports, auditors should assess the competence and independence of the
service auditor and the standards used for the report. Other methods of obtaining information
include direct contact with the service organization through the client, visiting the organization, or
using another auditor to perform specific procedures to evaluate the controls.
• When addressing assessed risks, the auditor should confirm if sufficient evidence is available from
the client. If not, they must either conduct further procedures themselves or use another auditor. If
relying on effective controls, obtaining a Type 2 report and verifying its relevance to the audit is
key. Auditors may also directly test controls or use another auditor for this task. Additionally, they
should ask the client about any reported or known frauds involving the service organization.
• If sufficient evidence is not obtained, the auditor may issue a qualified or disclaimer of opinion.
References to a service organization auditor's work are not typically included in the auditor's report
unless legally required or necessary for understanding a modified opinion. This does not alter the
external auditor's responsibility for their opinion.
• The use of a service organization provides several benefits to the audit, such as enhanced
independence since external evidence is seen as more reliable than client-generated evidence.
Additionally, the service organization’s specialized expertise can lead to greater competence and
fewer errors. It also allows the audit firm to potentially rely on direct information from the service
organization’s auditors.
• A key drawback of using service organizations is limited access to records and information. While
auditors have the right to access the client’s records, they do not have the same authority over
third-party service organizations. If access is restricted, it can limit the auditor’s work scope,
potentially leading to a modified audit opinion if evidence remains insufficient.

Selecting items for testing:

• The auditor has three options:
o Select all items to test (100% testing).
o Selecting specific items for testing—e.g., high value items, all items over a certain amount,
items to obtain information, etc. Note that this is not sampling.
o Sampling.
• Sampling is the application of audit procedures to less than 100% of items within a population of
audit relevance such that all sampling units have a chance of selection in order to provide the
auditor with a reasonable basis on which to draw conclusions about the entire population.
• A sample must be representative of the whole population—it should have the characteristics that
the other items in the population have. For this, stratification can be used which is a process of
breaking down a population into sub-populations having similar characteristics.
• Statistical sampling is the approach which used random selection of samples and the probability
theory:
o Random selection—this can be achieved through the use of a random number generator or
table.

25 | P a g e
 o Systematic selection—where a constant sampling interval is used (e.g., every 50th balance)
and the first item is selected randomly.
o Monetary unit selection—selecting items based upon monetary values (usually focusing on
higher value items).
• Non-statistical sampling is the approach having no characteristics on statistical sampling:
o Haphazard selection — the auditor does not follow a structured technique but avoids bias
or predictability.
o Block selection — this involves selecting a block of contiguous items from the population
(i.e., next to each other). To reduce sampling risk, many blocks should be selected as valid
references cannot be made beyond the period or block examined.

Automated tools and techniques:

• Test data involves auditors using ‘dummy’ data to check if a client’s system processes information
accurately and controls errors. It includes both correct and incorrect data, like non-existent codes
and transactions over limits. Testing can occur during regular operations (live data) or separately
(dead data), each with specific benefits and drawbacks.
• The main advantages of using test data include the ability to test programmed controls that might
not be assessable otherwise. Additionally, once the test data is designed, the cost of conducting
the tests remains low unless significant changes to the programmed controls necessitate
redesigning the test data.
• There are drawbacks of using test data, such as the risk of corrupting the client’s systems when
using live data. Additionally, testing in a live environment requires time spent on the client’s
system, which may be inconvenient for their operations. Dead testing avoids interference but may
not accurately reflect the system’s performance under normal conditions.
• Audit software is a tool used to examine a client's financial system. It can be either pre-made or
customized for specific needs. This software automates tasks like selecting samples, identifying
risks, and performing calculations, which would be time-consuming to do manually. By analyzing
large amounts of data, audit software helps auditors identify potential issues and assess the
accuracy of financial records. However, it's important to note that this software is a tool and
doesn't replace the need for human judgment and expertise.
• Audit software offers several benefits to auditors. It can significantly speed up the process of
calculations and report generation, saving time and effort. Additionally, it allows for the testing of a
larger number of transactions compared to manual methods, providing a more comprehensive
audit. By working directly with computer files, the software reduces the risk of errors associated
with manual data entry and calculations. Furthermore, while there might be initial setup costs,
audit software can be cost-effective in the long run due to increased efficiency and reduced
manual labor.
• Audit software also has some drawbacks. Customized software can be expensive to develop and
implement, especially if it requires specific features tailored to a client's needs. Moreover, staff
may need training to use the software effectively, adding to the overall cost. The software could
also potentially slow down or even damage the client's systems if not properly configured or used.
Additionally, if the software is designed incorrectly, it might miss important issues, leading to
inaccurate audit results.
• Integrated test facilities create dummy data to test the system without affecting real records.
• Embedded audit software is built into the client's system to monitor transactions and identify
potential issues.
• Data analytics (DA) involves analyzing patterns and inconsistencies in data to support audit
planning and execution. It allows auditors to work with large data sets, including entire data
populations rather than samples. DA can help identify risks, test controls, and perform substantive
procedures, using a broader range of data sources like social media and industry data, with results
evaluated using the auditor’s judgment.

26 | P a g e
 • Data analytics enhances audit quality by providing a deeper understanding of the entity, which
improves the auditor’s professional skepticism and judgment. It allows for the analysis of
complete data sets, reducing sampling risk, and enables faster, continuous audit procedures with
more time for analysis. Additionally, results can be visualized for easier interpretation, and
reporting can be timelier, with audits potentially completed within weeks. This approach can lead
to more frequent client interactions and greater audit efficiency, though it may reduce the auditor’s
fees due to fewer billable hours.
• Data analytics has limitations that auditors must consider to avoid compromising audit quality.
The effectiveness of DA relies on the reliability of the underlying data, which may be incomplete or
from untrustworthy sources. Additionally, financial statements often include significant estimates,
and DA cannot substitute for the professional skepticism and judgment required by auditors.
Consequently, even when analyzing 100% of a data population, auditors can still only provide
reasonable assurance.

27 | P a g e
 Systems and Controls

Effect of controls on the audit:

• Low control risk: When an auditor assesses control risk to be low, they can place more trust in the
company's internal controls and the evidence generated within. This allows for more reliance on
interim testing and a reduction in detailed substantive procedures at the final audit stage. The
audit strategy and plan are adjusted accordingly to reflect the decreased need for substantive
procedures or smaller sample sizes.
• High control risk: Conversely, if control risk is deemed high, the auditor must increase the scope
and intensity of their audit procedures. This includes conducting more tests both during and after
the year-end, increasing the level of substantive procedures, especially tests of detail, and
expanding the geographic locations included in the audit. Additionally, the auditor should place
less reliance on the company's systems and management representations. Instead, they seek
more evidence from external sources like confirmations from customers and suppliers. The audit
strategy and plan are updated to accommodate the increased testing requirements at the final
audit stage.
• Limitations of internal control:
o Human error
o Ineffective controls
o Collusion of staff
o The abuse of power by those with ultimate controlling responsibility (management)
o Use of management judgement on the nature and extent of controls it chooses to
implement

Components of internal control:

