Audit Manual

Australian Audit Manual and Toolkit 2010, Using Clarity Standards
For Small and Medium Sized Entities
Thomson Reuters (Professional) Australia Limited 100 Harris Street Pyrmont NSW 2009 Tel: (02) 8587 7000 Fax: (02) 8587 7100 LTA.Service@thomsonreuters.com www.thomsonreuters.com.au For all customer enquiries please ring 1300 304 195 (for calls within Australia only)
INTERNATIONAL AGENTS & DISTRIBUTORS NORTH AMERICA Thomson Reuters Eagan United States of America LATIN AMERICA Thomson Reuters So Paulo Brazil ASIA PACIFIC Thomson Reuters Sydney Australia EUROPE Thomson Reuters London United Kingdom
This book has been printed on paper certied by the Programme for the Endorsement of Forest Certication (PEFC). PEFC is committed to sustainable forest management through third party forest certication of responsibly managed forests. For more info: www.pefc.org

For Small and Medium Sized Entities
Published in Sydney by Thomson Reuters (Professional) Australia Limited ABN 64 058 914 668 100 Harris Street, Pyrmont, NSW National Library of Australia Cataloguing-in-Publication entry Australian audit manual and toolkit 2010, using clarity standards : for small and medium sized entities / Institute of Chartered Accountants in Australia. 2nd ed. 9780864607003 (pbk) Auditing Australia Handbooks, manuals, etc. Small business Australia Auditing. Other Authors/Contributors: Institute of Chartered Accountants in Australia. 657.450994 Manual based on a nal IFAC publication The Audit Manual component of the Australian Audit Manual and Toolkit 2010, Using Clarity Standards is based on the Guide to Using International Standards on Auditing in the Audits of Small-and Medium-sized Entities of the Small and Medium Practices Committee, published by the International Federation of Accountants (IFAC) in October 2010, and is used with the permission of IFAC. Copyright October 2010 by the International Federation of Accountants (IFAC). All rights reserved. Permission is granted to make copies of this work provided that such copies are for use in academic classrooms or for personal use and are not sold or disseminated and provided that each copy bears the following credit line: Copyright October 2010 by the International Federation of Accountants (IFAC). All rights reserved. Used with permission of IFAC. Contact permissions@ifac.org for permission to reproduce, store or transmit this document. Otherwise, written permission from IFAC is required to reproduce, store or transmit, or to make other similar uses of, this document, except as permitted by law. Toolkit based on a nal CICA publication The Audit Toolkit CD component of the Australian Audit Manual and Toolkit 2010, Using Clarity Standards, copyright 2010 by the Canadian Institute of Accountants (CICA). All rights reserved. Permission is granted to make copies of the Audit Toolkit provided that such copies are for use in academic classrooms or for personal use and are not sold or disseminated and provided that each copy bears the following credit line: Copyright 2010 by the Canadian Institute of Chartered Accountants (CICA). All rights reserved. Used with permission of CICA. Contact permissions@cica.org for permission to reproduce, store or transmit this document. Otherwise, written permission from CICA is required to reproduce, store or transmit, or to make other similar uses of this document, except as permitted by law. The Institute of Chartered Accountants in Australia Commonwealth Copyright All Commonwealth data herein are reproduced by permission but do not purport to be the ofcial or authorised versions. They are subject to Commonwealth of Australia copyright. The Copyright Act 1968 permits certain reproduction and publication of Commonwealth legislation. In particular, section 182A of the Act enables a complete copy to be made by or on behalf of a particular person. For reproduction or publication beyond that permitted by the Act, permission should be sought in writing. Requests should be addressed to Commonwealth Copyright Administration, Copyright Law Brand, Attorney-Generals Department, Robert Garran Ofces, National Circuit, Barton ACT 2600, or posted at www.ag.gov.au/cca.
Foreword
I am delighted to present the second edition of the Australian Audit Manual and Toolkit (the Manual) on behalf of the Institute of Chartered Accountants in Australia (the Institute). The Institute recognised the need for audit practitioners, particularly those who deal with small- to medium-sized entities (SMEs) to have access to reference materials that encapsulate all the requirements of the Australian Auditing Standards (ASAs). This edition builds upon the previous work and incorporates requirements of the Clarity auditing standards, providing an up-to-date guide to assist practitioners, academics and students. In October 2009 the Auditing and Assurance Standards Board (AUASB) completed the reissuing of the auditing and assurance standards, as a result of the International Auditing and Assurance Boards (IAASB) decision to revise and update all its standards to present them in a clearer, more consistent format (known as the Clarity project). Practitioners using this book should be aware that the Clarity style standards contained in this Manual are applicable for nancial reporting periods commencing on or after 1 January 2010. The Manual and Toolkit have been developed to promote consistent application of the standards and help audit practitioners conduct high quality, cost-effective audits of SMEs. We hope this Manual will provide the knowledge and tools needed to effectively apply the ASAs. The Institute gratefully acknowledges the International Federation of Accountants (IFAC) for its generous assistance with this project; members of the Institutes Audit Advisory Committee for their invaluable feedback; and the Institutes team which, with the assistance of external specialists, successfully Australianised the content for our local audience and led the project to its successful conclusion. On behalf of the Institute, thank you to all for your generous time and contributions to this important initiative.
Michael Spinks FCA President Institute of Chartered Accountants in Australia (2nd edition, October 2010)
Request for comment

This is the second version of the Manual. While we consider this Manual to be useful and of high quality, it can be improved and we are committed to updating it regularly to ensure it remains current. We welcome feedback. These comments will be used to assess the Manuals usefulness and to improve it prior to publishing the next edition. In particular, we welcome views on: > How do you use the Manual? For example, do you use it as a basis for training and/or as a practical reference guide, or in some other way? > Do you consider the Manual to be sufciently tailored to the audit of SMEs? > Do you nd the Manual easy to navigate? If not, can you suggest how navigation can be improved? > In what other ways do you think the Manual can be made more useful? > Are you aware of any derivative products such as training materials, forms, checklists, and programs that have been developed based on the Manual? If so, please provide details. Please submit your comments to Andrew Stringer, Head of Audit at: Email: andrew.stringer@charteredaccountants.com.au Fax: Mail: +61 2 9262 1310 The Institute of Chartered Accountants in Australia 33 Erskine Street Sydney NSW 2001
Disclaimer
This Manual is designed to assist practitioners in the implementation of the Australian Auditing Standards (ASAs) on the audit of small- and mediumsized entities, but is not intended to be a substitute for the ASAs themselves. Furthermore, a practitioner should utilise this Manual in light of their professional judgement and the facts and circumstances involved in each particular audit. The Institute disclaims any responsibility or liability that may occur, directly or indirectly, as a consequence of the use and application of this Manual.
Table of contents
vii
Contents
Foreword .......................................................................................................v Request for comment...................................................................................vi Disclaimer.......................................................................................................vi How to use the Manual .................................................................................xix Content and organisation ...............................................................................xx Glossary of terms ...........................................................................................xxii Acronyms used in the Manual ........................................................................xxiv Claried ASAs ..............................................................................................xxvi ASA index and cross-references ...................................................................xxviii The audit process...........................................................................................xxxiii Part A 1. The risk-based audit overview ..............................................................3 1.1 Overview...................................................................................................4 1.2 Audit risk...................................................................................................7 1.3 How to perform a risk-based audit ..........................................................10 1.4 Documentation .........................................................................................17 1.5 Benets of the risk-based audit................................................................18 1.6 ASAs for smaller audits ............................................................................18 2. Ethics, ASAs and quality control ............................................................23 2.1 Overview...................................................................................................25 2.2 Quality control systems ............................................................................27 2.3 The control environment ...........................................................................28 2.4 Firm risk assessment ................................................................................30 2.5 Information systems ................................................................................33
viii
2.6 Control activities .......................................................................................34 2.7 Monitoring.................................................................................................36 2.8 Compliance with relevant ASAs ...............................................................37 3. Internal control purpose and components..........................................40 3.1 Overview...................................................................................................40 3.2 Internal control objectives ........................................................................41 3.3 The control environment ...........................................................................43 3.4 Risk assessment.......................................................................................49 3.5 Information system ...................................................................................51 3.6 Control activities .......................................................................................55 3.7 Understanding IT risks and controls ........................................................59 3.8 Monitoring.................................................................................................61 3.9 Understanding of internal controls relevant to the audit ..........................62 3.10 Manual versus automated controls ........................................................63 3.11 Pervasive controls ..................................................................................65 3.12 Anti-fraud controls ..................................................................................68 4. Financial report assertions......................................................................70 4.1 Overview...................................................................................................70 4.2 Description of assertions ..........................................................................71 4.3 Combined assertions ...............................................................................72 4.4 Using assertions in auditing .....................................................................74 5. Materiality and audit risk..........................................................................77 5.1 Overview...................................................................................................78 5.2 Financial report users ...............................................................................79 5.3 Nature of misstatements ..........................................................................80
Table of contents
ix
5.4 Materiality and audit risk ..........................................................................81 5.5 Materiality levels .......................................................................................82 5.6 Documentation of materiality ....................................................................87 6. Risk assessment procedures ..................................................................89 6.1 Overview...................................................................................................90 6.2 Audit evidence .........................................................................................90 6.3 The three risk assessment procedures ....................................................92 6.4 Enquiries of management and others (including enquiries relating to fraud) .............................................................................................93 6.5 Analytical procedures ..............................................................................96 6.6 Observation and inspection .....................................................................97 6.7 Design and implementation of internal controls .......................................98 6.8 Other sources of information about risks .................................................98 7. Responding to assessed risks ................................................................100 7.1 Overview...................................................................................................101 7.2 Overall responses to risks at the nancial report level.............................102 7.3 Response to assessed risks at the assertion level...................................107 8. Further audit procedures .........................................................................112 8.1 Overview...................................................................................................112 8.2 Substantive procedures ...........................................................................114 8.3 External conrmations ..............................................................................117 8.4 Substantive analytical procedures ...........................................................121 8.5 Tests of controls........................................................................................127 9. Accounting estimates ..............................................................................136 9.1 Overview...................................................................................................137
9.2 Risk assessment.......................................................................................139 9.3 Responses to assessed risks ...................................................................142 9.4 Reporting ..................................................................................................145 9.5 Documentation .........................................................................................146 10. Related parties ........................................................................................147 10.1 Overview.................................................................................................148 10.2 Risk assessment.....................................................................................151 10.3 Risk response .........................................................................................154 10.4 Reporting ................................................................................................157 11. Subsequent events .................................................................................159 11.1 Overview.................................................................................................159 11.2 Dual dating ............................................................................................166 12. Going concern ........................................................................................167 12.1 Overview.................................................................................................167 12.2 Risk assessment procedures .................................................................168 12.3 Evaluating managements assessment ..................................................170 12.4 Risk response when events are identied ...........................................173 12.5 Reporting ................................................................................................175 13. Summary of other ASA requirements ..................................................177 13.1 Overview.................................................................................................177 13.2 ASA 250 Consideration of Laws and Regulations in an Audit of a Financial Report .............................................................................178 13.3 ASA 402 Audit Considerations Relating to an Entity Using a Service Organisation ...................................................................................183 13.4 ASA 501 Audit Evidence Specic Considerations for Inventory and Segment Information ...............................................................191
Table of contents
xi
13.5 ASA 502 Audit Evidence Specic Considerations for Litigation and Claims ......................................................................................193 13.6 ASA 510 Initial Audit Engagements Opening Balances ..................195 13.7 ASA 600 Special Considerations Audits of a Group Financial Report (Including the Work of Component Auditors)......................198 13.8 ASA 610 Using the Work of Internal Auditors .....................................204 13.9 ASA 620 Using the Work of an Auditors Expert ..................................208 13.10 ASA 720 The Auditors Responsibilities Relating to Other Information in Documents Containing an Audited Financial Report ..............216 14. Audit documentation ..............................................................................219 14.1 Overview.................................................................................................219 14.2 Audit le organisation .............................................................................221 14.3 Common questions about audit documentation ....................................223 14.4 Specic documentation requirements ...................................................224 14.5 The experienced auditor ........................................................................229 14.6 Electronic documents.............................................................................229 14.7 File completion .......................................................................................231 15. Forming an opinion on a nancial report .............................................234 15.1 Overview.................................................................................................236 15.2 Financial reporting frameworks ..............................................................237 15.3 Forming the opinion ...............................................................................241 15.4 Form and wording of the auditors report ..............................................245 15.5 Reporting requirements under the Corporations Act 2001 ....................257 15.6 Supplementary information presented with the nancial report ............260 15.7 Audits conducted in accordance with ASAs and other auditing standards ........................................................................................261 15.8 Modied auditor reports .........................................................................262
xii
Part B 16. How to use Part B ...................................................................................265 17. Introduction to the case studies ...........................................................266 Case study A ONeal Furniture Pty Ltd ........................................................266 Case study B Kane & Co. ...........................................................................274 18. Risk assessment overview .................................................................278 19. Engagement acceptance and continuance ..........................................281 19.1 Overview.................................................................................................283 19.2 Engagement acceptance .......................................................................285 19.3 Pre-conditions for an audit .....................................................................288 19.4 Agreeing the terms of engagement .......................................................289 19.5 Case studies client acceptance and continuance ..............................293 20. Overall audit strategy .............................................................................299 20.1 Overview.................................................................................................300 20.2 Developing the overall audit strategy.....................................................302 20.3 Communicating the audit plan with management and those charged with governance ..............................................................................306 20.4 Documentation .......................................................................................307 20.5 Case studies the overall audit strategy ...............................................308 21. Determining and using materiality ........................................................311 21.1 Overview.................................................................................................313 21.2 How to determine materiality ..................................................................315 21.3 Materiality in planning and risk assessment ..........................................321 21.4 Materiality in performing audit procedures ............................................323 21.5 Materiality in reporting ............................................................................324 21.6 Other considerations ..............................................................................325
Table of contents
xiii
21.7 Documentation .......................................................................................326 21.8 Case studies determining and using materiality .................................327 22. Audit team discussions .........................................................................329 22.1 Overview.................................................................................................330 22.2 Audit team planning meeting .................................................................331 22.3 Communication during and at completion of the audit ..........................334 22.4 Case studies audit team discussions ..................................................337 23. Inherent risks identication ................................................................340 23.1 Overview.................................................................................................343 23.2 Types of risk ...........................................................................................344 23.3 Sources of information about an entity ...................................................346 23.4 Risk assessment procedures .................................................................347 23.5 Sources of risk .......................................................................................349 23.6 Fraud risk................................................................................................351 23.7 Types and characteristics of fraud .........................................................352 23.8 The fraud triangle ...................................................................................352 23.9 Professional scepticism..........................................................................357 23.10 How to identify inherent risk factors .....................................................358 23.11 Documenting the risk identication process ........................................361 23.12 Case studies inherent risks identication .......................................364 24. Inherent risks assessment .................................................................368 24.1 Overview.................................................................................................369 24.2 Risk assessments performed by the entity ............................................372 24.3 Documenting assessed risks .................................................................372 24.4 Case studies inherent risks assessment ..........................................374
xiv
25. Signicant risks ......................................................................................380 25.1 Overview.................................................................................................382 25.2 Examples ................................................................................................382 25.3 Identifying signicant risks .....................................................................384 25.4 Responding to signicant risks ..............................................................386 25.5 Documenting signicant risks ................................................................387 25.6 Case studies signicant risks ..............................................................388 26. Understanding internal control .............................................................391 26.1 Overview.................................................................................................394 26.2 Risk and control......................................................................................394 26.3 Pervasive and specic internal controls.................................................395 26.4 The ve internal control components .....................................................397 26.5 Internal control in smaller entities ...........................................................399 26.6 Absence of internal control ....................................................................399 26.7 Controls to prevent fraud (anti-fraud controls) .......................................400 26.8 Internal controls relevant to the audit (the scope of understanding) .....401 26.9 Case studies identifying relevant controls ...........................................404 27. Evaluating internal control ....................................................................407 27.1 Overview.................................................................................................409 27.2 Step 1 what risks require mitigation? ...................................................410 27.3 Step 2 do the controls designed by management mitigate the risk? ..........................................................................................................412 27.4 How to identify internal controls .............................................................417 27.5 Step 3 are controls that mitigate the risk factors in operation? ..........420 27.6 Step 4 has the operation of relevant controls been documented? .....422
Table of contents
xv
27.7 Updating control documentation in subsequent periods.......................424 27.8 Written representations about internal control........................................425 27.9 Case studies internal control evaluation..............................................425 28. Communicating deciencies in internal control ..................................438 28.1 Overview.................................................................................................440 28.2 Fraud ......................................................................................................441 28.3 Assessing the severity of a deciency ...................................................442 28.4 Smaller entities .......................................................................................443 28.5 Documenting control deciencies..........................................................444 28.6 Oral discussions with management .......................................................445 28.7 Written communications .........................................................................447 28.8 Managements response to the communication ....................................447 28.9 Timing of the written communication......................................................449 28.10 Case studies communicating deciencies in internal control ...........449 29. Concluding the risk assessment phase ...............................................452 29.1 Overview.................................................................................................453 29.2 Audit evidence obtained to date ............................................................454 29.3 Summarising the various risk assessments ...........................................455 29.4 Revision of risk assessments .................................................................457 29.5 Documentation .......................................................................................458 29.6 Case studies concluding the risk assessment phase .........................460 30. Risk response an overview.................................................................463 31. The responsive audit plan ......................................................................465 31.1 Overview.................................................................................................468 31.2 The starting point ...................................................................................468
xvi
31.3 Overall responses ..................................................................................469 31.4 Use of assertions in test design .............................................................470 31.5 Use of materiality in test design .............................................................471 31.6 The auditors toolbox ..............................................................................471 31.7 Developing the responsive audit plan....................................................474 31.8 Responding to the risk of fraud ..............................................................478 31.9 Risk of misstatements in presentation and disclosure ...........................482 31.10 Determining whether the audit plan is complete..................................482 31.11 Documenting the overall response and detailed audit plans ..............484 31.12 Communication of the audit plan .........................................................484 31.13 Case studies the responsive audit plan ............................................485 32. Determining the extent of testing..........................................................489 32.1 Overview.................................................................................................491 32.2 Use of sampling .....................................................................................493 32.3 Extent of substantive procedures (using statistical sampling) ..............496 32.4 Extent of substantive analytical procedures ..........................................503 32.5 Tests of control operating effectiveness ..............................................505 32.6 Evaluating deviations .............................................................................512 32.7 Case studies extent of testing .............................................................514 33. Documenting work performed ...............................................................521 33.1 Overview.................................................................................................522 34. Written representations..........................................................................525 34.1 Overview.................................................................................................527 34.2 Subject matter ........................................................................................528
Table of contents
xvii
34.3 Considerations in performing the audit ..................................................529 34.4 Written representations...........................................................................529 34.5 Example of written representations ........................................................534 34.6 Case study management representations ..........................................535 35. Reporting overview .............................................................................539 36. Evaluating audit evidence......................................................................541 36.1 Overview.................................................................................................542 36.2 Reassess materiality...............................................................................545 36.3 Changes in risk assessments.................................................................546 36.4 Evaluating the effect of misstatements...................................................547 36.5 Sufcient appropriate audit evidence ....................................................555 36.6 Final analytical procedures ....................................................................556 36.7 Signicant ndings and issues...............................................................556 36.8 Case studies evaluating audit evidence .............................................557 37. Communicating with those charged with governance........................560 37.1 Overview.................................................................................................563 37.2 Governance ............................................................................................564 37.3 Matters to be communicated .................................................................565 37.4 Case studies communicating with those charged with governance ....................................................................................................569 38. Modications to the auditors report ....................................................572 38.1 Overview.................................................................................................575 38.2 Modications to the audit opinion ..........................................................576 38.3 Financial report is materially misstated ..................................................579 38.4 Inability to obtain sufcient appropriate audit evidence ........................583
xviii
39. Emphasis of Matter and Other Matter paragraphs ..............................586 39.1 Overview.................................................................................................589 39.2 Emphasis of Matter paragraph...............................................................590 39.3 Other Matter paragraph .........................................................................591 40. Comparative information .......................................................................593 40.1 Overview.................................................................................................596 40.2 Audit procedures ....................................................................................597 40.3 Corresponding gures ...........................................................................598 40.4 Comparative nancial report ..................................................................599 How to use the CD ........................................................................................606
How to use the Manual

The purpose of this Manual is to provide practical guidance to practitioners conducting audit engagements for small- and medium-sized entities (SMEs). However, no material in the Manual should be used as a substitute for: > Reading and understanding the ASAs It is assumed that practitioners have read the text of the Australian Auditing Standards issued by the Auditing and Assurance Standards Board which apply to reporting periods commencing on or after 1 January 2010. ASA 200 Overall Objectives of the Independent Auditor and the Conduct of an Audit in Accordance with Australian Auditing Standards, paragraph 19 states that the auditor shall have an understanding of the entire text of an ASA, including its application and other explanatory material, to understand its objectives and to apply its requirements properly. > Use of professional judgement Professional judgement is required based on the particular facts and circumstances involved in the rm and each particular engagement, and where interpretation of a particular standard is required. While it is expected that small- and medium-sized practices (SMPs) will be a signicant user group, this Manual is intended to help all practitioners to implement ASAs on small- and medium-sized entities (SME) audits. The Manual offers a practical how-to audit approach that practitioners may use when undertaking a risk-based audit of an SME. This Manual can be used to: > Develop a deeper understanding of an audit conducted in compliance with the ASAs > Develop a staff manual (supplemented as necessary for a rms procedures) to be used for day-to-day reference and as a basis for training sessions and individual study and discussion, and > Ensure that staff adopt a consistent approach to planning and performing an audit. This Manual often refers to an audit team, which implies that more than one auditor is involved in conducting the audit engagement. However, the same general principles also apply to audit engagements performed exclusively by one person (the practitioner).
xx
Content and organisation

Rather than just summarise each ASA in turn, the Manual has been organised into two parts as follows: > Part A Core concepts > Part B Practical guidance The rst part provides an overview of the entire audit and a discussion of the key audit concepts such as materiality, assertions, internal control, risk assessment procedures and the use of further audit procedures in responding to assessed risks. It also includes a summary of ASA requirements with respect to: > Specic areas such as accounting estimates, related parties, subsequent events, going concern and others > Documentation requirements, and > Forming an opinion on the nancial report. The second part focuses on how to apply the concepts outlined in Part A. It follows the typical stages involved in performing an audit, starting with client acceptance, planning, risk assessment and then the risk response, evaluating audit evidence obtained and forming an appropriate audit opinion. To avoid repetition, Part B has not repeated the requirements of ASAs that address specic audit issues such as estimates, related parties, subsequent events, going concern and various other ASAs. Part A summarises these requirements in separate chapters or as part of Chapter 13, which is entitled Summary of other ASA requirements.
Summary of organisation
Each chapter in this Manual has been organised in the following format: > Chapter title > Audit process chart extract Most chapters contain an extract from the audit process chart (where applicable) to highlight the particular activities addressed in the chapter. > Chapter content This outlines the content and purpose of the chapter. > Relevant ASAs Most chapters in this Manual begin with some extracts from the ASAs that are relevant to the chapter content. These extracts include relevant requirements and, in some cases, the objectives (sometimes highlighted
xxi
separately if/when a chapter focuses primarily on one particular ASA), selected denitions and application material. The inclusion of these extracts is not meant to imply that other material in the ASA not specically mentioned or other ASAs that relate to the subject matter do not need to be considered. The extracts in the Manual are based solely on the judgement of the authors as to what is relevant for the content of each particular chapter. For example, the requirements of ASAs 200, 220 and 300 apply throughout the audit process but have only been addressed specically in one or two chapters. > Overview and chapter material The overview in each chapter provides: Extracts from applicable ASAs, and An overview of what is addressed in the chapter. The overview is followed by a more detailed discussion of the subject matter and practical step-by-step guidance/methodology on how to implement the relevant ASAs. This can include some cross-references to the applicable ASAs. > Consider points A number of consider points are included throughout the Manual. These consider points provide practical guidance on audit matters that can easily be overlooked or areas where practitioners often have difculty in understanding and implementing certain concepts. > Australian pronouncements The Manual includes the relevant requirements of the Corporations Act 2001. The Manual also makes reference to, but does not outline, the requirements of the APES 110 Code of Ethics for Professional Accountants issued by the APESB and the requirements of ASQC 1 Quality Control for Firms that Perform Audits and Reviews of Financial Reports and Other Financial Information, and Other Assurance Engagements. In addition, users should be mindful of the Institutes Quality Control Guide. > Illustrative case studies To demonstrate how the ASAs can be applied in practice, Part B of the Manual includes two case studies. At the end of many chapters within Part B, two possible approaches to documenting the application of the ASA requirements are discussed. Please refer to Part B, Chapter 17 of this Manual for details about the case studies. The purpose of the case studies and the documentation presented are purely illustrative. The documentation provided is a small extract from a typical audit le and it outlines just one possible way of complying with the
xxii
ASA requirements. The data, analysis and commentary provided represent only some of the circumstances and considerations that the auditor will need to address in a particular audit. As always, the auditor must exercise professional judgement. The rst case study is based on a ctional entity called ONeal Furniture. This is a local, family-owned furniture manufacturer with 10 full-time employees. The entity has a simple governance structure, few levels of management and straightforward transaction processing. The accounting function uses an offthe-shelf, standard software package. The second case study is based on another ctional entity called Kane & Co. This is a micro-sized entity with two full-time staff plus the owner and one parttime bookkeeper.
Glossary of terms
The Manual uses many of the terms as dened by the AUASB glossary included in the Institute of Chartered Accountants in Australia Auditing and Assurance Handbook 2010 Volume 2. Both partners and staff must be aware of these denitions. The Manual also uses the following terms:
Anti-fraud controls
These are controls designed by management to prevent or detect and correct frauds. With respect to management override, these controls may not prevent a fraud from occurring but would act as a deterrent and make perpetrating a fraud more difcult to conceal. Typical examples are: > Policies and procedures that provide additional accountability, such as signed approval for journal entries > Improved access controls for sensitive data and transactions > Silent alarms > Discrepancy and exception reports > Audit trails > Fraud contingency plans > Human resource procedures such as identifying/monitoring individuals with above-average fraud potential (for example, an excessively lavish lifestyle), and > Mechanisms for reporting potential frauds anonymously.
xxiii
Entity-level controls
Entity-level controls address pervasive risks. They set the tone at the top of an organisation and establish expectations for the control environment. They are often less tangible than controls that operate at the transaction level but have a pervasive and signicant impact and inuence over all other internal controls. As such, they form the all-important foundation upon which other internal controls (if any) are built. Examples of entity level controls include managements commitment to ethical behaviour, attitudes toward internal control, hiring and competence of staff employed, and anti-fraud and periodend nancial reporting. These controls will have an impact on all other business processes within the entity.
Management
The person(s) with executive responsibility for the conduct of the entitys operations. For some entities, management includes some or all of those charged with governance; for example, executive members of a governance board, or an owner-manager.
Those charged with governance

The person(s) or organisation(s) (for example, a corporate trustee) with responsibility for overseeing the strategic direction of the entity and obligations related to the accountability of the entity. This includes overseeing the nancial reporting process. For some entities, those charged with governance may include management personnel, for example, executive members of a governance board of a private or public sector entity, or an owner-manager. In some smaller entities, however, one person may be charged with governance, for example, the owner-manager where there are no other owners, or a sole trustee. When governance is a collective responsibility, a subgroup, such as an audit committee or even an individual, may be charged with specic tasks to assist the governing body in meeting its responsibilities. Alternatively, a subgroup or individual may have specic, legally identied responsibilities that differ from those of the governing body.
Owner-manager
This refers to the proprietors of an entity involved in the running of the entity on a day-to-day basis. In most instances, the owner-manager will also be the person charged with governance of the entity.
xxiv
Small- and medium-sized accounting practices/rms (SMP)

Accounting practices/rms that generally exhibit the following characteristics: > Its clients are mostly small- and medium-sized entities (SMEs) > External sources are used to supplement limited in-house technical resources, and > It employs a limited number of professional staff.
Acronyms used in the Manual

AASB AGS APESB ASAs ASAEs ASRE Assertions (combined) Australian Accounting Standards Board Auditing and Assurance Guidance Statements issued by the former AuASB Accounting Professional & Ethical Standards Board Australian Auditing Standards issued by the AUASB Standards on Assurance Engagements issued by the AUASB Standards on Review Engagements issued by the AUASB C E A V AUASB CAATs F/R GS HR IAASB IC = Completeness = Existence = Accuracy and cut off = Valuation
Auditing and Assurance Standards Board Computer-assisted audit techniques Financial report Guidance Statements issued by the AUASB Human resources International Auditing and Assurance Standards Board Internal Control. The ve major components of internal control are as follows: CA CE IS MO RA = Control activities = Control environment = Information systems = Monitoring = Risk assessment
IFAC IFRS Institute ISAs IT R&D RAPs
International Federation of Accountants International Financial Reporting Standards Institute of Chartered Accountants in Australia International Standards on Auditing Information technology Research and development Risk assessment procedures
xxv
RMM SME SMP TCWG TOC
Risks of material misstatement Small- and medium-sized entities Small- and medium-sized (accounting) practices Those charged with governance Tests of controls
xxvi
Claried ASAs
Internationally, 2009 saw a complete reissue of the Auditing Standards, following the completion of the IAASBs Clarity project, which started in 2004. The project involved the application of new drafting conventions to all ISAs, either as part of a substantive revision or through a limited redrafting, to reect the new conventions and matters of clarity generally. The complete set of ISAs was effective for audits of nancial statements for periods beginning on, or after, 15 December 2009. The AUASB has adopted the Clarity standards as issued by the IAASB and, where necessary, adapted them to Australian requirements. The AUASB Clarity project involved a revision of all existing ASAs based on the new ISAs. The complete suite of Clarity ASAs was issued by the AUASB at the end of October 2009, and is operative for nancial reporting periods commencing on or after 1 January 2010. Practitioners are reminded that for audit engagements for nancial reporting periods commencing prior to 1 January 2010 the Clarity standards should not be adopted. In this Manual all extracts and references to ASAs are from the Clarity standards as issued October 2009. ASA 101 Preamble to Australian Auditing Standards As the ASAs are legally enforceable, the AUASB considered it necessary for an interpretive document to form part of the suite of standards. The purpose of ASA 101 is to deal with matters that are additional to those dealt with elsewhere in the Australian Auditing Standards. ASA 101 sets out the authority of paragraphs in the ASAs, lists those parts of the Corporations Act 2001 to which the Application paragraph in each Auditing Standard refers and describes the circumstances when an auditor need not document the reasons why a requirement is not relevant. ASA 101 relates to the Australian legislative environment and accordingly, there is no equivalent ISA.
Structure of claried standards

The claried ASAs have a common structure as outlined below.
ASA element Introduction Comments An explanation of the purpose and scope of the ASA, including how it relates to other ASAs, the subject matter of the ASA, specic expectations on the auditor and others, and the context in which the ASA is set.
Claried ASAs
xxvii
ASA element Objectives
Comments The objective to be achieved by the auditor as a result of complying with the requirements of the ASA. To achieve the overall objectives of the auditor, the auditor is required to use the objectives stated in relevant ASAs in planning and performing the audit, keeping in mind the interrelationships among the ASAs. ASA 200.21 (a) requires the auditor to: > Determine whether any audit procedures in addition to those required by the Australian Auditing Standards are necessary in pursuance of the objectives stated in the Australian Auditing Standards, and > Evaluate whether sufcient appropriate audit evidence has been obtained.
Denitions
A description of the meanings attributed to certain terms for purposes of the ASAs. These are provided to assist in the consistent application and interpretation of the ASAs. They are not intended to override denitions that may be established for other purposes, such as those contained in laws or regulations. Unless otherwise indicated, these terms carry the same meanings throughout the ASAs. This section outlines the specic auditor requirements. Each requirement contains the word shall. For example, ASA 200.15 contains the following requirement: The auditor shall plan and perform an audit with professional scepticism recognising that circumstances may exist that cause the nancial report to be materially misstated.
Requirements
Application and other explanatory material
The application and other explanatory material provides further explanation of the requirements of an ASA and guidance for carrying them out. In particular, it may: > Explain more precisely what a requirement means or is intended to cover > Where applicable, include considerations specic to smaller entities > Include examples of procedures that may be appropriate in the circumstances. However, the actual procedures selected by the auditor require the use of professional judgement based on the particular circumstances of the entity and the assessed risks of material misstatement. While such guidance does not in itself impose a requirement, it is relevant to the proper application of the requirements of an ASA. The application and other explanatory material may also provide background information on matters addressed in an ASA.
Conformity with International Standards on Auditing
In accordance with Australias international harmonisation commitments, the AUASB has drafted the claried ASAs using the equivalent ISAs as the base. Each ASA contains explanatory material describing how the ASA differs from the equivalent ISA, which is primarily to enable the standards to conform to the Australian regulatory environment and statutory requirements. Appendices form part of the application and other explanatory material. The purpose and intended use of an appendix are explained in the body of the related ASA or within the title and introduction of the appendix itself.
Appendices
xxviii
ASA index and cross-references

The ASA framework is illustrated below.
Foreword to AUASB pronouncements AUASB glossary
Framework for assurance engagements
ASQC 1 Quality Control for Firms that Perform Audits and Reviews of Financial Reports, Other Financial Information, and Other Assurance Engagements*
Audits and reviews of historical financial information
Assurance engagements other than audits or reviews of historical financial information
Australian Auditing Standards ASA 100-800* ASA 805 ASA 810
Standards on Review Engagements ASRE 2400 ASRE 2405 ASRE 2410* ASRE 2415*
Standards on Assurance Engagements ASAE 3000- 3500
Guidance Statements, other guidance AUASB Bulletins
* Made under section 336 of the Corporations Act 2001.
The following table cross-references the ASAs (relevant to SME auditing) and ASCQ 1 to the corresponding chapters in the Manual. Note that many ASAs (such as the use of analytical procedures) apply at various stages of the audit. This table only includes cross-references to the principal chapters in the
Claried ASAs
xxix
Manual in which the requirements are addressed. Some of the material in the ASAs is also addressed in other chapters, in recognition of the fact that many of the ASA requirements have some (but not primary) application in many chapters (such as the use of professional judgement).
ASA/ASQC reference ASQC 1 Primary Manual chapter Quality Control for Firms that Perform Audits and Reviews of Part A, 2, 14 Financial Reports and Other Financial Information, and Other Part B, 19 Assurance Engagements Preamble to Australian Auditing Standards Compliance with Ethical Requirements when Performing Audits, Reviews and Other Assurance Engagements Overall Objectives of the Independent Auditor and the Conduct of an Audit in Accordance with Australian Auditing Standards Agreeing the Terms of Audit Engagements Quality Control for an Audit of a Financial Report and Other Historical Financial Information Audit Documentation Claried ASAs Part A, 2 Part A ,1, 2
ASA 101 ASA 102 ASA 200
ASA 210 ASA 220 ASA 230 ASA 240
Part B, 19 Part A, 14 Part B 19, 36 Part A, 2, 14 Part B, 33
The Auditors Responsibilities Relating to Fraud in an Audit of Part A, 6, 7, 14 a Financial Report Part B, 22, 23, 24, 25 Consideration of Laws and Regulations in an Audit of a Financial Report Communication with Those Charged with Governance Communicating Deciencies in Internal Control to Those Charged with Governance and Management Planning an Audit of a Financial Report Part A, 13 Part B, 31, 37 Part B, 28 Part A, 7, 14 Part B, 19, 20, 22, 25, 31
ASA 250 ASA 260 ASA 265 ASA 300
ASA 315
Identifying and Assessing the Risks of Material Misstatement Part A, 1, 3, 4, through Understanding the Entity and Its Environment 6, 14 Part B, 22, 23, 24, 25, 26, 27, 29 Materiality in Planning and Performing an Audit The Auditors Responses to Assessed Risks Audit Considerations Relating to an Entity Using a Service Organisation Evaluation of Misstatements Identied during the Audit Audit Evidence Part A, 5 Part B, 21 Part A, 1, 7, 9, 14 Part B, 31, 32, 36 Part A, 13 Part B, 21, 36, 37 Part A, 7 Part B, 31, 32, 33
ASA 320 ASA 330 ASA 402 ASA 450 ASA 500
xxx
ASA/ASQC reference ASA 501 ASA 502 ASA 505 ASA 510 ASA 520 ASA 530 ASA 540 ASA 550 ASA 560 ASA 570 ASA 580 ASA 600 ASA 610 ASA 620 ASA 700 ASA 705 ASA 706 ASA 710 ASA 720 ASA 800 ASA 805 Audit Evidence Specic Considerations for Inventory and Segment Information Audit Evidence Specic Considerations for Litigation and Claims External Conrmations Initial Audit Engagements Opening Balances Analytical Procedures Audit Sampling Auditing Accounting Estimates, Including Fair Value Accounting Estimates, and Related Disclosures Related Parties Subsequent Events Going Concern Written Representations Special Considerations Audits of a Group Financial Report (Including the Work of Component Auditors) Using the Work of Internal Auditors Using the Work of an Auditors Expert Forming an Opinion and Reporting on a Financial Report Modications to the Opinion in the Independent Auditors Report
Primary Manual chapter Part A, 13 Part A, 13 Part A, 8 Part A, 13 Part A, 8 Part B, 36 Part B, 32 Part A, 9 Part B, 36 Part A, 10 Part A, 11 Part A, 12 Part B, 34 Part A, 13 Part A, 13 Part A, 13 Part A, 1, 15 Part B, 38
Emphasis of Matter Paragraphs and Other Matter Paragraphs Part B, 39 in the Independent Auditors Report Comparative Information Corresponding Figures and Comparative Financial Reports Part B, 40
The Auditors Responsibilities Relating to Other Information in Part A, 13 Documents Containing an Audited Financial Report Special Considerations Audits of Financial Reports Prepared in Accordance with Special Purpose Frameworks Special Considerations Audits of Single Financial Statements and Specic Elements, Accounts or Items of a Financial Statement Engagements to Report on Summary Financial Statements Part A, 15 Not addressed
ASA 810
Not addressed
ASAs 805 and 810 were considered to have limited application in the audits of SMEs at the present time so this edition of the Manual does not specically address them. The following table cross-references the Manuals chapters to the principal ASA chapters addressed.
Claried ASAs
xxxi
Note: This table provides a general cross-reference only. Many chapters in this Manual cover aspects addressed by more than one particular ASA.
Chapter Part A, 1 Part A, 2 Part A, 3 Part A, 4 Part A, 5 Part A, 6 Part A, 7 Part A, 8 Part A, 9 Part A, 10 Part A, 11 Part A, 12 Part A, 13 Title The risk-based audit overview Ethics, ASAs and quality control Internal control purpose and components Financial report assertions Materiality and audit risk Risk assessment procedures Responding to assessed risks Further audit procedures Accounting estimates Related parties Subsequent events Going concern Summary of other ASA requirements ASA reference Multiple ASQC 1, 102, 200, 220 315 315 320 240, 315 240, 300, 330, 500 330, 505, 520 540 550 560 570 250, 402, 501, 502, 510, 600, 610, 620, 720 ASQC 1, 220, 230, 240, 300, 315, 330 700, 800 ASQC 1, 210, 220, 300 300 320, 450 240, 300, 315 240, 315 240, 315 240, 315, 300 315 315 265 315 260, 300, 330, 500 330, 500, 530
Part A, 14
Audit documentation
Part A, 15 Part B, 19 Part B, 20 Part B, 21 Part B, 22 Part B, 23 Part B, 24 Part B, 25 Part B, 26 Part B, 27 Part B, 28 Part B, 29 Part B, 31 Part B, 32
Forming an opinion on a nancial report Engagement, acceptance and continuance Overall audit strategy Determining and using materiality Audit team discussions Inherent risks identication Inherent risk assessment Signicant risks Understanding internal control Evaluating internal control Communicating deciencies in internal control Concluding the risk assessment phase The responsive audit plan Determining the extent of testing
xxxii
Chapter Part B, 33 Part B, 34 Part B, 36 Part B, 37 Part B, 38 Part B, 39 Part B, 40
Title Documenting work performed Written representations Evaluating audit evidence Communicating with those charged with governance Modications to the auditors report Emphasis of matter and other matter paragraphs Comparative information
ASA reference 230, 500 580 220, 330, 450, 520, 540 260, 450 705 706 710
xxxiii
The audit process

The audit approach outlined in this Manual has been divided into three phases risk assessment, risk response and reporting. The following chart illustrates the nature of each phase and the interrelationships between the activities and phases.
Activity
Perform preliminary engagement activities
Purpose
Decide whether to accept engagement
Documentation1
Listing of risk factors Independence Engagement letter
Volume 1 Core Concepts
Risk assessment
Plan the audit
Develop an overall audit strategy and audit plan2
Materiality Audit team discussions Overall audit strategy
Perform risk assessment procedures
Identify/assess RMM3 through understanding the entity
Business and fraud risks including significant risks
Design/implementation of relevant internal controls Assessed RMM3 at: > F/R level > Assertion level
Risk response
Design overall responses and further audit procedures
Develop appropriate responses to the assessed RMM3
Update of overall strategy Overall responses Audit plan that links assessed RMM3 to further audit procedures
Implement responses to assessed RMM3
Reduce audit risk to an acceptably low level
Work performed Audit findings Staff supervision Working paper review
Evaluate the audit evidence obtained
Determine what additional audit work (if any) is required
Reporting
Yes
Is additional work required?
New/revised risk factors and audit procedures Changes in materiality Communications on audit findings Conclusions on audit procedures performed
No Prepare the auditors report Form an opinion based on audit findings Significant decisions Signed audit opinion
Notes: 1. Refer to ASA 230 for a more complete list of documentation required. 2. Planning (ASA 300) is a continual and iterative process throughout the audit. 3. RMM = Risks of material misstatement.
Part A
Core concepts
1.
The risk-based audit overview

Relevant ASAs
Chapter content Auditor objectives, basic elements and approach to performing a risk-based audit.
Multiple
PART A
Exhibit 1.0-1
Risk assessment Risk response
Design further audit procedures Evaluate the audit evidence obtained
Perform further audit procedures
Reporting
Plan the audit
Prepare the auditors report
Paragraph # 200.11
ASA objective(s) In conducting an audit of a nancial report, the overall objectives of the auditor are: (a) To obtain reasonable assurance about whether the nancial report as a whole is free from material misstatement, whether due to fraud or error, thereby enabling the auditor to express an opinion on whether the nancial report is prepared, in all material respects, in accordance with an applicable nancial reporting framework; and (b) To report on the nancial report, and communicate as required by the Australian Auditing Standards, in accordance with the auditors ndings.
Paragraph # 200.3
Relevant extracts from ASAs The purpose of an audit is to enhance the degree of condence of intended users in the nancial report. This is achieved by the expression of an opinion by the auditor on whether the nancial report is prepared, in all material respects, in accordance with an applicable nancial reporting framework. In the case of most general purpose frameworks, that opinion is on whether the nancial report is presented fairly, in all material respects, or gives a true and fair view in accordance with the framework. An audit conducted in accordance with Australian Auditing Standards and relevant ethical requirements enables the auditor to form that opinion. (Ref: Para. A1)
Paragraph # 200.5
Relevant extracts from ASAs As the basis for the auditors opinion, Australian Auditing Standards require the auditor to obtain reasonable assurance about whether the nancial report as a whole is free from material misstatement, whether due to fraud or error. Reasonable assurance is a high level of assurance. It is obtained when the auditor has obtained sufcient appropriate audit evidence to reduce audit risk (that is, the risk that the auditor expresses an inappropriate opinion when the nancial report is materially misstated) to an acceptably low level. However, reasonable assurance is not an absolute level of assurance, because there are inherent limitations of an audit which result in most of the audit evidence on which the auditor draws conclusions and bases the auditors opinion being persuasive rather than conclusive. (Ref: Para. A28-A52) The risks of material misstatement may exist at two levels: > The overall nancial report level, and > The assertion level for classes of transactions, account balances, and disclosures.
200.A34
200.A40
The Australian Auditing Standards do not ordinarily refer to inherent risk and control risk separately, but rather to a combined assessment of the risks of material misstatement. However, the auditor may make separate or combined assessments of inherent and control risk depending on preferred audit techniques or methodologies and practical considerations. The assessment of the risks of material misstatement may be expressed in quantitative terms, such as in percentages, or in non-quantitative terms. In any case, the need for the auditor to make appropriate risk assessments is more important than the different approaches by which they may be made. The auditor is not expected to, and cannot, reduce audit risk to zero and cannot therefore obtain absolute assurance that the nancial report is free from material misstatement due to fraud or error. This is because there are inherent limitations of an audit, which result in most of the audit evidence on which the auditor draws conclusions and bases the auditors opinion being persuasive rather than conclusive. The inherent limitations of an audit arise from: > The nature of nancial reporting > The nature of audit procedures, and > The need for the audit to be conducted within a reasonable period of time and at a reasonable cost.
200.A45
1.1
Overview
The auditors overall objectives in a risk-based audit are: > To obtain reasonable assurance about whether the nancial report as a whole is free from material misstatement, whether due to fraud or error, thereby enabling the auditor to express an opinion on whether the nancial report is prepared, in all material respects, in accordance with an applicable nancial reporting framework, and > To report on the nancial report and communicate, as required by the ASAs, in accordance with the auditors ndings.
Core concepts
Reasonable assurance
ASAs require the auditor to obtain reasonable assurance about whether the nancial report as a whole is free from material misstatement, whether due to fraud or error. Reasonable assurance is a high but not absolute level of assurance. It is obtained when the auditor has obtained sufcient appropriate audit evidence to reduce audit risk (that is, the risk that the auditor expresses an inappropriate opinion when the nancial report is materially misstated) to an acceptably low level. The auditor cannot provide absolute assurance due to the inherent limitations in the work carried out. This results from the majority of audit evidence (on which the auditor draws conclusions and bases the auditors opinion) being persuasive rather than conclusive.
PART A
Inherent limitations of an audit

The following exhibit outlines some of the inherent limitations of audit work performed.
Exhibit 1.1-1
Limitations The nature of nancial reporting Reasons The preparation of a nancial report involves: > Judgement by management in applying the applicable nancial reporting framework, and > Subjective decisions or assessments (such as estimates) by management involving a range of acceptable interpretations or judgements. Nature of audit evidence available Most of the auditors work in forming the auditors opinion consists of obtaining and evaluating audit evidence. This evidence tends to be persuasive in character rather than conclusive. Audit evidence is primarily obtained from audit procedures performed during the course of the audit. It may also include information obtained from other sources such as: > Previous audits > A rms quality control procedures for client acceptance and continuance > The entitys accounting records, and > Audit evidence prepared by an expert employed or engaged by the entity.
Limitations The nature of audit procedures
Reasons Audit procedures, however well designed will not detect every misstatement. Consider the following: > Any sample of less than 100% of a population introduces some risk that a misstatement will not be detected > Management or others may not provide, intentionally or unintentionally, the complete information required. Fraud may involve sophisticated and carefully organised schemes designed to conceal it, and > Audit procedures used to gather audit evidence may not detect that some information is missing.
Timeliness of nancial reporting
The relevance/value of nancial information tends to diminish over time so a balance needs to be struck between the reliability of information and its cost. Users of nancial reports expect that the auditor will form their opinion within a reasonable period of time and at a reasonable cost. Consequently, it is impracticable to address all information that may exist or to pursue every matter exhaustively on the assumption that information is in error or fraudulent until proved otherwise.
Scope of an audit
The scope of the auditors work and the opinion provided are usually conned to whether the nancial report is prepared, in all material respects, in accordance with the applicable nancial reporting framework. As a result, an unmodied auditors report does not provide any assurance about the future viability of the entity, nor the efciency or effectiveness with which management has conducted the affairs of the entity. Any extension of this basic audit responsibility, such as that required by local laws or securities regulations, would require the auditor to undertake further work and to modify or expand the auditors report accordingly.
Material misstatements
A material misstatement (the aggregate of all uncorrected misstatements and missing/misleading disclosures in the nancial report, including omissions) has occurred when they could reasonably be expected to inuence the economic decisions of users made on the basis of the nancial report.
Assertions
Assertions are representations by management, explicit or otherwise, that are embodied in the nancial report. They relate to the recognition, measurement, presentation and disclosure of the various elements (amounts and disclosures) in the nancial report. For example, the completeness assertion relates to all transactions and events that should have been recorded having been
Core concepts
recorded. They are used by the auditor to consider the different types of potential misstatements that may occur.
1.2
Audit risk
PART A
Audit risk is the risk of expressing an inappropriate audit opinion on the nancial report that is materially misstated. The objective of the audit is to reduce this audit risk to an acceptably low level. Audit risk has two key elements, as illustrated below.
Exhibit 1.2-1
Risk Inherent and control risks Detection risk Nature The nancial report may contain a material misstatement. The auditor may fail to detect a material misstatement in the nancial report. Source Entity objectives/operations and managements design/implementation of internal control. Nature and extent of the procedures performed by the auditor.
To reduce audit risk to an acceptably low level, the auditor is required to: > Assess the risks of material misstatement, and > Limit detection risk. This may be achieved by performing procedures that respond to the assessed risks of material misstatement, both at the nancial report level and at the assertion level for classes of transactions, account balance and disclosures.
Audit risk components

The major components of audit risk are described in the exhibit below.
Exhibit 1.2-2
Nature Inherent risk Description The susceptibility of an assertion about a class of transaction, account balance or disclosure to a misstatement that could be material, either individually or when aggregated with other misstatements, before consideration of any related controls. Commentary This includes events or conditions (internal or external) that could result in a misstatement (error or fraud) in the nancial report. The sources of risk (often categorised as business or fraud risks) can arise from the entitys objectives, the nature of its operations/ industry, the regulatory environment in which it operates and its size and complexity.
Nature Control risk
Description The risk that a misstatement that could occur in an assertion about a class of transaction, account balance or disclosure and that could be material, either individually or when aggregated with other misstatements, will not be prevented, or detected and corrected, on a timely basis by the entitys internal control.
Commentary Management designs controls to mitigate a specied inherent (business or fraud risk) factor. An entity assesses its risks (risk assessment) and then designs and implements appropriate controls to reduce its risk exposure to a tolerable (acceptable) level. Controls may be: > Pervasive in nature such as managements attitude toward control, commitment to hiring competent people and prevention of fraud. These are generally called entity-level controls, and > Specic to the initiation, processing or recording of a particular transaction. These are often called business process, activity-level or transaction controls.
Detection risk
The risk that the procedures performed by the auditor to reduce audit risk to an acceptably low level will not detect a misstatement that exists and that could be material, either individually or when aggregated with other misstatements.
The auditor assesses the risks of material misstatement (inherent and control risk) at the nancial report and assertion levels. Audit procedures are then developed to reduce audit risk to an acceptably low level. This includes consideration of the potential risk of: > Selecting an inappropriate audit procedure > Misapplying an appropriate audit procedure, or > Misinterpreting the results from an audit procedure.
Note: The ASAs dene the risk of material misstatement at the assertion level as consisting of two components; inherent risk and control risk. Consequently, the ASAs do not ordinarily refer to inherent risk and control risk separately, but rather to a combined assessment of the risks of material misstatement. However, the auditor may make separate or combined assessments of inherent and control risk depending on preferred audit techniques or methodologies and practical considerations.
Core concepts
Consider point
Many inherent risks can result in both business and fraud risks. Where this occurs, list and assess the fraud risk factors separately from the business risk factors. Otherwise it is possible that the audit response will only address the business risk element and not the fraud risk. Separating the fraud risk element from a business risk also enables the fraud to be assessed in relation to all the other fraud risks identied. This may help to reveal an unusual pattern of events/transactions for investigation or an individual(s) with the motive opportunity and rationalisation to commit fraud. For example, a new accounting system may create potential for errors (business risk) but may also provide an opportunity for someone to manipulate nancial results or misappropriate funds (fraud risk). PART A
High
Summary of the audit risk components Exhibit 1.2-3

Entity objective
Prepare financial report that is not materially misstated Low risk Moderate risk High risk
Inherent risk
Business/fraud risks that would prevent objective being achieved
Control risk Risk of material misstatement

Managements residual risk
Low
Managements response: Internal controls that mitigate the risks identified
Risk exposure to fraud and error
Note: The length of the bars in the chart would vary based on the particular circumstances and risk prole of the entity.
10
Exhibit 1.2-4
Auditors objective
Determine whether entitys financial report is free from material misstatement Low risk Inherent risk Moderate risk High risk
Where could material misstatements in the financial report occur?
Control risk
Assessed risk of misstatement
Do managements internal controls mitigate the inherent risks identified?
Risks of material misstatement
Audit procedures designed to respond to risks of misstatement identified

Audit risk reduced to an acceptably low level
Low
High
Note: The length of the bars in the chart would vary based on the particular circumstances and risk prole of the entity and the nature of the auditors response.
1.3
200.15
How to perform a risk-based audit

Relevant extracts from ASAs The auditor shall plan and perform an audit with professional scepticism, recognising that circumstances may exist that cause the nancial report to be materially misstated. (Ref: Para. A18-A22) The auditor shall exercise professional judgement in planning and performing an audit of a nancial report. (Ref: Para. A23-A27) To obtain reasonable assurance, the auditor shall obtain sufcient appropriate audit evidence to reduce audit risk to an acceptably low level and thereby enable the auditor to draw reasonable conclusions on which to base the auditors opinion. (Ref: Para. A28-A52) To achieve the overall objectives of the auditor, the auditor shall use the objectives stated in relevant Australian Auditing Standards in planning and performing the audit, having regard to the interrelationships among the Australian Auditing Standards, to: (Ref: Para. A67-A69) (a) Determine whether any audit procedures in addition to those required by the Australian Auditing Standards are necessary in pursuance of the objectives stated in the Australian Auditing Standards, and (Ref: Para. A70) (b) Evaluate whether sufcient appropriate audit evidence has been obtained. (Ref: Para. A71)
Paragraph #
200.16 200.17
200.21
Core concepts
11
A risk-based audit has three key steps, as illustrated below.
Exhibit 1.3-1
Steps (Phases) Risk assessment Risk response Description Performing risk assessment procedures to identify and assess the risks of material misstatement in the nancial report. Designing and performing further audit procedures that respond to identied and assessed risks of material misstatement at both the nancial report and assertion levels. This involves: (a) Forming an opinion based on the audit evidence obtained, and (b) Preparing and issuing a report that is appropriate to the conclusions reached.
Reporting
A simple way of describing the three elements is illustrated below.
Exhibit 1.3-2
Risk assessment
Reporting
What events*
could occur that would cause a material misstatement in the financial report?
Risk response
Did the events* identified occur and result in a material misstatement in the financial report?
What audit opinion,

based on the evidence obtained, is appropriate on the financial report?
An event is simply a business or fraud risk factor (see descriptions in Exhibit 1.2-2) that, if it actually occurred, would adversely affect the entitys ability to achieve its objective of preparing a nancial report that does not contain material misstatements resulting from error and fraud. This would also include risks resulting from the absence of internal control to mitigate the potential for material misstatements in the nancial report.
The various tasks involved in each of these three phases are outlined below. Each phase is addressed in more detail in subsequent chapters of this Manual.
Risk assessment
Paragraph # 315.3 ASA objective(s) The objective of the auditor is to identify and assess the risks of material misstatement, whether due to fraud or error, at the nancial report and assertion levels, through understanding the entity and its environment, including the entitys internal control, thereby providing a basis for designing and implementing responses to the assessed risks of material misstatement.
PART A
12
Exhibit 1.3-3
Activity
Purpose
Documentation1
Risk assessment
Plan the audit
An effective risk assessment phase would include the following:
Exhibit 1.3-4
Requirements Up-front involvement of senior team members Description The engagement partner and other key members of the engagement team need to be actively involved in planning the audit and in planning and participating in the discussion among engagement team members. This will ensure the audit plan takes advantage of their experience and insight. Note that ASAs usually refer to the term auditor as the person(s) performing the engagement. Where an ASA intends a requirement or responsibility be fullled by the engagement partner, the term engagement partner rather than auditor is used. The auditor cannot be expected to disregard past experience of the honesty and integrity of the entitys management and those charged with governance. Nevertheless, a belief that management and those charged with governance are honest and have integrity does not relieve the auditor of the need to maintain professional scepticism or allow the auditor to be satised with less-than-persuasive audit evidence when obtaining reasonable assurance.
An emphasis on professional scepticism
Core concepts
13
Requirements Planning
Description The time spent in audit planning (developing the overall audit strategy and audit plan) will ensure that audit objectives are properly met and that the work of audit staff is always focused on gathering evidence on the most critical areas of potential misstatement.
> Informing staff about the client in general and discussing potential risk areas > Discussing the effectiveness of the overall audit strategy and the audit plan and then making changes as necessary > Brainstorming how fraud could occur and then designing an appropriate response, and > Allocating audit responsibilities and setting timeframes. Ongoing communication among the audit team throughout the engagement is also important, the better to discuss and address audit issues as they arise, any unusual activities noted or possible indicators of fraud. This will enable timely communications to management and, where necessary changes to the audit strategy and audit procedures.
Focus on risk identication
The most important step in a risk assessment process is to identify all the relevant risks. If business and fraud risk factors are not identied by the auditor, they will not be assessed or documented and an appropriate audit response (if required) will not be designed. This is why well-designed risk assessment procedures are so important to the effectiveness of the audit. These risk assessment procedures also need to be performed by the appropriate level of staff. A key step in the risk assessment process is to evaluate the effectiveness of managements responses (that is, managements control design/implementation), if any, to mitigate the identied risks of material misstatement in the nancial report. In smaller entities, more reliance will likely be placed on the control environment and monitoring of controls and less on the traditional control activities. The ASA audit requirements require the use and then documentation of signicant judgements made by the auditor throughout the audit. Typical examples of tasks throughout the risk assessment process include: > Deciding to accept or continue with the client > Developing the overall audit strategy > Establishing materiality > Assessing risks of material misstatement, including the identication of signicant risks and other areas, where special audit consideration may be necessary, and > Developing expectations for use when performing analytical procedures.
Ability to evaluate managements response(s) to risk
Use of professional judgement
PART A
Team discussions and ongoing communication
A team planning a discussion/meeting with the engagement partner present provides an excellent forum for:
14
Risk response
Paragraph # 330.3 ASA objective(s) The objective of the auditor is to obtain sufcient appropriate audit evidence regarding the assessed risks of material misstatement, through designing and implementing appropriate responses to those risks.
Exhibit 1.3-5
Activity
Purpose
Documentation1
Update of overall strategy Overall responses2 Audit plan that links assessed RMM3 to further audit procedures
Risk response
In this phase, the auditor considers the reasons (inherent and control risks) for the risk assessments at the nancial report level and at the assertion level (for each class of transactions, account balance, and disclosure), and develops responsive audit procedures. The auditors response to the assessed risks of material misstatement is documented in an audit plan that: > Contains an overall response to the risks identied at the nancial report level > Addresses the material nancial report areas, and > Contains the nature, extent and timing of specic audit procedures tailored to respond to the assessed risks of material misstatement at the assertion level. The overall responses address assessed risks of material misstatement at the nancial report level. Such responses would include the assignment and supervision of appropriate personnel, need for professional scepticism, the extent of corroboration required for managements explanations/ representations, consideration of the audit procedures to be performed and what documentation would be examined in support of material transactions. Further audit procedures generally consist of substantive procedures such as tests of details, analytical procedures and tests of controls (where there is
Core concepts
15
an expectation that such controls have been operating effectively during the period). Some of the matters the auditor should consider when planning the appropriate mix of audit procedures to respond to identied risks include the following: > Use of tests of controls Identify relevant internal controls that, if tested, would reduce the need/ scope for other substantive procedures. As a general rule, the sample size for testing controls is often signicantly less than that of a substantive test of a transaction stream. Assuming that the relevant controls operate consistently and control deviations are unlikely, the use of tests of controls can often result in less work being performed. However, there is no requirement that the operating effectiveness of internal controls (direct or indirect) be tested Identify any assertions that cannot be addressed by substantive procedures alone. For example, this can often apply to completeness of sales in a small entity and situations where there is highly automated processing of transactions (such as internet sales) with little or no manual intervention. > Substantive analytical procedures These are procedures for which the total amount of a transaction stream can be reliably predicted based on available evidence. This expectation is compared to the actual amount in the accounting records and the extent of any misstatement readily identied (See Part A, Chapter 8). In some cases, if the assessed risk for a particular assertion is low (without considering related controls), the auditor may determine that substantive analytical procedures alone would provide sufcient appropriate audit evidence. > Unpredictability The need to incorporate an element of unpredictability in procedures performed. A typical example would be procedures to address possible fraud. > Management override The need for specic audit procedures to address the potential for management override. > Signicant risks The audit response to signicant risks that have been identied. (See Part B, Chapter 25)
PART A
16
Reporting
Paragraph # 700.6 ASA objective(s) The objectives of the auditor are: (a) To form an opinion on the nancial report based on an evaluation of the conclusions drawn from the audit evidence obtained, and (b) To express clearly that opinion through a written report that also describes the basis for that opinion.
Exhibit 1.3-6
Back to risk assessment2
Activity
Purpose
Documentation
Reporting
Yes
No Prepare the auditors report Form an opinion based on audit findings Significant decisions Signed audit opinion
Notes: 1. Refer to ASA 230 for a more complete list of documentation required. 2. Planning (ASA 300) is a continual and iterative process throughout the audit.
The nal phase of the audit is to assess the audit evidence obtained and determine whether it is sufcient and appropriate to reduce audit risk to an acceptably low level. It is important during this phase of the audit to determine: > Any change in the assessed level of risk > Whether conclusions drawn from the work performed are appropriate > If any suspicious circumstances have been encountered, and > That additional risks (not previously identied) have been appropriately assessed and further audit procedures performed as required.
Core concepts
17
A team debrieng meeting (towards or at the end of the eldwork) is not a specic requirement of the ASAs, but can be useful for staff to discuss the audit ndings, identify any indications of fraud and determine the need (if any) to perform any further audit procedures. When all procedures have been performed and conclusions reached:
PART A
> Audit ndings should be reported to management and those charged with governance, and > An audit opinion should be formed and a decision made on the appropriate wording for the auditors report.
1.4
Documentation
Sufcient audit documentation is required to enable an experienced auditor, having no previous connection with the audit, to understand: > The nature, timing and extent of the audit procedures performed > The results of performing those procedures and the audit evidence obtained > Signicant matters arising during the audit and the conclusions reached thereon, and > Signicant professional judgements made in reaching those conclusions. Audit documentation for a smaller entity is generally less extensive than that for the audit of a larger entity. For example, various aspects of the audit could be recorded together in a single document, with cross-references to supporting working papers as appropriate. It is not necessary for the auditor to document: > Every minor matter considered, or every professional judgement made, in an audit, and > Compliance with matters for which compliance is demonstrated by documents included within the audit le. For example, an audit plan on le demonstrates that the audit was planned and a signed engagement letter demonstrates that the auditor has agreed to the terms of the audit engagement.
18
1.5
Benets of the risk-based audit
Some of the benets of the risk-based approach are summarised in the exhibit below.
Exhibit 1.5-1
Benets Time exibility when audit work needs to be performed Description Risk assessment procedures can often be performed earlier in the entitys scal period than was possible before risk-based auditing was introduced. Because risk assessment procedures do not involve the detailed testing of transactions and balances, they can be performed well before the period end, assuming no major operational changes are anticipated. This can help in balancing the workload of audit staff more evenly throughout the period. It may provide the client with time to respond to identied (and communicated) weaknesses in internal control and other requests for assistance before the commencement of period-end audit eldwork. However, where interim nancial information is not readily available, the analytical risk assessment procedures may have to be performed at a later date. By understanding where the risks of material misstatement can occur in the nancial report, the auditor can direct the audit teams effort toward high-risk areas and perhaps reduce work in lower risk areas. This will also help to ensure that audit staff resources are used effectively. Further audit procedures are designed to respond to assessed risks. Consequently, tests of details that only address risks in general terms may be signicantly reduced or even eliminated. The required understanding of internal control enables the auditor to make informed decisions on whether to test the operating effectiveness of internal control. Tests of controls (for which some controls may only require testing every three years) will often result in much less work being required than performing extensive tests of details. (See Part B, Chapter 32.) The improved understanding of internal control may enable the auditor to identify weaknesses in internal control (such as in the control environment and general IT controls) that were not previously recognised. Communicating these weaknesses to management on a timely basis will enable them to take appropriate action, which is to their benet. This may also save time in performing the audit.
Audit teams effort focused on key areas
Audit procedures focused on specic risks Understanding of internal control
Timely communication of matters of interest to management
1.6
200.A63
ASAs for smaller audits

Relevant extracts from application material in ASAs When appropriate, additional considerations specic to audits of smaller entities and public sector entities are included within the application and other explanatory material of an Auditing Standard. These additional considerations assist in the application of the requirements of the Auditing Standard in the audit of such entities. They do not, however, limit or reduce the responsibility of the auditor to apply and comply with the requirements of the Australian Auditing Standards.
Paragraph #
Core concepts
19
Paragraph # 200.A64
Relevant extracts from application material in ASAs For purposes of specifying additional considerations to audits of smaller entities, a smaller entity refers to an entity which typically possesses qualitative characteristics such as: (a) Concentration of ownership and management in a small number of individuals (often a single individual either a natural person or another enterprise that owns the entity provided the owner exhibits the relevant qualitative characteristics); and (b) One or more of the following: (i) (ii) Straightforward or uncomplicated transactions; Simple record-keeping;
(iii) Few lines of business and few products within business lines; (iv) Few internal controls; (v) Few levels of management with responsibility for a broad range of controls; or (vi) Few personnel, many having a wide range of duties. These qualitative characteristics are not exhaustive, they are not exclusive to smaller entities and smaller entities do not necessarily display all of these characteristics. 200.A65 The considerations specic to smaller entities included in the Australian Auditing Standards have been developed primarily with unlisted entities in mind. Some of the considerations, however, may be helpful in audits of smaller listed entities. The Australian Auditing Standards refer to the proprietor of a smaller entity who is involved in running the entity on a day-to-day basis as the owner-manager.
200.A66
ASAs do not distinguish the audit approach required for a one-person entity from that required for a national entity employing thousands of people. An audit is an audit. Consequently, the basic approach to an audit does not change just because the entity is small. The word audit is intended to convey a clear message to users of the nancial report. That message is that the auditor has obtained reasonable assurance that the nancial report is free from material misstatements, regardless of the size or type of the entity that has been audited.
IAASB publication on use of Auditing Standards on all types and sizes of entities
This issue of proportionality was addressed by IAASB staff in a staff questions and answers document, entitled Applying ISAs Proportionately with the Size and Complexity of an Entity,1 issued in August 2009. Its purpose was to assist auditors in applying the claried ISAs in a cost-effective manner. The response
1
Applying ISAs Proportionately with the Size and Complexity of an Entity is at: http://web.ifac.org/publications/internationalauditing-and-assurance-standards-board/practice-alerts-and-q-as#applying-isas-proportionate.
PART A
20
to the question How do ISAs address the different characteristics of a small entity from a larger, more complex entity? was as follows:
The auditors objectives are the same for audits of entities of different sizes and complexities. This, however, does not mean that every audit will be planned and performed in exactly the same way. The ISAs recognise that the specic audit procedures to be undertaken to achieve the auditors objectives and to comply with the requirements of the ISAs may vary considerably depending on whether the entity being audited is large or small and whether it is complex or relatively simple. The requirements of the ISAs, therefore, focus on matters that the auditor needs to address in an audit and do not ordinarily detail the specic procedures that the auditor should perform. The ISAs also explain that the appropriate audit approach for designing and performing further audit procedures depends on the auditors risk assessment. For example, based on the required understanding of the entity and its environment, including its internal control and the assessed risks of material misstatement, the auditor may determine that a combined approach using both tests of controls and substantive procedures is an effective approach in the circumstances in responding to the assessed risks. In other cases, for example, in the context of an SME audit where there are not many control activities in the SME that can be identied by the auditor, the auditor may decide that it is efcient to perform further audit procedures that are primarily substantive procedures. It is also important to note that the ISAs acknowledge that the appropriate exercise of professional judgement is essential to the proper conduct of an audit. Professional judgement is necessary, in particular, regarding decisions about the nature, timing, and extent of audit procedures used to meet the requirements of the ISAs and gather audit evidence. However, while the auditor of an SME needs to exercise professional judgement, this does not mean that the auditor can decide not to apply a requirement of an ISA except in exceptional circumstances and provided that the auditor performs alternative audit procedures to achieve the aim of the requirement.
The key points in the excerpt above can be summarised as follows: > Audit objectives are the same for any size of audit > The specic audit procedures required may vary considerably depending on the size of entity and the assessed risks > The ISAs (ASAs in Australia) focus on matters the auditor needs to address not on the details of specic procedures > The design of further audit procedures depends on the auditors risk assessment > The appropriate exercise of professional judgement is essential in tailoring the procedures to respond appropriately to the assessed risks, and > Professional judgement cannot be used to avoid compliance with any ASA requirements except in exceptional circumstances. In addition, the ASAs contain a number of special paragraphs that address
Core concepts
21
considerations specic to audits of SMEs. This material provides useful guidance material in applying specic ASA requirements in the context of an SME audit. Some suggestions for successfully implementing Auditing Standards on smaller engagements are included in the following exhibit:
Exhibit 1.6-1
1. Take time to read the claried Auditing Standards and to train staff. Failure to understand the requirements can lead to: > The entire risk assessment phase of the audit becoming an add on to the other substantive audit work performed. It should be the risk assessment that drives the selection of audit procedures to be performed, not a standardised listing of procedures that could be applied to any entity. The purpose of the risk assessment is to focus the audit effort on areas where there is a greater risk of material misstatement in the nancial report and away from less risky areas. > Turning what should be a simple audit into a complex and time-consuming project. This can arise if efforts are focused on completing needless standard audit forms and checklists rather than using professional judgement to scale the work according to the size and complexity of the entity being audited and the risks involved. > Failure to comply with an Auditing Standard (the auditor shall) requirement. 2. Take time to plan well no matter how small the engagement. It has been said an hour spent in planning can save many more in execution. Effective audit planning is often the difference between a quality audit within budget and a poor quality audit that goes over budget. This does not necessarily mean holding dedicated team meetings in the ofce. On very small engagements, planning can be achieved through brief discussions at the start of the engagement and as the audit progresses. Key areas to address in planning: > Encourage staff to identify areas where the usual audit procedures seem excessive in relation to the risk of misstatement being addressed. > Take time to ensure that each staff member understands the necessity and purpose of the documentation they are required to complete. Countless hours can be lost by staff attempting to complete forms they do not understand. > Discuss the potential for fraud. Encourage staff to be sceptical and inquisitive and empower them to raise issues, observations, or unexplained matters. > Discuss known related parties and the nature/size of transactions. > Consider whether the audit documentation prepared in previous periods can simply be updated for changes that have occurred rather than be prepared all over again. Documentation and assessment of risk factors and relevant internal controls should be sufcient to enable auditors in subsequent periods to leverage their understanding of the entity and focus attention on new industry trends, key operational changes, new inherent risks and revised internal controls.
PART A
22
3. Evaluate the control environment Take time to understand the pervasive internal controls that are part of the control environment. Pervasive controls are quite different from transactional controls; they address such matters as integrity and ethics, corporate governance, employee competence, managements attitudes toward control, fraud prevention, risk management and control monitoring. If the tone at the top is poor, management override can easily occur and even the very best transactional controls over processes such as purchases and sales could be undermined. 4. Aim for continual improvement There is a tendency for some auditors to blindly follow the example of the previous auditor, resulting in a le that mirrors that of the previous year. A much better approach is to continually review/challenge the work performed in previous years and identify changes that will make the audit more efcient and effective.
Core concepts
23
2.
Ethics, ASAs and quality control

Relevant ASAs/ASQCs
Chapter content Matters to be addressed in a rms system of quality control to ensure compliance with relevant ethical (including independence) requirements and the ASAs.
ASQC 1, ASAs 102, 200, 220

PART A
Exhibit 2.0-1
Firms values and goals Leadership (roles, assignments and accountability)
Ethics and independence
Client acceptance and continuance
Engagement performance
Staff management
Documentation and ongoing monitoring

(Firms QC system and engagement files)
Paragraph # ASQC 1.11
ASQC/ASA objective(s) The objective of the rm is to establish and maintain a system of quality control to provide it with reasonable assurance that: (a) The rm and its personnel comply with AUASB Standards, relevant ethical requirements and applicable legal and regulatory requirements; and (b) Reports issued by the rm or engagement partners are appropriate in the circumstances.
ASA 102.3
The objective of the auditor, assurance practitioner, engagement quality control reviewer and rm is to comply with relevant ethical requirements, including those pertaining to independence, relating to audits, reviews and other assurance engagements. The objective of the auditor is to implement quality control procedures at the engagement level that provide the auditor with reasonable assurance that: (a) The audit complies with Australian Auditing Standards, relevant ethical requirements and applicable legal and regulatory requirements; and (b) The auditors report issued is appropriate in the circumstances.
ASA 220.6
Relevant extracts from ASAs/ASQC1 Personnel within the rm responsible for establishing and maintaining the rms system of quality control shall have an understanding of the entire text of this Standard, including its application and other explanatory material, to understand its objective and to apply its requirements properly.
24
Relevant extracts from ASAs/ASQC1 The rm shall establish policies and procedures designed to promote an internal culture recognising that quality is essential in performing engagements. Such policies and procedures shall require the rms chief executive ofcer (or equivalent) or, if appropriate, the rms managing board of partners (or equivalent), to assume ultimate responsibility for the rms system of quality control. (Ref: Para. A4-A5) The rm shall establish policies and procedures such that any person or persons assigned operational responsibility for the rms system of quality control by the rms chief executive ofcer or managing board of partners has sufcient and appropriate experience and ability, and the necessary authority, to assume that responsibility. (Ref: Para. A6) The rm shall establish policies and procedures designed to provide it with reasonable assurance that it has sufcient personnel with the competence, capabilities and commitment to ethical principles necessary to: (a) Perform engagements in accordance with AUASB Standards, relevant ethical requirements, and applicable legal and regulatory requirements; and (b) Enable the rm or engagement partners to issue reports that are appropriate in the circumstances. (Ref: Para. A24-A29)
ASQC 1.19
ASQC 1.29
ASQC 1.32
The rm shall establish policies and procedures designed to provide it with reasonable assurance that engagements are performed in accordance with AUASB Standards, relevant ethical requirements, and applicable legal and regulatory requirements, and that the rm or the engagement partner issue reports that are appropriate in the circumstances. Such policies and procedures shall include: (a) Matters relevant to promoting consistency in the quality of engagement performance; (Ref: Para. A32-A33) (b) Supervision responsibilities; and (Ref: Para. A34) (c) Review responsibilities. (Ref: Para. A35)
ASQC 1.48
The rm shall establish a monitoring process designed to provide it with reasonable assurance that the policies and procedures relating to the system of quality control are relevant, adequate and operating effectively. This process shall: (a) Include an ongoing consideration and evaluation of the rms system of quality control including, on a cyclical basis, inspection of at least one completed engagement for each engagement partner; (b) Require responsibility for the monitoring process to be assigned to a partner or partners or other persons with sufcient and appropriate experience and authority in the rm to assume that responsibility; and (c) Require that those performing the engagement or the engagement quality control review are not involved in inspecting the engagements. (Ref: Para. A64-Aus A68.1)
ASQC 1.57
The rm shall establish policies and procedures requiring appropriate documentation to provide evidence of the operation of each element of its system of quality control. (Ref: Para. A73-A75)
Core concepts
25
Paragraph # ASA 102.5
Relevant extracts from ASAs/ASQC1 The auditor, assurance practitioner, engagement quality control reviewer and rm shall comply with relevant ethical requirements, including those pertaining to independence, when performing audits, reviews and other assurance engagements.
200.14
200.15
The auditor shall plan and perform an audit with professional scepticism recognising that circumstances may exist that cause the nancial report to be materially misstated. (Ref: Para. A18-A22) The auditor shall exercise professional judgement in planning and performing an audit of nancial report. (Ref: Para. A23-A27) On or before the date of the auditors report, the engagement partner shall, through a review of the audit documentation and discussion with the engagement team, be satised that sufcient appropriate audit evidence has been obtained to support the conclusions reached and for the auditors report to be issued. (Ref: Para. A18-A20) The engagement partner shall: (a) Take responsibility for the engagement team undertaking appropriate consultation on difcult or contentious matters; (b) Be satised that members of the engagement team have undertaken appropriate consultation during the course of the engagement, both within the engagement team and between the engagement team and others at the appropriate level within or outside the rm; (c) Be satised that the nature and scope of, and conclusions resulting from, such consultations are agreed with the party consulted; and (d) Determine that conclusions resulting from such consultations have been implemented. (Ref: Para. A21-A22)
200.16 220.17
220.18
220.19
For audits of nancial reports of listed entities, and those other audit engagements, if any, for which the rm has determined that an engagement quality control review is required, the engagement partner shall: (a) Determine that an engagement quality control reviewer has been appointed; (b) Discuss signicant matters arising during the audit engagement, including those identied during the engagement quality control review, with the engagement quality control reviewer; and (c) Not date the auditors report until the completion of the engagement quality control review. (Ref: Para. A23-A25)
2.1
Overview
Performing quality work begins with strong leadership within the rm and engagement partners committed to the highest ethical standards.
PART A
The auditor shall comply with relevant ethical requirements, including those pertaining to independence, relating to nancial report audit engagements. (Ref: Para. A14-A17)
26
This chapter focuses on developing the system of quality control within a rm. It provides some practical guidance on matters that need to be considered whenever a rm decides to perform audit engagements. The provision of quality audits and related services is vital to: > Safeguarding the public interest > Maintaining client satisfaction > Delivering value for money > Ensuring compliance with professional standards, including relevant ethical requirements, and > Establishing and maintaining a professional reputation. The Institutes Quality Control Guide can help rms meet the requirements of APES 320 Quality Control for Firms and ASQC 1 Quality Control for Firms that Perform Audits and Reviews of Financial Reports, Other Financial Information, and Other Assurance Engagements.

The principles of independence and objectivity impose obligations on auditors to be fair, honest and free from conicts of interest. In accordance with ASA 102 Compliance with Ethical Requirements when Performing Audits, Reviews and Other Assurance Engagements, the objective of the auditor (and the engagement team) is to comply with relevant ethical requirements. In Australia, this effectively requires all members of the professional accounting bodies involved with assurance engagements to maintain the fundamental principles of professional ethics as described in APES 110 Code of Ethics for Professional Accountants. These fundamental principles are: > Integrity > Objectivity > Professional competence and due care > Condentiality, and > Professional behaviour. In addition, for audits and reviews undertaken in accordance with the Corporations Act 2001, the independence requirements of Division 3, Part 2M.4 may apply. Independence is fundamental to the principles of integrity and objectivity. An auditor has a signicant responsibility to uphold the public interest when performing assurance services. An auditors independence, integrity and
Core concepts
27
objectivity are crucial to maintaining condence in the audited nancial reports. APES 110 section 290, deals primarily with the potential threats to the independence requirements for assurance engagements. Because APES 110 adopts a conceptual framework rather than a rules-based approach, section 290 must be read in light of specic legislative requirements, such as the Corporations Act 2001. Compliance with the fundamental principles may be threatened by a broad range of circumstances, but for APES 110 these are categorised as: > Self-interest > Self-review > Advocacy > Familiarity, and > Intimidation. Section 290 contains examples that illustrate the application of the conceptual framework; it does not provide clear determinations of which situations do or do not create a threat to independence. All members are expected apply the framework rather than merely complying with the examples in section 290.
2.2 Quality control systems

The system of quality control in an accounting rm could be mapped to the ve internal control elements that auditors are required to evaluate as part of understanding any entity being audited. In a rm, these ve internal control elements would also be applicable to control systems in place (other than quality control), such as time and billing, ofce workow, expense control and marketing activities. The following diagram maps the quality control elements outlined in ASQC 1 and ASA 220 to the ve internal control components contained in ASA 315, which are applicable to entities being audited. Each of these ve control elements is more fully addressed in Part A, Chapter 3 of this Manual.
PART A
28
Exhibit 2.2-1
Internal control elements (ASA 315) Control environment (tone at the top) Firm level QC elements (ASQC 1) > Leadership responsibilities for quality within the rm > Relevant ethical requirements > Human resources. Risk assessment (what could go wrong?) > Acceptance and continuance of client relationships and specic engagements. Engagement level QC elements (ASA 220) > Leadership responsibilities for quality on audits > Relevant ethical requirements > Assignment of engagement teams. > Acceptance and continuance of client relationships and audit engagements > Risks that the report might not be appropriate in the circumstances. Information systems (tracking performance) Control activities (prevent and detect/ correct controls) Monitoring (are the rms/ engagements objectives being met?) > Quality control system documentation. > Engagement performance. > Audit documentation. > Engagement performance.
> Ongoing monitoring of the rms quality control policies and procedures.
> Applying results of ongoing monitoring to specic audit engagements.
2.3
The control environment
Delivery of high-quality and cost-effective services is the principal driver of success for professional audit rms. Quality service is also vital in relation to the public-interest responsibilities of professional accountants. The provision of quality services should always be a key objective in the rms business strategy; that needs to be communicated to all personnel on a regular basis and the results monitored. This requires leadership and accountability for promised actions. Poor quality control can lead to inappropriate opinions, poor client service, lawsuits and loss of reputation. In smaller rms, some of the hindrances to a strong tone at the top could include matters set out below.
Core concepts
29
Exhibit 2.3-1
Hindrance Poor attitudes Description A poor attitude is at the heart of most hindrances to quality. It includes such attitudes (but not necessarily this extreme) as the following: > Firm continually operates in a crisis mode > Poorly planned engagements and activities are the norm > Poor commitment to quality or compliance with the highest ethical standards > Not caring about the expectations of quality by the public and other stakeholders > Regarding changes in Auditing Standards as only applicable to big entities. Some practices and terminology may get changed to demonstrate compliance on the surface but in substance the old audit practices continue as before > Belief that there is no risk to the rm in small audits, so work performed should be minimal > Audit work tailored to the fee received, not the risk involved > Clients considered totally trustworthy by the control partner > Minimising or avoiding the need for engagement quality control reviews > Belief that, because the clients pay the bill, they must get what they want > Partners keeping (or accepting) an audit client (for the fees generated) even though it is (would be) highly risky for the rm > Unwillingness to adopt standard rm policies on quality control. A partner wants les and working papers to be prepared in their way without regard for what others do, and > Asking staff to follow the rms policies but not complying personally (ie.do what I say, not what I do). Unwillingness to invest in training or development Conducting a quality audit is dependent on retaining qualied and competent people to perform the work. This requires ongoing professional development and performance appraisals for all partners and professional staff (every period). Lack of investment in staff also leads to staff turnover. A failure to discipline partners or staff when the rms policies are contravened sends a very clear message to personnel that written policies are really not that important. This undermines compliance with all of the rms policies and increases the risk to the rm.
Lack of discipline
A healthy tone at the top can be set by the rms management and engagement partners through the activities outlined in the following exhibit.
PART A
30
Exhibit 2.3-2
Setting the tone Establish the rms objectives, priorities and values Description This could include: > An unwavering commitment to quality and high ethical standards > Investment in staff learning, training and skills development > Investment in the required technological, human and nancial resources > Policies to ensure sound engagement and scal management, and > Risk tolerances for use in decision-making. Communicate regularly Reinforce the rms values and commitments by communicating regularly (verbally and in writing) with staff. Communications would address the need for integrity, objectivity, independence, professional scepticism, staff development and accountability to the public. Communications could be made through the performance appraisal system, partner updates, emails, ofce meetings and internal newsletters. Each period, update the rms quality control policies and procedures to address weaknesses and any new requirements. Assign clear responsibilities and accountabilities for quality control functions (such as independence issues, consultation, le review, etc.). Develop staff through: > Clear job descriptions and documented annual performance appraisals that make quality of work a priority > Providing incentives/rewards for delivering quality work, and > Taking disciplinary action when the rms policies are contravened. Continually improve Take prompt action to correct deciencies when identied, such as through the rms engagement le monitoring, including the cyclical inspection of completed engagement les. Provide staff with a role model in the positive example set by partners in their day-to-day behaviour. For example, if a policy emphasises the need for quality work, a staff member should then not be criticised for legitimately going over the budgeted time.
Update the quality control manual Hold people accountable Develop staff competence and reward quality work
Set an example
2.4
Firm risk assessment
Risk management is an ongoing process that helps a rm anticipate negative events, develop a framework for effective decision-making and protably deploy the rms resources. Some form of risk management occurs in most rms and it is often informal and undocumented. Individual partners typically identify risks and respond to them based on their direct involvement with the rm and with their clients. Formalising and documenting the process for the rm as a whole is a proactive and effective approach to risk assessment. This does not have to be timeconsuming or cumbersome to implement. Notably, effectively managing the
Core concepts
31
rms risk assessment can result in less stress for partners and staff, savings in time and costs and improved chances of achieving the rms goals. A simple risk assessment process can be used in any rm size, even a sole proprietorship. It consists of the activities set out below.
PART A
Exhibit 2.4-1
Activity Establish the risk tolerances for the rm Description These tolerances could be quantitative amounts such as allowable write-offs of work in progress or qualitative factors, such as characteristics of clients that would not be acceptable to the rm. Once established, these tolerances provide partners and staff with a useful reference point for decision-making (eg. write-offs and client acceptance, etc.). Identify the events (that is, the risk factors or exposures) that could prevent the rm from achieving its stated goals. This step implies that the rm has already established clear objectives and a commitment to performing quality work. Using the risk tolerances established above, prioritise the events identied based on an assessment of likelihood and impact. Develop an appropriate response to the assessed risks to reduce the potential impact to within the rms acceptable tolerances. Potential events (risks) with the highest priority would be addressed rst. For all risks that require action or monitoring, assign someone with the responsibility to take the appropriate action and to manage the risk on a day-to-day basis. Require periodic (simple) reports from each person assigned to manage risks on behalf of the rm (this could address matters such as compliance with the rms quality control procedures, training requirements, staff appraisals and independence issues addressed).
Identify what can go wrong
Prioritise risks What is the response needed? Assign responsibility Monitor progress
A sample of a rms risk assessment worksheet could be as shown in the exhibit below.
32
Firm _______________________________________
Prepared by ____________________________
Date prepared ___________________________________

Inher ent r isk assessm ent
Combined Impact
Exhibit 2.4-2
Ev ent r isk fac t o r What would prevent the firm's goals being # achieved
Likelihood to occur
Lik ely c o nseq uenc e 4 Managing Partner Low 4 16 QC manual sets out criteria and managing partner must approve all new clients. None QC manual sets out rules. Staff sign annual declaration and Jack Billing addresses any issues raised. Jack Billing Low None
score
Firm's response to mitigate/manage risk
Who is reponsible?
A d d it io nal ac t io n r eq uir ed Resid ual r isk ( H, M, L) What? Who?
1 A high-risk client is accepted by firm
Unbillable time and/or litigation.
2 Independence issue may not be identified on new/existing client
Inappropriate to give an opinion, the result of which could be a loss of reputation in the community.
3 Audit engagements are not properly planned 4 5 20 Joe Gisp
Time wasted by staff. Missed risk factors (that is, fraud) and inadequate audit response. A planning meeting required on all audits. Cindy keeps a list of clients and records planning dates. Joe Gisp follows up with partners. Joe Gisp
Low
None
4 Staff unaware of new Clarity Standards coming into force 4 5 20
Poor quality work that does not comply with ASA Standards.
Joe Gisp enrolls staff in training courses appropriate to their needs.
Medium
Joe to develop process for tracking if staff actually attend courses.
Joe Gisp by 1/1/xx
Notes:
Assess likelihood to occur on a scale of 1-5 (Remote = 1 Unlikely = 2 Possible = 3 Likely = 4 Almost certain = 5)
Assess the impact on a scale of 1-5 (Immaterial = 1 Minor = 2 Moderate = 3 Major = 4 Material = 5)
Assess the residual risk as low, moderate or high. This is the remaining risk after the firm response has been applied
Core concepts
33
2.5
Information systems
Information systems should also be designed to address the risks identied and assessed as part of the rms risk assessment process. Aspects of quality control that merit documentation and ongoing review include keeping track of the matters set out below.
Exhibit 2.5-1
Keep track of Firms risk exposure and staffs commitment to quality Description > Client acceptance/continuance assessments > Reports from all persons responsible for some aspect of quality. This could include minutes of committee meetings (ie. quality control), issues addressed or simply that there is nothing to report > Firm-wide communications on the subject of quality > Most recent monitoring report and the specic action steps required for each deciency found or recommendation made (who, what, when, etc.). Also track dates when action steps are completed and send out reminders when necessary > Details of any client or third party complaints about the rms work or the behaviour of the rms personnel. Also track how these complaints were investigated, the results and communication with the complainant and any actions taken. Ethics and independence > List of prohibited investments > Details on what ethical (including independence) threats were identied and the relevant safeguards that have been applied to eliminate, or at least mitigate, such threats. > Offer of employment > Evidence of reference checks performed on new employees > Actions to mentor, guide and train new recruits > Copy and date of the annual staff conrmations on independence and staff knowledge of the rms quality control manual > Evidence of staff appraisals, including the date and any actions resulting, such as attending training etc. > Staff scheduling with comparisons of planned scheduling to actual > Dates of internal and external training sessions, the topics covered and the names of those who attended > Details of any disciplinary actions taken.
Personnel
PART A
Most rms have well-developed information systems for keeping track of clients, time and billing, expenditures, staff and engagement le management. However, information systems that track the quality of work produced and compliance with the rms quality control manual are often not as well developed.
34
Keep track of Engagement management
Description > Dates the team planning meeting was scheduled and when it actually took place for all audit engagements > What les require engagement quality control reviews, who is assigned and the planned date. Then match the plan to who actually performed the review, when it occurred and issues raised and their resolution > Reasons for any departures from any applicable ASA requirement and the alternative audit procedures performed to achieve the aim of that requirement > Details of consultations with others and resolution of audit/ accounting issues raised, or reasons alternative courses of action were taken > Reasons for engagement delays and how such delays were addressed and resolved. These could include changes in staff personnel, delays in obtaining information, unavailability of client staff, scope restrictions and any disagreements with client management > Dating of the auditors report and compliance with the 60-day recommendation for assembly of nal engagement les > How monitors comments on the le were addressed.
2.6
Control activities
Control activities are designed to ensure compliance with the rms established policies and procedures. One possible way to design, implement and monitor quality control is to follow the PDCA (plan-do-check-act) process. Each of the elements is described in the exhibit following.
Exhibit 2.6-1
Step Plan Do Check Act Description Establish the objectives and quality control processes necessary to deliver the required outputs. Implement the new processes, often on a small scale if possible. Measure the new processes and compare the results against the expected results to ascertain any differences. Analyse the differences to determine their cause. Each will be part of either one or more of the P-D-C-A steps. Determine where to apply changes that include improvement.
For example, a rm objective may be not to release the audit report until all queries and outstanding items have been cleared. The required policy is that the nal engagement report may not be released, led or otherwise distributed until certain specied approvals have been obtained. Implementation of the
Core concepts
35
policy could be controlled through a nal release process wherein a person veries that all approvals have, in fact, been obtained and documented. The effectiveness of the policy could be checked by periodic inspections of the approval sign-offs. If deviations are identied, the reasons would be investigated and appropriate action, such as discipline, training or changes in the policy would be considered. Control activities to address all policies and procedures would not be possible or cost-effective. Firms should use professional judgement and their assessment of risk to determine what controls need to be implemented. Control activities could be considered for: > All the policies and procedures documented in the rms quality control manual > Ofce workow policies > Operational policies and procedures, and > Other personnel-related policies and procedures. The scope for control-activity design would address all the quality control, ethical and independence requirements and the rms compliance with ASAs relevant to the audit.
PART A
Exhibit 2.6-2
Scope of possible control activities: Firms values and goals Firm level
Leadership and assigning of QC responsibilities Risk assessment Staff development, management and discipline Information systems (independence, scheduling, clients, staff, etc.) Documenting the QC system QC monitoring and continual improvement
Leadership
Professional judgement
Professional scepticism
Supervision and file reviews
Engagement level
Client acceptance
Complying with ASAs relevant to the audit

Consultation and use of experts
Assign staff responsibilities
Documentation
Release of audit report
36
2.7
Monitoring
An important element of a control system is the monitoring of its tness and operational effectiveness. This can be achieved through an independent review of the operating effectiveness of the rm-level and engagement-level policies/procedures and inspection of completed engagement les. An effective monitoring process helps to develop a culture of continual improvement wherein partners and staff are committed to quality work and rewarded for improving performance. A rms monitoring process could be divided into two parts as follows: > Ongoing monitoring (other than the cyclical le inspections) An ongoing (suggest annual) consideration and evaluation of the rms system of quality control helps to ensure that the policies and procedures in place are relevant, adequate and operating effectively. When performed and documented on an annual basis, this monitoring will support the requirement to communicate with staff each year about the rms plans to improve engagement quality. This scope of ongoing monitoring addresses each of the quality control elements and includes an assessment of whether: The rms quality control manual has been updated for new requirements and developments Those assigned quality control responsibilities in the rm (if any) have actually fullled their roles Written conrmations (by partners and staff) have been obtained to ensure each individuals compliance with the rms policies and procedures on independence and ethics There is ongoing professional development for partners and staff Decisions related to acceptance and continuance of client relationships and specic engagements are in compliance with the rms policies and procedures The code of ethics has been followed Suitably qualied people were assigned as the engagement quality control reviewers and completion of such reviews occurred before the audit report was dated Communication has been made to the appropriate personnel about deciencies that have been identied, and Appropriate follow-up has been made to ensure identied deciencies in quality have been addressed on a timely basis.
Core concepts
37
> Cyclical completed le inspections The ongoing consideration and evaluation of the rms system of quality control includes a cyclical inspection of at least one completed engagement le for each partner. This is required to ensure compliance with professional/ legal requirements and that assurance reports being issued are appropriate in the circumstances. Cyclical inspections help identify deciencies and training needs and enable the rm to make necessary changes on a timely basis. Upon completion of the review, the monitor would prepare a report that, after discussion with the partners, would be communicated to all managers and professional staff along with the action steps to be taken.
Who can be appointed as monitor?

> Monitoring of rm-level policies The review of compliance with the rms policies would be performed by a suitably qualied person who ideally is not also responsible for managing or developing quality control within the rm. However, ASQC 1 recognises that this may not always be possible in smaller rms, so self-monitoring is acceptable. Alternatively, an individual external to the rm, with the competence and capabilities to act as an engagement partner, could be appointed. This would enhance the independence and objectivity of the rm. > Completed le inspections The person appointed to inspect completed engagement les must be suitably qualied and must not have been involved in performing the engagement or the engagement quality control review on the le.
2.8
200.18
Compliance with relevant ASAs

Relevant extracts from ASAs The auditor shall comply with all Australian Auditing Standards relevant to the audit. An Auditing Standard is relevant to the audit when the Auditing Standard is in effect and the circumstances addressed by the Auditing Standard exist. (Ref: Para. A53-A57) Subject to paragraph Aus 23.1 of this Auditing Standard, the auditor shall comply with each requirement of an Auditing Standard unless, in the circumstances of the audit: (a) The entire Auditing Standard is not relevant; (b) The requirement is not relevant because it is conditional and the condition does not exist; or (Ref: Para. A72-A73) Aus 22.1 Application of the requirement(s) would relate to classes of transactions, account balances or disclosures that the auditor has determined are immaterial.
Paragraph #
200.22
PART A
38
Paragraph # 200 Aus 23.1
Relevant extracts from ASAs Where in rare and exceptional circumstances, factors outside the auditors control prevent the auditor from complying with an essential procedure contained within a relevant requirement, the auditor shall: (a) If possible, perform appropriate alternative audit procedures; and (b) In accordance with ASA 230, document in the working papers: (i) The circumstances surrounding the inability to comply; (ii) The reasons for the inability to comply; and (iii) Justication of how alternative audit procedures achieve the objectives of the requirement. When the auditor is unable to perform the appropriate alternative audit procedures, the auditor shall consider the requirement in paragraph 24 of this Auditing Standard. (Ref: Para. A74-Aus A74.1)
230 Aus 12.1
Where, in rare and exceptional circumstances, factors outside the auditors control prevent the auditor from complying with an essential procedure contained within a relevant requirement, the auditor shall document: (Ref: Para. A18-A19) (a) The circumstances surrounding the inability to comply; (b) The reasons for the inability to comply; and (c) Justication of how alternative audit procedures achieve the objectives of the requirement.
The ASAs set out the responsibilities and requirements of auditors in conducting an audit. As stated in ASA 200.18, .22 and Aus 23.1, each relevant requirement (set out in the requirements section of the ASAs) is to be followed by the auditor, except in exceptional circumstances, where alternative audit procedures would be performed to achieve the aim of that particular requirement. Note the following:
Exhibit 2.8-1
ASAs Status Description The ASAs, taken together, provide the standards for the auditors work in fullling the overall objectives of the auditor. The ASAs deal with the general responsibilities of the auditor, as well as the auditors further considerations relevant to the application of those responsibilities to specic topics.
Core concepts
39
ASAs Relevance
Description Some ASAs (and therefore all of their requirements) may not be relevant in the circumstances (eg. internal audit or group accounts). Some ASAs contain conditional requirements. These requirements are relevant when the circumstances envisioned apply and the condition exists. Some classes of transactions, account balances or disclosures may be considered immaterial by the auditor. These requirements would not be relevant. Departures from relevant ASA requirements need to be documented along with the alternative audit procedures performed and the reasons for the departure.
Local laws
Auditors may be required (in addition to the ASAs) to comply with certain legal or regulatory requirements or other auditing standards of a specic jurisdiction. The scope, effective date and any specic limitation of the applicability of a specic ASA is made clear in the ASA.
Other
PART A
40
3.
Internal control purpose and components

Relevant ASA
Chapter content To outline the purpose, scope and nature of internal control over nancial reporting including the ve components to be evaluated by the auditor.
315
Exhibit 3.0-1
Entity objective = Prepare the financial report that is not materially misstated
Identify business/fraud risks that would prevent objective being achieved Mangements response: internal controls that mitigate the risks identified Managements residual risk
Low

Relevant extracts from ASAs
High
Paragraph # 315.4(c)
Internal control means the process designed, implemented and maintained by those charged with governance, management and other personnel to provide reasonable assurance about the achievement of an entitys objectives with regard to reliability of nancial reporting, effectiveness and efciency of operations, and compliance with applicable laws and regulations. The term controls refers to any aspects of one or more of the components of internal control. The auditor shall obtain an understanding of internal control relevant to the audit. Although most controls relevant to the audit are likely to relate to nancial reporting, not all controls that relate to nancial reporting are relevant to the audit. It is a matter of the auditors professional judgement whether a control, individually or in combination with others, is relevant to the audit. (Ref: Para. A42-A65) When obtaining an understanding of controls that are relevant to the audit, the auditor shall evaluate the design of those controls and determine whether they have been implemented, by performing procedures in addition to enquiry of the entitys personnel. (Ref: Para. A66-A68)
315.12
315.13
3.1
Overview
Internal control is designed, implemented and maintained by those charged with governance, management and other personnel to address identied business and fraud risks that threaten the achievement of stated objectives such as the reliability of nancial reporting. Note: A control is always designed to respond (mitigate) to a possible risk. A control that does not address a risk is obviously redundant.
Core concepts
41
The rst step in evaluating control design is to identify the risks that require mitigation by control. The second step is then to identify what controls are in place to address those risks.
3.2
Internal control objectives

PART A
Internal control is managements response intended to mitigate an identied risk factor or achieve a control objective. There is a direct relationship between an entitys objectives and the internal control it implements to ensure their achievement. Once objectives are set, it is possible to identify and assess potential events (risks) that would prevent the achievement of the objectives. Based on this information, management can develop appropriate responses, which will include the design of internal control. Internal control objectives can be broadly grouped into four categories: > Strategic, high-level goals that support the mission of the entity > Financial reporting (internal control over nancial reporting) > Operations (operational controls), and > Compliance with laws and regulations. Internal control relevant to an audit primarily pertains to nancial reporting. This addresses the entitys objective of preparing the nancial report for external purposes. Operational controls, such as production and staff scheduling, quality control and employee compliance with health and safety requirements would not normally be relevant to the audit, except where: > The information produced is used to develop an analytical procedure, or > The information is required for disclosure in the nancial report. For example, if production statistics were used as a basis for an analytical procedure, the controls to ensure the accuracy of such data would be relevant. If non-compliance with certain laws and regulations has a direct and material effect on the nancial report, the controls for detecting and reporting on such non-compliance would be relevant.
Internal control components

The term internal control as used in ASA 315 is broader than just control activities such as segregation of duties, authorisations and account reconciliations etc. Internal control encompasses ve key components: > The control environment
42
> The entitys risk assessment process > The information system, including the related business processes, relevant to nancial reporting and communication > Control activities relevant to the audit, and > Monitoring of internal control. The way in which these components relate to an entitys nancial reporting objectives are illustrated below.
The ve components of internal control Exhibit 3.2-1
trol Con ent ronm envi
Risk asses smen
Mo
nito
ring
Control activities
The division of internal control into these ve components provides a useful framework for auditors in understanding the different aspects of an entitys internal control system. However, it should be noted that: > The way in which the internal control system is designed and implemented will vary based on the entitys size and complexity. Smaller entities often use less formal means and simpler processes and procedures to achieve their objectives. The ve components of internal control may not be so clearly distinguished; however, their underlying purposes are equally valid. For example, an owner-manager may (and, in the absence of additional staff, should) perform functions belonging to several of the components of internal control
Inf or sy mat ste ion m
Financial reporting objectives
Core concepts
43
> Different terminology or frameworks from those used in ASA 315 can be used to describe the various aspects of internal control and their effect on the audit, but all ve components are to be addressed in the audit > The auditors primary consideration is whether, and how, a specic control prevents, or detects and corrects, material misstatements in classes of transactions, account balances or disclosures, and their related assertions A summary of the ve internal control components follows.
3.3
315.14
The control environment

Relevant extracts from ASAs The auditor shall obtain an understanding of the control environment. As part of obtaining this understanding, the auditor shall evaluate whether: (a) Management, with the oversight of those charged with governance, has created and maintained a culture of honesty and ethical behaviour; and (b) The strengths in the control environment elements collectively provide an appropriate foundation for the other components of internal control, and whether those other components are not undermined by control environment weaknesses. (Ref: Para. A69-A78)
Paragraph #
The control environment is the foundation for effective internal control, providing discipline and structure for the entity. It sets the tone of an organisation, inuencing the control consciousness or awareness of its people. The control environment addresses the governance and management functions. It also addresses the attitudes, awareness and actions of those charged with governance and management concerning the entitys internal control and its importance within the entity. Note: Control environment controls are generally pervasive in nature. They will not directly prevent, or detect and correct, a material misstatement. Instead, they form an important foundation upon which all other controls will be built.
PART A
44
Exhibit 3.3-1
em e
Mana g
Govern
an
f authority/re spo ent o ns nm ig ibi ss isational structur lity an A e rg O sophy and o lo pe p hi ra ts n tructure and s p ce
Communication of entity values and commitment to competence
Human resources policies and procedures
Control environment controls will inuence the auditors evaluation of the effectiveness of other specic control activities that may address specic areas such as sales and purchase transactions. For example, if management has a negative attitude toward control in general, this will undermine the effectiveness of other controls (such as sales etc.) no matter how well they were designed. The auditors evaluation of the design of the entitys control environment would include the elements set out below.
tyle gs tin es ctic ra
Exhibit 3.3-2
Key elements to address Communication and enforcement of integrity and other ethical values Commitment to competence Description Integrity and ethical values are essential (foundational) elements, which inuence the effectiveness of the design, administration and monitoring of other controls. Managements consideration of the competence levels for particular jobs and how those levels translate into requisite skills and knowledge.
Core concepts
45
Key elements to address Participation by those charged with governance
Description Attributes of those charged with governance such as: > Their independence from management > Their experience and stature
> The appropriateness of their actions, including the degree to which difcult questions are raised and pursued with management, and their interaction with internal and external auditors. Managements philosophy and operating style Organisational structure Assignment of authority and responsibility Human resources policies and practices Managements approach to taking and managing business risks and managements attitudes and actions toward nancial reporting, information processing, accounting functions and personnel. The framework within which an entitys activities for achieving its objectives are planned, executed, controlled and reviewed. How authority and responsibility for operating activities are assigned and how reporting relationships and authorisation hierarchies are established. Recruitment, orientation, training, evaluating, counselling, promoting, compensating and remedial actions.
The controls outlined above are pervasive to the entire entity and are often more subjective to evaluate than the traditional control activities (such as segregation of duties). Therefore, the auditor will exercise professional judgement in this evaluation. Control environment strengths can compensate or even replace weak transactional controls in some situations. However, control environment weaknesses can undermine and even negate good design in other components of internal control. For example, if a culture of honesty and ethical behaviour did not exist, the auditor would have to consider carefully what types of (additional) audit procedures would be effective in nding material misstatements in the nancial report. In some cases, the auditor may conclude that internal control has broken down to such an extent that the only option is to withdraw from the engagement.
The control environment in smaller entities

The control environment within small entities will differ from larger entities but is just as important. This is particularly true when the entity does not have the staff or resources to implement traditional control activities such as segregation of duties.
PART A
> The extent of their involvement and the information they receive, and the scrutiny of activities, and
46
In smaller entities the active involvement of a competent owner-manager (a control environment strength) may well reduce the need for other control activities such as segregation of duties. Consequently, control environment strengths can serve to indirectly prevent or detect and correct certain types of misstatement. For example, when the owner-manager reviews and approves individual transactions before they are completed, it may serve to prevent or detect and correct certain specic errors or fraud. However, this control environment strength would not mitigate other risks such as management override of controls. In smaller entities, there will typically be less documentation available to support control environment controls. Consequently, the attitudes, awareness and actions of management (such as owner-managers) will often form the basis for evaluating control design and implementation. For example, larger entities are likely to provide staff with a code of conduct that outlines acceptable behaviours and consequences for violating codes or rules. Smaller entities may communicate similar values and acceptable behaviours through oral communications and by management example. Where there is no supporting documentation for a particular control, the auditor would prepare a memorandum for the le. For example, in addressing whether there is communication and enforcement of integrity and ethical values the auditor could: > Identify the entitys values, acceptable behaviours and enforcement actions through discussions with management. The auditor would then assess whether they are sufcient to address the control design > Ask one or two employees what they believe are the entitys values, acceptable behaviours and enforcement actions. These interviews would address whether managements values and acceptable behaviours have been communicated and enforced. This would address control implementation. Consider point
Small entities are often reluctant to document internal controls which operate informally. However, there can often be benets to management in taking the time to document some of the more important policies and procedures. Such policies and procedures could be provided to staff joining the entity and audit time may be saved versus having to make enquiries each period. In the example cited above even the smallest entity could prepare a simple statement of values and acceptable behaviours that could be provided to employees and then referred to when an issue arises.
In smaller entities, some of the key areas to address in assessing the control environment are outlined in the following exhibit.
Core concepts
47
Exhibit 3.3-3
Control element Communication and enforcement of integrity and ethical values The key question What management actions serve to eliminate or mitigate incentives or temptations that might prompt personnel to engage in dishonest, illegal, or unethical acts? Possible controls > Management continually demonstrates, through words and actions, a commitment to high ethical standards
> A code of conduct or equivalent exists that sets out expected standards of ethical and moral behaviour > Employees clearly understand what behaviour is acceptable and unacceptable and know what to do when they encounter improper behaviour > Enforcement actions are taken when required.
Commitment to competence
Do personnel have the knowledge and skills necessary to accomplish their tasks?
> Management takes the necessary steps to ensure that personnel have the requisite knowledge and skills required for their jobs > Job descriptions exist and are effectively used > Management provides personnel with access to training programs on relevant topics > Initial and ongoing matching of staff skills to their job descriptions.
Participation by those charged with governance (TCWG) other than where management are TCWG
How effective is the governance (if any) being provided over entity operations?
> A majority of TCWG are independent of management > TCWG have the appropriate experience, stature and nancial expertise > Signicant issues and nancial results are communicated to TCWG in a timely manner > TCWG provide effective oversight over managements activities. This includes raising difcult questions and pursuing answers > TCWG meet on a regular basis and minutes of meetings are circulated on a timely basis.
PART A
> Management removes or reduces incentives or temptations that might cause personnel to engage in dishonest or unethical acts
48
Control element Managements philosophy and operating style
The key question What are managements attitudes and actions toward nancial reporting?
Possible controls > Management demonstrates positive attitudes and actions toward: Sound internal control over nancial reporting (including management override and other fraud) Appropriate selection/application of accounting policies Information processing controls, and The treatment of accounting personnel > Management has established procedures to prevent unauthorised access to or destruction of assets, documents and records > Management analyses business risks and takes appropriate action.
Organisational structure
Has a relevant organisational structure been established?
> The organisational structure is appropriate to facilitate achievement of entity objectives, operating functions and regulatory requirements > Management clearly understands its responsibility and authority for business activities and possesses the requisite experience and levels of knowledge to properly execute its positions > The entity structure facilitates the ow of reliable and timely information to the appropriate people for planning and controlling activities > Incompatible duties are segregated to the extent possible.
Assignment of authority and responsibility
Have key areas of authority and responsibility been appropriately assigned?
> There are policies and procedures for authorisation and approval of transactions > Appropriate lines of reporting and accountability exist (appropriate to the entitys size and nature of activities) > Job descriptions include control-related responsibilities.
Core concepts
49
Control element Human resources policies and practices
The key question What standards are in place to ensure: > Recruitment of the most competent and trustworthy people? > Training is provided to ensure people can perform their job? > Promotions are driven by performance appraisals?
Possible controls > Management establishes/enforces standards for hiring the most qualied individuals > Recruiting practices include employment interviews, background checks, communication of values, expected behaviours and managements operating style > Job performance is periodically evaluated, the results reviewed with each employee and appropriate action taken > Training policies address prospective roles and responsibilities, expected levels of performance and evolving needs.
3.4
315.15
Risk assessment
Relevant extracts from ASAs The auditor shall obtain an understanding of whether the entity has a process for: (a) Identifying business risks relevant to nancial reporting objectives; (b) Estimating the signicance of the risks; (c) Assessing the likelihood of their occurrence; and (d) Deciding about actions to address those risks. (Ref: Para. A79)
Paragraph #
315.16
If the entity has established such a process (referred to hereafter as the entitys risk assessment process), the auditor shall obtain an understanding of it, and the results thereof. If the auditor identies risks of material misstatement that management failed to identify, the auditor shall evaluate whether there was an underlying risk of a kind that the auditor expects would have been identied by the entitys risk assessment process. If there is such a risk, the auditor shall obtain an understanding of why that process failed to identify it, and evaluate whether the process is appropriate to its circumstances or determine if there is a signicant deciency in internal control with regard to the entitys risk assessment process. If the entity has not established such a process or has an ad hoc undocumented process, the auditor shall discuss with management whether business risks relevant to nancial reporting objectives have been identied and how they have been addressed. The auditor shall evaluate whether the absence of a documented risk assessment process is appropriate in the circumstances, or determine whether it represents a signicant deciency in internal control. (Ref: Para. A80)
315.17
PART A
50
R assesisk smen
A risk assessment process provides management with the information needed to determine what business/fraud risks should be managed and the actions (if any) to be taken. Management may initiate plans, programs or actions to address specic risks or it may decide to accept a risk because of cost or other considerations. If the entitys risk assessment process is appropriate to the circumstances, it will assist the auditor in identifying risks of material misstatement. A risk assessment process would normally address such matters as: > Changes in operating environment > New senior personnel > New or revamped information systems > Rapid growth > New technology > New business models, products or activities > Corporate restructurings (including divestitures and acquisitions) > Expanded foreign operations, and > New accounting pronouncements. In smaller entities where a formal risk assessment process is unlikely to exist, the auditor would discuss with management how business risks are identied and how they are addressed. Matters the auditor should consider are how management: > Identify risks relevant to nancial reporting > Estimates the signicance of the risks > Assess the likelihood of their occurrence, and > Decide upon actions to manage them. If the auditor identies risks of material misstatement that management failed to identify, they should consider:
Core concepts
51
> Why managements processes failed > Whether the processes are appropriate to the circumstances. If a signicant deciency exists in the entitys risk assessment process (or there is no process at all), it would be communicated to management and those charged with governance.
Conditions and events that may indicate risks of material misstatement

Appendix 2 of ASA 315 contains a useful list of possible conditions and events that may indicate the existence of risks of material misstatement.
3.5
Information system
(including the related business processes relevant to nancial reporting and communication)
Paragraph # 315.18 Relevant extracts from ASAs The auditor shall obtain an understanding of the information system, including the related business processes, relevant to nancial reporting, including the following areas: (a) The classes of transactions in the entitys operations that are signicant to the nancial report; (b) The procedures, within both information technology (IT) and manual systems, by which those transactions are initiated, recorded, processed, corrected as necessary, transferred to the general ledger and reported in the nancial report; (c) The related accounting records, supporting information and specic accounts in the nancial report that are used to initiate, record, process and report transactions; this includes the correction of incorrect information and how information is transferred to the general ledger. The records may be in either manual or electronic form; (d) How the information system captures events and conditions, other than transactions, that are signicant to the nancial report; (e) The nancial reporting process used to prepare the entitys nancial report, including signicant accounting estimates and disclosures; and (f) Controls surrounding journal entries, including non-standard journal entries used to record non-recurring, unusual transactions or adjustments. (Ref: Para. A81-A85) 315.19 The auditor shall obtain an understanding of how the entity communicates nancial reporting roles and responsibilities and signicant matters relating to nancial reporting, including (Ref: Para. A86-A87): (a) Communications between management and those charged with governance; and (b) External communications, such as those with regulatory authorities.
PART A
52
Management (and those charged with governance) require reliable information to: > Manage the entity (such as planning, budgeting, monitoring performance, allocating resources, pricing and preparing the nancial report for reporting purposes) > Achieve objectives, and > Identify, assess and respond to risk factors. This requires pertinent information to be identied, captured and communicated/distributed on a timely basis to personnel (at all levels of the entity) who need it for decision-making. An information system consists of infrastructure (physical and hardware components), software, people, procedures and data. Many information systems make extensive use of information technology (IT). They identify, capture, process and distribute information supporting the achievement of nancial reporting and internal control objectives. An information system relevant to nancial reporting objectives includes the entitys business processes and accounting system, as set out following.
Exhibit 3.5-1
Business processes (sales, purchases, payroll, etc.) Accounting system Business processes are structured sets of activities designed to produce a specied output. They result in transactions being recorded, processed and reported by the information system. This includes accounting software, electronic spreadsheets and the policies and procedures used to prepare periodic nancial reports and the period-end nancial report and disclosures.
An information system has procedures, policies and records (manual and automated) designed to address the matters set out below.
Inf o sy rma ste tio m n
Core concepts
53
Exhibit 3.5-2
Inputs
Business processes
Transactions, events and conditions

> Initiate, record, process and report transactions (including events/ conditions) and maintain accountability (safeguard, classify, measure, etc.) for related assets, liabilities and equity > Resolve incorrect processing of transactions > Process and account for system overrides or bypasses to controls
> Transfer information from transaction-processing systems to general ledger > Capture information for relevant events/conditions other than transactions (amortisation of assets, valuation of inventory, receivables, etc.) > Accumulate, record, process, summarise and appropriately report other information required to be disclosed in the financial report > Use of standard and other journal entries to record transactions, estimates and adjustments
s Outputs
Accounting systems
Financial reports (including disclosures)
In larger companies, information systems can be complex, automated and highly integrated. Smaller companies will often rely on manual or stand-alone information technology applications. Consider point
Many mainstream accounting software packages (even smaller ones) come with a variety of built-in application controls that could be used to improve control over nancial reporting. These controls include automated reconciliations, reporting of exceptions for management review and ensuring general consistency over nancial reporting.
In obtaining an understanding of the information system (including business processes), the auditor would address (in addition to Exhibit 3.5-2 above) the matters outlined in the following exhibit.
PART A
54
Exhibit 3.5-3
Identify Sources of information used Address What classes of transactions are signicant to the nancial report? How do transactions originate within the entitys business processes? What accounting records (electronic or manual) exist? How does the system capture events and conditions (other than classes of transactions) that are signicant to the nancial report? How information is captured and processed What are the nancial reporting processes used to: > Initiating, recording, processing and reporting transactions and non-standard transactions (such as related party transactions, etc.)? > Preparing the nancial report, including signicant accounting estimates and disclosures? What procedures address: > Risks of material misstatement associated with inappropriate override of controls, including use of standard and non-standard journal entries? > Override or suspension of automated controls? > Identication of exceptions and reporting the actions that have been taken to remedy these? How the information produced is used How does the entity communicate nancial reporting roles, responsibilities and signicant matters relating to nancial reporting? What reports are regularly produced by the information system and how are they used to manage the entity? What information is provided by management to those charged with governance (if different from management) and to external parties such as regulatory authorities?
Communication
Communication is a key component of successful information systems. Consequently, if information is to be used in decision-making and to facilitate the functioning of internal control, it needs to be communicated on a timely basis (both internally and externally) to the appropriate people. Effective internal communication helps the entitys personnel clearly understand internal control objectives, the business processes in use, and their individual roles and responsibilities. It also helps them understand the extent to which their activities relate to the work of others and the means of reporting exceptions to an appropriate higher level within the entity. The means of communication may be informal (verbal) or formal, (ie. documented in policy and nancial reporting manuals).
Core concepts
55
Internal communication between top management and employees is often easier and less formal in smaller companies, due to fewer levels and smaller numbers of personnel and the greater availability and presence of senior management. Effective external communication ensures that matters affecting the achievement of nancial reporting objectives are communicated with relevant outside parties such as key stakeholders, nancial institutions, regulators and government agencies.
Lack of IT systems documentation

Smaller entities may have less sophisticated and less thoroughly documented information and communication systems. If management does not have extensive descriptions of accounting procedures, sophisticated accounting records, or written policies, the understanding required by the auditor will be obtained more by enquiry and observation than by review of documentation.
3.6
315.20
Control activities
Relevant extracts from ASAs The auditor shall obtain an understanding of control activities relevant to the audit, being those the auditor judges it necessary to understand in order to assess the risks of material misstatement at the assertion level and design further audit procedures responsive to assessed risks. An audit does not require an understanding of all the control activities related to each signicant class of transactions, account balance, and disclosure in the nancial report or to every assertion relevant to them. (Ref: Para. A88-A94) In understanding the entitys control activities, the auditor shall obtain an understanding of how the entity has responded to risks arising from IT. (Ref: Para. A95-A97)
Paragraph #
315.21
Control activities
Control activities are the policies and procedures that help ensure that managements directives are carried out. Examples include controls to ensure that goods are not shipped to a bad credit risk or that only authorised purchases are made. These controls address risks that, if not mitigated, would threaten the achievement of the entitys objectives. Control activities (whether within information or manual systems) are designed to mitigate the risks involved in everyday activities such as transaction
PART A
56
processing (business processes such as sales, purchases and payroll) and safeguarding of assets. Business processes are structured sets of activities designed to produce a specied output. Business process controls can generally be classied as preventive, detective and corrective, compensating or steering, as outlined in the exhibit below.
Exhibit 3.6-1
Controls classication Preventive controls Detective controls Compensating controls Steering controls (eg. policies) Description Avoid errors or irregularities. Identify errors or irregularities after they have occurred so corrective action can be taken. Provide some assurance where resource limitations may preclude other more direct controls. Guide actions towards the desired objectives.
The nature of business process controls will vary based on the risks involved and the specic application. Typical controls at the business process level would include the matters set out below.
Exhibit 3.6-2
Controls Segregation of duties Description These controls can reduce the opportunities for a person to be in a position to both perpetrate and conceal errors or fraud. These controls dene who has the authority to approve various routine and non-routine transactions and events. Examples The employee responsible for the accounts receivable processing has no access to cash receipts. Assigning responsibility to authorise: > Hiring of new employees > Making investments > Ordering goods and services, and > Extending credit to a customer. Account reconciliations This includes preparing and reviewing account reconciliations on a timely basis and taking any necessary corrective actions. Reconciliations of bank accounts, sales transactions, intercompany balances, suspense accounts etc.
Authorisation controls
Core concepts
57
Controls IT application controls
Description These controls are programmed into IT applications such as sales or purchases. They include fully automated and partially automated controls. These controls involve the regular review and analyses of actual results versus budgets, forecasts and prior-period performance. It also involves relating different sets of data (operating or nancial) to one another and comparing internal data with external sources of information. Unexpected variations would be investigated and corrective actions taken. These controls relate to the physical security of assets and permitted access to entity premises, accounting records, computer programs and data les.
Examples Checking the arithmetical accuracy of records, pricing of invoices, edit checks of input data, numerical sequence checks and production of exception reports for manager review.
Actual results reviews
Physical controls
Such controls consist of asset security (door locks and restricted access to inventory/records) and comparing the results of periodic cash, security and inventory counts with accounting records.
Smaller entities
Control activities are designed to directly prevent a material misstatement from occurring or detecting and then correcting a misstatement after it has occurred. In smaller entities, the concepts underlying control activities are likely to be similar to larger entities but their relevance to the auditor may vary considerably. Consider the following:
Exhibit 3.6-3
Control activities in small entities Informal and limited documentation Comments Many controls may operate informally and may not be well documented. For example, granting credit to a customer may be more reliant on the judgement and knowledge of the manager than on a preestablished credit limit. Control activities (to the extent they exist) are likely to relate to the main transaction cycles such as revenues, purchases and employment expenses.
Limited scope
PART A
Analysis of operating results, comparing actual results to budget and investigating variances.
58
Control activities in small entities Risks may be mitigated by the control environment (see Part A, Chapter 3.3)
Comments Certain types of control activities may not be relevant because of controls applied by senior management. For example, managements approval of signicant transactions can provide strong control over important account balances and transactions, lessening or removing the need for more detailed control activities. Some transactional misstatements (usually addressed by control activities in larger entities) could be mitigated by: > A corporate culture that emphasises the importance of control > Employing highly competent staff > Monitoring revenues and expenditures against an established budget > Requiring senior managements approval of all major transactions > Monitoring of key performance indicators, and > Assigning responsibilities among staff so as to maximise the segregation of duties.
Control activities, relevant to the audit, would potentially mitigate risks such as: > Signicant risks Identied and assessed risks of material misstatement that, in the auditors judgement, require special audit consideration. (Refer to Part B, Chapter 25.) > Risks that cannot easily be addressed by substantive procedures These are identied and assessed risks of material misstatement for which substantive procedures alone would not provide sufcient appropriate audit evidence. > Other risks of material misstatement. The auditors judgement about whether a control activity is relevant to the audit is inuenced by: > Knowledge about the presence/absence of control activities identied in other components of internal control. If a particular risk has already been adequately addressed (such as by the control environment, information system, etc.), there is no need to identify any additional controls that may exist > The existence of multiple control activities that achieve the same objective. It is unnecessary to obtain an understanding of each of the control activities related to such an objective > Increased audit efciency that will be gained from testing the operating effectiveness of certain key controls. This could occur when: Obtaining audit evidence through a test of the operating effectiveness of controls may be more cost efcient than performing substantive
Core concepts
59
Substantive procedures alone would not provide sufcient appropriate audit evidence at the assertion level. For example, the completeness assertion for sales revenue can be difcult (and sometimes impossible) to address by substantive procedures alone. In these situations, it would be worthwhile to identify any internal controls that address the risk and assertion involved. If the internal controls are expected to work effectively, the necessary audit evidence could be obtained through a test of the operating effectiveness of those controls.
3.7
Understanding IT risks and controls
Most entities today use information technology (IT) to manage, control and report on at least some of their activities. IT operations are often managed by a central support team that ensures the day-to-day users (staff) have appropriate access to the hardware, software and applications required to perform their responsibilities. In smaller entities, IT management may be the responsibility of just one or even a part-time or outsourced person. Regardless of the entitys size, there are a number of risk factors relating to IT management and applications that, if not mitigated, could result in a material misstatement in the nancial report. There are two types of IT controls that need to work together to ensure complete and accurate information processing: > General IT controls These controls operate across all applications and usually consist of a mixture of automated controls (embedded in computer programs) and manual controls (such as the IT budget and contracts with service providers), and > IT application controls These controls are automated controls that relate specically to applications (such as sales processing or payroll). There is also a third kind of control which has a manual and an IT element. These controls can be called IT-dependent controls. The control is performed manually but its effectiveness relies on information produced by an IT application. For example, the nancial manager may review the monthly/
PART A
procedures. Tests of controls typically result in smaller sample sizes than substantive tests. If the controls are automated, a sample size of just one item (assuming good general IT controls) may be all that is required. In addition, if the control system and personnel involved have not changed from previous years, it may be possible (under certain conditions) to limit the test of operating effectiveness of controls to once every three years (See Part B, Chapter 32.)
60
quarterly nancial report (generated by the accounting system) and investigate variances. The following exhibit outlines the scope of general IT controls.
Exhibit 3.7-1
General IT controls Standards, planning, policies, etc. (the IT control environment) > The IT governance structure > How IT risks are identied, mitigated and managed > The required information system, strategic plan (if any) and budget > IT policies, procedures and standards > The organisational structure and segregation of duties > Contingency planning. Security over data, the IT infrastructure and daily operations > Acquisitions, installations, congurations, integration and maintenance of the IT infrastructure > Delivery of information services to users > Management of third-party providers > Use of system software, security software, database management systems and utility programs > Incident tracking, system logging and monitoring functions. Access to programs and application data > Issuance/removal and security of user passwords and IDs > Internet rewalls and remote access controls > Data encryption and cryptographic keys > User accounts and access privilege controls > User proles that permit or restrict access. Program development and program changes > Acquisition and implementation of new applications > System development and quality assurance methodology > The maintenance of existing applications, including controls over program changes. Monitoring of IT operations > Policies, procedures, inspections and exception reports, ensuring: That information users are receiving accurate data for decisionmaking Ongoing compliance with general IT controls, and That IT is serving the entitys needs and aligned with the business requirements.
IT application controls
IT application controls relate to a particular software application used at the business process level. Application controls can be preventive or detective in nature and are designed to ensure the integrity of the accounting records.
Core concepts
61
Typical application controls relate to procedures used to initiate, record, process and report transactions or other nancial data. These controls help ensure that transactions occurred, are authorised and are completely and accurately recorded and processed. Examples include edit checks of input data with correction at the point of data entry and numerical sequence checks with manual follow-up of exception reports.
3.8
315.22
Monitoring
Relevant extracts from ASAs The auditor shall obtain an understanding of the major activities that the entity uses to monitor internal control over nancial reporting, including those related to those control activities relevant to the audit, and how the entity initiates remedial actions to deciencies in its controls. (Ref: Para. A98-A100) The auditor shall obtain an understanding of the sources of the information used in the entitys monitoring activities, and the basis upon which management considers the information to be sufciently reliable for the purpose. (Ref: Para. A104)
Paragraph #
315.24
Mo
nito
ring
Monitoring assesses the effectiveness of the internal controls performance over time. The objective is to ensure that the controls are working properly and, if not, to take necessary corrective actions. Monitoring provides feedback to management on whether the internal control system they have designed to mitigate risks is: > Effective in addressing the stated control objectives > Properly implemented and understood by employees > Being used and complied with on a day-to-day basis, and > In need of modication or improvement to reect changes in conditions. Management accomplishes the monitoring of controls through ongoing activities, separate evaluations or a combination of these two. Ongoing monitoring activities in smaller entities are informal and are usually built into the normal recurring activities of an entity. This includes regular management and supervisory activities and the review of exception reports that may be produced by the information system. Where management is
PART A
62
closely involved in operations, they will often identify signicant variances from expectations and inaccuracies in nancial data and take corrective action to modify or improve the control. Periodic monitoring (separate evaluations of specic areas within the entity, such as those performed by an internal audit function in a much larger company) is not common in smaller entities. However, periodic evaluations of critical processes could be conducted by qualied employees not directly involved in those processes or by hiring an external and suitably qualied person. Managements monitoring activities may also include the use of information received from external parties that indicates problems or highlights areas in need of improvement. Examples of this could include: > Complaints from customers > Comments from governing bodies such as franchisors, nancial institutions and regulators, and > Communications relating to internal control from external auditors and consultants.
Sources of information used for monitoring

Much of the information used in monitoring will be produced by the entitys information system. Management may tend to assume that this information is accurate. If this information is not accurate, there is a risk that management could reach incorrect conclusions and, as a result, make poor decisions. Accordingly, when the auditor is evaluating the monitoring of controls, an understanding is required of: > The sources of the information related to the entitys monitoring activities, and > The basis upon which management considers the information to be sufciently reliable for the purpose.
3.9
Understanding of internal controls relevant to the audit
The following table summarises the steps involved in obtaining an understanding of internal controls relevant to the audit.
Core concepts
63
Exhibit 3.9-1
Identify Specic risks of material misstatement requiring mitigation Address The potential risks of material misstatement (related to signicant classes of transactions, account balances and nancial report disclosures) that exist at the assertion level. For example:
> Fraud risks (such as management override and asset misappropriation) > Disclosure risks (incomplete or missing information) > Signicant risks > Non-routine risks (such as implementing a new accounting system), and > Judgemental risks (estimates, valuations, etc.). Managements response to the identied risks of material misstatement What specic (manual or IT application) control activities (individually or in combination with others) prevent, or detect and correct, material errors and fraud. This step does not require the auditor to identify all the control activities that may exist. For example, an entity may have implemented 15 control procedures to address a particular risk. If the auditor concluded that the rst three control procedures identied were sufcient to mitigate the risk involved, there is no need to carry on work to identify and document the other 12 control procedures. Failure by management to mitigate a risk of material misstatement would likely result in a signicant deciency. These would be reported to management and an audit response developed. This involves procedures (in addition to enquiry of the clients personnel) to determine that relevant controls identied actually exist and are in use by the entity. This can be carried out at a point in time such as tracing one transaction through the system on a particular day. This is not a test of controls, which is designed to evaluate whether a control operated effectively throughout the period covered by the audit.
Signicant deciencies
Implementation of relevant controls
3.10
Manual versus automated controls
For most entities, the system of internal control will consist of a mixture of manual and automated controls. The risks and benets associated with the different types of control are outlined below.
PART A
> Regular day-to-day transactional risks
64
Exhibit 3.10-1
Benets Manual controls > Used to monitor the effectiveness of automated controls > Suited to areas where judgement and discretion are required over large, unusual or non-recurring transactions > Benecial when errors are difcult to dene, anticipate or predict > Changing circumstances may require a control response outside the scope of an existing automated control. Automated controls > Consistently apply predened business rules and perform complex calculations in processing large volumes of transactions or data > Enhance the timeliness, availability and accuracy of information > Facilitate the additional analysis of information > Enhance the ability to monitor the performance of the entitys activities and its policies and procedures > Reduce the risk that internal control will be circumvented > Enhance the ability to achieve effective segregation of duties by implementing appropriate system access restrictions in applications, databases and operating systems. Risks Manual controls > Less reliable than automated controls as performed by people > More easily bypassed, ignored or overridden > Prone to simple errors and mistakes > Consistency of application cannot be assumed > Less suitable for high volume or recurring transactions where automated controls would be more efcient > Less suitable for activities where specic ways to perform the control can be adequately designed and automated. Automated controls > Reliance can be placed on systems or programs that are inaccurately processing data, processing inaccurate data, or both > Unauthorised access to data may result in destruction of data or improper changes to data, including the recording of unauthorised or nonexistent transactions, or inaccurate recording of transactions (particular risks may arise where multiple users access a common database) > The possibility of IT personnel gaining access privileges beyond those necessary to perform their assigned duties, thereby breaking down the segregation of duties > Unauthorised changes to data in master les > Unauthorised changes to systems or programs > Failure to make necessary changes to systems or programs > Inappropriate manual intervention > Potential loss of data or inability to access data as required.
Core concepts
65
3.11
Pervasive controls
Consider point
When the entity has a mix of manual and automated controls, always identify who is responsible for the operation of each control. For example, suppose a warehouse manager is responsible for shipping goods. The warehouse manager manually inputs the data into a sales system that has an application control to match the shipment to the original order. If something went wrong in the matching process, is it the responsibility of the warehouse manager, the IT department or the accounting department? Unless one person is assigned responsibility for the entire process, people will inevitably blame each other when errors are made. Where responsibility has not been assigned, consider: > The likelihood and magnitude of potential misstatements that could occur in the nancial report > The appropriate audit response, and > Whether the matter should be reported to management.
Paragraph # 315.14 (b)
Relevant extracts from ASAs The auditor shall evaluate whether: (b) The strengths in the control environment elements collectively provide an appropriate foundation for the other components of internal control, and whether those other components are not undermined by control environment weaknesses. (Ref: Para. A69-A78)
This chapter has now addressed each of the ve components of internal control. Some of these controls are pervasive in nature and only indirectly serve to prevent a misstatement from occurring or to detect and correct it after it has occurred. Other controls relate to particular transaction risks (such as payroll, sales and purchases) and are designed specically to prevent or detect and correct misstatements. The following table shows the interaction of the two levels of control over transactions as they journey from initiation and processing (transactional level) through the accounting records (entity level) and nally to the nancial report. Notice that at least three of the ve internal control components consist primarily of pervasive controls.
PART A
66
Exhibit 3.11-1
Significant F/R accounts and disclosures
Pervasive controls
Risk asses smen
on
ito
rin
General IT controls
Includes controls over: > Fraud (management override) > Centralised processing > Period-end financial reporting process p g
g
Transactional controls
Specific controls
Control activities
Transactions
Notes: > The above illustration is a general guide. In some instances, pervasive controls can be designed to operate at a level of precision that would prevent or detect specic misstatements at the business process level. For example, a detailed budget approved by those charged with governance may be used by management to detect unauthorised administration expenditures. In other instances, there may be control activities and parts of the information system that relate to entity level activities. > Entity level controls (such as the commitment to competence) may be less tangible than those at the business process level (such as matching goods received to a purchase order) but are just as critical in preventing and detecting fraud and error. > The period-end nancial reporting process includes procedures to: Enter transaction totals into the general ledger Select and apply accounting policies Initiate, authorise, record and process journal entries in the general ledger
Core concepts
67
Record recurring and non-recurring adjustments to the nancial report, and Prepare the nancial report and related disclosures. > General IT controls are similar to entity level controls except that they focus on how IT operations (such as organisation, stafng, data integrity) are managed across the entity. > IT application controls are similar to transaction controls. They relate to how specic transactions are processed at the business process level. Pervasive controls form the basis from which specic transactional controls are built. They set the tone at the top and establish expectations for the organisations control environment in general. Poorly designed pervasive controls may actually encourage all types of error and fraud to take place. For example, an entity may have a highly controlled and effective sales process. However, if senior management has a poor attitude toward control and has sometimes overridden these controls, a material error could still occur in the nancial report. Management override and poor tone at the top are common themes in corporate wrongdoing. Pervasive controls also include the monitoring controls that assess whether the actual tone at the top is what was intended and how well control expectations are being fullled. The pervasive controls (sometimes called entity-level controls) could include: > Controls related to the control environment > Controls over management override > The entitys risk assessment process > Controls to monitor results of operations and other controls > Controls over the period-end nancial reporting process, and > Policies that address signicant business control and risk management practices.
Smaller entities
In smaller entities, the lack of specic business process controls (due to limited staff and resources) is often offset by a high degree of involvement by management (such as the owner manager) in performing controls. In fact, some pervasive controls in smaller entities can often operate at a level of precision that actually serves to prevent or detect specic misstatements. However, the increased involvement of senior management also increases the
PART A
68
risk of management override. This could be addressed through further audit procedures or the design of suitable anti-fraud controls. (See Part A, Chapter 3.12.)
Pervasive control deciencies

Although weaknesses in pervasive controls do not generally result in an immediate deciency or errors in the nancial report, they still have a signicant inuence on the likelihood of misstatements resulting at the business process control level. The absence of good pervasive controls may seriously undermine other business process controls and, consequently, signicant deciencies in these controls would be reported to management and those charged with governance.
3.12
Anti-fraud controls
In the last few years a new type of internal control has begun to emerge, sometimes called anti-fraud control. Since the vast majority of sizeable frauds tend to involve senior management, the establishment of strong anti-fraud programs and controls is considered a healthy part of the control environment in larger entities. Anti-fraud controls can be likened to speed bumps on a road that are designed to slow down trafc but not stop it altogether. Anti-fraud controls are designed to deter bad behaviour before it happens but can never stop it entirely. Anti-fraud controls are particularly relevant for larger entities but can also be designed to discourage fraud in smaller entities. They may not prevent frauds from occurring, but they do provide a powerful disincentive. They cause the perpetrators to think carefully about the repercussions of their actions. Anti-fraud controls can be designed to address all ve internal control components. However, in relation to risks of material misstatement in the nancial report, special emphasis is placed on the tone set at the top of the entity. This addresses the attitudes and actions of management toward control and is part of the control environment (see Part A, Chapter 3.3) which inuences the control consciousness of all personnel. A good tone at the top is considered by far the most effective anti-fraud control of all. Two examples of anti-fraud controls applicable for smaller entities include: > Journal entries Non-routine journal entries have often been used by managers to commit fraud. A policy that non-routine journal entries (over a specied amount) must be supported by an explanation and managers signature (indicating approval) is a simple anti-fraud control that can be implemented in any size of entity. Such a policy empowers the entitys accountant to always ask the manager (requesting an entry) for an explanation and approval. This will not
Core concepts
69
necessarily stop a senior manager from demanding an inappropriate entry to be made but the thought of having to physically document the approval and provide an explanation may be enough to deter the request from ever being made in the rst place. If it does not deter the request, the auditor may notice that the entry was not approved and ask why. This could then lead to further investigation. > Segregation of duties In smaller entities, the accountant or bookkeeper is often in a trusted position with minimal supervision and therefore ample opportunity to commit fraud. One possible (but somewhat costly) anti-fraud control would be to hire a part-time bookkeeper to take over that persons job for at least one or more week per year, such as when the accountant is on holiday or performing other tasks. The policy of employing a replacement could deter the bookkeeper from committing fraud at all and if fraud is already taking place, the replacement might provide an opportunity to detect it.
PART A
70
4.
Financial report assertions

Relevant ASA
Chapter content Use of managements assertions in auditing.
315
Exhibit 4.0-1
Combined assertions
Completeness (missing transactions)
Extent of monetary error

Correctly stated amount for transaction/balance
Existence (invalid transactions)
Accuracy and cutoff (inaccurate; recording, cutoff or rights/obligations)
Valuation (recorded at incorrect value)
Understated
Overstated
4.1
315.4(a)
Overview
Relevant extracts from ASAs Assertions mean representations by management and those charged with governance, explicit or otherwise, that are embodied in the nancial report, as used by the auditor to consider the different types of potential misstatements that may occur.
Paragraph #
When management makes a representation to the auditors such as the nancial report as a whole is presented fairly in accordance with the applicable nancial reporting framework it actually contains a number of embedded assertions. These embedded assertions (by management) relate to the recognition, measurement, presentation and disclosure of the various elements (amounts and disclosures) in the nancial report.
Core concepts
71
Examples of managements assertions include: > All the assets in the nancial report exist > All sales transactions have been recorded in the appropriate period > Inventories are stated at appropriate values > Payables represent proper obligations of the entity > All recorded transactions occurred in the period under review, and > All amounts are properly presented and disclosed in the nancial report. These assertions are often summarised by a single word such as completeness, existence, occurrence, accuracy, valuation, et al. For example, management may assert to the auditor that the sales balance in the accounting records contains all the sales transactions (completeness assertion), the transactions took place and are valid (occurrence assertion) and transactions have been properly recorded in the accounting records and in the appropriate accounting period (accuracy and cut-off assertion).
PART A
4.2
Description of assertions
Paragraph A111 of ASA 315 describes the categories of assertions that can be used by the auditor to consider the different types of potential misstatements. These categories are described in the exhibit below.
Exhibit 4.2-1
Assertion Classes of transactions and events for the period under audit Occurrence Completeness Accuracy Description Transactions and events that have been recorded, have occurred and pertain to the entity. All transactions and events that should have been recorded have been recorded. Amounts and other data relating to recorded transactions and events have been recorded appropriately. Transactions and events have been recorded in the correct accounting period. Transactions and events have been recorded in the proper accounts.
Cut-off Classication
72
Assertion Account balances at the period end Existence Rights and obligations Completeness Valuation and allocation
Description Assets, liabilities and equity interests exist. The entity holds or controls the rights to assets and liabilities are the obligations of the entity. All assets, liabilities and equity interests that should have been recorded have been recorded. Assets, liabilities and equity interests are included in the nancial report at appropriate amounts and any resulting valuation or allocation adjustments are appropriately recorded. Description Disclosed events, transactions and other matters have occurred and pertain to the entity. All disclosures that should have been included in the nancial report have been included. Financial information is appropriately presented and described, and disclosures are clearly expressed. Financial and other information is disclosed fairly and at appropriate amounts.
Assertion Presentation and disclosure Occurrence, rights and obligations Completeness Classication and understandability Accuracy and valuation
The applicability of assertions to the nancial report areas is summarised below.
Exhibit 4.2-2
Assertions Existence/occurrence Completeness Rights and obligations Accuracy/classication Cut-off Classication and understandability Valuation/allocation Classes of transactions Account balances Presentation and disclosure
4.3
Combined assertions
ASA 315 allows the auditor to use the assertions exactly as described above or to express them differently, provided all aspects described above have been covered. To make the use of assertions slightly easier to apply for auditing smaller
Core concepts
73
entities, this Manual has combined a number of the assertions so that they may apply across all three categories (ie. balances, transactions and disclosure). The four combined assertions and the individual assertions they address are illustrated in the following exhibit.
Exhibit 4.3-1
Combined assertions Completeness (C) Existence (E) Accuracy and cut-off (A) Classes of transactions > Completeness > Occurrence > Accuracy > Cut-off > Classication Account balances > Completeness > Existence > Rights and obligations Presentation and disclosure > Completeness > Occurrence > Accuracy > Rights and obligations > Classication and understandability Valuation (V) > Valuation and allocation > Valuation
Note: When the auditor chooses to use combined assertions, such as those outlined above, it is important to remember that the accuracy and cut-off assertion also includes rights and obligations, as well as classication and understandability. The following exhibit provides a description of the four combined assertions used in this Manual.
Exhibit 4.3-2
Combined assertion Completeness (C) Description Everything that should be recorded or disclosed in the nancial report has been included. There are no unrecorded or undisclosed assets, liabilities, transactions or events; there are no missing or incomplete nancial report notes. Existence (E) Everything that is recorded or disclosed in the nancial report exists at the appropriate date and should be included. Assets, liabilities, recorded transactions and other matters included in the nancial report notes exist, have occurred and pertain to the entity. Accuracy and cut-off (A) All liabilities, revenues, expense items and rights to assets (in the form of a hold or control) are the property or obligation of the entity and have been recorded at the proper amount and allocated (cut-off) to the proper period. This also includes proper classication of amounts and disclosures in the nancial report.
PART A
74
Combined assertion Valuation (V)
Description Assets, liabilities and equity interests are recorded in the nancial report at the appropriate amount (value). Any valuation or allocation adjustments required by their nature or applicable accounting principles have been appropriately recorded.
4.4
315.25
Using assertions in auditing

Relevant extracts from ASAs The auditor shall identify and assess the risks of material misstatement at: (a) The nancial report level; and (Ref: Para. A105-A108) (b) The assertion level for classes of transactions, account balances, and disclosures (Ref: Para. A109-A113) to provide a basis for designing and performing further audit procedures.
Paragraph #
As previously stated, the nancial report contains a number of embedded assertions. Assertions can be used by the auditor in assessing risks at the nancial report level and the assertion level.
Exhibit 4.4-1
Assessing risks at Financial report level Commentary The risks of material misstatement at the nancial report level tend to be pervasive and therefore address all the assertions. For example, if the senior accountant is not competent enough for the assigned tasks, it is quite possible that errors could occur in the nancial report. However, the nature of such errors will not often be conned to a single account balance, transaction stream or disclosure. In addition, the error will not likely be conned to a single assertion such as the completeness of sales. It could just as easily relate to other assertions such as accuracy, existence and valuation. Risks at the assertion level relate to individual account balances at a point in time (ie. the period end), classes of transactions (for the scal period) and presentation and disclosure in the nancial report. The relevance of each assertion to an individual account balance (or class of transactions or presentation and disclosure) will vary based on the characteristics of the balance and the potential risks of material misstatement. For example, when considering the valuation assertion, the auditor might assess the risk of error in payables as low; however, for inventory where obsolescence is a factor, the auditor would assess the valuation risk as high. Another example is a situation in which the risks of material misstatement due to completeness (missing items) in the inventory balance are low, but high in relation to the sales balance.
Assertion level
The difference between the two levels of risk assessment is illustrated in partial form in the following exhibit.
Core concepts
75
Exhibit 4.4-2
Financial report level
Pervasive risks that could apply to many assertions
Financial report (overall)

Low
Account balances Classes of transactions Presentation and disclosure Relevant assertions

(assess risk for each assertion)
Inventory
Cash
Payables
Revenues
Expenses
Commitments
C E A V
Low Mod Low High
Related parties
Note: This chart uses the combined assertions described in Part A, Chapter 4.3. Assertions are used by the auditor to form a basis for: > Considering the different types of potential misstatements that may occur > Assessing the risks of material misstatement, and > Designing further audit procedures that are responsive to the assessed risks.
Exhibit 4.4-3
Use of assertions Considering types of potential misstatement Procedures This would include performing risk assessment procedures to identify possible risks of material misstatement. For example, the auditor might ask questions such as the following: > Does the asset exist? (Existence) > Does the entity own it? (Rights and obligations) > Are all the sales transactions properly recorded? (Completeness) > Has the inventory balance been adjusted for slow-moving and obsolete items? (Valuation) > Does the payable balance include all known liabilities at the period end? (Completeness) > Were transactions recorded in the right period? (Cut-off) > Are amounts properly presented and disclosed in the nancial report? (Accuracy)
PART A
Assertion level (partial)
76
Use of assertions Assessing risks of material misstatement
Procedures The risk of material misstatement is a combination of inherent risk and control risk. The assessment process includes: > Inherent risk Identify potential misstatements and the assertions involved then assess the likelihood of the risks occurrence and possible magnitude. > Control risk Identify and evaluate any relevant internal controls in place that mitigate the assessed risks and address the underlying assertions.
Designing audit procedures
The nal step is to design audit procedures to be responsive to the assessed risks by assertion. For example, if the risk is high that receivables are overstated (existence assertion), the audit procedures should be designed to specically address the existence assertion. If sales completeness is a risk, the auditor can design a test of controls that addresses the completeness assertion.
Core concepts
77
5.
Materiality and audit risk

Relevant ASA
Chapter content Applying the concept of materiality appropriately in planning and performing the audit.
320
PART A
Paragraph # 320.8
ASA objective(s) The objective of the auditor is to apply the concept of materiality appropriately in planning and performing the audit.
Exhibit 5.0-1
Use of materiality in the audit
Risk assessment
Determining: > Materiality for the financial report as a whole > Performance materiality. Planning what risk assessment procedures to perform. Identifying and assessing the risks of material misstatement.
Risk response
Determining the nature, timing, and extent of further audit procedures. Revisions to materiality as a result of a change in circumstances during the audit.
Reporting
Paragraph # 320.9
Evaluating the effect of uncorrected misstatements. Forming the opinion in the auditors report.
Relevant extracts from ASAs For the purposes of the Australian Auditing Standards, performance materiality means the amount or amounts set by the auditor at less than materiality for the nancial report as a whole to reduce to an appropriately low level the probability that the aggregate of uncorrected and undetected misstatements exceeds materiality for the nancial report as a whole. If applicable, performance materiality also refers to the amount or amounts set by the auditor at less than the materiality level or levels for particular classes of transactions, account balances or disclosures.
78
Paragraph # 320.10
Relevant extracts from ASAs When establishing the overall audit strategy, the auditor shall determine materiality for the nancial report as a whole. If, in the specic circumstances of the entity, there is one or more particular classes of transactions, account balances or disclosures for which misstatements of lesser amounts than materiality for the nancial report as a whole could reasonably be expected to inuence the economic decisions of users taken on the basis of the nancial report, the auditor shall also determine the materiality level or levels to be applied to those particular classes of transactions, account balances or disclosures. (Ref: Para. A2-A11) The auditor shall determine performance materiality for purposes of assessing the risks of material misstatement and determining the nature, timing and extent of further audit procedures. (Ref: Para. A12)
320.11
5.1
Overview
Materiality addresses the signicance of nancial report information to economic decisions made by users on the basis of the nancial report. The concept of materiality recognises that some matters, either individually or in the aggregate, are important to people making an economic decision based on the nancial report. This could include decisions such as whether to invest in, purchase, do business with, or lend money to, an entity. This chapter addresses the use of materiality in auditing in general. See Part B, Chapter 21 of this Manual for additional guidance on establishing specic materiality amounts. When a misstatement (or the aggregate of all misstatements) is signicant enough to change or inuence the decision of an informed person, a material misstatement has occurred. Below this threshold, the misstatement is generally regarded as not material. This threshold, above which the nancial report would be materially misstated, is called materiality for the nancial report as a whole. For the purposes of this Manual this term has been shortened to overall materiality. Note: The determination of materiality for the nancial report as a whole (overall materiality) is not based on any assessment of audit risk. It is determined entirely in relation to the users of the nancial report. It would typically be the same as that used by the preparer of the nancial report. Lets assume that the decision of a nancial report user group would be inuenced by a misstatement of $10,000 in the nancial report. This would be the materiality for the nancial report as a whole (or overall materiality) for both the preparer and the auditor. Any individual misstatement or aggregate of individually immaterial misstatements that exceeds the $10,000 amount would result in the nancial report being materially misstated. The responsibility of the auditor is to reduce to an appropriately low level the probability that the aggregate of uncorrected and undetected misstatements in
Core concepts
79
Performance materiality enables the auditor to establish materiality amounts (based upon but lower than overall materiality) that reect the risk assessments for the various nancial report areas. These lower amounts provide a safety buffer between the materiality (performance materiality) used for determining the nature and extent of audit procedures to be performed and the overall materiality. In the example above, the auditor using professional judgement may decide that a performance materiality of $6,000 would be used in designing the extent of the audit procedures to be performed. The buffer of $4,000 ($10,000 $6,000) between performance materiality and overall materiality provides a safety margin for any undetected misstatements that may exist.
5.2
Financial report users
Materiality is used in both preparing and auditing the nancial report. Materiality for the nancial report as a whole (overall materiality) is often explained (such as in nancial reporting frameworks) in the terms below.
Exhibit 5.2-1
Inuence on making economic decisions Misstatements, including omissions, are considered to be material if they, individually or in the aggregate, could reasonably be expected to inuence the economic decisions of users taken on the basis of the nancial report. Judgements about materiality are made in light of surrounding circumstances and are affected by the size or nature of a misstatement or a combination of both. Judgements about matters that are material to users of the nancial report are based on a consideration of the common nancial information needs of users as a group. The possible effect of misstatements on specic individual users, whose needs may vary widely, is not considered.
Surrounding circumstances
Common needs of users
The auditor determines materiality based on their perception of the needs of users. In applying their professional judgement, it is reasonable for the auditor to assume that users of the nancial report:
PART A
the nancial report exceeds the materiality for the nancial report as a whole. If the auditor simply planned to perform audit procedures that would identify individual misstatements exceeding $10,000 there is a risk that the aggregate of individually immaterial misstatements not identied during the audit, would result in the $10,000 materiality threshold being exceeded. So the auditor needs to perform some additional work that is sufcient to allow for a margin or buffer for possible undetected misstatements. The purpose of performance materiality is to provide such a buffer.
80
> Have a reasonable knowledge of business, economic activities, and accounting and have a willingness to study the information in the nancial report with reasonable diligence > Understand that nancial report is prepared and audited to levels of materiality > Recognise the uncertainties inherent in the measurement of amounts based on the use of estimates, judgement and the consideration of future events, and > Make reasonable economic decisions on the basis of the information in the nancial report.
5.3
Nature of misstatements
Misstatements may arise from a number of causes and can be based on the following. > Size the monetary amount involved (quantitative) > Nature of the item (qualitative), and > Circumstances surrounding the occurrence.
Exhibit 5.3-1
Typical misstatements > Errors and fraud identied in the preparation of the nancial report > Departures from the applicable nancial reporting framework > Fraud perpetrated by employees or management > Management error > Preparation of inaccurate or inappropriate estimates, or > Inappropriate or incomplete descriptions of accounting policies or note disclosures.
Materiality is not an absolute number. It represents a grey area between what is very likely not material and what is very likely material. Consequently, the assessment of what is material is always a matter of professional judgement. In some situations, a matter well below the quantitative materiality level may be determined as material based on the nature of the item or the circumstances related to the misstatement. For example, the information that there are a number of transactions with related parties may be very signicant to a person making a decision based on the nancial report. Finally, a series of immaterial items may well become material when aggregated together.
Core concepts
81
Exhibit 5.3-2
Extent of misstatements
(Quantitative and qualitative)
Misstatements are material