• For an auditor to understand an entity's internal controls, the ISA has identified five components
including the control environment, risk assessment process, information system, control activities
and monitoring.
• The control environment forms the foundation for an organization’s internal control system,
influencing the overall tone and culture regarding internal controls. It encompasses the
governance and management functions, emphasizing management’s attitudes, awareness, and
actions in implementing and monitoring controls. Key aspects include management’s commitment
to integrity, the independence and oversight exercised by those in governance roles, the
assignment of authority and responsibility, the recruitment and development of competent
personnel, and accountability measures.
• When assessing the control environment, auditors consider management's response to internal
audit findings and any actions taken to address control deficiencies. Evidence for evaluating the
control environment is gathered through inquiry, observation, and the review of documents like
codes of conduct and organizational charts.
• The entity’s risk assessment process involves identifying, assessing, and addressing business
risks that could affect financial reporting. The auditor needs to understand this process, focusing
specifically on risks that could lead to misstatements in the financial statements. The
appropriateness of the process is evaluated based on the entity's nature and complexity. Key risks
include changes in information systems, rapid growth, new accounting requirements, data
integrity, and IT-related disruptions.
• A robust risk assessment process by the entity can reduce the overall risk of misstatements. If the
auditor finds that management has not identified certain risks, they should investigate why the
process failed and consider the implications for the audit. Understanding this process helps the
auditor assess how effectively the entity manages risks related to accurate financial reporting.

28 | P a g e
 • The entity’s process to monitor internal controls involves regularly assessing their effectiveness
and making necessary adjustments. Monitoring can be ongoing or through separate evaluations,
often with the internal audit function playing a key role. This process ensures that controls remain
effective and responsive to changes over time.
• The information system and communication component include all activities and policies related
to financial reporting, encompassing both computerized and manual procedures. It involves
processes for initiating, recording, processing, and reporting transactions, maintaining
accountability for assets, liabilities, and equity, and handling errors or overrides. Additionally, it
ensures that information is accurately transferred to the general ledger and that relevant events
and disclosures are properly captured and reported. This system supports accurate and timely
financial reporting.
• Control activities are the policies and procedures designed to ensure that management’s control
objectives are met. These activities include actions like authorizations to validate transactions,
reconciliations for accuracy, verifications to ensure completeness, and physical or logical controls
to protect assets and data. Segregation of duties is another key control activity, reducing the risk
of fraud by ensuring no single individual can execute and conceal errors or fraud during their
duties. These activities help maintain the integrity and reliability of the entity's financial reporting.
• A control objective identifies the risk that the entity needs to manage (i.e., the reason for a control
procedure or activity being required).
• Controls may be direct or indirect. A direct control addresses the risk of material misstatement at
the assertion level. Indirect controls support the direct controls.
• IT risks vary depending on how complex an entity’s technology is, from basic data entry systems
to advanced ones like blockchain. Auditors need to identify these risks and assess the controls in
place.
• IT controls include general controls and information processing controls. General controls ensure
the IT environment runs smoothly, covering access management, program changes, and system
operations. Information processing controls focus on data accuracy and can be automated or
manual, such as checks for correct data entry, sequence completeness, and transaction
authorization. Both types of controls are necessary to maintain data integrity and ensure accurate
information.

Ascertaining the systems:

• The auditor may obtain evidence regarding the design and implementation of controls by enquiring
the personnel, observing the application of controls, a walkthrough test and inspecting documents.
• The auditor may also use the client's existing knowledge about the controls. However, they mustn't
rely on this knowledge solely as the controls change by time.
• For controls which do not address a significant risk, the auditor must test the control at least once
every third audit.

Documenting client’s systems:

• The auditor must document the client's system before evaluating whether the system is working
effectively. Possible ways of documenting are discussed below.
• Narrative notes—a written description of a system.
• Flowcharts—a diagrammatical representation of the system.
• Questionnaires—a prepared list of questions in relation to the client's control system. There are
two types of questionnaires that can be used:
o Internal Control Questionnaire (ICQ)—a list of controls is given to the client and they are
asked whether or not those controls are in place.
o Internal Control Evaluation Questionnaire (ICEQ)—the client is asked to describe the
controls they have in place for a given control objective.

29 | P a g e
 • Organization chart—a diagram showing reporting lines, roles and responsibilities.

Testing the system:

• Testing controls: Auditors only test controls that are designed and implemented effectively to
prevent or detect material misstatements. Testing methods include observation, inspection of
documents, and using test data.
• Designing valid tests: To design valid tests, auditors must identify the controls they want to test. A
control is an additional activity to ensure the system operates as intended. Simply finding no
errors doesn't prove controls are working effectively. Auditors should reperform procedures and
look for evidence of actual control implementation.

Communicating control deficiencies:

• ISA 265 requires auditors to communicate deficiencies in internal controls to management and
those charged with governance. Deficiencies occur when a control is not designed, implemented,
or operated effectively to prevent or detect misstatements, or when a necessary control is missing.
Significant deficiencies are those that warrant the attention of those charged with governance.
• To determine if a deficiency is significant, auditors should consider:
o The likelihood of the deficiency leading to material misstatements.
o The susceptibility of related assets or liabilities to loss or fraud.
o The complexity and subjectivity of determining estimated amounts.
o The financial statement amounts exposed to the deficiency.
o The volume of transactions affected by the deficiency.
o The importance of the controls to the financial reporting process.
o The frequency and cause of exceptions detected due to the deficiency.
o The interaction of the deficiency with other internal control deficiencies.
• The auditor will send a report to the company's management after the audit is finished. This report
will list any problems found in the company's control systems and suggest ways to fix them. The
report will also say that it is not a complete list of problems, and that it is only for the company's
use. The auditor will not be responsible for any problems that happen to other people.
• The appendix of the cover letter should list each deficiency found in the company's control
systems and suggest ways to fix them. For each deficiency, the appendix should clearly explain
what is wrong and the potential consequences if it is not fixed. It should also provide specific
recommendations for how to fix the deficiency, including who should be responsible for
implementing the new control and how often it should be performed.

Sales system:
• The stages of the sales system are: order received -> goods dispatched -> invoice sent ->
transactions recorded in books -> cash received.
• The objectives of controls in the sales system are to ensure that goods are only supplied to
creditworthy customers, all orders are processed and dispatched promptly and in full to the correct
customers, and all goods dispatched are accurately invoiced. Furthermore, only valid sales are
recorded, sales and receivables are recorded accurately and in the correct accounts, revenue is
recorded in the correct period, cash received is allocated to the correct customer and invoices,
overdue debts are followed up on, and irrecoverable debts are identified and written off
appropriately.

30 | P a g e
Purchase system:
• The stages of the purchase system are: order placed -> goods received -> invoice received ->
transactions recorded in books -> cash payments.
• The objectives of controls in the purchases system are to ensure that all purchases are made with
approved suppliers for valid business purposes, orders are placed with consideration of delivery
lead times, only ordered goods are accepted and recorded promptly, invoices received are related
to the company and the goods received, and invoices are accurate in terms of quantities, prices,
and discounts. Furthermore, all purchases and related payables are recorded accurately and in the
correct period and accounts, and that payments are only made for goods received, made once, and
made on time.

Payroll system:
• The stages of the payroll system are: clock cards submitted and input -> gross pay, deductions
and net pay calculated -> other amendments put -> final payroll calculated and pay slips produced
-> payments to employees and tax authorities -> payroll costs and payments recorded.
• The objectives of controls in the payroll system are to ensure that employees are only paid for the
work they actually do, only genuine employees are paid, employees are paid at the correct rates,
payroll calculations are accurate, standing data is up-to-date and access is restricted, all payroll
amounts are recorded accurately and on time, payroll costs are recorded in the correct period, and
payments to employees and tax authorities are made in correct amounts and on time to valid
employees.