Financial report
Decision would be changed or influenced
Materiality threshold
Misstatements are immaterial
Decision would not be changed or influenced
5.4
Materiality and audit risk
Materiality (as discussed above) and audit risk are related and are considered together throughout the audit process. Audit risk is the possibility that an auditor expresses an inappropriate audit opinion on the nancial report that is materially misstated.
Exhibit 5.4-1
Audit risk components Risks of material misstatement (RMM) The risk that the nancial report is materially misstated prior to the start of any audit work. These risks are considered at the nancial report level (often pervasive risks affecting many assertions) and at the assertion level, which relates to classes of transactions, account balances and disclosures. RMM is a combination of inherent risk (IR) and control risk (CR), which can be summarised as IR x CR = RMM The risk that the auditor fails to detect a misstatement that exists in an assertion that could be material. Detection risk (DR) is addressed through: > Sound audit planning > Performing audit procedures that respond to the risks of material misstatement identied > Proper assignment of audit personnel > The application of professional scepticism, and > Supervision and review of the audit work performed. Detection risk can never be reduced to zero because of the inherent limitations in the audit procedures carried out, the human judgements (professional) required and the nature of the evidence examined.
Detection risk
PART A
The subject matter information
Reasonable user
82
Audit risk (AR) can therefore be summarised as: AR = RMM x DR Materiality and audit risk are considered throughout the audit in: > Identifying and assessing the risks of material misstatement > Determining the nature, timing and extent of further audit procedures > Determining revisions to materiality (overall and performance) after becoming aware of new information during the audit which would have caused the auditor to have determined a different amount (or amounts) initially, and > Evaluating the effect of uncorrected misstatements, if any, on the nancial report and in forming the opinion in the auditors report. Using the simple analogy of a high jump in athletics, materiality would be equivalent to the height of the bar the athlete has to jump over. Audit risk is equivalent to the level of difculty inherent in the jump at that particular height (RMM), combined with the additional risk of making a mistake in jump strategy or execution (detection risk).
5.5
320.12
Materiality levels
Relevant extracts from ASAs The auditor shall revise materiality for the nancial report as a whole (and, if applicable, the materiality level or levels for particular classes of transactions, account balances or disclosures) in the event of becoming aware of information during the audit that would have caused the auditor to have determined a different amount (or amounts) initially. (Ref: Para. A13) If the auditor concludes that a lower materiality for the nancial report as a whole (and, if applicable, materiality level or levels for particular classes of transactions, account balances or disclosures) than that initially determined is appropriate, the auditor shall determine whether it is necessary to revise performance materiality, and whether the nature, timing and extent of the further audit procedures remain appropriate. The auditor shall include in the audit documentation the following amounts and the factors considered in their determination: (a) Materiality for the nancial report as a whole (see paragraph 10 of this Auditing Standard); (b) If applicable, the materiality level or levels for particular classes of transactions, account balances or disclosures (see paragraph 10 of this Auditing Standard); (c) Performance materiality (see paragraph 11 of this Auditing Standard); and (d) Any revision of (a)-(c) as the audit progressed (see paragraphs 12-13 of this Auditing Standard).
Paragraph #
320.13
320.14
Core concepts
83
Exhibit 5.5-1
Overall materiality Overall

Financial report level (for the financial report as a whole)
PART A
Overall performance materiality
Account balance,class of transactions and disclosures level
Specific materiality (for particular financial report areas) Specific perfomance materiality
Quantitative amount
Note: The terms overall and specic used in the chart above and in the text below are used for the purposes of this Manual and are not terms used in the ASAs. Overall materiality refers to materiality for the nancial report as a whole; specic materiality relates to materiality for particular classes of transactions, account balances or disclosures. At the start of the audit, the auditor makes judgements about the size and nature of misstatements that would be considered material. This includes establishing materiality amounts as set out in the following exhibit.
Establishing materiality amounts Exhibit 5.5-2

Overall materiality Overall materiality relates to the nancial report as a whole. It is based on what could reasonably be expected to inuence the economic decisions of the nancial report users, taken on the basis of the nancial report. It would be changed during the audit if the auditor becomes aware of information that would have caused them to have determined a different amount (or amounts) initially. Performance materiality is set at a lower amount than the overall materiality. Performance materiality enables the auditor to respond to specic risk assessments (without changing the overall materiality) and to reduce to an appropriately low level the probability that the aggregate of uncorrected and undetected misstatements exceeding overall materiality. Performance materiality would be changed based on audit ndings (such as where a risk assessment was revised).
Overall performance materiality
84
Specic materiality
Specic materiality is established for classes of transactions, account balances or disclosures where misstatements of lesser amounts than overall materiality could reasonably be expected to inuence the economic decisions of users, taken on the basis of the nancial report. Specic performance materiality is set at a lower amount than the specic materiality. This enables the auditor to respond to specic risk assessments and to allow for the possible existence of undetected and immaterial misstatements aggregating to a material amount.
Specic performance materiality
Materiality for the nancial report as a whole

Materiality for the nancial report as a whole (overall materiality) is based on the auditors perception of the nancial information needs of users of the nancial report. This would typically be determined at an amount similar to that used by the nancial report preparer. Using professional judgement, the auditor would set materiality at the highest amount of misstatement that would not inuence the economic decisions of nancial report users. Once established, the overall materiality amount becomes one of the factors by which the ultimate success or failure of the audit will be judged. For example, assume overall materiality was set at an amount of $20,000. If as a result of performing audit procedures: > No misstatements were identied an unmodied opinion would be provided > Some small (immaterial) misstatements were identied and not corrected an unmodied opinion would be provided > Uncorrected misstatements exceeding materiality (of $20,000) were found and management was unwilling to make the necessary adjustments a qualied or adverse opinion is likely to be required > Uncorrected errors exceeding materiality (of $20,000) exist in the nancial report but were not detected by the auditor then it is possible an inappropriate unmodied audit opinion will be issued. Refer to Part B, Chapter 36 for guidance on how to use materiality in evaluating the audit evidence obtained. Auditors are sometimes tempted to lower the overall materiality amount when the risk of material misstatement is assessed as high. This would not be appropriate, however, as overall materiality addresses the needs of nancial report users, not the level of audit risk involved. If audit risk was a factor in setting overall materiality, a high-risk audit would end up with a lower overall materiality amount than that set for a similarsized entity where audit risk was low. Assuming that the information needs of nancial report users are the same, regardless of audit risk, setting the overall materiality amount at a lower level would result in:
Core concepts
85
> Providing nancial report users with an expectation that smaller misstatements in the nancial report (than is actually necessary) will be identied by the auditor, and > Additional audit work to ensure that audit risk has been reduced to an appropriately low level. Because overall materiality is set in relation to the needs of nancial report users, it would not be changed as a result of audit ndings and changes in assessed risks. Overall materiality is required to be updated when the auditor becomes aware of information that would have caused the initial determination of materiality to be a different amount (or amounts). At the conclusion of the audit, overall materiality will be used for evaluating the effect of identied misstatements on the nancial report and the appropriateness of the opinion in the auditors report.
PART A
Performance materiality
Performance materiality allows the auditor to address the risks of misstatement in account balances, classes of transactions and disclosures without having to change overall materiality. Performance materiality enables the auditor to establish materiality amounts that are based on the overall materiality but are set at lower amounts to reect the risk of not detecting misstatements and to reect risk assessments. This lower amount(s) establishes a safety buffer between the materiality used for determining the nature and extent of testing (performance materiality) and the materiality amount for the nancial report as a whole (overall materiality). Setting an appropriate amount for performance materiality will ensure that more work is performed which increases the likelihood that misstatements (if they exist) will be identied. For example, if overall materiality was $20,000 and audit procedures were planned to detect all errors in excess of $20,000, it is quite possible that an error of say $8,000 would go undetected. If three such errors existed, amounting to $24,000, the nancial report would be materially misstated. However, if performance materiality was set at $12,000, it would be much more likely that at least one or all of the $8,000 errors would be detected. Even if only one of the three errors was identied and corrected, the remaining misstatement of $16,000 would be less than the overall materiality and the nancial report as a whole would not be materially misstated. Setting an appropriate amount for performance materiality involves the exercise of professional judgement and is not a simple mechanical calculation such as a percentage (eg. 75%) of the overall materiality level. However, based on the particular circumstances of the entity being audited, it could be set as a single amount for the nancial report as a whole, or at individual amounts for particular balances, transactions and disclosures.
86
The determination of performance materiality involves the exercise of professional judgement based on factors that address audit risk such as the following: > Understanding of the entity and the results of performing risk assessment procedures > Nature and extent of misstatements identied in previous audits, and > Expectations of possible misstatements in the current period. Performance materiality as a whole or for individual balances, transactions and disclosures may have to be changed at any time during the audit (without impacting overall materiality) to reect revised risk assessments, audit ndings and new information obtained. At the conclusion of the audit, the overall materiality would be used for evaluating the effect of identied misstatements on the nancial report and determining the opinion to be expressed in the auditors report. (See Part B, Chapter 36 for further guidance.) Consider point
When a possible misstatement is identied, address the circumstances of occurrence and the impact on risk assessments/audit plans before reconsidering performance materiality.
Specic materiality
There are some situations where misstatements of lesser amounts than materiality for the nancial report as a whole could reasonably be expected to inuence the economic decisions of users, taken on the basis of the nancial report.
Exhibit 5.5-3
Decision inuencers Laws, regulations and accounting framework requirements Possible examples > Sensitive nancial report disclosures such as the remuneration of management and those charged with governance > Related party transactions > Non-compliance with loan covenants, contractual agreements, regulatory provisions and statutory/regulatory reporting requirements > Certain types of expenditures such as illegal payments or executives expenses. Key industry disclosures Disclosure of signicant events and important changes in operations > Reserves and exploration costs for a mining entity > Research and development costs for a pharmaceutical entity. > Newly acquired businesses or expansion of operations > Discontinued operations > Unusual events or contingencies (eg. lawsuits) > Introduction of new products and services.
Core concepts
87
The auditor would consider the existence of matters such as the above for one or more particular class of transaction, account balance or disclosure. The auditor may also nd it useful to obtain an understanding of the views and expectations of management and those charged with governance.
Specic performance materiality

This is the same as the performance materiality discussed above except that it relates to the amounts set for specic materiality. Specic performance materiality would be set at a smaller amount than specic materiality to ensure sufcient audit work is performed to reduce to an appropriately low level the probability that the aggregate of uncorrected and undetected misstatements exceeds the specic materiality. Consider point
Materiality considerations for smaller entities For smaller entities, the determination of materiality can be simplied so that only the minimum of two levels of materiality is used as required by ASA 320. These two levels are materiality for the nancial report as a whole and performance materiality, which is used for assessing the risks of material misstatement and determining the nature, timing and extent of audit procedures. This does not necessarily mean that there will only be two materiality amounts determined for each audit of a smaller entity; a performance materiality amount may be determined for each different type of audit procedure the auditor conducts on classes of transactions, account balances or disclosures based on the risks of material misstatement and the auditors understanding of the entity. PART A
5.6
320.14
Documentation of materiality
Relevant extracts from ASAs The auditor shall include in the audit documentation the following amounts and the factors considered in their determination: (a) Materiality for the nancial report as a whole (see paragraph 10 of this Auditing Standard); (b) If applicable, the materiality level or levels for particular classes of transactions, account balances or disclosures (see paragraph 10 of this Auditing Standard); (c) Performance materiality (see paragraph 11 of this Auditing Standard); and (d) Any revision of (a)-(c) as the audit progressed (see paragraphs 12-13 of this Auditing Standard).
Paragraph #
Because materiality amounts are based on the auditors professional judgement, it is important that the factors and amounts involved in determining materiality at the various levels be properly documented. This would typically occur as follows:
88
> During the planning phase when decisions are made about the extent of work required > During the audit when based on audit ndings, revisions may be required to either overall materiality or performance materiality for particular classes of transactions, account balances or disclosures. Documentation would address: > The users of the nancial report > The factors used in determining: Materiality for the nancial report as a whole and, if applicable, the materiality level or levels for particular classes of transactions, account balances or disclosures Performance materiality, and > Any revision of materiality amounts in the above point as the audit progressed.
Core concepts
89
6.
Risk assessment procedures

Relevant ASAs
Chapter content The nature and use of risk assessment procedures by an auditor to identify and assess the risks of material misstatement.
240, 315
PART A
The three risk assessment procedures are illustrated in the exhibit below.
Exhibit 6.0-1
Enquiries of management and others
Observation and inspection
Analytical procedures
Paragraph # 315.5
Relevant extracts from ASAs The auditor shall perform risk assessment procedures to provide a basis for the identication and assessment of risks of material misstatement at the nancial report and assertion levels. Risk assessment procedures by themselves, however, do not provide sufcient appropriate audit evidence on which to base the audit opinion. (Ref: Para. A1-A5) The risk assessment procedures shall include the following: (a) Enquiries of management and of others within the entity who, in the auditors judgement, may have information that is likely to assist in identifying risks of material misstatement due to fraud or error. (Ref: Para. A6) (b) Analytical procedures. (Ref: Para. A7-A10) (c) Observation and inspection. (Ref: Para. A11)
315.6
90
Paragraph # 315.11
Relevant extracts from ASAs The auditor shall obtain an understanding of the following: (a) Relevant industry, regulatory and other external factors including the applicable nancial reporting framework. (Ref: Para. A17-A22) (b) The nature of the entity, including: (i) (ii) Its operations; Its ownership and governance structures;
(iii) The types of investments that the entity is making and plans to make, including investments in special-purpose entities; and (iv) The way that the entity is structured and how it is nanced to enable the auditor to understand the classes of transactions, account balances, and disclosures to be expected in the nancial report. (Ref: Para. A23-A27) (c) The entitys selection and application of accounting policies, including the reasons for changes thereto. The auditor shall evaluate whether the entitys accounting policies are appropriate for its business and consistent with the applicable nancial reporting framework and accounting policies used in the relevant industry. (Ref: Para. A28) (d) The entitys objectives and strategies, and those related business risks that may result in risks of material misstatement. (Ref: Para. A29-A35) (e) The measurement and review of the entitys nancial performance. (Ref: Para. A36-A41) 315.12 The auditor shall obtain an understanding of internal control relevant to the audit. Although most controls relevant to the audit are likely to relate to nancial reporting, not all controls that relate to nancial reporting are relevant to the audit. It is a matter of the auditors professional judgement whether a control, individually or in combination with others, is relevant to the audit. (Ref: Para. A42-A65)
6.1
Overview
The purpose of risk assessment procedures is to identify and assess risks of material misstatement. This is achieved through understanding the entity and its environment, including internal control. Information may be obtained from external sources, such as the internet and trade publications, and from internal sources such as discussions with key personnel. This understanding of the entity becomes a continuous, dynamic process of gathering, updating and analysing information throughout the audit.
6.2
Audit evidence
Risk assessment procedures provide audit evidence to support the assessment of risks at the nancial report and assertion levels. However, this evidence does not stand alone. Evidence obtained from risk assessment procedures is supplemented by further audit procedures (that respond to the risks identied) such as tests of controls and/or substantive procedures.
Core concepts
91
Required procedures
The auditor uses professional judgement to determine the risk assessment procedures to be performed and the scope or depth of understanding of the entity that is required. In the rst year that the auditor conducts the audit for an entity, the work required to obtain and document this information will often require a signicant amount of time. However, if the information obtained is well documented in the rst year, the time required to update the information in subsequent years should be considerably less than that required in the rst year. The auditor needs to perform sufcient risk assessment procedures to identify the business and fraud risk factors that could result in material misstatement. This includes consideration of any events or conditions that may cast signicant doubt on the entitys ability to continue as a going concern. The required scope or depth for understanding the entity is set out in paragraphs 11 and 12 of ASA 315 (reproduced above). This depth of overall understanding by the auditor will be less than that possessed by management in managing the entity. Consider point
When designing the nature and extent of risk assessment procedures to be performed, remember that some ASAs outline specic matters to be considered. Some examples are included below:
ASA 240.16 Fraud in an Audit of a Financial Report When performing risk assessment procedures and related activities to obtain an understanding of the entity and its environment, including the entitys internal control, required by ASA 315, the auditor shall perform the procedures in paragraphs 17-24 of this Auditing Standard to obtain information for use in identifying the risks of material misstatement due to fraud.
PART A
92
ASA 540.8 Auditing Accounting Estimates When performing risk assessment procedures and related activities to obtain an understanding of the entity and its environment, including the entitys internal control, as required by ASA 315, the auditor shall obtain an understanding of the following in order to provide a basis for the identication and assessment of the risks of material misstatement for accounting estimates: (a) The requirements of the applicable nancial reporting framework relevant to accounting estimates, including related disclosures. (b) How management identies those transactions, events and conditions that may give rise to the need for accounting estimates to be recognised or disclosed in the nancial report. In obtaining this understanding, the auditor shall make enquiries of management about changes in circumstances that may give rise to new, or the need to revise existing, accounting estimates. (c) How management makes the accounting estimates, and an understanding of the data on which they are based, including: (i) (ii) The method, including, where applicable, the model, used in making the accounting estimate; Relevant controls;
(iii) Whether management has used an expert; (iv) The assumptions underlying the accounting estimates; (v) Whether there has been or ought to have been a change from the prior period in the methods for making the accounting estimates, and if so, why; and (vi) Whether and, if so, how management has assessed the effect of estimation uncertainty. ASA 550.11 Related Parties As part of the risk assessment procedures and related activities that ASA 315 and ASA 240 require the auditor to perform during the audit, the auditor shall perform the audit procedures and related activities set out in paragraphs 12-17 of this Auditing Standard to obtain information relevant to identifying the risks of material misstatement associated with related party relationships and transactions. ASA 570.10 Going Concern When performing risk assessment procedures as required by ASA 315, the auditor shall consider whether there are events or conditions that may cast signicant doubt on the entitys ability to continue as a going concern (balance of requirement omitted)
In smaller entities, the procedures required to identify these risks may be minimal, whereas in larger and more complex entities the procedures could be extensive.
6.3
The three risk assessment procedures
Each of the three risk assessment procedures should be performed during the audit, but not necessarily for each aspect of the understanding required. In many situations, the results from performing one type of procedure may lead to performing another. For example, in an interview with the sales manager, an unusual but signicant sales contract might be identied. This could be
Core concepts
93
followed up by an inspection of the actual sales contract and an analysis of the impact on sales margins. Alternatively, ndings from performing analytical procedures on preliminary operating results may trigger some questions for management. The answers to these questions may then lead to requests to inspect certain documents or observe some activities.
PART A
The nature and use of the three procedures are outlined below. See toolkit item 435: Risk assessment procedures Planning & Execution
6.4
Enquiries of management and others (including enquiries relating to fraud)
Enquiries of management and others
Paragraph # 240.17
Relevant extracts from ASAs The auditor shall make enquiries of management regarding: (a) Managements assessment of the risk that the nancial report may be materially misstated due to fraud, including the nature, extent and frequency of such assessments; (Ref: Para. A12-A13) (b) Managements process for identifying and responding to the risks of fraud in the entity, including any specic risks of fraud that management has identied or that have been brought to its attention, or classes of transactions, account balances or disclosures for which a risk of fraud is likely to exist; (Ref: Para. A14) (c) Managements communication, if any, to those charged with governance regarding its processes for identifying and responding to the risks of fraud in the entity; and (d) Managements communication, if any, to employees regarding its views on business practices and ethical behaviour.
240.18
The auditor shall make enquiries of management, and others within the entity as appropriate, to determine whether they have knowledge of any actual, suspected or alleged fraud affecting the entity. (Ref: Para. A15-A17)
94
Paragraph # 240.20
Relevant extracts from ASAs Unless all of those charged with governance are involved in managing the entity, the auditor shall obtain an understanding of how those charged with governance exercise oversight of managements processes for identifying and responding to the risks of fraud in the entity and the internal control that management has established to mitigate these risks. (Ref: Para. A19-A21) Unless all of those charged with governance are involved in managing the entity, the auditor shall make enquiries of those charged with governance to determine whether they have knowledge of any actual, suspected or alleged fraud affecting the entity. These enquiries are made in part to corroborate the responses to the enquiries of management.
240.21
Enquiry is used by the auditor in conjunction with other risk assessment procedures to assist in identifying risks of material misstatement. The focus of the questions is to obtain an understanding of each of the required aspects as set out in paragraphs 11 and 12 of ASA 315 (reproduced above). Typically, most information from enquiries is obtained from management and those responsible for nancial reporting. However, enquiries of others within the entity and employees with different levels of authority can provide a different perspective and additional information that can be useful in identifying risks of material misstatement that may otherwise be missed. For example, a discussion with the sales manager might reveal that certain sales transactions (late in the period) were rushed through and not recorded in accordance with the entitys revenue recognition policies. Areas of enquiry are outlined in the chart following.
Exhibit 6.4-1
Interview Those charged with governance (if not involved in managing the entity) Enquire about > Environment in which the nancial report is prepared > Oversight of managements processes for identifying and responding to the risks of fraud or error in the entity and the internal control that management has established to mitigate these risks > Knowledge of any actual, suspected or alleged fraud affecting the entity > Considering attending a meeting of those charged with governance and reading the minutes of their past meetings.
Core concepts
95
Interview Management and those responsible for nancial reporting
Enquire about > Managements assessment of the risk that the nancial report may be materially misstated due to fraud or error, including the nature, extent and frequency of such assessments > Managements communication, if any, to employees regarding its views on business practices and ethical behaviour > The entitys culture (values and ethics) > Managements operating style > Management incentive plans > Potential for management override > Knowledge of fraud or suspected fraud > How estimates are prepared > The nancial report preparation and review process > Managements communication, if any, to those charged with governance.
Key employees (purchasing, payroll, accounting etc.)
> Business trends and unusual events > The initiating, processing or recording of complex or unusual transactions > The extent of management override (ie. have these employees ever been asked to override internal controls?) > The appropriateness/application of the accounting policies used.
Marketing or sales personnel
> Marketing strategies and sales trends > Sales performance incentives > Contractual arrangements with customers > The extent of management override (ie. have these employees ever been asked to override internal controls or revenue recognition accounting policies?).
Consider point
Do not conne your questions (especially in smaller audits) to the ownermanager and the accountant. Ask other employees (if any) in the entity (such as the sales manager, production manager or other employees) about trends, unusual events, major business risks, the functioning of internal control and any instances of management override. If a possible fraud involving senior management or those charged with governance is discovered, consult immediately with the engagement partner, and consider obtaining legal advice on how to proceed. The information should also be kept condential to ensure privacy and condentiality requirements are properly followed. Also check the code of ethics for any additional requirements and guidance.
PART A
96
6.5
Analytical procedures used as risk assessment procedures help identify matters that have nancial report and audit implications. Some examples are unusual transactions or events, amounts, ratios and trends. In addition to being a risk assessment procedure, analytical procedures can also be used as further audit procedures in: > Obtaining evidence about a nancial report assertion. This would be a substantive analytical procedure and is discussed in further detail in Part A, Chapter 8 of this Manual, and > Performing an overall review of the nancial report at, or near, the end of the audit. Most analytical procedures are not very detailed or complex. They often use data aggregated at a high level, which means the results can only provide a broad initial indication about whether a material misstatement may exist. The steps involved in performing analytical procedures are outlined in the exhibit following.
Exhibit 6.5-1
What to do Identify relationships within the data How to do it Develop expectations about plausible relationships among the various types of information that could reasonably be expected to exist. Where possible, seek to use independent sources of information (ie. not internally generated) sources of information. The nancial and non-nancial information could include: > The nancial report for comparable previous periods > Budgets, forecasts and extrapolations, including extrapolations from interim or annual data, and > Information regarding the industry in which the entity operates and current economic conditions.
Core concepts
97
What to do Compare Evaluate results
How to do it Compare expectations with recorded amounts or ratios developed from recorded amounts. Evaluate the results. Where unusual or unexpected relationships are found, consider potential risks of material misstatement.
The results of these analytical procedures should be considered along with other information gathered to: > Identify the risks of material misstatement related to assertions embodied in signicant nancial report items, and > Assist in designing the nature, timing and extent of further audit procedures. Note: Some smaller entities may not be able to provide the auditor with current nancial information, such as interim or monthly nancial information for performing analytical procedures. In these circumstances, some information may be obtained through enquiry, but detailed enquiries may need to wait until an early draft of the entitys nancial report is available.
6.6
Observation and inspection: > Support the enquiries made of management and others, and > Provide additional information about the entity and its environment. Observation and inspection procedures ordinarily include a procedure and an application, as outlined in the exhibit below.
PART A
98
Exhibit 6.6-1
Procedure Observation Potential application Consider observing: > How the entity operates and is organised > Entitys premises and plant facilities > Managements operating style and attitude toward internal control > Operation of various internal control procedures, and > Compliance with key policies. Inspection Consider inspecting documents such as: > Business plans, strategies and proposals > Industry studies and media reports on the entity > Major contracts and commitments > Regulations and correspondence with regulators > Correspondence with lawyers, bankers and other stakeholders > Accounting policies and records > Internal control manuals > Reports prepared by management (such as performance data and interim nancial reports), and > Other reports such as minutes from meetings of those charged with governance, reports from consultants, etc.
6.7
Design and implementation of internal controls
Risk assessment procedures also include the procedures involved in evaluating the design and implementation of relevant internal controls. These procedures are addressed in more detail in Part B, Chapter 26.
6.8
Other sources of information about risks
Other procedures performed by the auditor may be used for risk assessment purposes. Some typical examples are set out in the following exhibit.
Exhibit 6.8-1
Source Client acceptance or continuance Description Relevant information obtained from performing preliminary procedures.
Core concepts
99
Source Previous work
Description Relevant experience gained from previous engagements and other types of engagements performed for the entity. This could include: > Areas of concern in previous audits
> Changes in organisational structure, business processes and internal control systems, and > Past misstatements and whether they were corrected on a timely basis. External information > Enquiries of the entitys external legal counsel or valuation experts > Review of reports prepared by banks or rating agencies > Information on the industry and state of the economy obtained from internet searches, trade and economic journals and regulatory and nancial publications. Audit team discussions Results of team discussions (including the partner) about the susceptibility of the entitys nancial report to material misstatements, including fraud.
PART A
> Weaknesses in internal control
100
7.
Responding to assessed risks

Relevant ASAs
Chapter content Designing and implementing appropriate responses to assessed risks.
240, 300, 330, 500
Exhibit 7.0-1
Assessed risks
At financial report level At assertion level
Auditors response
Overall response
Examples include: > Professional scepticism > Level of staff assigned > Ongoing staff supervision > Evaluate accounting policies > Nature/extent/timing and unpredictability of planned procedures > Other further procedures
Further audit procedures
Substantive procedures
Tests of control
Tests of detail
Substantive analytical
Result
Sufficient appropriate audit evidence to reduce audit risk to an acceptably low level
Paragraph # 330.3 ASA objective(s) The objective of the auditor is to obtain sufcient appropriate audit evidence regarding the assessed risks of material misstatement through designing and implementing appropriate responses to those risks.
Paragraph # 300.9
Relevant extracts from ASAs The auditor shall develop an audit plan that shall include a description of: (a) The nature, timing and extent of planned risk assessment procedures, as determined under ASA 315. (b) The nature, timing and extent of planned further audit procedures at the assertion level, as determined under ASA 330. (c) Other planned audit procedures that are required to be carried out so that the engagement complies with the Australian Auditing Standards. (Ref: Para. A12)
Core concepts
101
Paragraph # 330.7
Relevant extracts from ASAs In designing the further audit procedures to be performed, the auditor shall: (a) Consider the reasons for the assessment given to the risk of material misstatement at the assertion level for each class of transactions, account balance and disclosure, including:
(ii)
Whether the risk assessment takes account of relevant controls (that is, the control risk), thereby requiring the auditor to obtain audit evidence to determine whether the controls are operating effectively (that is, the auditor intends to rely on the operating effectiveness of controls in determining the nature, timing and extent of substantive procedures); and (Ref: Para. A9-A18)
(b) Obtain more persuasive audit evidence the higher the auditors assessment of risk. (Ref: Para. A19) 500.6 The auditor shall design and perform audit procedures that are appropriate in the circumstances for the purpose of obtaining sufcient appropriate audit evidence. (Ref: Para. A1-A25)
7.1
Overview
Risk assessment procedures (see Part A, Chapter 6) are designed to identify and assess risks at both the nancial report level and the assertion level for material classes of transactions, account balances and disclosures. Further audit procedures (see Part A, Chapter 8) are designed to be responsive to the assessed risks of material misstatement at the assertion level. Their purpose is to obtain sufcient appropriate audit evidence to reduce audit risk to an acceptably low level. The three main categories of audit procedures are illustrated below.
Exhibit 7.1-1
Overall responses
Evidence to support assessed risks
Evidence that will reduce audit risk to acceptably low level
To address assessed RMM at the F/R level
RMM = Risks of material misstatement F/R = Financial reports
PART A
(i)
The likelihood of material misstatement due to the particular characteristics of the relevant class of transactions, account balance or disclosure (that is, the inherent risk); and
102
Assessed risks at the nancial report level are pervasive in nature and require overall audit responses such as determining the experience of those assigned to perform the work, the level of supervision required and any required modication to the nature and extent of planned audit procedures. Assessed risks at the assertion level relate to particular account balances, classes of transactions and disclosures. The response is to perform further audit procedures such as tests of details, tests of controls and substantive analytical procedures The design of further audit procedures will be affected by: > Results of performing risk assessment procedures and the resulting assessments of risk at the assertion level, and > Overall responses developed by the auditor in relation to the assessed risks of material misstatement at the nancial report level.
7.2
330.5
Overall responses to risks at the nancial report level

Relevant extracts from ASAs The auditor shall design and implement overall responses to address the assessed risks of material misstatement at the nancial report level. (Ref: Para. A1-A3)
Paragraph #
Risks of material misstatement at the nancial report level refer to risks that relate pervasively to the nancial report as a whole and potentially affect many assertions. As a result these risks (such as management having a poor attitude toward control) can contribute indirectly to material misstatements at the assertion level. For example, if the entitys accountant is not competent, many opportunities may arise for error or fraud in multiple nancial report balances, classes of transactions or disclosures. Consequently, risks at the nancial report level cannot often be addressed by performing specic audit procedures but require an overall response. ASAs 240 and 330 outline some possible overall responses to risks identied at the nancial report level. Some examples are set out below.
Exhibit 7.2-1
Possible overall responses to assessed risks at the nancial report level Engagement management Emphasise to the audit team the need to maintain professional scepticism. Assign more experienced staff or those with special skills such as forensic, valuation and IT specialists. Provide more ongoing supervision to staff as they perform the work.
Core concepts
103
Possible overall responses to assessed risks at the nancial report level Incorporate unpredictability in selection of further audit procedures Incorporate an element of unpredictability in the selection of the nature, timing and extent of further audit procedures to be performed. This is particularly important when addressing fraud risks because individuals within the entity may be familiar with audit procedures normally performed and therefore more able to conceal fraudulent nancial reporting. Unpredictability can be achieved by: > Performing substantive procedures on selected account balances and assertions not otherwise tested due to their materiality or risk > Adjusting the timing of audit procedures from that otherwise expected > Using different sampling methods, and > Performing audit procedures at different locations or at locations on an unannounced basis (such as inventory counts). Revise the planned audit procedures Make changes to the nature, timing or extent of audit procedures. For example: > Perform substantive procedures at the period end instead of at an interim date > Perform a physical observation or inspection of certain assets > Perform further review of inventory records to identify unusual items, unexpected amounts and other items for follow-up procedures > Perform further work to evaluate the reasonableness of management estimates and the underlying judgements and assumptions > Increase sample sizes or perform analytical procedures at a more detailed level > Use computer-assisted audit techniques (CAATs) to: Gather more evidence about data contained in signicant accounts or electronic transaction les Perform more extensive testing of electronic transactions and account les Select sample transactions from key electronic les Sort transactions with specic characteristics, and Test an entire population instead of a sample. > Request additional information in external conrmations. For example, on a receivables conrmation, the auditor could ask for conrmation on the details of sales agreements, including date, any rights of return and delivery terms, and > Modify the nature and extent of audit procedures to obtain more substantive audit evidence.
PART A
104
Possible overall responses to assessed risks at the nancial report level Changes in the audit approach Consider the understanding obtained of the control environment. If the control environment is effective the auditor may have more condence in internal control and the reliability of audit evidence generated internally within the entity. This could mean: > More audit work conducted at an interim date rather than at the period end, and > An approach that uses tests of controls as well as substantive procedures (combined approach). If the control environment is ineffective it could result in: > Conducting more audit procedures as of the period end rather than at an interim date > Obtaining more extensive audit evidence from substantive procedures, and > Increasing the number of locations to be included in the audit scope. Review accounting policies being used Evaluate whether the selection and application of accounting policies by the entity, particularly those related to subjective measurements and complex transactions, may be indicative of fraudulent nancial reporting resulting from managements effort to manage earnings.
Consider point
Timing Overall responses can be developed at the planning stage and then incorporated into the overall audit strategy. In new engagements the overall responses can be developed on a preliminary basis during planning and later conrmed or changed based on the results of the risk assessment. Documentation Establishing the overall audit response and audit strategy in a small entity need not be a complex or time-consuming exercise. In some cases both steps could be completed by preparing a brief memorandum at the completion of the previous audit (assuming it covers all the required matters) which can be updated later based on discussions with management.
Core concepts
105
Management override
Paragraph # 240.32 Relevant extracts from ASAs Irrespective of the auditors assessment of the risks of management override of controls, the auditor shall design and perform audit procedures to: (a) Test the appropriateness of journal entries recorded in the general ledger and other adjustments made in the preparation of the nancial report. In designing and performing audit procedures for such tests, the auditor shall: (i) Make enquiries of individuals involved in the nancial reporting process about inappropriate or unusual activity relating to the processing of journal entries and other adjustments; Select journal entries and other adjustments made at the end of a reporting period; and
(ii)
(iii) Consider the need to test journal entries and other adjustments throughout the period. (Ref: Para. A41-A44) (b) Review accounting estimates for biases and evaluate whether the circumstances producing the bias, if any, represent a risk of material misstatement due to fraud. In performing this review, the auditor shall: (i) Evaluate whether the judgements and decisions made by management in making the accounting estimates included in the nancial report, even if they are individually reasonable, indicate a possible bias on the part of the entitys management that may represent a risk of material misstatement due to fraud. If so, the auditor shall re-evaluate the accounting estimates taken as a whole; and Perform a retrospective review of management judgements and assumptions related to signicant accounting estimates reected in the nancial report of the prior year. (Ref: Para. A45-A47)
(ii)
(c) For signicant transactions that are outside the normal course of business for the entity, or that otherwise appear to be unusual given the auditors understanding of the entity and its environment and other information obtained during the audit, the auditor shall evaluate whether the business rationale (or the lack thereof) of the transactions suggests that they may have been entered into to engage in fraudulent nancial reporting or to conceal misappropriation of assets. (Ref: Para. A48) 240.26 When identifying and assessing the risks of material misstatement due to fraud, the auditor shall, based on a presumption that there are risks of fraud in revenue recognition, evaluate which types of revenue, revenue transactions or assertions give rise to such risks. Paragraph 47 of this Auditing Standard species the documentation required where the auditor concludes that the presumption is not applicable in the circumstances of the engagement and, accordingly, has not identied revenue recognition as a risk of material misstatement due to fraud. (Ref: Para. A28-A30) The auditor shall determine whether, in order to respond to the identied risks of management override of controls, the auditor needs to perform other audit procedures in addition to those specically referred to above (that is, where there are specic additional risks of management override that are not covered as part of the procedures performed to address the requirements in paragraph 32 of this Auditing Standard).
240.33
PART A
106
Management override and fraudulent revenue recognition are presumed to be signicant risks (see Part B, Chapter 25) and are addressed as such. As a result, there are certain audit procedures that would be performed in every audit. These are outlined in the ASA extracts quoted above. Some additional comments are included in the following exhibit.
Exhibit 7.2-2
Procedures to address management override Journal entries Identify, select and test journal entries and other adjustments based on: > An understanding of the entitys nancial reporting process and design/implementation of internal control, andConsideration of the: Characteristics of fraudulent journal entries or other adjustments Presence of fraud risk factors that relate to specic classes of journal entries and other adjustments, and Enquiries of individuals involved in the nancial reporting process about inappropriate or unusual activity. Estimates Review estimates relating to specic transactions and balances to identify possible biases on the part of management. Further procedures could include: > Reconsidering the estimates taken as a whole > Performing a retrospective review of managements judgements and assumptions related to signicant accounting estimates made in the prior period, and > Determining whether the cumulative effect amounts to a material misstatement in the nancial report. Signicant transactions Obtain an understanding of the business rationale for signicant transactions that are unusual or outside the normal course of business. This includes an assessment as to whether: > Management is placing more emphasis on the need for a particular accounting treatment than on the underlying economics of the transaction > The arrangements surrounding such transactions are overly complex > Management has discussed the nature of, and accounting for, such transactions with those charged with governance > The transactions involve previously unidentied related parties or parties that do not have the substance or the nancial strength to support the transaction without assistance from the entity under audit > Transactions that involve non-consolidated related parties, including special purpose entities, have been properly reviewed and approved by those charged with governance, and > There is adequate documentation.
Core concepts
107
Procedures to address management override Revenue recognition Perform substantive analytical procedures. Consider computerassisted audit techniques to identify unusual or unexpected revenue relationships or transactions. Conrm with customers relevant contract terms (acceptance criteria, delivery and payment terms) and the absence of side agreements (right to return the product, guaranteed resale amounts etc.).
7.3
330.6
Response to assessed risks at the assertion level

Relevant extracts from ASAs The auditor shall design and perform further audit procedures whose nature, timing and extent are based on and are responsive to the assessed risks of material misstatement at the assertion level. (Ref: Para. A4-A8)
Paragraph #
The auditors assessment of identied risks at the assertion level provides the starting point for: > Considering the appropriate audit approach, and > Designing and performing further audit procedures. Refer to Part A, Chapter 8 for a detailed description of further audit procedures.
An appropriate audit approach

The audit approach for designing and performing further audit procedures will be based on the assessment of the identied risks at both the nancial report level and the assertion level. Because assessed risks will differ between the material classes of transactions, account balances and disclosures, the most effective audit approach will vary. For example, it might be appropriate to test controls over sales completeness and use substantive procedures for the other assertions. For payables, a substantive approach could be applicable for all assertions. The key is to develop audit procedures that respond appropriately to the risks identied. The following exhibit outlines some of the considerations in developing the appropriate audit approach for an account balance or class of transactions.
PART A
108
Exhibit 7.3-1
Would substantive tests alone provide sufficient appropriate audit evidence at the assertion level? No Yes W Would it be more ef efficient to obtain the audit evidence through tests of controls (su (such as reducing the extent of substantive procedures)?
Tests of controls s
Yes
No
Note: In smaller entities reliable control activities may not exist or may be very limited. In these cases, a primarily substantive approach may be the only alternative.
Designing and performing further audit procedures

The nature, timing and extent of further audit procedures are based on, and are responsive to, the assessed risks of material misstatement at the assertion level. This provides a clear linkage between the auditors further audit procedures and the risk assessment. The rst step is to review the information obtained to date that will form the basis for the design of further audit procedures. This would include: > The nature and the reasoning for the assessed risks (such as business and fraud risks) at both the nancial report and assertion levels > The account balances, classes of transactions or disclosures that are material to the nancial report > The need (if any) to perform tests of controls. This would occur where substantive procedures alone cannot provide sufcient appropriate audit evidence at the assertion level > The auditors understanding of the control environment and control activities. In particular, have any relevant internal controls been identied that, if tested, would provide an effective response to the assessed risks of material misstatement for a particular assertion? And > The nature and extent of specic audit procedures that may be required by certain ASAs or by local rules and regulations.
Core concepts
109
Based on the information above, the auditor can design the nature and extent of the procedures to be performed. Some design considerations are addressed below.
Exhibit 7.3-2
Consider Nature of the assertion being addressed Impact on audit procedure design What is the most appropriate audit procedure to address the particular assertion? Consider: > Effectiveness Evidence for completeness of sales may best be obtained through a test of controls, whereas evidence to support the valuation of inventory will probably be obtained with substantive procedures, and > Reliability of evidence obtained Provide more reliable evidence for an assertion. A conrmation of receivables to determine existence may provide better evidence than simply examining invoices or performing some analytical procedures. Reasons for the assessed risk What are the underlying reasons for the risk assessments? This will include consideration of the characteristics of the nancial report area, the identied and assessed inherent risks and relevant internal controls. If the assessed risk appears to be low as a result of relevant internal controls having been designed and implemented, tests of controls could be considered to conrm the assessed risk and possibly to reduce the extent of substantive procedures that would otherwise be required. Is more reliable and relevant audit evidence required for some assessed risks? The scope of existing procedures may need to be expanded or some different types of audit procedures may need to be combined to provide the assurance necessary. For example, to ensure the existence of a high value inventory item, a physical inspection may be performed in addition to examining the supporting documents. Sources of information used Do the planned audit procedures rely on non-nancial information produced by the entitys information system? If so, evidence should be obtained about its accuracy and completeness. For example, in a high-rise apartment, the number of rental units multiplied by the monthly rent may be used to compare with total revenues. If so, it would be important to ensure that the number of rental units is factual and that the monthly rents agree to the signed lease contracts.
Assessed level of risk
PART A
110
Consider Potential for dual purpose tests
Impact on audit procedure design Would it be efcient to perform a test of controls concurrently with a test of details on the same transaction? For example, if an invoice was being examined for evidence of approval (tests of controls), it could also be examined at the same time to substantiate other aspects of the transaction (tests of details).
Use of assertions in selecting the population to be tested

When designing a procedure, the auditor would carefully consider the nature of the assertion for which evidence is being obtained. This will determine the type of evidence to be examined, the nature of the procedure and the population from which to select the sample. For example, evidence for the existence assertion would be obtained by selecting items that are already contained in a nancial report amount. Selecting receivable balances for conrmation will provide evidence that the receivable balance exists. However, selecting items that are already contained in a nancial report amount would not provide any evidence with respect to the completeness assertion. For completeness, items would be selected from evidence indicating that an item should be included in the relevant nancial report amount. To determine whether the sales are complete (that is, no unrecorded sales), the selection of shipping orders and matching them to sales invoices would (subject to the completeness of the shipping orders) provide evidence for omitted sales.
Timing of procedures
Timing refers to when audit procedures are performed or the period or date to which the audit evidence applies.
Before or at the period end?

In most instances (particularly with small entities), audit procedures will be carried out at the period end and later. In addition, the higher the risks of material misstatement, the more likely it would be for substantive procedures to be performed nearer to, or after, the period end. In some situations, there can be some advantages to performing audit procedures before the period end. For example: > Helping to identify signicant matters at an early stage. This provides time for the issues to be addressed and further audit procedures to be performed > Balancing the audit rms workload by shifting some busy season procedures to a period when there is more time
Core concepts
111
> Balancing the clients workload by reducing the time required after the period end to answer audit enquiries and provide requested evidence and schedules, and > Performing procedures unannounced or at unpredictable times.
PART A
The following exhibit outlines the factors to consider when determining whether to perform procedures at an interim date.
Exhibit 7.3-3
Factors to consider Audit procedures performed before the period end How good is the overall control environment? Counting inventory at an interim date and then updating the count for movements (in and out) is unlikely to be enough if the control environment is poor. How good are the specic controls over the account balance or class of transactions being considered? Is the required evidence available to perform the test? Electronic les may subsequently be overwritten or procedures to be observed may occur only at certain times. Would a procedure before the period end address the nature and substance of the risk involved? Would the interim procedure address the period or date to which the audit evidence relates? How much additional evidence will be required for the remaining period between the date of procedure and the period end?
Part A, Chapter 8.5 provides further information on the timing of tests of controls. After period end Certain audit procedures can be performed only at, or after, the period end. This would include cut-off procedures (where there is minimal reliance on internal control), period-end adjustments and subsequent events.
112
8.

Relevant ASAs
Chapter content The characteristics and use of further audit procedures.
330, 505, 520
Exhibit 8.0-1
Tests of control
Tests of detail
Paragraph # 330.4
Relevant extracts from ASAs For purposes of the Australian Auditing Standards, the following terms have the meanings attributed below: (a) Substantive procedure means an audit procedure designed to detect material misstatements at the assertion level. Substantive procedures comprise: (i) (ii) Tests of details (of classes of transactions, account balances, and disclosures); and Substantive analytical procedures.
(b) Test of controls means an audit procedure designed to evaluate the operating effectiveness of controls in preventing, or detecting and correcting, material misstatements at the assertion level.
8.1
Overview
This chapter outlines the characteristics and use of further audit procedures designed in response to assessed risks at the assertion level. See toolkit item 608: Worksheet Further audit procedures.
Core concepts
113
Substantive procedures are performed by the auditor to: > Gather evidence regarding the underlying assertions (C, E, AC, V) that are embedded in the account balances and underlying classes of transactions, and > Detect material misstatements. Typical substantive procedures include selection of an account balance or a representative sample of transactions to: > Recalculate recorded amounts for accuracy > Conrm existence of balances (receivables, bank accounts, investments, etc.) > Ensure transactions are recorded in the right period (cut-off tests) > Compare amounts between periods or with expectations (analytical procedures) > Inspect supporting documentation (such as invoices or sales contracts) > Observe physical existence of recorded assets (inventory counts), and > Review the adequacy of allowances made for loss of value (doubtful accounts and obsolete inventory).
PART A
Tests of control
Tests of controls are performed by the auditor to gather evidence as to the operational effectiveness of internal control procedures that: > Address specic assertions where reliance on controls is planned, and > Prevent or detect/correct material errors or fraud from occurring. Typical tests of controls include the selection of a representative sample of transactions or supporting documentation to: > Observe the operation of an internal control procedure being performed > Inspect evidence that the control procedure was performed > Enquire about how and when the procedure was performed, and > Re-perform the operation of the control procedure (such as where the information system is computerised). Evidence on control operation may also be gathered using computer assisted audit techniques (CAATs).
114
8.2
330.18
Relevant extracts from ASAs Irrespective of the assessed risks of material misstatement, the auditor shall design and perform substantive procedures for each material class of transactions, account balance and disclosure. (Ref: Para. A42-A47) The auditor shall consider whether external conrmation procedures are to be performed as substantive audit procedures. (Ref: Para. A48-A51) The auditors substantive procedures shall include the following audit procedures related to the nancial report closing process: (a) Agreeing or reconciling the nancial report with the underlying accounting records; and (b) Examining material journal entries and other adjustments made during the course of preparing the nancial report. (Ref: Para. A52)
Paragraph #
330.19
330.20
330.21
If the auditor has determined that an assessed risk of material misstatement at the assertion level is a signicant risk, the auditor shall perform substantive procedures that are specically responsive to that risk. When the approach to a signicant risk consists only of substantive procedures, those procedures shall include tests of details. (Ref: Para. A53) Where the auditor plans to use audit evidence from the performance of substantive procedures in a prior audit, the auditor shall perform audit procedures during the current period to establish the continuing relevance of the audit evidence. (Ref: Para. A54) If substantive procedures are performed at an interim date, the auditor shall cover the remaining period by performing: (a) Substantive procedures, combined with tests of controls for the intervening period; or (b) If the auditor determines that it is sufcient, further substantive procedures only that provide a reasonable basis for extending the audit conclusions from the interim date to the period end. (Ref: Para. A54-A57)
330 Aus 21.1
330.22
330.23
If misstatements that the auditor did not expect when assessing the risks of material misstatement are detected at an interim date, the auditor shall evaluate whether the related assessment of risk and the planned nature, timing, or extent of substantive procedures covering the remaining period need to be modied. (Ref: Para. A58)
Substantive procedures are designed by the auditor to detect material misstatements at the assertion level. There are two types of substantive procedures, as set out below.
Core concepts
115
Exhibit 8.2-1
Procedure Tests of details Description Procedures designed to gather evidence that will substantiate a nancial report amount. They are used to obtain audit evidence regarding assertions such as existence, accuracy and valuation. Procedures designed to substantiate a nancial report amount by using predictable relationships among both nancial and non-nancial data. They are mostly applicable to large volumes of transactions that tend to be predictable over time.
Tests of details
When designing substantive procedures to respond to assessed risks, the auditor would consider a number of matters, as set out below.
Exhibit 8.2-2
Address Each material account balance, class of transactions and disclosure Required audit procedures Description This is required irrespective of the assessed risks of material misstatement.
This would include any specic procedures necessary to comply with Australian Auditing Standards and any local requirements. A summary of some such procedures is contained in Part A, Chapters 9 to 13. Required procedures include: > Examining material journal entries and other adjustments made during the course of preparing the nancial report, and > Addressing management override (see Part A, Chapter 7.2) > Agreeing the nancial report to the underlying accounting records.
Need for external conrmation procedures
Consider the need to obtain external conrmations to address assertions associated with account balances and their elements (bank balances, investments, receivables etc.) or other matters such as: > Terms of agreements and contracts > Transactions between an entity and other parties, and > Evidence about the absence of certain conditions (such as no side agreement exists on a sales contract). Also see the discussion on external conrmations below.
Signicant risks
Design and perform substantive procedures (tests of detail) that are specically responsive to the identied risks and provide the high level of audit assurance required.
PART A
Substantive analytical procedures
116
Address Timing
Description If procedures are performed before the period end, the remaining period needs to be addressed by performing substantive procedures, combined with tests of controls or further substantive procedures that provide a reasonable basis for extending the audit conclusions from the interim date to the period end. If unexpected misstatements are identied at the interim date, modication to the planned remaining procedures needs to be considered.
In determining what substantive procedures are most responsive to the assessed risks, the auditor may perform: > Only tests of details, or > Where there is not a signicant risk of material misstatement, only substantive analytical procedures, or > A combination of tests of details and substantive analytical procedures. When substantive analytical procedures are performed, the auditor is required to establish the reliability of data from which the auditors expectation of recorded amounts or ratios was developed (such as non-nancial data).
Performing substantive procedures at an interim date

When substantive procedures are performed at an interim date, the auditor should perform further substantive procedures or substantive procedures combined with tests of controls to cover the remaining period. This provides a reasonable basis for extending the audit conclusions from the interim date to the period end and reduces the risk that misstatements existing at the period end are not detected. However, if substantive procedures alone would not be sufcient, tests of the relevant controls should also be performed.
Procedures to address the period between the interim date and period end
When procedures are performed at an interim date: > Compare information at the period end with comparable information at the interim date > Identify amounts that appear unusual. These amounts should be investigated by performing further substantive analytical procedures or tests of details for the intervening period > When substantive analytical procedures are planned, consider whether the period-end balances of the particular classes of transactions or account balances are reasonably predictable with respect to amount, relative signicance and composition, and
Core concepts
117
> Consider the entitys procedures for analysing and adjusting the classes of transactions or account balances at interim dates and for establishing proper accounting cut-offs. The substantive procedures related to the remaining period depend on whether the auditor has performed tests of controls.
Use of substantive procedures performed in prior periods

The use of audit evidence obtained from substantive procedures performed in prior periods may be useful in audit planning but (unless there is ongoing relevance to the current year such as the cost price of non-current assets or details of contracts) it usually provides little or no audit evidence for the current period.
8.3
505.5
External conrmations
ASA objective(s) The objective of the auditor, when using external conrmation procedures, is to design and perform such procedures to obtain relevant and reliable audit evidence. Relevant extracts from ASAs When using external conrmation procedures, the auditor shall maintain control over external conrmation requests, including: (a) Determining the information to be conrmed or requested; (Ref: Para. A1) (b) Selecting the appropriate conrming party; (Ref: Para. A2) (c) Designing the conrmation requests, including determining that requests are properly addressed and contain return information for responses to be sent directly to the auditor; and (Ref: Para. A3-A6) (d) Sending the requests, including follow-up requests when applicable, to the conrming party. (Ref: Para. A7)
Paragraph #
Paragraph # 505.7
505.8
If management refuses to allow the auditor to send a conrmation request, the auditor shall: (a) Enquire as to managements reasons for the refusal, and seek audit evidence as to their validity and reasonableness; (Ref: Para. A8) (b) Evaluate the implications of managements refusal on the auditors assessment of the relevant risks of material misstatement, including the risk of fraud, and on the nature, timing and extent of other audit procedures; and (Ref: Para. A9) (c) Perform alternative audit procedures designed to obtain relevant and reliable audit evidence. (Ref: Para. A10)
PART A
118
Paragraph # 505.9
Relevant extracts from ASAs If the auditor concludes that managements refusal to allow the auditor to send a conrmation request is unreasonable, or the auditor is unable to obtain relevant and reliable audit evidence from alternative audit procedures, the auditor shall communicate with those charged with governance in accordance with ASA 260. The auditor also shall determine the implications for the audit and the auditors opinion in accordance with ASA 705. If the auditor identies factors that give rise to doubts about the reliability of the response to a conrmation request, the auditor shall obtain further audit evidence to resolve those doubts. (Ref: Para. A11-A16) If the auditor determines that a response to a conrmation request is not reliable, the auditor shall evaluate the implications on the assessment of the relevant risks of material misstatement, including the risk of fraud, and on the related nature, timing and extent of other audit procedures. (Ref: Para. A17) In the case of each non-response, the auditor shall perform alternative audit procedures to obtain relevant and reliable audit evidence. (Ref: Para. A18-A19) If the auditor has determined that a response to a positive conrmation request is necessary to obtain sufcient appropriate audit evidence, alternative audit procedures will not provide the audit evidence the auditor requires. If the auditor does not obtain such conrmation, the auditor shall determine the implications for the audit and the auditors opinion in accordance with ASA 705. (Ref: Para. A20) The auditor shall investigate exceptions to determine whether or not they are indicative of misstatements. (Ref: Para. A21-A22) Negative conrmations provide less persuasive audit evidence than positive conrmations. Accordingly, the auditor shall not use negative conrmation requests as the sole substantive audit procedure to address an assessed risk of material misstatement at the assertion level unless all of the following are present: (Ref: Para. A23) (a) The auditor has assessed the risk of material misstatement as low and has obtained sufcient appropriate audit evidence regarding the operating effectiveness of controls relevant to the assertion; (b) The population of items subject to negative conrmation procedures comprises a large number of small, homogeneous, account balances, transactions or conditions; (c) A very low exception rate is expected; and (d) The auditor is not aware of circumstances or conditions that would cause recipients of negative conrmation requests to disregard such requests.
505.10
505.11
505.12 505.13
505.14 505.15
505.16
The auditor shall evaluate whether the results of the external conrmation procedures provide relevant and reliable audit evidence, or whether further audit evidence is necessary. (Ref: Para. A24-A25)
External conrmations are frequently used in relation to account balances (typically assets) and their components, but need not be restricted to these items.
Core concepts
119
Typical situations where external conrmation procedures provide relevant audit evidence include: > Bank balances and other information relevant to banking relationships > Accounts receivable balances and terms > Inventories held by third parties at bonded warehouses for processing or on consignment > Property title deeds held by lawyers or nanciers for safe custody or as security > Investments held for safekeeping by third parties, or purchased from stockbrokers but not delivered at the balance sheet date > Amounts due to lenders, including relevant terms of repayment and restrictive covenants, and > Accounts payable balances and terms. Matters the auditor would consider are set out below.
Exhibit 8.3-1
Address Dual purpose tests Conrming partys knowledge of the subject matter Ability/willingness of conrming party to respond Description Is there an opportunity to obtain audit evidence about other important matters at the same time (such as terms of a contract etc.)? Responses will be more reliable if provided by a person knowledgeable in the subject matter. Consider the reliability of the evidence obtained if there is possibility of the conrming party: > Not accepting responsibility > Viewing a response as too costly or time consuming > Having concerns about potential legal liability > Accounting for transactions in different currencies, or > Not treating the conrmation requests as signicant.
PART A
External conrmations are often used to provide audit evidence about completeness of a liability and existence of an asset. They can also provide evidence on whether the amount has been accurately recorded in the accounting records (accuracy) and in the appropriate period (cut-off). Conrmations are less relevant in addressing valuation issues such as the recoverability of accounts receivable or the obsolescence of inventory being held.
120
Address Objectivity of the conrming party
Description Consider the reliability of the evidence obtained if the conrming party is a related party. In such situations, consider: > Conrming additional details about the subject matter such as terms of sales agreements, including dates, any rights of return and delivery terms, and > Supplementing the conrmation with enquiries of non-nancial personnel regarding the subject matter such as changes in sales agreements and delivery terms.
Audit evidence is generally considered more reliable when it is obtained from independent sources outside the entity. For this reason, written responses to conrmation requests received directly from unrelated third parties may assist in reducing the risk of material misstatement for the related assertions to an acceptably low level. The conrmation requirements can be summarised as set out below.
Exhibit 8.3-2
Address Maintain control over conrmation process Description This includes: > Considering the information to be conrmed or requested > Selecting the appropriate conrming party > Evaluating reasons for any refusal by management to allow sending of conrmations. This includes consideration of the implications on assessed risks, the possibility of fraud and what further audit procedures will now be required > Designing the conrmation requests > Determining that requests are properly addressed and contain return information for responses to be sent directly to the auditor, and > Sending the requests, including follow-up requests, when applicable, to the conrming party. Are responses reliable? If factors give rise to doubts about the reliability of the response: > Obtain further audit evidence to resolve or conrm doubts > Consider fraud and other impacts on assessed risks, and > Investigate exceptions to determine if these are indicative of misstatements. When no response is received Evaluate overall results Perform alternative audit procedures (if possible) to obtain relevant and reliable audit evidence. Did the results of the external conrmation procedures provide the relevant and reliable audit evidence required?
See toolkit item 630: Worksheet Summary of external conrmations.
Core concepts
121
8.4
520.5

Relevant extracts from ASAs When designing and performing substantive analytical procedures, either alone or in combination with tests of details, as substantive procedures in accordance with ASA 330, the auditor shall: (Ref: Para. A4-A5) (a) Determine the suitability of particular substantive analytical procedures for given assertions, taking account of the assessed risks of material misstatement and tests of details, if any, for these assertions; (Ref: Para. A6-A11) (b) Evaluate the reliability of data from which the auditors expectation of recorded amounts or ratios is developed, taking account of source, comparability, and nature and relevance of information available, and controls over preparation; (Ref: Para. A12-A14) (c) Develop an expectation of recorded amounts or ratios and evaluate whether the expectation is sufciently precise to identify a misstatement that, individually or when aggregated with other misstatements, may cause the nancial report to be materially misstated; and (Ref: Para. A15) (d) Determine the amount of any difference of recorded amounts from expected values that is acceptable without further investigation as required by paragraph 7 of this Auditing Standard. (Ref: Para. A16)
Paragraph #
Substantive analytical procedures involve a comparison of amounts or relationships in the nancial report with an expectation developed from information obtained from understanding the entity and other audit evidence. If the inherent risks are low for a class of transactions, substantive analytical procedures alone may provide sufcient appropriate audit evidence. However, if the assessed risk is low because of related internal controls, the auditor would also perform tests of those controls. Consequently for signicant risks identied, analytical procedures would always be used in combination with other substantive tests or tests of control. To use an analytical procedure as a substantive procedure, the auditor should design the procedure to reduce the risk of not detecting a material misstatement in the relevant assertion to an acceptably low level. This means that the expectation of what the recorded amount should be is precise enough to indicate the possibility of a material misstatement, either individually or in the aggregate. See toolkit item 524: Worksheet Analytical procedures. Consider point
For audit planning purposes, substantive analytical procedures may be grouped into three distinct levels based on the level of assurance obtained. These are described below.
PART A
122
Exhibit 8.4-1
Impact on reducing audit risk Highly effective (low level of risk that the recorded amount is misstated) Moderately effective Limited Description Procedure is intended to be the primary source of evidence regarding a nancial report assertion. It effectively proves the recorded amount. However, if the risk involved is signicant, it would be supplemented by other relevant procedures. Procedure is only intended to corroborate evidence obtained from other procedures. A moderate level of assurance is obtained. Basic procedures, such as comparing an amount in the current period to a previous period, are useful but only provide a limited level of assurance.
Techniques
There are a number of possible techniques that can be used to perform the analytical procedures. The objective is to select the most appropriate technique to provide the intended levels of assurance and precision. Techniques include: > Ratio analysis > Trend analysis > Break-even analysis > Pattern analysis, and > Regression analysis. Each technique has its particular strengths and weaknesses that the auditor needs to consider when designing the analytical procedures. A complex technique such as regression analysis may provide statistically reliable conclusions about a recorded amount. However, a simple technique such as multiplying the number of apartments by the approved rental rates (per leases) and adjusting the result for actual vacancies may provide a reliable and precise estimate of the rental revenue.
Core concepts
123
Exhibit 8.4-2
Factors to consider Designing substantive analytical procedures Suitability given the nature of the assertions. Reliability of the data (internal or external) from which the expectation of recorded amounts or ratios is developed. This will require tests on the accuracy, existence and completeness of the underlying information such as tests of controls or performing other specic audit procedures, possibly including the use of computer-assisted audit techniques (CAATs). Whether the expectation is sufciently precise to identify a material misstatement at the desired level of assurance. Amount of any difference in recorded amounts from expected values that would be acceptable. Questions to address Establishing meaningful relationships between information Are the relationships developed from a stable environment? > Reliable and precise expectations may not be possible in a dynamic or unstable environment. Are the relationships considered at a detailed level? > Disaggregation of amounts can provide more reliable and precise expectations than an aggregated level. Are there offsetting factors or complexity among highly summarised components that could obscure a material misstatement? Do the relationships involve items subject to management discretion? > If so, they may provide less reliable or less precise expectations.
The degree of reliability of data used to develop expectations needs to be consistent with the levels of assurance and precision intended to be derived from the analytical procedure. Other substantive procedures may also be required to determine whether the underlying data is sufciently reliable. Tests of controls may also be considered to address other assertions such as the datas completeness, existence and accuracy. Internal control over non-nancial information can often be tested in conjunction with other tests of controls.
PART A
124
Exhibit 8.4-3
Questions to address Is the data sufciently reliable for achieving the audit objective? Is the data obtained from sources within the entity or from independent sources outside the entity? > The reliability of audit evidence is increased (with some exceptions) when it is obtained from independent sources outside the entity. Is data from sources within the entity developed by persons not directly responsible for its accuracy? > If so, consider further procedures to check accuracy. Was the data developed under a reliable system with adequate internal control? Is broad industry data available for comparison with the entitys data? Was the data subject to audit testing in the current or prior periods? Were the auditors expectations regarding recorded amounts developed from a variety of sources?
To avoid unwarranted reliance on a source of data used, the auditor would perform substantive tests of the underlying data to determine whether it is sufciently reliable, or test whether internal controls over the datas completeness, existence and accuracy are operating effectively. In some cases, non-nancial data (for example, quantities and types of items produced) will be used in performing analytical procedures. Accordingly, the auditor needs an appropriate basis for determining whether the non-nancial data is sufciently reliable for the purposes of performing the analytical procedures.
Differences from expectations

When differences are identied between recorded amounts and the auditors expectations, the auditor would consider the level of assurance that the procedures are intended to provide and the auditors performance materiality. The amount of the acceptable difference without investigation would, in any event, need to be less than performance materiality. Procedures used for the investigation could include: > Reconsidering the methods and factors used in forming the expectation > Making enquiries of management regarding the causes of differences from the auditors expectations and assessing managements responses, taking into account the auditors understanding of the business obtained during the course of the audit, and > Performing other audit procedures to corroborate managements explanations.
Core concepts
125
As a result of this investigation, the auditor may conclude that: > Differences between the auditors expectations and recorded amounts do not represent misstatements, or > Differences may represent misstatements and further audit procedures need to be performed to obtain sufcient appropriate audit evidence as to whether a material misstatement does or does not exist.
Examples of effective substantive analytical procedures Exhibit 8.4-4

Financial report amount Sales Amortisation expenses Overhead element of inventory Payroll expense Commission expense Payroll accruals Relationship and procedure Selling price applied to the quantities shipped. Amortisation rate applied to capital asset balances, allowing for effect of additions and disposals. Relating actual overheads to actual direct labour or production volumes. Pay rates applied to number of employees. Commission rate applied to sales. Daily payroll applied to number of days accrued.
Other analytical procedures

Analysis can take the form of: > Detailed comparisons of current nancial report or nancial data with that of prior periods or with current operating budgets An increase in accounts receivable with no corresponding increase in sales could indicate that a problem exists in the collectability of accounts receivable. An increase in the number of employees in a professional organisation would lead the auditor to expect an increase in salary expense and a corresponding increase in professional fee revenue. > Comparative data on the various types of products sold or types of customers This could help explain month-to-month or period-to-period uctuations in sales. > Ratio analysis Ratios can provide support for the current nancial report (eg. comparable to industry norms or prior periods results) or raise points for discussion. Certain institutions, such as banks and trade associations, produce nancial statistics on an industry-wide basis. Such statistics can be useful
PART A
126
when compared to those of an entitys operation and enquiries made where differences from industry trends occur. > Graphs Finally, consider the use of graphs to portray the results of procedures. Graphs visually highlight signicant differences from month-to-month or period-to-period.
Use of analytical procedures in forming an opinion

Paragraph # 520.6 Relevant extracts from ASAs The auditor shall design and perform analytical procedures near the end of the audit that assist the auditor when forming an overall conclusion as to whether the nancial report is consistent with the auditors understanding of the entity. (Ref: Para. A17-A19)
Upon substantial completion of the audit, the auditor is required to use analytical procedures to assist in evaluating the overall nancial report presentation. The purpose of using analytical procedures at or near the end of the audit is to determine whether the nancial report as a whole is consistent with the auditors understanding of the entity. These procedures would address questions such as: > Do the conclusions drawn from such procedures corroborate the conclusions formed during the audit of individual components or elements of the nancial report? Analytical procedures may reveal that certain nancial report items differ from expectations formed by the auditor based on knowledge of the entitys business and other information accumulated during the audit. Such differences would need to be investigated using procedures such as those described above. This investigation may indicate the need for changes in presentation or disclosure in the nancial report. > Is there a risk of material misstatement that has not been previously recognised? If additional risks are identied, the auditor may need to re-evaluate the planned audit procedures to respond appropriately.
Core concepts
127
8.5
330.8
Tests of controls
Relevant extracts from ASAs The auditor shall design and perform tests of controls to obtain sufcient appropriate audit evidence as to the operating effectiveness of relevant controls if: (a) The auditors assessment of risks of material misstatement at the assertion level includes an expectation that the controls are operating effectively (that is, the auditor intends to rely on the operating effectiveness of controls in determining the nature, timing and extent of substantive procedures); or (b) Substantive procedures alone cannot provide sufcient appropriate audit evidence at the assertion level. (Ref: Para. A20-A24)
Paragraph #
330.9
In designing and performing tests of controls, the auditor shall obtain more persuasive audit evidence the greater the reliance the auditor places on the effectiveness of a control. (Ref: Para. A25) In designing and performing tests of controls, the auditor shall: (a) Perform other audit procedures in combination with enquiry to obtain audit evidence about the operating effectiveness of the controls, including: (i) (ii) How the controls were applied at relevant times during the period under audit; The consistency with which they were applied; and
330.10
(iii) By whom or by what means they were applied. (Ref: Para. A26-A29) (b) Determine whether the controls to be tested depend upon other controls (indirect controls) and, if so, whether it is necessary to obtain audit evidence supporting the effective operation of those indirect controls. (Ref: Para. A30-A31) 330.11 The auditor shall test controls for the particular time, or throughout the period, for which the auditor intends to rely on those controls, subject to paragraphs 12 and 15 of this Auditing Standard, in order to provide an appropriate basis for the auditors intended reliance. (Ref: Para. A32) Note: (Refer later in this chapter for discussion of the requirements of paragraphs 12 and 15.)
Purpose
Tests of controls are tests designed to obtain audit evidence about the operating effectiveness of controls. Controls can prevent material misstatements at the assertion level from occurring altogether, or detect and then correct them after they have occurred. The controls selected for testing would be those that provide necessary audit evidence for a relevant assertion.
PART A
128
Consider point
A walk-through procedure to determine whether a control has been implemented is not a test of control. It is a risk assessment procedure, the result of which may determine whether test of control would be useful and, if so, how they would be designed.
Tests of controls are considered by the auditor when: > The risk assessment is based on an expectation that internal control operates effectively, or > Substantive procedures alone will not provide sufcient appropriate audit evidence at the assertion level. This might apply where sales are made over the internet and no documentation of transactions is produced or maintained, other than through the IT system. Selecting sample sizes for tests of controls is addressed in Part B, Chapter 32 on the extent of testing. Tests of controls are designed to obtain audit evidence about: > How internal control procedures were applied throughout, or at relevant times during, the period under audit. If substantially different controls were used at different times during the period, each control system should be considered separately > The consistency with which internal control procedures were applied, and > By whom or by what means controls were applied. Consider point
When auditing smaller entities, auditors often plan to perform substantive procedures on the assumption that tests of existing control activities would not be practical due to limited segregation of duties, etc. Before jumping to that conclusion, consider: > The strength of the control environment and other elements of internal control > Existence of control activities over assertions where it would be more efcient to gain evidence through tests of controls, and > Assertions where substantive procedures alone will not reduce the risks of material misstatement to an acceptably low level. For instance, this may be the case for the completeness of revenues.
Designing tests of controls

Tests of controls are used to gain evidence about the operating effectiveness of controls included in any of the ve elements of internal control. See the
Core concepts
129
illustration below and Part A, Chapter 3 for additional information on each of the ve internal control elements.
Exhibit 8.5-1
Pervasive controls
Risk asses smen
Entity level controls
on
ito
rin
General IT controls
Includes controls over: > Fraud (management override) > Centralised processing > Period-end financial p g reporting process
g
Specific controls
Control activities
Transactional controls
Transactions
Specic controls (such as control activities) directly address the prevention or detection and correction of misstatements, whereas pervasive controls provide the foundation for the specic controls and inuence their operation. In smaller entities, some pervasive controls (such as the control environment) may also serve to address specic risks of misstatement for a relevant assertion (eg. where senior management is directly involved in supervising and approving day-to-day transactions). In this case, if the pervasive controls were tested and found to operate effectively, there would be no need to test other controls (such as control activities) related to the particular risks involved.
PART A
130
Consider point
Domination of management by a single individual does not mean that internal control is weak or does not exist. In fact, the involvement of a competent owner-manager in the detailed day-to-day operations would be an important control environment strength. The opportunity for management override of internal control still exists, but can be reduced to some extent (in virtually any size of entity) by implementing some simple anti-fraud controls. (See Part A, Chapter 3.)
In other cases, the link between pervasive and specic controls may be more direct. For example, some monitoring controls may identify control breakdowns in specic (business process) controls. Testing these monitoring controls for effectiveness might reduce (but not eliminate) the need for testing more specic controls. Tests of pervasive controls (often referred to as entity level and general IT controls) tend to be more subjective (such as evaluating the commitment to integrity or competence) and therefore tend to be more difcult to document than specic internal control at the business process level (such as checking to see if a payment was authorised). As a result, the testing of entity level and general IT controls is often documented with memoranda to the le explaining the approach taken and the action steps (eg. staff interviews, assessments, review of employee les etc.), along with supporting evidence. This approach is illustrated in the following example.
Exhibit 8.5-2
Testing pervasive (entity level) controls
Control component = control environment Risk addressed Controls identied No emphasis is placed on need for integrity and ethical values. Management requires all new employees to sign a form stating their agreement with the rms fundamental values and understanding of the consequences for non-compliance. Read the form to be signed by employees and ensure it does indeed address integrity and ethical values. Review one employee le to ensure there is a signed form and consider what evidence exists (such as discipline) that employees actually practice the values. This could be based on a short interview with an employee. Select a sample of employee les and ensure there are agreement forms on le and they are signed by the employee. This would be supplemented by asking a sample of employees, some questions about the stated entity policies. Prepare a memo that provides details of the employee les selected and notes from interviews (including the name of the person and the date) along with the conclusions reached.
Control design Control implementation
Test of controls effectiveness
Documentation
Core concepts
131
Some key factors for the auditor to consider when designing a test of controls are listed below.
Exhibit 8.5-3
Address What risk of material misstatement and assertion is being addressed? Reliability of the controls Description Identify the risk of material misstatement and the related assertion that would be addressed by performing tests of control. Then consider whether audit evidence about the relevant assertion can be best be obtained by a performing tests of controls or through substantive procedures. As a general rule, it is not worth testing controls that may prove to be unreliable because the small sample sizes commonly used for testing controls are based on no deviations being found. If any of the following factors are signicant, it may be more effective to perform substantive procedures (if possible): > History of errors > Changes in the volume or nature of transactions > The underlying entity level and general IT controls are weak > Controls can be (or have been) circumvented by management > Infrequent operation of the control > Changes in personnel or competence of people performing the control > There is a signicant manual element in the control that could be prone to error > Complex operation and major judgements involved with its operation. Existence of indirect controls Does control depend on effective operation of other controls? This could include non-nancial information produced by a separate process, the treatment of exceptions and periodic reviews of reports by managers. Tests of controls usually involve a combination of the following: > Enquiries of appropriate personnel > Inspection of relevant documentation > Observation of the companys operations, and > Re-performance of the application of the control. Note that enquiry alone would not be sufcient evidence to support a conclusion about the effectiveness of a control. For example, to test the operating effectiveness of internal control over cash receipts, the auditor might observe the procedures for opening the mail and processing cash receipts. Because an observation is pertinent only at the point in time at which it is made, the auditor would supplement the observation with enquiries of entity personnel and inspection of documentation about the operation of such internal control at other times.
Nature of test to meet objectives
PART A
132
Consider point
Determine what constitutes a control deviation. When designing a test of control, spend time to dene exactly what constitutes an error or exception to the test. This will save time spent by audit staff in determining whether a seemingly minor exception (such as an incorrect telephone number) is, in fact, a control deviation.
Automated controls
There may be some instances where control activities are performed by a computer and supporting documentation does not exist. In these situations, the auditor may have to re-perform some controls to ensure the software application controls are working as designed. Another approach is to use computer assisted audit techniques (CAATs). One example of a CAAT is a software package that can import an entitys data le (such as sales or payables), which can then be tested. Such programs can analyse client data to provide the audit evidence needed. In addition, they provide the potential to perform much more extensive testing of electronic transactions and account les. Some possible uses of CAATs are outlined below.
Exhibit 8.5-4
Use of CAATs Typical types of procedures Extract specic records such as payments more than a specied amount or transactions before a given date. Extract top or bottom records in a database. Identify missing and duplicate records. Identify possible fraud (using Benfords Law). Select sample transactions from electronic les which match predetermined parameters or criteria. Sort transactions with specic characteristics. Test an entire population instead of a sample. Recalculate (add up) the total monetary amount of records in a le (such as inventory) and check extensions such as pricing. Stratify, summarise and age information. Match data across les.
Smaller entities often use off-the-shelf packaged accounting and other relevant software without modication. However, many software packages actually contain proven application controls that could be used by the entity to reduce the extent of errors and possibly deter fraud. Auditors might want to ask their clients whether these controls are being used and, if not, whether there would be value in using them.
Core concepts
133
Timing of tests of controls

Paragraph # 330.11 Relevant extracts from ASAs The auditor shall test controls for the particular time, or throughout the period, for which the auditor intends to rely on those controls, subject to paragraphs 12 and 15 of this Auditing Standard, in order to provide an appropriate basis for the auditors intended reliance. (Ref: Para. A32) If the auditor obtains audit evidence about the operating effectiveness of controls during an interim period, the auditor shall: (a) Obtain audit evidence about signicant changes to those controls subsequent to the interim period; and (b) Determine the additional audit evidence to be obtained for the remaining period. (Ref: Para. A33-A34) 330.15 If the auditor plans to rely on controls over a risk the auditor has determined to be a signicant risk, the auditor shall test those controls in the current period.
330.12
Tests of controls may provide evidence of effective operation: > At a particular point in time (ie. physical inventory count), or > Over a period of time such as the period under audit. When the tests of controls take place before the period end, the auditor would consider what additional evidence may be required to cover the remaining period. This evidence may be obtained by extending the tests to cover the remaining period or testing the entitys monitoring of internal control.
Exhibit 8.5-5
Factors to consider Gap between the tests of controls and period end Signicance of assessed risks of material misstatement at the assertion level. Specic controls that were tested during the interim period. Degree to which audit evidence about the operating effectiveness of those controls was obtained. Length of the remaining period. Extent to which the auditor intends to reduce further substantive procedures based on the reliance on internal control. The control environment. Any signicant changes in internal control, including changes in the information system, processes and personnel that occurred subsequent to the interim period.
PART A
134
Using audit evidence obtained in previous audits

Paragraph # 330.13 Relevant extracts from ASAs In determining whether it is appropriate to use audit evidence about the operating effectiveness of controls obtained in previous audits and, if so, the length of the time period that may elapse before retesting a control, the auditor shall consider the following: (a) The effectiveness of other elements of internal control, including the control environment, the entitys monitoring of controls and the entitys risk assessment process; (b) The risks arising from the characteristics of the control, including whether it is manual or automated; (c) The effectiveness of general IT controls; (d) The effectiveness of the control and its application by the entity, including the nature and extent of deviations in the application of the control noted in previous audits, and whether there have been personnel changes that signicantly affect the application of the control; (e) Whether the lack of a change in a particular control poses a risk due to changing circumstances; and (f) The risks of material misstatement and the extent of reliance on the control. (Ref: Para. A35) 330.14 If the auditor plans to use audit evidence from a previous audit about the operating effectiveness of specic controls, the auditor shall establish the continuing relevance of that evidence by obtaining audit evidence about whether signicant changes in those controls have occurred subsequent to the previous audit. The auditor shall obtain this evidence by performing enquiry combined with observation or inspection, to conrm the understanding of those specic controls, and: (a) If there have been changes that affect the continuing relevance of the audit evidence from the previous audit, the auditor shall test the controls in the current audit. (Ref: Para. A36) (b) If there have not been such changes, the auditor shall test the controls at least once in every third audit, and shall test some controls in each audit to avoid the possibility of testing all the controls on which the auditor intends to rely in a single audit period with no testing of controls in the subsequent two audit periods. (Ref: Para. A37-A39) 330.29 If the auditor plans to use audit evidence about the operating effectiveness of controls obtained in previous audits, the auditor shall include in the audit documentation the conclusions reached about relying on such controls that were tested in a previous audit.
Rotational testing of controls

Assuming that the factors outlined in the exhibit below do not apply, it is possible that the tests of operating effectiveness of internal controls may only need to be performed once every third audit. The actual period of reliance will be based on professional judgement but cannot exceed two years.
Core concepts
135
Factors that would rule out the use of rotational testing are outlined below.
Exhibit 8.5-6
Use of control testing performed in prior years is NOT permitted when 1. Reliance on the control is required to mitigate a signicant risk; 2. The operation of the internal control has changed during the period or the risk being mitigated by the control has changed; 3. A weak control environment exists; 4. The ongoing monitoring of internal control operation is poor; 5. There is a signicant manual element to the operation of relevant controls; 6. Personnel changes have occurred that signicantly affect the application of the control; 7. Changing circumstances indicate the need for changes in the operation of the control; and/or 8. General IT controls are weak or ineffective.
Before audit evidence obtained in prior audits can be used, the continuing relevance of such evidence needs to be established each period. This will include conrming the understanding of those specic controls through: > Enquiry of management and others about changes, and > Observation or inspection of the internal control to determine its continuing implementation. When there are a number of controls where evidence could be used from prior audits, the reliance should be staggered so that some testing of internal control is performed during each audit. Testing at least a few controls each period also provides collateral evidence about the continuing effectiveness of the control environment. In general, the higher the risks of material misstatement or the greater the reliance placed on internal control, the shorter the time period should be between tests of controls.
PART A
136
9.
Accounting estimates
Relevant ASA
Chapter content Audit procedures relating to the audit of accounting estimates, including fair value accounting estimates and related disclosures in an audit of a nancial report.
540
Exhibit 9.0-1
Risk assessment
What estimates are required? How were the estimates prepared? How significant are the estimates? Is an auditors expert required? How accurate were the prior years estimates? Any evidence of management bias? Extent of estimation uncertainty involved?
Risk response
Have estimates been prepared properly using consistent methodology? Is the supporting evidence reliable? Any evidence of fraud?
Reporting
Paragraph # 540.6
Are financial report disclosures of accounting estimates in accordance with the financial reporting framework? If a significant risk, has disclosure been made of the estimation uncertainty? Obtain management representations.
ASA objective(s) The objective of the auditor is to obtain sufcient appropriate audit evidence about whether: (a) Accounting estimates, including fair value accounting estimates, in the nancial report, whether recognised or disclosed, are reasonable; and (b) Related disclosures in the nancial report are adequate, in the context of the applicable nancial reporting framework.
Core concepts
137
Paragraph # 540.7
Relevant extracts from ASAs For the purposes of the Australian Auditing Standards, the following terms have the meanings attributed below: (a) Accounting estimate means an approximation of a monetary amount in the absence of a precise means of measurement. This term is used for an amount measured at fair value where there is estimation uncertainty, as well as for other amounts that require estimation. Where this Auditing Standard addresses only accounting estimates involving measurement at fair value, the term fair value accounting estimates is used. (b) Auditors point estimate or auditors range means the amount, or range of amounts, respectively, derived from audit evidence for use in evaluating managements point estimate. (c) Estimation uncertainty means the susceptibility of an accounting estimate and related disclosures to an inherent lack of precision in its measurement. (d) Management bias means a lack of neutrality by management in the preparation of information. (e) Managements point estimate means the amount selected by management for recognition or disclosure in the nancial report as an accounting estimate. (f) Outcome of an accounting estimate means the actual monetary amount which results from the resolution of the underlying transaction(s), event(s) or condition(s) addressed by the accounting estimate.
9.1
Overview
When auditing estimates the objective is to obtain sufcient appropriate audit evidence about whether: > Accounting estimates, including fair value accounting estimates in the nancial report, whether recognised or disclosed, are reasonable, and > Related disclosures in the nancial report are adequate in the context of the applicable nancial reporting framework. Some nancial report items cannot be measured precisely and therefore have to be estimated. Such accounting estimates range from the straightforward (such as net realisable values for inventory and accounts receivable) to the more complex (such as calculating revenues to be recorded from longterm contracts and future liabilities on product warranties and guarantees). Estimates can often involve considerable analyses of historical and current data and the forecasting of future events such as sales transactions. The measurement of accounting estimates may vary based on the requirements of the applicable nancial reporting framework and the nancial item involved. For example, the measurement objective of an estimate may be to:
PART A
138
> Forecast the outcome of one or more transactions, events or conditions that gave rise to the accounting estimate, or > Determine the value of a current transaction or nancial report item based on conditions prevalent at the measurement date, such as estimated market price for a particular type of asset or liability. This would include fair value measurements. The risk of material misstatement arising from an estimate will often be based on the degree of estimation uncertainty involved. Some of the factors to consider are outlined in the following exhibit.
Exhibit 9.1-1
Level of estimation uncertainty involved Low level of uncertainty (Less RMM) Business activities that are not complex. High level of uncertainty (Higher RMM) Highly dependent upon judgement, such as the outcome of litigation or the amount and timing of future cash ows dependent on uncertain events many years in the future. NOT calculated using recognised measurement techniques. Results of the auditors review of similar accounting estimates made in the prior period nancial report indicate a substantial difference between the original accounting estimate and the actual outcome. Fair value accounting estimates for derivative nancial instruments are not publicly traded. Fair value accounting estimates for which a highly specialised entity-developed model is used or for which there are assumptions or inputs that cannot be observed in the marketplace
Relate to routine transactions. Derived from data (referred to as observable in the context of fair value accounting) that is readily available, such as published interest rate data or exchange-traded prices of securities. Method of measurement prescribed by the applicable nancial reporting framework is simple and applied easily Fair value accounting estimates where the model used to measure the accounting estimate is well-known or generally accepted, provided that the assumptions or inputs to the model are observable.
Note: The auditor (using professional judgement) is required to determine whether any of the identied accounting estimates (those having a high estimation uncertainty) give rise to signicant risks. If a signicant risk is identied, the auditor is also required to obtain an understanding of the entitys controls, including control activities. > When the audit evidence had been obtained the reasonableness of the estimates would be evaluated and the extent of any misstatement identied > Where the evidence supports a point estimate, the difference between the auditors point estimate and managements point estimate constitutes a misstatement.
Core concepts
139
> Where the auditor has concluded that using the auditors range of reasonableness provides sufcient appropriate audit evidence, a management point estimate that lies outside the auditors range would not be supported by audit evidence. In such cases, the misstatement is no less than the difference between managements point estimate and the nearest point of the auditors range. A difference between the outcome of an accounting estimate and the amount originally recognised or disclosed in the nancial report does not necessarily represent a misstatement of the nancial report. This is particularly the case for fair value accounting estimates, as any observed outcome is invariably affected by events or conditions subsequent to the date at which the measurement is estimated for purposes of the nancial report.
PART A
9.2
540.8
Risk assessment
Relevant extracts from ASAs When performing risk assessment procedures and related activities to obtain an understanding of the entity and its environment, including the entitys internal control, as required by ASA 315, the auditor shall obtain an understanding of the following in order to provide a basis for the identication and assessment of the risks of material misstatement for accounting estimates: (Ref: Para. A12) (a) The requirements of the applicable nancial reporting framework relevant to accounting estimates, including related disclosures. (Ref: Para. A13-A15) (b) How management identies those transactions, events and conditions that may give rise to the need for accounting estimates to be recognised or disclosed in the nancial report. In obtaining this understanding, the auditor shall make enquiries of management about changes in circumstances that may give rise to new, or the need to revise existing, accounting estimates. (Ref: Para. A16-A21) (c) How management makes the accounting estimates and an understanding of the data on which they are based, including: (Ref: Para. A22-A23) (i) (ii) The method, including where applicable the model, used in making the accounting estimate; (Ref: Para. A24-A26) Relevant controls; (Ref: Para. A27-A28)
Paragraph #
(iii) Whether management has used a management expert; (Ref: Para. A29-A30) (iv) The assumptions underlying the accounting estimates; (Ref: Para. A31-A36) (v) Whether there has been, or ought to have been, a change from the prior period in the methods for making the accounting estimates, and if so, why; and (Ref: Para. A37) (vi) Whether and, if so, how management has assessed the effect of estimation uncertainty. (Ref: Para. A38)
140
Paragraph # 540.9
Relevant extracts from ASAs The auditor shall review the outcome of accounting estimates included in the prior period nancial report or, where applicable, their subsequent re-estimation for the purpose of the current period. The nature and extent of the auditors review takes account of the nature of the accounting estimates, and whether the information obtained from the review would be relevant to identifying and assessing risks of material misstatement of accounting estimates made in the current period nancial report. However, the review is not intended to call into question the judgements made in the prior periods that were based on information available at the time. (Ref: Para. A39-A44) In identifying and assessing the risks of material misstatement, as required by ASA 315, the auditor shall evaluate the degree of estimation uncertainty associated with an accounting estimate. (Ref: Para. A45-A46) The auditor shall determine whether, in the auditors judgement, any of those accounting estimates that have been identied as having high estimation uncertainty give rise to signicant risks. (Ref: Para. A47-A51)
540.10
540.11
For smaller entities, the amount of work involved in preparing estimates will be less complex as their business activities are often limited and transactions are less complex. Often a single person, such as the owner-manager, will identify the need for accounting estimates and the auditor may focus the enquiries accordingly. However smaller entities will also be less likely to have a management expert available who would use their experience and competence to make the required point estimates. In these cases the risk of material misstatement might actually increase, unless of course such an expert is hired. See toolkit item 513: Worksheet Undertanding accounting estimates. Consider point
Where the use of a management expert would greatly assist the estimating process, discuss this need with entity management as early as possible in the audit process so that appropriate action can be taken.
The key areas for the auditor to address are outlined in the table below.
Exhibit 9.2-1
Address How is the need for an estimate identied? Description This could result from the accounting framework being used or from transactions, events and conditions that may give rise to the need for accounting estimates to be recognised or disclosed in the nancial report. In addition, the auditor would make enquiries of management about changes in circumstances that give rise to new, or the need to revise existing, accounting estimates.
Core concepts
141
Address Managements process for making estimates
Description Review and evaluate managements estimation processes including the development of the underlying assumptions, reliability of data used and any internal approval or review process. Where applicable, this could also include the use of a management expert. The need for a management expert may arise because of, for example: > The specialised nature of the matter requiring estimation > The technical nature of models required to meet requirements of the applicable nancial reporting framework, (such as certain measurements at fair value), and > The unusual or infrequent nature of the condition, transaction or event requiring an accounting estimate.
Outcomes of estimates prepared in previous periods
Review the outcome of the previous periods estimates and understand the reasons for differences between prior period estimates and the actual amounts. This will help to understand: > Effectiveness (or not) of managements estimation process > Existence of any possible management bias (a review of estimates for possible fraud is also required by ASA 240) > Existence of pertinent audit evidence, and > Extent of estimation uncertainty involved, which may be required to be disclosed in the nancial report.
Extent of estimation uncertainty Involved
Consider the following: > Extent of managements judgement involved > Sensitivity to changes in assumptions > Existence of recognised measurement techniques that mitigate the uncertainty > Length of the forecast period and relevance of data used > Availability of reliable data from external sources > Extent to which estimate is based on observable or unobservable inputs, and > Susceptibility to bias. Note: Determine whether the accounting estimates with a high estimation uncertainty are also signicant risks to be addressed by the auditor.
Signicance of the estimates
In assessing the risks of material misstatement, consider: > Matters addressed above in this table > Actual or expected magnitude of the estimate, and > Whether the estimate is a signicant risk. See extent of estimation uncertainty above.
PART A
142
9.3
540.12
Responses to assessed risks

Relevant extracts from ASAs Based on the assessed risks of material misstatement, the auditor shall determine: (Ref: Para. A52) (a) Whether management has appropriately applied the requirements of the applicable nancial reporting framework relevant to the accounting estimate; and (Ref: Para. A53-A56) (b) Whether the methods for making the accounting estimates are appropriate and have been applied consistently, and whether changes, if any, in accounting estimates or in the method for making them from the prior period are appropriate in the circumstances. (Ref: Para. A57-A58)
Paragraph #
540.13
In responding to the assessed risks of material misstatement, as required by ASA 330, the auditor shall undertake one or more of the following, taking account of the nature of the accounting estimate: (Ref: Para. A59-A61) (a) Determine whether events occurring up to the date of the auditors report provide audit evidence regarding the accounting estimate. (Ref: Para. A62-A67) (b) Test how management made the accounting estimate and the data on which it is based. In doing so, the auditor shall evaluate whether: (Ref: Para. A68-A70) (i) (ii) The method of measurement used is appropriate in the circumstances; and (Ref: Para. A71-A76) The assumptions used by management are reasonable in light of the measurement objectives of the applicable nancial reporting framework. (Ref: Para. A77-A83)
(c) Test the operating effectiveness of the controls over how management made the accounting estimate, together with appropriate substantive procedures. (Ref: Para. A84-A86) (d) Develop a point estimate or a range to evaluate managements point estimate. For this purpose: (Ref: Para. A87-A91) (i) If the auditor uses assumptions or methods that differ from managements, the auditor shall obtain an understanding of managements assumptions or methods sufcient to establish that the auditors point estimate or range takes into account relevant variables and to evaluate any signicant differences from managements point estimate. (Ref: Para. A92) If the auditor concludes that it is appropriate to use a range, the auditor shall narrow the range, based on audit evidence available, until all outcomes within the range are considered reasonable. (Ref: Para. A93-A95)
(ii)
540.14
In determining the matters identied in paragraph 12 of this Auditing Standard or in responding to the assessed risks of material misstatement in accordance with paragraph 13 of this Auditing Standard, the auditor shall consider whether specialised skills or knowledge in relation to one or more aspects of the accounting estimates are required in order to obtain sufcient appropriate audit evidence. (Ref: Para. A96-A101)
Core concepts
143
Paragraph # 540.15
Relevant extracts from ASAs For accounting estimates that give rise to signicant risks, in addition to other substantive procedures performed to meet the requirements of ASA 330, the auditor shall evaluate the following: (Ref: Para. A102) (a) How management has considered alternative assumptions or outcomes, and why it has rejected them, or how management has otherwise addressed estimation uncertainty in making the accounting estimate. (Ref: Para. A103-A106) (b) Whether the signicant assumptions used by management are reasonable. (Ref: Para. A107-A109) (c) Where relevant to the reasonableness of the signicant assumptions used by management or the appropriate application of the applicable nancial reporting framework, managements intent to carry out specic courses of action and its ability to do so. (Ref: Para. A110)
540.16
If, in the auditors judgement, management has not adequately addressed the effects of estimation uncertainty on the accounting estimates that give rise to signicant risks, the auditor shall, if considered necessary, develop a range with which to evaluate the reasonableness of the accounting estimate. (Ref: Para. A111-A112)
In smaller entities there is likely to be active management involvement in the nancial reporting process which includes accounting estimate preparation. As a result, controls over the estimating process may not exist, or if they do exist, may operate informally. For this reason, the auditors response to the assessed risks is likely to be substantive in nature, with the auditor performing one or more of the other responses outlined below. See toolkit item 635: Worksheet Accounting estimates (including fair values)
PART A
144
Exhibit 9.3-1
Address Have estimates been prepared appropriately? Description a) Test how management made the accounting estimate and the data on which it is based. Evaluate whether: The method of measurement used is appropriate in the circumstances, and The assumptions used by management are reasonable in light of the measurement objectives of the applicable nancial reporting framework. b) Test the operating effectiveness of the controls, if any, over how management made the accounting estimate, together with appropriate substantive procedures. c) Develop a point estimate or a range to evaluate managements point estimate. If the assumptions or methods used by the auditor differ from managements, obtain an understanding of managements assumptions or methods sufcient to establish that the auditors point estimate or range takes into account relevant variables. Also evaluate any signicant differences from managements point estimate. If it is appropriate to use a range, narrow the range, based on audit evidence available, until all outcomes within the range are considered reasonable. How reliable is the supporting evidence? Undertake one or more of the following procedures taking into account the nature of the accounting estimate, the nature of the evidence that will be obtained and the assessed risk of material misstatement, including whether the assessed risk is a signicant risk: > Review events subsequent to the period end to ensure they support managements estimates. This may be particularly relevant in some smaller owner-managed entities, where management does not have formalised control procedures over accounting estimates > Test the information, controls (if any), methods and assumptions used. > Based on available evidence and discussions with management, develop an independent point estimate or range of reasonableness for comparison with the entitys estimate. The amount by which managements estimate differs from the point estimate or falls outside the range of reasonableness would be considered as a misstatement. > When there is a longer period between the balance sheet date and the date of the auditors report, the auditors review of events in this period may be an effective response for accounting estimates other than fair value accounting estimates.
Core concepts
145
Address Possible management bias
Description > Identify whether there are indicators of possible management bias. This could include changes in the way estimates are calculated or the selection of a point estimate that indicates a pattern of optimism or pessimism. This could occur where estimates consistently lie at one boundary of the auditors range of reasonableness or where the bias moves from one boundary of the range to the other in successive periods. For example where management put the business up for sale and the earnings goal changes from tax minimisation to maximisation of earnings. > Consider the cumulative effect of bias in the preparation of managements accounting estimates.
Where the estimate is complex or involves specialised techniques, the auditor may determine it is necessary to use the work of an auditors expert (see Part A, Chapter 13.7 (ASA 620) for guidance on using the work of an auditors expert).
9.4
540.19
Reporting
Relevant extracts from ASAs The auditor shall obtain sufcient appropriate audit evidence about whether the disclosures in the nancial report related to accounting estimates are in accordance with the requirements of the applicable nancial reporting framework. (Ref: Para. A120-A121) For accounting estimates that give rise to signicant risks, the auditor shall also evaluate the adequacy of the disclosure of their estimation uncertainty in the nancial report in the context of the applicable nancial reporting framework. (Ref: Para. A122-A123)
Paragraph #
540.20
The nal step is to determine whether: > Sufcient appropriate evidence has been obtained. Where sufcient appropriate evidence is not available or the evidence refutes managements estimates, the auditor would discuss the ndings with management and consider the need to change the risk assessment and perform further audit procedures > The accounting estimates are either reasonable in the context of the applicable nancial reporting framework, or are misstated, and > Disclosures in the nancial report about the estimates: Are in accordance with the requirements of the applicable nancial reporting framework, and Adequately disclose their estimation uncertainty, if they give rise to signicant risks.
PART A
146
Written representations
The auditor would obtain written representations from management regarding the reasonableness of signicant assumptions. Also consider obtaining a written representation as to whether the assumptions appropriately reect managements intent and ability to carry out specic courses of action relevant to any fair value measurements or disclosures.
9.5
540.23
Documentation
Relevant extracts from ASAs The auditor shall include in the audit documentation: (a) The basis for the auditors conclusions about the reasonableness of accounting estimates and their disclosure that give rise to signicant risks; (b) Indicators of possible management bias, if any (Ref: Para. A128); and Aus 23.1. The auditors evaluation of any indicators of possible management bias in making accounting estimates, including whether the circumstances giving rise to the indicators of bias represent a risk of material misstatement due to fraud. (Ref: Para. A128)
Paragraph #
In order to demonstrate the basis for the auditors conclusions, documentation would normally address: > Managements process for making the estimates > The outcomes of estimates prepared in previous periods > The extent of estimation uncertainty involved > The signicance of the estimates > The reasonableness of managements accounting for the estimates > The risk of management bias including the risk of material misstatement due to fraud, and > The results of testing conducted from Exhibit 9.3-1 above.
Core concepts
147
10.
Related parties
Relevant ASA
Chapter content Audit procedures regarding related parties and transactions with such parties.
550
PART A
Exhibit 10.0-1
Identify related parties, including changes from previous periods. Understand nature, extent and purpose of transactions. Consider potential for fraud. Remain alert for related-party transactions throughout audit. Consider significant risks. Do any circumstances identified by the auditor suggest involvement of related parties? Obtain evidence to support managements assertions about the nature, extent and purpose of transactions If outside normal course of business, consider significance of transactions. Consider measurement and recognition of transactions and balances. Consider possible fraud.
Risk assessment
Reporting
Has sufficient appropriate evidence been obtained? Does a material misstatement exist? Is financial statement disclosure adequate? Obtain management representations. Report on any findings.
Paragraph # 550.9
ASA objective(s) The objectives of the auditor are: (a) Irrespective of whether the applicable nancial reporting framework establishes related party requirements, to obtain an understanding of related party relationships and transactions sufcient to be able: (i) To recognise fraud risk factors, if any, arising from related party relationships and transactions that are relevant to the identication and assessment of the risks of material misstatement due to fraud; and To conclude, based on the audit evidence obtained, whether the nancial report, insofar as it is affected by those relationships and transactions: a. b. Achieve fair presentation (for fair presentation frameworks); or Are not misleading (for compliance frameworks); and
(ii)
(b) In addition, where the applicable nancial reporting framework establishes related party requirements, to obtain sufcient appropriate audit evidence about whether related party relationships and transactions have been appropriately identied, accounted for and disclosed in the nancial report in accordance with the framework.
Risk response
148
Paragraph # 550.10
Relevant extracts from ASAs For purposes of the Australian Auditing Standards, the following terms have the meanings attributed below: (a) Arms length transaction means a transaction conducted on such terms and conditions as between a willing buyer and a willing seller who are unrelated and are acting independently of each other and pursuing their own best interests. (b) Related party means a party that is either: (Ref: Para. A4-A7) (i) (ii) A related party as dened in the applicable nancial reporting framework; or Where the applicable nancial reporting framework establishes minimal or no related party requirements: a. A person or other entity that has control or signicant inuence, directly or indirectly through one or more intermediaries, over the reporting entity; Another entity over which the reporting entity has control or signicant inuence, directly or indirectly through one or more intermediaries; or Another entity that is under common control with the reporting entity through having: i. ii. iii. Common controlling ownership; Owners who are close family members; or Common key management.
b.
c.
However, entities that are under common control by a state (that is, a national, regional or local government) are not considered related unless they engage in signicant transactions or share resources to a signicant extent with one another.
10.1
Overview
As related parties are not independent of each other, there are often higher risks of material misstatement through the related party transactions than through transactions with unrelated parties. Consequently, nancial reporting frameworks often contain accounting and disclosure requirements regarding related-party transactions and balances. These requirements are intended to provide nancial report users with an understanding of the nature of these transactions/balances and the actual or potential effects. Some of the potential risk factors with regard to related party transactions are set out in the following exhibit.
Core concepts
149
Exhibit 10.1-1
Description Overly complex transactions Relationships and transactions not identied Related parties may operate through an extensive and complex range of relationships and structures. > Related party relationships may be concealed as they present a greater opportunity for collusion, concealment or manipulation by management > The entitys information systems may be ineffective at identifying or summarising transactions and outstanding balances between the entity and its related parties > Management may be unaware of the existence of all related party relationships and transactions. Not conducted in the normal course of business Related party transactions may not be conducted under normal market terms and conditions such as above, below fair values or even with no exchange of consideration at all.
Management is responsible for the identication and disclosure of related parties and accounting for the transactions. This responsibility requires management to implement adequate internal control to ensure that transactions with related parties are appropriately identied and recorded in the information system and disclosed in the nancial report. The auditor is responsible for maintaining an alertness for related party information when reviewing records or documents during the audit. This includes the inspection of certain key documents but does not require an extensive investigation of records and documents to specically identify related parties. In smaller entities, these procedures are likely to be less sophisticated and informal. Management may not readily have information about related parties (the accounting systems are unlikely to have been designed to identify related parties) so the auditor may need to make enquiries and review accounts with specic parties, etc. beyond the accounting records and disclosures in the accounts.
Financial reporting frameworks

Because related parties are not independent of each other, many nancial reporting frameworks establish specic accounting and disclosure requirements for related party relationships, transactions and balances. This enables the users of the nancial report to understand their nature and actual or potential effects on the nancial report. Where the applicable nancial reporting framework establishes requirements for related party accounting and disclosure, the auditor has a responsibility to perform audit procedures to identify, assess and respond to the risks
PART A
150
of material misstatement arising from the entitys failure to appropriately account for or disclose related party relationships, transactions or balances in accordance with the requirements of the framework. Where the applicable nancial reporting framework establishes minimal or no related party requirements, the auditor still needs to obtain a sufcient understanding of the entitys related party relationships and transactions sufcient to be able to conclude whether the nancial report, insofar as it is affected by those relationships and transactions: > Achieve fair presentation (for fair presentation frameworks), or > Are not misleading (for compliance frameworks). When information is identied that suggests the existence of related party relationships or transactions that were not previously identied or disclosed by management, the auditor is required to determine whether the underlying circumstances conrm the existence of such relationships or transactions. ASA 550 provides guidance on the auditors responsibility and audit procedures regarding related parties and transactions with such parties.
Exhibit 10.1-2
Auditor responsibility where Accounting framework establishes minimal or no requirements Description Obtain an understanding of the entitys related party relationships and transactions sufcient to: > Recognise fraud risk factors, if any, arising from related party relationships and transactions that are relevant to the identication and assessment of the risks of material misstatement due to fraud; and > Conclude, based on the audit evidence obtained, whether the nancial report, insofar as it is affected by those relationships and transactions, achieve fair presentation (for fair presentation frameworks); or are not misleading (for compliance frameworks). The applicable nancial reporting framework sets out the requirements In addition to the steps described above, obtain sufcient appropriate audit evidence to comply with the specic accounting and disclosure requirements for related party relationships, transactions and balances.
Core concepts
151
10.2
550.11
Risk assessment
Relevant extracts from ASAs As part of the risk assessment procedures and related activities that ASA 315 and ASA 240 require the auditor to perform during the audit, the auditor shall perform the audit procedures and related activities set out in paragraphs 12-17 of this Auditing Standard to obtain information relevant to identifying the risks of material misstatement associated with related party relationships and transactions. (Ref: Para. A8) The engagement team discussion that ASA 315 and ASA 240 require shall include specic consideration of the susceptibility of the nancial report to material misstatement due to fraud or error that could result from the entitys related party relationships and transactions. (Ref: Para. A9-A10) The auditor shall enquire of management regarding: (a) The identity of the entitys related parties, including changes from the prior period; (Ref: Para. A11-A14) (b) The nature of the relationships between the entity and these related parties; and (c) Whether the entity entered into any transactions with these related parties during the period and, if so, the type and purpose of the transactions.
Paragraph #
550.12
550.13
550.14
The auditor shall enquire of management and others within the entity, and perform other risk assessment procedures considered appropriate, to obtain an understanding of the controls, if any, that management has established to: (Ref: Para. A15-A20) (a) Identify, account for and disclose related party relationships and transactions in accordance with the applicable nancial reporting framework; (b) Authorise and approve signicant transactions and arrangements with related parties; and (Ref: Para. A21) (c) Authorise and approve signicant transactions and arrangements outside the normal course of business.
550.15
During the audit, the auditor shall remain alert, when inspecting records or documents, for arrangements or other information that may indicate the existence of related party relationships or transactions that management has not previously identied or disclosed to the auditor. (Ref: Para. A22-A23) In particular, the auditor shall inspect the following for indications of the existence of related party relationships or transactions that management has not previously identied or disclosed to the auditor: (a) Bank and legal conrmations obtained as part of the auditors procedures; (b) Minutes of meetings of shareholders and of those charged with governance; and (c) Such other records or documents as the auditor considers necessary in the circumstances of the entity.
PART A
152
Paragraph # 550.A22
Relevant extracts from ASAs During the audit, the auditor may inspect records of documents that may prove information about related party relationships and transactions, for example: > Third-party conrmations obtained by the auditor (in addition to bank and legal conrmations) > Entity income tax returns > Information supplied by the entity to regulatory authorities > Shareholder registers to identify the entitys principal shareholders > Statements of conicts of interest from management and those charged with governance > Records of the entitys investments and those of its superannuation plans > Contracts and agreements with key management or those charged with governance > Signicant contracts and agreements not in the entitys ordinary course of business > Specic invoices and correspondence from the entitys professional advisers > Life insurance policies acquired by the entity > Signicant contracts re-negotiated by the entity during the period > Internal auditors reports > Documents associated with the entitys lings with a securities regulator (for example, prospectuses).
550.16
If the auditor identies signicant transactions outside the entitys normal course of business when performing the audit procedures required by paragraph 15 of this Auditing Standard or through other audit procedures, the auditor shall enquire of management about: (Ref: Para. A24-A25) (a) The nature of these transactions; and (Ref: Para. A26) (b) Whether related parties could be involved. (Ref: Para. A27)
550.17 550.18
The auditor shall share relevant information obtained about the entitys related parties with the other members of the engagement team. (Ref: Para. A28) In meeting the ASA 315 requirement to identify and assess the risks of material misstatement, the auditor shall identify and assess the risks of material misstatement associated with related party relationships and transactions and determine whether any of those risks are signicant risks. In making this determination, the auditor shall treat identied signicant related party transactions outside the entitys normal course of business as giving rise to signicant risks. If the auditor identies fraud risk factors (including circumstances relating to the existence of a related party with dominant inuence) when performing the risk assessment procedures and related activities in connection with related parties, the auditor shall consider such information when identifying and assessing the risks of material misstatement due to fraud in accordance with ASA 240. (Ref: Para. A6 and A29-A30)
550.19
Core concepts
153
To identify and assess the risks of material misstatement associated with related party relationships and transactions, the auditor would consider the matters set out below. See toolkit item 515: Worksheet Understanding related parties.
PART A
Exhibit 10.2-1
Identifying risks Address existence/ nature/impact of related parties and transactions Description Enquire about the: > Identity of related parties, including changes from prior period > Nature of relationships between the entity and related parties > Type and purpose of any transactions with related parties > Controls, if any, that management has established to: Identify, account for and disclose related party relationships and transactions in accordance with the applicable nancial reporting framework Authorise and approve signicant transactions and arrangements with related parties, and Authorise and approve signicant transactions and arrangements outside the normal course of business. Consider possible fraud Discuss among the engagement team the susceptibility of the nancial report to material misstatement due to fraud or error resulting from related party relationships and transactions. Also consider whether domination of management occurs by a single person or a small group of persons without compensating controls. Indicators of dominant inuence include: > The related party has vetoed signicant business decisions made by management or those charged with governance > Signicant transactions are referred to the related party for nal approval > There is little or no debate among management and those charged with governance regarding business proposals initiated by the related party, and > Transactions involving the related party (or a close family member of the related party) are rarely independently reviewed and approved. Dominant inuence may also exist in some cases if the related party has played a leading role in founding the entity and continues to play a leading role in managing the entity. If fraud risk factors are identied, make an assessment of the risks of material misstatement. If a risk of material misstatement could occur, develop an appropriate audit response.
154
Identifying risks Remain alert when inspecting records or documents
Description When inspecting records or documents always remain alert to undisclosed related party relationships or transactions. In particular, inspect the following records and documents for related parties not previously identied or disclosed: > Bank and legal conrmations obtained > Minutes of meetings of shareholders and of those charged with governance, and > Such other records or documents as considered necessary in the circumstances. Always share information obtained about possible related parties with other team members.
Identify signicant risks
Signicant related party transactions outside the normal course of business would give rise to signicant risks.
Consider point
In smaller entities, the identication of related-party transactions can often be difcult. If the client uses a standard software package to record transactions, consider obtaining an electronic copy of the transactions and importing them into an electronic spreadsheet. By using the sort features and conguring the selection criteria, it may be possible to obtain information about customers/ suppliers with only a few, but large transactions, or those with signicant transactions of a size or nature that is unusual.
10.3
550.20
Risk response
Relevant extracts from ASAs As part of the ASA 330 requirement that the auditor respond to assessed risks, the auditor designs and performs further audit procedures to obtain sufcient appropriate audit evidence about the assessed risks of material misstatement associated with related party relationships and transactions. These audit procedures shall include those required by paragraphs 21-24 of this Auditing Standard. (Ref: Para. A31-A34) If the auditor identies arrangements or information that suggests the existence of related party relationships or transactions that management has not previously identied or disclosed to the auditor, the auditor shall determine whether the underlying circumstances conrm the existence of those relationships or transactions. (Ref: Para. Aus A34.1)
Paragraph #
550.21
Core concepts
155
Paragraph # 550.22
Relevant extracts from ASAs If the auditor identies related parties or signicant related party transactions that management has not previously identied or disclosed to the auditor, the auditor shall: (a) Promptly communicate the relevant information to the other members of the engagement team; (Ref: Para. A35) (b) Where the applicable nancial reporting framework establishes related party requirements: (i) (ii) Request management to identify all transactions with the newly identied related parties for the auditors further evaluation; and Enquire as to why the entitys controls over related party relationships and transactions failed to enable the identication or disclosure of the related party relationships or transactions;
(c) Perform appropriate substantive audit procedures relating to such newly identied related parties or signicant related party transactions; (Ref: Para. A36) (d) Reconsider the risk that other related parties or signicant related party transactions may exist that management has not previously identied or disclosed to the auditor, and perform additional audit procedures as necessary; and (e) If the non-disclosure by management appears intentional (and therefore indicative of a risk of material misstatement due to fraud), evaluate the implications for the audit. (Ref: Para. A37) 550.23 For identied signicant related party transactions outside the entitys normal course of business, the auditor shall: (a) Inspect the underlying contracts or agreements, if any, and evaluate whether: (i) The business rationale (or lack thereof) of the transactions suggests that they may have been entered into to engage in fraudulent nancial reporting or to conceal misappropriation of assets; (Ref: Para. A38-A39) The terms of the transactions are consistent with managements explanations; and
(ii)
(iii) The transactions have been appropriately accounted for and disclosed in accordance with the applicable nancial reporting framework; and (b) Obtain audit evidence that the transactions have been appropriately authorised and approved. (Ref: Para. A40-A41) 550.24 If management has made an assertion in the nancial report to the effect that a related party transaction was conducted on terms equivalent to those prevailing in an arms length transaction, the auditor shall obtain sufcient appropriate audit evidence about the assertion. (Ref: Para. A42-A45)
PART A
156
In responding to the identied risks of material misstatement associated with related party relationships and transactions, the auditor would consider the matters set out below.
Exhibit 10.3-1
Address Where auditor identies arrangements or information that suggests existence of related party relationships or transactions Description > Determine whether underlying circumstances conrm their existence > Promptly communicate the information to the engagement team > Request management to identify all transactions with the related party > If related party was not previously identied ask why. Consider: Failure of any related party identication controls, and Fraud (non-disclosure by management appears intentional) > Reconsider the risk that other undisclosed related parties or signicant related party transactions may exist and perform additional audit procedures as necessary, and > Perform appropriate substantive audit procedures. Signicant related party transactions outside normal course of business > Inspect underlying contracts or agreements, if any, and evaluate whether: Rationale suggests possible fraudulent nancial reporting or concealment of misappropriated assets Terms are consistent with managements explanations, and Transactions are accounted for and disclosed in accordance with the applicable nancial reporting framework, and > Ensure transactions have been appropriately authorised and approved. Managements assertions Obtain sufcient appropriate audit evidence about managements assertions about the nature and extent of related party transactions. Consider whether external conrmation of the balances would provide reliable evidence. Consider the collectability and valuation of period end balances.
See toolkit item 666: Worksheet Related-party transactions.
Core concepts
157
10.4
550.25
Reporting
Relevant extracts from ASAs In forming an opinion on the nancial report in accordance with ASA 700, the auditor shall evaluate: (Ref: Para. A46) (a) Whether the identied related party relationships and transactions have been appropriately accounted for and disclosed in accordance with the applicable nancial reporting framework; and (Ref: Para. A47) (b) Whether the effects of the related party relationships and transactions: (i) (ii) Prevent the nancial report from achieving fair presentation (for fair presentation frameworks); or Cause the nancial report to be misleading (for compliance frameworks).
Paragraph #
550.26
Where the applicable nancial reporting framework establishes related party requirements, the auditor shall obtain written representations from management and, where appropriate, those charged with governance that: (Ref: Para. A48-A49) (a) They have disclosed to the auditor the identity of the entitys related parties and all the related party relationships and transactions of which they are aware; and (b) They have appropriately accounted for and disclosed such relationships and transactions in accordance with the requirements of the framework.
550.27
Unless all of those charged with governance are involved in managing the entity, the auditor shall communicate with those charged with governance signicant matters arising during the audit in connection with the entitys related parties. (Ref: Para. A50) If the auditor is unable to: (a) Obtain sufcient appropriate audit evidence regarding related parties and related party transactions; or (b) Form a conclusion as to the completeness of the disclosure of related party relationships and transactions in accordance with the applicable nancial reporting framework; the auditor shall modify the auditors opinion in accordance with ASA 705.
550 Aus27.1
550 Aus 27.2 550.28
If the auditor concludes that the related party disclosures in the nancial report do not satisfy the requirements of the applicable nancial reporting framework, the auditor shall modify the auditors opinion in accordance with ASA 705. The auditor shall include in the audit documentation the names of the identied related parties and the nature of the related party relationships.
The auditor would consider the following matters.
PART A
158
Exhibit 10.4-1
Address Document and report Description > Document the names of the identied related parties and the nature of the related party relationships, and > Communicate with those charged with governance any signicant matters arising during the audit in connection with related parties. Obtain management representation Obtain written representations from management (and those charged with governance) that: > All related parties and transactions have been disclosed, and > Such relationships and transactions have been appropriately accounted for and disclosed in the nancial report. Determine if the audit opinion needs to be modied Modify the auditors report if: > It is not possible to obtain sufcient appropriate audit evidence concerning related parties and transactions or form a conclusion as to the completeness of the disclosure, or > Managements disclosure in the nancial report does not satisfy the applicable nancial reporting framework.
Core concepts
159
11.
Subsequent events
Relevant ASA
Chapter content Auditors responsibility regarding subsequent events.
560
PART A
Paragraph # 560.4
ASA objective(s) The objectives of the auditor are: (a) To obtain sufcient appropriate audit evidence about whether events occurring between the date of the nancial report and the date of the auditors report that require adjustment of, or disclosure in, the nancial report are appropriately reected in that nancial report in accordance with the applicable nancial reporting framework; and (b) To respond appropriately to facts that become known to the auditor after the date of the auditors report that, had they been known to the auditor at that date, may have caused the auditor to amend the auditors report.
Paragraph # 560.5
Relevant extracts from ASAs For the purposes of the Australian Auditing Standards, the following terms have the meanings attributed below: (a) Date of the nancial report means the date of the end of the latest period covered by the nancial reports. Date of approval of the nancial report means the date on which all the reports that comprise the nancial report, including the related notes, have been prepared and those with the recognised authority have asserted that they have taken responsibility for that nancial report. (Ref: Para. A2) (b) Date of the auditors report means the date the auditor dates the report on the nancial report in accordance with ASA 700. (Ref: Para. A3-Aus A3.1) (c) Date the nancial report is issued means the date that the auditors report and audited nancial report are made available to third parties. (Ref: Para. A4-A5) (d) Subsequent events means events occurring between the date of the nancial report and the date of the auditors report, and facts that become known to the auditor after the date of the auditors report.
11.1
Overview
This standard provides guidance on the auditors responsibility regarding subsequent events. Subsequent events occur after the date of the nancial report (the period-end date). Other key dates in the preparation, audit and release of the nancial report are outlined in the exhibit following. See toolkit item 650: Subsequent events.
160
Exhibit 11.1-1
Date of management approval of financial report Date of auditors report on financial report
Date of financial report
Date financial report is issued
Timelines
Obtain evidence about subsequent events Respond to new facts that become known
Subsequent events refers to: > Events occurring between the date of the nancial report and the date of the auditors report > Facts that become known to the auditor after the date of the auditors report.
Paragraph # 560.6 Relevant extracts from ASAs The auditor shall perform audit procedures designed to obtain sufcient appropriate audit evidence that all events occurring between the date of the nancial report and the date of the auditors report that require adjustment of, or disclosure in, the nancial report have been identied. The auditor is not, however, expected to perform additional audit procedures on matters to which previously applied audit procedures have provided satisfactory conclusions. (Ref: Para. A6) The auditor shall perform the procedures required by paragraph 6 of this Auditing Standard so that they cover the period from the date of the nancial report to the date of the auditors report, or as near as practicable thereto. The auditor shall take into account the auditors risk assessment in determining the nature and extent of such audit procedures, which shall include the following: (Ref: Para. A7-A8) (a) Obtaining an understanding of any procedures management has established to ensure that subsequent events are identied. (b) Enquiring of management and, where appropriate, those charged with governance as to whether any subsequent events have occurred which might affect the nancial report. (Ref: Para. A9) (c) Reading minutes, if any, of the meetings, of the entitys owners, management and those charged with governance, that have been held after the date of the nancial report and enquiring about matters discussed at any such meetings for which minutes are not yet available. (Ref: Para. A10) (d) Reading the entitys latest subsequent interim nancial report, if any.
560.7
Core concepts
161
Paragraph # 560.8
Relevant extracts from ASAs If, as a result of the procedures performed as required by paragraphs 6 and 7 of this Auditing Standard, the auditor identies events that require adjustment of, or disclosure in, the nancial report, the auditor shall determine whether each such event is appropriately reected in that nancial report in accordance with the applicable nancial reporting framework. The auditor shall request management and, where appropriate, those charged with governance, to provide a written representation in accordance with ASA 580 that all events occurring subsequent to the date of the nancial report and for which the applicable nancial reporting framework requires adjustment or disclosure have been adjusted or disclosed. The auditor has no obligation to perform any audit procedures regarding the nancial report after the date of the auditors report. However, if, after the date of the auditors report but before the date the nancial report is issued, a fact becomes known to the auditor that, had it been known to the auditor at the date of the auditors report, may have caused the auditor to amend the auditors report, the auditor shall: (Ref: Para. A11) (a) Discuss the matter with management and, where appropriate, those charged with governance. (b) Determine whether the nancial report needs amendment and, if so, (c) Enquire how management intends to address the matter in the nancial report.
560.10
560.11
If management amends the nancial report, the auditor shall: (a) Carry out the audit procedures necessary in the circumstances on the amendment. (b) Unless the circumstances in paragraph 12 of this Auditing Standard apply: (i) (ii) Extend the audit procedures referred to in paragraphs 6 and 7 of this Auditing Standard to the date of the new auditors report; and Provide a new auditors report on the amended nancial report. The new auditors report shall not be dated earlier than the date of approval of the amended nancial report.
560.12
Where law, regulation or the nancial reporting framework does not prohibit management from restricting the amendment of the nancial report to the effects of the subsequent event or events causing that amendment and those responsible for approving the nancial report are not prohibited from restricting their approval to that amendment, the auditor is permitted to restrict the audit procedures on subsequent events required in paragraph 11(b)(i) of this Auditing Standard to that amendment. In such cases, the auditor shall either: (a) Amend the auditors report to include an additional date restricted to that amendment that thereby indicates that the auditors procedures on subsequent events are restricted solely to the amendment of the nancial report described in the relevant note to the nancial report; or (Ref: Para. A12) (b) Provide a new or amended auditors report that includes a statement in an Emphasis of Matter paragraph or Other Matter paragraph that conveys that the auditors procedures on subsequent events are restricted solely to the amendment of the nancial report as described in the relevant note to the nancial report.
PART A
560.9
162
Relevant extracts from ASAs For an audit engagement conducted under the Corporations Act 2001, management, and those charged with governance, are prohibited from restricting an amendment of the nancial report to the effects of the subsequent event or events causing that amendment. Consequently, the auditor is prohibited from restricting audit procedures as required under paragraph 11(b) (i) of this Auditing Standard to such an amendment. In some jurisdictions, management may not be required by law, regulation or the nancial reporting framework to issue an amended nancial report and, accordingly, the auditor need not provide an amended or new auditors report. However, if management does not amend the nancial report in circumstances where the auditor believes they need to be amended, then: (Ref: Para. A13-A14) (a) If the auditors report has not yet been provided to the entity, the auditor shall modify the opinion as required by ASA 705 and then provide the auditors report; or (b) If the auditors report has already been provided to the entity, the auditor shall notify management and, unless all of those charged with governance are involved in managing the entity, those charged with governance, not to issue the nancial report to third parties before the necessary amendments have been made. If the nancial report is nevertheless subsequently issued without the necessary amendments, the auditor shall take appropriate action, to seek to prevent reliance on the auditors report. (Ref. Para. A15-A16)
560.13
560.14
After the nancial report has been issued, the auditor has no obligation to perform any audit procedures regarding such nancial report. However, if, after the nancial report has been issued, a fact becomes known to the auditor that, had it been known to the auditor at the date of the auditors report, may have caused the auditor to amend the auditors report, the auditor shall: (a) Discuss the matter with management and, where appropriate, those charged with governance. (b) Determine whether the nancial report needs amendment and, if so, (c) Enquire how management intends to address the matter in the nancial report.
560.15
If management amends the nancial report, the auditor shall: (Ref: Para. A17) (a) Carry out the audit procedures necessary in the circumstances on the amendment. (b) Review the steps taken by management to ensure that anyone in receipt of the previously issued nancial report together with the auditors report thereon is informed of the situation. (c) Unless the circumstances in paragraph 12 of this Auditing Standard apply: (i) Extend the audit procedures referred to in paragraphs 6 and 7 of this Auditing Standard to the date of the new auditors report, and date the new auditors report no earlier than the date of approval of the amended nancial report; and Provide a new auditors report on the amended nancial report.
(ii)
(d) When the circumstances in paragraph 12 of this Auditing Standard apply, amend the auditors report, or provide a new auditors report as required by paragraph 12 of the Auditing Standard.
Core concepts
163
Paragraph # 560.16
Relevant extracts from ASAs The auditor shall include in the new or amended auditors report an Emphasis of Matter paragraph or Other Matter(s) paragraph referring to a note to the nancial report that more extensively discusses the reason for the amendment of the previously issued nancial report and to the earlier report provided by the auditor. If management does not take the necessary steps to ensure that anyone in receipt of the previously issued nancial report is informed of the situation and does not amend the nancial report in circumstances where the auditor believes they need to be amended, the auditor shall notify management and, unless all of those charged with governance are involved in managing the entity, those charged with governance that the auditor will seek to prevent future reliance on the auditors report. If, despite such notication, management or those charged with governance do not take these necessary steps, the auditor shall take appropriate action to seek to prevent reliance on the auditors report. (Ref: Para. A18)
Date of the nancial report approval

This may be determined as shown in the exhibit below:
Exhibit 11.1-2
Date of the report The earlier date on which those with the recognised authority: > Determine that all the statements that comprise the nancial report, including the related notes, have been prepared > Have asserted that they have taken responsibility for that nancial report. The recognised authority > Individuals prescribed by law or regulation who follow the necessary nancial report approval procedures > Individuals specied by the entity itself who follow their own nancial report approval procedures. Need for shareholder approval Final approval by shareholders is not necessary for the auditor to conclude that sufcient appropriate audit evidence on which to base the auditors opinion on the nancial report has been obtained.
In determining the existence of subsequent events and assessing their impact, the auditor would carry out the steps set out below.
PART A
560.17
164
Exhibit 11.1-3
Procedure Identify any subsequent events Description Perform audit procedures to identify any subsequent events that would require adjustment of, or disclosure in, the nancial report. This would include: > Understanding management procedures (if any) to identify subsequent events > Making enquiries of management (and those charged with governance) about: New commitments, borrowings or guarantees Sales or acquisitions of assets that have occurred or are planned Increases in capital or issuance of debt instruments Agreements to merge or liquidate Assets that have been appropriated by government or destroyed (eg. by re or ood) Litigation, claims and contingencies Any unusual accounting adjustments made or contemplated Any events that have occurred, or are likely to occur, that will bring into question the appropriateness of the going-concern assumption or other accounting policies Any events relevant to the measurement of estimates or provisions in the nancial report, and Any events relevant to the recoverability of assets. > Reading minutes, if any, of the meetings (management and those charged with governance) held after the date of the nancial report and enquiring about matters discussed at meetings for which minutes are not yet available, and > Reading nancial reports produced after the period end, if any. Obtain written representations Consider whether written representations covering particular subsequent events may be necessary to support other audit evidence and thereby obtain sufcient appropriate audit evidence.
Core concepts
165
Procedure Facts become known to the auditor (after date of auditors report but before the nancial report is issued)
Description > Discuss the matter with management (and those charged with governance) > Determine whether the nancial report needs amendment and, if so: Enquire how management intends to address the matter in the nancial report Perform any further audit procedures required, and Issue a new auditors report on the amended nancial report. This could also include dual dating of the report, restricted to the amendment (see Part A, Chapter 11.2) or inclusion of an emphasis of matter paragraph. > Where management does not amend the nancial report, the auditor would issue a modied auditors opinion > If the auditors report has already been released, notify management (and those charged with governance) not to issue the nancial report to third parties before the necessary amendments have been made > If the nancial report is released despite the notication, take appropriate action (after consulting with legal counsel) to prevent reliance on the auditors report.
Facts become known to the auditor (after the nancial report has been issued)
> Discuss the matter with management (and those charged with governance) > Determine whether the nancial report needs amendment and, if so, enquire how management intends to address the matter in the nancial report > If management amends the nancial report: Extend the subsequent event audit procedures to the date of the new auditors report unless the auditors report is amended to include an additional date restricted to a particular amendment (see Part A, Chapter 11.2) Perform any further audit procedures required Review managements actions to ensure anyone in receipt of the previously issued nancial report and auditors report thereon is informed of the situation, and Provide a new auditors report on the amended nancial report. > Issue a new or amended auditors report that includes an Emphasis of Matter paragraph (see Part A, Chapter 11.2). If management does not take steps to ensure anyone in receipt of the previously issued nancial report is informed of the situation: Notify management (and those charged with governance) that the auditor will take appropriate action to seek to prevent reliance on the auditors report. > If, despite such notication, management (or those charged with governance) do not take the necessary steps, take appropriate action (such as consulting with legal counsel) to prevent reliance on the auditors report.
PART A
166
Consider point
It is in the interests of both the auditor and the client to complete the work necessary to issue the auditors report on a timely basis. This will minimise the extent of work involved to identify, assess and possibly disclose subsequent events in the nancial report.
11.2
Dual dating
Subsequent events that become known after the date of the auditors report often result in additional audit work being required that affects account balances, accounting estimates, provisions and other disclosures in the nancial report. In such situations a new auditors report would be issued that would not be dated earlier than the date of approval of the amended nancial report. For an audit engagement conducted under the Corporations Act 2001, ASA 560 Aus 12.1 makes it clear that the auditor is prohibited from restricting an amendment of the nancial report to the effects of the subsequent event(s) that are causing the amendment. Consequently dual dating of audit reports issued in connection with Corporations Act audits is not permitted. However, for certain subsequent events, the additional audit work required can be restricted solely to the amendment of the nancial report as described in the relevant note to the nancial report. In these situations, the original date of the auditors report would be retained but a new date is added (dual dating) to inform readers that the auditors procedures subsequent to the original date were restricted to the subsequent amendment. Note: Caution must be used when considering dual dating in Australia. The situation will depend greatly on the non-Corporations Act legislation or regulations under which the audit is being conducted. Situations such as this are likely to be rare. An example of a situation involving dual dating: > The original auditors report was dated September 15, 20xx, > On October 22, 20xx the entity announced the sale of a major part of its business. A new note (Y), describing the event was prepared by management for inclusion in the nancial report; and > The audit work performed on the details of note (Y) was completed on November 3, 20xx The revised wording for dual dating the auditors report would be as follows: September 15, 20xx except as to Note Y, which is as of November 3, 20xx.
Core concepts
167
12.
Going concern
Relevant ASA
Chapter content Auditors responsibility with respect to managements use of the going-concern assumption in the nancial report and managements assessment of the entitys ability to continue as a going concern.
570
PART A
Exhibit 12.0-1
Consider and ask management about existence of any events/conditions that may cast doubt on entity's ability to continue as a going concern. Review management assessment of possible events/conditions and any response/plans. Remain alert for possible conditions or events throughout audit. If events/conditions have been identified: > Ask management for their plan of action > Evaluate managements plan of action > Review reliability of data used and support for assumptions used in cash flow forecasts. Ask management about events/ conditions beyond managements assessment period. Consider any additional facts or information that has become available.
Risk assessment
Determine whether: > A material uncertainty exists in relation to the identified events/ conditions > The use of the going-concern assumption is appropriate. Does financial report fully describe any going-concern events/ conditions and disclose any material uncertainty? Obtain management representations.
Paragraph # 570.9
ASA objective(s) The objectives of the auditor are: (a) To obtain sufcient appropriate audit evidence regarding the appropriateness of managements use of the going concern assumption in the preparation of the nancial report; (b) To conclude, based on the audit evidence obtained, whether a material uncertainty exists related to events or conditions that may cast signicant doubt on the entitys ability to continue as a going concern; and (c) To determine the implications for the auditors report.
12.1
Overview
The going-concern assumption is fundamental to the preparation of the nancial report.
Reporting
Risk response
168
ASA 570 provides guidance on the auditors responsibility in the audit of the nancial report with respect to the going-concern assumption and managements assessment of the entitys ability to continue as a going concern.
Paragraph # 570.2 Relevant extracts from ASAs Under the going concern assumption, an entity is viewed as continuing in business for the foreseeable future. A general purpose nancial report is prepared on a going concern basis, unless management either intends to liquidate the entity or to cease operations, or has no realistic alternative but to do so. A special purpose nancial report may or may not be prepared in accordance with a nancial reporting framework for which the going concern basis is relevant (for example, the going concern basis is not relevant for some nancial reports prepared on a tax basis in particular jurisdictions). When the use of the going concern assumption is appropriate, assets and liabilities are recorded on the basis that the entity will be able to realise its assets and discharge its liabilities in the normal course of business. (Ref: Para. A1)
Under the going-concern assumption, an entity is ordinarily viewed as continuing in business for the foreseeable future with neither the intention nor the necessity of liquidation, ceasing trading or seeking protection from creditors pursuant to laws or regulations. Accordingly, assets and liabilities are recorded on the basis that the entity will be able to realise its assets and discharge its liabilities in the normal course of business.
12.2
570.10

Relevant extracts from ASAs When performing risk assessment procedures as required by ASA 315, the auditor shall consider whether there are events or conditions that may cast signicant doubt on the entitys ability to continue as a going concern. In so doing, the auditor shall determine whether management has already performed a preliminary assessment of the entitys ability to continue as a going concern, and: (Ref: Para. A2-A5) (a) If such an assessment has been performed, the auditor shall discuss the assessment with management and determine whether management has identied events or conditions that, individually or collectively, may cast signicant doubt on the entitys ability to continue as a going concern and, if so, managements plans to address them; or (b) If such an assessment has not yet been performed, the auditor shall discuss with management the basis for the intended use of the going concern assumption, and enquire of management whether events or conditions exist that, individually or collectively, may cast signicant doubt on the entitys ability to continue as a going concern.
Paragraph #
570.11
The auditor shall remain alert throughout the audit for audit evidence of events or conditions that may cast signicant doubt on the entitys ability to continue as a going concern. (Ref: Para. A6)
Core concepts
169
The requirements are summarised in the following exhibit:
Exhibit 12.2-1
Any events that may cast significant doubt on entity's ability to continue as a going concern? Has management performed a preliminary assessment of the entitys ability to continue as a going concern? No Discuss existence of any events/conditions with management and obtain their response. Evaluate managements plan of action and/or supporting documentation. Identify any events/ conditions and obtain managements action plans in response.
Ask
Yes
Remain alert throughout audit for evidence of events/ conditions that may cast significant doubt on entity's ability to continue as a going concern.
Conclude if a material uncertainty exists or if the use of the goingconcern assumption is inappropriate.
Examples of some events or conditions that, individually or collectively, may cast signicant doubt about the going-concern assumption are set out below.
Exhibit 12.2-2
Indicators Financial Descriptions > Net liability or net current liability position > Fixed-term borrowings approaching maturity without realistic prospects of renewal or repayment or excessive reliance on shortterm borrowings to nance long-term assets > Indications of withdrawal of nancial support by creditors > Negative operating cash ows indicated by historical or prospective nancial reports > Adverse key nancial ratios > Substantial operating losses or signicant deterioration in the value of assets used to generate cash ows > Arrears or discontinuance of dividends > Inability to pay creditors on due dates > Inability to comply with the terms of loan agreements > Change from credit to cash-on-delivery transactions with suppliers > Inability to obtain nancing for essential new product development or other essential investments.
PART A
170
Indicators Operating
Descriptions > Managements intentions to liquidate the entity or to cease operations > Loss of key management without replacement > Loss of a major market, key customer(s), franchise, licence or principal supplier(s) > Labour difculties > Shortages of important supplies > Emergence of a highly successful competitor.
Other
> Non-compliance with capital or other statutory requirements > Pending legal or regulatory proceedings against the entity that may, if successful, result in claims that the entity is unlikely to be able to satisfy > Changes in law or regulation or government policy expected to adversely affect the entity > Uninsured or underinsured catastrophes.
The signicance of the above events or conditions can often be mitigated by other factors. For example, the effect of an entity being unable to make its normal debt repayments may be counterbalanced by managements plans to maintain adequate cash ows by alternative means, such as by disposing of assets, rescheduling loan repayments or obtaining additional capital. Similarly, the loss of a principal supplier may be mitigated by the availability of a suitable alternative source of supply.
12.3
570.12
Evaluating managements assessment

Relevant extracts from ASAs The auditor shall evaluate managements assessment of the entitys ability to continue as a going concern. (Ref: Para. A7-A9; A11-A12) In evaluating managements assessment of the entitys ability to continue as a going concern, the auditor shall consider the relevant period, which may be the same or may differ from that used by management to make its assessment, as required by the applicable nancial reporting framework. If managements assessment of the entitys ability to continue as a going concern covers less than the relevant period, the auditor shall request management to correspond to the relevant period used by the auditor. (Ref: Para. A10-A12) Relevant period means the period of approximately 12 months from the date of the auditors current report to the expected date of the auditors report for: (a) The next annual reporting period in the case of an annual nancial report; or (b) The corresponding reporting period for the following year in the case of an interim reporting period.
Paragraph #
570 Aus 13.1
570 Aus 13.2
Core concepts
171
Paragraph # 570.14
Relevant extracts from ASAs In evaluating managements assessment, the auditor shall consider whether managements assessment includes all relevant information of which the auditor is aware as a result of the audit. The auditor shall enquire of management as to its knowledge of events or conditions beyond the period of managements assessment that may cast signicant doubt on the entitys ability to continue as a going concern. (Ref: Para. A13-A14)
570.15
Evaluating managements plans in smaller entities

Management of smaller entities may not have prepared a detailed assessment of the entitys ability to continue as a going concern. They may rely instead on their in-depth knowledge of the business and anticipated future prospects. The auditors typical evaluation procedures would include: > Discussing medium- and long-term nancing with management > Corroborating managements intentions with the understanding of the entity obtained and documentary evidence > Satisfying the requirement for management to correspond with the relevant period used by the auditor which is approximately 12 months from the date of the auditors report. This could be achieved through discussion, enquiry and inspection of supporting documentation and the results evaluated by the auditor as to their feasibility. For example, a prediction of future sales revenues could be supported by potential sales orders or sales contracts, and > Enquiring if management has knowledge of events/conditions beyond the period of managements assessment that would cast signicant doubt on the entitys ability to continue as a going concern. Particular factors that could cast signicant doubt on the entitys ability to continue as a going concern include: > The entitys ability to withstand adverse conditions Small entities may be able to respond quickly to exploit opportunities, but may lack reserves to sustain operations. > Availability of nancing This could include banks and other lenders ceasing to support the entity. It could also include a withdrawal or major alteration in the terms of a loan or loan guarantees from the owner-manager (or other related parties such as family members).
PART A
172
> Other major changes This could include the possible loss of a principal supplier, major customer, key employee or the right to operate under a licence, franchise or other legal agreement. The following exhibit sets out the auditors procedures in these situations.
Exhibit 12.3-1
Address Documentary evidence available Description Document: > Terms of any loans and nancing provided to the entity > Details of subordinated loans to a third party such as the bank > Details of nancing by third parties based on guarantees or personal assets pledged as collateral, and > Details of other changes that could cast signicant doubt on the entitys ability to continue as a going concern. Additional support available Evaluate the ability of the owner-manager or other related parties to: > Provide the necessary additional support such as loans or guarantees, and > Meet the obligations under the support arrangements Other major changes Request written conrmations Address the impact on operations of a major change such as loss of key customer, supplier, key employee or loss of sales revenue due to technical obsolescence, new competition etc. Request written conrmation of the: > Terms and conditions of the nancial support being provided, and > The owner-managers intentions or understanding with respect to the support being provided.
See toolkit item 525: Going concern Identifying events and conditions.
Core concepts
173
12.4
570.16
Risk response when events are identied

Relevant extracts from ASAs If events or conditions have been identied that may cast signicant doubt on the entitys ability to continue as a going concern, the auditor shall obtain sufcient appropriate audit evidence to determine whether or not a material uncertainty exists through performing additional audit procedures, including consideration of mitigating factors. These procedures shall include: (Ref: Para. A15) (a) Where management has not yet performed an assessment of the entitys ability to continue as a going concern, requesting management to make its assessment. (b) Evaluating managements plans for future actions in relation to its going concern assessment, whether the outcome of these plans is likely to improve the situation and whether managements plans are feasible in the circumstances. (Ref: Para. A16) (c) Where the entity has prepared a cash ow forecast, and analysis of the forecast is a signicant factor in considering the future outcome of events or conditions in the evaluation of managements plans for future action: (Ref: Para. A17-A18) (i) (ii) Evaluating the reliability of the underlying data generated to prepare the forecast; and Determining whether there is adequate support for the assumptions underlying the forecast.
Paragraph #
(d) Considering whether any additional facts or information have become available since the date on which management made its assessment. (e) Requesting written representations from management and, where appropriate, those charged with governance, regarding their plans for future action and the feasibility of these plans. Aus 16.1 If such events or conditions are identied, the auditor shall consider whether they affect the auditors assessment of the risks of material misstatement in accordance with ASA 315.
Where the auditor identies going-concern events/conditions, the next step is to perform additional procedures (including consideration of mitigating factors) to determine whether or not a material uncertainty exists.
Material uncertainty
Events or conditions may be identied that cast doubt on the entitys ability to continue as a going concern. A material uncertainty exists when the magnitude of its potential impact and likelihood of occurrence is such that, in the auditors judgement, appropriate disclosure of the nature and implications of the uncertainty is necessary for the fair presentation of the nancial report, or in the case of a compliance framework, the nancial report is not to be misleading. Managements action plans to address going-concern issues typically include one or more of the following strategies:
PART A
174
> Liquidating assets > Borrowing money or restructuring debt > Reducing or delaying expenditures > Restructuring operations including products and services > Seeking a merger or acquisition, or > Increasing capital. The following exhibit sets out the steps the auditor would take to address going-concern issues.
Exhibit 12.4-1
Address Obtaining managements assessment and plan Evaluating managements plans of action Description If not already provided, request management to make an assessment of the entitys ability to continue as a going concern.
Evaluate managements future actions to address the going-concern assessment. Address: > Whether outcome of plans improve the situation > Whether the plans are feasible under the circumstances > How reliable the prot/cash ow forecasts are and what support is there for the assumptions used > Identifying, discussing and obtaining evidence for other factors that may affect the entitys ability to continue as going concern, such as: Poor recent operating results Breaches in terms of debentures and loan agreements References in meeting minutes to nancing difculties Existence of litigation/claims and estimates of nancial implications Existence, legality and enforceability of arrangements to provide or maintain nancial support with related and third parties Financial ability of related and third parties to provide additional funds or loan guarantees Other subsequent events, and Indicators of fraud such as management override, ctitious transactions or concealment of material facts.
Core concepts
175
Address Evaluating managements plans of action (continued)
Description > Continued existence, terms and adequacy of borrowing facilities > Reports on regulatory actions > Adequacy of support for any planned disposals of assets. Also consider the impact of any additional facts or information since the date management made its assessment and plans.
Obtaining written conrmations
Request written representations from management (and those charged with governance) regarding their plans for future action and feasibility.
See toolkit item 625: Worksheet Going-concern evaluation.
12.5
570.17
Reporting
Relevant extracts from ASAs Based on the audit evidence obtained, the auditor shall conclude whether, in the auditors judgement, a material uncertainty exists related to events or conditions that, individually or collectively, may cast signicant doubt on the entitys ability to continue as a going concern. A material uncertainty exists when the magnitude of its potential impact and likelihood of occurrence is such that, in the auditors judgement, appropriate disclosure of the nature and implications of the uncertainty is necessary for: (Ref: Para. A19-Aus19.1) (a) In the case of a fair presentation nancial reporting framework, the fair presentation of the nancial report, or (b) In the case of a compliance framework, the nancial report not to be misleading.
Paragraph #
570.18
If the auditor concludes that the use of the going concern assumption is appropriate in the circumstances but a material uncertainty exists, the auditor shall determine whether the nancial report: (a) Adequately describes the principal events or conditions that may cast signicant doubt on the entitys ability to continue as a going concern and managements plans to deal with these events or conditions; and (b) Discloses clearly that there is a material uncertainty related to events or conditions that may cast signicant doubt on the entitys ability to continue as a going concern and, therefore, that it may be unable to realise its assets and discharge its liabilities in the normal course of business. (Ref: Para. A20)
570.19
If adequate disclosure is made in the nancial report, the auditor shall express an unmodied opinion and include an Emphasis of Matter paragraph in the auditors report to: (a) Highlight the existence of a material uncertainty relating to the event or condition that may cast signicant doubt on the entitys ability to continue as a going concern; and (b) Draw attention to the note in the nancial report that discloses the matters set out in paragraph 18 of this Auditing Standard. (Ref: Para. A21-A22)
570.20
If adequate disclosure is not made in the nancial report, the auditor shall express a qualied opinion or adverse opinion, as appropriate, in accordance with ASA 705. The auditor shall state in the auditors report that there is a material uncertainty that may cast signicant doubt about the entitys ability to continue as a going concern. (Ref: Para. A23-Aus A24.2)
PART A
176
Paragraph # 570.21
Relevant extracts from ASAs If the nancial report has been prepared on a going concern basis but, in the auditors judgement, managements use of the going concern assumption in the nancial report is inappropriate, the auditor shall express an adverse opinion. (Ref: Para. A25-A26) If management is unwilling to make or extend its assessment when requested to do so by the auditor, the auditor shall consider the implications for the auditors report. (Ref: Para. A27-Aus A27.2) Unless all those charged with governance are involved in managing the entity, the auditor shall communicate with those charged with governance events or conditions identied that may cast signicant doubt on the entitys ability to continue as a going concern. Such communication with those charged with governance shall include the following: (a) Whether the events or conditions constitute a material uncertainty; (b) Whether the use of the going concern assumption is appropriate in the preparation and presentation of the nancial report; and (c) The adequacy of related disclosures in the nancial report; and Aus 23.1 Whether management is unwilling to make or extend its assessment as described in paragraph 22 of this Auditing Standard.
570.22
570.23
570.24
If there is signicant delay in the approval of the nancial report by management or those charged with governance after the date of the nancial report, the auditor shall enquire as to the reasons for the delay. If the auditor believes that the delay could be related to events or conditions relating to the going concern assessment, the auditor shall perform those additional audit procedures necessary, as described in paragraph 16 of this Auditing Standard, as well as consider the effect on the auditors conclusion regarding the existence of a material uncertainty, as described in paragraph 17 of this Auditing Standard.
The nal step is to determine the impact of identied events/conditions on the audit report and communicate the decision to management and those charged with governance, where applicable. The following exhibit summarises the requirements.
Exhibit 12.5-1
Use of going-concern assumption appropriate but a material uncertainty exists Does the financial report fully describe events/ conditions and disclose existence of material uncertainty? No Express a qualified or adverse opinion, and state material uncertainty exists Yes Unmodified opinion plus Emphasis of Matter paragraph
Use of going-concern assumption Inappropriate
Express an adverse opinion
Core concepts
177
13.
Summary of other ASA requirements

Relevant ASAs
Chapter content A summary of audit requirements in specic ASAs that are not addressed elsewhere in this Manual.
13.1
Overview
This chapter contains a summary of the audit requirements contained in the ASAs that have not been specically addressed elsewhere in the Manual, as set out in the exhibit below.
Exhibit 13.1-1
ASA 250 402 501 502 510 600 610 620 720 Title Consideration of Laws and Regulations in an Audit of a nancial Report Audit Considerations Relating to an Entity Using a Service Organisation Audit Evidence Specic Considerations for Inventory and Segment Information Audit Evidence Specic Considerations for Litigation and Claims Initial Audit Engagements Opening Balances Special Considerations Audits of a Group Financial Report (Including the Work of Component Auditors) Using the Work of Internal Auditors Using the Work of an Auditors Expert The Auditors Responsibilities Relating to Other Information in Documents Containing an Audited Financial Report Chapter reference Part A, 13.2 Part A, 13.3 Part A, 13.4 Part A, 13.5 Part A, 13.6 Part A, 13.7 Part A, 13.8 Part A, 13.9 Part A, 13.10
PART A
250, 402, 501, 502, 510, 600, 610, 620, 720
178
13.2
ASA 250 Consideration of Laws and Regulations in an Audit of a Financial Report
Exhibit 13.2-1
Risk assessment
Understand: > Legal/regulatory framework and its industry/sector > How entity is complying with framework. Enquire about compliance with laws and regulations. Inspect correspondence with licensing and regulatory authorities. Determine instances of non-compliance through audit procedures such as reading documents, enquiring of management and substantive tests. Determine the nature of any noncompliance, discuss with management and evaluate impact on the financial statements.
Reporting
Have instances of material noncompliance been appropriately disclosed in the financial report? Report to management and those charged with governance. Obtain management representations.
Paragraph # 250.10
ASA objective(s) The objectives of the auditor are: (a) To obtain sufcient appropriate audit evidence regarding compliance with the provisions of those laws and regulations generally recognised to have a direct effect on the determination of material amounts and disclosures in the nancial report; (b) To perform specied audit procedures to help identify instances of noncompliance with other laws and regulations that may have a material effect on the nancial report; and (c) To respond appropriately to non-compliance or suspected non-compliance with laws and regulations identied during the audit.
Paragraph # 250.11
Relevant extracts from ASAs For the purposes of this Auditing Standard, the following term has the meaning attributed below: Non-compliance means acts of omission or commission by the entity, either intentional or unintentional, which are contrary to the prevailing laws or regulations. Such acts include transactions entered into by, or in the name of, the entity, or on its behalf, by those charged with governance, management or employees. Non-compliance does not include personal misconduct (unrelated to the business activities of the entity) by those charged with governance, management or employees of the entity.
Risk response
Core concepts
179
Non-compliance by the entity with laws and regulations could result in a material misstatement of the nancial report. The responsibility for the prevention and detection of non-compliance with laws and regulations rests with management and those charged with governance. Management actions to address these risks could include:
PART A
> Maintaining a register of signicant laws and a record of any complaints received > Monitoring legal requirements and designing procedures/internal controls to ensure compliance with these requirements > Engaging legal advisers to assist in monitoring legal requirements, and > Developing, publicising, implementing and following a code of conduct. When the auditor detects instances of non-compliance, the impact on the nancial report and other aspects of the audit (such as the integrity of management/employees) will need to be considered.
Risk assessment
Paragraph # 250.12 Relevant extracts from ASAs As part of obtaining an understanding of the entity and its environment in accordance with ASA 315, the auditor shall obtain a general understanding of: (a) The legal and regulatory framework applicable to the entity and the industry or sector in which the entity operates; and (b) How the entity is complying with that framework. (Ref: Para. A7) 250.14 The auditor shall perform the following audit procedures to help identify instances of non-compliance with other laws and regulations that may have a material effect on the nancial report: (Ref: Para. A9-A10) (a) Enquiring of management and, where appropriate, those charged with governance, as to whether the entity is in compliance with such laws and regulations; and (b) Inspecting correspondence, if any, with the relevant licensing or regulatory authorities.
Risk assessment procedures involve obtaining a general understanding of the legal and regulatory framework and how the entity complies with that framework. This general understanding could include the matters set out below.
180
Exhibit 13.2-2
Address Identifying laws and regulations relevant to the nancial report Description What laws and regulations address: > The form and content of the nancial report? > Industry-specic nancial reporting issues? > Accounting for transactions under government contracts? > The accrual or recognition of expenses for income tax or pension costs? Making enquiries of management > What other laws or regulations exist that may be expected to have a fundamental effect on the operations of the entity (eg. operating licences, bank covenants, environmental regulations, etc.)? > What policies and procedures are being used for: Ensuring compliance with laws and regulations? Identifying, evaluating and accounting for litigation claims? > What breaches (if any) of regulations and other laws have occurred and resulted in nes, litigation or other consequences? > What pending litigation or other actions exist for alleged noncompliance with laws and regulations? Inspecting correspondence Review correspondence, reports and other interactions with relevant licensing and regulatory authorities.
Risk response
Paragraph # 250.13 Relevant extracts from ASAs The auditor shall obtain sufcient appropriate audit evidence regarding compliance with the provisions of those laws and regulations generally recognised to have a direct effect on the determination of material amounts and disclosures in the nancial report. (Ref: Para. A8) During the audit, the auditor shall remain alert to the possibility that other audit procedures applied may bring instances of non-compliance or suspected non-compliance with laws and regulations to the auditors attention. (Ref: Para. A11-Aus A11-1) The auditor shall request management and, where appropriate, those charged with governance to provide written representations that all known instances of non-compliance or suspected non-compliance with laws and regulations whose effects should be considered when preparing nancial report have been disclosed to the auditor. (Ref: Para. A12) In the absence of identied or suspected non-compliance, the auditor is not required to perform audit procedures regarding the entitys compliance with laws and regulations, other than those set out in paragraphs 12-16 of this Auditing Standard.
250.15
250.16
250.17
Core concepts
181
The audit plan would address matters such as outlined in the following exhibit.
Exhibit 13.2-3
Address Are there instances of non-compliance? Description Audit procedures could include: > Reading minutes and relevant documents, correspondence, etc. > Enquiring of management and legal counsel concerning litigation, claims and assessments, and > Performing substantive tests of details of classes of transactions, account balances or disclosures. Obtain management representations Require management to conrm that all known instances of noncompliance or suspected non-compliance with laws and regulations have been disclosed.
Non-compliance identied or suspected