Inventory system:
• The stages of the inventory system are: goods received/goods dispatched -> receipt
recorded/dispatch recorded -> movements posted to inventory ledger.
• The objectives of controls in the inventory system are to ensure that inventory levels are adequate
to meet production and customer needs, but not excessive to avoid obsolescence and
unnecessary storage costs. Inventory should be protected from theft, loss, and damage, and all
inventory transactions should be recorded accurately and on time. Additionally, inventory should
be valued appropriately, and only inventory owned by the company should be recorded.

Bank and cash system:

• The stages of the bank and cash system are: request for payment -> payment authorization ->
payment made/ receipts -> payments and receipts recorded.
• The objectives of controls in the cash cycle are to ensure that petty cash levels are kept low to
prevent theft, payments are only made for legitimate business expenses, cash is only withdrawn
for business purposes, cash is safeguarded to prevent theft, receipts are deposited promptly to
prevent theft, and cash movements are recorded accurately and on time.

31 | P a g e
 Internal Audit

The need for internal audit:

• Internal audit is an independent assurance and consulting activity that enhances an organization’s
operations by evaluating the effectiveness of its internal controls. While not legally required,
having an internal audit department is considered best practice, particularly in larger and more
complex organizations where there is a higher risk of control failures due to delegation of
responsibilities.
• The necessity for internal audit depends on several factors: the scale and diversity of activities, the
complexity of operations, the number of employees (which increases the risk of fraud), cost-
benefit considerations, management’s desire for assurance on risks and controls, and the existing
control environment, especially if there is a history of fraud or deficiencies. Overall, internal audit
plays a critical role in monitoring and improving organizational effectiveness and governance.

The difference between internal and external auditors:

• Objective:
o EA: To express an opinion on the truth and fairness of financial statements in a written
report.
o IA: To improve the company's operations by reviewing the efficiency and effectiveness of
internal controls.
• Reporting:
o EA: Reports to shareholders.
o IA: Reports to management or those charged with governance.
• Availability of Report:
o EA: Reports are publicly available.
o IA: Reports are not publicly available and are usually seen only by management or those
charged with governance.
• Scope of Work:
o EA: Focuses on verifying the truth and fairness of financial statements.
o IA: Has a wider scope dependent on management's requirements.
• Appointment and Removal:
o EA: Appointed by the shareholders of the company.
o IA: Appointed by the audit committee or board of directors.
• Relationship with Company:
o EA: Must be independent of the company.
o IA: May be employees (limiting independence) or an outsourced function (enhancing
independence).

The role of the internal audit function:

• The internal audit function plays a crucial role in assessing and enhancing an organization’s
operations based on its specific requirements. Key activities include evaluating corporate
governance best practices, assessing risk identification and management processes, testing
internal controls, and ensuring the reliability of financial and operational information. Internal
auditors also examine the efficiency and effectiveness of operations, ensuring compliance with
relevant laws and regulations, and provide recommendations to prevent and detect fraud. These
tasks contribute to management's efforts to meet corporate governance standards.

32 | P a g e
 • In addition to these core responsibilities, internal audit teams may undertake various ad hoc
assignments as directed by management. These can include fraud investigations, where auditors
detect fraud and identify perpetrators, as well as IT systems reviews to assess controls within the
computer environment. They may also conduct mystery shopper visits to evaluate customer
service in retail settings, perform contract audits to ensure compliance with contractual terms, and
carry out asset verifications to confirm the existence of non-current assets. Furthermore, internal
audit staff can assist external auditors with their procedures, thereby enhancing the overall audit
process.
• An effective internal audit function has several key qualities. It should be well-resourced, with
qualified staff and organized work practices. Independence and objectivity are crucial for unbiased
assessments of operations. The chief internal auditor must be appointed by the audit committee
to reduce management bias, and the department should have no operational responsibilities to
avoid conflicts of interest. The audit committee sets the work plan, and internal auditors should
have unrestricted access to all organizational areas.
• However, internal audit functions face limitations that can hinder effectiveness. Internal auditors,
as employees of the organization, may hesitate to raise critical issues due to job security
concerns. In smaller organizations, they may be part of the finance function, leading to reluctance
in reporting deficiencies within their department. Familiarity with colleagues can also create bias.
To address these limitations, strategies include establishing separate reporting channels from
management, conducting independent reviews of internal audit work, and considering outsourcing
the internal audit function to a third-party professional.

Internal audit assignments:

• The Value for Money (VFM) assignment evaluates how organizations can achieve the best
services for minimal resources, focusing on Economy, Efficiency, and Effectiveness. Auditors
compare VFM across organizations using performance indicators, particularly in the not-for-profit
sector.
• An operational audit systematically reviews an organization's processes to assess their efficiency
and effectiveness, aiming to identify opportunities for streamlining. The focus is on enhancing
process efficiency to improve profitability.
• The audit of IT systems involves evaluating their reliability for financial statement preparation and
assessing internal controls to minimize misstatement risks. While external auditors focus on these
aspects, internal auditors take a broader approach by examining whether the organization is
getting value for money from its IT systems, the effectiveness of the procurement process, and the
appropriateness of ongoing management and maintenance. Additionally, internal auditors conduct
project audits to determine if specific project objectives, such as implementing new IT systems,
have been successfully achieved.
• A financial audit aims to ensure the accuracy, completeness, and timeliness of financial
information, which is crucial for decision-making and meeting the needs of investors and trading
partners. Internal financial audits focus on verifying the reliability of the information produced, as
unreliable data can lead to poor executive decisions.

33 | P a g e
Reporting:
• Internal audit reports differ from independent external audit reports in that they lack a formalized
reporting structure. The format of these reports is typically agreed upon with the audit committee
or board of directors before the assignment begins, and they are generally intended for internal use
only. However, external auditors may review these reports if they plan to rely on the work of the
internal audit team.
• A typical internal audit report includes several key components:
o It starts with terms of reference that outline the assignment's requirements,
o followed by an executive summary highlighting the key risks and recommendations.
o The body of the report provides a detailed account of the work performed and its results.
o Finally, an appendix contains any relevant additional information that does not fit within the
main body of the report.

34 | P a g e
 Procedures

Exam focus:
• An audit procedure should be a clear instruction of how the audit evidence is to be gathered.
• It should contain an ACTION applied to a SOURCE to achieve an OBJECTIVE.
• In other words, it should describe what needs to be done, how it should be done and why it should
be done.
• There are several ways to design audit procedures:
o Identify the financial statement assertion to be tested.
o Identify the sources of evidence available.
o Identify the types of procedure the auditor can use from ISA 500.

Directional testing:
• Directional testing is based on the principle of double-entry bookkeeping, where every debit has a
corresponding credit, and it aims to reduce over-auditing for a more efficient audit process.
• By applying this concept, an error in a debit entry implies an error in a corresponding credit entry,
such as testing payables for understatement, which also tests expenses for understatement.
• Auditors must apply directional testing both forward (checking for understatement) and in reverse
(checking for overstatement) to ensure accuracy.
• Testing for understatement involves selecting samples outside the accounting system and tracing
them through to financial statements to verify completeness and accuracy. For example, auditors
might trace goods dispatch notes to sales invoices to confirm completeness.
• Testing for overstatement, on the other hand, involves verifying recorded figures by checking
financial statements against supporting documents to ensure existence and accuracy, such as
confirming sales figures in the statements with sales invoices and related documents.