Paragraph # 250.18 Relevant extracts from ASAs If the auditor becomes aware of information concerning an instance of noncompliance or suspected non-compliance with laws and regulations, the auditor shall obtain (Ref: Para. A13): (a) An understanding of the nature of the act and the circumstances in which it has occurred; and (b) Further information to evaluate the possible effect on the nancial report (Ref: Para. A14). 250.19 If the auditor suspects there may be non-compliance, the auditor shall discuss the matter with management and, where appropriate, those charged with governance. If management or, as appropriate, those charged with governance do not provide sufcient information that supports that the entity is in compliance with laws and regulations and, in the auditors judgement, the effect of the suspected non-compliance may be material to the nancial report, the auditor shall consider the need to obtain legal advice. (Ref: Para. A15-A16) If sufcient information about suspected non-compliance cannot be obtained, the auditor shall evaluate the effect of the lack of sufcient appropriate audit evidence on the auditors opinion. The auditor shall evaluate the implications of non-compliance in relation to other aspects of the audit, including the auditors risk assessment and the reliability of written representations, and take appropriate action. (Ref: Para. A17-A18) Unless all of those charged with governance are involved in management of the entity, and therefore are aware of matters involving identied or suspected non-compliance already communicated by the auditor, the auditor shall communicate with those charged with governance matters involving noncompliance with laws and regulations that come to the auditors attention during the course of the audit, other than when the matters are clearly inconsequential. If, in the auditors judgement, the non-compliance referred to in paragraph 22 of this Auditing Standard is believed to be intentional and material, the auditor shall communicate the matter to those charged with governance as soon as practicable.
250.20
250.21
250.22
250.23
PART A
182
Paragraph # 250.24
Relevant extracts from ASAs If the auditor suspects that management or those charged with governance are involved in non-compliance, the auditor shall communicate the matter to the next higher level of authority at the entity, if it exists, such as an audit committee or supervisory board. Where no higher authority exists, or if the auditor believes that the communication may not be acted upon or is unsure as to the person to whom to report, the auditor shall consider the need to obtain legal advice.
When instances of possible non-compliance with laws and regulations are suspected, the auditor would respond as set out below.
Exhibit 13.2-4
1. 2. Obtain an understanding of the nature of the act and the circumstances. This should be sufcient to evaluate the possible effect on the nancial report. Document the ndings and discuss them with management. If non-compliance is believed to be intentional and material, the auditor should communicate the nding without delay. When adequate information about suspected non-compliance and the potential effects on the nancial report cannot be veried, the auditor should consider the effect of the lack of sufcient appropriate audit evidence on the auditors report. 3. 4. Consider the implications of non-compliance in relation to other aspects of the audit. In particular, consider the reliability of management representations. Report the matter to the next higher level of authority if it involves senior management or those charged with governance. Where no higher authority exists, the auditor would consider the need to obtain legal advice. Express a qualied or an adverse opinion if non-compliance has a material effect on the nancial report, and has not been properly reected in the nancial report. (See Part B, Chapter 38.)
5.
Documentation
Paragraph # 250.29 Relevant extracts from ASAs The auditor shall include in the audit documentation identied or suspected non-compliance with laws and regulations and the results of discussion with management and, where applicable, those charged with governance and other parties outside the entity. (Ref: Para. A21)
Typical documentation will include: > Copies of relevant records or documents, and > Minutes of discussions held with management, those charged with governance or other parties outside the entity. See toolkit item 645: Litigation, claims and non-compliance.
Core concepts
183
13.3
ASA 402 Audit Considerations Relating to an Entity Using a Service Organisation

ASA objective(s) The objectives of the user auditor, when the user entity uses the services of a service organisation, are: (a) To obtain an understanding of the nature and signicance of the services provided by the service organisation and their effect on the user entitys internal control relevant to the audit, sufcient to identify and assess the risks of material misstatement; and (b) To design and perform audit procedures responsive to those risks.
Paragraph # 402.7
Exhibit 13.3-1
Risk assessment
What internal controls, relevant to the services provided, are in place? To what extent has reliance been placed on controls in place at the service organisation? Is a type 1 or 2 report available?
Risk response
What services (relevant to the audit) are provided by service organisations?
Can sufficient audit evidence be obtained from within the user entity? If not: > Arrange for procedures to be performed at service organisation or > Determine if reliance can be placed on a type 2 report, if available. Enquire about events such as fraud or non-compliance with laws and regulations.
Reporting
Do not make reference to work of a service auditor unless auditor's report has been modified. If insufficient appropriate audit evidence was obtained, modify the auditors report.
PART A
184
Paragraph # 402.8
Relevant extracts from ASAs For the purposes of the Australian Auditing Standards, the following terms have the meanings attributed below: (a) Complementary user entity controls means controls that the service organisation assumes, in the design of its service, will be implemented by user entities, and which, if necessary to achieve control objectives, are identied in the description of its system. (b) Report on the description and design of controls at a service organisation (referred to in this Auditing Standard as a type 1 report) means a report that comprises: (i) A description, prepared by management of the service organisation, of the service organisations system, control objectives and related controls that have been designed and implemented as at a specied date; and A report by the service auditor with the objective of conveying reasonable assurance that includes the service auditors opinion on the description of the service organisations system, control objectives and related controls and the suitability of the design of the controls to achieve the specied control objectives.
(ii)
(c) Report on the description, design and operating effectiveness of controls at a service organisation (referred to in this Auditing Standard as a type 2 report) means a report that comprises: (i) A description, prepared by management of the service organisation, of the service organisations system, control objectives and related controls, their design and implementation as at a specied date or throughout a specied period and, in some cases, their operating effectiveness throughout a specied period; and A report by the service auditor with the objective of conveying reasonable assurance that includes: a. The service auditors opinion on the description of the service organisations system, control objectives and related controls, the suitability of the design of the controls to achieve the specied control objectives, and the operating effectiveness of the controls; and A description of the service auditors tests of the controls and the results thereof.
(ii)
b.
(d) Service auditor means an auditor who, at the request of the service organisation, provides an assurance report on the controls of a service organisation. (e) Service organisation means a third-party organisation (or segment of a thirdparty organisation) that provides services to user entities that are part of those entities information systems relevant to nancial reporting. (f) Service organisations system means the policies and procedures designed, implemented and maintained by the service organisation to provide user entities with the services covered by the service auditors report.
Core concepts
185
Paragraph #
Relevant extracts from ASAs (g) Subservice organisation means a service organisation used by another service organisation to perform some of the services provided to user entities that are part of those user entities information systems relevant to nancial reporting.
(i) User entity means an entity that uses a service organisation and whose nancial report is being audited.
Many entities (including very small ones) often outsource certain nancial processing activities such as: > Payroll > Internet sales > IT services > Asset management (inventory warehousing, investments, etc.), and > Bookkeeping services. This would include processing of transactions, maintaining accounting records and preparing nancial reports. These third-party organisations (providing services relevant to nancial reporting) are referred to as service organisations. Where service organisations are used, the auditor needs to consider the effect of such arrangements on the entitys internal control. This includes: > Obtaining sufcient information to assess the risks of material misstatement, and > Designing an appropriate response. In smaller entities the outsourced services may well be important to the ongoing operation of the entity, but may not be relevant to the audit. This would occur where there are sufcient internal controls within the entity to address the risks of material misstatement or where substantive audit procedures can be performed to address the identied risks. Consider point
Using a service organisation to prepare the draft nancial report does not relieve management (and those charged with governance) of their responsibilities for the nancial report.
PART A
(h) User auditor means an auditor who audits and reports on the nancial report of a user entity.
186
There are two types of reports that service organisations can provide to their users: > Type 1 reports description and design of controls at a service organisation These reports provide evidence about the design and implementation of controls but not their operating effectiveness. Such reports may be informative but are of limited use to the auditor in understanding whether the key controls, at the service organisation, operated effectively during the period being audited. > Type 2 reports description, design and operating effectiveness of controls These reports can be used by the auditor to consider whether: The controls tested by the service organisation auditor are relevant to the entitys transactions, account balances, disclosures and related assertions The service organisation auditors tests of controls and the results are adequate (ie. the length of the period covered by the service organisation auditors tests and the time elapsed since the performance of those tests).
Risk assessment
Paragraph # 402.9 Relevant extracts from ASAs When obtaining an understanding of the user entity in accordance with ASA 315, the user auditor shall obtain an understanding of how a user entity uses the services of a service organisation in the user entitys operations, including: (Ref: Para. A1-A2) (a) The nature of the services provided by the service organisation and the signicance of those services to the user entity, including the effect thereof on the user entitys internal control; (Ref: Para. A3-A5) (b) The nature and materiality of the transactions processed or accounts or nancial reporting processes affected by the service organisation; (Ref: Para. A6) (c) The degree of interaction between the activities of the service organisation and those of the user entity; and (Ref: Para. A7) (d) The nature of the relationship between the user entity and the service organisation, including the relevant contractual terms for the activities undertaken by the service organisation. (Ref: Para. A8-A11) 402.10 When obtaining an understanding of internal control relevant to the audit in accordance with ASA 315 the user auditor shall evaluate the design and implementation of relevant controls at the user entity that relate to the services provided by the service organisation, including those that are applied to the transactions processed by the service organisation. (Ref: Para. A12-A14)
Core concepts
187
Paragraph # 402.11
Relevant extracts from ASAs The user auditor shall determine whether a sufcient understanding of the nature and signicance of the services provided by the service organisation and their effect on the user entitys internal control relevant to the audit has been obtained to provide a basis for the identication and assessment of risks of material misstatement.
(a) Obtaining a type 1 or type 2 report, if available; (b) Contacting the service organisation, through the user entity, to obtain specic information; (c) Visiting the service organisation and performing procedures that will provide the necessary information about the relevant controls at the service organisation; or (d) Using another auditor to perform procedures that will provide the necessary information about the relevant controls at the service organisation. (Ref: Para. A15-A20)
Where service organisations are used, the auditor would consider the matters set out in the exhibit below.
Exhibit 13.3-2
Address What services (relevant to the audit) are provided? Description > Identify: The nature of services provided Materiality of transactions processed, and Accounts or nancial reporting processes affected. > Review the terms of the contract or service level agreement between the user entity and the service organisation > Determine the degree of interaction (activities) between the service organisation and the entity > Review reports by service organisations, service auditors (including management letters), internal auditors or regulatory authorities on controls at the service organisation.
PART A
402.12
If the user auditor is unable to obtain a sufcient understanding from the user entity, the user auditor shall obtain that understanding from one or more of the following procedures:
188
Address What relevant internal controls are in place?
Description > Are the controls at the service organisation relevant to the audit? If no, a substantive approach is sufcient. If yes, the auditor must get comfort that the controls at the service organisation are appropriately designed and implemented > Are there controls established by the user (that could be tested) that mitigate material processing risks regardless of controls at the service organisation? For example, user controls over payroll could include: Comparing data submitted to the service organisation with reports from the service organisation after data processing Re-computing a sample of the payroll amounts for clerical accuracy, and Reviewing the total amount of the payroll for reasonableness.
Extent of reliance placed on controls in place at service organisation?
> Obtain any type 1 or type 2 reports available. Contracts with service organisations often include the provision of such reports > Contact the service organisation to obtain specic information > Visit the service organisation and perform required procedures, or > Use another auditor to perform required procedures.
Consider point
Check the wording of service organisation reports for possible restrictions as to use. Such restrictions can apply to management, the service organisation and its customers, as well as the entitys auditors.
Risk response
Paragraph # 402.13 Relevant extracts from ASAs In determining the sufciency and appropriateness of the audit evidence provided by a type 1 or type 2 report, the user auditor shall be satised as to: (a) The service auditors professional competence and independence from the service organisation; and (b) The adequacy of the standards under which the type 1 or type 2 report was issued. (Ref: Para. A21) 402.14 If the user auditor plans to use a type 1 or type 2 report as audit evidence to support the user auditors understanding about the design and implementation of controls at the service organisation, the user auditor shall: (a) Evaluate whether the description and design of controls at the service organisation is at a date or for a period that is appropriate for the user auditors purposes; (b) Evaluate the sufciency and appropriateness of the evidence provided by the report for the understanding of the user entitys internal control relevant to the audit; and (c) Determine whether complementary user entity controls identied by the service organisation are relevant to the user entity and, if so, obtain an understanding of whether the user entity has designed and implemented such controls. (Ref: Para. A22-A23)
Core concepts
189
Paragraph # 402.15
Relevant extracts from ASAs In responding to assessed risks in accordance with ASA 330, the user auditor shall: (a) Determine whether sufcient appropriate audit evidence concerning the relevant nancial report assertions is available from records held at the user entity; and, if not, (b) Perform further audit procedures to obtain sufcient appropriate audit evidence or use another auditor to perform those procedures at the service organisation on the user auditors behalf. (Ref: Para. A24-A28)
402.16
When the user auditors risk assessment includes an expectation that controls at the service organisation are operating effectively, the user auditor shall obtain audit evidence about the operating effectiveness of those controls from one or more of the following procedures: (a) Obtaining a type 2 report, if available; (b) Performing appropriate tests of controls at the service organisation; or (c) Using another auditor to perform tests of controls at the service organisation on behalf of the user auditor. (Ref: Para. A29-A30)
402.17
If, in accordance with paragraph 16(a) of this Auditing Standard, the user auditor plans to use a type 2 report as audit evidence that controls at the service organisation are operating effectively, the user auditor shall determine whether the service auditors report provides sufcient appropriate audit evidence about the effectiveness of the controls to support the user auditors risk assessment by: (a) Evaluating whether the description, design and operating effectiveness of controls at the service organisation is at a date or for a period that is appropriate for the user auditors purposes; (b) Determining whether complementary user entity controls identied by the service organisation are relevant to the user entity and, if so, obtaining an understanding of whether the user entity has designed and implemented such controls and, if so, testing their operating effectiveness; (c) Evaluating the adequacy of the time period covered by the tests of controls and the time elapsed since the performance of the tests of controls; and (d) Evaluating whether the tests of controls performed by the service auditor and the results thereof, as described in the service auditors report, are relevant to the assertions in the user entitys nancial report and provide sufcient appropriate audit evidence to support the user auditors risk assessment. (Ref: Para. A31-A39)
402.19
The user auditor shall enquire of management of the user entity whether the service organisation has reported to the user entity, or whether the user entity is otherwise aware of, any fraud, non-compliance with laws and regulations or uncorrected misstatements affecting the nancial report of the user entity. The user auditor shall evaluate how such matters affect the nature, timing and extent of the user auditors further audit procedures, including the effect on the user auditors conclusions and user auditors report. (Ref: Para. A41)
PART A
190
In responding to the assessed risks, the auditor would consider the following matters.
Exhibit 13.3-3
Address Can necessary evidence be obtained from within the entity? Description If yes, obtain sufcient appropriate audit evidence concerning the relevant nancial report assertions involved. If no, perform additional procedures to obtain evidence such as using another auditor to perform procedures at the service organisation on the user auditors behalf. > Consider the auditors professional competence and independence and adequacy of standards under which the report was issued > Evaluate whether the description and design of controls at the service organisation is at a date or for a period that is appropriate for the user auditors purposes > Evaluate the sufciency and appropriateness of the evidence provided by the report for the understanding of the user entitys internal control relevant to the audit, and > Determine whether complementary user entity controls identied by the service organisation are relevant to the user entity and, if so, obtain an understanding of whether the user entity has designed and implemented such controls. Note that a type 1 report provides no evidence that the internal controls at the service organisation operated effectively over a period of time. If a type 2 report is not available it may be necessary for the auditor to perform tests of controls at the service organisation or use another auditor to perform such tests. Testing user records and controls Obtaining audit evidence from the service organisation Where possible, obtain sufcient appropriate audit evidence concerning the relevant nancial report assertions from the records held by the user entity. If user records are not sufcient, obtain audit evidence about the operating effectiveness of controls at the service organisation by: > Obtaining a type 2 report, if available > Performing appropriate tests of controls at the service organisation, or > Using another auditor to perform tests of controls at the service organisation on behalf of the user auditor. Making enquiries about signicant events (fraud, etc.) Enquire of management whether they have become aware (or received notice from the service organisation) of any fraud, non-compliance with laws and regulations or uncorrected misstatements that could affect the nancial report.
Determine extent of reliance that can be placed on the type 1 or type 2 report
Core concepts
191
Reporting
Paragraph # 402.20 Relevant extracts from ASAs The user auditor shall modify the opinion in the user auditors report in accordance with ASA 705 if the user auditor is unable to obtain sufcient appropriate audit evidence regarding the services provided by the service organisation relevant to the audit of the user entitys nancial report. (Ref: Para. A42) The user auditor shall not refer to the work of a service auditor in the user auditors report containing an unmodied opinion unless required by law or regulation to do so. If such reference is required by law or regulation, the user auditors report shall indicate that the reference does not diminish the user auditors responsibility for the audit opinion. (Ref: Para. A43) If reference to the work of a service auditor is relevant to an understanding of a modication to the user auditors opinion, the user auditors report shall indicate that such reference does not diminish the user auditors responsibility for that opinion. (Ref: Para. A44)
402.21
402.22
When a type 1 or 2 report from a service organisation is used, the auditors report on the entity would not make reference to the service organisation report unless required by law. However, a modied auditors report is appropriate if sufcient appropriate audit evidence, relevant to the audit about the service organisation, could not be obtained.
13.4
ASA 501 Audit Evidence Specic Considerations for Inventory and Segment Information
ASA objective(s) The objective of the auditor is to obtain sufcient appropriate audit evidence regarding the: (a) Existence and condition of inventory; and (b) [Deleted by the AUASB. Refer ASA 502 Audit Evidence Specic Considerations for Litigation and Claims] (c) Presentation and disclosure of segment information in accordance with the applicable nancial reporting framework.
Paragraph # 501.3
PART A
192
Attendance at physical inventory count

Paragraph # 501.4 Relevant extracts from ASAs If inventory is material to the nancial report, the auditor shall obtain sufcient appropriate audit evidence regarding the existence and condition of inventory by: (a) Attendance at physical inventory counting, unless impracticable, to: (Ref: Para. A1-A3) (i) Evaluate managements instructions and procedures for recording and controlling the results of the entitys physical inventory counting; (Ref: Para. A4) Observe the performance of managements count procedures; (Ref: Para. A5)
(ii)
(iii) Inspect the inventory; and (Ref: Para. A6) (iv) Perform test counts; and (Ref: Para. A7-A8) (b) Performing audit procedures over the entitys nal inventory records to determine whether they accurately reect actual inventory count results. 501.5 If physical inventory counting is conducted at a date other than the date of the nancial report, the auditor shall, in addition to the procedures required by paragraph 4 of this Auditing Standard, perform audit procedures to obtain audit evidence about whether changes in inventory between the count date and the date of the nancial report are properly recorded. (Ref: Para. A9-A11) If the auditor is unable to attend physical inventory counting due to unforeseen circumstances, the auditor shall make or observe some physical counts on an alternative date and perform audit procedures on intervening transactions. If attendance at physical inventory counting is impracticable, the auditor shall perform alternative audit procedures to obtain sufcient appropriate audit evidence regarding the existence and condition of inventory. If it is not possible to do so, the auditor shall modify the opinion in the auditors report in accordance with ASA 705. (Ref: Para. A12-A14) If inventory under the custody and control of a third party is material to the nancial report, the auditor shall obtain sufcient appropriate audit evidence regarding the existence and condition of that inventory by performing one or both of the following: (a) Request conrmation from the third party as to the quantities and condition of inventory held on behalf of the entity. (Ref: Para. A15) (b) Perform inspection or other audit procedures appropriate in the circumstances. (Ref: Para. A16)
501.6
501.7
501.8
Core concepts
193
Where inventory is material to the nancial report, the auditor would address its existence and condition as set out below.
Exhibit 13.4-1
Procedure Attend the physical count Description
> Observe performance of managements count procedures > Inspect the inventory and perform test counts > Reconcile changes in inventory between the count date and period end, and > Perform alternative procedures if a physical count is impracticable. Conrm/inspect inventory held by others > Request conrmations as to quantities/condition of inventory held, and > Perform inspection or other appropriate audit procedures.
Segment information
Paragraph # 501.13 Relevant extracts from ASAs The auditor shall obtain sufcient appropriate audit evidence regarding the presentation and disclosure of segment information in accordance with the applicable nancial reporting framework by: (Ref: Para. A26) (a) Obtaining an understanding of the methods used by management in determining segment information, and: (Ref: Para. A27) (i) (ii) Evaluating whether such methods are likely to result in disclosure in accordance with the applicable nancial reporting framework; and Where appropriate, testing the application of such methods; and
(b) Performing analytical procedures or other audit procedures appropriate in the circumstances.
As segment information is often not applicable in the audit of SMEs, they have not been addressed any further in this Manual.
13.5
ASA 502 Audit Evidence Specic Considerations for Litigation and Claims
ASA objective The objective of the auditor is to obtain sufcient appropriate audit evidence regarding the completeness of litigation and claims involving the entity.
Paragraph # 502.3
PART A
> Evaluate managements instructions for recording/controlling count results
194
Enquiry regarding litigation and claims

Paragraph # 502.4 Relevant extracts from ASAs The auditor shall design and perform audit procedures in order to identify litigation and claims involving the entity which may give rise to a risk of material misstatement, including: (Ref: Para. A1-Aus A4.1) (a) Enquiry of management and, where applicable, others within the entity, including in-house legal counsel; (b) Reviewing minutes of meetings of those charged with governance and correspondence between the entity and its external legal counsel; and (c) Reviewing legal expense accounts. (Ref: Para. A4) 502.5 If the auditor assesses a risk of material misstatement regarding litigation or claims that have been identied, or when audit procedures performed indicate that other material litigation or claims may exist, the auditor shall endeavour to, in addition to the procedures required by other Australian Auditing Standards, seek direct communication with the entitys external legal counsel. The auditor shall do so through a letter of enquiry, prepared by management and sent by the auditor, requesting the entitys external legal counsel to communicate directly with the auditor. If law, regulation or the respective legal professional body prohibits the entitys external legal counsel from communicating directly with the auditor, the auditor shall perform alternative audit procedures. (Ref: Para. A5-A8) Where in-house legal counsel has the primary responsibility for litigation and claims and is in the best position to corroborate managements representations, the auditor shall endeavour to obtain a representation letter from the in-house legal counsel, seeking information similar to that sought from the entitys external legal counsel. (Ref: Para. Aus A8.1-Aus A8.2) If a response from the entitys external or internal legal counsel contains a material disagreement with managements original evaluation of a particular matter, the auditor shall seek discussions with management and the entitys legal counsel, unless management subsequently agrees with the legal counsels evaluation. (Ref: Para. Aus A8.3-Aus A8.6) If: (a) Management refuses to give the auditor permission to communicate or meet with the entitys external legal counsel, or the entitys external legal counsel refuses to respond appropriately to the letter of enquiry, or is prohibited from responding; and (Ref: Para. Aus 8.7-Aus 8.8) (b) The auditor is unable to obtain sufcient appropriate audit evidence by performing alternative audit procedures (Ref: Para. Aus 8.9-Aus 8.10) the auditor shall modify the opinion in the auditors report in accordance with ASA 705. (Ref: Para. Aus A8.11) 502.7 The auditor shall request management and, where appropriate, those charged with governance to provide written representations that all known actual or possible litigation and claims whose effects should be considered when preparing the nancial report have been disclosed to the auditor and accounted for and disclosed in accordance with the applicable nancial reporting framework. (Ref: Para. Aus A8.12-Aus A8.13)
502 Aus 5.1
502 Aus 5.2
502.6
Core concepts
195
To identify litigation and claims which may give rise to a risk of material misstatement, the auditor would perform the procedures set out below. See toolkit item 645: Litigation, claims and non-compliance.
Exhibit 13.5-1
Procedure Make enquiries and review relevant documents Description > Enquire of management and others > Review minutes of meetings of those charged with governance > Review correspondence between the entity and its legal counsel, and > Review legal expense accounts. Communicate with external legal counsel Where litigation or claims are identied or suspected, the auditor would request a letter of enquiry, prepared by management and sent by the auditor, requesting external legal counsel to communicate details of claims, etc. directly with the auditor. If this procedure is prohibited or where management refuses permission to contact external counsel, alternative procedures would be performed such as reviewing all the available documentation and making additional enquiries. If alternate procedures are insufcient, then the auditors opinion would be modied. Where primary responsibility for litigation and claims is with in-house counsel, the auditor shall endeavour to obtain a representation from the in-house counsel to corroborate managements representations. Request a written representation from management and those charged with governance that all known actual or possible litigation and claims have been disclosed and properly accounted for in the nancial report.
Communicate with in-house legal counsel Obtain management representation
13.6
ASA 510 Initial Audit Engagements Opening Balances

ASA objective(s) In conducting an initial audit engagement, the objective of the auditor with respect to opening balances is to obtain sufcient appropriate audit evidence about whether: (a) Opening balances contain misstatements that materially affect the current periods nancial report; and (b) Appropriate accounting policies reected in the opening balances have been consistently applied in the current periods nancial report, or changes thereto are appropriately accounted for and adequately presented and disclosed in accordance with the applicable nancial reporting framework.
Paragraph # 510.3
This standard provides guidance regarding opening balances when the nancial report is audited for the rst time or when the nancial report for the prior period was audited by another auditor. See toolkit item 408: Initial audit engagement Opening balances.
PART A
196
Paragraph # 510.5
Relevant extracts from ASAs The auditor shall read the most recent nancial report, if any, and the predecessor auditors report thereon, if any, for information relevant to opening balances, including disclosures. The auditor shall obtain sufcient appropriate audit evidence about whether the opening balances contain misstatements that materially affect the current periods nancial report by: (Ref: Para. A1A2) (a) Determining whether the prior periods closing balances have been correctly brought forward to the current period or, when appropriate, have been restated; (b) Determining whether the opening balances reect the application of appropriate accounting policies; and (c) Performing one or more of the following: (Ref: Para. A3A7) (i) Where the prior year nancial report was audited, reviewing the predecessor auditors working papers to obtain evidence regarding the opening balances; Evaluating whether audit procedures performed in the current period provide evidence relevant to the opening balances; or
510.6
(ii)
(iii) Performing specic audit procedures to obtain evidence regarding the opening balances. 510.7 If the auditor obtains audit evidence that the opening balances contain misstatements that could materially affect the current periods nancial report, the auditor shall perform such additional audit procedures as are appropriate in the circumstances to determine the effect on the current periods nancial report. If the auditor concludes that such misstatements exist in the current periods nancial report, the auditor shall communicate the misstatements with the appropriate level of management and those charged with governance in accordance with ASA 450. The auditor shall obtain sufcient appropriate audit evidence about whether the accounting policies reected in the opening balances have been consistently applied in the current periods nancial report, and whether changes in the accounting policies have been appropriately accounted for and adequately presented and disclosed in accordance with the applicable nancial reporting framework. If the prior periods nancial report was audited by a predecessor auditor and there was a modication to the opinion, the auditor shall evaluate the effect of the matter giving rise to the modication in assessing the risks of material misstatement in the current periods nancial report in accordance with ASA 315. If the auditor is unable to obtain sufcient appropriate audit evidence regarding the opening balances, the auditor shall express a qualied opinion or disclaim an opinion on the nancial report, as appropriate, in accordance with ASA 705. (Ref: Para. A8)
510.8
510.9
510.10
Core concepts
197
Paragraph # 510.11
Relevant extracts from ASAs If the auditor concludes that the opening balances contain a misstatement that materially affects the current periods nancial report, and the effect of the misstatement is not appropriately accounted for or not adequately presented or disclosed, the auditor shall express a qualied opinion or an adverse opinion, as appropriate, in accordance with ASA 705.
(a) The current periods accounting policies are not consistently applied in relation to opening balances in accordance with the applicable nancial reporting framework; or (b) A change in accounting policies is not appropriately accounted for or not adequately presented or disclosed in accordance with the applicable nancial reporting framework, the auditor shall express a qualied opinion or an adverse opinion as appropriate in accordance with ASA 705. 510.13 If the predecessor auditors opinion regarding the prior periods nancial report included a modication to the auditors opinion that remains relevant and material to the current periods nancial report, the auditor shall modify the auditors opinion on the current periods nancial report in accordance with ASA 705 and ASA 710. (Ref: Para. A9)
The requirements are summarised below.
Exhibit 13.6-1
Address Do opening balances contain misstatements that could affect the current period? Description > Read the most recent nancial report and predecessor auditors report (if any) > Determine that prior periods closing balances have been correctly brought forward and reect use of appropriate accounting policies > Review predecessor auditors working papers, and > Perform audit procedures in current period to obtain evidence regarding the opening balances. This is particularly important where the previous years nancial report was not audited. Determine impact on current period of identied misstatements > Perform such additional audit procedures as are appropriate > Evaluate any predecessor auditors modication to the audit opinion, and > Ensure accounting policies reected in opening balances have been consistently applied through the current period. Determine impact (if any) on audit opinion If the predecessor auditors modied audit opinion remains relevant or the opening balances contain a misstatement that materially affects the current periods nancial report (the effect of which was not appropriately accounted for, presented or disclosed), a qualied opinion or an adverse opinion would be necessary.
PART A
510.12
If the auditor concludes that:
198
13.7
ASA 600 Special Considerations Audits of a Group Financial Report (Including the Work of Component Auditors)
ASA objective(s) The objectives of the auditor are: (a) To determine whether to act as the auditor of the group nancial report; and (b) If acting as the auditor of the group nancial report: (i) To communicate clearly with component auditors about the scope and timing of their work on nancial information related to components and their ndings; and To obtain sufcient appropriate audit evidence regarding the nancial information of the components and the consolidation process to express an opinion on whether the group nancial report is prepared, in all material respects, in accordance with the applicable nancial reporting framework.
Paragraph # 600.8
(ii)
Paragraph # 600.9
Relevant extracts from ASAs For the purposes of the Australian Auditing Standards, the following terms have the meanings attributed below: (a) Component means an entity or business activity for which group or component management prepares nancial information that should be included in the group nancial report. (Ref: Para. A2-A4) (b) Component auditor means an auditor who, at the request of the group engagement team, performs work on nancial information related to a component for the group audit. (Ref: Para. A7) (c) Component management means management, or those charged with governance, responsible for the preparation of the nancial information of a component. (d) Component materiality means the materiality for a component determined by the group engagement team. (e) Group means all the components whose nancial information is included in the group nancial report. A group always has more than one component. (f) Group audit means the audit of a group nancial report. (g) Group audit opinion means the audit opinion on the group nancial report. (h) Group engagement partner means the partner or other person in the rm who is responsible for the group audit engagement and its performance, and for the auditors report on the group nancial report that is issued on behalf of the rm. Where joint auditors conduct the group audit, the joint engagement partners and their engagement teams collectively constitute the group engagement partner and the group engagement team. This Auditing Standard does not, however, deal with the relationship between joint auditors or the work that one joint auditor performs in relation to the work of the other joint auditor.
Core concepts
199
Paragraph #
Relevant extracts from ASAs (i) Group engagement team means partners, including the group engagement partner, and staff who establish the overall group audit strategy, communicate with component auditors, perform work on the consolidation process and evaluate the conclusions drawn from the audit evidence as the basis for forming an opinion on the group nancial report. (j) Group nancial report means nancial reports that include the nancial information of more than one component. The term group nancial report also refers to combined nancial reports aggregating the nancial information prepared by components that have no parent but are under common control. (k) Group management means management, or those charged with governance, responsible for the preparation of the group nancial report. (l) Group-wide controls means controls designed, implemented and maintained by group management over group nancial reporting. (m)Signicant component means a component identied by the group engagement team (i) that is of individual nancial signicance to the group, or (ii) that, due to its specic nature or circumstances, is likely to include signicant risks of material misstatement of the group nancial report. (Ref: Para. A5-A6)
This standard provides guidance on the special considerations that apply to group audits. It outlines responsibilities, communications and requirements for and between the: > Group engagement partners, group engagement teams, and > Component auditors who perform work (such as auditing a division, branch, subsidiary of the group) on behalf of the group engagement team and then report on the results. The requirements outlined may also be useful for other situations where an auditor involves another auditor in some part of the audit of the nancial report. (This could include observing an inventory count or performing specic procedures at a remote location.) See toolkit item 445: Group audit planning.
PART A
200
Consider point
The denition of a group component is broad. Before concluding that this standard is not applicable, ensure that a signicant component does not, in fact, exist. A component could result from the entitys organisation structure (such as subsidiaries, divisions, branches, joint ventures or investees accounted for by the equity or cost methods of accounting) or nancial reporting systems organised by function, product, service or geographical location. If a signicant component exists, this standard outlines a number of requirements relating to: > Responsibility of the group engagement partner > Audit planning and materiality > Risk assessment and response > Relationships between the group engagement team and component auditors > Nature and extent of communications > Group-wide controls and the consolidation process.
Note: On the assumption that group audits are not that common in the audit of SMEs, the following exhibit contains only extracts from the many requirements contained in the standard.
Exhibit 13.7-1
Summarised extracts from the requirements section Responsibility 600.11 > The group engagement partner is responsible for the direction, supervision and performance of the group audit engagement in compliance with professional standards > The auditors report on the group nancial report shall not refer to a component auditor. Acceptance/ continuance and planning 600.12-16 > The group engagement team shall obtain an understanding of the group, its components and their environments that is sufcient to identify components that are likely to be signicant components > The group engagement partner shall agree on the terms of the group audit engagement > The group engagement team shall establish an overall group audit strategy and shall develop a group audit plan. Understanding the group, its components and their environments 600.17-18 The group engagement team shall obtain an understanding that is sufcient to: > Conrm or revise its initial identication of components that are likely to be signicant > Assess the risks of material misstatement of the group nancial report, whether due to fraud or error.
Core concepts
201
Summarised extracts from the requirements section Understanding the component auditor 600.19-20 If the group engagement team plans to request a component auditor to perform work on the nancial information of a component, the group engagement team shall obtain an understanding of: > Whether the component auditor understands and will comply with the ethical requirements that are relevant to the group audit and, in particular, is independent > The component auditors professional competence > Whether the group engagement team will be able to be involved in the work of the component auditor to the extent necessary to obtain sufcient appropriate audit evidence, and > Whether the component auditor operates in a regulatory environment that actively oversees auditors. Materiality 600.21-23 The group engagement team shall determine: > Materiality for the group nancial report as a whole when establishing the overall group audit strategy > Lower amounts than group materiality, where applicable, for particular classes of transactions, account balances or disclosures > Component materiality for those components where component auditors will perform an audit or a review for purposes of the group audit, and > The threshold above which misstatements cannot be regarded as clearly trivial to the group nancial report. The group team shall also evaluate the appropriateness of performance materiality determined by the component auditor at the component level. Responding to assessed risks 600.24-31 The auditor is required to design and implement appropriate responses to address the assessed risks of material misstatement of the nancial report. The group engagement team shall: > Determine the type of work to be performed by the group engagement team, or the component auditors on its behalf, on the nancial information of the components > Evaluate the appropriateness of further procedures to respond to identied signicant risks of material misstatement of the group nancial report, and > Evaluate the appropriateness, completeness and accuracy of consolidation adjustments and reclassications, and shall evaluate whether any fraud risk factors or indicators of possible management bias exist. For a component that is signicant due to its individual nancial signicance to the group, the group engagement team, or a component auditor on its behalf, shall perform an audit of the nancial information of the component using component materiality.
PART A
202
Summarised extracts from the requirements section Consolidation process 600.32-37 The group engagement team shall design and perform further audit procedures on the consolidation process to respond to the assessed risks of material misstatement of the group nancial report arising from the consolidation process. This shall include evaluating whether all components have been included in the group nancial report. If the group nancial report includes the nancial report of a component with a nancial reporting period end that differs from that of the group, the group engagement team shall evaluate whether appropriate adjustments have been made to that nancial report in accordance with the applicable nancial reporting framework. Subsequent events 600.38-39 The group engagement team or the component auditors shall perform procedures designed to identify subsequent events that may require adjustment to or disclosure in the group nancial report. The group engagement team shall request the component auditors to notify the group engagement team if they become aware of subsequent events. Communication with the component auditor 600.40-41 The group engagement team shall communicate its requirements to the component auditor on a timely basis. This communication shall set out the work to be performed, the use to be made of that work and the form and content of the component auditors communication with the group engagement team. This would include: > Conrmation that the component auditor will cooperate with the group engagement team > Relevant ethical and independence requirements > Component materiality > Identied signicant risks of material misstatement of the group nancial report, due to fraud or error, that are relevant to the work of the component auditor, and > A list of related parties prepared by group management and the timely communication of related parties not previously identied by group management or the group engagement team. The group engagement team shall request the component auditor to communicate matters relevant to the group engagement teams conclusion with regard to the group audit. For example: > Compliance by component auditor with: Ethical requirements including independence and professional competence, and The group engagement teams requirements > What nancial information of the component is being reported upon > Instances of non-compliance with laws or regulations > A list of uncorrected misstatements
Core concepts
203
Summarised extracts from the requirements section Communication with the component auditor 600.40-41 (continued) > Indicators of possible management bias > Any identied signicant deciencies in internal control at the component level > Other signicant matters that the component auditor communicated or expects to communicate to those charged with governance of the component, including fraud or suspected fraud > Any other matters that may be relevant to the group audit, including exceptions noted in the written representations that the component auditor requested from component management, and > The component auditors overall ndings, conclusions or opinion. Evaluating the sufciency and appropriateness of audit evidence obtained 600.42-45 The group engagement team shall: > Discuss signicant matters arising from the evaluation of evidence with the component auditor, component management or group management, as appropriate, and > Determine whether it is necessary to review other relevant parts of the component auditors audit documentation. If the work of the component auditor is insufcient, the group engagement team shall determine what additional procedures are to be performed, and whether they are to be performed by the component auditor or by the group engagement team. The group engagement team shall evaluate whether sufcient appropriate audit evidence has been obtained from the audit procedures performed. The group engagement partner shall evaluate the effect on the group audit opinion of any uncorrected misstatements and any instances where there has been an inability to obtain sufcient appropriate audit evidence. Communication with group management and those charged with governance of the group 600.46-49 The group engagement team shall determine which identied deciencies in internal control to communicate to group management and those charged with governance. If fraud has been identied the group engagement team shall communicate this on a timely basis to the appropriate level of group management. The group engagement team shall communicate the following matters: > An overview of the type of work to be performed on the nancial information of the components > An overview of the nature of the group engagement teams planned involvement in the work to be performed by the component auditors on the nancial information of signicant components > Instances where the group engagement teams evaluation of the work of a component auditor gave rise to a concern about the quality of that auditors work
PART A
204
Summarised extracts from the requirements section Communication with group management and those charged with governance of the group 600.46-49 (continued) > Any limitations on the group audit, for example, where the group engagement teams access to information may have been restricted, and > Fraud or suspected fraud involving group management, component management, employees who have signicant roles in groupwide controls or others where the fraud resulted in a material misstatement of the group nancial report. The group engagement team shall include in the audit documentation the following matters: > An analysis of components, indicating those that are signicant, and the type of work performed on the nancial information of the components > The nature, timing and extent of the group engagement teams involvement in the work performed by the component auditors on signicant components including, where applicable, the group engagement teams review of relevant parts of the component auditors audit documentation and conclusions thereon, and > Written communications between the group engagement team and the component auditors about the group engagement teams requirements.
Documentation 600.50
13.8
610.6
ASA 610 Using the Work of Internal Auditors

ASA objective(s) The objectives of the external auditor, where the entity has an internal audit function that the external auditor has determined is likely to be relevant to the audit, are: (a) To determine whether, and to what extent, to use specic work of the internal auditors; and (b) If using the specic work of the internal auditors, to determine whether that work is adequate for the purposes of the audit.
Paragraph #
Core concepts
205
Exhibit 13.8-1
Determine planned effect of IA work on nature, timing or extent of external auditors procedures.
Will work of internal audit (IA) be adequate for audit purposes?
Yes
No Perform audit procedures on IA work to evaluate its adequacy for external auditor use.
Stop
Document conclusions reached.
Paragraph # 610.8
Relevant extracts from ASAs The external auditor shall determine: (a) Whether the work of the internal auditors is likely to be adequate for purposes of the audit; and (b) If so, the planned effect of the work of the internal auditors on the nature, timing or extent of the external auditors procedures.
610.9
In determining whether the work of the internal auditors is likely to be adequate for purposes of the audit, the external auditor shall evaluate: (a) The objectivity of the internal audit function; (b) The technical competence of the internal auditors; (c) Whether the work of the internal auditors is likely to be carried out with due professional care; and (d) Whether there is likely to be effective communication between the internal auditors and the external auditor. (Ref: Para. A4)
PART A
206
Paragraph # 610.10
Relevant extracts from ASAs In determining the planned effect of the work of the internal auditors on the nature, timing or extent of the external auditors procedures, the external auditor shall consider: (a) The nature and scope of specic work performed, or to be performed, by the internal auditors; (b) The assessed risks of material misstatement at the assertion level for particular classes of transactions, account balances and disclosures; and (c) The degree of subjectivity involved in the evaluation of the audit evidence gathered by the internal auditors in support of the relevant assertions. (Ref: Para. A5)
610.11
In order for the external auditor to use specic work of the internal auditors, the external auditor shall evaluate and perform audit procedures on that work to determine its adequacy for the external auditors purposes. (Ref: Para. A6) To determine the adequacy of specic work performed by the internal auditors for the external auditors purposes, the external auditor shall evaluate whether: (a) The work was performed by internal auditors having adequate technical training and prociency; (b) The work was properly supervised, reviewed and documented; (c) Adequate audit evidence has been obtained to enable the internal auditors to draw reasonable conclusions; (d) Conclusions reached are appropriate in the circumstances and any reports prepared by the internal auditors are consistent with the results of the work performed; and (e) Any exceptions or unusual matters disclosed by the internal auditors are properly resolved.
610.12
610.13
If the external auditor uses specic work of the internal auditors, the external auditor shall include in the audit documentation the conclusions reached regarding the evaluation of the adequacy of the work of the internal auditors, and the audit procedures performed by the external auditor on that work, in accordance with paragraph 11 of this Auditing Standard.
Overview
In larger entities, an internal audit department is often established to monitor the effectiveness of various aspects of internal control. The scope of internal audit activities could include: > Monitoring of certain elements of internal control > Examination of nancial and operating information > Review of operating activities > Review of compliance with laws and regulations > Risk management, and/or > Governance.
Core concepts
207
Summary of requirements
The following chart outlines a summary of the requirements.
Exhibit 13.8-2
Task Will internal audit work be adequate for external audit purposes? Considerations > What are the objectives and scope of the internal audit function? > How objective (independent) is the internal audit function? > Are the internal auditors technically competent? > Will their work be carried out with due professional care? > Is the communication between the internal and external auditors effective? What effect will reliance on internal audit work have on the external audit? Consider: > Nature and scope of specic work performed or to be performed by internal auditor > Assessed risks of material misstatement at the assertion level for particular classes of transactions, account balances and disclosures, andThe degree of subjectivity involved in the evaluation of the audit evidence gathered by the internal auditors in support of the relevant assertions. Evaluate the adequacy of internal work for external audit reliance > Did the internal auditors performing the work have adequate technical training and prociency? > Was the work properly supervised, reviewed and documented? > Was adequate audit evidence obtained to enable the internal auditors to draw reasonable conclusions? > Were the conclusions reached appropriate in the circumstances? > Were any reports prepared by the internal auditors consistent with the results of the work performed? > Were any exceptions or unusual matters disclosed by the internal auditors properly resolved? Document results > Conclusions reached on the evaluation of adequacy of internal auditors work, and > Description of audit procedures performed by the external auditor on that work.
PART A
Where the objectives and scope of internal audit work includes a review of internal controls over nancial reporting, the work of the internal auditor may (subject to its adequacy) be relied upon by the external auditor to modify the nature and extent of the external auditors procedures. However, because internal auditors are hired by the entity and form part of its internal control, they are not completely independent. Consequently, their work would not be relied upon to the same extent as that performed by the external audit team.
208
In some cases, the services of the internal audit group may be made available to the external auditor to speed up the audit process and reduce the costs of the external audit. In such situations, it would be useful to agree in advance (preferably in writing) on matters such as the following: > The timing and extent of the work delegated to internal audit > Materiality for the nancial report as a whole (and, if applicable, materiality level or levels for particular classes of transactions, account balances or disclosures) and performance materiality > Proposed methods of item selection > Documentation of the work performed, and > Review and reporting procedures.
Reporting
The external auditor has sole responsibility for the audit opinion expressed and that responsibility is not reduced by the external auditors use of the work of the internal auditors. Consequently, no reference would be made in the external auditors report to the work of the internal auditors.
13.9
620.5
ASA 620 Using the Work of an Auditors Expert

ASA objective(s) Objectives of the auditor are: (a) To determine whether to use the work of an auditors expert; and (b) If using the work of an auditors expert, to determine whether that work is adequate for the auditors purposes.
Paragraph #
Core concepts
209
Exhibit 13.9-1
Is an auditors expert needed to obtain audit evidence? If yes: > What procedures will be required? > Is expert selected competent, capable and objective? Can we understand the nature of work performed by the auditors expert? Agree on terms of engagement with the auditors expert.
Risk assessment
Risk response
Evaluate adequacy of work performed by the auditors expert including findings, conclusions, assumptions used and sources of data. Determine if any further audit work required.
Reporting
Do not make reference to work of an auditors expert unless auditor's report has been modified. If insufficient appropriate audit evidence was obtained, modify the auditors report.
Paragraph # 620.6
Relevant extracts from ASAs For the purposes of the Australian Auditing Standards, the following terms have the meanings attributed below: (a) Auditors expert means an individual or organisation possessing expertise in a eld other than accounting or auditing, whose work in that eld is used by the auditor to assist the auditor in obtaining sufcient appropriate audit evidence. An auditors expert may be either an auditors internal expert (who is a partner or staff, including temporary staff, of the auditors rm or a network rm) or an auditors external expert. (Ref: Para. A1-A3) Aus 6.1 Partner and rm should read as referring to their public sector equivalents where relevant.
(b) Expertise means skills, knowledge and experience in a particular eld. (c) Managements expert means an individual or organisation possessing expertise in a eld other than accounting or auditing, whose work in that eld is used by the entity to assist the entity in preparing the nancial report.
In some situations, the auditor may require expertise (other than accounting or auditing) to obtain sufcient appropriate audit evidence. This could involve using the work of an auditors expert who would provide audit evidence in the form of reports, opinions, valuations and statements. Some examples are included in the following exhibit.
PART A
Core concepts
199
Paragraph #
Relevant extracts from ASAs (i) Group engagement team means partners, including the group engagement partner, and staff who establish the overall group audit strategy, communicate with component auditors, perform work on the consolidation process and evaluate the conclusions drawn from the audit evidence as the basis for forming an opinion on the group nancial report. (j) Group nancial report means nancial reports that include the nancial information of more than one component. The term group nancial report also refers to combined nancial reports aggregating the nancial information prepared by components that have no parent but are under common control. (k) Group management means management, or those charged with governance, responsible for the preparation of the group nancial report. (l) Group-wide controls means controls designed, implemented and maintained by group management over group nancial reporting. (m)Signicant component means a component identied by the group engagement team (i) that is of individual nancial signicance to the group, or (ii) that, due to its specic nature or circumstances, is likely to include signicant risks of material misstatement of the group nancial report. (Ref: Para. A5-A6)
This standard provides guidance on the special considerations that apply to group audits. It outlines responsibilities, communications and requirements for and between the: > Group engagement partners, group engagement teams, and > Component auditors who perform work (such as auditing a division, branch, subsidiary of the group) on behalf of the group engagement team and then report on the results. The requirements outlined may also be useful for other situations where an auditor involves another auditor in some part of the audit of the nancial report. (This could include observing an inventory count or performing specic procedures at a remote location.) See toolkit item 445: Group audit planning.
PART A
Core concepts
211
Risk assessment
Paragraph # 620.7 Relevant extracts from ASAs If expertise in a eld other than accounting or auditing is necessary to obtain sufcient appropriate audit evidence, the auditor shall determine whether to use the work of an auditors expert. (Ref: Para. A4-A9) The nature, timing and extent of the auditors procedures with respect to the requirements in paragraphs 9-13 of this Auditing Standard will vary depending on the circumstances. In determining the nature, timing and extent of those procedures, the auditor shall consider matters including: (Ref: Para. A10) (a) The nature of the matter to which that experts work relates; (b) The risks of material misstatement in the matter to which that experts work relates; (c) The signicance of that experts work in the context of the audit; (d) The auditors knowledge of and experience with previous work performed by that expert; and (e) Whether that expert is subject to the auditors rms quality control policies and procedures. (Ref: Para. A11-A13) 620.9 The auditor shall evaluate whether the auditors expert has the necessary competence, capabilities and objectivity for the auditors purposes. In the case of an auditors external expert, the evaluation of objectivity shall include enquiry regarding interests and relationships that may create a threat to that experts objectivity. (Ref: Para. A14-A20) The auditor shall obtain a sufcient understanding of the eld of expertise of the auditors expert to enable the auditor to: (Ref: Para. A21-A22) (a) Determine the nature, scope and objectives of that experts work for the auditors purposes; and (b) Evaluate the adequacy of that work for the auditors purposes. 620.11 The auditor shall agree, in writing when appropriate, on the following matters with the auditors expert: (Ref: Para. A23-A26) (a) The nature, scope and objectives of that experts work; (Ref: Para. A27) (b) The respective roles and responsibilities of the auditor and that expert; (Ref: Para. A28-A29) (c) The nature, timing and extent of communication between the auditor and that expert, including the form of any report to be provided by that expert; and (Ref: Para. A30) (d) The need for the auditors expert to observe condentiality requirements. (Ref: Para. A31)
620.10
PART A
620.8
212
Exhibit 13.9-3
Is an auditors expert needed to obtain audit evidence? No
Yes
What procedures are required?

(Nature/timing/extent)
Is chosen expert competent, capable and objective? No
Yes
Do we (auditor) understand experts field of expertise? No
Yes
Agree on terms of engagement. No Plan alternative audit procedures appropriate to the circumstances.
Core concepts
213
Exhibit 13.9-4
Consider Is an auditors expert needed to obtain audit evidence? Discussion Consider need in relation to: > Obtaining an understanding of the entity, including internal control
> Determining/implementing overall responses to assessed risks at the nancial report level > Designing/performing further audit procedures to respond to assessed risks at the assertion level, and > Evaluating the sufciency/appropriateness of audit evidence obtained to form an opinion. What audit procedures are required? Consider: > The nature of the matter and the risks of material misstatement > The signicance of the experts work in the context of the audit > Previous work (if any) performed by that expert, and > Whether the expert is subject to the auditors rms quality control policies and procedures. Is the auditors chosen expert competent, capable and objective? > Competence relates to the nature and level of expertise of the auditors expert > Capability relates to the ability of the auditors expert to exercise that competence in the circumstances of the engagement (eg. geographic location and the availability of time and resources) > Objectivity relates to the possible effects that bias, conict of interest or the inuence of others may have on the professional or business judgement of the auditors expert. Other factors to consider include: > Personal experience with previous work of that expert > Discussions with that expert > Discussions with others familiar with that experts work > Knowledge of that experts qualications, membership of a professional body or industry association, licence to practice or other forms of external recognition > Published papers or books written by that expert, andThe auditors rms quality control policies and procedures. Does the auditor understand the experts eld of expertise? Is there sufcient understanding of the auditors experts eld of work to: > Plan the audit? And > Review the results of work performed?
PART A
> Identifying/assessing the risks of material misstatement
214
Agree on terms of engagement
In establishing the terms of engagement, consider factors such as the following: > Access of the auditors expert to sensitive or condential entity information > The respective roles or responsibilities of the auditor and the auditors expert > Any multi-jurisdictional, legal or regulatory requirements > The complexity of the work required > Previous experience by the auditors expert with the entity, and > The extent of the auditors experts work, and its signicance in the context of the audit. The written agreement would address the: > Nature, scope and objectives of the experts work > Respective roles and responsibilities > Nature, timing and extent of communication including the report format, and > Need for condentiality. Appendix to ASA 620 sets out matters that the auditor may consider for inclusion in any written agreement with an auditors external expert.
Evaluating the work performed

Paragraph # 620.12 Relevant extracts from ASAs The auditor shall evaluate the adequacy of the auditors experts work for the auditors purposes, including: (Ref: Para. A32) (a) The relevance and reasonableness of that experts ndings or conclusions, and their consistency with other audit evidence; (Ref: Para. A33-A34) (b) If that experts work involves use of signicant assumptions and methods, the relevance and reasonableness of those assumptions and methods in the circumstances; and (Ref: Para. A35-A37) (c) If that experts work involves the use of source data that is signicant to that experts work, the relevance, completeness and accuracy of that source data. (Ref: Para. A38-A39) 620.13 If the auditor determines that the work of the auditors expert is not adequate for the auditors purposes, the auditor shall: (Ref: Para. A40) (a) Agree with that expert on the nature and extent of further work to be performed by that expert; or (b) Perform additional audit procedures appropriate to the circumstances.
Core concepts
215
Exhibit 13.9-5
Evaluate relevance/reasonableness of: > Experts findings/conclusions and consistency with other audit evidence > Key assumptions and methods used in the circumstances > Source data including its accuracy. Agree with expert on nature/extent of any further work to be performed. If work not adequate, plan additional audit procedures appropriate to the circumstances. Evaluate adequacy of work performed by expert
If the results of the experts work are unsatisfactory or inconsistent with other evidence, the auditor should resolve the matter. This may involve: > Discussions with the entity and the expert > Applying additional audit procedures > Possibly engaging another expert, or > Modifying the auditors report.
Reporting
Paragraph # 620.14 Relevant extracts from ASAs The auditor shall not refer to the work of an auditors expert in an auditors report containing an unmodied opinion unless required by law or regulation to do so. If such reference is required by law or regulation, the auditor shall indicate in the auditors report that the reference does not reduce the auditors responsibility for the auditors opinion. (Ref: Para. A41) If the auditor makes reference to the work of an auditors expert in the auditors report because such reference is relevant to an understanding of a modication to the auditors opinion, the auditor shall indicate in the auditors report that such reference does not reduce the auditors responsibility for that opinion. (Ref: Para. A42)
620.15
The auditors report would not refer to the work of an expert. Such a reference might be misunderstood to be a modication of the auditors opinion or a division of responsibility, neither of which is intended. However, if the auditor decides to issue a modied auditors report as a result of the experts involvement it may be appropriate, in explaining the nature of the modication, to refer to or describe the work of the expert, including the identity of the expert and the extent of the experts involvement. In these circumstances, the auditor would obtain the permission of the expert before making such a reference. If permission is refused and the auditor believes a reference is necessary, the auditor may need to seek legal advice.
PART A
216
13.10 ASA 720 The Auditors Responsibilities Relating to Other Information in Documents Containing an Audited Financial Report
Paragraph # 720.4 ASA objective(s) The objective of the auditor is to respond appropriately when documents containing an audited nancial report and the auditors report thereon include other information that could undermine the credibility of that nancial report and the auditors report. Relevant extracts from ASAs The auditor shall read the other information to identify material inconsistencies, if any, with the audited nancial report. The auditor shall make appropriate arrangements with management or those charged with governance to obtain the other information prior to the date of the auditors report. If it is not possible to obtain all the other information prior to the date of the auditors report, the auditor shall read such other information as soon as practicable. (Ref: Para. A5) If, on reading the other information, the auditor identies a material inconsistency, the auditor shall determine whether the audited nancial report or the other information needs to be revised. If revision of the audited nancial report is necessary and management refuses to make the revision, the auditor shall modify the opinion in the auditors report in accordance with ASA 705. If revision of the other information is necessary and management refuses to make the revision, the auditor shall communicate this matter to those charged with governance unless all of those charged with governance are involved in managing the entity; and: (a) Include in the auditors report an Other Matter(s) paragraph describing the material inconsistency in accordance with ASA 706; or (b) Withhold the auditors report; or (c) Withdraw from the engagements, where withdrawal is possible under applicable law or regulation. (Ref: Para. A6-A7) 720 Aus 10.1 Withholding the auditors report is not permitted under the Corporations Act 2001. 720.11 720.12 If revision of the audited nancial report is necessary, the auditor shall follow the relevant requirements in ASA 560. If revision of the other information is necessary and management agrees to make the revision, the auditor shall carry out the procedures necessary under the circumstances. (Ref: Para. A8) If revision of the other information is necessary, but management refuses to make the revision, the auditor shall notify those charged with governance, unless all of those charged with governance are involved in managing the entity, of the auditors concern regarding the other information and take any further appropriate action. (Ref: Para. A9)
Paragraph # 720.6 720.7
720.8
720.9
720.10
720.13
Core concepts
217
Paragraph # 720.14
Relevant extracts from ASAs If, on reading the other information for the purpose of identifying material inconsistencies, the auditor becomes aware of an apparent material misstatement of fact, the auditor shall discuss the matter with management. (Ref: Para. A10)
720.15
720.16
If the auditor concludes that there is a material misstatement of fact in the other information which management refuses to correct, the auditor shall notify those charged with governance, unless all of those charged with governance are involved in managing the entity, of the auditors concern regarding the other information and take any further appropriate action. (Ref: Para. A11)
Overview
Some entities, such as those with many stakeholders, will publish (on paper or electronically) an annual report or attach some additional information to the audited nancial report. Where this occurs, the auditor has a responsibility to read the other information to identify any information that could undermine the credibility of the nancial report and the auditors report. Should such information be found, the auditor needs to take appropriate steps to rectify the situation. A summary of some of the key requirements is outlined in the chart below.
PART A
If, following such discussions, the auditor still considers that there is an apparent material misstatement of fact, the auditor shall request management to consult with a qualied third party, such as the entitys legal counsel, and the auditor shall consider the advice received.
218
Exhibit 13.10-1
Is other information presented with the F/R? No Yes
Does a material inconsistency exist in other information? No
Yes
Does the audited F/R need to be revised? No Yes Does management refuse to make the revision(s)? No Yes
Does the other information need revision?
Proceed
Notify those charged with governance. Withhold audit report. Determine what other actions are appropriate.
Core concepts
219
14.
Audit documentation
Relevant ASQC and ASAs
Chapter content The various requirements associated with the documentation of audit planning, audit evidence obtained and its ultimate storage.
Paragraph # 230.5
ASA objective(s) The objective of the auditor is to prepare documentation that provides: (a) A sufcient and appropriate record of the basis for the auditors report; and (b) Evidence that the audit was planned and performed in accordance with Australian Auditing Standards and applicable legal and regulatory requirements.
Paragraph # 230.6
Relevant extracts from ASAs For the purposes of the Australian Auditing Standards, the following terms have the meanings attributed below: (a) Audit documentation means the record of audit procedures performed, relevant audit evidence obtained and conclusions the auditor reached (terms such as working papers or workpapers are also sometimes used). (b) Audit le means one or more folders or other storage media, in physical or electronic form, containing the records that comprise the audit documentation for a specic engagement. (c) Experienced auditor means an individual (whether internal or external to the rm) who has practical audit experience, and a reasonable understanding of: (i) (ii) Audit processes; Australian Auditing Standards and applicable legal and regulatory requirements;
(iii) The business environment in which the entity operates; and (iv) Auditing and nancial reporting issues relevant to the entitys industry. 230.7 The auditor shall prepare audit documentation on a timely basis. (Ref: Para. A1)
14.1
Overview
Audit le documentation (whether maintained on paper or electronically) plays a critical role in: > Assisting the engagement team in planning and performing the audit > Providing evidence to demonstrate that the planned audit procedures were, in fact, performed
PART A
ASQC 1, ASAs 220, 230, 240, 300, 315, 330
220
> Assisting engagement reviewers (including engagement quality control reviewers) in carrying out their responsibilities in accordance with professional standards > Recording the judgements involved in forming the audit opinion, and > Recording matters of continuing signicance for future audits of the entity. See toolkit item 370: Worksheet Matters for future consideration. Consider point
There is no need to provide documentation about ASA requirements that are not relevant in the circumstances. This would apply where the entire ASA is not relevant (such as ASA 610 when the entity has no internal audit function) or where the ASA requirement is conditional and the condition does not exist.
Good audit documentation is appropriately organised, provides a record of the work done, the audit evidence obtained, the signicant professional judgements applied and the conclusions reached.
Exhibit 14.1-1
The need for audit le documentation > Supports the basis for the auditors conclusions concerning every relevant nancial report assertion > Provides evidence that the engagement complies with professional standards > Provides evidence that the underlying accounting records agree or reconcile with the nancial report.
Audit documentation for smaller entities will generally be less extensive than that for larger entities. This particularly applies where: > The engagement partner performs all the audit work. Documentation would not include matters related to team discussions, allocation of responsibilities or supervision, and > Some matters are so straightforward that they can be more conveniently addressed in a single document with cross-references to supporting working papers. This could include one or more of the areas such as the understanding of the entity and its internal control, the overall audit strategy and audit plan, materiality, assessed risks, signicant matters noted and the conclusions reached. Many ASAs contain specic documentation requirements that serve to clarify the requirements of ASA 230. The following table provides a reference to the paragraphs in ASAs that outline specic documentation requirements. This does not imply that there are no documentation requirements in the ASAs that are not included in the list below.
Core concepts
221
Exhibit 14.1-2
ASA 210 220 230 240 250 260 300 315 320 330 450 540 550 600 610 Title Agreeing the Terms of Audit Engagements Quality Control for an Audit of a Financial Report and Other Historical Information Audit Documentation The Auditors Responsibilities Relating to Fraud in an Audit of a Financial Report Consideration of Laws and Regulations in an Audit of a Financial Report Communication with Those Charged with Governance Planning an Audit of a Financial Report Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and its Environment Materiality in Planning and Performing an Audit The Auditors Responses to Assessed Risks Evaluation of Misstatements Identied during the Audit Auditing Accounting Estimates, Including Fair Value Accounting Estimates, and Related Disclosures Related Parties Special Considerations Audits of a Group Financial Report (Including the Work of Component Auditors) Using the Work of Internal Auditors Paragraph 10 24-25 All 44-47 29 23 12 32 14 28-30 15 23 Aus 23.1 28 50 13
14.2
Audit le organisation
An area to be addressed by rm-wide policies is audit le organisation and indexing. A consistent approach using a standard index has a number of advantages such as the following: > Enables specic working papers to be easily located and shared among audit team members > Facilitates le review by the various reviewers such as the manager, engagement partner, engagement quality control reviewer and quality control monitors > Provides consistency between audit les in the rm, and > Assists with quality control functions such as checking for missing sign-offs, invalid cross-references and unclear review notes. Audit documentation is usually organised into logical divisions of work using an indexing system. If the le is electronic, the indexing can be in the form of folders and sub-folders. As each piece of audit documentation is created, it will be given a unique reference that ties directly into the overall le index.
PART A
222
Two examples of possible audit le indices are summarised in the exhibit below. The rst example groups documents according to the stage when documents are prepared in the audit process. Note that completion documents (on paper les) are usually led near the top of the le for easy reference. The second index groups documents by the nancial report area such as payables, receivables, sales, etc. In this le, all the documents relating to risk assessment and risk response for inventory would be maintained under the inventory chapter. A third alternative would be to combine the two approaches with some documents organised by the stage in the audit process and others by the nancial report area.
Exhibit 14.2-1
Index by audit phase (extracts from an index) 100-200 Financial report and auditors report 201-300 Tax returns, etc. 301-400 File completion such as memos on signicant decisions, checklists and management representation letters 401-500 Audit planning, including audit strategy and materiality 501-600 Risk assessment, including understanding the entity and internal control 601-700 Risk response, including detailed audit plans by nancial report area 701-799 Other supporting documents such as trial balances and reports 800 Financial reporting frameworks 12 15 A C D BB DD 20 30 40 50 100 120 150 Index by nancial report area (extracts from an index) 10 11 Financial report and auditors report File completion memos, checklists, etc. Overall audit strategy Materiality Cash Receivables Inventory Payables Long-term debt Revenues Purchases Payroll Taxation Subsequent events Contingencies Other supporting documents such as trial balances and reports
Core concepts
223
14.3
Common questions about audit documentation
Exhibit 14.3-1
Question Who owns the audit le? Are copies of entity records examined required to be kept on the audit le? Response Unless otherwise specied by legislation or regulation, audit documentation is the property of the audit rm. No. All that is required is some identifying characteristics of the transactions/procedure being examined so that the work could be replicated or exceptions investigated as necessary. Identifying characteristics include: > Dates and unique transaction numbers for a test of details > Scope of procedure and the population used (ie. all journal entries over a specied amount from the journal register) > Source, starting point and sampling interval for systematic samples > For staff enquiries, their names, job designations and dates of enquiry, and > For observations, the process or matter being observed, relevant individuals, their respective responsibilities and where/when the observation was carried out. However, abstracts or copies of the entitys records (such as signicant contracts and agreements) may be included if considered appropriate. Does each page of the audit le need to be initialled and dated by the preparer and then by the reviewer? No. The discipline of initialling working papers (as to who performed and reviewed the audit work) has the effect of holding the engagement team accountable, however, this does not mean that each page of the working paper le needs to be initialled and dated. For example, the evidence of preparation and review could be indicated for each section, module or unit in the le rather than the individual pages. The preparation of working papers (typically at assistant level) and their detailed review (typically at the manager level) would involve initialling every working paper section, module or unit, whereas a general review (at the partner level) might involve only looking at key sections of the le where signicant professional judgements were made. No. It is neither necessary nor practicable for the auditor to document every matter considered or professional judgement made. It is the signicant matters and signicant judgements made on those matters during the audit that need to be documented. Documentation of signicant matters and judgements explains the auditors conclusions and reinforces the quality of the judgements. This can often be achieved through the preparation of the signicant issues memorandum at the completion of the audit. No. There is no requirement to retain documentation that was incorrect or superseded.
Should all considerations and use of professional judgements be documented?
Are preliminary drafts of the nancial report required to be kept if materially inconsistent with the nal nancial report?
PART A
224
Question Is it necessary to document noncompliance with ASA requirements that are really not applicable to the audit?
Response No. Other than in exceptional circumstances, compliance is required with each ASA requirement that is relevant. An ASA is clearly not relevant when the entire ASA is not applicable or when an ASA requirement is conditional and the condition does not exist.
14.4
Specic documentation requirements
Risk assessment
Paragraph # 240.44 Relevant extracts from ASAs The auditor shall include the following in the audit documentation of the auditors understanding of the entity and its environment and the assessment of the risks of material misstatement required by ASA 315: (a) The signicant decisions reached during the discussion among the engagement team regarding the susceptibility of the entitys nancial report to material misstatement due to fraud; and (b) The identied and assessed risks of material misstatement due to fraud at the nancial report level and at the assertion level. 240.47 If the auditor has concluded that the presumption that there is a risk of material misstatement due to fraud related to revenue recognition is not applicable in the circumstances of the engagement, the auditor shall include in the audit documentation the reasons for that conclusion. The auditor shall include in the audit documentation: (a) The overall audit strategy; (b) The audit plan; and (c) Any signicant changes made during the audit engagement to the overall audit strategy or the audit plan, and the reasons for such changes. (Ref: Para. A16-19) 315.32 The auditor shall include in the audit documentation: (a) The discussion among the engagement team where required by paragraph 10 of this Auditing Standard, and the signicant decisions reached; (b) Key elements of the understanding obtained regarding each of the aspects of the entity and its environment specied in paragraph 11 of this Auditing Standard and of each of the internal control components specied in paragraphs 14-24 of this Auditing Standard; the sources of information from which the understanding was obtained; and the risk assessment procedures performed; (c) The identied and assessed risks of material misstatement at the nancial report level and at the assertion level as required by paragraph 25 of this Auditing Standard; and (d) The risks identied, and related controls about which the auditor has obtained an understanding, as a result of the requirements in paragraphs 27-30 of this Auditing Standard. (Ref: Para. A131 A134)
300.12
Core concepts
225
Typical audit documentation would include the items listed below.
Exhibit 14.4-1
Risk assessment phase > Pre-engagement (client acceptance) procedures > Independence and ethics assessments > Terms of engagement > Materiality considerations > Overall audit strategy > Audit team discussions, including possible causes of material misstatement due to fraud > Risk assessment procedures performed and the results > Assessed risks of material misstatement identied (at overall and assertion levels) based on the understanding of the entity obtained and related internal control (if any) > Signicant risks > Communications with management and those charged with governance. Comments Remember to update risk assessment documentation for: > Any new risks identied later in the audit; and > Changes needed in risk assessments or materiality identied as a result of performing further audit procedures.
Risk response
Paragraph # 230.9 Relevant extracts from ASAs In documenting the nature, timing and extent of audit procedures performed, the auditor shall record: (a) The identifying characteristics of the specic items or matters tested; (Ref: Para. A12) (b) Who performed the audit work and the date such work was completed; and (c) Who reviewed the audit work performed and the date and extent of such review. (Ref: Para. A13) 240.45 The auditor shall include the following in the audit documentation of the auditors responses to the assessed risks of material misstatement required by ASA 330: (a) The overall responses to the assessed risks of material misstatement due to fraud at the nancial report level and the nature, timing and extent of audit procedures, and the linkage of those procedures with the assessed risks of material misstatement due to fraud at the assertion level; and (b) The results of the audit procedures, including those designed to address the risk of management override of controls.
PART A
226
Paragraph # 330.28
Relevant extracts from ASAs The auditor shall include in the audit documentation: (a) The overall responses to address the assessed risks of material misstatement at the nancial report level and the nature, timing and extent of the further audit procedures performed; (b) The linkage of those procedures with the assessed risks at the assertion level; and (c) The results of the audit procedures, including the conclusions where these are not otherwise clear. (Ref: Para. A63)
330.30
The auditors documentation shall demonstrate that the nancial report agrees or reconciles with the underlying accounting records.
Typical audit documentation would include the following items.
Exhibit 14.4-2
Risk response phase > An audit plan that addresses: All material nancial report areas The assessed risks of material misstatement at the nancial report and assertion levels The nature, timing and extent of the further audit procedures performed that respond to the assessed risks, and Signicant risks identied > Nature and extent of consultations with others > Signicance and nature of the evidence obtained to the assertion being tested > A clear explanation of the results obtained from the test and how any exceptions or deviations were followed up. This includes: The basis for the test The choice of population The level of assessed risk,and The sampling intervals and choice of the starting point > Actions taken as a result of auditing procedures that indicate: The need to modify planned auditing procedures Material misstatements may exist Omissions in the nancial report, or The existence of signicant deciencies in internal control over nancial reporting Comments Audit documentation should stand by itself and not need be supplemented by oral explanations. See experienced auditor discussion below. Take care in choosing the right population for the assertion being tested. Copies of client records inspected are not necessary on le but some identifying characteristics such as a number or date etc. is required so that a person could re-perform the test if necessary.
Core concepts
227
Risk response phase > Changes, if any, required to the overall audit strategy > Use of signicant judgements applied on signicant matters in performing work and evaluating results > Discussions with management on signicant matters
Comments
> Cross-references to supporting documentation and evidence that the nancial report agrees or reconciles with the underlying accounting records.
Reporting
Paragraph # 230.10 Relevant extracts from ASAs The auditor shall document discussions of signicant matters with management, those charged with governance and others, including the nature of the signicant matters discussed and when and with whom the discussions took place. (Ref: Para. A14) If the auditor identied information that is inconsistent with the auditors nal conclusion regarding a signicant matter, the auditor shall document how the auditor addressed the inconsistency. (Ref: Para. A15) Where, in rare and exceptional circumstances, factors outside the auditors control prevent the auditor from complying with an essential procedure contained within a relevant requirement, the auditor shall document: (Ref: Para. A18-A19) (a) The circumstances surrounding the inability to comply; (b) The reasons for the inability to comply; and (c) Justication of how alternative audit procedures achieve the objectives of the requirement. 240.46 The auditor shall include in the audit documentation communications about fraud made to management, those charged with governance, regulators and others.
230.11
230 Aus12.1
The following chart lists the typical audit documentation that addresses the reporting or le completion phase.
PART A
> Memoranda, analysis, details of assumptions used and how the validity of the underlying information used was established
228
Exhibit 14.4-3
Reporting > Completed audit programs > Evidence of le reviews (that is, initials and checklists, etc.): Detailed (manager/supervisor review) Engagement partner review, and Engagement quality control review, where applicable > Information that is inconsistent with, or contradicts, the nal conclusions > Summary of nancial effect of unadjusted errors identied and managements response (that is, adjustments made) > Non-trivial uncorrected misstatements > Signicant matters arising: Actions taken to address them (including additional evidence obtained), and The basis for the conclusions reached See toolkit item 320: Notes on signicant audit decisions. > If assistance was provided (where permissible under independence requirements) in preparing the draft nancial report, describe the nature of discussions held with management to review the content of the report. This would include: Dates discussions were held Explanations provided on the application of complex accounting principles, and Major questions raised by management > Copy of the nancial report and the auditors report cross-referenced to the audit le chapters > Factors outside the auditors control that prevent compliance with an essential procedure the circumstances and the reasons, as well as how the alternative procedures performed achieve the aim of that requirement > Any engagement completion documents required by the rm > Copy of all communication with management and those charged with governance > Audit report date and the documentation completion date (see discussion on le completion below). Comments Take notes of verbal discussions with management on signicant matters and record their responses. This will help to ensure that audit documentation contains the reasoning for all signicant decisions made.
Include copies of relevant emails or text messages exchanged with the client that address signicant matters.
Core concepts
229
14.5
230.8
The experienced auditor

Relevant extracts from ASAs The auditor shall prepare audit documentation that is sufcient to enable an experienced auditor, having no previous connection with the audit, to understand: (Ref: Para. A2-A5, A16-A17)
Paragraph #
(b) The results of the audit procedures performed, and the audit evidence obtained; and (c) Signicant matters arising during the audit, the conclusions reached thereon, and signicant professional judgements made in reaching those conclusions. (Ref: Para. A8-A11)
The audit documentation should be such that an experienced auditor, who has had no previous connection with the audit, is able to understand (ie. without the need for verbal explanations): > The nature, timing and extent of the audit procedures performed to comply with the applicable legal, regulatory and professional requirements > The results of the audit procedures and the audit evidence obtained, and > The nature of signicant matters arising and the conclusions reached.
14.6
Electronic documents
Many accounting rms have replaced (or are in the process of replacing) paper-based engagement les with electronic les. In some cases, even though the work was performed and reviewed electronically, paper les are maintained as the permanent record of work performed. Documents/forms are initiated in digital form, client records are scanned electronically and all data is stored electronically. It is printed on paper only after all the work is completed and reviewed. There are two types of electronic documents: > Work-in-process, and > Static information.
Work-in-process
Work-in-process consists of dynamic information that is being developed and updated as the audit progresses. Examples include blank audit forms and letter templates, industry knowledge and key performance indicators, questionnaires, logic trees, the rms policies, diagnostics and the previous periods nancial data, information, assumptions, etc. that may be used
PART A
(a) The nature, timing and extent of the audit procedures performed to comply with the Australian Auditing Standards and applicable legal and regulatory requirements; (Ref: Para. A6-A7)
230
in performing this periods analytical procedures. This information is often contained within software applications and electronic audit tools.
Static information
Static information consists of nal le documents such as the nancial report and completed working papers that will not change and may well be required for reference in future years. Final or static documents must be retained in a format where information can be retrieved easily in later years.
Legacy software
Leaving the information in a format used by a software application can be problematic if the software application is updated with a new le format. The old le may not be capable of being opened unless a copy of the old software application is also maintained. To overcome this problem, many rms are now saving their nal le documents in a medium called portable document format (PDF). PDF has been accepted and used by government agencies and accounting rms around the world. The rms policies should state that nal documents are not to be edited.
Advantages of automation
Maintaining audit les in an electronic form enables some administrative functions to be automated and provides additional exibility for engagement team members. For example: > Specic working papers can be accessed directly from the index > Files and documents can be easily shared or reviewed with others in distant locations > New audit folders and documents can be created, renamed, moved, copied or deleted from the index > The detailed index can be collapsed to reveal its overall structure or expanded as needed, making it easier to see the big picture and locate key documents > Customised names can be given to important documents. This can help other team members to interpret the contents of a document from its name > Review functions can be automated such as checking all or part of the audit le for exceptions, outstanding review notes and preparer/reviewer sign-offs > Engagement team members can share le documents by using electronic check-in and check-out tools
Core concepts
231
> Certain documents can be password-protected for enhanced security, and > Access to les can be restricted to authorised personnel.
Using electronic tools in working papers

PART A
There are three important principles to note when using electronic tools in working paper preparation: > All the requirements of the ASAs still apply > Electronic les require electronic document management. This addresses matters such as accessibility (such as password access), data security, application management (including training), back-up routines, edit rights, storage locations, review procedures and decisions on what changes to les will be tracked to provide the necessary audit trail; and > Final documents (all documents that are required to be maintained to support the audit opinion) must be retained and be accessible in accordance with the rms le retention policies.
14.7
230.13
File completion
Relevant extracts from ASAs If, in exceptional circumstances, the auditor performs new or additional audit procedures or draws new conclusions after the date of the auditors report, the auditor shall document: (Ref: Para. A20) (a) The circumstances encountered; (b) The new or additional audit procedures performed, audit evidence obtained, and conclusions reached, and their effect on the auditors report; and (c) When and by whom the resulting changes to audit documentation were made and reviewed.
Paragraph #
230.14
The auditor shall assemble the audit documentation in an audit le and complete the administrative process of assembling the nal audit le on a timely basis after the date of the auditors report. (Ref: Para. A21-A22) After the assembly of the nal audit le has been completed, the auditor shall not delete or discard audit documentation of any nature before the end of its retention period. (Ref: Para. A23-Aus A23.2) In circumstances other than those envisaged in paragraph 13 of this Auditing Standard where the auditor nds it necessary to modify existing audit documentation or add new audit documentation after the assembly of the nal audit le has been completed, the auditor shall, regardless of the nature of the modications or additions, document: (Ref: Para. A24) (a) The specic reasons for making them; and (b) When and by whom they were made and reviewed.
230.15
230.16
232
Relevant extracts from ASAs The auditor shall adopt appropriate procedures for maintaining the condentiality, safe custody, integrity, accessibility and retrievability of the audit documentation. (Ref: Para. Aus A24.1)
The dating of the auditors report signies that the audit work is complete. After that date, there is no continuing responsibility to seek further audit evidence. After the audit report date, the nal assembly of audit les should take place on a timely basis. An appropriate time limit within which to complete the assembly of the nal audit le is ordinarily not more than 60 days after the date of the auditors report. This is illustrated in the exhibit below. Refer to ASQC 1 and ASA 230 for more details.
Exhibit 14.7-1
60 days Timeline 1 File storage 2
Audit report date
File assembly finalised
Making changes to the audit le Exhibit 14.7-2

Period 1 Dates Between the audit report date and documentation completion date Requirements For administrative changes: > Document the nature of audit evidence obtained, who prepared and reviewed each document and any additional memos to le that may be required > Delete or discard superseded documentation > Sort, collate and cross-reference working papers, and > Sign off any completion checklists relating to the le assembly process. For changes in the audit evidence or conclusions reached, additional documentation should be prepared that addresses three key questions: > When and by whom such additions were made and (where applicable) reviewed > The specic reasons for the additions, and > The effect, if any, of the additions on the audit conclusions.
Core concepts
233
Period 2
Dates After the documentation completion date
Requirements No documentation should be deleted or discarded from the audit le until the rms le retention period has expired. Where it is necessary to make additions (including amendments) to audit documentation after the documentation completion date, the three key questions about changes in audit evidence, outlined in Period 1 above, should be answered, regardless of the nature of the additions.
Storing and maintaining documentation

Policies and procedures should be established that maintain the condentiality, safe custody, integrity, accessibility and retrievability of engagement documentation.
Retaining documentation
ASQC 1 requires rms to establish policies and procedures for the retention of engagement documentation. The retention period for audit engagements ordinarily is no shorter than ve years from the date of the auditors report. Under section 307B of the Corporations Act 2001, the retention period is seven years after the date of the audit report. Retention procedures should also address: > File retrieval How will the rm retrieve and access documentation during the retention period? Consider electronic documentation where technology may have been upgraded or changed over time. > Recording of changes How can it be assured that a record will be kept of all additions including amendments made to the engagement documentation after the engagement le has been completed? > Access and review What are the procedures to enable authorised external parties to access and review specic engagement documentation for quality control or other purposes?
PART A
234
15.
Forming an opinion on a nancial report

Relevant ASAs
Chapter content The various requirements associated with the documentation of audit planning, audit evidence obtained and its ultimate storage.
700, 800
Exhibit 15.0-1
Activity
Purpose
Documentation1
Reporting
yes
Is additional work required? no Prepare the auditors report Form an opinion based on audit findings
Significant decisions Signed audit opinion
Paragraph # 700.6
ASA objective(s) The objectives of the auditor are: (a) To form an opinion on the nancial report based on an evaluation of the conclusions drawn from the audit evidence obtained; and (b) To express clearly that opinion through a written report that also describes the basis for that opinion.
800.5
The objective of the auditor, when applying Australian Auditing Standards in an audit of a nancial report prepared in accordance with a special purpose framework, is to address appropriately the special considerations that are relevant to: (a) The acceptance of the engagement; (b) The planning and performance of that engagement; and (c) Forming an opinion and reporting on the nancial report.
Core concepts
235
Paragraph # 700.7
Relevant extracts from ASAs For the purposes of the Australian Auditing Standards, the following terms have the meanings attributed below: (a) General purpose nancial report means a nancial report prepared in accordance with a general purpose framework. (b) General purpose framework means a nancial reporting framework designed to meet the common nancial information needs of a wide range of users. The nancial reporting framework may be a fair presentation framework or a compliance framework. The term fair presentation framework is used to refer to a nancial reporting framework that requires compliance with the requirements of the framework and: (i) Acknowledges explicitly or implicitly that, to achieve fair presentation of the nancial report, it may be necessary for management to provide disclosures beyond those specically required by the framework; or Acknowledges explicitly that it may be necessary for management to depart from a requirement of the framework to achieve fair presentation of the nancial report. Such departures are expected to be necessary only in extremely rare circumstances.
(ii)
The term compliance framework is used to refer to a nancial reporting framework that requires compliance with the requirements of the framework, but does not contain the acknowledgements in (i) or (ii) above. (c) Unmodied opinion means the opinion expressed by the auditor when the auditor concludes that the nancial report is prepared, in all material respects, in accordance with the applicable nancial reporting framework. 700.8 Reference to nancial report in this Auditing Standard means a complete set of general purpose nancial statements, including the related notes and an assertion statement by those responsible for the nancial report. The related notes ordinarily comprise a summary of signicant accounting policies and other explanatory information. The requirements of the applicable nancial reporting framework determine the form and content of the nancial report. Reference to Australian Accounting Standards in this Auditing Standard means the Australian Accounting Standards issued by the Australian Accounting Standards Board, and reference to International Financial Reporting Standards means the International Financial Reporting Standards issued by the International Accounting Standards Board.
700 Aus 9.1
PART A
236
Paragraph # 800.6
Relevant extracts from ASAs For the purposes of the Australian Auditing Standards, the following terms have the meanings attributed below: (a) [Deleted by the AUASB. Refer Aus 6.1] (b) Special purpose framework means a nancial reporting framework designed to meet the nancial information needs of specic users. The nancial reporting framework may be a fair presentation framework or a compliance framework. (Ref: Para. A1-A4) Aus 6.1 Special purpose nancial report means a complete set of nancial statements, including the related notes and an assertion statement by those responsible for the nancial report, prepared in accordance with a special purpose framework. The related notes ordinarily comprise a summary of signicant accounting policies and other explanatory information. The requirements of the applicable nancial reporting framework# determine the form and content of a nancial report prepared in accordance with a special purpose framework. (Ref: Para A4)
800.8
ASA 210 requires the auditor to determine the acceptability of the nancial reporting framework applied in the preparation of the nancial report. In an audit of a special purpose nancial report, the auditor shall obtain an understanding of: (a) The purpose for which the nancial report is prepared; (b) The intended users; and (c) The steps taken by management to determine that the applicable nancial reporting framework is acceptable in the circumstances. (Ref: Para. A5-A8)
15.1
Overview
The nal step in the audit process is to evaluate the audit evidence obtained, consider the impact of any misstatements identied, form an audit opinion and prepare an appropriately worded audit report. This chapter addresses: > A nancial report prepared in accordance with a reporting framework designed to meet the common nancial information needs of a wide range of users > Forming an opinion on a nancial report. This is based on an evaluation of the conclusions drawn from the audit evidence obtained, and > Expressing clearly that opinion through a written report that also describes the basis for that opinion. Chapters 38 and 39 of Part B of this Manual deal with situations where a modied opinion, Emphasis of Matter paragraph or Other Matter paragraphs are required in the auditors report.
Core concepts
237
For audits conducted in accordance with ASAs, the wording of the unmodied auditors report will contain a minimum number of elements. The wording will generally be standard except where additional paragraphs are added for an emphasis of a matter or other reporting matters. Consistency in the auditors report helps: > Promote credibility in the global marketplace by making more readily identiable those audits that have been conducted in accordance with globally recognised standards, and > Promote the users understanding and helps to identify unusual circumstances (such as modications to the auditors report) when they occur. Sometimes the laws or regulations governing the audit of a nancial report may prescribe different wording for the auditors opinion. However, the auditors responsibilities for forming the opinion remain the same. Where the wording differs signicantly from the ASAs, the auditor would consider the risk that users might misunderstand the assurance obtained. If such a risk exists, further explanation could be added to the auditors report.
PART A
15.2
Financial reporting frameworks
The auditors opinion on the nancial report will be made in the context of the applicable reporting framework. For an audit of a general purpose nancial report (GPFR), ASA 700 outlines the requirements of the auditors report. ASA 700 provides mandatory requirements and explanatory guidance on the form and content of the auditors report of an audit of a GPFR prepared in accordance with the Australian Accounting Standards, the applicable nancial reporting framework, designed to achieve fair presentation. For an audit of a special purpose nancial report (SPFR), ASA 800 is the relevant standard. ASA 800 provides mandatory requirements and explanatory guidance on the form and content of the auditors report issued in connection with an audit of a SPFR. It also requires an auditor to determine the applicability of the nancial reporting framework applied in the preparation of a SPFR. This has an impact on the content of the audit report, which is addressed in section 17.4.
GPFR or SPFR?
The reporting entity concept is generally applied to small- and medium-sized entities to determine whether a GPFR or SPFR is required to be prepared. Proprietary companies will prepare a GPFR if required by law, or if those charged with governance determine that it is necessary to meet the information
238
needs of users who are unable to command the preparation of reports tailored so as to satisfy, specically, all of their information needs (ie. it is a reporting entity). Small proprietary companies may prepare an SPFR for the purpose of fullling the directors nancial reporting requirements under the Corporations Act 2001 (the Act) if it is determined that there are no such users (ie. it is a non-reporting entity). The size tests for a proprietary company with regard to nancial reporting and annual audit requirements under the Act may assist in determining whether an entity prepares a GPFR or a SPFR. A small proprietary company satises two of the following three tests: > Consolidated revenue for the nancial year for the company and its controlled entities is less than $25 million > The value of consolidated gross assets at the end of the nancial year for the company and its controlled entities is less than $12.5 million > The company and its controlled entities have fewer than 50 employees for the nancial year. For companies limited by guarantee, the Act requires the following entities to prepare a nancial report: > Tier 2 companies with either annual revenue of less than $250,000 with deductible gift recipient status, or with annual revenue of between $250,000 and $1 million, irrespective of the deductible gift recipient status. The nancial report can be reviewed or audited. > Tier 3 companies with annual revenue of $1 million or more, irrespective of whether they are a deductible gift recipient. The nancial report must be audited. Once again, application of the reporting entity concept will determine whether a GPFR or an SPFR is prepared for a company limited by guarantee, regardless of which tier it is in. Typically though, entities in Tier 3 would have many users dependent on the nancial report, and would therefore be reporting entities. Under the AASBs Reduced Disclosure Regime (RDR), two types of GPFR are permitted, with the relevant AASBs being AASB 1053 Application of Tiers of Australian Accounting Standards and AASB 2010-2 Amendment to Australian Accounting Standards arising from Reduced Disclosure Requirements. The standards are operative for reporting periods beginning on or after 1 July 2013, but early adoption is permitted. Under these standards, Tier 1 entities, which are publicly accountable, apply full IFRS as adopted in Australia. All other preparers of general purpose
Core concepts
239
nancial reports fall into Tier 2, which are required to apply IFRS recognition, measurement and presentation requirements with substantially reduced disclosures. AASB 1053 implements the two-tier arrangement while AASB 2010-2 makes amendments to many of the existing AASB standards and interpretations to introduce the reduced disclosure requirements into these pronouncements. Public accountability refers to entities which trade securities in a public market or hold assets in a duciary capacity. Typical non-publicly accountable entities (ie. Tier 2) under the RDR include: > Unlisted public companies > Not-for-prot private sector entities > Public sector entities other than federal, state, territory and local governments. Entities in Tier 2 will not be able to claim compliance with IFRS, in spite of the fact that they are complying with all the recognition and measurement requirements. Compliance with IFRS means compliance with the whole IFRS standard, including all the disclosure requirements. Another consequence of adopting RDR is that if an entity using RDR wishes to move to full IFRS in the future, it will need to apply AASB 1 on transition, because under RDR it is unable to make an explicit and unreserved statement of such compliance [with IFRS] in the notes. The following exhibit summarises the nancial reporting requirements for common entities:
Exhibit 15.2-1
Entity type Small proprietary company Large proprietary company Company limited by guarantee Tier 2 Company limited by guarantee Tier 3 Source of reporting obligation Corporations Act Corporations Act GPFR or SPFR? Generally SPFR unless there are users Either depending on whether it is a reporting entity Either depending on whether it is a reporting entity Either depending on whether it is a reporting entity Does RDR apply? No, unless a GPFR is prepared Yes, if a GPFR is prepared Yes, if a GPFR is prepared Yes, if a GPFR is prepared
Corporations Act
Corporations Act
The discussion about reporting frameworks relates to the accounting framework that a nancial report is prepared under. For the purpose of meeting
PART A
240
the objective of an audit engagement, there are two types of general purpose frameworks: the fair presentation framework and the compliance framework, which are explained in the following exhibit.
Exhibit 15.2-2
Frameworks Fair presentation Description A nancial reporting framework (such as International Financial Reporting Standards) that requires compliance with the requirements of the framework and: (i) Acknowledges explicitly or implicitly that, to achieve fair presentation of the nancial report, it may be necessary for management to provide disclosures beyond those specically required by the framework, or (ii) Acknowledges explicitly that it may be necessary for management to depart from a requirement of the framework to achieve fair presentation of the nancial report. Such departures are expected to be necessary only in extremely rare circumstances. The auditor reports on whether the nancial report present fairly, in all material respects or give a true and fair view of the information that the nancial report is designed to present. Compliance A nancial reporting framework that requires compliance with the requirements of the framework, but does not contain the acknowledgements in (i) or (ii) above for fair presentation. The auditor is not required to evaluate whether the nancial report achieves fair presentation. An example would be a nancial reporting framework stipulated by a law or regulation which is designed to meet the nancial information needs of a wide range of users. The auditor reports on whether the nancial report is prepared, in all material respects, in accordance with, for example, the entitys constitution.
In Australia a compliance reporting framework may arise when federal or state legislation or regulations require reporting of only certain gures, in a prescribed format.
Core concepts
241
A decision tree for forming an opinion under the two general purpose frameworks is outlined below.
Exhibit 15.2-3
General purpose financial reporting frameworks
Fair presentation
Compliance
Is the F/R prepared in accordance with an applicable framework?
Is the F/R presented fairly?
No
Report issues to management and those charged with governance
No
Does the F/R comply with framework?
Yes
Yes
Standard audit opinion
Yes
Issue resolved?
Yes
Standard audit opinion
No
No
Modified audit opinion
Make changes to the auditors report
In some cases, the auditor may be required to conduct an audit in accordance with both frameworks. In these situations, the auditors opinion would refer to both the fair presentation framework and the applicable legal or regulatory requirements.
15.3
700.10
Forming the opinion

Relevant extracts from ASAs The auditor shall form an opinion on whether the nancial report is prepared, in all material respects, in accordance with the applicable nancial reporting framework.
Paragraph #
PART A
242
Paragraph # 700.11
Relevant extracts from ASAs In order to form that opinion, the auditor shall conclude as to whether the auditor has obtained reasonable assurance about whether the nancial report as a whole is free from material misstatement, whether due to fraud or error. That conclusion shall take into account: (a) The auditors conclusion, in accordance with ASA 330, whether sufcient appropriate audit evidence has been obtained; (b) The auditors conclusion, in accordance with ASA 450, whether uncorrected misstatements are material, individually or in aggregate; and (c) The evaluations required by paragraphs 12-15 of this Auditing Standard.
700.12
The auditor shall evaluate whether the nancial report is prepared, in all material respects, in accordance with the requirements of the applicable nancial reporting framework. This evaluation shall include consideration of the qualitative aspects of the entitys accounting practices, including indicators of possible bias in managements judgements. (Ref: Para. A1-A3) In particular, the auditor shall evaluate whether, in view of the requirements of the applicable nancial reporting framework: (a) The nancial report adequately discloses the signicant accounting policies selected and applied; (b) The accounting policies selected and applied are consistent with the applicable nancial reporting framework and are appropriate; (c) The accounting estimates made by management are reasonable; (d) The information presented in the nancial report is relevant, reliable, comparable and understandable; (e) The nancial report provides adequate disclosures to enable the intended users to understand the effect of material transactions and events on the information conveyed in the nancial report; and (Ref: Para. A4) (f) The terminology used in the nancial report, including the title of each nancial statement, is appropriate.
700.13
700.14
When the nancial report is prepared in accordance with a fair presentation framework, the evaluation required by paragraphs 12-13 of this Auditing Standard shall also include whether the nancial report achieves fair presentation. The auditors evaluation as to whether the nancial report achieves fair presentation shall include consideration of: (a) The overall presentation, structure and content of the nancial report; and (b) Whether the nancial report, including the related notes, represent the underlying transactions and events in a manner that achieves fair presentation.
700.15 700.16
The auditor shall evaluate whether the nancial report adequately refers to or describes the applicable nancial reporting framework. (Ref: Para. A5-A10) The auditor shall express an unmodied opinion when the auditor concludes that the nancial report is prepared, in all material respects, in accordance with the applicable nancial reporting framework.
Core concepts
243
Paragraph # 700.17
Relevant extracts from ASAs If the auditor: (a) Concludes that, based on the audit evidence obtained, the nancial report as a whole is not free from material misstatement; or (b) Is unable to obtain sufcient appropriate audit evidence to conclude that the nancial report as a whole is free from material misstatement, the auditor shall modify the opinion in the auditors report in accordance with ASA 705.
700.18
If the nancial report prepared in accordance with the requirements of a fair presentation framework does not achieve fair presentation, the auditor shall discuss the matter with management and, depending on the requirements of the applicable nancial reporting framework and how the matter is resolved, shall determine whether it is necessary to modify the opinion in the auditors report in accordance with ASA 705. (Ref: Para. A11) When the nancial report is prepared in accordance with a compliance framework, the auditor is not required to evaluate whether the nancial report achieves fair presentation. However, if in extremely rare circumstances the auditor concludes that such nancial report is misleading, the auditor shall discuss the matter with management and, depending on how it is resolved, shall determine whether, and how, to communicate it in the auditors report. (Ref: Para. A12) When forming an opinion and reporting on a special purpose nancial report, the auditor shall apply the requirements in ASA 700. (Ref: Para. A13)
700.19
800.11
When forming an opinion, the auditor evaluates whether the nancial report is prepared in accordance with the applicable nancial reporting framework, as shown in the exhibit below.
Exhibit 15.3-1
Considerations Forming an audit opinion Materiality Conclude whether: > Materiality remains appropriate in the context of the entitys actual nancial results > Uncorrected misstatements (including uncorrected misstatements related to prior periods), either individually or in aggregate, could result in a material misstatement. Audit evidence > Has sufcient appropriate audit evidence been obtained? > Are the accounting estimates made by management reasonable? > Did the analytical procedures performed at or near the end of the audit corroborate conclusions formed during the audit?
PART A
244
Considerations Forming an audit opinion (continued) Accounting policies > Does the nancial report adequately disclose the signicant accounting policies selected and applied? > Are the accounting policies consistent with the nancial reporting framework and appropriate in the circumstances? Financial report disclosures > Does the nancial report refer to or describe the applicable reporting framework? > Have all nancial report disclosures been made as required by the applicable nancial reporting framework? > Is the terminology used in the nancial report, including the title of each nancial report, appropriate? > Are there adequate disclosures to enable intended users to understand the effect of material transactions and events on the information conveyed in the nancial report? > Is the information presented relevant, reliable, comparable, understandable and sufcient? > Does the nancial report provide adequate disclosures to enable the intended users to understand the effect of material transactions and events on the information conveyed in the nancial report? Fair presentation frameworks > Do the overall presentation, structure and content (including the note disclosures) faithfully represent the underlying transactions and events in accordance with the applicable nancial reporting framework? If not, is there a need to provide disclosures beyond those specically required by the framework to ensure fair presentation? > Is the nancial report, after any adjustments made by management as a result of the audit process, consistent with the understanding obtained about the entity and its environment? Compliance frameworks > Is the nancial report misleading? This is likely only in extremely rare circumstances.
Based on the results of the evaluations outlined above, the auditor would determine what form of audit report (unmodied or modied) is appropriate in the circumstances.
Exhibit 15.3-2
Type of opinion Unmodied opinion Auditors conclusions The nancial report is prepared, in all material respects, in accordance with the applicable nancial reporting framework, and an unmodied opinion would be appropriate.
Core concepts
245
Type of opinion Modied opinion (qualied, adverse or disclaimer)
Auditors conclusions > Based on the audit evidence obtained, the nancial report as a whole is not free from material misstatement; or > Sufcient appropriate audit evidence could not be obtained to conclude that the nancial report as a whole is free from material misstatement. Part B, Chapter 38 of this Manual addresses the subject of modications to the auditors report.
15.4
700.20 700.21 700.22 700.23
Form and wording of the auditors report

Relevant extracts from ASAs The auditors report shall be in writing. (Ref: Para. A13-A14) The auditors report shall have a title that clearly indicates that it is the report of an independent auditor. (Ref: Para. A15) The auditors report shall be addressed as required by the circumstances of the engagement. (Ref: Para. A16) The introductory paragraph in the auditors report shall: (Ref: Para. A17-A19) (a) Identify the entity whose nancial report has been audited; (b) State that the nancial report has been audited; (c) Identify the title of each statement that comprises the nancial report; (d) Refer to the summary of signicant accounting policies and other explanatory information; and (e) Specify the date or period covered by each nancial statement comprising the nancial report.
Paragraph #
700.24
This section of the auditors report describes the responsibilities of those in the organisation who are responsible for the preparation of the nancial report. The auditors report need not refer specically to management, but shall use the term that is appropriate in the context of the legal framework in the particular jurisdiction. In some jurisdictions, the appropriate reference may be to those charged with governance. The auditors report shall include a section with the heading Managements [or other appropriate term] Responsibility for the Financial Report. The auditors report shall describe managements responsibility for the preparation of the nancial report. The description shall include an explanation that management is responsible for the preparation of the nancial report in accordance with the applicable nancial reporting framework, and for such internal control as it determines is necessary to enable the preparation of the nancial report that is free from material misstatement, whether due to fraud or error. (Ref: Para. A20-A23) Where the nancial report is prepared in accordance with a fair presentation framework, the explanation of managements responsibility for the nancial report in the auditors report shall refer to the preparation and fair presentation of these nancial report or the preparation of the nancial report that give a true and fair view, as appropriate in the circumstances.
700.25 700.26
700.27
PART A
246
Paragraph # 700.28 700.29 700.30
Relevant extracts from ASAs The auditors report shall include a section with the heading Auditors Responsibility. The auditors report shall state that the responsibility of the auditor is to express an opinion on the nancial report based on the audit. (Ref: Para. A24) The auditors report shall state that the audit was conducted in accordance with Australian Auditing Standards. The auditors report shall also explain that those standards require that the auditor comply with relevant ethical requirements and that the auditor plan and perform the audit to obtain reasonable assurance about whether the nancial report is free from material misstatement. (Ref: Para. A25-A26) The auditors report shall describe an audit by stating that: (a) An audit involves performing procedures to obtain audit evidence about the amounts and disclosures in the nancial report; (b) The procedures selected depend on the auditors judgement, including the assessment of the risks of material misstatement of the nancial report, whether due to fraud or error. In making those risk assessments, the auditor considers internal control relevant to the entitys preparation of the nancial report in order to design audit procedures that are appropriate in the circumstances, but not for the purpose of expressing an opinion on the effectiveness of the entitys internal control. In circumstances when the auditor also has a responsibility to express an opinion on the effectiveness of internal control in conjunction with the audit of the nancial report, the auditor shall omit the phrase that the auditors consideration of internal control is not for the purpose of expressing an opinion on the effectiveness of internal control; and (c) An audit also includes evaluating the appropriateness of the accounting policies used and the reasonableness of accounting estimates made by management, as well as the overall presentation of the nancial report.
700.31
700.32
Where the nancial report is prepared in accordance with a fair presentation framework, the description of the audit in the auditors report shall refer to the entitys preparation and fair presentation of the nancial report or the entitys preparation of the nancial report that gives a true and fair view, as appropriate in the circumstances. The auditors report shall state whether the auditor believes that the audit evidence the auditor has obtained is sufcient and appropriate to provide a basis for the auditors opinion. The auditors report shall include a section with the heading Opinion. When expressing an unmodied opinion on the nancial report prepared in accordance with a fair presentation framework, the auditors opinion shall, unless otherwise required by law or regulation, use one of the following phrases, which are regarded as being equivalent: (a) The nancial report presents fairly, in all material respects in accordance with [the applicable nancial reporting framework]; or (b) The nancial report gives a true and fair view of in accordance with [the applicable nancial reporting framework]. (Ref: Para. A27-A33)
700.33
700.34 700.35
Core concepts
247
Paragraph # 700.36
Relevant extracts from ASAs When expressing an unmodied opinion on the nancial report prepared in accordance with a compliance framework, the auditors opinion shall be that the nancial report is prepared, in all material respects, in accordance with [the applicable nancial reporting framework]. (Ref: Para. A27, A29-A33)
700.37
700 Aus 37.1
When an entity, in accordance with Accounting Standard AASB 101 Presentation of Financial Statements, has included in the notes to the nancial statements an explicit and unreserved statement of compliance with International Financial Reporting Standards (IFRS), and the auditor agrees with the entitys statement of compliance, the auditor shall state that in the auditors opinion, the nancial report complies with IFRS. (Ref: Para. Aus A33.1Aus A33.2) If the auditor addresses other reporting responsibilities in the auditors report on the nancial report that are in addition to the auditors responsibility under the Australian Auditing Standards to report on the nancial report, these other reporting responsibilities shall be addressed in a separate section in the auditors report that shall be subtitled Report on Other Legal and Regulatory Requirements, or otherwise as appropriate to the content of the section. (Ref: Para. A34-A35) If the auditors report contains a separate section on other reporting responsibilities, the headings, statements and explanations referred to in paragraphs 23-37 of this Auditing Standard shall be under the subtitle Report on the Financial Report. The Report on Other Legal and Regulatory Requirements shall follow the Report on the Financial Report. (Ref: Para. A36 and Aus A36.1) The auditors report shall be signed. (Ref: Para. A37 and Aus A37.1) The auditors report shall be dated as of the date the auditor signs that report. (Ref: Para. A38-A41) The auditors report shall be dated no earlier than the date on which the auditor has obtained sufcient appropriate audit evidence on which to base the auditors opinion on the nancial report, including evidence that: (Ref: Para. A38-A41) (a) All the statements that comprise the nancial report, including the related notes, have been prepared; and (b) Those with the recognised authority have asserted that they have taken responsibility for the nancial report.
700.38
700.39
700.40 700 Aus 40.1 700.41
700.42
The auditors report shall name the location in the jurisdiction where the auditor practices.
PART A
If the reference to the applicable nancial reporting framework in the auditors opinion is not to Australian Accounting Standards and, where applicable, Australian law or regulation, the auditors opinion shall identify the jurisdiction of origin of the framework.
248
Paragraph # 700.43
Relevant extracts from ASAs If the auditor is required by law or regulation of a specic jurisdiction to use a specic layout or wording of the auditors report, the auditors report shall refer to Australian Auditing Standards only if the auditors report includes, at a minimum, each of the following elements: (Ref: Para. A42) (a) A title; (b) An addressee, as required by the circumstances of the engagement; (c) An introductory paragraph that identies the nancial report audited; (d) A description of the responsibility of management (or other appropriate term, see paragraph 24 of this Auditing Standard) for the preparation of the nancial report; (e) A description of the auditors responsibility to express an opinion on the nancial report and the scope of the audit, that includes: A reference to Australian Auditing Standards and the law or regulation; and A description of an audit in accordance with those standards; (f) An opinion paragraph containing an expression of opinion on the nancial report and a reference to the applicable nancial reporting framework used to prepare the nancial report (including identifying the jurisdiction of origin of the nancial reporting framework that is not Australian Accounting Standards and, where applicable, Australian law or regulation); (g) The auditors signature; (h) The date of the auditors report; and (i) The auditors address.
700.44
An auditor may be required to conduct an audit in accordance with the auditing standards of a specic jurisdiction (other auditing standards), but may additionally have complied with the Australian Auditing Standards in the conduct of the audit. If this is the case, the auditors report may refer to Australian Auditing Standards in addition to the other auditing standards, but the auditor shall do so only if: (Ref: Para. A43-A44) (a) There is no conict between the requirements in the other auditing standards and those in Australian Auditing Standards that would lead the auditor (i) to form a different opinion, or (ii) not to include an Emphasis of Matter paragraph that, in the particular circumstances, is required by Australian Auditing Standards; and (b) The auditors report includes, at a minimum, each of the elements set out in paragraph 43(a)-(i) of this Auditing Standard when the auditor uses the layout or wording specied by the other auditing standards. Reference to law or regulation in paragraph 43(e) of this Auditing Standard shall be read as reference to the other auditing standards. The auditors report shall thereby identify such other auditing standards.
700.45
When the auditors report refers to both the other auditing standards and Australian Auditing Standards, the auditors report shall identify the jurisdiction of origin of the other auditing standards.
Core concepts
249
Paragraph # 700.46
Relevant extracts from ASAs If supplementary information that is not required by the applicable nancial reporting framework is presented with the audited nancial report, the auditor shall evaluate whether such supplementary information is clearly differentiated from the audited nancial report. If such supplementary information is not clearly differentiated from the audited nancial report, the auditor shall ask management to change how the unaudited supplementary information is presented. If management refuses to do so, the auditor shall explain in the auditors report that such supplementary information has not been audited. (Ref: Para. A45-A51) Supplementary information that is not required by the applicable nancial reporting framework but is nevertheless an integral part of the nancial report because it cannot be clearly differentiated from the audited nancial report due to its nature and how it is presented shall be covered by the auditors opinion. (Ref: Para A45-A51) ASA 700 requires the auditor to evaluate whether the nancial report adequately refers to, or describes, the applicable nancial reporting framework. In the case of a nancial report prepared in accordance with the provisions of a contract, the auditor shall evaluate whether the nancial report adequately describes any signicant interpretations of the contract on which the nancial report is based. ASA 700 deals with the form and content of the auditors report. In the case of an auditors report on a special purpose nancial report: (a) The auditors report shall also describe the purpose for which the nancial report is prepared and, if necessary, the intended users, or refer to a note in the special purpose nancial report that contains that information; and (b) If management has a choice of nancial reporting frameworks in the preparation of such a nancial report, the explanation of managements responsibility for the nancial report shall also make reference to its responsibility for determining that the applicable nancial reporting framework is acceptable in the circumstances.
700.47
800.12
800.13
800.14
The auditors report on the special purpose nancial report shall include an Emphasis of Matter paragraph alerting users of the auditors report that the nancial report is prepared in accordance with a special purpose framework and that, as a result, the nancial report may not be suitable for another purpose. The auditor shall include this paragraph under an appropriate heading. (Ref: Para. A14-A15)
The auditors report communicates the following information to the reader: > Responsibilities of management > Responsibilities of the auditor and a description of the audit > The audit was conducted in accordance with Australian Auditing Standards > The nancial reporting framework used, and > The auditors opinion on the nancial report.
PART A
250
The form of the auditors report will be affected by the nancial reporting framework used, any additional requirements required by law or regulation and the inclusion of any supplementary information. The auditors report is entitled the Independent Auditors Report and headings are required for each paragraph as follows: > Report on the Financial Report > Managements Responsibility for the Financial Report > Auditors Responsibility, and > Opinion. Other headings for paragraphs that may be used where applicable are: > Emphasis of a Matter, and > Report on Other Legal and Regulatory Requirements For the audit of an SPFR, an emphasis of matter paragraph is required to alert users that the nancial report is prepared in accordance with a special purpose framework and that, as a result, the nancial report may not be suitable for another purpose. The main components of the auditors report for a GPFR (which have to be in writing) are outlined in the exhibit below.
Exhibit 15.4-1
Component Title Comments Independent auditors report Using the word independent distinguishes the independent auditors report from reports issued by others. Addressee Those for whom the report is prepared (typically shareholders or those charged with governance) This may also be dictated by the circumstances of the engagement or local regulations. Introductory paragraph > Identies the entity whose nancial report has been audited > States that the nancial report has been audited > Identies the title of each of the nancial statements that comprise the nancial report > Refers to the summary of signicant accounting policies and other explanatory notes > Species the date and period covered by the nancial report. Where supplementary information is presented, explain whether it is covered by the audit opinion or clearly differentiate it as not being covered.
Core concepts
251
Component Managements [or other appropriate term] responsibility for the nancial report
Comments Explains that management is responsible for the preparation of the nancial report in accordance with the applicable nancial reporting framework. The report states that management is responsible for:
> Such internal control as management determines is necessary to enable the preparation of the nancial report that is free from material misstatement, whether due to fraud or error. Management responsibility includes: > Accepting responsibility for internal control necessary to enable the nancial report to be free from material misstatement, whether due to fraud or error > Selecting and applying appropriate accounting policies > Ensuring the information contained in the nancial report is relevant, reliable, comparable and understandable > Ensuring adequate disclosure to ensure material transactions are understood by users of the nancial report, and > Making accounting estimates that are reasonable in the circumstances. Auditors responsibility States that the responsibility of the auditor is to express an opinion on the nancial report based on the audit. This includes: > Stating that the audit was conducted in accordance with Australian Auditing Standards. The auditors report also explains that those standards require that the auditor comply with relevant ethical requirements and that the auditor plan and perform the audit to obtain reasonable assurance about whether the nancial report is free from material misstatement > Describing an audit by stating: An audit involves performing procedures to obtain audit evidence about the amounts and disclosures in the nancial report The procedures selected depend on the auditors judgement, including the assessment of the risks of material misstatement of the nancial report, whether due to fraud or error. In making those risk assessments, the auditor considers internal control relevant to the entitys preparation of the nancial report in order to design audit procedures that are appropriate in the circumstances but not for the purpose of expressing an opinion on the effectiveness of the entitys internal control, and An audit also includes evaluating the appropriateness of the accounting policies used, the reasonableness of accounting estimates made by management as well as the overall presentation of the nancial report
PART A
> The preparation and fair presentation of the nancial report in accordance with the applicable nancial reporting framework, and
252
Component Auditors responsibility (continued)
Comments > Stating that the auditor believes that the audit evidence the auditor has obtained is sufcient and appropriate to provide a basis for the auditors opinion > Where the nancial report is prepared in accordance with a fair presentation framework, the description of the audit shall refer to the entitys preparation and fair presentation of the nancial report or the entitys preparation of the nancial report that gives a true and fair view, as appropriate in the circumstances.
Auditors opinion
Fair presentation frameworks States whether the nancial report presents fairly, in all material respects (or give a true and fair view of), in accordance with the applicable nancial reporting framework or such similar wording as required by law or regulation. Compliance frameworks States whether the nancial report is prepared in all material respects in accordance with the applicable nancial reporting framework. When Australian Accounting Standards are not used as the nancial reporting framework, the wording of the opinion should identify the jurisdiction or country of origin of the nancial reporting framework (eg. in accordance with accounting principles generally accepted in country X ).
Other reporting responsibilities
Certain standards, laws or generally accepted practice in a jurisdiction may require or permit the auditor to report on other responsibilities. Such matters would be addressed in a separate paragraph following the auditors opinion. The auditors signature will be based on what is appropriate for the particular jurisdiction. It could be the rm name or personal name of the auditor or both. It may also require the auditors professional accountancy designation or reference to the fact that the auditor/rm has been recognised by the appropriate licensing authority. This must be dated as of the date the auditor signs the report. This is no earlier than the date on which the auditor obtained sufcient appropriate audit evidence on which to base the opinion. This evidence includes: > All the nancial statements that comprise the nancial report have been prepared > Consideration of the effect of events and transactions (of which the auditor became aware) that occurred up to that date (refer to ASA 560), and > Assertions by those with the recognised authority that they have taken responsibility for the nancial report.
Auditors signature
Date of report
Auditors address
Indicate the name of the auditors location in the jurisdiction where the auditor practices.
Core concepts
253
Unmodied audit opinion general purpose under the Corporations Act 2001
The standard wording for an auditors report (ASA 700, [Aus] Illustration 1A) on a general purpose nancial report prepared in accordance with a fair presentation framework and expressing an unmodied opinion is illustrated below.
Exhibit 15.4-2
INDEPENDENT AUDITORS REPORT [Appropriate addressee] Report on the nancial report We have audited the accompanying nancial report of ABC Company Ltd, which comprises the statement of nancial position as at 30 June 20X1, the statement of comprehensive income, statement of changes in equity and statement of cash ows for the year then ended, notes compromising a summary of signicant accounting policies and other explanatory information and the directors declaration. Directors responsibility for the nancial report The Directors of the company are responsible for the preparation of the nancial report that gives a true and fair view in accordance with Australian Accounting Standards and the Corporations Act 2001, and for such internal control as the directors determine is necessary to enable the preparation of the nancial report that is free from material misstatement, whether due to fraud or error. In Note XX, the directors also state, in accordance with Accounting Standard AASB 101 Presentation of Financial Statements, that the nancial statements comply with International Financial Reporting Standards.* * Insert only where the entity has included in the notes to the nancial statements an explicit and unreserved statement of compliance with International Financial Reporting Standards in accordance with AASB 101.
Auditors responsibility Our responsibility is to express an opinion on the nancial report based on our audit. We conducted our audit in accordance with Australian Auditing Standards. Those standards require that we comply with relevant ethical requirements relating to audit engagements and plan and perform the audit to obtain reasonable assurance about whether the nancial report is free from material misstatement. An audit involves performing procedures to obtain audit evidence about the amounts and disclosures in the nancial report. The procedures selected depend on the auditors judgement, including the assessment of the risks of material misstatement of the nancial report, whether due to fraud or error. In making those risk assessments, the auditor considers internal control relevant to the entitys preparation of the nancial report that gives a true and fair view in order to design audit procedures that are appropriate in the circumstances, but not for the purpose of expressing an opinion on the effectiveness of the entitys internal control. An audit also includes evaluating the appropriateness of accounting policies used and the reasonableness of accounting estimates made by the directors, as well as evaluating the overall presentation of the nancial report. We believe that the audit evidence we have obtained is sufcient and appropriate to provide a basis for our audit opinion.
PART A
254
Independence In conducting our audit, we have complied with the independence requirements of the Corporations Act 2001. We conrm that the independence declaration required by the Corporations Act 2001, which has been given to the directors of ABC Company Ltd, would be in the same terms if given to the directors as at the time of this auditors report. Opinion In our opinion: (a) The nancial report of ABC Company Ltd is in accordance with the Corporations Act 2001 including: (i) Giving a true and fair view of the companys nancial position as at 30 June 20X1 and of its performance for the year ended on that date; and (ii) Complying with Australian Accounting Standards and the Corporations Regulations 2001; and (b) The nancial report also complies with International Financial Reporting Standards as disclosed in Note XX.* [Auditors signature] [Date of the auditors report] [Auditors address] * Insert only where the entity has included in the notes to the nancial statements an explicit and unreserved statement of compliance with International Financial Reporting Standards in accordance with AASB 101 and the auditor agrees with the entitys statement. If the auditor does not agree with the statement, the auditor refers to ASA 705.
Unmodied audit opinion special purpose nancial report Corporations Act 2001
The standard wording for an auditors report on a special purpose nancial report prepared under the Corporations Act 2001 in accordance with a fair presentation framework and expressing an unmodied opinion is illustrated below. This example is Illustration 4 from Appendix 1 of ASA 800.
Exhibit 15.4-3
INDEPENDENT AUDITORS REPORT [Appropriate addressee] We have audited the accompanying nancial report, being a special purpose nancial report of ABC Company Ltd, which comprises the statement of nancial position as at 30 June 20X1, the statement of comprehensive income, statement of changes in equity and statement of cash ows for the year then ended, notes comprising a summary of signicant accounting policies and other explanatory information, and the directors declaration. Directors responsibility for the nancial report The directors of the company are responsible for the preparation of the nancial report and have determined that the basis of preparation described in Note X to the nancial report is appropriate to meet the requirements of the Corporations Act 2001 and is appropriate to meet the needs of the members.
Core concepts
255
The directors responsibility also includes such internal control as the directors determine is necessary to enable the preparation of a nancial report that is free from material misstatement, whether due to fraud or error. Auditors responsibility Our responsibility is to express an opinion on the nancial report based on our audit. We have conducted our audit in accordance with Australian Auditing Standards. Those standards require that we comply with relevant ethical requirements relating to audit engagements and plan and perform the audit to obtain reasonable assurance whether the nancial report is free from material misstatement. An audit involves performing procedures to obtain audit evidence about the amounts and disclosures in the nancial report. The procedures selected depend on the auditors judgement, including the assessment of the risks of material misstatement of the nancial report, whether due to fraud or error. In making those risk assessments, the auditor considers internal control relevant to the entitys preparation of the nancial report that gives a true and fair view in order to design audit procedures that are appropriate in the circumstances, but not for the purpose of expressing an opinion on the effectiveness of the entitys internal control. An audit also includes evaluating the appropriateness of accounting policies used and the reasonableness of accounting estimates made by the directors, as well as evaluating the overall presentation of the nancial report. We believe that the audit evidence we have obtained is sufcient and appropriate to provide a basis for our audit opinion. Independence In conducting our audit, we have complied with the independence requirements of the Corporations Act 2001. We conrm that the independence declaration required by the Corporations Act 2001, which has been given to the directors of ABC Company Ltd, would be in the same terms if given to the directors as at the time of the auditors report. Opinion In our opinion the nancial report of ABC Company Ltd is in accordance with the Corporations Act 2001, including: (a) Giving a true and fair view of the companys nancial position as at 30 June 20X1 and of its performance for the year ended on that date; and
(b) Complying with Australian Accounting Standards to the extent described in Note X, and the Corporations Regulations 2001. Basis of accounting Without modifying our opinion, we draw attention to Note X to the nancial report, which describes the basis of accounting. The nancial report has been prepared for the purpose of fullling the directors nancial reporting responsibilities under the Corporations Act 2001. As a result, the nancial report may not be suitable for another purpose. [Auditors signature] [Date of the auditors report] [Auditors address]
PART A
256
Unmodied audit opinion special purpose nancial report Applicable State Act (Year)
The standard wording for an auditors report on a special purpose nancial report prepared for a not-for-prot incorporated association in accordance with a fair presentation framework and expressing an unmodied opinion is illustrated below. This example is Illustration 5 from Appendix 1 of ASA 800.
Exhibit 15.4-4
INDEPENDENT AUDITORS REPORT [Appropriate addressee] We have audited the accompanying nancial report, being a special purpose nancial report, of ABC Not-for-prot Incorporated, which comprises the statement of nancial position as at 30 June 20X1, the statement of comprehensive income for the year then ended, notes comprising a summary of signicant accounting policies and other explanatory information, and the ofcers assertion statement. Ofcers responsibility for the nancial report The ofcers of ABC Not-for-prot Incorporated are responsible for the preparation of the nancial report, and have determined that the basis of preparation described in Note X is appropriate to meet the requirements of the Applicable State Act and is appropriate to meet the needs of the members. The ofcers responsibility also includes such internal control as the ofcers determine necessary to enable the preparation of a nancial report that is free from material misstatement, whether due to fraud or error. Auditors responsibility Our responsibility is to express an opinion on the nancial report based on our audit. We have conducted our audit in accordance with Australian Auditing Standards. Those standards require that we comply with relevant ethical requirements relating to audit engagements and plan and perform the audit to obtain reasonable assurance whether the nancial report is free from material misstatement. An audit involves performing procedures to obtain audit evidence about the amounts and disclosures in the nancial report. The procedures selected depend on the auditors judgement, including the assessment of the risks of material misstatement of the nancial report, whether due to fraud or error. In making those risk assessments, the auditor considers internal control relevant to the associations preparation of the nancial report that gives a true and fair view in order to design audit procedures that are appropriate in the circumstances, but not for the purpose of expressing an opinion on the effectiveness of the associations internal control. An audit also includes evaluating the appropriateness of accounting policies used and the reasonableness of accounting estimates made by the ofcers, as well as evaluating the overall presentation of the nancial report. We believe that the audit evidence we have obtained is sufcient and appropriate to provide a basis for our audit opinion. Opinion In our opinion, the nancial report presents fairly, in all material respects, (or gives a true and fair view of) the nancial position of ABC Not-for-prot Incorporated as at 30 June 20X1, and (of) its nancial performance and its cash ows for the year then ended in accordance with [the nancial reporting requirements of Applicable State Act (Year)].
Core concepts
257
Basis of accounting and restriction on distribution Without modifying our opinion, we draw attention to Note X to the nancial report, which describes the basis of accounting. The nancial report has been prepared to assist ABC Notfor-prot Incorporated to meet the requirements of the Applicable State Act. As a result, the nancial report may not be suitable for another purpose.
[Date of the auditors report] [Auditors address]
15.5
Reporting requirements under the Corporations Act 2001
The auditors responsibilities for an entity subject to the Corporations Act 2001 (the Act) are found in Division 3 of Part 2M.3 of the Act. The Act sets out the auditors obligations to form an opinion and to report to members, both in respect of the audit of an annual nancial report and the audit or review of a half-year nancial report. This exhibit provides a summary of the auditors responsibilities with regard to the audit of an annual nancial report.
Summary of audit reporting requirements under the Corporations Act 2001 Exhibit 15.5-1
Requirement Duty to form an opinion Detail Section 307 of the Act requires an auditor who conducts an audit of the nancial report for a nancial year or half-year to form an opinion about: > Whether the nancial report is in accordance with this Act, including: Section 296 or 304 (compliance with accounting standards) Section 297 or 305 (true and fair view) > If the nancial report includes additional information under paragraph 295(3)(c) or 303(3)(c) (information included to give true and fair view of nancial position and performance) whether the inclusion of that additional information was necessary to give the true and fair view required by section 297 or 305 > Whether the auditor has been given all information, explanation and assistance necessary for the conduct of the audit > Whether the company, registered scheme or disclosing entity has kept nancial records sufcient to enable a nancial report to be prepared and audited > Whether the company, registered scheme or disclosing entity has kept other records and registers as required by this Act.
PART A
[Auditors signature]
258
Duty to report annual nancial report
Section 308(1) of the Act states that an auditor who audits the nancial report for a nancial year must report to members on whether the auditor is of the opinion that the nancial report is in accordance with this Act, including: > Section 296 (compliance with accounting standards) > Section 297 (true and fair view). If not of that opinion the auditors report must say why. Non-compliance with accounting standards Section 308(2) of the Act requires that if the auditor is of the opinion that the nancial report does not comply with an accounting standard the auditors report must, to the extent practicable to do so, quantify the effect that non-compliance has on the nancial report. If it is not practicable to quantify the effect fully the report must say why. Defects or irregularities Section 308(3) requires that the auditors report must describe: > Any defect or irregularity in the nancial report > Any deciency, failure or shortcoming in respect of the matters referred to in paragraph 307(b), (c) or (d) (described above). Section 308(3AA) requires an auditor who reviews the nancial report for a company limited by guarantee must report to members on whether the auditor became aware of any matter in the course of the review that makes the auditor believe that the nancial report does not comply with Division 1. Section 308(3AB) requires that a report under subsection (3AA) must: > Describe any matter referred to in subsection (3AA), and > Say why that matter makes the auditor believe that the nancial report does not comply with Division 1. Auditing Standards disclosures Section 308(3A) requires that the auditors report must include any statements or disclosures required by the auditing standards. Information included to give true and fair view Section 308(3B) requires that if the nancial report includes additional information under paragraph 295(3)(c) (information included to give true and fair view of nancial position and performance), the auditors report must also include a statement of the auditors opinion on whether the inclusion of that additional information was necessary to give the true and fair view required by section 297. Other Section 308(4) of the Act requires that the report must specify the date on which it was made.
Core concepts
259
Auditors independence declaration
The Act contains general and specic provisions in relation to auditor independence. This section discusses the requirement of the auditor to prepare a written auditors independence declaration only. Section 307C provides that if an auditor conducts an audit or review of a nancial report for a full year or an audit or review of the nancial report for a half year, the auditor must give the directors of the company, registered scheme or disclosing entity: > A written declaration that, to the best of the auditors knowledge and belief, there have been: No contraventions of the auditor independence requirements of the Act in relation to the audit or review No contraventions of any applicable code of professional conduct in relation to the audit or review, or > A written declaration that, to the best of the individual auditors knowledge and belief, the only contraventions of: The auditor independence requirements of the Act in relation to the audit or review, or Any applicable code of professional conduct in relation to the audit or review are those contraventions details of which are set out in the declaration. Section 307C(5) of the Act requires that the declaration be given when the audit report is given to the directors of the company, registered scheme or disclosing entity and that the declaration must be signed by the person making the declaration. However, ASIC has issued Class Order 05/83 Timing of auditors independence declarations, which allows an auditors report to be signed after the auditors independence declaration is given to directors.
Signing the auditors report
Section 324AA of the Act states that, subject to part 2M.4 of the Act, the following may be appointed as auditor for a company or a registered scheme for the purposes of the Act: > An individual > A rm > An audit company. Section 324AB(3) of the Act requires that a report or notice that purports to be made or given by a rm appointed as auditor of a company or registered scheme is not taken to be duly made or given unless it is signed by a member of the rm who is a registered company auditor both: > In the rm name > In their own name.
PART A
260
Signing the auditors report (continued)
Section 324AD(1) of the Act requires that a report or notice that purports to be made or given by an audit company appointed as auditor of a company or registered scheme is not taken to be duly made or given unless it is signed by a director of the audit company or the lead auditor or review auditor for the audit both: > In the audit companys name, and > In their own name.
Reporting to ASIC
Section 311 of the Act contains specic provisions relating to the auditors obligation to notify ASIC of certain circumstances within 28 days after the auditor becomes aware of those circumstances. ASIC has issued [PN 34] Auditors Obligations: Reporting to ASIC that provides guidance to help auditors comply with their obligation under section 311 and 601 HG to report suspected contraventions of the Corporations Act 2001 to ASIC.
Exhibit 15.5-2
Discussion Additional reporting requirements The auditor may be required to comment on matters such as: > The adequacy of the entitys accounting records > Specic matters if they come to the auditors attention during the course of the audit, and > Results of performing additional specied procedures. Report under separate heading To ensure users understand these additional responsibilities, the auditor would report on them within a separate section in the auditors report (eg. under a new subheading such as Report on Other Legal and Regulatory Requirements).
15.6
Supplementary information presented with the nancial report
Supplementary information is information presented with the audited nancial report but not required by the applicable nancial reporting framework. Supplementary information may be required by law, regulation or standards or may be presented voluntarily. Supplementary information (not required by the applicable nancial reporting framework) needs to be clearly differentiated from the audited nancial report unless it is an integral part of the audited nancial report. If such supplementary information is not clearly differentiated, the auditor shall ask management to change how the unaudited supplementary information is presented. If management refuses to do so, the auditor shall explain in the auditors report that such supplementary information has not been audited.
Core concepts
261
Exhibit 15.6-1
Presenting supplementary information with the nancial report Clearly differentiate supplementary information > Clearly label the information as unaudited > Remove any cross-references from the nancial report to unaudited supplementary information > Place the unaudited supplementary information outside the nancial report > Identify the page numbers in the auditors report on which the audited nancial report is presented.
The fact that supplementary information is not audited does not relieve the auditor of the responsibility to ensure that the information is not misleading or inconsistent with the other information contained in the audited nancial report. (Refer to Part A Chapter 13.10 that addresses ASA 720 The Auditors Responsibilities Relating to Other Information in Documents Containing an Audited Financial Report).
15.7
Audits conducted in accordance with ASAs and other auditing standards
Where the auditor is required to report on compliance with other auditing standards and the ASAs, reference would be made to both sets of standards in the auditors report. A reference to both Australian Auditing Standards and other auditing standards is appropriate when the following conditions are met.
Exhibit 15.7-1
Conditions Refer to compliance with both ASAs and other standards > The auditors report complies with each of the ASAs relevant to the audit > All further audit procedures, necessary to comply with other standards, have been performed > The jurisdiction or country of origin of the auditing standards has been identied in the auditors report > All elements (see Exhibit 15.4-1) of the standard auditors report (even if using the layout and wording specied by national laws or regulations) have been included.
PART A
262
A reference to both Australian Auditing Standards and other auditing standards is not appropriate where a conict exists between the requirements in ASAs and those in the other auditing standards that would result in: > The auditor forming a different opinion on the other standards than that appropriate for the ASA standards, and > Omission of additional information such as an Emphasis of Matter paragraph that is required by the ASAs but not permitted under other standards.
15.8
Modied auditor reports
Refer to Part B, Chapter 38 of this Manual, which addresses modications to the auditors report.
Part B
Practical guidance
16.
How to use Part B
This second part of the Manual illustrates how the Auditing Standards may be applied in the conduct of typical audit engagements for small- and mediumsized entities (SMEs). However, no material in the Manual should be used as a substitute for reading and understanding all of the text of the Auditing Standards, and use of professional judgement.
PART B
266
17.
Introduction to the case studies
To illustrate how the various aspects of the audit process can be documented in practice, two case studies have been developed based on one ctional medium-sized entity and one ctional entity that is very small. The rst scenario (Case Study A) is a furniture company called ONeal Furniture Pty Ltd that employs 10 people. The second scenario (Case Study B) is Kane & Co., a small entity with two people. Kane & Co. primarily supplies goods to ONeal Furniture. Both organisations have decided to prepare accounts in accordance with Australian Accounting Standards. Readers are cautioned that these case studies are purely illustrative. The documentation provided is a small extract from a typical audit le and it illustrates just one possible way of complying with the ASA requirements. The data, analysis and commentary provided represent only some of the circumstances and considerations that the auditor will need to address in a particular audit. As always, the auditor must exercise professional judgement.
Case study A ONeal Furniture Pty Ltd

Background
ONeal Furniture Pty Ltd is a family-owned furniture manufacturing company. It produces various kinds of wooden household furniture, both ready-made and custom built. ONeal Furniture has an excellent reputation for producing quality products. The company has three major product lines: bedroom sets, dining room sets and tables of all sorts. Standard pieces of furniture can also be customised for specic needs. To tap into the power of the internet, the company recently set up a website where people can buy furniture directly and pay by credit card. During the last period, the company shipped custom orders as far as 900 kilometres away. The manufacturing facility is located on an acre of land adjacent to Sam ONeals house. An addition on the west side of Sams home acts as ONeal Furnitures shop. Major decisions are often made around the dining room table (which is the rst table Sam and his father built together). He likes the symbolism of sharing a meal on the product that produces his familys money for food.
Industry trends
Until recently ONeal Furniture had been growing rapidly. However, the furniture industry is currently experiencing challenging times due to: > A declining economy due to a world-wide recession
Practical guidance
267
> Potential customers limiting their spending on discretionary goods, including furniture > Competition > Pressure to reduce prices to attract sales, and > Some furniture parts manufacturers going out of business, thereby creating some production delays.
Governance
The company was started in 1952 by Sams father, Charles ONeal. Charles rst made wooden spindles and banisters in a small workshop next to the family home. The company does not have a formal governance structure. Charles and Sam prepare a business plan each period, then meet once a month with a successful local businessman, Ron James, to review their progress against the plan. They also pay Ron to comment on the practicality of their new dreams and ideas for the business, review the operating results and provide advice on how to deal with any specic issues that have arisen. Rons daughter, Paula (a lawyer by training), usually accompanies her father to the meetings with Sam and Charles. Paula offers some legal advice, but her true passion lies in marketing and promotion. It was Paulas idea that ONeal Furniture should expand its boundaries and start selling its products on the internet. She also pushed for expansion outside their local region and even to neighbouring countries. Perhaps by accessing additional markets, sales levels can be maintained despite the current economic downturn.
PART B
Personnel
ONeal Furniture has a full-time staff of 10 employees. About six of these employees are related in some way to the family. Most of the family members work in the production area (as needed) in addition to the roles outlined in the chart below. During busy periods, two to four temporary workers may be employed as necessary. A few of the temporary workers return regularly but, because of the lack of job security, turnover is quite high. As managing director, Sam ONeal oversees all aspects of the business. Alan Smith is in charge of sales and he is assisted by two full-time salespeople. Dan, Sams brother, looks after production, which includes ordering raw materials and managing the inventory. Because the facilitys space is limited, Sam and Dan are never too far away from the production process and they share the task of supervising the two staff members. Joel King (Sams cousin) is in charge of the nance function and information technology (IT), and has two staff in his group.
268
Sam ONeal Managing Director
Organisational Chart ONeal Furniture Pty Ltd
Alan Smith Sales
Joel King Finance & IT
Dan ONeal Production
Sales staff
Production staff
Ownership
Charles is the principal shareholder with a 50% interest in the company. He has plans to start transferring the shares to his son Sam, as long as Sam continues to manage the company on a full-time basis and the company remains protable as a result. Sam, his brother Dan and his sister Karen each hold a 10% interest. The remaining 20% is held by a family friend, Vin Stevens. Vin is a wealthy investor who has provided much of the capital needed to grow the company.
Ownership of ONeal Furniture Pty Ltd p Vin Stevens 20% Dan 10% Karen 10% Charles ONeal 50%
Sam 10%
Karen is a well-known singer who travels extensively. She is not involved in the operations of the company and relies on her father and brother to look after her interests. In September each year, Charles organises a more formal business meeting. The shareholders meet in the morning (primarily to review the nancial report) and, later in the afternoon, hold a party for all staff. Sam uses this occasion
Practical guidance
269
to tell the staff how well the business is doing and what the plans are for the future.
Operations
The company started out manufacturing chairs, tables and spindles for railings and banisters and has since expanded into making simple household furniture such as dressers, wardrobes and cabinets. ONeal Furniture has grown considerably through strategies such as: > Providing quality products at fair prices to local customers > Accepting larger furniture orders from national retailers. These large orders come with a rm delivery deadline (there are major penalties for late delivery) and the prot margins are much tighter than those for custommade furniture > Being the rst company in the region to sell (limited products) over the internet, and > Manufacturing parts such as spindles and round table legs for other local furniture manufacturers. This has enabled the company to purchase expensive lathes and specialised tools that other companies cannot afford. ONeal Furniture also sells scrap furniture and wood (pieces rejected in the quality control process) at the factory for cash only. Exporting furniture to neighbouring countries is also being considered. Sam recognises that this will mean higher shipping costs, dealing with customs, foreign currency exchange risk and the potential for damage during transport. Although selling to neighbouring countries means higher costs, it seems to be a small price to pay to access potential new customers. Also, Paula knows many people in local government and thinks she can help facilitate the extra paperwork involved.
PART B
Sales
The sales breakdown is approximately: > Standard furniture (from catalogue) from sales that are negotiated in person at the store: 40% > Sales to furniture retailers: 30% > Made-to-order (custom-built) furniture: 15% > Internet sales: 12% > Scrap sales from factory: 3%
270
Scrap 3% Custom 15% Store 40% Retailers 30%
Breakdown of sales
Internet 12%
Alan Smith is a great deal-maker. He is very persistent when negotiating with customers and usually gets the sale, although the prot margins can be slim. Despite the economic downturn, he recently bought a beautiful family home overlooking the valley. > Notes on the sales system Sales contracts are prepared for retail and specialised orders. Deposits of 15% of the order are required on all custom orders, which are recorded as sales revenue when received. Two of the large retailers require ONeal Furniture to keep 30 days of inventory on hand so that orders can be shipped quickly to the stores when needed. These contracts also have provisions for inventory to be returned to ONeal Furniture if it doesnt sell within a specied time period Sales orders are manually lled at the time of sale, except for furniture sold directly from the shop or other small items on hand. All orders over $500 or where the sale price is below the minimum sale price must be approved by Alan. Invoices are prepared when the items are shipped and sent to the customer For all sales out of the shop, invoices are prepared at the time of sale and entered into the accounting system, which automatically numbers each sales transaction and provides an order receipt upon request A summary of the days internet sales is downloaded from the website. Details of the items ordered are prepared and given to the production department. An invoice is prepared at the same time and recorded into revenue, as the item has already been paid for on the customers credit card. The invoice marked paid in full accompanies all internet orders that have been shipped
Practical guidance
271
Alan rarely performs credit checks on customers. He knows most of them. In the past, customers paid cash upon delivery; currently, credit is granted to match the terms that ONeal Furnitures competitors are providing. As a result, ONeal Furniture requires a line of credit from the bank. Each period, the number of bad debts seems to be growing At the end of each month, Sam reviews the sales and accounts receivable listing. He ensures that there are no obvious mistakes and personally calls every customer whose account is over 90 days Each member of the sales staff (including Alan) receives a commission of 15% on each sale in addition to a minimum base salary. To motivate the salespeople, their base salary is well below the salaries of most of the other employees. The computer system tracks sales made by each salesperson. Joel prints a report each month and prepares a listing of commissions that will be paid on the following weeks payroll. Either Sam or Dan reviews the listing of commissions and the sales to ensure that the staff are paid the correct amount. Alan receives by far the most sales commission.
Information technology
PART B
The system consists of six PCs and a server used to host the internet site. The internal system is mainly used for email, order taking and accounting. The company runs weekly back-ups of the accounting system on an external hard drive that is kept in the safe next to the computer room. Firewall protection and password protection have all been added in the last two periods. Last period, two PCs were stolen from the ofce. Access to the ofces is now better secured, the PCs are chained to desks and the server is locked in a separate and specially cooled ofce. Internet sales are managed by Joel. The company has an agreement with the bank to process the credit cards before any order is approved for shipping and pays the bank 7% on each order processed. The application program for internet sales provides the details of each sale, including the customers name, address and the items ordered. Internet transactions are downloaded daily from the website and sales orders are prepared and forwarded to the production department.
Human resources and payroll

All hiring decisions are made by Dan and Sam. Like his father, Sam is committed to hiring competent people and expects loyalty from his employees. Employees are paid in cash at the beginning of each week. One of Joels staff, Karla Winston, is responsible for payroll. She has a list of employees and
272
calculates the payroll and deductions based on timecard summaries that Dan provides to her. Sam reviews payroll each Monday morning before instructing Karla to hand the envelopes to employees. All employees sign a list when they pick up their envelope. The company does not keep formal employee records.
Purchasing and production

Dan is responsible for purchasing and production. Because the inventory system is not very sophisticated, he tends to over-order some items, which often results in inventory sitting in the warehouse gathering dust. This is considered better than under-ordering supplies, which results in production delays. > Notes on the purchasing function At least two quotes must be obtained before purchases over $5,000 are approved. The exception is wood supplied by the local wood mill where ONeal Furniture has negotiated a ve-year exclusive supply contract The company prepares purchase orders for all inventory or capital purchases over $1,000 Dan approves all new vendors and supplies the details to Joel, who then sets up the vendors in the system and enters details of invoices received.
Accounting and nance

Joel studied accounting at university and is well versed in accounting and nancial matters. When he joined ONeal Furniture two years ago, he quickly introduced the Sound Accounting software package by Accounting Plus with its integrated accounts payable, accounts receivable and capital assets modules. > Notes on the accounting and nance function At present, the company does not have a perpetual inventory system. Inventory is counted twice a period, once at period end and once halfway through the period. This ensures that prot margins on sales can be accurately calculated at least twice a period Joel has been frustrated by the lack of controls over inventory. He had suggested to Sam that inventory be counted at least four times per period to ensure that margins are reviewed throughout the period. Sam had overridden his recommendation, stating that it would be too disruptive to count inventory so often and it could cause the company to miss deadlines Although ONeal Furniture has been protable, the gross margins have been inconsistent. Joel does not have an explanation as to why inventory costs are not tracked by product line
Practical guidance
273
Sam gets very annoyed at having to pay any form of income tax and usually pressures Joel to ensure that accruals are more than adequate. Note: The following income statement and balance sheet were prepared by management. Other nancial information, such as a cash ow statement, has not been included.
Appendix A
ONeal Furniture Pty Ltd Income Statement Prepared by management For the year ended 30 June 20X2 ($) Sales Cost of goods sold Gross prot Distribution costs Administrative expenses Finance cost Depreciation 1,437,317 879,933 557,384 64,657 323,283 19,471 23,499 430,910 Prot before tax Income taxes Net income 126,474 31,619 94,855 20X1 ($) 1,034,322 689,732 344,590 41,351 206,754 19,279 21,054 288,438 56,152 14,038 42,114 20X0 ($) 857,400 528,653 328,747 39,450 197,248 15,829
262,870 65,877 16,469 49,408
PART B
10,343
274
Appendix B
ONeal Furniture Pty Ltd Balance Sheet Prepared by management As at 30 June 20X2 ($) ASSETS Current assets Cash and cash equivalents Trade and other receivables Inventories Prepayments and other 22,246 177,203 156,468 12,789 368,706 Non-current assets Property, plant and equipment 195,821 564,527 EQUITY AND LIABILITIES Current liabilities Bank indebtedness Trade and other payables Income tax payable Current portion of interest-bearing loan 123,016 113,641 31,618 10,000 278,275 Non-current liabilities Interest-bearing loan Capital and reserves Issued capital Accumulated prots 18,643 197,609 564,527 18,643 102,753 440,171 18,643 60,639 302,177 70,000 80,000 90,000 107,549 107,188 14,038 10,000 238,775 55,876 50,549 16,470 10,000 132,895 175,450 440,171 103,430 302,177 32,522 110,517 110,806 10,876 264,721 22,947 82,216 69,707 23,877 198,747 20X1 ($) 20X0 ($)
Case study B Kane & Co.