Bank and cash:

• The key assertions for bank and cash are existence and valuation.
• Sources of evidence:
o Bank confirmation letter
o Bank reconciliation
o Bank ledger account
o Bank statements
• The balance in the bank ledger should match the financial statements, with any timing differences
explained through reconciliation.
• Bank confirmation letters, considered reliable, provide third-party verification of bank balances,
with client consent needed for release. These requests should be sent at least two weeks before
the client’s year-end.
• If cash is material or fraud is suspected, a cash count should be done to verify existence, with all
balances counted simultaneously to prevent manipulation. Auditors must be accompanied by
client staff during counts to avoid allegations and record details like location, amounts, staff
present, and date.

35 | P a g e
Non-current liabilities:
• The key assertions for liabilities are completeness and valuation.
• Sources of evidence:
o Loan agreement
o Bank ledger account
o Bank statements
o Bank confirmation letter
• Loan balances must be fully recorded and correctly valued in the financial statements, with proper
allocation between current and non-current portions based on repayment timelines.
• The bank confirmation letter provides details on outstanding loans, accrued interest, and any
related security. Third-party evidence, such as the bank confirmation letter and original loan
agreement, supports the accuracy of these balances.
• The procedures for auditing loans include verifying the completeness and accuracy of loan
balances by reconciling them with bank confirmation letters and financial statements. This
involves checking for any unlisted loans, inspecting security details over assets, and ensuring
proper disclosures of interest rates and loan splits between current and non-current portions.
Auditors must recalculate these splits for accuracy and evaluate any loan covenant breaches,
which could affect liability classification.
• The bank ledger account is reviewed for loan repayments to ensure accuracy and valuation.
• Finance costs are checked for accuracy in the profit or loss statement, including interest charges
and accruals.

Non-current assets:
• For non-current assets, the key assertions are existence, valuation, completeness, and rights and
obligations.
• Sources of evidence:
o Non-current asset register
o Purchase invoices (additions)
o Sales invoices/asset disposal forms (disposals)
o Bank statements and bank ledger account
o Physical assets
o Ownership documents including title deeds and registration documents
o Depreciation policy and rates
o Asset expenditure budgets/asset replacement plans
• Non-current assets must exist, be fully recorded, accurately valued, and properly owned or
controlled.
• Auditors need evidence for existing assets, new additions, disposals, revaluations, depreciation,
and related disclosures such as asset notes, depreciation policies, useful lives, and revaluations.

Intangible non-current assets:

• The key assertion for development cost is existence.
• Sources of evidence:
o Breakdown of expenditure during the year
o Purchase invoices
o Bank statements and bank ledger account
o Timesheets
o Development expenditure/project plans
o Project test/trial results

36 | P a g e
 o Cash flow forecasts
o License agreement
o Third-party valuation report (e.g., for brand names and trademarks)
o Amortization policy and rates
• Development costs can only be capitalized as intangible assets if they meet the recognition criteria
of IAS 38. The audit focuses on ensuring that the treatment of these costs aligns with these
requirements.
• The audit procedures for development costs and other intangible assets focus on ensuring
valuation, existence, and compliance with IAS 38.
• They include verifying a breakdown of capitalized costs for accuracy, matching sample costs to
invoices or timesheets, and checking project documentation for compliance. Inspecting board
minutes, project discussions, and financial feasibility is crucial for confirming existence.
• Disclosures in financial statements are reviewed for accurate presentation.
• For other intangibles, purchase documentation and valuation reports are examined to confirm
existence, rights, obligations, and valuation.
• Amortization is assessed by comparing forecasts with the amortization policy, recalculating
charges for accuracy, and ensuring that license-related amortization aligns with the license period.

Inventory:
• The key assertions for inventory are existence, valuation, completeness and rights and obligations.
• Sources of evidence:
o Aged inventory listing
o Inventory assets
o Inventory count sheets
o Purchase invoices
o Goods received notes
o Sales invoices
o Goods dispatch notes
o Client calculations of overhead allocation, absorption and apportionment and percentage of
completion for work-in-progress
• Inventory must exist, be fully recorded, properly valued, and owned or controlled by the entity.
• Auditing involves two main aspects: verifying quantity through inventory counts and assessing
valuation.
• The auditor attends the inventory count if inventory is material, as required by ISA 501, to observe
procedures, inspect inventory, and confirm count accuracy.
• Inventory counts can be full year-end counts or done through a perpetual inventory system.
• Full year-end counts involve counting inventory at the end of the financial year, with adjustments
for movements around the count date.
• A perpetual system updates inventory in real-time, with periodic counts to reconcile system and
actual quantities.
• Controls over inventory counts include segregation of duties, ensuring no inventory movement
during the count, avoiding duplication, excluding third-party inventory, and counting all storage
locations.
• Adequate controls and adjustments help ensure accurate inventory records for financial reporting.
• During inventory counts, cut-off procedures are essential to ensure that the count is not impacted
by ongoing goods movements, such as dispatches and deliveries.
• Ideally, inventory movements should halt during the count. However, in organizations with
continuous operations, it’s advisable to relocate items scheduled for dispatch to a different area
before the count. Deliveries should also be directed elsewhere to minimize disruptions.
• Any items delivered during the count can be separately counted and added to the total afterward,
ensuring accuracy in reporting inventory completeness and existence.

37 | P a g e
 • For clients storing third-party inventory, robust procedures must prevent this inventory from being
recorded as the client's own.
• Third-party items should be clearly identifiable and ideally relocated to avoid unintentional
inclusion in the client’s inventory records.
• Similarly, when clients use third-party storage facilities, the inventory stored there must still be
included in their records, necessitating auditor verification of ownership and existence through
external confirmations and site visits if material.
• In the final audit, auditors must perform procedures that address various assertions, including cut-
off, valuation, rights and obligations, classification, and presentation.
• These procedures should be tailored to the specific types of inventories, such as raw materials,
work-in-progress, and finished goods.
• If a standard costing system is employed, additional verification procedures will be required to
ensure accurate inventory valuation and reporting.

Receivables:
• The focus of testing for receivables is valuation and existence.
• Sources of evidence:
o Aged listing of individual customers
o Sales invoices
o Goods dispatch note
o Receivables circularization letter
o Post-year-end bank statements
o Policy for allowance for doubtful receivables
• It is essential that the receivables balance in the financial statements exists and is accurately
stated.
• Overstatement of receivables can occur if irrecoverable amounts are not written off or if doubtful
receivables are not appropriately adjusted. Therefore, audit procedures should gather evidence
about the recoverability of outstanding amounts as of the year-end.
• One reliable method to verify the existence of receivables is through circularization, where the
auditor sends letters to a sample of customers requesting confirmation of their outstanding
balance. This process provides documentary evidence from an external source, which is
particularly useful for verifying existence but not valuation since customers typically only confirm
the transaction amount without indicating their intention to pay.
• Circularization can be positive or negative; positive requests require a response regardless of
agreement with the balance, while negative requests only require a response if there is a
disagreement, which is suitable only when the risk of material misstatement is low.
• To conduct positive circularization, the auditor must first obtain client consent and prepare a list of
customers with outstanding balances, ensuring it reconciles with the trade receivables account.
• A sample of customers should be selected, including various types of balances. The circularization
letters should be prepared on the client's letterhead and signed by an appropriate staff member,
such as the finance director, before being sent to customers, with replies directed to the auditor. If
no responses are received, follow-up actions should include sending another letter or making
phone calls, and alternative procedures like testing cash receipts may be necessary. When replies
are obtained, they should be reconciled with the client's records, and any discrepancies should be
further investigated.
• ISA 505 emphasizes the auditor's responsibility to control external confirmation requests. This
involves preparing confirmation letters, determining the required information, selecting the sample
of customers to contact, and sending the requests to them.
• Prepayments represent goods or services that a company has paid for in advance and should be
recorded as receivables in the financial statements.