Background
Kane & Co. was started in 1990 by Robert Kane. It consists of two production personnel, Robert as the owner-manager and some part-time bookkeeping assistance. As a young boy, Robert learned the woodcrafting trade from his father, Stanley. When Stanley rst took young Robert under his wing, he saw that Robert also had a natural talent for woodworking, and that made him proud.
Practical guidance
275
After his father died in 1976, Robert decided to invest his small savings in opening his own furniture shop, which he called Kane & Co.
Business proposition
Roberts business was initially focused on producing small wooden household furniture. However, soon after starting the business, his cousin, Sam (of ONeal Furniture) approached him with a business proposition. Sam asked that Robert dedicate most of his time and attention to creating spindles and table legs for furniture the ONeal Furniture factory produced. The price ONeal Furniture was willing to pay for his products allowed him a greater prot margin than he could get with any of his other handiwork. Robert agreed. To encourage Robert to focus his business on serving ONeal Furnitures supply needs, ONeal Furniture purchased a 15% ownership stake in Kane & Co. This helped Kane & Co. purchase new tools to improve production efciency.
Industry trends
The furniture industry is currently facing a challenging economy. Kane & Co. has experienced healthy and steady growth, but if the demand for products from ONeal Furniture declines, Kane & Co.s sales will also be hurt. Robert still takes some custom furniture orders but ONeal Furniture constitutes approximately 90% of his business.
Production
Kane & Co. is an owner-managed company, with Robert owning 85% of the shares. There are two full-time production personnel in addition to Robert. He is used to long work days and works most weekends, simply to keep up with the orders from ONeal Furniture. In the current period, though, Robert is rarely in the ofce or workshop. He does the minimum required to meet demands but has not been nearly as involved in approving orders, supply purchases or record-keeping as he once was. Apparently he is dealing with some health issues his teenage son has developed. At the beginning of the period, Kane & Co. obtained new bank nancing to buy necessary raw materials and to replace some ageing equipment. The loan came with bank covenants that must be maintained or the funds could be recalled. Robert deals directly with ONeal Furniture personnel on orders and logs them in a notebook. The accountant then creates invoices and receives payments. He personally organises shipping and maintains an order/shipping log.
PART B
276
Robert maintains good records and keeps the following information updated: > Order/shipping log: date order was placed, amount, type, pricing, date promised, method of delivery, quantity sold/shipped, date shipped and if paid > Sales log: customer name, date shipped, order details (product type, quantity, type of wood, special requests, etc.), price, amount paid, and > Purchases log: segregated between materials and other items. Robert matches the shipping log to the sales log each week to ensure that no shipments are missed.
Accounting
Kane & Co.s part-time bookkeeper, Ruby, has been working with Robert for over 10 years and is very competent. She maintains the accounting records and creates the monthly and annual nancial report. However, she feels that Robert takes her services for granted. He has not increased her salary in the last three years. Ruby has two children who she wants to go to university but she is worried about how the fees will be paid.
Appendix A
Kane & Co. Income Statement Prepared by management For the year ended 30 June 20X2 ($) Sales Cost of goods sold Gross prot Distribution costs Administrative expenses Finance cost Depreciation 231,540 118,600 112,940 13,002 71,532 6,480 102,555 430,910 Prot before tax Income taxes Net income 10,385 5,765 4,620 20X1 ($) 263,430 122,732 140,698 19,450 91,318 0 117,639 288,438 23,059 6,420 16,639 20X0 ($) 212,818 100,220 112,598 12,890 68,101 0 86,011 262,870 26,587 8,988 17,599
Practical guidance
277
Appendix B
Kane & Co. Balance Sheet Prepared by management As at 30 June 20X2 ($) ASSETS Current assets Cash and cash equivalents Trade and other receivables Inventories 1,255 67,750 34,613 103,618 Non-current assets Property, plant and equipment 54,430 158,048 EQUITY AND LIABILITIES Current liabilities Trade and other payables Current portion of interest-bearing loan 53,100 4,000 57,100 Non-current liabilities Interest-bearing loan Capital and reserves Issued capital Accumulated prots 10,580 59,368 158,048 10,580 54,445 113,845 10,580 26,298 73,378 31,000 0 0 48,820 0 48,820 36,500 22,468 113,845 20,216 73,378 10,822 65,110 15,445 91,377 6,455 34,100 12,607 53,162 20X1 ($) 20X0 ($)
36,500
PART B
278
18.
Risk assessment overview

Activity
Purpose
Documentation1
Risk assessment
Plan the audit
Business and fraud risks including significant risks Design/implementation of relevant internal controls Assessed RMM3 at: > F/R level > Assertion level
Risk response
Update of overall strategy Overall responses Audit plan that links assessed RMM3 to further audit procedures Work performed Audit findings Staff supervision Working paper review
Reporting
yes
Practical guidance
279
Paragraph # 315.3
ASA objective(s) The objective of the auditor is to identify and assess the risks of material misstatement, whether due to fraud or error, at the nancial report and assertion levels, through understanding the entity and its environment, including the entitys internal control, thereby providing a basis for designing and implementing responses to the assessed risks of material misstatement.
A simpler way of describing the three elements is illustrated below.
Exhibit 18.0-1
Risk assessment Risk response
Reporting
What events*
could occur that would cause a material misstatement in the financial report?
Did the events* identified occur and result in a material misstatement in the financial report?
What audit opinion,

based on the evidence obtained, is appropriate on the financial report?
An event is simply a business or fraud risk factor (see descriptions in Part A, Chapter 1, Exhibit 1.2-2) that, if it actually occurred, would adversely affect the entitys ability to achieve its objective of preparing a nancial report that does not contain material misstatements resulting from error and fraud. This would also include risks resulting from the absence of internal control to mitigate the potential for material misstatements in the nancial report.
Exhibit 18.0-2
Quality controls Ethics, independence, and ASAs Decide to accept/continue engagement Planning activities
Risk assessment
Determine materiality
Team planning meeting
Overall audit strategy

Identify and assess inherent risks Identify and assess control risks Communicate significant deficiencies Conclude: Assess RMM* (fraud and error) at report statement and assertion levels
Document findings and any changes to the plan

* RMM = Risks of material misstatement
PART B
The major steps involved in the risk assessment phase of the audit, in the order they would normally be performed, are outlined in the following exhibit.
280
The core concepts addressed in the risk assessment phase are set out below.
Core concepts risk assessment phase Internal control Financial report assertions Materiality and audit risk Risk assessment procedures Chapter Part A, Chapter 3 Part A, Chapter 4 Part A, Chapter 5 Part A, Chapter 6
Practical guidance
281
19.
Engagement acceptance and continuance

Relevant ASAs and ASQC
Chapter content Guidance on procedures required to: > Identify and assess risk factors relevant to deciding whether to accept or decline the audit engagement, and > Agree upon and document the terms of the engagement.
210, 220, 300 and ASQC 1
Exhibit 19.0-1
Activity
Purpose
Documentation
The major steps in the engagement acceptance/continuance process are outlined below.
PART B
Accept or continue? Yes Document procedures performed and how threats and issues were resolved No
Exhibit 19.0-2
Process to accept/continue with an audit engagement
Does the firm have resources, time and competence? Is the firm independent and free from conflict? Are the risks involved acceptable?
Stop
Are the audit preconditions present?1
1
Any scope limitations?
Agree on terms of engagement
Prepare/sign engagement letter
Refer to Chapter 19.3.
Paragraph # 210.3
ASA objective(s) The objective of the auditor is to accept or continue an audit engagement only when the basis upon which it is to be performed has been agreed, through: (a) Establishing whether the preconditions for an audit are present; and (b) Conrming that there is a common understanding between the auditor and management and, where appropriate, those charged with governance of the terms of the audit engagement.
282
Paragraph # 210.4
Relevant extracts from ASAs/ASQC 1 For the purposes of the Australian Auditing Standards, the following term has the meaning attributed below: Preconditions for an audit means the use by management of an acceptable nancial reporting framework in the preparation of the nancial report and the agreement of management and, where appropriate, those charged with governance to the premise on which an audit is conducted.
ASQC 1.26
The rm shall establish policies and procedures for the acceptance and continuance of client relationships and specic engagements designed to provide the rm with reasonable assurance that it will only undertake or continue relationships and engagements where the rm: (a) Is competent to perform the engagement and has the capabilities, including time and resources, to do so; (Ref: Para. A18, A23) (b) Can comply with relevant ethical requirements; and (c) Has considered the integrity of the client and does not have information that would lead it to conclude that the client lacks integrity. (Ref: Para. A19-A20, A23)
ASQC 1.27
Such policies and procedures shall require: (a) The rm to obtain such information as it considers necessary in the circumstances before accepting an engagement with a new client when deciding whether to continue an existing engagement, and when considering acceptance of a new engagement with an existing client. (Ref: Para. A21, A23) (b) If a potential conict of interest is identied in accepting an engagement from a new or an existing client, the rm to determine whether it is appropriate to accept the engagement. (c) If issues have been identied and the rm decides to accept or continue the client relationship or a specic engagement, the rm to document how the issues were resolved.
ASQC 1.28
The rm shall establish policies and procedures on continuing an engagement and the client relationship, addressing the circumstances where the rm obtains information that would have caused it to decline the engagement had that information been available earlier. Such policies and procedures shall include consideration of: (a) The professional and legal responsibilities that apply to the circumstances, including whether there is a requirement for the rm to report to the person or persons who made the appointment or, in some cases, to regulatory authorities; and (b) The possibility of withdrawing from the engagement or from both the engagement and the client relationship. (Ref: Para. A22-A23)
220.12
The engagement partner shall be satised that appropriate procedures regarding the acceptance and continuance of client relationships and audit engagements have been followed and shall determine that conclusions reached in this regard are appropriate. (Ref: Para. A8-A9)
Practical guidance
283
Paragraph # 220.13
Relevant extracts from ASAs/ASQC 1 If the engagement partner obtains information that would have caused the rm to decline the audit engagement had that information been available earlier, the engagement partner shall communicate that information promptly to the rm, so that the rm and the engagement partner can take the necessary action. (Ref: Para. A9) The auditor shall undertake the following activities prior to starting an initial audit: (a) Performing procedures required by ASA 220 regarding the acceptance of the client relationship and the specic audit engagement; and (b) Communicating with the predecessor auditor, where there has been a change of auditors, in compliance with relevant ethical requirements. (Ref: Para. A20)
300.13
19.1
Overview
One of the most important decisions that a rm can make is determining what engagements to accept or which client relationships to retain. A poor decision can lead to unbillable time, unpaid fees, additional stress on partners and staff, loss of reputation and, worst of all, potential lawsuits. ASQC 1 and ASA 220 require rms to develop, implement and document their quality control procedures in regard to their client acceptance and retention policies. Ideally, these policies and procedures should address the level of risk (risk tolerance) and the client characteristics (such as poor management integrity, a high-risk industry or a publicly-traded company) that would not be acceptable to the rm. For more information, refer to ASQC 1 and ASA 220 and to the Institutes Quality Control Guide (third edition). Before a rm decides to accept or retain an engagement, the auditor is required to: > Establish the acceptability of the proposed nancial reporting framework > Assess whether the rm can comply with relevant ethical requirements > Obtain the agreement of management that it acknowledges and understands its responsibility for: The preparation of the nancial report in accordance with the applicable nancial reporting framework Such internal control as management determines is necessary to enable the preparation of nancial report that is free from material misstatement, whether due to fraud or error, and
PART B
284
Providing the auditor with access to all relevant information and any additional information that the auditor may request plus unrestricted access to persons within the entity from whom the auditor determines it necessary to obtain audit evidence > Perform engagement acceptance or continuance procedures. These procedures would be similar to the risk assessment procedures outlined in Part A, Chapter 6. The results (assuming the engagement is accepted) can later be used as part of the risk assessment. The initial and subsequent years assessments of the engagement risk help to ensure that the rm is: > Independent and that no conicts of interest exist > Competent to perform the work with the required resources and time availability > Willing to accept the risks involved in performing the audit. This would include an assessment of managements integrity and attitudes toward internal control, industry trends, availability of appropriate audit evidence and other factors such as the ability of the client to pay the fees involved, and > Not aware of any new information about an existing client that would have caused the rm to decline the engagement if it had been known earlier. Consider point
There may be some very small entities requiring an audit where the ownermanager runs the entity, has few (if any) formal documented controls in place and can therefore override just about everything. In these situations, the auditor has to determine whether the absence of control activities or of other components of control may make it impossible to obtain sufcient appropriate audit evidence. If this is the case, the auditor would exercise professional judgement in determining whether the engagement should be declined or a modied opinion provided. Factors to consider include: > The entitys control environment. For example: is the owner-manager trustworthy, competent and do they have a good attitude toward internal control? > Is it possible to develop an overall response and further audit procedures that would respond appropriately to the assessed risk factors? For example, can substantive procedures be used to determine that all revenues and liabilities are properly recorded in the accounting records?
Once a decision has been reached to accept or continue with the client engagement, the next step is to:
Practical guidance
285
> Establish whether the preconditions for an audit are present, and > Conrm a common understanding between the auditor and management (and, where appropriate, those charged with governance) of the terms of the audit engagement.
19.2
Engagement acceptance
The rst step in the client acceptance or continuance process is to assess the auditing rms ability to perform the engagement and the risks involved. The following exhibit outlines some possible lines of enquiry. See toolkit item 405: New engagement Acceptance and 410: Existing engagement Continuance.
Exhibit 19.2-1
Consider The rms quality control requirements Line of enquiry What (rm and engagement-level) policies and procedures are in place to provide reasonable assurance that the rm will only undertake or continue relationships where: > The rm can comply with the ASA requirements? And
What work is required?
> What is the nature and scope of the audit? > What accounting framework will be used? > How will the auditors report and nancial report be used? > What is the deadline (if any) for completing the audit?
Does the rm have the competence, resources and time required?
> Does the rm have sufcient personnel with the necessary competence and capabilities? > Do the selected rm personnel have: Knowledge of relevant industries or subject matters? Experience with relevant regulatory or reporting requirements? Or Ability to gain the necessary skills and knowledge effectively? > Are experts available, if needed? > Where applicable, are there qualied persons available to perform the engagement quality control review? > Can the rm and the available staff (in light of timing requirements for other clients) complete the engagement within the reporting deadline?
PART B
> The engagement risks involved are within the rms tolerance for risk?
286
Consider Is the rm independent?
Line of enquiry > Can the rm and the engagement team comply with ethical and independence requirements? > Where conicts of interest, lack of independence or other threats have been identied: Has appropriate action been taken to eliminate those threats or reduce them to an acceptable level by applying safeguards? Or Have steps been taken to withdraw from the engagement? > If the entity being audited is a component of a larger group the group engagement team may request certain work to be performed on the nancial information of the component. In such cases the group engagement would rst obtain an understanding of the following: Whether the component auditor understands and will comply with the ethical (including independence) requirements that are relevant to the group audit The component auditors professional competence Whether the group engagement team will be able to be involved in the work of the component auditor to the extent necessary to obtain sufcient appropriate audit evidence and Whether the component auditor operates in a regulatory environment that actively oversees auditors.
Are the risks involved acceptable?
> For new engagements, has the rm communicated, as required by ASA 300.13, with the predecessor auditor to determine if there are any reasons for not accepting the engagement? > Has the rm conducted an internet search and had discussions with rm personnel and other third parties (such as bankers) to identify any reasons why the rm should not accept the engagement? > What are the values (tone at the top) and future goals of the entity? > How competent are the entitys senior management and staff? > Are there difcult or time-consuming issues to address (accounting policies, estimates, compliance with legislation, etc.)? > What changes have taken place this period that will impact the engagement (business trends and initiatives, personnel changes, nancial reporting, IT systems, purchase/sale of assets, regulations, etc.)? > Is there a high level of public scrutiny and media interest? > Is the entity in good nancial health and does it have the ability to pay the rms professional fees? > Will the entity provide help to the rm in obtaining information and preparing schedules, analysis of balances, providing data les, etc.?
Practical guidance
287
Consider Can the client be trusted?
Line of enquiry > Are there any scope limitations, such as unrealistic deadlines or an inability to obtain the required audit evidence? > Is there any reason (or recent event) that casts doubt on the integrity of the principal owners, senior management and those charged with governance of the entity? Consider the entitys operations, including business practices, the businesss reputation and history of any ethical or regulatory infringements. > Are there any indications that the entity might be involved in money laundering or other criminal activities? > What is the identity and business reputation of related parties? > Does management have a poor attitude toward internal control and an aggressive attitude toward interpretation of accounting standards? Consider corporate culture, organisational structure, risk tolerance, complexity of transactions, etc.
Background checks
To ensure the information obtained from the entity is accurate, consider what third party information could be obtained to validate key aspects of the risk assessment. This simple step could avert problems later on. Examples include information from sources such as previous nancial reports, income tax returns, credit reports and possibly (after receiving permission from the prospective client) discussions with key advisers such as bankers, etc. Consider point
Before contacting third parties and collecting information on a prospective client, take steps to ensure all partners and staff are aware of: > The rms policies to protect condential information maintained on clients > Requirements of any privacy legislation and > Requirements of the applicable code of ethics.
PART B
288
19.3
210.6
Pre-conditions for an audit

Relevant extracts from ASAs In order to establish whether the preconditions for an audit are present, the auditor shall: (a) Determine whether the nancial reporting framework to be applied in the preparation of the nancial report is acceptable; and (Ref: Para. A2-A10) (b) Obtain the agreement of management that it acknowledges and understands its responsibility: (Ref: Para A11-A14, A20-Aus A20.1) (i) For the preparation of the nancial report in accordance with the applicable nancial reporting framework including, where relevant, their fair presentation; (Ref: Para. A15) For such internal control as management determines is necessary to enable the preparation of nancial report that is free from material misstatement, whether due to fraud or error; and (Ref: Para. A16-A19)
Paragraph #
(ii)
(iii) To provide the auditor with: a. Access to all information of which management is aware that is relevant to the preparation of the nancial report such as records, documentation and other matters; Additional information that the auditor may request from management for the purpose of the audit; and Unrestricted access to persons within the entity from whom the auditor determines it necessary to obtain audit evidence.
b. c.
Exhibit 19.3-1
Consider Are the audit preconditions present? Line of enquiry Is the nancial reporting framework to be used in preparing the nancial report acceptable? Factors to consider include: > The nature of the entity (business, public sector or not-for-prot) > The purpose of the nancial report (common purpose or for specic users) > The nature of the nancial report (complete set of nancial reports or a single nancial report) > Whether law or regulation prescribes the applicable nancial reporting framework. Does management agree to and acknowledge/understand its responsibility for: > Preparing the nancial report in accordance with the applicable nancial reporting framework, including (where relevant) their fair presentation? > Such internal control as management determines necessary to enable the preparation of a nancial report that is free from material misstatement, whether due to fraud or error?
Practical guidance
289
Consider Are the audit preconditions present? (continued)
Line of enquiry > Providing the auditor with: Access to all relevant information such as records, documentation and other matters? Additional information requested from management for the purpose of the audit (such as written representations)? Unrestricted access to persons within the entity to obtain the necessary audit evidence?
Is there a scope limitation?
Has management or those charged with governance imposed any type of limitation on the scope of the audit? This could include unrealistic deadlines, not accepting certain rms staff to perform the work and denial of access to a facility, key personnel or relevant documents. If such a limitation would result in a disclaimer of opinion, the rm would decline the engagement unless the rm is required by law or regulation to proceed with the engagement.
Where management does not acknowledge its responsibilities or agree to provide the written representations, the auditor will not be able to obtain sufcient appropriate audit evidence. In such circumstances, or where the nancial reporting framework is not acceptable, the auditor is required by ASA 210.8 to decline the engagement unless required by law or regulation.
19.4
210.7
Agreeing the terms of engagement

Relevant extracts from ASAs If management or those charged with governance impose a limitation on the scope of the auditors work in the terms of a proposed audit engagement such that the auditor believes the limitation will result in the auditor disclaiming an opinion on the nancial report, the auditor shall not accept such a limited engagement as an audit engagement, unless required by law or regulation to do so. The auditor shall agree the terms of the audit engagement with management or those charged with governance, as appropriate. (Ref: Para. A21) Subject to paragraph 11 of this Auditing Standard, the agreed terms of the audit engagement shall be recorded in an audit engagement letter or other suitable form of written agreement and shall include: (Ref: Para. A22-A25) (a) The objective and scope of the audit of the nancial report; (b) The responsibilities of the auditor; (c) The responsibilities of management; (d) Identication of the applicable nancial reporting framework for the preparation of the nancial report; and (e) Reference to the expected form and content of any reports to be issued by the auditor and a statement that there may be circumstances in which a report may differ from its expected form and content.
Paragraph #
210.9 210.10
PART B
290
Paragraph # 210.11
Relevant extracts from ASAs If law or regulation prescribes in sufcient detail the terms of the audit engagement referred to in paragraph 10 of this Auditing Standard, the auditor need not record them in a written agreement, except for the fact that such law or regulation applies and that management acknowledges and understands its responsibilities as set out in paragraph 6(b) of this Auditing Standard. (Ref: Para. A22, A26-A27) If law or regulation prescribes responsibilities of management similar to those described in paragraph 6(b) of this Auditing Standard, the auditor may determine that the law or regulation includes responsibilities that, in the auditors judgement, are equivalent in effect to those set out in that paragraph. For such responsibilities that are equivalent, the auditor may use the wording of the law or regulation to describe them in the written agreement. For those responsibilities that are not prescribed by law or regulation such that their effect is equivalent, the written agreement shall use the description in paragraph 6(b) of this Auditing Standard. (Ref: Para. A26) On recurring audits, the auditor shall assess whether circumstances require the terms of the audit engagement to be revised and whether there is a need to remind the entity of the existing terms of the audit engagement. (Ref: Para. A28) The auditor shall not agree to a change in the terms of the audit engagement where there is no reasonable justication for doing so. (Ref: Para. A29-A31) If, prior to completing the audit engagement, the auditor is requested to change the audit engagement to an engagement that conveys a lower level of assurance, the auditor shall determine whether there is reasonable justication for doing so. (Ref: Para. A32-A33) If the terms of the audit engagement are changed, the auditor and management shall agree on and record the new terms of the engagement in an engagement letter or other suitable form of written agreement. If the auditor is unable to agree to a change of the terms of the audit engagement and is not permitted by management to continue the original audit engagement, the auditor shall: (a) Withdraw from the audit engagement where withdrawal is possible under applicable law or regulation; and (b) Determine whether there is any obligation, either contractual or otherwise, to report the circumstances to other parties, such as those charged with governance, owners or regulators.
210.12
210.13
210.14 210.15
210.16
210.17
Note: Paragraphs 18-22 of ASA 210 contain some additional considerations in engagement acceptance, such as where nancial reporting standards are supplemented by law or regulation and where the nancial reporting framework is prescribed by law or regulation. To ensure a clear understanding between management and the auditor on the terms of engagement, an engagement letter (or other suitable form of written agreement) is prepared and agreed with the appropriate representative of senior management. To avoid any potential misunderstanding, the engagement letter would be nalised and signed before the engagement work commences.
Practical guidance
291
A sample of an engagement letter based on the example contained in ASA 210 is provided in the case study materials that follow at the end of this section. The engagement letter would address the matters set out below.
Exhibit 19.4-1
Terms The objective, accounting framework, scope and form of auditors report resulting from the audit of the nancial report Description > The accounting framework to be used > Objective of the audit of nancial report and the anticipated form of auditors report or other communication. Also, the circumstances in which a report may differ from its expected form and content > The scope of the audit, including reference to applicable legislation, regulations and ASAs > Other parties to whom a report is required to be made, eg. a regulator. > To conduct the audit in accordance with the ASAs > Recognition that, due to the inherent limitations of an audit and the limitations of internal control, there is an unavoidable risk that some material misstatements may not be detected, even though the audit is properly planned and performed in accordance with ASAs. > The preparation of the nancial report in accordance with the applicable nancial framework and for designing and implementing such internal control as management determines is necessary to enable the preparation of a nancial report that is free from material misstatement, whether due to fraud or error > Accept the terms of the engagement as outlined in the engagement letter > Provide unrestricted access to any records, documentation and other information requested in connection with the audit > Provide unrestricted access to persons within the entity > Conrm auditors expectation of receiving written conrmation from management concerning representations made in connection with the audit > Agreement of management to inform the auditor of facts that may affect the nancial report, of which management may become aware during the period from the date of the auditors report to the date the nancial report is issued.
The responsibilities of the auditor
Other matters that could be included in the engagement letter are outlined below.
PART B
The responsibilities of management
292
Exhibit 19.4-2
Terms How the audit will be conducted, any dispute resolution, obligations and fee arrangements Description Address arrangements regarding: > The planning and performance of the audit, including the composition of the audit team and details of what (if any) draft nancial report or other working papers are to be prepared by the client along with the dates on which the auditor requires these > Involvement of other auditors and experts > Involvement of the predecessor auditor, if any, with respect to opening balances, and > Other matters: Any restrictions of the auditors liability where such possibility exists The basis on which fees are computed and any billing arrangements Any obligations by the rm to provide audit working papers to other parties, and Reference to any further agreements between the auditor and the client or other letters or reports the auditor expects to issue to the client. Client to conrm the terms of the engagement by acknowledging receipt of the engagement letter.
Updating the engagement letter

When no changes have occurred, the auditor is required to assess whether there is a need to remind the entity of the existing terms of the audit engagement. The terms of engagement may be reconrmed at the time of the auditors reappointment without the need to obtain a new letter each year. The engagement letter is required to be revised when the circumstances change. Matters that may constitute a change in circumstance include: > Any revised or special terms of the engagement > A recent change in senior management > A signicant change in ownership > A signicant change in the nature or size of the entitys business > A change in legal or regulatory requirements > A change in the nancial reporting framework adopted in the preparation of the nancial report > A change in other reporting requirements, and
Practical guidance
293
> Some indication that management misunderstand the objective and scope of the audit.
A change in the terms of the audit engagement

If management requests changes to the terms of the audit engagement, the auditor would consider whether there is reasonable justication for the request and the implications for the scope of the audit engagement. A reasonable justication could include a change in the clients circumstances or a misunderstanding of the nature of the original service requested. A change would not be reasonable if it is motivated by issues raised during the audit. This could include audit information that does not support management representations, an inability to obtain certain audit information (which would effectively limit the scope of the audit) or evidence that is otherwise unsatisfactory. An example might be where the auditor is unable to obtain sufcient appropriate audit evidence regarding inventory balances and the entity asks for the audit engagement to be changed to a review engagement to avoid a qualied opinion or a disclaimer of opinion. If the change in terms is reasonable, a revised engagement letter or other suitable form of written agreement would be obtained. If, however, the auditor is unable to agree to the proposed change in terms and is not permitted by management to continue the original audit engagement, the auditor is required to: > Withdraw from the audit engagement where possible under applicable law or regulation; and > Determine whether there is any obligation, either contractual or otherwise, to report the circumstances to other parties, such as those charged with governance, owners or regulators.
19.5
Case studies client acceptance and continuance
For details of the case studies, refer to Part B, Chapter 17 Introduction to the case studies. Assuming this is an ongoing audit engagement, the partner or senior manager in the audit rm would make some enquiries to identify and assess any new or revised risk factors relevant to deciding to continue with the audit engagement. Such enquiries could include the following.
PART B
294
Case Study A ONeal Furniture Pty Ltd Client acceptance and continuance
A questionnaire such as the following could be used.
> Have the audit preconditions been met? ONeal Furnitures nancial report will be prepared by management using Australian Accounting Standards. The engagement letter has been signed and management have acknowledged their responsibility to: > Make available all information as requested > Provide unlimited access to personnel > Design and implement such internal control as management determines is necessary to enable the preparation of nancial report that is free from material misstatement, whether due to fraud or error. > Have the acceptance/continuance requirements in the rms quality control manual been followed? > Any change in the terms of reference or requirements for the audit engagement? > Any independence issues or conicts of interest? Consider: family/personal relationships with key client people, non-audit services such as accounting, nancial interests and other business relationships. > Any circumstances that would cast doubt on the integrity of the clients owners? Consider convictions, regulatory proceedings/sanctions, suspicion or conrmation of illegal acts or fraud, police investigations and any negative publicity. > Does the engagement team have sufcient knowledge of accounting principles and industry practices to perform the engagement? > Are there areas where specialised knowledge is necessary? > Does the rm have the capacity in time, competencies and resources to complete the engagement in accordance with professional and rm standards? Yes. Refer to policies XX and YY of our QC manual No. Only matter noted was that one of our staff bought a lot of bedroom furniture from ONeal Furniture; he paid the catalogue price. This incident is not considered a threat to our independence. No. However, Paula (daughter of the clients business adviser) received some negative publicity in November. She was an adviser in a land deal where government ofcials were accused of receiving bribes from developers. This matter has also been noted on our listing of risk factors for the audit. Yes. We plan to use the same staff as last period to complete the engagement.
We will use David (who is knowledgeable in the IT area) to review controls over the internet sales. Yes. See the planned budget.
Practical guidance
295
> Are there any issues identied in previous audits and other engagements for this entity that need to be addressed? > Are there any new circumstances that increase our engagement risk? > Can the client continue to pay our fees?
Need for a review of the general IT controls in light of the decision to accept sales over the internet. No. Management has a good attitude toward internal control. Yes.
Conclusion Overall assessment of engagement risk = Low We should continue with this client Sang Jun Lee The terms of engagement would be included in a letter such as outlined below.
Engagement letter
Jamel, Woodwind and Wing Chartered Accountants 55 Kingston Street, Campbelltown, NSW 2560 [Date] Mr Sam ONeal, Managing Director ONeal Furniture Pty Ltd 2255 West Street North Parramatta NSW 2150 Dear Mr ONeal Objective and scope of audit You have requested that we audit the nancial report of ONeal Furniture Pty Ltd which comprises the statement of nancial position as at 30 June 20X2, and the statement of comprehensive income, statement of changes in equity and statement of cash ows for the year then ended, and notes comprising a summary of signicant accounting policies and other explanatory information, as well as the the directors declaration. We are pleased to conrm our acceptance and our understanding of this audit engagement by means of this letter. Our audit will be conducted with the objective of our expressing an opinion on the nancial report. Our responsibilities We will conduct our audit in accordance with Australian Auditing Standards. Those standards require that we comply with ethical requirements and plan and perform the audit to obtain reasonable assurance about whether the nancial report is free from material misstatement. An audit involves performing procedures to obtain audit evidence about the amounts and disclosures in the nancial report. The procedures selected depend on the auditors judgement, including the assessment of the risks of material misstatement of the nancial report, whether due to fraud or error. An audit also includes evaluating the appropriateness of accounting policies used and the reasonableness of accounting estimates made by management, as well as evaluating the overall presentation of the nancial report.
PART B
296
Because of the inherent limitations of an audit, together with the inherent limitations of internal control, there is an unavoidable risk that some material misstatements may not be detected, even though the audit is properly planned and performed in accordance with Australian Auditing Standards. In making our risk assessments, we consider internal control relevant to the entitys preparation of the nancial report in order to design audit procedures that are appropriate in the circumstances, but not for the purpose of expressing an opinion on the effectiveness of the entitys internal control. However, we will communicate to you in writing any signicant deciencies in internal control relevant to the audit of the nancial report that we have identied during the audit. Unless unanticipated difculties are encountered, our report will be substantially in the following form: [form and content of the auditors report has not been reproduced.] The form and content of our report may need to be amended in the light of our audit ndings. Managements responsibility Our audit will be conducted on the basis that management and those charged with governance acknowledge and understand that they have responsibility: (a) For the preparation of the nancial report that gives a true and fair view in accordance with the Corporations Act 2001 and Australian Accounting Standards; (b) For such internal control as [management] determines necessary to enable the preparation of the nancial report that is free from material misstatement, whether due to fraud or error; and (c) To provide us with: (i) Access to all information of which the directors and management are aware that is relevant to the preparation of the nancial report such as records, documentation and other matters; Additional information that we may request from the directors and management for the purpose of the audit; and
(ii)
(iii) Unrestricted access to persons within the entity from whom we determine it necessary to obtain audit evidence. As part of our audit process, we will request from management and, where appropriate, those charged with governance written conrmation concerning representations made to us in connection with the audit. We look forward to full cooperation from your staff during our audit. Independence We conrm that, to the best of our knowledge and belief, we currently meet the independence requirements of the Corporations Act 2001 in relation to the audit of the nancial report. In conducting our audit of the nancial report, should we become aware that we have contravened the independence requirements of the Corporations Act 2001, we shall notify you on a timely basis. As part of our audit process, we shall also provide you with a written independence declaration as required by the Corporations Act 2001.
Practical guidance
297
The Corporations Act 2001 includes specic restrictions on the employment relationships that can exist between the audited entity and its auditors. To assist us in meeting the independence requirements of the Corporations Act 2001, and to the extent permitted by law and regulation, we request you discuss with us: > The provision of services offered to you by Jamel, Woodwind and Wing Chartered Accountants prior to engaging or accepting the service > The prospective employment opportunities of any current or former partner or professional employee of Jamel, Woodwind and Wing Chartered Accountants prior to the commencement of formal employment discussions with the current or former partner or professional employee. Fees Our fees, which will be billed as work progresses, are based on the time required by the individuals assigned to the engagement plus out-of-pocket expenses. Individual hourly rates vary according to the degree of responsibility involved and the experience and skill required. This letter will be effective for future periods unless it is terminated, amended or superseded. Please sign and return the attached copy of this letter to indicate that it is in accordance with your understanding of the arrangements for our audit of the nancial report. Yours truly, __________________ Sang Jun Lee
Acknowledged on behalf of ONeal Furniture Pty Ltd by:
__________________ Sam ONeal Managing Director [Date]
PART B
Jamel, Woodwind & Wing Chartered Accountants
298
Case study B Kane & Co. Client acceptance and continuance

Assuming this is an ongoing audit engagement, the enquiries to identify and assess any new or revised risk factors could be documented in a memo as follows.
Client Continuance Memo Kane & Co. [Date] We spoke to the client, Robert Kane on [date] to determine whether we should accept this engagement. Matters arising: > Robert requires an audit opinion on the nancial report of Kane & Co. which is to be prepared in accordance with Australian Accounting Standards > We have not identied any threats to our independence > Nothing new happened that might raise concerns over the integrity of the owner > Operations are similar to the previous period although Roberts absence from day-to-day operations does create more opportunity for fraud to be committed. We should consider expanding our substantive procedures this year to address the potential fraud risks > No additional specialists are necessary and the same people as last period can perform the audit. Two possible concerns this period: > The company has experienced a drop in demand for products from its major customer, ONeal Furniture > Robert has diverted much of his focus to personal family matters. During our audit, we should ensure that books and records have been kept up-to-date and no undetected errors occurred. This could also create a fraud risk. Overall assessment of engagement risk = Moderate We will accept this engagement for the current period. Sang Jun Lee
The terms of engagement would be included in a letter that would be very similar to the example previously provided in Case Study A: ONeal Furniture Pty Ltd.
Practical guidance
299
20.

Relevant ASA
Chapter content Outline of steps involved in developing an overall plan and strategy for the audit.
300
Exhibit 20.0-1
Activity
Purpose
Documentation1
Risk assessment
Plan the audit
Paragraph # 300.4
ASA objective(s) The objective of the auditor is to plan the audit so that it will be performed in an effective manner. Relevant extracts from ASAs The engagement partner and other key members of the engagement team shall be involved in planning the audit, including planning and participating in the discussion among engagement team members. (Ref: Para. A4) The auditor shall establish an overall audit strategy that sets the scope, timing and direction of the audit, and that guides the development of the audit plan. In establishing the overall audit strategy, the auditor shall: (a) Identify the characteristics of the engagement that dene its scope; (b) Ascertain the reporting objectives of the engagement to plan the timing of the audit and the nature of the communications required; (c) Consider the factors that, in the auditors professional judgement, are signicant in directing the engagement teams efforts; (d) Consider the results of preliminary engagement activities and, where applicable, whether knowledge gained on other engagements performed by the engagement partner for the entity is relevant; and (e) Ascertain the nature, timing and extent of resources necessary to perform the engagement. (Ref: Para. A8-A11)
Paragraph # 300.5
300.7 300.8
PART B
300
Paragraph # 300.9
Relevant extracts from ASAs The auditor shall develop an audit plan that shall include a description of: (a) The nature, timing and extent of planned risk assessment procedures as determined under ASA 315. (b) The nature, timing and extent of planned further audit procedures at the assertion level as determined under ASA 330. (c) Other planned audit procedures that are required to be carried out so that the engagement complies with the Australian Auditing Standards. (Ref: Para. A12)
300.10 300.11 200.15
The auditor shall update and change the overall audit strategy and the audit plan as necessary during the course of the audit. (Ref: Para. A13) The auditor shall plan the nature, timing and extent of direction and supervision of engagement team members and the review of their work. (Ref: Para. A14-A15) The auditor shall plan and perform an audit with professional scepticism recognising that circumstances may exist that cause the nancial report to be materially misstated. (Ref: Para. A18-A22)
20.1
Overview
Planning is important to ensure that the engagement is performed in an efcient and effective manner and that audit risk has been reduced to an acceptably low level. Audit planning is not a discrete phase of the audit. It is a continual and iterative process that starts shortly after completion of the previous audit and continues until the completion of the current audit. The benets of audit planning are outlined in the exhibit below.
Exhibit 20.1-1
Benets of audit planning > Team members learn from the experience/insight of the partner and other key personnel. > The engagement is properly organised, staffed and managed. > Experience gained from previous periods engagements and other assignments is properly utilised. > Important areas of the audit receive the appropriate attention. > Potential problems are identied and resolved on a timely basis. > Audit le documentation is reviewed on a timely basis. > Work performed by others is coordinated (other auditors, experts, etc.).
Practical guidance
301
There are two levels of planning for the audit as illustrated in the following exhibit.
Audit planning
Risk assessment Risk response Reporting

Engagement characteristics Reporting objectives Significant factors and experience (materiality, risk factors, etc.) Nature, timing and extent of resources necessary
Continually update and change audit plans as required
Detailed audit plan

Nature, timing and extent of planned procedures Risk assessment procedures Further audit procedures
Communications with management and those charged with governance
Exhibit 20.1-2
Consider point
It is often said that an hour spent planning can save ve hours in execution. A well planned audit ensures that the audit effort is directed to addressing the high-risk areas, unnecessary audit procedures are scoped out and that audit staff know what is expected of them.
Development of the overall audit strategy begins at the commencement of the engagement and is completed and then updated based on the information obtained from: > Previous experience with the entity > Preliminary (client acceptance and continuation) activities > Discussions with the client on changes since last period and recent operating results > Other engagements performed for the client during the period > Audit team discussions and meetings
PART B
302
> Other external sources such as newspaper and internet articles, and > New information obtained, failed audit procedures or new circumstances encountered during the audit that will change previously planned strategies. The detailed audit plan will begin a little later when the specic risk assessment procedures are planned and when there is sufcient information about assessed risks to develop an appropriate audit response. The requirements for developing the detailed audit plan are addressed in Part B, Chapter 31. The time required to prepare an overall audit strategy will vary based on: > The size and complexity of the entity > The composition and size of the audit team. Smaller audits will also have smaller teams, making planning, coordination and communication easier > Previous experience with the entity, and > Circumstances encountered in performing the audit. Consider point
Small entity audits are often conducted by very small audit teams. This makes coordination and communication among the team members easier and development of the overall audit strategy can be straightforward. Documentation for small entities may be in the form of a brief memorandum that includes: > Nature of engagement and timing > Issues identied in the audit just completed > What has changed in the current period > Any revisions required in the overall audit strategy or in the detailed audit plan, and > Specic responsibilities of each member of the audit team. Planning for the current period can start with a brief memo prepared at the end of the previous audit. However, the memo needs to be updated for the current period, based on discussions with the owner-manager and the results of audit team meetings.
20.2
Developing the overall audit strategy
The overall audit strategy is a record of the key decisions considered necessary to properly plan the audit and to communicate signicant matters to the engagement team. The strategy will document the decisions arising from conducting the planning steps outlined in the exhibit below. Note that specic details of risk assessment and further audit procedures to be performed would be documented in the detailed audit plan.
Practical guidance
303
Exhibit 20.2-1
Basic steps Getting started Description > Perform preliminary activities (client acceptance/continuance and establish the terms of engagement) > Gather relevant information about the entity such as current operating results, results from previous engagements and signicant changes in the current period > Assign staff to the engagement including, where applicable, the engagement quality control reviewer and any experts required > Schedule the audit team meeting (including the engagement partner) to discuss the susceptibility of material misstatements (including fraud) in the nancial report > Determine the appropriate timeframes (dates) when each aspect of audit work will be undertaken (inventory counts, risk assessment procedures, external conrmations, the period-end visit and meetings to discuss audit results). Assessing risks and responses > Determine materiality for the nancial report as a whole and performance materiality > Determine the nature and extent of the required risk assessment procedures and who will perform them
> Communicate an overview of the planned scope and timing of the audit to those charged with governance > Update and change the strategy and audit plan as necessary in light of new circumstances.
When the risks of material misstatement have been identied and assessed, the overall strategy (including timing, stafng and supervision) can be nalised and the detailed audit plan developed. The detailed plan will set out the further audit procedures required at the assertion level that respond to the identied and assessed risks. As work commences, changes may be required to the overall strategy and detailed plans to respond to new circumstances, audit ndings and other information obtained. Any such changes are to be documented along with the reasons in the audit documentation such as the overall audit strategy or audit plan. The overall strategy documents relevant matters such as those listed in the following exhibit.
PART B
> When risk has been assessed at the nancial report level, develop an appropriate overall response (refer to Part A, Chapter 7). Also include the impact on the further audit procedures to be performed
304
Exhibit 20.2-2
Document Engagement characteristics Description > The nancial reporting framework to be used > Additional reports required such as stand-alone nancial and industry-specic requirements (by regulators, etc.) > Any need for specialised knowledge or expertise to address complex, specic and high-risk audit areas > Evidence required from service organisations > Use of evidence obtained in previous audits (such as risk assessment procedures and tests of controls) > Effect of information technology on audit procedures (availability of data and use of computer-assisted audit techniques) > Need to introduce some unpredictability in performing audit procedures > Availability of client personnel and data. Reporting objectives > Entitys timetable for reporting > Timing of meetings with management and those charged with governance to discuss: The nature, timing and extent of the audit work. This could include dates for inventory counts, external conrmations, and interim and other required procedures Status of audit work throughout the engagement, and The auditors report and other communications such as management letters > Timing of meetings/communications among engagement team members to discuss: Entity risk factors (business and fraud) Nature, timing and extent of work to be performed Review of work performed, and Other communications with third parties.
Practical guidance
305
Document Signicant factors
Description > Materiality (overall, individual nancial report areas and performance materiality) > Preliminary assessment of risk at the overall nancial report level and the impact on the audit > Preliminary identication of: Signicant and material classes of transactions, account balances and disclosures, and Areas where there may be a higher risk of material misstatement > How engagement team members will be reminded to maintain a questioning mind and to exercise professional scepticism in gathering and evaluating audit evidence > Relevant results of previous audits including identied control deciencies and action taken by management to address them > Discussions with rms personnel who provided other services to the entity > Evidence of managements attitude toward internal control and importance attached to internal control generally throughout the entity > Volume of transactions, which may determine whether it is more efcient for the auditor to rely on internal control.
Signicant changes and developments
> Signicant business developments affecting the entity, including changes in information technology and business processes, changes in key management and acquisitions, mergers and divestitures > Signicant industry developments, such as changes in industry regulations and new reporting requirements > Signicant changes in the nancial reporting framework, such as changes in accounting standards > Other signicant relevant developments such as changes in the legal environment affecting the entity.
Nature, timing and extent of resources required
> The engagement team (including, where necessary, the engagement quality control reviewer) > Assignment of audit work to the team members, including the assignment of appropriately experienced team members to areas where there may be higher risks of material misstatement > Engagement budgeting, including considering the appropriate amount of time to set aside for areas where there may be higher risks of material misstatement.
If the entity has components (such as subsidiaries or operating divisions), reference should be made to the additional planning considerations outlined in the Appendix to ASA 300 and to the requirements of ASA 600.
PART B
306
For smaller entities, a brief memorandum may serve as the documented overall strategy. For the audit plan, standard audit programs or checklists may be used, assuming there are few relevant control activities and provided that the programs are tailored to the circumstances of the engagement, including the auditors risk assessments. See toolkit item 430: Overall audit strategy.
20.3
Communicating the audit plan with management and those charged with governance
Relevant extracts from ASAs The auditor shall communicate with those charged with governance an overview of the planned scope and timing of the audit. (Ref: Para. A11-A15)
Paragraph # 260.15
An ongoing, two-way dialogue with management and those charged with governance can play an important role in the audit planning process. Good communication regarding the planned scope and timing of the audit may assist management and those charged with governance to: > Understand the consequences of the auditors work > Discuss issues of risk and the concept of materiality with the auditor, and > Identify any areas in which they may request the auditor to undertake additional procedures. This dialogue may also assist the auditor in developing a better understanding of the entity and its environment. Take care, though, not to compromise the effectiveness of the audit. For example, communicating the exact nature and timing of detailed audit procedures may reduce the effectiveness of those procedures by making them too predictable. Matters that the auditor may consider for communication include: > How the auditor proposes to address the signicant risks of material misstatement, whether due to fraud or error > The auditors approach to internal control relevant to the audit, and > The application of materiality in the context of an audit. Other planning matters that may be appropriate to discuss include: > The views of those charged with governance of: The allocation of responsibilities between those charged with governance and management
Practical guidance
307
The entitys objectives and strategies and the related business risks that may result in material misstatements Matters that those charged with governance consider warrant particular attention during the audit and any areas where they request additional procedures to be undertaken Signicant communications with regulators, and Other matters that those charged with governance consider may inuence the audit of the nancial report > The attitudes, awareness and actions of those charged with governance concerning: The entitys internal control and its importance in the entity, including how those charged with governance oversee the effectiveness of internal control, and The detection or possibility of fraud > The actions of those charged with governance in response to developments in accounting standards, corporate governance practices and other related matters, and > The responses of those charged with governance to previous communications with the auditor. Note: This two-way communication does not change the auditors sole responsibility to establish the overall audit strategy and the audit plan, including the nature, timing and extent of procedures necessary to obtain sufcient appropriate audit evidence. Further matters may be required to be communicated by law or regulation, by agreement with the entity or by additional requirements applicable to the engagement. Also note that ASA 265 sets out the requirements to communicate signicant deciencies identied in internal control.
PART B
20.4
300.12
Documentation
Relevant extracts from ASAs The auditor shall include in the audit documentation: (a) The overall audit strategy; (b) The audit plan; and (c) Any signicant changes made during the audit engagement to the overall audit strategy or the audit plan, and the reasons for such changes. (Ref: Para. A16-A19)
Paragraph #
308
The overall audit strategy and detailed audit plan, including details of any signicant changes made during the audit engagement, are required to be documented. The auditor may use a memorandum, standard audit programs or audit completion checklists, tailored as needed to reect the particular engagement circumstances. See toolkit item 310: Checklist Audit completion.
20.5
Case studies the overall audit strategy
For details of the case studies, refer to Part B, Chapter 17 Introduction to the case studies. Once the decision has been made to continue with the audit, the next step is to develop or update the overall audit strategy for conducting the engagement. This can be documented by some form of planning checklist or a brief structured memorandum (see the consider point above) such as the examples that follow.

ONeal Furniture Overall strategy memo Period end 30 June 20X2 Scope The scope of the audit has not changed this period. Audit to comply with applying ASAs to a nancial report prepared in accordance with Australian Accounting Standards. There have been no changes in Accounting Standards that affect ONeal Furniture this year. Entity changes ONeal Furniture is planning to make sales in foreign currencies. Internet sales are also increasing and ONeal Furnitures IT capabilities will be stretched. ONeal Furniture is now selling to Franks Furniture Warehouse, which is renowned for squeezing prot margins of suppliers in exchange for giving large orders. It also requires suppliers to maintain additional inventories of some products for instant delivery as required. Risk Our assessment of risk at the nancial report level is low (refer to W/P Ref. #). Management is not particularly sophisticated but there is a strong commitment to competence; it has introduced a code of ethics and, in general, has a good attitude toward internal control. Overall strategy > Materiality for the nancial report as a whole will be increased from $8,000 to $10,000 this period to reect the growth in sales and protability during the last period. Management bonuses of approximately $70,000 were added back to income for calculating materiality for the nancial report as a whole (refer to working paper on determining materiality Part B, Chapter 21). Performance materiality (based on our assessment of audit risk) has been set at $7,500, except for certain account balances as described on W/P ref. #
Practical guidance
309
> Use the same senior staff as last period and perform the work at the same time > Perform our risk assessment procedures at the end of [month]. There are no plans to change any systems at present > At our team planning meeting to be held on [date], we need to: Consider the susceptibility of the nancial report to fraud Emphasise use of professional scepticism by our staff Identify fraud scenarios by employees and management Focus on identication of related-party transactions that have been growing and expanding our testing, and > Attend the period-end inventory counts. There are still no ongoing inventory control procedures > Use David (who is knowledgeable about IT systems) to identify the risks of material misstatement relating to the internet sales and whether any relevant internal controls exist to mitigate such risks. He will also assess the general IT controls. Audit partner: (signed) Sang Jun Lee Date: [Date]

Kane & Co. Overall strategy memo Period end 30 June 20X2 Scope > Perform the statutory audit > Management wants to use Australian Accounting Standards. Risk > At the nancial report level is Moderate Risk (refer to W/P Ref. #). Changes > Lower sales due to fewer orders from ONeal Furniture > Could lead to unsaleable nished goods inventory and sales returns > Robert not as active in the business as in prior period which could increase the risk of fraud > New nancing resulting in new bank covenants to maintain. Overall strategy > Materiality for the nancial report as a whole will be decreased from $3000 to $2500 due to decline in sales and protability. Performance materiality (based on our assessment of audit risk) has been set at $1,800, except for certain account balances as described on W/P ref. # > Use the same staff as last period for continuity and audit efciency > Perform risk assessment procedures at end of [month]
PART B
310
> At our team planning meeting to be held on [date], we need to: Consider the susceptibility of the nancial report to fraud Discuss the potential for employee fraud and management override. The bookkeeper seems disgruntled and may have motivation and opportunity as Robert has not been as involved in reviewing the nancial report as he did in the past Focus on the growing related-party transactions to ONeal Furniture > Attend the period-end inventory count > Expand our testing with regard to related-party transactions. Audit partner: (signed) Sang Jun Lee [Date]
Practical guidance
311
21.
Determining and using materiality

Relevant ASAs
Chapter content Determination and use of materiality in an audit engagement.
320, 450
Exhibit 21.0-1
Activity
Risk assessment
Purpose
Documentation1
Plan the audit
Exhibit 21.0-2
Overall materiality Overall

Financial report level (for the financial report as a whole) Overall performance materiality
Account balance,class of transactions and disclosures level
Specific materiality (for particular financial report areas) Specific perfomance materiality
Quantitative amount
Note: The terms overall materiality and specic materiality used in the chart above and in the text below are used solely for the purposes of this Manual and are terms that are not used in the ASAs. Overall materiality refers to the nancial report as a whole and specic materiality relates to materiality of particular classes of transactions, account balances or disclosures.
PART B
312
Paragraph # 320.8 450.3
ASA objective(s) The objective of the auditor is to apply the concept of materiality appropriately in planning and performing the audit. The objective of the auditor is to evaluate: (a) The effect of identied misstatements on the audit; and (b) The effect of uncorrected misstatements, if any, on the nancial report.
Paragraph # 320.9
Relevant extracts from ASAs For the purposes of the Australian Auditing Standards, performance materiality means the amount or amounts set by the auditor at less than materiality for the nancial report as a whole to reduce to an appropriately low level the probability that the aggregate of uncorrected and undetected misstatements exceeds materiality for the nancial report as a whole. If applicable, performance materiality also refers to the amount or amounts set by the auditor at less than the materiality level or levels for particular classes of transactions, account balances or disclosures. When establishing the overall audit strategy, the auditor shall determine materiality for the nancial report as a whole. If, in the specic circumstances of the entity, there is one or more particular class of transactions, account balances or disclosures for which misstatements of lesser amounts than materiality for the nancial report as a whole could reasonably be expected to inuence the economic decisions of users taken on the basis of the nancial report, the auditor shall also determine the materiality level or levels to be applied to those particular classes of transactions, account balances or disclosures. (Ref: Para. A2-A11) The auditor shall determine performance materiality for purposes of assessing the risks of material misstatement and determining the nature, timing and extent of further audit procedures. (Ref: Para. A12) The auditor shall revise materiality for the nancial report as a whole (and, if applicable, the materiality level or levels for particular classes of transactions, account balances or disclosures) in the event of becoming aware of information during the audit that would have caused the auditor to have determined a different amount (or amounts) initially. (Ref: Para. A13) If the auditor concludes that a lower materiality for the nancial report as a whole (and, if applicable, materiality level or levels for particular classes of transactions, account balances or disclosures) than that initially determined is appropriate, the auditor shall determine whether it is necessary to revise performance materiality, and whether the nature, timing and extent of the further audit procedures remain appropriate. The auditor shall include in the audit documentation the following amounts and the factors considered in their determination: (a) Materiality for the nancial report as a whole (see paragraph 10 of this Auditing Standard); (b) If applicable, the materiality level or levels for particular classes of transactions, account balances or disclosures (see paragraph 10 of this Auditing Standard); (c) Performance materiality (see paragraph 11 of this Auditing Standard); and (d) Any revision of (a)-(c) as the audit progressed (see paragraphs 12-13 of this Auditing Standard).
320.10
320.11
320.12
320.13
320.14
Practical guidance
313
Paragraph # 450.6
Relevant extracts from ASAs The auditor shall determine whether the overall audit strategy and audit plan need to be revised if: (a) The nature of identied misstatements and the circumstances of their occurrence indicate that other misstatements may exist that, when aggregated with misstatements accumulated during the audit, could be material; or (Ref: Para. A4) (b) The aggregate of misstatements accumulated during the audit approaches materiality determined in accordance with ASA 320. (Ref: Para. A5)
21.1
Overview
Decisions made by the auditor on materiality will form the basis for risk assessments and for determining the extent of auditing procedures required. Determining materiality is a matter of professional judgement. It is based on the auditors perception of the common nancial information needs of users of the nancial report as a group. Overall materiality (which is a term used in this Manual to summarise materiality for the nancial report as a whole) is the total amount of misstatements in a nancial report, including omissions, which, if exceeded, could reasonably be expected to inuence the economic decisions of users. This differs from audit risk, which relates to an inappropriate audit opinion being issued on nancial report that is materially misstated. This chapter addresses the determination of overall and specic materiality and the auditors use of performance materiality to obtain sufcient and appropriate audit evidence. Materiality is used throughout the audit for audit planning, risk assessment, risk response and reporting. Additional information on materiality and audit risk is contained Part A, Chapter 5 of this Manual. There are two levels of materiality to consider overall materiality and specic materiality, as described in the following exhibit.
Exhibit 21.1-1
Level of materiality Overall materiality (for the nancial report as a whole) Description Materiality for the nancial report as a whole (overall materiality) is based on the auditors professional judgement as to the highest amount of misstatement(s) that could be included in the nancial report without affecting the economic decisions taken by a nancial report user. If the amount of uncorrected misstatements, either individually or in the aggregate, is higher than the overall materiality established for the engagement, it would mean that the nancial report is materially misstated. Overall materiality is based on the common nancial information needs of the various users as a group. Consequently, the possible effect of misstatements on specic individual users, whose needs may vary widely, is not considered.
PART B
314
Specic materiality (materiality level or levels for particular classes of transactions, account balances or disclosures)
In some cases, there may be a need to identify misstatements of lesser amounts than overall materiality that would affect the economic decisions of nancial report users. This could relate to sensitive areas such as particular note disclosures (ie. management remuneration or industry-specic data), compliance with legislation or certain terms in a contract, or transactions upon which bonuses are based. It could also relate to the nature of a potential misstatement.
In addition to the size of a misstatement, the auditor would consider the nature of potential misstatements and the particular circumstances of their occurrence, when evaluating their effect on the nancial report. The circumstances related to some misstatements may cause the auditor to evaluate them as material even if they are below materiality. Examples could include illegal acts, non-compliance with loan covenants and non-compliance with statutory/regulatory reporting requirements. However, it is not considered practicable to design audit procedures to detect misstatements that could be material solely because of their nature.
Performance materiality is used by the auditor to reduce the risk to an appropriately low level that the accumulation of uncorrected and unidentied misstatements exceeds materiality for the nancial report as a whole (overall materiality) or materiality levels established for particular classes of transactions, account balances or disclosures (specic materiality). Performance materiality is set at a lower amount (or amounts) than overall or specic materiality. The objective is to perform more audit work than would be required by the overall or a specic materiality to: > Ensure that misstatements less than overall or specic materiality are detected, and > Provide a margin or buffer for possible undetected misstatements. This buffer is between detected but uncorrected misstatements in the aggregate and the overall or specic materiality. This margin provides some assurance for the auditor that undetected misstatements, along with all uncorrected misstatements, are not likely to accumulate to an amount that would cause the nancial report to be materially misstated. The determination of performance materiality is not a simple mechanical calculation. It involves the exercise of professional judgement based on the specic risk factors identied, the auditors understanding of the entity and any matters the auditor has identied in previous audit engagements.
Practical guidance
315
Consider point
Materiality considerations for smaller entities For smaller entities, the determination of materiality can be simplied so that only the minimum of two levels of materiality is used as required by ASA 320. These two levels are materiality for the nancial report as a whole and performance materiality, which is used for assessing the risks of material misstatement and determining the nature, timing and extent of audit procedures. This does not necessarily mean however that there will only be two materiality amounts determined for each audit of a smaller entity; a performance materiality amount may be determined for each different type of audit procedure the auditor conducts on classes of transactions, account balances or disclosures based on the risks of material misstatement and the auditors understanding of the entity.
Performance materiality is set in relation to overall materiality or specic materiality. For example, a specic performance materiality can be set at a lower amount than overall performance materiality for testing repairs and maintenance expenses if there is a higher risk of assets not being capitalised. Specic performance materiality may also be used to perform additional work in areas that may be sensitive due to the nature of potential misstatements and their occurrence rather than their monetary size.
21.2
How to determine materiality
The following paragraphs address the determination and use of overall and specic materiality.
Overall materiality
Overall materiality is based on the auditors perceptions of the needs of nancial report users. Auditors can assume the following about nancial report users.
Exhibit 21.2-1
Assumptions Financial report users > Have a reasonable knowledge of business and economic activities and accounting > Have a willingness to study the information in the nancial report with reasonable diligence > Understand that the nancial report is prepared, presented and audited to levels of materiality > Recognise the uncertainties inherent in the measurement of amounts based on the use of estimates, judgement and the consideration of future events > Make reasonable economic decisions on the basis of the information in the nancial report.
PART B
316
A percentage numerical threshold (or benchmark) is often used as a starting point in the determination. The nature of the benchmark and the percentage to be applied are based on professional judgement. For example, in an ownermanaged business where the owner takes much of the prot before tax in the form of remuneration, a benchmark such as prot before remuneration and tax may be more relevant. Consider point
To provide some consistency, accounting rms may want to establish some rm-wide guidelines on how materiality will be initially determined including the use of appropriate benchmarks. However, the actual benchmark to be used would be based on professional judgement in light of the particular circumstances of the entity. This also applies to the use of performance materiality which is essentially a tool used by the auditor to address to the risk of material misstatement by catching misstatements that fall below a certain threshold. When identifying an appropriate benchmark to use, the auditor would consider the matters outlined in the exhibit below and obtain an understanding of the views and expectations of management and those charged with governance.
Exhibit 21.2-2
Consider Choosing the right benchmark to use Users Determine who are the likely users of the nancial report. This would include the entitys owners (and other shareholders) and those charged with governance, nancial institutions, franchisors, major funders, employees, customers, creditors and government agencies and departments. Specic user expectations Identify any specic user expectations such as the following: > Measurement or disclosure of items such as related-party transactions, management remuneration and compliance with sensitive laws and regulations > Industry-specic disclosures such as exploration costs in a mining company and research costs in a high technology or pharmaceutical company > Major events or contingencies. This could include disclosure of events such as an acquisition, divestiture, restructuring or signicant legal proceedings against the entity > Existence of covenants in loan agreements, particularly those where the entity is close to breaching a covenant. If a small uncorrected error would mean that a covenant had been violated, this could have a signicant effect on the nancial report and could, at worst, affect the appropriateness of using the going concern assumption in preparing the nancial report.
Practical guidance
317
Consider Choosing the right benchmark to use (continued) Relevant nancial report elements What are the major elements of the nancial report that will be of interest to users (for example, assets, liabilities, equity, income and expenses)? Nature of the entity Consider the nature of the entity, where the entity ts in the life cycle (growing, mature, declining, etc.) and the industry and economic environment in which the entity operates. Adjustments required Are adjustments required to normalise the benchmark base? For example, income from continuing operations could be adjusted for: > Unusual or non-recurring revenue/expense items, and > Items such as a management bonus, which may be based on prots before the bonus or simply paid out to reduce income left in the company. The primary focus of users What information in the nancial report will attract the most attention by users? For example, users interested in: > Evaluating nancial performance will focus on prots, revenues or net assets, and > The resources utilised to achieve certain goals or ends will focus on the nature and extent of revenues and expenditures. Financing How is the entity nanced? If nanced solely by debt (rather than equity capital), users may put more emphasis on the pledged assets and any claims than on the entitys earnings. Volatility How volatile is the proposed benchmark? For example, a benchmark based on earnings might normally be appropriate, but if the entity is operating close to break even each period (such as small prots or losses) or their results uctuate widely, it may not be the appropriate base for determining materiality. Alternatives Is an alternative benchmark necessary to address special circumstances? Alternative benchmarks could include current assets, net working capital, total assets, total revenues, gross prot, total equity and cash ow from operations.
Where overall and specic materiality is set in relation to the needs of the nancial report users, performance materiality is set at a lower amount. This will result in more audit work being performed (smaller misstatements may be identied) and audit risk being reduced to an appropriately low level.
PART B
318
If the audit was planned solely to detect individually material misstatements, there would be no margin of error to identify and account for immaterial misstatements that might exist. As a result, it could be possible for the aggregate of individually immaterial misstatements to cause the nancial report to be materially misstated. Performance materiality is designed to: > Ensure that immaterial misstatements less than overall or specic materiality are detected, and > Provide a margin or buffer for possible undetected misstatements. This buffer is between detected but uncorrected misstatements in the aggregate and the overall or specic materiality. The determination of performance materiality would not be a simple mechanical calculation such as 80% of overall materiality. This simplication would ignore specic risk factors that may be relevant to the entity. For example, if there was a high risk of errors in inventory pricing, performance materiality could be lowered so that additional work is performed to identify the extent of misstatements. Conversely, if the risk of misstatement in the receivables balance is assessed as low, the performance materiality could be raised, resulting in less substantive audit work on the balance. Performance materiality requires the auditor to exercise professional judgement and is affected by: > The auditors understanding of the entity, which is updated during the execution of the risk assessment procedures, and > The nature and extent of misstatements identied in previous audits.
Practical guidance
319
Consider point
Do not reduce the overall materiality level based on high audit risks Avoid the mistake of reducing the overall (nancial report) materiality level because of an audit risk assessed as high. Overall materiality is based on users information needs, not on how risky a particular balance might be to audit. Lowering the overall materiality threshold implies that: > The decision of a nancial report user is affected by audit risk rather than the information contained in the nancial report, and > Additional work will be performed by the auditor to ensure that no misstatements exist in the nancial report that individually or accumulated together exceed the overall materiality threshold. A better approach is to address audit risk by setting the performance materiality at the class of transaction or account balance level at a lower level. This will ensure that sufcient work is performed to detect any misstatements without having to reduce the overall materiality level. It also creates a safety buffer to cover unidentied misstatements in the work performed. Establish overall materiality level by reference to nancial report users and then establish performance materiality for the purpose of designing further audit procedures. Sensitive nancial report disclosures, balances and issues PART B Use a specic performance materiality for designing further audit procedures that address specic risks and balances in sensitive audit areas.
Summary
The materiality levels and use of performance materiality are summarised in the exhibit below.
Exhibit 21.1-2
Overall Purpose To establish the threshold for determining whether the nancial report is free from material misstatement, whether due to error or fraud. Specic To establish a threshold(s) (lower than overall materiality) to be applied to particular classes of transactions, account balances or disclosures where misstatements of lesser amounts than overall materiality for the nancial report could reasonably be expected to inuence the economic decisions of users. Performance To establish the threshold(s) (lower than overall or specic materiality) that ensures immaterial misstatements (less than overall or specic materiality) are identied and provide the auditor with a safety margin
320
Overall Basis of calculation What level of misstatement in the nancial report would be tolerable to users (ie. would not affect the economic decisions made by a nancial report user)?
Specic What level of misstatement relating to special circumstances in a particular class of transactions, account balances or disclosures could reasonably be expected to inuence the economic decisions of users? Establish a lower, specic materiality amount (based on professional judgement) for the audit of specic or sensitive nancial report areas.
Performance What amount of audit work will be required to: > Identify misstatements below overall or specic materiality? And > Leave a buffer for undetected misstatements? No specic guidance is provided in the ASA. Percentages range from 60% (of overall or specic materiality) where there is a higher risk of material misstatement, up to 85% where the assessed risk of material misstatement is less.
Rules of thumb
Materiality is a matter of professional judgement rather than a mechanical exercise. As a result, no specic guidance is provided in the ASA. However, in accordance with AASB 1031 Materiality, quantitative thresholds may be used as guidance for determining materiality. An amount equal to or greater than 10% of the appropriate base amount may be presumed to be material unless there is evidence or convincing argument to the contrary; and an amount equal to or less than 5% of the appropriate base amount may be presumed not to be material unless there is evidence, or convincing argument, to the contrary. As not-for-prot entities are primarily concerned with the achievement of objectives quantitative percentages may not be appropriate. In these cases the qualitative considerations of failing to meet these objectives may be more appropriate.
Practical guidance
321
Overall Use in the audit Determining whether uncorrected misstatements, individually or in aggregate, exceed overall materiality. > A change in circumstances that occurred during the audit such as the sale of part of the business > New information, or > A change in the auditors understanding of the entity and its operations, as a result of performing further audit procedures. For example; actual operating results being very different from expected.
Specic Determining whether uncorrected misstatements, individually or in aggregate, exceed the specic materiality. A change in the special circumstances.
Performance > Assessing the risks of material misstatement, and > Designing further audit procedures to respond to assessed risks. > Changes in assessed risks > Nature and extent of misstatements found when performing further audit procedures, or > Change in understanding of the entity.
Revision as audit progresses
21.3
Materiality in planning and risk assessment
Determining the various materiality levels is a key component of the planning process. This is not a discrete phase of an audit, but rather a continual and iterative process.
Exhibit 21.3-1
Materiality Planning (overall strategy and audit plans) Use materiality to: > Determine which nancial report areas require auditing > Set the context for the overall audit strategy > Plan the nature, timing and extent of specic audit procedures > Determine specic materiality for particular classes of transactions, account balances or disclosures where misstatements at lesser amounts than overall or performance materiality could reasonably be expected to inuence the economic decisions of users
PART B
322
Materiality Planning (overall strategy and audit plans) (continued) > Determine performance materiality for each specic materiality level as it may be necessary for the auditor to work using a performance materiality level for a particular class of transactions, account balance or disclosure, depending on the level of risk associated with that item > Evaluate later evidence to determine the need for any adjustment to any of the materiality levels. If so, the auditor would revise the nature, timing and extent of procedures accordingly. Risk assessment procedures > Identify what risk assessment procedures are necessary > Provide a context when evaluating the information obtained > Assess the magnitude (impact) of the risks identied > Assess results of risk assessment procedures. Team meetings > Ensure team members understand the identied users and what could reasonably be expected to change their economic decisions. This may help in the event a team member becomes aware of information during the audit that would have caused a different amount of materiality to be determined initially. Examples of such matters include: A decision to dispose of a major part of the entitys business New information or risk factors that would have affected the initial determination of materiality Change in the auditors understanding of the entity and its operations as a result of performing further audit procedures, such as when actual nancial results are substantially different from anticipated results > Establish overall audit strategy > Determine the extent of testing in relation to: Performance materiality Specic performance materiality > Identify critical audit issues and areas for signicant audit focus.
Consider point
The determination of overall performance and specic performance materiality levels requires the use of professional judgement. It is suggested (but not required) that teams discuss the judgements applied in determining materiality levels with the engagement partner and obtain their approval. Finally, record the judgements used in determining materiality in sufcient detail in the audit working papers.
Practical guidance
323
21.4
Materiality in performing audit procedures
Auditors should consider materiality when determining the nature, timing and extent of audit procedures.
Exhibit 21.4-1
Materiality Performing audit procedures Use materiality to: > Identify what further audit procedures are necessary > Determine which items to select for testing and whether to use sampling techniques > Assist with determining sample sizes (For example, sampling interval = precision (materiality) condence factor) > Evaluate representative sampling errors by extrapolating across population for likely misstatements > Evaluate the aggregate of total errors at the account level up to the nancial report level > Evaluate the aggregate of total errors including the net effect of uncorrected misstatements in opening retained earnings > Assess results of procedures.
> The nature of identied misstatements and the circumstances of their occurrence indicate that other misstatements may exist that, when aggregated with misstatements accumulated during the audit, could be material, or > The aggregate of misstatements accumulated during the audit approaches materiality. Consider point
Overall materiality is unlikely to change very often. However, it may need to be revised as the auditor becomes aware of new information or there is a change in the auditors understanding of the entity and its operations. If a change is required, ensure the audit team is informed of the impact on the audit plan. Performance materiality may change based on new risk factors or new audit ndings that may not impact overall materiality. Changes in performance materiality will result in the modication of the nature, timing and extent of audit procedures. Of course, if overall materiality changes, a corresponding change will likely be required in performance materiality.
PART B
Note: The overall audit strategy and audit plan will need to be revised where:
324
21.5
450.11
Materiality in reporting
Relevant extracts from ASAs The auditor shall determine whether uncorrected misstatements are material, individually or in aggregate. In making this determination, the auditor shall consider: (a) The size and nature of the misstatements, both in relation to particular classes of transactions, account balances or disclosures and the nancial report as a whole, and the particular circumstances of their occurrence; and (Ref: Para. A13-A17, A19-A20) (b) The effect of uncorrected misstatements related to prior periods on the relevant classes of transactions, account balances or disclosures and the nancial report as a whole. (Ref: Para. A18)
Paragraph #
450.12
The auditor shall communicate with those charged with governance uncorrected misstatements and the effect that they, individually or in aggregate, may have on the opinion in the auditors report, unless prohibited by law or regulation. The auditors communication shall identify material uncorrected misstatements individually. The auditor shall request that uncorrected misstatements be corrected. (Ref: Para. A21-A23)
Refer to Part B, Chapter 36 for more information on evaluating misstatements. Prior to issuing an opinion, the auditor would: > Conrm the materiality established for the nancial report as a whole > Evaluate the nature and the aggregate of uncorrected misstatements that are identied > Make an overall assessment as to whether the nancial report is materially misstated.
Exhibit 21.5-1
Materiality Reporting The auditor would use materiality to: > Evaluate the aggregate of total errors at the account level up to the nancial report level > Evaluate the aggregate of total errors, including the net effect of uncorrected misstatements, in opening retained earnings > Determine whether additional audit procedures should be performed when the aggregate misstatements are approaching overall or specic materiality > Request that management correct all identied misstatements > Consider rechecking areas of highest misstatement > Make judgements about the nature and sensitivity of the misstatements identied as well as their size > Determine whether the auditors report needs to be modied due to uncorrected material misstatements.
Practical guidance
325
The aggregate of misstatements is made up of: > Specic misstatements identied by the auditor as a result of their audit testing, and > An estimate of other misstatements identied that cannot otherwise be specically quantied. The auditor would then request management to record all the identied misstatements. > Refer to Part B, Chapter 36 for additional information on evaluating audit evidence obtained.
21.6
Other considerations
Other considerations include: > Communicating to management and those charged with governance > Updating materiality, and > Reducing materiality level from previous period.
Management and those charged with governance need to understand the limitations concerning the degree of precision that can be expected from an audit. They also need to be aware that it is not economically feasible to design audit procedures that will provide absolute assurance that the nancial report is not materially misstated. An audit can provide only reasonable assurance in this regard. When misstatements are identied by the auditor during the course of the audit, the rst step is to request from management that all the uncorrected misstatements be corrected. If management decides not to correct certain misstatements the auditor is then required to communicate with those charged with governance the following: > Details of uncorrected misstatements and the effect that they, individually or in aggregate, may have on the opinion in the auditors report > Material uncorrected misstatements individually, and > The effect of uncorrected misstatements related to prior periods on the relevant classes of transactions, account balances or disclosures and the nancial report as a whole.
PART B
Communicating with management and those charged with governance
326
Updating materiality
The preliminary assessment of overall and performance materiality may change from the initial audit planning to the time of evaluating the results of the audit procedures. This could result from a change in circumstances or from a change in the auditors knowledge as a result of performing audit procedures. For example, if audit procedures are performed prior to the period end, the auditor will anticipate the results of operations and the nancial position. If the actual results of operations and nancial position are substantially different, the assessments of materiality and audit risk may also change.
Reducing materiality level from previous period

When circumstances change from one period to the next, the auditor should consider the effect of any misstatement on the opening equity. For example, where sales and income are substantially less than the previous periods, a lower materiality is required. Errors could exist in opening gures as the audit was previously conducted using a higher materiality level. To reduce the risk of a material error occurring in the opening equity, the auditor may perform further audit procedures on the opening asset and liability balances. Consider point
New engagements When accepting a new audit engagement, enquire about the overall materiality used by the previous auditor. If available, this would help in determining whether further audit procedures may be required on the opening asset and liability balances. Use of management experts Ensure that any experts employed by the entity (to assist the entity in preparing the nancial report) or used by the audit team are instructed to use an appropriate materiality level in relation to the work they perform.
21.7
Documentation
Document the determination of the following and the factors considered in their determination: > Overall materiality > Where applicable, the specic materiality level(s) for particular classes of transactions, account balances or disclosures > Performance materiality, and > Any revision of the above factors as the audit progresses. See toolkit item 420: Materiality.
Practical guidance
327
21.8
Case studies determining and using materiality
For details of the case studies, refer to Part B, Chapter 17 Introduction to the case studies. Materiality is often documented on a worksheet that includes a summary of operating results and provides space for other materiality considerations such as qualitative factors.

ONeal Furniture (Excerpt) Materiality assessment The main users of the nancial report are the bank and the shareholders. The materiality gure used in last period was $8,000. See W/P Ref. # for possible materiality amounts based on prot before tax, as well as revenue. Using our professional judgement we decided to base our materiality on 5% of the prot before tax after adding back the management bonus of $70,000. Other bases for materiality such as revenues were also considered but it was felt that prot before tax was the most meaningful amount in relation to the identied nancial report users.
Using professional judgement, and the types of misstatements identied in previous audits, overall performance materiality has been set at $7,500. A specic materiality for the local sales taxes paid has been set at $1,000 as we are required to audit and report on this amount to the local government. Also see W/P 615 on quantitative analysis Prepared by: JF Reviewed by: LF [Date] [Date]
PART B
For this period, the plan is to use $10,000 as the overall materiality. The concept of materiality and its use in the audit has been discussed in general terms with the client.
328

Kane & Co. (Excerpt) Materiality assessment The main users of the nancial report are the bank and the owners. The materiality number used in the last period was $3,000. Based on consideration of user needs, we decided to base materiality at approximately 1% of revenue. In our judgement, revenue provides a more stable base for materiality than prot before tax. For this period, we plan to use $2,500 as the overall materiality. The concept of materiality and its use in the audit has been discussed in general terms with the client. Using professional judgement, which is largely based on the history of errors in previous periods, overall performance materiality has been set at $1,800. Other matters See W/P 615 for.. Prepared by: JF Reviewed by: LF [Date] [Date]
Practical guidance
329
22.
Audit team discussions

Relevant ASAs
Chapter content Purpose and nature of required discussions among the audit team about the susceptibility of the entitys nancial report to material misstatements.
240, 300, 315
Exhibit 22.0-1
Activity
Risk assessment
Purpose
Documentation1
Plan the audit
Paragraph # 315.10
Relevant extracts from ASAs The engagement partner and other key engagement team members shall discuss the susceptibility of the entitys nancial report to material misstatement, and the application of the applicable nancial reporting framework to the entitys facts and circumstances. The engagement partner shall determine which matters are to be communicated to engagement team members not involved in the discussion. (Ref: Para. A14-16) ASA 315 requires a discussion among the engagement team members and a determination by the engagement partner of which matters are to be communicated to those team members not involved in the discussion. This discussion shall place particular emphasis on how and where the entitys nancial report may be susceptible to material misstatement due to fraud, including how fraud might occur. The discussion shall occur setting aside beliefs that the engagement team members may have that management and those charged with governance are honest and have integrity. (Ref: Para. A10-A11)
240.15
PART B
330
Paragraph # 240.44
Relevant extracts from ASAs The auditor shall include the following in the audit documentation of the auditors understanding of the entity and its environment and the assessment of the risks of material misstatement required by ASA 315: (a) The signicant decisions reached during the discussion among the engagement team regarding the susceptibility of the entitys nancial report to material misstatement due to fraud; and (b) The identied and assessed risks of material misstatement due to fraud at the nancial report level and at the assertion level.
22.1
Overview
A critical element in the success of any audit engagement is good communication among the audit team members. Communication starts with the assignment of team members, arranging the team meeting to plan the engagement and then continues throughout the engagement. The benets of good communication include those set out in the following exhibit. See toolkit item 425: Worksheet: Team planning discussions.
Exhibit 22.1-1
Benets Need for ongoing communication among the audit team members Audit productivity > Each person on the team will understand the entity being audited, the nancial reporting framework to be used, what their specic role will be in the audit and the expectations about how and when work will be performed > Potential for over and under auditing will be signicantly reduced. Audit effectiveness > Staff is provided insights into the client and audit expectations directly from senior personnel, such as the engagement partner > Team discussions on the susceptibility of the nancial report to material misstatements will help determine the business and fraud risks that need to be addressed > Better decisions will be made about the nature, timing and extent of risk assessment and further audit procedures > Open lines of communication enable quick reactions to new information in areas such as unusual transactions/events, related parties and reporting issues. Staff development > Best practices in auditing will be transferred from partners to staff > Staff will be encouraged to ask questions and reconsider the effectiveness of the previous periods responses to assessed risks.
Practical guidance
331
Effective ongoing communication requires: > Involvement by (and undivided attention of) the engagement partner and senior personnel, and > Willingness of senior personnel to listen to junior staff. This includes understanding the engagement from the perspective of junior staff, encouraging their questions and suggestions and then providing feedback.
Exhibit 22.1-2
Audit team communications

Assigning team members and roles
Consider: > Skills and experience > Need for experts > Need for engagement quality control reviewer.
Team planning meeting

Discuss: > Materiality > Insights based on knowledge of entity > Potential business and fraud risks > How/where the financial report might be susceptible to material misstatement > Audit plan including who, what, where and when > Supervision and review.
During and after the audit

Discuss: > Audit results, progress and issues identified > Changes in audit plan > New information > Unusual events/ transactions > Suggestions for next periods audit.
Consider point
Audit team discussions are critical to an effective audit. Avoid the temptation to rush through the agenda due to other time pressures. These discussions enable audit risks to be discussed, fraud scenarios to be developed and possible responses developed. It also provides an opportunity for staff to learn about the entitys business and what is expected from them on the audit. Staff can also be encouraged to put forward their ideas on how the audit could be improved.
22.2
Audit team planning meeting
On larger engagements, a planning meeting should be scheduled well in advance of the commencement of eldwork. This will provide the time necessary to prepare or make changes in the detailed audit plan. On very small engagements, planning may best be achieved through brief discussions at the start of the engagement and as the audit progresses.
PART B
332
Team members should be encouraged to come to the meeting with a questioning mind and be prepared to participate and share information with an attitude of professional scepticism. They should set aside any beliefs that management and those charged with governance are honest and have integrity. The extent of the discussion should be inuenced by the roles, experience and the information needs of the audit engagement team members. The three key areas to address are outlined in the exhibit below.
Exhibit 22.2-1
Key areas to address Share insights on the entity such as the people, operations and objectives Purpose: to have an open discussion The entity > History and business objectives > The corporate culture > Changes in operations, personnel or systems > Application of the applicable nancial reporting framework to the entitys facts and circumstances. Management > The nature/structure of the entity and management > The attitude toward internal control > Incentives to commit fraud > Unexplained changes in the behaviour or lifestyle of key employees > Any indications of management bias. Known risk factors > Experience from previous audit engagements > Signicant business risk factors > Opportunity for fraud to be perpetrated.
Practical guidance
333
Key areas to address Brainstorm
Purpose: to brainstorm ideas and possible audit approaches Potential for errors and fraud > Which nancial report areas may be susceptible to material misstatement (fraud and error)? This step is a requirement on all audits > How could management perpetrate and conceal fraudulent nancial reporting? It may be helpful to develop various fraud scenarios or, where possible, use the services of a forensic accountant. Consider journal entries, management bias in estimates/provisions, changes in accounting policies, etc. > How could assets be misappropriated or misused for personal purposes? > Are there non-selsh incentives (such as to maintain a funding source for a not-for-prot entity) to manipulate the nancial report? Response to risks > What possible audit procedures/approaches might be considered to respond to the risks identied above? > Consider whether an element of unpredictability will be incorporated into the nature, timing and extent of the audit procedures to be performed.
Key areas to address Audit planning
Purpose: to provide direction Specic areas to address Ensure that the specic requirements of all ASAs relevant to the audit are appropriately addressed in the audit plan. ASAs that include specic procedures to be performed include: ASA 240 ASA 402 ASA 540 ASA 550 The Auditors Responsibilities Relating to Fraud in an Audit of a Financial Report Audit Considerations Relating to an Entity Using a Service Organisation Auditing Accounting Estimates, Including Fair Value Accounting Estimates, and Related Disclosures Related Parties
Provide direction to the audit team > Determine materiality levels > Assign roles and responsibilities > Provide staff with an overview of the audit sections they are responsible for completing. Address the approach required, special considerations, timing, documentation required, the extent of supervision provided, le review and any other expectations > Stress the importance of maintaining professional scepticism throughout the audit.
PART B
334
Note: If some (junior) members of the audit team are not able (or are not invited) to attend the meeting, the engagement partner would determine which matters arising are to be communicated to them. Consider point
Emphasise the importance for staff to be alert for indications of dishonesty, but also to be careful not to jump to any conclusions, particularly when discussing ndings with the entitys management or staff. Indicate possible circumstances (red ags) that, if encountered, might indicate the possibility of fraud. Fraud is generally discovered by identifying patterns, exceptions and oddities in transactions and events. For example, a false claim in an expense account would be immaterial to the nancial report by itself but could be indicative of a much larger issue, such as lack of management integrity.
22.3
Communication during and at completion of the audit
Each member of the audit team will have a slightly different perspective on the entity. Some of the information gathered by a particular team member may not even make sense unless it is combined with information obtained by other team members. This is particularly true in relation to fraud, where it is the identication of small patterns, oddities and exceptions that may lead to its ultimate detection. A simple analogy is the jigsaw puzzle. Each part by itself does not enable a person to see the entire picture. It is only when all the pieces are put together that the big picture can be seen. The same is true in auditing. It is only when the individual knowledge/ndings of each auditor are shared with the team that the bigger picture emerges.
Practical guidance
335
Exhibit 22.3-1
Sharing ndings
Partner Senior
Junior Manager
Team discussions need not be conned to just the planning meeting. Audit team members should be encouraged to communicate and share the information that they obtain throughout the audit on any matters of relevance, particularly when it affects the assessment of risk and planned audit procedures.
PART B
336
Consider point
Hold short debrieng meetings at strategic times during the audit In addition to the audit planning discussions at the start of the engagement, it may be benecial (but not required) for the audit team (however small) to meet (or arrange a conference call) and discuss audit ndings after the following audit phases. Performing risk assessment procedures and further audit procedures These debrieng sessions do not need to be formal or long and enable audit team members to report verbally on their ndings, exceptions found and concerns noted. They can also report on any matters (however small) that seemed odd or did not make sense. It is often the small matters that, when combined with information obtained by other team members, point to a possible risk factor (such as fraud) that may require further work to be performed. Even when the audit team comprises only two people, these meetings can yield signicant results. Completing the audit Once the previous audit is complete, the temptation is always to move on and start the next engagement. As a result, a lot of knowledge that could be helpful for performing next periods audit can get lost. A short meeting or conference call after each audit could be used to obtain feedback from the audit team and determine what can be improved. This would include identifying: > Audit areas that might require additional or less attention in the future > Any other unexpected ndings, unusual transactions or nancial pressures on personnel that may be an indicator of fraud or an incentive to commit fraud > Any planned changes that will affect future engagements, such as key personnel changes, new nancing, an acquisition, new products or services, the installation of a new accounting system or other internal control changes > Areas where additional assistance could be provided by the entity such as an analysis of certain nancial report areas, and > Where signicant risk factors exist, the debrieng meeting could also address whether the rm wishes to continue with the client the following period. If the rm resigns right after the audit nishes, the reasons will be fresh in everyones mind and it would provide the entity with more time to nd another auditor. At the initial planning meeting, a time and date for these debrieng sessions can be scheduled.
Practical guidance
337
22.4
Case studies audit team discussions
For details of the case studies, refer to Part B, Chapter 17 Introduction to the case studies. The most recent nancial report, the listing of assessed risks from previous periods (or this period, if updated) and the audit response could usefully be circulated to engagement team members before the meeting. At the meeting, emphasise the need for professional scepticism and the need to immediately report any suspicious situations or possible warning signals of fraud. Documentation may be in the form of a standard agenda or a memo to le.