38 | P a g e
 • To verify the existence of prepayments, auditors should inspect bank statements and the bank
ledger to ensure payments were made before the year-end and review invoices to confirm that
these payments relate to goods or services that have not yet been received.
• To confirm valuation, the auditor should recalculate the prepaid amounts to verify their
mathematical accuracy.
• Additionally, comparing prepayments with the previous year can help identify any missing items or
new prepayments that may require further testing, addressing assertions of existence, valuation,
and completeness through an analytical procedure.

Payables and accruals:

• The primary focus of testing for payables and accruals is on completeness.
• Sources of evidence:
o Aged listing of individual suppliers
o Purchase invoices
o Goods received notes
o Post-year-end bank statements
o Supplier statements
o Supplier circularization (where supplier statements are not available)
• It's crucial for the payables balance in the financial statements to be complete, as any unrecorded
liabilities related to purchases will result in understated payables.
• Auditors will obtain third-party evidence through supplier statements and circularization letters to
confirm the completeness of these liabilities.
• When auditing trade payables, several procedures are implemented to ensure completeness,
existence, and proper classification in the financial statements.
• Initially, auditors obtain a list of individual suppliers at year-end, verifying its accuracy and
reconciling it with the general ledger and financial statements. This includes reconciling the total
supplier list with the trade payables account to confirm completeness.
• Supplier statements are then obtained and reconciled with the individual balances, where
discrepancies are investigated to ensure obligations and valuation are accurate.
• After-date payments and invoices received post-year-end are inspected to ascertain
completeness, while management is questioned about their process for identifying received goods
that have not yet been invoiced.
• For accruals, auditors start by obtaining the list of accruals, ensuring its mathematical accuracy
and agreement with the general ledger and financial statements.
• They recalculate a sample of accrued costs, referencing contracts and payment schedules to
validate the amounts recorded.
• Post-year-end invoices are inspected to confirm the accuracy of accruals, and comparisons are
made to the previous year’s accruals to identify any unusual fluctuations or omissions, ensuring
completeness and appropriate valuation.

Provisions and contingencies:

• According to IAS 37 on Provisions, Contingent Liabilities, and Contingent Assets, a provision must
be recognized by an entity when a present obligation arises from a past event, payment is deemed
probable (more likely than not), and the amount can be reliably estimated.
• If a payment is merely possible, it should be classified as a contingent liability and disclosed in the
financial statement notes.
• Conversely, a contingent asset can only be recognized if it is virtually certain to be received; if it is
probable but not certain, disclosure is required, and if the likelihood is only possible, it should be
ignored.

39 | P a g e
 • When auditing provisions and contingent liabilities, the focus is on determining whether an
obligation exists, whether payment is likely, and if the provision is accurately valued.
• Completeness is a critical assertion, as companies may understate liabilities to enhance their
financial standing.
• For contingent assets, audit procedures will evaluate whether the inflow of economic benefits is
virtually certain or probable, and whether the asset is valued correctly, emphasizing the
importance of existence.
• Examples of contingent assets include amounts expected from insurance claims, legal claims, or
receivables from a liquidator concerning investments or bankruptcies.
• When auditing provisions and contingent liabilities, several key procedures are implemented to
ensure accuracy and compliance with financial reporting standards.
• First, auditors obtain a breakdown of provisions, cast it to verify accuracy, and ensure it aligns with
the financial statements.
• They also inquire with directors or review relevant documentation to confirm the existence of a
present obligation at year-end, addressing rights and obligations.
• Inspecting board minutes helps ascertain whether payment is probable, contributing to the
existence assertion.
• Auditors recalculate the liability and check its components against supporting documentation to
ensure completeness.
• They review post-year-end bank statements to identify any payments made, comparing these to
the provided amounts to evaluate the reasonableness of the provision, focusing on valuation.
• Additionally, the financial statement disclosure of provisions and contingent liabilities is reviewed
to confirm compliance with IAS 37 regarding presentation.
• Finally, obtaining a written representation from management assures auditors that the provisions
and contingent liabilities are treated appropriately, valued correctly, and complete.
• When auditing contingent assets, several key procedures are followed to ensure their existence
and accurate valuation in the financial statements.
• First, auditors review correspondence from relevant third parties—such as lawyers, insurance
companies, and insolvency practitioners—to assess the likely value to be received and the
probability of payment.
• They then verify that this figure aligns with the disclosure notes regarding the contingent asset,
focusing on existence, accuracy, valuation, and presentation.
• Next, auditors examine additional correspondence confirming any amounts awarded to the client,
comparing these figures to other receivables and income within the financial statements to ensure
accuracy, valuation, existence, rights and obligations, and proper presentation.
• Finally, they review post-year-end bank statements and the bank ledger account to confirm any
amounts received, checking for accuracy, valuation, existence, rights and obligations, and
presentation.
• According to ISA 501, auditors must identify potential litigation risks by inquiring management and
reviewing meeting minutes and legal expenses.

Accounting estimates:
• Accounting estimates are inherently risky due to their reliance on future events and limited
documentary evidence. This risk is heightened by management's judgment, which can lead to
potential manipulation of financial results. Therefore, auditors must exercise professional
skepticism to assess the reasonableness of these estimates and ensure they do not bias the
financial statements.
• According to ISA 540, auditors should understand the context surrounding accounting estimates,
including the entity's financial reporting framework, regulatory factors, and internal controls
related to estimates. This includes understanding how management reviews past estimates and
governs the financial reporting process.

40 | P a g e
 • Auditors need to separately evaluate inherent and control risks related to these estimates.
• Inherent risk assessment should focus on estimation uncertainty, the complexity and subjectivity
of the methods and assumptions used, and how management selects its point estimates.
• To address potential material misstatement, auditors should gather evidence from subsequent
events, test management's estimation processes, and develop their own point estimates or ranges
for comparison.

Share capital:
• Sources of evidence:
o Share register
o Share certificates
o Bank statements and bank ledger account
o Board minutes
o Registrar of companies (e.g., Companies House)
• To verify share capital, auditors should confirm authorized share capital against shareholding
agreements, check bank records for cash received from share issues, and review board minutes to
validate the amount of share capital issued during the year.

Dividends:
• Sources of evidence:
o Board minutes
o Bank statements and bank ledger account
o Dividend warrant
• Auditors should review board minutes to confirm dividends declared before year-end, check bank
statements to verify dividends paid, and inspect dividend warrants to validate payment amounts.

Director’s emoluments:
• Sources of evidence:
o Directors’ service contracts
o Board minutes
o Bank statements and bank ledger account
o Payroll records
o Written representation from management
• Auditors should compile and verify a schedule of directors’ remuneration, including wages,
bonuses, benefits, and pension contributions, against financial statements.
• They should inspect payroll records for accuracy, check bank statements to confirm payments to
directors, review board minutes for approval of bonuses or additional remuneration, and obtain
written confirmation from directors regarding full disclosure of their remuneration.

Reserves:
• To audit reserves, the auditor should verify that opening reserves match the prior year's closing
reserves and reconcile any movements.
• They should also confirm changes in reserves with supporting documentation, such as reconciling
revaluation surplus movements to reports from independent valuers.

41 | P a g e
Payroll:
• The focus of testing for payroll is completeness, accuracy and occurrence.
• Sources of evidence:
o Payroll account
o Payroll payment listing
o Payslips
o Contracts of employment
o Hourly rates of pay
o Timesheets
o Bank statements and bank ledger account
o Starters and leavers forms
• In auditing revenue, purchases, and payroll, the auditor relies on the company's internal controls
due to the high volume of transactions.
• While they will perform substantive analytical procedures to gather evidence efficiently, specific
tests of detail will also be necessary to validate the statement of profit or loss items.
• Additionally, the auditor will gather indirect evidence related to revenue and purchases by testing
corresponding receivables and payables on the statement of financial position, a method known as
directional testing.
• In auditing payroll, the auditor must ensure that the payroll expenses are neither understated due
to unpaid employees nor overstated by including fictitious or former employees.
• The auditor will perform various procedures to verify the accuracy and completeness of payroll
calculations. This includes agreeing the total wages and salaries expense to the general ledger,
casting monthly payroll listings for accuracy, and recalculating gross and net pay for selected
employees.
• Additionally, the auditor will verify statutory deductions, check the accuracy of payments for
joiners and leavers, and reconcile total net pay to bank transfer listings.
• For cash wages, the auditor will ensure the total cash withdrawn matches the amounts paid.
• Analytical procedures will also be conducted, such as comparing the payroll figures year-over-year
to identify unusual fluctuations.

Revenue:
• The focus of testing for revenue is completeness, cut-off, occurrence and accuracy.
• Sources of evidence:
o Revenue account
o Detailed sales listing/sales day book
o Sales invoices
o Customer contracts
o Goods dispatch notes
o Sales orders
• In auditing revenue, it's crucial to ensure accuracy by verifying that all sales transactions are
recorded and that there are no fictitious sales or errors in calculations.
• The auditor will inspect a sample of goods dispatch notes (GDNs) to ensure sales are recorded in
the correct period, recalibrate discounts and sales tax on significant invoices, and trace customer
orders to ensure completeness.
• Additionally, the auditor will review credit notes issued after year-end to confirm that any returns
are accurately reflected.
• Analytical procedures will include comparing current revenue to prior years and budgets to identify
significant fluctuations and calculating the gross profit margin for further insights into any
discrepancies.

42 | P a g e
Purchase and other expenses:
• The focus of testing for purchases is completeness, cut-off, occurrence, accuracy and
classification.
• Sources of evidence:
o Purchase account
o Detailed purchase listing/purchase day book
o Purchase invoices
o Supplier contracts
o Goods received notes
o Purchase orders
• In auditing purchases, it's essential to ensure that all transactions are accurately recorded and
classified.
• Understatements can occur if not all purchases, particularly around year-end, are recorded, while
overstating can happen if personal purchases are included or returns are not accounted for.
• The auditor will inspect goods received notes (GRNs) to confirm purchases are recorded in the
correct period and recalculate discounts and sales tax on selected invoices for accuracy.
• They will trace purchase orders to GRNs and invoices to ensure completeness and inspect
invoices for accuracy, occurrence, and classification.
• Analytical procedures will involve comparing expenses year-on-year and against budgets to
identify significant fluctuations, as well as calculating and comparing gross and operating profit
margins to detect potential misstatements. Any significant discrepancies will be discussed with
management.

Audits of smaller entities:

• Smaller entities often engage in simpler activities, which can reduce overall risk, making their
operations easier to understand.
• Owner-managers can exercise real control over the business, but this also raises the risk of
manipulation or personal transactions affecting financial records.
• While smaller entities typically have less sophisticated IT systems, the prevalence of manual
bookkeeping errors is decreasing, although effectiveness still depends on the person managing
the system.
• Auditors can expect less quantity of evidence due to fewer transactions, and conducting a fully
substantive audit may be more efficient in smaller organizations.
• Smaller entities face issues like management override of controls, lack of segregation of duties,
and a less formal approach to processes, which limits reliance on internal controls.

Audits of Not-For-Profit organizations:

• Not-for-profit (NFP) organizations, such as charities, focus on social or philanthropic objectives
rather than profit maximization, with no shareholders or dividend distribution.
• NFPs must prepare financial statements that include a statement of financial activities, balance
sheet, cash flow statement, and notes, where any excess of income over expenditure is termed a
surplus.
• Control risks in NFPs can be higher due to part-time volunteer trustees, a lack of segregation of
duties, unqualified staff, and less formalized internal control systems.
• Income for NFPs often comes from donations without accompanying documentation, leading to
theft risks, while grant income may require compliance with conditions to avoid repayment risks.
• Restricted funds must be clearly identified in the financial statements, as they are donated for
specific purposes, and the auditor needs to ensure they are reported correctly.

43 | P a g e
 • Assessing the going concern status of NFPs can be challenging, especially for those reliant on
voluntary donations, as economic factors and trends can impact income generation.
• NFPs may face complex regulatory environments, necessitating auditors with specialized
knowledge of applicable regulations to conduct audits competently.
• Sufficient appropriate evidence must be gathered through a mix of tests of controls and
substantive procedures, with additional planning activities necessary due to the higher risks
associated with NFPs.
• The scope of NFP audits often includes value-for-money audits, regularity audits, and audits of
performance indicators, requiring a modified audit opinion if sufficient evidence is not obtained.

44 | P a g e
 Completion and Review

Subsequent events:
• A subsequent event is an event occurring between the date of the financial statements and the
date of the auditor’s report, and facts that become known to the auditor after the date of the
auditor’s report.
• ISA 560 requires auditors to gather sufficient evidence to ensure that events occurring in this
period that need adjustments or disclosures are reflected properly according to the financial
reporting framework.
• It also requires auditors to respond appropriately to any facts that emerge after the auditor’s report
is issued.
• IAS 10 categorizes subsequent events into adjusting and non-adjusting events. Adjusting events
provide new evidence about conditions existing at the reporting date, leading to necessary
adjustments in the financial statements.
• Non-adjusting events, on the other hand, are related to conditions that arise after the reporting
date. While they do not alter the financial statements, material events require disclosure in the
notes, detailing their potential impact.
• Auditors have active duties between the year-end and report signing, ensuring subsequent events
are properly reflected. After signing, they have passive duties, needing to act only if new
information affects their opinion before issuing the financial statements.
• Between the date of the financial statements and the auditor's report, the auditor must identify
events that may need adjustments or disclosures in the financial statements. If material adjusting
events are not accounted for, or if non-adjusting events are not disclosed, the auditor will request
management to make the necessary changes. If management fails to make these adjustments, the
auditor must consider modifying their opinion.
• To carry out subsequent event procedures, auditors should inquire with management about any
unreported events, examine management's procedures for identifying events, review minutes of
meetings, and analyze accounting records like budgets and forecasts. They should also obtain
written confirmation from management regarding the reporting of subsequent events and inspect
correspondence with legal advisors, as well as evaluate known risk areas. The auditor may look
into external information, inspect after-date receipts, and check cash transactions.
• After the auditor’s report is issued, there is no obligation to perform further procedures, but if the
auditor becomes aware of facts that warrant changes to the report, they must act. This typically
involves requesting the client to amend the financial statements and reissuing the auditor's report.
If management does not amend the financial statements before issuance, the auditor may still
modify their opinion. Should the client issue the statements despite the auditor's warning, the
auditor must take action to prevent reliance on their report, potentially involving legal consultation.
• After financial statements are issued, if the auditor learns of a fact that could lead to an
amendment of the report, they should discuss it with management and consider whether the
financial statements need to be revised. The auditor must verify that any amendments are
correctly implemented and ensure that recipients of the earlier issued financial statements are
informed. If management refuses to amend, the auditor must take steps to prevent reliance on
their report.

45 | P a g e
Going concern:
• Going concern is the assumption that an entity will continue to operate for the foreseeable future,
typically at least twelve months beyond the reporting date. This assumption affects how financial
statements are prepared.
• Directors must assess the company's ability to continue as a going concern while preparing
financial statements, considering factors like profitability, debt repayment, and financing sources.
If management identifies material uncertainties affecting the company's future, they must disclose
these in the financial statements, explaining the events that raise doubts about the entity's ability
to continue.
• Auditors must obtain sufficient evidence about the appropriateness of management's use of the
going concern basis. They need to conclude whether material uncertainties exist that could impact
the entity's ability to continue operating. If problems are detected, such as net liabilities or
negative cash flow, auditors should perform specific procedures to assess the situation and may
need to modify their audit opinion if there are inadequate disclosures regarding going concern
uncertainties.
• Auditors should evaluate management's assessment of going concern, analyze cash flow and
profit forecasts, review interim financial statements, check loan agreements, and discuss financing
difficulties with management and legal advisors. They should focus on cash flows rather than
profits, ensuring the company can meet its obligations as they become due.
• If adequate disclosures are not made regarding going concern uncertainties, the auditor must
modify their opinion. If disclosures are appropriate, the auditor may issue an unmodified opinion
with additional communication.
• Indicators of Going Concern Problems:
o Net current liabilities
o Expired borrowing facilities
o Defaulted loans
o Unplanned asset sales
o Missing tax payments
o Failure to pay staff
o Negative cash flow
o Inability to obtain credit
o Legal claims
o Over-reliance on few products/customers
• To assess a client's going concern ability, auditors should evaluate the reasonableness of
assumptions in the cash flow forecast using these procedures:
o Verify the opening balance against the cash ledger
o Assess the accuracy of past forecasts to support the current one
o Identify and evaluate assumptions about cash flows in economic contexts
o Confirm the timing of receipts and payments based on credit periods
o Examine detailed budgets and discuss plans with management
o Review cash outflows for required non-current assets
o Confirm cash outflows for buildings against expected completion dates
o Evaluate the sufficiency of working capital included in forecasts
o Compare actual performance with forecast figures
o Verify accuracy through recalculation
o Check board meeting minutes for relevant issues

46 | P a g e
Overall review of the financial statements:
• Before forming an opinion on the financial statements, the auditor should conduct an overall
review, ensuring compliance with accounting standards and local disclosure requirements.
• The auditor should perform analytical procedures to corroborate conclusions and assess
uncorrected misstatements for potential materiality, discussing any necessary adjustments with
management.
• The auditor must evaluate whether the audit work complied with professional standards and if
significant matters require further consideration.
• It’s essential to ensure that the audit evidence gathered is sufficient to support the conclusions
reached.
• The auditor should confirm that initial assessments remain valid and adjust the audit plan as
necessary.

Evaluation of misstatements:
• The auditor must accumulate all identified misstatements unless they are trivial, considering if
they indicate the potential existence of other material misstatements.
• If misstatements suggest other errors may exist, the auditor should reassess the audit strategy
and plan.
• All accumulated misstatements should be communicated to management promptly, with a request
for corrections. If management refuses, the auditor must consider their reasons.
• The auditor should reassess materiality based on the circumstances and determine if uncorrected
misstatements, either individually or collectively, are material to the financial statements.
• The auditor must communicate uncorrected misstatements to those charged with governance,
explaining the implications for the audit opinion, and request a written representation from
management regarding their assessment of materiality.

Written representations:
• A written representation is a statement from management to confirm matters or support audit
evidence, necessary for confirming responsibilities for financial statement preparation and
ensuring all relevant information is provided.
• These representations are required to support other audit evidence, especially when more reliable
evidence is unavailable, such as regarding management judgments and compliance with
regulations.
• The auditor drafts the representation letter, which must be on client letterhead, signed by a senior
management member, and dated the same as the financial statement authorization.
• Written representations may be biased, so auditors should assess their reliability based on
management's competence, integrity, and consistency with other evidence.
• If management refuses to provide written representations, the auditor should discuss the reasons,
reassess management's integrity, and consider the implications for the audit report, which may
lead to a disclaimer of opinion.

47 | P a g e
 Reporting

Introduction to the independent auditor's report:

• The objectives of the auditor are to form an opinion on the financial statements based on an
evaluation of the conclusions drawn from the audit evidence obtained, and to express clearly that
opinion through a written report.
• The auditor forms an opinion on whether the financial statements are prepared, in all material
respects, in accordance with the applicable financial reporting framework.

Title and addressee:

• The title clearly identifies the report as an Independent Auditor's Report.
• The addressee identifies the intended user of the report and shows to whom the auditor owes a
duty of care.

Auditor’s opinion:
• The audit opinion can me unmodified or modified:

• An unmodified opinion indicates that the financial statements comply with the applicable reporting
framework, adequately disclosing significant accounting policies, applying appropriate accounting
policies consistently, and providing relevant and understandable information.
• A modified opinion is necessary when the auditor finds that the financial statements are not free
from material misstatement or when sufficient evidence cannot be obtained to confirm their
accuracy.
• A matter is deemed 'pervasive' if its effects are not limited to specific elements, represent a
significant portion of the financial statements, or are essential for users' understanding.
• A qualified opinion is issued for material but not pervasive misstatements, allowing reliance on the
rest of the financial statements, while stating that they present a true and fair view "except for" the
identified matter.
• An adverse opinion indicates that a misstatement is material and pervasive, rendering the financial
statements untrue and unfair, often due to significant errors or omissions.
• A disclaimer of opinion occurs when the auditor cannot obtain sufficient evidence, meaning they
do not express an opinion on the financial statements, typically due to inadequate records or
management's refusal to provide necessary information.

48 | P a g e
 • In issuing a disclaimer of opinion, the auditor modifies statements about the audit process,
refrains from including key audit matters, and may withdraw from the audit if the scope limitation
is pervasive, or issue a qualified opinion if it is not.

Basis for Opinion section:

• The Basis for Opinion section in an audit report outlines the professional standards followed by the
auditor to form their opinion, assuring users of the report's reliability.
• In reports with a modified opinion, this section details the reasons for the modification, specifying
which balances are misstated or which disclosures are inadequate, and explaining any evidence
the auditor could not obtain.
• The section title must match the opinion type, changing "Basis for Opinion" to "Basis for Qualified
Opinion," "Basis for Adverse Opinion," or "Basis for Disclaimer of Opinion" as needed.
• When issuing a qualified or adverse opinion, the auditor should amend the statement regarding the
sufficiency of the audit evidence to reflect the modified opinion.
• The auditor may include a quantification of the financial effect of the modification and, if
misstatements relate to narrative disclosures, provide an explanation or include omitted
disclosures if the information is available.

Key Audit Matters section:

• ISA 701 mandates auditors of listed companies to identify and communicate key audit matters
(KAMs) in their reports, which are significant issues from the audit process discussed with
governance.
• Auditors of non-listed entities may voluntarily include KAMs in their reports or do so at
management's request to help users understand the entity and facilitate discussions with
management and governance.
• Each KAM should explain its significance and how the auditor addressed it during the audit.

49 | P a g e
 • Key audit matters typically involve areas with higher risks of material misstatement, significant
auditor judgments regarding management estimates, or notable events or transactions during the
period.
• Examples of KAMs include significant fraud risks, goodwill assessments, valuation of financial
instruments, fair values, compliance with new accounting standards, revenue recognition, material
provisions (like restructuring), and changes related to IT systems.
• Matters leading to a qualified or adverse opinion, or material uncertainties related to going concern
are inherently key audit matters, but they are not detailed in the Key Audit Matters section; instead,
references are made to the Basis for Opinion or the going concern section.
• If no key audit matters exist, the auditor must discuss this with the engagement quality reviewer (if
applicable) and communicate the conclusion to those charged with governance.
• The auditor should clarify in the Key Audit Matters section of the report that there are no matters to
report.

Additional communications:
• Auditors must make additional communications in the report even if the financial statements show
a true and fair view, addressing issues such as Material Uncertainty Related to Going Concern,
Emphasis of Matter, and Other Matter paragraphs, which do not alter the opinion wording.
• The Material Uncertainty Related to Going Concern section highlights uncertainties about the
entity's ability to continue as a going concern, based on adequately disclosed information in the
financial statements.
• An Emphasis of Matter paragraph refers to significant matters presented in the financial
statements that the auditor believes warrant emphasis, such as uncertainties related to litigation,
significant subsequent events, or the early application of a new accounting standard.
• The Emphasis of Matter paragraph is placed after the Basis for Opinion section and may be
positioned around the Key Audit Matters section, with context-specific headings as needed.
• An Emphasis of Matter is not used for immaterial misstatements and should only emphasize
matters that have been adequately disclosed; if disclosure is insufficient, the opinion must be
modified.
• An Other Matter paragraph addresses issues relevant to the audit, auditor's responsibilities, or
report, such as explaining the intended audience of the report or the auditor's rationale for not
resigning due to restrictions imposed by management.
• The Other Matter paragraph can be included in the Report on Other Legal and Regulatory
Requirements section or as a separate section, with headings modified to provide additional
context.

Other Information section:

• Other information includes financial or non-financial data in an entity's annual report, excluding
the financial statements and auditor's report.
• This can comprise the chair's report, operating and financial review, social and environmental
reports, and corporate governance statements.
• If the auditor receives the final version of other information before the auditor's report date, they
must review it for material inconsistencies with the financial statements or the auditor's
knowledge from the audit.
• Upon identifying a material inconsistency, the auditor should evaluate it, discuss it with
management for correction, and if management refuses, inform those charged with governance. If
uncorrected, the inconsistency should be reported in the Other Information section of the auditor's
report or the auditor should withdraw from the engagement if possible.

50 | P a g e
 • Other Information section of the auditor's report identifies other information reviewed, states that it
hasn't been audited, outlines the auditor's responsibilities, and notes whether there are any
material misstatements.
• The auditor must avoid being associated with misleading information, as misstatements in other
information can damage the credibility of the financial statements and the auditor's report.
• The auditor must retain a copy of the final version of the other information in the audit file.
• If a disclaimer of opinion is issued for the financial statements, the Other Information section
should not be included, as it could overshadow the disclaimer.

Responsibilities of management and auditors:

• Management is responsible for preparing the financial statements and ensuring the effectiveness
of internal controls.
• Auditors express reasonable assurance regarding whether the financial statements provide a true
and fair view.
• The auditor's report includes the auditor's opinion based on their assessment.
• Auditors are responsible for assessing risks that may affect the financial statements.
• They evaluate the effectiveness of internal controls related to financial reporting.
• Auditors consider the going concern status of the entity during their assessment.
• They review the appropriateness of the accounting policies used by management.
• These responsibilities aim to minimize the expectation gap between what users expect from
auditors and what auditors can provide.

Report on other legal and regulatory requirements:

• This section outlines additional reporting responsibilities as required by specific jurisdictions.
• It may include reporting on the adequacy of accounting records maintained by the entity.
• Auditors may assess and report on the effectiveness of internal controls over financial reporting.
• The report can also cover other information published alongside the financial statements, such as
the Strategic Report in the UK.
• This section ensures compliance with legal and regulatory requirements relevant to the audit
engagement.

Signature, auditor’s address and date:

• The signature confirms the audit firm responsible for the report and opinion, including the
engagement partner's name for listed companies.
• The auditor's address specifies the office of the engagement partner, providing a point of contact
for queries.
• The date indicates the completion of the audit work, signifying that any information arising
afterward wasn't considered in forming the opinion.
• The report must be signed and dated after the directors approve the financial statements, often on
the same day.

51 | P a g e
Going concern reporting implications:

52 | P a g e
Exam approach:
• If issues remain unresolved, first check if they are material by assessing their impact on assets or
profit.
• Identify the issue type: material misstatement, missing evidence, uncertainty, inconsistency, or a
key audit matter.
• Comment on what accounting rule was breached, what evidence is lacking, what uncertainty
exists, or how it conflicts with other reports.
• Determine if the issue is material but not pervasive (small impact) or material and pervasive
(makes the statements unreliable).
• Conclude with the opinion: unmodified if there are no issues, qualified if there's a specific problem,
adverse if the statements are unreliable, or a disclaimer if no opinion can be expressed.
• Mention any necessary additional reporting, like a modified opinion or other relevant notes.

Communicating with TCWG:

• The external auditor must communicate with management and those charged with governance as
outlined in ISA 260 and ISA 265.
• Key forms of communication include the engagement letter and a management letter, typically
sent at the end of the audit.
• Throughout the audit, the auditor communicates to clarify responsibilities, scope, timing, and to
gather relevant information.
• The auditor must communicate several matters, including their responsibilities regarding the
financial statements, audit scope and timing, risks of material misstatement, and any significant
findings.
• They should also discuss the quality of accounting practices, any difficulties faced during the
audit, and any modifications to the opinion or other significant matters that could affect the
reporting process.
• Independence issues, such as compliance with ethical requirements and professional fees, also
need to be communicated.
• Examples of matters requiring governance attention include delays in obtaining information,
limitations on the audit, potential effects of material risks, misstatements, uncertainties regarding
going concern, and other agreed-upon issues from the audit engagement.
• Ultimately, the auditor uses professional judgment to determine what matters are significant for
governance attention.

53 | P a g e