[Date of meeting] Agenda item 1. Materiality and signicant account balances. 2. Timing, key dates and availability of client personnel. Minutes of meeting Increase overall materiality to $10,000 based on growth in protability and sales, and performance materiality to $7500. Conrmed that last periods timing is appropriate and our requests for management help in preparing certain schedules are reasonable. Inventory internal control was poor last year and resulted in additional work. Client has indicated that this will be addressed before this period end. See newspaper clipping re: Paula. This may be isolated but we need to be cautious. Internet sales now account for 12% of sales. There are also plans for signicant growth. This will put a strain on cash resources, internal control and the operating systems. The current economic downturn puts additional pressure on the organisation to maintain sales levels despite the drop in demand and sales prices. Management bias and override to avoid tax liability are possible. Managements estimates, journal entries and related-party transactions are susceptible to manipulation. Also, Alan (the senior salesperson) lives an expensive lifestyle. We should also look at the bonus calculations and the sales revenue.
3. What can we learn from past experience such as issues/events that caused delays and areas of over/under auditing? 4. Any new concerns about management integrity, going concern, litigation etc.? 5. Changes this period in business operations and/or nancial condition, industry regulations, accounting policies used and people.
6. Susceptibility of the nancial report to fraud. In what possible ways could the entity be defrauded? Develop some possible scenarios and then plan procedures that would conrm or dispel any suspicions.
PART B
338
Agenda item 7. Signicant risks that require special attention. 8. Appropriate audit responses to the risks identied. 9. Consider the need for specialised skills or consultants, testing internal controls versus substantive procedures, the need to introduce unpredictability in some audit tests and work that could be completed by the client. 10.Audit team roles, scheduling and le reviews. Prepared by: FJ Reviewed by: LF [Date] [Date]
Minutes of meeting Defaulting on bank covenants. Sam says he is going to renegotiate the bank terms this period to provide some exibility. The detailed audit plan was reviewed in some detail with the staff member responsible and a number of efciencies were identied. IT specialist to look at internet sales and IT controls in general. Scheduled visit for July this period.
Overall and detailed audit plans have been updated.

Memo to le: Kane & Co. On [date] the audit team (partner and senior) met to plan the Kane & Co. audit engagement. We discussed the following: > Overall materiality has been decreased to $2500 based on decline in protability and sales. Performance materiality has been set at $1800 > Roberts focus has been diverted recently to personal family matters. The bookkeepers work may not be adequately reviewed. That leaves Ruby with a lot of control over the reported numbers. Any unintentional or intentional errors of Rubys could go undetected. This should be treated as a signicant fraud risk in the audit > Management bias and override could occur to avoid tax liability or bank covenant violations. Managements estimates have traditionally been conservative. The audit team was reminded to be alert for anything that appears unusual > We will pay careful attention to transactions and pricing of products with the related party, ONeal Furniture. Audit plan > Conrmed that last periods timing is appropriate and we will again request managements help in preparing certain schedules. However, since Kane & Co. had a difcult time getting the requested schedules for us on time last period, we will spend time this period with Ruby in advance and provide her with example schedules to ensure she understands what is needed and the required due dates > The detailed audit plan was reviewed in some detail. Procedures in some areas were expanded based on the assessed risk and a number of other procedures were eliminated where the assessed risk was low
Practical guidance
339
> We decided that it will be more efcient to perform substantive procedures than to perform tests of controls as there are no assertions where substantive procedures alone would not provide sufcient appropriate audit evidence. Prepared by: FJ Reviewed by: LF [Date] [Date]
PART B
340
23.
Inherent risks identication

Relevant ASAs
Chapter content How to identify risks of material misstatement in the nancial report.
240, 315
Exhibit 23.0-1
Activity
Purpose
Documentation 1
Listing of risk factors Independence engagement letter
Risk assessment
Plan the audit
Paragraph # 240.10
ASA objective(s) The objectives of the auditor are: (a) To identify and assess the risks of material misstatement of the nancial report due to fraud; (b) To obtain sufcient appropriate audit evidence regarding the assessed risks of material misstatement due to fraud through designing and implementing appropriate responses; and (c) To respond appropriately to fraud or suspected fraud identied during the audit.
315.3
The objective of the auditor is to identify and assess the risks of material misstatement, whether due to fraud or error, at the nancial report and assertion levels, through understanding the entity and its environment, including the entitys internal control, thereby providing a basis for designing and implementing responses to the assessed risks of material misstatement.
Practical guidance
341
Paragraph # 200.13
Relevant extracts from ASAs For the purposes of the Australian Auditing Standards, the following terms have the meanings attributed below: (n) Risk of material misstatement means the risk that the nancial report is materially misstated prior to audit. This consists of two components, described as follows at the assertion level: (i) Inherent risk means the susceptibility of an assertion about a class of transaction, account balance or disclosure to a misstatement that could be material, either individually or when aggregated with other misstatements, before consideration of any related controls. Control risk means the risk that a misstatement that could occur in an assertion about a class of transaction, account balance or disclosure and that could be material, either individually or when aggregated with other misstatements, will not be prevented, or detected and corrected, on a timely basis by the entitys internal control.
(ii)
240.11
For the purposes of the Australian Auditing Standards, the following terms have the meanings attributed below: (a) Fraud means an intentional act by one or more individuals among management, those charged with governance, employees, or third parties, involving the use of deception to obtain an unjust or illegal advantage. (b) Fraud risk factors means events or conditions that indicate an incentive or pressure to commit fraud or provide an opportunity to commit fraud.
240.12
In accordance with ASA 200, the auditor shall maintain professional scepticism throughout the audit, recognising the possibility that a material misstatement due to fraud could exist, notwithstanding the auditors past experience of the honesty and integrity of the entitys management and those charged with governance. (Ref: Para. A7- A8) Unless the auditor has reason to believe the contrary, the auditor may accept records and documents as genuine. If conditions identied during the audit cause the auditor to believe that a document may not be authentic or that terms in a document have been modied but not disclosed to the auditor, the auditor shall investigate further. (Ref: Para. A9) Where responses to enquiries of management or those charged with governance are inconsistent, the auditor shall investigate the inconsistencies. ASA 315 requires a discussion among the engagement team members and a determination by the engagement partner of which matters are to be communicated to those team members not involved in the discussion. This discussion shall place particular emphasis on how and where the entitys nancial report may be susceptible to material misstatement due to fraud, including how fraud might occur. The discussion shall occur setting aside beliefs that the engagement team members may have that management and those charged with governance are honest and have integrity. (Ref: Para. A10-A11)
240.13
240.14 240.15
PART B
342
Paragraph # 240.17
Relevant extracts from ASAs The auditor shall make enquiries of management regarding: (a) Managements assessment of the risk that the nancial report may be materially misstated due to fraud, including the nature, extent and frequency of such assessments; (Ref: Para. A12-A13) (b) Managements process for identifying and responding to the risks of fraud in the entity, including any specic risks of fraud that management has identied or that have been brought to its attention, or classes of transactions, account balances, or disclosures for which a risk of fraud is likely to exist; (Ref: Para. A14) (c) Managements communication, if any, to those charged with governance regarding its processes for identifying and responding to the risks of fraud in the entity; and (d) Managements communication, if any, to employees regarding its views on business practices and ethical behaviour.
240.18
The auditor shall make enquiries of management, and others within the entity as appropriate, to determine whether they have knowledge of any actual, suspected or alleged fraud affecting the entity. (Ref: Para. A15-A17) The auditor shall evaluate whether unusual or unexpected relationships that have been identied in performing analytical procedures, including those related to revenue accounts, may indicate risks of material misstatement due to fraud. The auditor shall consider whether other information obtained by the auditor indicates risks of material misstatement due to fraud. (Ref: Para. A22) The auditor shall evaluate whether the information obtained from the other risk assessment procedures and related activities performed indicate that one or more fraud risk factors are present. While fraud risk factors may not necessarily indicate the existence of fraud, they have often been present in circumstances where frauds have occurred and therefore may indicate risks of material misstatement due to fraud. (Ref: Para. A23-A27) The auditor shall include the following in the audit documentation of the auditors understanding of the entity and its environment and the assessment of the risks of material misstatement required by ASA 315: (a) The signicant decisions reached during the discussion among the engagement team regarding the susceptibility of the entitys nancial report to material misstatement due to fraud; and (b) The identied and assessed risks of material misstatement due to fraud at the nancial report level and at the assertion level.
240.22
240.23 240.24
240.44
Practical guidance
343
Paragraph # 315.11
Relevant extracts from ASAs The auditor shall obtain an understanding of the following: (a) Relevant industry, regulatory and other external factors, including the applicable nancial reporting framework. (Ref: Para. A17-A22) (b) The nature of the entity, including: (i) (ii) Its operations; Its ownership and governance structures;
(iii) The types of investments that the entity is making and plans to make, including investments in special-purpose entities; and (iv) The way that the entity is structured and how it is nanced to enable the auditor to understand the classes of transactions, account balances, and disclosures to be expected in the nancial report. (Ref: Para. A23-A27) (c) The entitys selection and application of accounting policies, including the reasons for changes thereto. The auditor shall evaluate whether the entitys accounting policies are appropriate for its business and consistent with the applicable nancial reporting framework and accounting policies used in the relevant industry. (Ref: Para. A28) (d) The entitys objectives and strategies, and those related business risks that may result in risks of material misstatement. (Ref: Para. A29-A35)
23.1
Overview
Identication of risk is the foundation of the audit. It is based upon and forms an integral part of the auditors procedures to understand the entity and its environment. Without a solid understanding of the entity, the auditor may miss certain risk factors. For example, if a clients sales were increasing, it would be important for the auditor to know that the industry sales as a whole were actually in sharp decline. The objective of the risk assessment phase of the audit is to identify sources of risk and then to assess whether they could possibly result in a material misstatement in the nancial report. This provides the auditor with the information needed to direct audit effort to areas where the risk of material misstatement is the highest and away from less risky areas. Risk assessment has two distinct parts: > Risk identication (asking what can go wrong), and > Risk assessment (determining the signicance of each risk).
PART B
(e) The measurement and review of the entitys nancial performance. (Ref: Para. A36-A41)
344
Risk assessment is addressed in Part B, Chapter 24. Risk identication is illustrated below.
Exhibit 23.1-1
Risk identification
What could go wrong and result in a misstatement in the financial report?

Entity objectives, external factors, nature of entity, accounting policies, performance measures and internal control
List the business and fraud risk factors identified (1-5)
Consider point
First identify the risks You cannot assess a risk that has not rst been identied. Avoid the temptation to assume that because the entity is small, there are no relevant risks or that the risks of material misstatement will be the same as the previous period. New risks may now exist and the nature/signicance of some previously identied risks may have changed. After the rst engagement, focus on what has changed from previous period After the rst engagement, focus on what has changed within each of the six risk sources (ie. external nature of entity, etc.) as opposed to starting all over again. This will save time and focuses attention on the nature and effect of new risks that may now exist and revisions to risks previously identied.
23.2
Types of risk
There are two major classications of risk: > Business risk, and > Fraud risk. The difference between business risk and fraud risk is that fraud risk results from a persons deliberate actions. Note: In many instances a risk can be both a business and a fraud risk. For example, the introduction of a new accounting system creates uncertainty
Practical guidance
345
(errors could be made as personnel learn the new system) and would be classied as a business risk. However it could also be classied as a fraud risk because someone could take advantage of the uncertainty to misappropriate assets or manipulate the nancial report.
Exhibit 23.2-1
Low risk
Business risk
Moderate risk
High risk
Risks of material misstatement exist
Fraud risk
Risks of material misstatement exists that are intentional
Low
Risk exposure
High
Business risk
The term business risk encompasses more than just the risks of material misstatement in the nancial report. Business risks result from signicant conditions, events, circumstances, actions or inactions that could adversely affect the entitys ability to achieve its objectives and execute its strategies. This could also include the setting of inappropriate objectives and strategies. Business risk also includes events that arise from change, complexity or the failure to recognise the need for change. Change may arise, for example, from: > The development of new products that may fail > An inadequate market, even if new products are successfully developed, or > Flaws in the products that may result in liabilities and damage to the entitys reputation.
Fraud risk
Fraud risk relates to events or conditions that indicate an incentive or pressure to commit fraud or provide an opportunity to commit fraud. The auditors understanding of business and fraud risk factors increases the likelihood of identifying the risks of material misstatement. However, there is no responsibility for the auditor to identify or assess all of the possible business risks.
PART B
346
23.3
Sources of information about an entity
The rst step in the risk assessment process is to gather (or update) as much relevant information about the entity as possible. This information provides an important frame of reference for identifying and assessing possible risk factors. Information about the entity and its environment can be obtained from both internal and external sources. In many cases, the auditor will start with internal sources of information. This information can then be checked for consistency with information obtained from external sources such as trade association data and data about general economic conditions, which can often be obtained from the internet. The following exhibit shows some of the potential sources of information available.
Exhibit 23.3-1
Internal sources Financial information Financial report Budgets Reports Performance measures Tax returns Accounting policies in use Judgements and estimates External sources Information on the internet Industry information Competitive intelligence Credit rating agencies Creditors Government agencies Media and other external parties
Non-financial information
Vision, values, objectives and strategies Organisation structure Job descriptions Human resources files Performance indicators Policy and procedure manuals
Information on the internet Trade association data Industry forecasts Government agencies Media articles
Practical guidance
347
Consider point
A major source of information that is often overlooked is the auditors working paper les from previous periods engagements. They often contain valuable information on matters such as: > Considerations or issues to address in planning this periods audit > Evaluation and source of possible adjustments and uncorrected errors > Areas where there are recurring disagreements such as the assumptions used for accounting estimates > Areas which appear to be susceptible to error, and > Matters raised in the auditors communication with management and those charged with governance. The information gained from risk assessment procedures conducted before engagement acceptance or continuance can be used as part of the audit teams understanding of the entity.
23.4
The scope of the understanding required by the auditor for identifying risks is contained in six key areas, as follows.
Exhibit 23.4-1
A. External factors > Nature of industry > Regulatory environment > Financial reporting framework. B. Nature of entity > Operations and key personnel > Ownership and governance > Investment, structure and nancing. C. Accounting policies > Selection and application > Reasons for changes > Appropriateness to entity. D. Entity objectives and strategies > Business plans and strategies > Financial implications and risks undertaken.
PART B
Based on the information obtained about the entity, the auditor is now in a position to design the risk assessment procedures discussed in Part A, Chapter 6. These risk assessment procedures will be designed to obtain and document an understanding of the entity and its environment, including internal control.
348
E. Measurement/ review of nancial performance F. Internal control relevant to the audit
> What is measured > Who reviews nancial results. > Processes and relevant controls to mitigate risks at the entity level and at the transactional level.
The sufciency of information (depth of understanding) required by the auditor is a matter of professional judgement. The last section (F in the exhibit above), which relates to internal controls relevant to the audit, is discussed in Part A, Chapter 3 and Part B, Chapters 19, 26 and 27. Obtaining an understanding of the nature of the entity and its environment, including internal control, has a number of benets as outlined below.
Exhibit 23.4-2
Provides a frame of reference Benets obtained from understanding the entity Identifying risks and developing responses > Making judgements about the risk assessments > Developing appropriate responses to identied risks of material misstatement in the nancial report > Establishing materiality (refer to Part B, Chapter 21) > Developing expectations needed for performing analytical procedures > Designing/performing further audit procedures to reduce audit risk to an acceptably low level > Evaluating sufciency/appropriateness of audit evidence obtained (for example, appropriateness of assumptions used and managements oral and written representations). Financial report review > Assessing managements selection and application of accounting policies > Considering the adequacy of nancial report disclosures > Identifying audit areas for special consideration (for example, related-party transactions, unusual or complex contractual arrangements, going-concern or unusual transactions).
Consider point
Obtaining an understanding of the entity is not a discrete task that can be completed early in the audit and then put to one side. It is important to keep learning about the entity throughout the audit and be alert to risk factors not previously identied or where the original assessment of risk needs updating.
Practical guidance
349
23.5
Sources of risk
Errors and fraud in the nancial report arise from risk factors that have their origin in one or more of the six required areas of understanding the entity (see Part B, Exhibit 23.4-1). An example would be a new and complex tax being imposed on the entity. This would be an external risk factor. A risk of misstatement in the nancial report could be a misinterpretation of the new law, resulting in an incorrect calculation of tax payable and the amount owed. Note that the source (or cause) of the risk is the new tax that affects the entity and not the error in calculation which is the effect of the risk factor. As a consequence of the new tax the risk of a calculation error increases. The following chart shows the six areas of understanding as being potential sources of risk.
Exhibit 23.5-1
es Sourc of risk
PART B
External factors RMM* in the financial report Internal factors (nature of entity) Entity objectives and strategies
Internal control
Accounting policies
Industry performance indicators
* RMM = Risks of material misstatements
Examples of sources of risk (but not the effect on specic nancial report areas) are outlined in the following exhibit.
350
Exhibit 23.5-2
Sources of business and fraud risk Business objectives and strategies > Inappropriate, unrealistic or overly aggressive objectives and strategies > New products or services, or moving into new lines of business > Entering into business areas/transactions with which the entity has little experience > Inconsistencies between IT and business strategies > Response to rapid growth or decline in sales that can strain internal control systems and peoples skills > Use of complex nancing arrangements > Corporate restructurings > Signicant transactions with related parties. External factors > State of the economy and changes in government regulation > Declining demand for the entitys products or services > High degree of complex regulation > Changes in the industry > Inability to obtain required resources (materials or skilled personnel) > Deliberate sabotage of an entitys products or services > Constraints on the availability of capital and credit. Nature of entity > Poor corporate culture and governance > Incompetent personnel in key positions > Changes in key personnel, including departure of key executives > Complexity in operations, organisational structure or products > Product or service aws that may result in liabilities and reputation risk > Failure to recognise the need for change (skills required or technology) > Weaknesses in internal control, especially those not addressed by management > Poor relationships with external funders, such as banks > Going-concern and liquidity issues, including loss of signicant customers > Installation of new systems related to nancial reporting. Performance indicators > Performance measures not used by management to assess the entitys performance and achievement of objectives > Measures not used to improve operations or take corrective actions. Accounting policies > Inconsistent application of accounting policies > Inappropriate use of accounting policies.
Practical guidance
351
Sources of business and fraud risk Internal control > Inadequate management oversight of day-to-day operations > Poor or non-existent controls over entity level activities such as human resources, fraud and preparation of accounting information such as estimates and nancial reports > Poor or non-existent controls over transactions such as revenues, purchases, expenses and payroll > Poor safeguarding of assets.
23.6
Fraud risk
The term fraud refers to an intentional act by one or more individuals among management, those charged with governance, employees or third parties, involving the use of deception to obtain an unjust or illegal advantage. Fraud involving one or more members of management or those charged with governance is referred to as management fraud. Fraud involving only employees of the entity is referred to as employee fraud. In either case, there may be collusion within the entity or with third parties outside of the entity. The following exhibit outlines the types and characteristics of fraud.
PART B
Exhibit 23.6-1
Manipulation of financial report
(reporting a higher/lower level of earnings than actually occurred)
Who? Owners and management Personal benefit
(save taxes, sell business at inflated price or pay a bonus)
Misappropriation of assets
(converting assets to personal use)
Employees Personal benefit

(obtain a performancebased bonus, conceal losses or cover up stolen assets)
Owners and management Personal benefit or to help someone else in need
Employees
Why?
Justify an end
(stay in business, save jobs, maintain funding, serve the community)
Personal benefit or to help someone else in need
How?
Override of internal controls, false/incorrect transactions, collusion, manipulation of accounting policies, exploiting weaknesses in internal control
False or incorrectly recorded transactions, collusion, manipulation of accounting policies, exploiting weaknesses in internal control
Override internal controls, theft of inventory/assets, collusion, exploiting weakness in internal control
Theft of inventory or assets, collusion, exploiting weakness in internal control
How much?
Often large due to position of management in entity and their knowledge of internal control
Often smaller in size but can accumulate significantly over time if not detected
Often based on a particular need. Even if starts small will likely get bigger if not quickly detected
Often based on a particular need. Could be small but likely will get bigger if not quickly detected
352
Consider point
For each risk factor identied, consider whether it is a business risk, a fraud risk or both. Many sources of risk can result in both business and fraud risks. For example, a change in accounting personnel can result in errors being made (business risk) but may also provide an opportunity for someone to commit a fraud.
23.7
Types and characteristics of fraud
Although fraud can occur at any level in the organisation, it tends to be more serious (and involve higher monetary amounts) when senior management is involved. Some of the major conditions that create an environment for fraud include: > Ineffective corporate governance > Lack of leadership by management and poor tone at the top > High incentives provided for nancial performance > Taxes or other expenses that are considered very high or onerous > Complexity in the entitys rules, regulations and policies > Unrealistic expectations from bankers, investors or other stakeholders > Downward and unexpected shifts in protability > Unrealistic budget targets for staff to attain, and > Inadequate internal control, especially in the presence of organisational change. As can be determined from the above, the most effective anti-fraud internal control would be a strong commitment by those in governance and senior management positions to doing the right thing. This is evidenced through articulated entity values and a commitment to ethics that are modeled on a day-to-day basis. This is true for any size organisation.
23.8
The fraud triangle
There are three conditions that often provide clues to the existence of fraud. Forensic accountants often refer to this as the fraud triangle because when all three conditions are present, it is highly likely that fraud may be occurring. The conditions are: > Pressure This is often generated by immediate needs (such as having signicant personal debts or meeting an analysts or banks expectations for prot) that are difcult to share with others.
Practical guidance
353
> Opportunity A poor corporate culture and a lack of adequate internal control procedures can often create the condence that a fraud could go undetected. > Rationalisation Rationalisation is the belief that a fraud has not really been committed. For example, the perpetrator rationalises this is not a big deal or I am only taking what I deserve.
Exhibit 23.8-1
Ra tio
re
na
su
lis
Pr es
Opportunity
For example, an owner-manager in the construction business might be offered a job to build a signicant addition to a friends house as long as it is a cashonly transaction with no paperwork involved. Consider the three conditions. > The pressure on the owner-manager might be to reduce taxes that would otherwise be payable. > The opportunity is for the owner-manager to override the internal controls over revenue recognition and not record the revenue from the sale. > The rationalisation could be that the owner-manager is already paying far too much in taxes. Note: If any one of the three conditions is not present, the cash sale is unlikely to take place. In conducting risk assessment procedures, audit team members need to consider the existence of all three conditions and not just the opportunity for fraud. Consider the sources of fraud risk set out in the following exhibit.
PART B
at io n
354
Exhibit 23.8-2
Sources of fraud risk Incentives and pressures > Financial stability or protability is threatened by economic, industry or the entitys operating conditions > Excessive pressure exists for management to meet the requirements or expectations of third parties or those charged with governance (such as earnings targets or compliance with onerous environmental regulations, etc.) > Personal nancial obligations may create pressure on management or employees with access to cash or other assets susceptible to theft to misappropriate those assets > Adverse relationships between the entity and employees with access to cash or other assets. For example: Known or anticipated future employee layoffs Recent or anticipated changes to employee compensation or benet plans, and Promotions, compensation or other rewards inconsistent with expectations > The personal nancial situation of management or those charged with governance may be threatened by the entitys nancial performance (such as nancial interests, compensation, guarantees, etc.). Attitudes and rationalisations Rationalisations > Management is interested in employing inappropriate means to: Minimise reported earnings for tax-motivated reasons, and Increase reported earnings to avoid violating bank covenants, increase the sale price of the entity or meet targets set by a third party > Employee behaviour indicates displeasure or dissatisfaction with the entity > Low morale exists among senior management > Management is tolerant of some employee thefts. For example, no disciplinary action is taken when an employee is caught stealing > Management does not enforce the entitys values or ethical standards > Management disregards the need for monitoring or reducing risks related to the misappropriations of assets. Attitudes > Management has a known history of violations of laws and regulations or allegations of fraud > Management exhibits changes in behaviour or lifestyle that may indicate assets have been misappropriated > Senior managers demonstrate a poor ethical example (such as inating expense accounts and committing petty thefts, etc.)
Practical guidance
355
Sources of fraud risk Attitudes and rationalisations (continued) > Management has overridden existing controls > Management has failed to take appropriate remedial action on known deciencies in internal control > The owner-manager makes no distinction between personal and business transactions > Disputes exist between shareholders in a closely-held entity > Management makes recurring attempts to justify marginal or inappropriate accounting on the basis of materiality > The relationship between management and the current or predecessor auditor is strained. Opportunities Assets susceptible to misappropriation > Large amounts of cash on hand or processed > Inventory items that are small in size, of high value or in high demand > Easily convertible assets, such as bearer bonds, diamonds or computer chips > Property, plant and equipment are small in size, marketable or lack observable identication of ownership. Inadequate internal controls > Inadequate oversight by those charged with governance of managements processes for identifying and responding to the risks of fraud > Inadequate segregation of duties or checks > Inadequate oversight of senior management expenditures > Inadequate management oversight of employees responsible for assets > Inadequate job applicant screening for employees with access to assets > Inadequate record keeping with respect to assets > Inadequate authorisation and approval of transactions > Inadequate physical safeguards over cash, investments, inventory or property, plant and equipment > Lack of complete and timely reconciliations of assets > Lack of timely and appropriate documentation of transactions (for example, credits for merchandise returns) > Lack of mandatory vacations for employees performing key control functions > Inadequate management understanding of information technology, which enables information technology employees to perpetrate a misappropriation > Inadequate access controls over automated records, including controls over and review of computer systems event logs.
PART B
356
Sources of fraud risk Opportunities (continued) Specic areas of vulnerability > Management estimates, revenue recognition, use of journal entries, transactions with related parties, etc.
Consider point
Fraud is always intentional. It involves concealment of information from the auditor and deliberate misrepresentations. Consequently, fraud is discovered by looking for patterns, oddities and exceptions often in what might be considered very small monetary amounts. Fraud is unlikely to be detected through substantive procedures alone. For example, an auditor is unlikely to identify a missing transaction or determine that a transaction is invalid unless there is some additional understanding of the entity that can be used as a frame of reference.
Auditors, depending on their role and position on the audit team, may identify a fraud risk factor that relates to one or more of the triangle elements. However, it is less likely that any one auditor will identify all three conditions (opportunity, pressure and rationalisation) together. For this reason, it is important for the audit team to continually discuss their ndings throughout the engagement. The benets of audit team discussions are outlined in the exhibit below.
Exhibit 23.8-3
The audit partner finds that the owner-manager has occasionally strayed close to ethical boundaries.
The audit junior was told by a puzzled staff member that some material purchases had been shipped directly to friends.
The audit senior discovers in talking to the sales manager that the owner handles certain clients exclusively by himself.
In the absence of communication, it would be difcult for any single member of the above audit team to see the big picture. Ongoing audit team discussion enables the team to pull together small pieces of information so that the bigger picture can be seen.
Practical guidance
357
23.9
Professional scepticism
It is the responsibility of the auditor to maintain an attitude of professional scepticism at all times during the engagement. An attitude of professional scepticism involves matters outlined in the exhibit below.
Exhibit 23.9-1
Scepticism involves Recognising that management can always commit fraud Management is always in a position to override otherwise good internal control. Engagement team members are to set aside any beliefs that management and those charged with governance are honest and have integrity notwithstanding the auditors past experience of their honesty and integrity. Make critical assessments about the validity of audit evidence obtained. Does audit evidence contradict or bring into question the reliability of: > Documents and responses to enquiries? > Other information obtained from management and those charged with governance? Being careful Avoid: > Overlooking unusual circumstances > Over-generalising when drawing conclusions from audit observations > Using faulty assumptions in determining the nature, timing and extent of the audit procedures and evaluating the results thereof > Accepting less than persuasive audit evidence in a belief that management and those charged with governance are honest and have integrity > Accepting representations from management as a substitute for obtaining sufcient appropriate audit evidence.
A questioning mind Being alert
Consider point
Applying professional scepticism to an audit of a client you know and trust can be difcult. There is a natural human tendency to place trust in people, assuming there is no information to the contrary. Consequently, partners and staff need to be reminded on a regular basis to apply professional scepticism. Some practical suggestions for applying this concept include: > Create a ctional character (and name) of someone who has a bad attitude toward control and poor ethics. When the discussion around possible fraud scenarios and nancial report susceptibilities takes place, imagine this person (not your client) as being the client or the senior manager in charge > Inviting someone (ideally with some forensic experience) who does not know the entity to participate in the planning discussions about fraud.
PART B
358
23.10 How to identify inherent risk factors

The most effective way to avoid missing a relevant risk factor is to make risk identication an integral part of understanding the entity. The more that the auditor knows about the six areas of understanding, the more likely the auditor will be able to identify risk factors. Understanding the entity is also helpful when identifying and later responding to possible fraud scenarios. Remember that management override is always a possibility and fraud is thereby concealed (especially from the auditor). As information is gathered (or updated) about each of the required areas of understanding the entity, the existence of relevant business and fraud risk factors will be considered. For many of the business risks identied, there may also be a fraud risk to consider. For this reason, it is suggested that, where possible, fraud risks be listed separately from business risks and assessed separately. For example, if the sales outlook for an entitys products was poor (an external source of risk), consider what could go wrong (implications for) in the nancial report. Poor sales could result in excess inventory that may need to be written down, but it could also trigger a fraud risk if it provided an incentive for a salesperson to inate their sales to meet a bonus threshold. Consider point
The business and fraud risks (inherent risks) are identied before any consideration of any internal controls that might mitigate such risks. Internal control to mitigate risks is addressed in Part B, Chapters 26 and 27. This is also important for identifying any signicant risks that might exist (refer to Part B, Chapter 25).
The effect of some of the risk factors identied will relate to a specic nancial report area but other risk factors will be pervasive and will relate to many nancial report areas. For example, if the senior accountant is incompetent, errors will not likely be limited to one nancial report area. In addition, if someone took advantage of the situation to commit fraud, misstatements could occur in any number of asset or liability balances and could be covered up with additional misstatements in revenue and expense transactions. Pervasive risks often derive from a weak control environment and potentially affect many nancial report areas, disclosures and assertions. Pervasive risks will likely affect the assessment of risk at the nancial report level. Risks at the nancial report level will be addressed through an overall response by the auditor (such as more audit work performed, assigning more experienced staff members, etc.). As the audit progresses, additional risk factors may be identied. These should be added to the list of identied risks and appropriately assessed before making any decisions as to the impact on audit strategy and the audit plan, such as the nature and extent of further audit procedures required. This will ensure that, when
Practical guidance
359
planning takes place for the next period, the risk identication and assessment will be complete. A suggested three-step risk identication process is outlined below.
Exhibit 23.10-1
Risk Identication Step 1 Gather basic information about the entity The starting point is to obtain a basic understanding or frame of reference for designing the risk assessment procedures to be performed. Without this understanding, it would be difcult, if not impossible, to identify what errors and fraud could occur in the nancial report. > Obtain (or update) relevant basic information about the entity, its objectives, culture, operations, key personnel and the internal organisation and control. Step 2 Design, perform and document risk assessment procedures > Risk assessment procedures/activities (see Part A, Chapter 6) are required to be performed so that: The sources of risks of material misstatement are identied An appropriate understanding of the entity is obtained, and The necessary supporting audit evidence is obtained
> Hold discussions among the audit team regarding the susceptibility of the entitys nancial report to material misstatement, caused by error or fraud (see Part B, Chapter 22) > Make enquiries of management as to how they identify and manage risk factors (particularly fraud) and what risk factors have, in fact, been identied and managed. Also ask management if errors or fraud have actually occurred > Document all risk factors identied. Step 3 Relate (map) the risks identied to material nancial report areas For each risk factor (risk cause) identied, identify the effect (specic misstatements such as fraud and error) that could occur in the nancial report as a result. Note that a single risk factor can result in a number of differing types of misstatements that may affect more than just one nancial report area (See the consider point following for some examples.) > Identify the material account balances, class of transactions and disclosures in the nancial report > Relate or map the risks identied to the specic nancial report areas, disclosures and assertions affected. If the risk identied is pervasive, then relate it to the nancial report as a whole. Identifying the effect of risks by nancial report area helps in assessing risks at the assertion level. Identifying the effect of pervasive risks helps in assessing risks at the nancial report level.
PART B
> Using the basic understanding of the entity obtained in step 1 above, design and perform risk assessment procedures and related activities
360
Consider point
A natural tendency for auditors is to use the nancial report as the starting point for identifying risks. For example, inventory may be considered high risk because of the errors found in previous periods. However, this is equivalent to identifying the effect of a risk but not the underlying cause. Knowing inventory is high risk is important; however, it is even better to know the cause of the risk. If the cause of a risk is not identied, it is possible that some risk factors will be missed altogether. Consider the following: Missing balances or transactions Financial reports only summarise the results of business decisions and transactions that have been recorded. If transactions have not been recorded, or if assets have been misappropriated or contingencies are not disclosed, it is quite possible that the risk factors associated with such missing amounts or disclosures will not be identied or assessed. Fact gathering versus risk identication The process of understanding the entity can easily become focused on collecting facts about the entity rather than identifying sources of risk. When this occurs, new risk factors, events, transactions and fraud risks may be missed altogether. Cause and effect of misstatements The signicance of certain risk sources may be missed if attention is paid primarily to the effect or consequence of the risk factor (such as focusing on the errors in the inventory balance rather than the reasons for their occurrence in the rst place). The source of the risk is the event(s) that would cause errors to occur in the rst place. The source of errors in the inventory balance could be inadequate or poorly trained staff, an outdated system of internal control, misapplication of accounting policies such as revenue recognition, lack of security over inventory or outright fraud by employees, etc. A cause with multiple misstatement effects An individual risk source may often affect many nancial report balances. For example, a downturn in the economy may affect the valuation of inventory, the collectability of receivables, compliance with banking agreements, manipulation of sales transactions to achieve bonus thresholds and possibly even going-concern issues. Pervasive risks By focusing on one nancial report area at a time, certain pervasive risks and fraud risks may not be identied. For example, the introduction of a new accounting system could result in errors being made in many nancial report balances. In addition, someone could take advantage of the uncertainty created by the new system to commit a fraud.
Practical guidance
361
23.11 Documenting the risk identication process

The auditor should use professional judgement regarding the manner in which these matters are documented. For example, the documentation of the risk identication process following the three steps outlined above would consist of: > Information about the entity > Risk assessment procedures, and > Relating identied risks to possible errors and fraud in the nancial report. See toolkit item 510: Identifying risks through understanding the entity, 511: Worksheet Business and fraud risk identication and 512: Worksheet Enquiries about fraud.
Exhibit 23.11-1
Document Information about the entity Description Document information obtained under the appropriate area of understanding, such as the entitys objectives, external factors, nature of the entity, etc. Documentation may vary from very simple to complex, depending on the size of the entity and could include: > Client-prepared information (such as business plans and analysis) > External data (industry reports, internal staff communications, documented policies and procedures) > Relevant correspondence (legal, government agencies, etc.), emails, consultants reports, memoranda, and > Firms checklists. Risk assessment procedures Document details of the risk assessment procedures performed. This would include: > Discussions among the audit team regarding the susceptibility of the entitys nancial report to material misstatement caused by error or fraud and the results > Key elements of the understanding of the entity obtained including: Each of the aspects of the entity and its environment outlined above Each of the ve internal control components, as outlined in Part A, Chapter 3, and Sources of information from which the understanding was obtained > The identied and assessed risks of material misstatement at the nancial report level and assertion level.
PART B
362
Relate identied risks to possible errors and fraud in the nancial report
Document the material account balances, class of transactions and disclosures in the nancial report and then for each source of risk identied, indicate whether it is: > Pervasive to the nancial report as a whole, or > Conned to specic nancial report areas, disclosures and assertions.
There are a number of ways that identied risks can be documented. One way of documenting the risks identied is outlined below. The exhibit shows the risk source by area of understanding (external factors, nature of entity, etc.), the impact or possible consequence of the risk and the nancial report areas affected.
Exhibit 23.11-2
Impact of risk on the nancial report (errors or fraud) Financial report area affected or pervasive risk
Risk source Entitys objectives Introduction of a new product during the year
Errors in cost allocation and inventory valuation. New product costing and pricing methodologies/systems could create opportunities for fraud to occur. The new nancing required will make it difcult to comply with existing bank covenants. If the entity is in breach of covenants, the loan may actually be payable on demand. Management may be tempted to manipulate nancial report to ensure compliance with the bank covenants.
Inventory valuation Inventory accuracy
Note disclosures on nancing, debt covenants and loan classication Pervasive risk
Nature of the entity Senior accountant not trained properly Errors in the nancial report. Opportunity for fraud. Pervasive risk Pervasive risk
Practical guidance
363
Consider point
One location for risks Consider recording all the risk factors identied in a single document, single place or with a common le reference number in the working paper le. This has a number of advantages: > Ease of le review. All risk factors identied can be found in one place > Consistent assessment. When risks are reviewed together, a particular risk that has been assessed differently from others will be more evident > Risks can be sorted (using an electronic spreadsheet) enabling the most signicant risks to be at the top of the page. In this way, a le reviewer can check to ensure all the major risks identied have been addressed with an appropriate audit response. Separate lists of fraud and business risk factors List and assess fraud risks separately from business risk factors. Many business risks also create an opportunity or incentive for fraud to occur. If fraud is not separately considered, some fraud risk factors may be missed. For example, a new accounting system may create potential for errors (business risk) but may also provide an opportunity for someone to manipulate the nancial results or misappropriate assets (fraud risk). Another reason for keeping them separate is that the audit response to a fraud risk (identication of any patterns, exceptions or oddities that might exist) might be quite different from the response to a related business risk. Leave the assessment of risk until later Avoid the temptation to only list risk factors that are likely to be signicant or important. A key part of risk or event identication is to develop as complete a listing of risk factors as possible. Inconsequential risk factors can always be removed later after each risk is appropriately assessed. This will help to ensure that all material risks are indeed identied. Re-use documentation to extent possible Avoid having to re-document the risk factors identied and the understanding of the entity obtained each period. If information about risk assessment procedures performed and the risks identied is captured in a structured way (see one location for risks above), it can simply be updated each period. This may require more time initially (in the rst period) to prepare but will save time in subsequent periods. However, be sure that appropriate risk assessment procedures are carried out and documented each period and that any changes made can be identied. Also ensure each document records the fact that the information was updated. Impact of risks The most important, but also the most difcult, column to complete is impact of risk on nancial report (see previous exhibit). It is in this column that the auditor sets out the implication of the identied risk. Declining sales is a risk factor but, if recorded accurately by the entity, this would not result in risks of material misstatement. However, declining sales could result in inventories being obsolete or overvalued and receivables may become difcult to collect. It is the implication of each risk factor that the auditor needs to identify so that an appropriate audit response can be developed. PART B
364
Note: The risk sources identied in this example have multiple impacts, each of which has been considered separately. If the various impacts of risk sources are not broken out into discrete components, not only will the risk assessment process be more difcult but the auditor could easily miss some risk implications (such as fraud) altogether.
23.12 Case studies inherent risks identication

For details of the case studies, refer to Part B, Chapter 17 Introduction to the case studies. > Understand the entity This can be documented in a memo that is similar to the one in Part B, Chapter 17 that outlines the details of these two case studies. > Identify risk factors One way of documenting the cause and effect of identied risks (both business and fraud) is to list them in a structured format, such as the risk assessment form outlined below. This will ensure all risks are recorded in one place and that the assessment of risks will be consistent. The alternative approach is to list the risks identied in a memo format. Avoid the temptation to combine business and fraud risk on one form. The assessment of and response to a business risk versus a fraud risk may be quite different. Outlined below is a structured format for ONeal Furniture and a memo approach for Kane & Co.

Business risks Risk event (source) Implication of risk factor What nancial report areas could be misstated and in what way? (that is, inventory overvalued) Downturn in economy Downturn in economy Inventory clerk known to make errors Continued growth (despite downturn) and poor inventory control Receivables may be difcult to collect Inventory write-downs may be required Inventory balances may be overstated/ understated and possibly impact valuation Breach of debt covenants Assertions PCAEV
V V CAEV
Practical guidance
365
Business risks Risk event (source) General IT controls are weak in a number of areas New sales being sought in other countries Implication of risk factor Data integrity may be compromised or data may even be lost Foreign exchange risks in receivables Assertions P
Assertions impacted are P = Pervasive (all assertions), C = Completeness, A= Accuracy E = Existence V = Valuation
Fraud risks Risk event (source) Implication of risk factor What nancial report areas could be misstated and in what way? (that is, ctitious sales) Pressures Minimise tax burden Management bias in estimates (such as valuation of inventory) to reduce income Unauthorised journal entries or manipulation of nancial report Financial report manipulation to avoid bank covenant being violated Inated sales to meet thresholds CAV Assertions PCAEV
Minimise tax burden Rapid growth putting pressure on nancing Salesmans bonus based on sales above certain thresholds Paying bribes to obtain contracts Opportunities Poor control over inventory Poor control over cash sales Transactions with related parties Signicant expansion in the use of related-party transactions
P P
Damage to reputation, overstatement of expenses, unaccrued nes
CAE
Goods stolen from inventory Goods stolen/cash stolen Sales/purchases may not be complete, properly valued or disclosed in the nancial report Sales/purchases could be undervalued/overvalued. Balances with related parties may not be collectable. Manipulation of nancial report could be achieved by transferring risky balances to a related party. This would replace a risky balance with a relatedparty balance.
E E P
PART B
366
Fraud risks Risk event (source) Rationalisation Low morale among temporary workers Goods or cash stolen E Implication of risk factor Assertions
Assertions impacted are P = Pervasive (all assertions), C = Completeness, A= Accuracy E = Existence V = Valuation

Memo to le Kane & Co. Inherent risk identication As a result of performing the risk assessment procedures outlined on working paper X.XX, which included potential sources of risk arising from the six areas of required understanding, we have identied the following risk factors: Business risks Robert s absence from operations a pervasive risk > The quality and accuracy of the accounting records could be compromised due to Roberts focus on personal family matters. The nancial report could be materially misstated. Risk assessment: Risk response: (to be addressed in Part B Chapter 24) (to be addressed in Part B Chapter 31)
> Robert used to inspect goods for quality before shipment. The quality of products sold could be compromised leading to greater returns and/or unsaleable inventory. (Valuation) Risk assessment: Risk response: (to be addressed in Part B Chapter 24) (to be addressed in Part B Chapter 31)
Downturn in economy and economic dependence > Kane & Co. is dependent on its primary customer, ONeal Furniture, which represents over 90% of its sales. In this economic downturn, ONeal Furniture could cancel orders. The impact could be bank covenant violations and overvalued assets. > A decline in sales and liquidity pressures may lead to nancial report manipulation to avoid bank covenant violations. > If the bank called their loan, the company may not be able to continue as a going concern. This could result in a material uncertainty that should be disclosed in the nancial report, and an evaluation of the basis (ie. the going concern assumption) on which the nancial report is prepared. This would affect all assertions. Risk assessment: Risk response: (to be addressed in Part B Chapter 24) (to be addressed in Part B Chapter 31)
Practical guidance
367
Fraud risks Tax minimisation > There may be a management bias to minimise the tax burden. There may be a bias in managements estimates or unauthorised journal entries could be used. (Completeness, Accuracy.) Risk assessment: Risk response: (to be addressed in Part B Chapter 24) (to be addressed in Part B Chapter 31)
Robert s absence from operations a pervasive risk > Robert s absence results in minimal oversight of Rubys work. In addition, Ruby appears to have low morale and personal nancial pressures. This creates incentive, opportunity and rationalisation for cash/goods being stolen (Existence) and/or nancial report manipulation. This should be treated as a fraud risk. Risk assessment: Risk response: Related parties > Transactions with related parties could be manipulated leading to sales being overvalued. (Valuation) Attention should also be paid to the possible existence of other related parties and the valuation/accuracy of balances with related parties at period end. (to be addressed in Part B Chapter 24) (to be addressed in Part B Chapter 31)
Risk response: Prepared by: Reviewed by: FJ LF
(to be addressed in Part B Chapter 31) [Date] [Date]
PART B
Risk assessment:
(to be addressed in Part B Chapter 24)
368
24.
Inherent risks assessment

Relevant ASAs
Chapter content How to assess the identied risks of material misstatement in the nancial report.
240, 315
Exhibit 24.0-1
Activity
Purpose
Documentation 1
Risk assessment
Plan the audit
Paragraph # 240.25
Relevant extracts from ASAs In accordance with ASA 315, the auditor shall identify and assess the risks of material misstatement due to fraud at the nancial report level, and at the assertion level for classes of transactions, account balances and disclosures. When identifying and assessing the risks of material misstatement due to fraud, the auditor shall, based on a presumption that there are risks of fraud in revenue recognition, evaluate which types of revenue, revenue transactions or assertions give rise to such risks. Paragraph 47 of this Auditing Standard species the documentation required where the auditor concludes that the presumption is not applicable in the circumstances of the engagement and, accordingly, has not identied revenue recognition as a risk of material misstatement due to fraud. (Ref: Para. A28-A30)
240.26
Practical guidance
369
Paragraph # 240.27
Relevant extracts from ASAs The auditor shall treat those assessed risks of material misstatement due to fraud as signicant risks and accordingly, to the extent not already done so, the auditor shall obtain an understanding of the entitys related controls, including control activities, relevant to such risks. (Ref: Para. A31-A32) The auditor shall identify and assess the risks of material misstatement at: (a) The nancial report level; and (Ref: Para. A105-A108) (b) The assertion level for classes of transactions, account balances, and disclosures (Ref: Para. A109-A113) to provide a basis for designing and performing further audit procedures.
315.25
315.26
For this purpose, the auditor shall: (a) Identify risks throughout the process of obtaining an understanding of the entity and its environment, including relevant controls that relate to the risks, and by considering the classes of transactions, account balances and disclosures in the nancial report; (Ref: Para. A114-A115) (b) Assess the identied risks and evaluate whether they relate more pervasively to the nancial report as a whole and potentially affect many assertions; (c) Relate the identied risks to what can go wrong at the assertion level, taking account of relevant controls that the auditor intends to test; and (Ref: Para. A116-A118)
24.1
Overview
Risk identication, which was addressed in the previous chapter, involves: > Performing risk assessment procedures to identify sources (causes) of risk through understanding the entity > Determining the possible effects of the risk sources identied (potential misstatements in the nancial report) including the possibility of fraud, and > Relating the effects of risks to the nancial report area and assertions affected or determining that the risks are pervasive to the nancial report as a whole and potentially affect many assertions. The next step is to assess the identied risks and determine their signicance for the audit of the nancial report. Again, it is preferable to assess the inherent risks before considering any internal control that might mitigate such risks. Risk assessment involves consideration of two attributes about the risk: > What is the likelihood of a misstatement occurring as a result of the risk? > What would be the magnitude (monetary impact) if the risk did occur?
PART B
(d) Consider the likelihood of misstatement, including the possibility of multiple misstatements and whether the potential misstatement is of a magnitude that could result in a material misstatement.
370
Likelihood of a misstatement occurring

What is the probability that the risk will occur? The auditor could evaluate this probability simply as high, medium or low, or could assign a numerical score, such as 1 to 5. A numerical score provides a slightly more precise assessment. The higher the score, the more likely the risk would occur.
Magnitude (monetary impact) if the risk did occur

If the risk occurred, what would be the monetary impact? This judgement needs to be assessed against a specied monetary amount, such as performance materiality. If not, different people (with different materiality amounts in mind) could come to entirely different conclusions. For audit purposes, the specied amount would relate to what constitutes a material misstatement for the nancial report as a whole. This assessment can also be evaluated simply as high, medium or low or by assigning a numerical score, such as 1 to 5. The higher the score is, the higher the magnitude of the risk. Consider point
If numeric scores are used to assess likelihood and magnitude, the numbers can be multiplied to provide a combined or overall risk assessment score. This calculation can be useful in considering whether signicant risks exist. In addition, if an electronic worksheet is used, the listing of risks may be ranked and sorted so that the most signicant identied risks are always at the top of the list. This can be useful information when reviewing the le and ensuring an appropriate response has been developed for the assessed risks. In smaller entities where the number of risk factors is small and the audit response has already been established, the two assessments (likelihood and magnitude) can still be considered separately but documented as one combined assessment.
The steps involved in risk assessment (using assessment criteria of high, medium or low) are illustrated below.
Practical guidance
371
Exhibit 24.1-1
Risk assessment
Listing of the business and fraud risk factors identified
Is the identified risk (misstatement) likely to occur? (High, medium, low) If risk (misstatement) did occur, how material would it be to the financial report?
(High, medium, low)
M M
L M
H H
H M
L L
Assessed level of risk

(High, medium, low)
The results of the risk assessment process can also be set out in a chart, as illustrated below. Some commercial software packages provide charting capabilities.
Exhibit 24.1-2
High impact Low likelihood
High impact High likelihood
Impact (magnitude) of risk
Low impact Low likelihood
Low impact High likelihood
Likelihood of risk occurring
PART B
372
Risks falling in the high impact (magnitude), high likelihood area of the chart clearly require management action to mitigate. In addition, these risks will likely be determined as being signicant, which will require special audit consideration (refer to Part B, Chapter 25). Consider point
Discussions with management When risk factors are documented and assessed by the auditor, it is important that the results are discussed with the entitys management. This discussion will help to ensure that a risk factor has not been overlooked and that the auditors assessment of risks (likelihood and impact) is reasonable. However, it is always important to use professional scepticism when evaluating managements input and responses.
24.2
Risk assessments performed by the entity
Risk assessment is one of the ve components of internal control (see Part A, Chapter 3) that should be addressed by the entitys management. In smaller entities, the risk assessment process is likely to be informal and unstructured. Risk in smaller entities is often recognised implicitly rather than explicitly. Management may be aware of risks related to nancial reporting through direct personal involvement with employees and outside parties. As a result, the auditor would make enquiries of management as to how it identies and manages risk and then what risks have actually been identied and managed. The auditor would document the results. As management understands the benets of a more formalised risk assessment process, it may decide to develop, implement and document its own processes. When this occurs, the auditor would evaluate: > Controls in place over managements processes > The completeness of the business and fraud risks identied. This is often recorded on what is commonly referred to as a risk register > Managements assessment of the magnitude of the risks and the likelihood of their occurrence, and > Managements responses to address the assessed risks. If management has failed to identify key risks, consideration should be given as to whether there is a signicant deciency in the entitys risk assessment process.
24.3
Documenting assessed risks
Professional judgement should be used regarding the manner in which risk factors are assessed.
Practical guidance
373
The assessment of the risks of material misstatement is made at the: > Financial report level, and > Assertion level for classes of transactions, account balances and disclosures. Documentation may be in the form of memoranda or a risk listing (for fraud) such as that outlined below. Note the following: > The rst two columns in the table below would be completed as part of risk identication as discussed in Part B, Chapter 23. > The assertion column is an assessment of: The specic assertions that relate to the nancial report area or disclosure impacted by the risk. This will help in the assessment of risks at the assertion level, and Pervasive risks that affect many assertions and would impact the assessment of risk at the nancial report level. > The risks being assessed are inherent risks. Control risk is addressed in Part B, Chapters 26 and 27. > The assessments of likelihood and magnitude (impact) used the numeric scale of 1 = low likelihood/magnitude and 5 = high likelihood/magnitude. These scores may be multiplied to provide a combined overall score. However, these risks could just as easily have been assessed as high, medium or low.
PART B
Exhibit 24.3-1
Period ended: 30 June 20X2 Materiality $50,000 Inherent risk assessment Assertions LikeliPervasive hood to occur Implication of risk factor CAEV Sales could be ctitious, recorded in the wrong period, overstated or at terms different from the standard terms and conditions in order to achieve bonus targets. Unauthorised journal entries to defer expense, bias in management estimates, etc. EA 4 $ Impact 4 Combined Score 16
Risk event (source) Salespersons compensation based on sales commissions
Failure to comply with debt covenants is covered up to avoid bank enquiries
10
374
Fictitious suppliers inserted by employees
Acme pays for expenses at inated prices or for which no services/goods were rendered. Revenue and expenses not recorded at FV (fair value).
EA
Related-party transactions not identied. Shareholders not involved in business could be disadvantaged Cash sales for parts and service may go unrecorded and undeposited
15
Revenue and assets are understated.
CAE
See toolkit item 520: Risk assessment Business/operating, 522: Risk assessment Fraud and 530: Pervasive (entity-level) controls Design/implementation. Consider point
When documenting risk factors, consider how they will be updated and used in subsequent periods. Recording information in one place and in a structured format (such as above) may take a little longer to prepare initially but will be much easier to update in the future. A structured format also helps to ensure: > Risks are not addressed more than once (which can occur if spread throughout the audit le) > A consistent assessment of each risk > Signicant risks are identied > Ease of review. Use of an electronic worksheet enables risks (scored numerically) to be sorted on their combined score or by likelihood or impact, and > The risk listing can be shared with the client (to obtain their input) or to request that the client prepare the listing of risk factors for the auditors review.
24.4
Case studies inherent risks assessment
For details of the case studies, refer to Part B, Chapter 17 Introduction to the case studies. Where a structured format is used to document the assessment, it can be completed using the same form as the one started in Part B, Chapter 23. The audit response column can be used to cross-reference the risk factors to the specic audit procedures or audit programs that address the identied risks. If a memo is to be used, the risk assessment and risk response could be added to the memo started in Part B, Chapter 23.
Practical guidance
375

Business risks Inherent risk assessment SigCom- nicant Likelihood $ bined risk? Y/N to occur Impact score
Risk event (source)
Implication Which nancial report areas could be misstated and in what way?
Assertions
PCAEV
Continued growth (despite downturn) and poor inventory control Inventory clerk known to make errors General IT controls are weak in a number of areas Downturn in economy
Breach of debt covenants
20
Inventory balances may be overstated Data integrity may be compromised or data may even be lost Inventory write-downs may be required Foreign exchange risks in receivables
15
15
Downturn in economy
Receivables may be difcult to collect (that is, overstated)
Assertions impacted are P = Pervasive (all assertions) C = Completeness A = Accuracy E = Existence V = Valuation Assess likelihood (probability) to occur on a scale of 1-5 (Remote = 1 Unlikely = 2 Likely = 3 Most likely = 4 Almost certain = 5) Assess the magnitude (monetary impact) in relation to materiality on a scale of 1-5 (Immaterial = 1 Minor = 2 Moderate = 3 Major = 4 Material = 5) As a guide, risk factors with a combined risk assessment (Likelihood x Impact) score of 20 or more should be considered as signicant audit risks.
Note: The possible violation of the bank covenants has a combined risk score of 20 and is therefore considered to be a signicant risk. Signicant risks require special audit consideration by the auditor including obtaining an understanding of the entitys related controls relevant to such risks.
PART B
New sales being sought in other countries
376
Fraud risks Risk event (source)
Implication Which nancial report areas could be misstated and in what way?
Assertions
Inherent risk assessment Combined score Signicant risk? Y/N
PCAEV
Likelihood to occur
$ Impact
Pressures Minimise tax burden Unauthorised journal entries/ nancial report manipulation Financial report manipulation to avoid bank covenant being violated Management bias in estimates to reduce income Inated sales to meet thresholds. However the bonus amounts are small. Damage to reputation, overstatement of expenses, unaccrued nes
CAV
20
Rapid growth putting pressure on nancing
20
Minimise tax burden Salesmans bonus based on sales above certain thresholds
Y CA 4 4 16
Paying bribes to obtain contracts
CAE
Opportunities Revenue recognition Signicant expansion in the use of related-party transactions Poor control over inventory Poor control over cash sales Inconsistent application of accounting policies Sales/purchases could be undervalued/ overvalued Goods stolen from inventory Goods stolen/cash stolen CAE 3 4 12 Y
20
E E
4 4
3 3
12 12
N N
Practical guidance
377
Fraud risks Risk event (source)
Implication Which nancial report areas could be misstated and in what way? Sales/purchases may not be complete, properly valued or disclosed in the nancial report
Assertions
Inherent risk assessment Combined score Signicant risk? Y/N
PCAEV
Likelihood to occur
$ Impact
Transactions with related parties
12
Rationalisation Low morale among temporary workers Goods or cash stolen
Assertions impacted are P = Pervasive (all assertions), C = Completeness, A = Accuracy E = Existence V = Valuation Assess likelihood (probability) to occur on a scale of 1-5 (Remote = 1 Unlikely = 2 Likely = 3 Most likely = 4 Almost certain = 5) Assess the magnitude (monetary impact) in relation to materiality on a scale of 1-5 (Immaterial = 1 Minor = 2 Moderate = 3 Major = 4 Material = 5)
signicant fraud risks.
Note: The possible management bias in estimates, unauthorised journal entries, the pressures to nance the rapid growth and related-party transactions have been assessed as signicant risks (where the combined score exceeded 16). Signicant risks require special audit consideration by the auditor including obtaining an understanding of the entitys related controls relevant to such risks. If no controls exist it is likely that a signicant deciency exists. Note that revenue recognition has a combined score of less than 16 but is presumed to be a signicant risk. (Refer to ASA 240.26)
PART B
As a guide, risk factors with a combined risk assessment (Likelihood x Impact) score of 16 or more should be considered as
378

Memo to le Kane & Co. Inherent risk identication Materiality = $2,500 As a result of performing the risk assessment procedures outlined on working paper X.XX, which included potential sources of risk arising from the six areas of required understanding, we have identied the following risk factors: Business risks Robert s absence from operations a pervasive risk > The quality and accuracy of the accounting records could be compromised due to Roberts focus on personal family matters. The nancial report could be materially misstated. Risk assessment: High likelihood of occurrence/High magnitude (in relation to materiality) = High Risk and also a signicant risk. See WP # X.X Risk response: (to be addressed in Part B Chapter 31) > Robert used to inspect goods for quality before shipment. The quality of products sold could be compromised leading to greater returns and/or unsaleable inventory. (Valuation) Risk assessment: Risk response: Low likelihood/low magnitude = low risk (to be addressed later)
Downturn in economy and economic dependence > Kane & Co. is dependent on their primary customer, ONeal Furniture, which represents over 90% of their sales. In this economic downturn, ONeal Furniture could cancel orders. The impact could be bank covenant violations and overvalued assets. If the bank called its loan, the company would be unable to continue. (Valuation) Risk assessment: Risk response: Fraud risks Revenue recognition > Possibility of inconsistent application of accounting policies Risk assessment: Moderate likelihood/moderate magnitude = moderate risk but this is presumed by ASA 240.26 to be a signicant risk and will be treated as such Risk response: Tax minimisation > There may be a management bias to minimise the tax burden. There may be a bias in managements estimates or unauthorised journal entries could be used. (Completeness, Accuracy) Risk assessment: High likelihood/moderate magnitude = moderate to high risk and should be considered a signicant risk Risk response: (to be addressed) (to be addressed later) Moderate likelihood/moderate magnitude = moderate risk (to be addressed in Part B Chapter 31)
Practical guidance
379
Downturn in economy and economic dependence > A decline in sales and liquidity pressures may lead to nancial report manipulation to avoid bank covenant violations. (All assertions) Risk assessment: Moderate likelihood/high magnitude = moderate to high risk and should be considered a signicant risk Risk response: (to be addressed)
Robert s absence from operations a pervasive risk > Roberts absence results in minimal oversight of Rubys work. In addition, Ruby appears to have low morale and personal nancial pressures. This creates incentive, opportunity and rationalisation for cash/goods being stolen (Existence) and/or nancial report manipulation. Risk assessment: Risk response: Related parties > Transactions with related parties could be manipulated leading to sales being overvalued. (Valuation) Risk assessment: Moderate likelihood/moderate magnitude = moderate risk and should be considered a signicant risk Risk response: (to be addressed) Moderate likelihood/moderate magnitude = moderate risk (to be addressed)
Note: Signicant risks require special audit consideration by the auditor including obtaining an understanding of the entitys related controls relevant to such risks. If no controls exist it is likely that a signicant deciency exists.
PART B
380
25.
Signicant risks
Relevant ASAs
Chapter content Guidance on the nature and determination of signicant risks and the consequences for the audit.
240, 315, 330
Exhibit 25.0-1
Activity
Purpose
Documentation1
Risk assessment
Plan the audit
Paragraph # 315.4
Relevant extracts from ASAs For the purposes of the Australian Auditing Standards, the following terms have the meanings attributed below: (e) Signicant risk means an identied and assessed risk of material misstatement that, in the auditors judgement, requires special audit consideration.
315.25
The auditor shall identify and assess the risks of material misstatement at: (a) The nancial report level; and (Ref: Para. A105-A108) (b) The assertion level for classes of transactions, account balances, and disclosures (Ref: Para. A109-A113) to provide a basis for designing and performing further audit procedures.
Practical guidance
381
Paragraph # 315.27
Relevant extracts from ASAs As part of the risk assessment as described in paragraph 25 of this Auditing Standard, the auditor shall determine whether any of the risks identied are, in the auditors judgement, a signicant risk. In exercising this judgement, the auditor shall exclude the effects of identied controls related to the risk. When identifying and assessing the risks of material misstatement due to fraud, the auditor shall, based on a presumption that there are risks of fraud in revenue recognition, evaluate which types of revenue, revenue transactions or assertions give rise to such risks. Paragraph 47 of this Auditing Standard species the documentation required where the auditor concludes that the presumption is not applicable in the circumstances of the engagement and, accordingly, has not identied revenue recognition as a risk of material misstatement due to fraud. (Ref: Para. A28-A30) In exercising judgement as to which risks are signicant risks, the auditor shall consider at least the following: (a) Whether the risk is a risk of fraud; (b) Whether the risk is related to recent signicant economic, accounting or other developments and, therefore, requires specic attention; (c) The complexity of transactions; (d) Whether the risk involves signicant transactions with related parties; (e) The degree of subjectivity in the measurement of nancial information related to the risk, especially those measurements involving a wide range of measurement uncertainty; and (f) Whether the risk involves signicant transactions that are outside the normal course of business for the entity, or that otherwise appear to be unusual. (Ref: Para. A119-A123)
240.26
315.28
315.29
If the auditor has determined that a signicant risk exists, the auditor shall obtain an understanding of the entitys controls, including control activities, relevant to that risk. (Ref: Para. A124-A126) If the auditor has determined that an assessed risk of material misstatement at the assertion level is a signicant risk, the auditor shall perform substantive procedures that are specically responsive to that risk.When the approach to a signicant risk consists only of substantive procedures, those procedures shall include tests of details. (Ref: Para. A53) In meeting the ASA 315 requirement to identify and assess the risks of material misstatement, the auditor shall identify and assess the risks of material misstatement associated with related-party relationships and transactions and determine whether any of those risks are signicant risks. In making this determination, the auditor shall treat identied signicant related-party transactions outside the entitys normal course of business as giving rise to signicant risks. If the auditor identies fraud risk factors (including circumstances relating to the existence of a related party with dominant inuence) when performing the risk assessment procedures and related activities in connection with related parties, the auditor shall consider such information when identifying and assessing the risks of material misstatement due to fraud in accordance with ASA 240. (Ref: Para. A6, A29-A30)
330.21
550.18
550.19
PART B
382
25.1
Overview
After the business and fraud risks have been identied and assessed, consideration can be given to the existence of signicant risks. A signicant risk is where the assessed risk of material misstatement is so high that (in the auditors judgement) it will require special audit consideration. Signicant risks are assessed before consideration of any mitigating controls. Signicant risk is based on the inherent risk (before considering the related internal control) and not the combined risk (considering both inherent and internal control risks). For example, a company with a large inventory of diamonds would have a high inherent risk of theft. Managements response is to maintain secure facilities. The combined risks of material misstatement are therefore minimal. However, because the risk of loss (before considering internal control) is highly likely and its size would have a material impact on the nancial report, the risk would be determined as signicant. Consider point
When considering the existence of signicant risks, it can be difcult to ignore the mitigating effect of relevant internal control. This is particularly true when the people implementing the control are well known to the auditor and most likely highly competent in what they do. What is required is to separate the inherent risk from the controls in place. For example, an adult about to cross a busy street would not likely consider the activity to be very risky. This is because it is anticipated that adults use their eyes, ears and previous experience (in crossing streets) to cross safely. But such a risk assessment combines the inherent risk involved in crossing the street with a number of control activities (the use of the eyes, ears and previous experience). To assess whether crossing the street is a signicant risk (that is, before any controls), the person would have to be blindfolded, given earplugs and asked to walk across the street.
25.2
Examples
Examples of signicant risks are set out in the exhibit below.
Exhibit 25.2-1
Sources High-risk activities Examples Includes operations or events where a material misstatement could easily occur. For example, an inventory of high value diamonds or gold bars held by a jeweller or a new/complex accounting system being introduced.
Practical guidance
383
Sources Large non-routine transactions (size or nature)
Examples Identied signicant related-party transactions outside the entitys normal course of business are to be treated as giving rise to signicant risks. Includes infrequent and large transactions. For example: > Unusual volume of routine transactions with a related party > A major sales or supply contract > The purchase or sale of major business assets or business segments, and > Sale of the business to a third party. Routine non-complex transactions that are subject to systematic processing are less likely to give rise to signicant risks.
Matters requiring judgement or management intervention
Examples would include: > The assumptions and calculations used by management in developing major estimates > Complex calculations or accounting principles > Revenue recognition (presumed to be a signicant risk) that is subject to differing interpretation > Extensive manual data collection and processing, and
Potential for fraud
The risk of not detecting a material misstatement resulting from fraud (which is intentional and deliberately concealed) is higher than the risk of not detecting one resulting from error. In evaluating whether signicant risks could result from the identied fraud risk factors and possible scenarios and schemes (see Part B, Chapter 22), consider the following: > Skilfulness of the potential perpetrator > Relative size of individual amounts manipulated > Level of authority of management or employee to: Directly or indirectly manipulate accounting records, and Override control procedures > Frequency and extent of manipulation involved > Possible degree of collusion > Intentional misrepresentations being made to the auditor, and > Previous audit experience or concerns expressed by other persons. Signicant fraud risks may be identied at any stage in the audit as a result of new information being obtained.
PART B
> Where management intervention is required to specify the accounting treatment to be used.
384
25.3
Identifying signicant risks
If the risks of material misstatement have already been identied and assessed, all that is required is to review the ndings and then select (based on the use of professional judgement) those risks that are indeed signicant. For example, if the assessment of risks was charted as illustrated below (the stars represent assessed risks), it would be the two risks falling within the shaded area (risks with high magnitude and high likelihood) that would rst be considered as signicant risks.
Exhibit 25.3-1
High impact Low likelihood
High impact High likelihood
Impact (magnitude) of risk
Low impact Low likelihood
Low impact High likelihood
Likelihood of risk occurring

= Identified risk factor
Practical guidance
385
When considering whether signicant risks exist, the auditor would consider the matters set out below:
Considerations Factors that may indicate possible signicant risks > Risk of fraud. > Risks related to recent signicant economic, accounting or other developments and, therefore, require specic attention. > Complexity of transactions. > Signicant transactions with related parties. > The degree of subjectivity in the measurement of nancial information related to the risk, especially those involving a wide range of measurement uncertainty. > Signicant transactions that are outside the normal course of business for the entity or that otherwise appear to be unusual.
In smaller entities, signicant risks often relate to the matters outlined in the exhibit below.
Exhibit 25.3-2
Subject matter/ information Signicant nonroutine transactions Characteristics > High inherent risk (likelihood and impact) > Transactions that occur infrequently and are not subject to systematic processing > Unusual due to their size or nature (such as the acquisition of another entity) > Require management intervention: To specify accounting treatment, and For data collection and processing > Involve complex calculations or accounting principles > Nature of transactions makes it difcult for entity to implement effective internal control over the risks. Signicant judgemental matters > High inherent risk > Involve signicant measurement uncertainty (such as the development of accounting estimates) > Accounting principles involved may be subject to differing interpretation (such as preparation of accounting estimates or application of revenue recognition) > The required judgement by management may be subjective, complex or require assumptions about the effects of future events (such as judgements about fair value, valuation of inventory subject to rapid obsolescence, etc.).
PART B
386
Subject matter/ information Signicant transactional risks
Characteristics > There may be a small number of transactional risks relating to the major business processes (such as goods being shipped but not invoiced in a sales process) that would result in a material misstatement in the nancial report if not mitigated. Where these risks require special audit consideration, they would be regarded as signicant risks. If there were no internal controls in place to mitigate such risks, they would also be reported to management as being a signicant deciency. > Revenue recognition. This is a presumed signicant risk > Management override or bias in estimates, etc. > Major related-party transactions used to increase sales or purchases > Collusion with suppliers or customers such as price or bid rigging > Unrecorded or ctitious transactions.
Fraud
25.4
Responding to signicant risks
When a risk is classied as being signicant, the auditor should respond as outlined below.
Exhibit 25.4-1
Audit steps Evaluate internal control design and implementation over each signicant risk Description Has management designed and implemented internal control that mitigates the signicant risks? Consider the existence of direct controls, such as control activities and indirect (pervasive) controls which may be included in the control environment, risk assessment, information systems and monitoring elements. This information will be helpful in developing an effective audit response to the identied risks. Where signicant non-routine or judgemental matters are not subject to routine internal control (such as a one-off or an annual event), the auditor would evaluate managements awareness of the risks and the appropriateness of its response. For example, if the entity purchased the assets of another business, the entitys response might include: > Hiring an independent valuer for the acquired assets > Applying appropriate accounting principles, and > Proper disclosure of the transaction in the nancial report. Where the auditor determines that management has not appropriately responded (by implementing internal control over signicant risks), a signicant deciency would exist in the entitys internal control which would be communicated (as soon as possible) to those charged with governance.
Practical guidance
387
Audit steps Design an audit response to the identied signicant risks
Description Do the planned further audit procedures specically address the signicant risk? These procedures would be designed to obtain audit evidence with high reliability and could include tests of controls and substantive procedures. In many cases, the audit procedures may simply be an extension of procedures that would be performed in any event. For example, if the signicant risk related to potential management bias such as in the preparation of an estimate, the extended substantive procedures would include: > Assessing the validity of the assumptions used > Identifying the sources and reliability of the information used (both external and internal) > Considering the existence of any bias in the prior periods estimates as compared to actual facts, and > Reviewing the methods used (including formulas in electronic spreadsheets) in the estimate calculation.
No reliance can be placed on evidence obtained in previous periods Substantive analytical procedures alone are not sufcient
Where a test of operating effectiveness is planned for a control that mitigates a signicant risk, the auditor may not rely on audit evidence about the operating effectiveness of internal control obtained in prior audits. The use of substantive analytical procedures by themselves is not considered an appropriate response to address a signicant risk. When the approach to signicant risks consists only of substantive procedures, the audit procedures can consist of: > Tests of details alone, or > A combination of tests of details and substantive analytical procedures.
25.5
Documenting signicant risks
The identication of signicant risks and the proposed audit response would be documented. If all risks are documented in a single location, the documentation of signicant risks may simply be an extension of the information already documented. Note: If the auditor concludes that revenue recognition is not a signicant risk of material misstatement due to fraud, the reasons for that conclusion are to be included in the audit documentation.
PART B
388
25.6
Case studies signicant risks
For details of the case studies, refer to Part B, Chapter 17 Introduction to the case studies. Signicant risks can be identied from the listing of risk factors and their assessment. See the forms contained in the case studies discussion in Part B, Chapters 23 and 24. Such a form can also be used to cross-reference each signicant risk to the related detailed audit plan. For each signicant risk identied, managements response should be documented and appropriate audit procedures developed that respond to the specic risk.

(Excerpt)
Signicant risk Possible violation of terms of their banks nancing? Managements response Preparation and monitoring of cash ow forecasts. Renegotiate amount and terms of nancing. Audit response Look at the companys growth plans and whether the forecasted cash ows are realistic. Review and compare actual results and cash ows. Ensure the valuations of receivables and inventory (the security for the loans) are reasonable. Review the companys renancing submission to the bank. Review any response/ correspondence from the bank. Financial report None. Management does manipulation not see this as a risk at could occur to all. avoid the bank covenants being violated. Carefully review the assumptions used in the cash ow forecasts and the basis on which actual cash ow reports are prepared. Test that the basis for the valuations of receivables and inventory is valid and correct. Carefully test the existence and accuracy of sales, as there is pressure to maintain and grow sales levels despite the challenging economic environment. W/P reference (Not included)
Practical guidance
389
Signicant risk Inconsistent revenue recognition (a presumed fraud risk) Unauthorised journal entries
Managements response
Audit response
W/P reference
Sales contracts over $500 Review of major contracts (and are reviewed by the sales a sample of smaller contracts) manager. and discussion with sales manager to test that revenue was appropriately recognised in the period. Management has agreed to put policy in place requiring approval of all journal entries but it has not yet been implemented. Policy is that all relatedparty transactions are identied as such and conducted at the normal terms of sale. This includes any corporate assets or services provided for personal use by management or employees. Identify and review all journal entries over $1500 and all entries in the month before and after the period end.
Signicant expansion in the use of related-party transactions.
Review employees understanding of the policy through enquiry and inspection. Seek to ensure all relatedparty transactions have been identied and that the transactions, terms of sale, nature of transaction and the dates are indeed appropriate.
Prepared by:
FJ
[Date] [Date]
Reviewed by: LF
PART B
390

Memo to File: Kane & Co. Identication of signicant risks The following signicant risk areas, including managements response and the audit response, are identied below. Downturn in economy The company has not suffered too badly in the downturn. However Robert should periodically review bank covenant calculations, but he has not been attentive to this in the current period under audit. We will recalculate all ratios to see status against covenants. We will also perform more audit procedures for audit areas that are input into the calculation. The risk is heightened the closer the company is to violation, due to the possibility of nancial report manipulation. Tax minimisation There are no management controls that specically address this issue. The response to this risk will be to carefully review managements estimates and journal entries (see below). Unauthorised journal entries Robert should authorise all journal entries, but this has not been happening consistently. We will identify and review all journal entries over $500 and all entries in the month before and after period end. Related-party transactions Company policy is that all related-party transactions are identied as such and conducted at the normal terms of sale. We will review Roberts and Rubys understanding of the policy through enquiry and inspection. We will test that for all related-party transactions, the terms of sale, nature of transactions and the dates are indeed appropriate. We will also remain alert throughout the audit for transactions outside the normal course of business and that all related-party transactions have, in fact, been identied. Revenue recognition Revenue recognition policies on sales are fairly straightforward and the majority of sales made by Kane & Co are to ONeal Furniture The audit work performed on cut off and related-party transactions addressed any potential for fraud through inappropriate revenue recognition. Prepared by: FJ [Date] Reviewed by: LF [Date]
Practical guidance
391
26.
Understanding internal control

Relevant ASA
Chapter content Guidance on the steps involved in understanding internal control relevant to the audit: > Evaluating control design and implementation, and > Documentation using two possible approaches.
315
Exhibit 26.0-1
Activity
Purpose
Documentation 1
Risk assessment
Plan the audit
PART B
392
Paragraph # 315.4
Relevant extracts from ASAs For the purposes of the Australian Auditing Standards, the following terms have the meanings attributed below: (a) Assertions means representations by management, explicit or otherwise, that are embodied in the nancial report, as used by the auditor to consider the different types of potential misstatements that may occur. (b) Business risk means a risk resulting from signicant conditions, events, circumstances, actions or inactions that could adversely affect an entitys ability to achieve its objectives and execute its strategies, or from the setting of inappropriate objectives and strategies. (c) Internal control means the process designed, implemented and maintained by those charged with governance, management and other personnel to provide reasonable assurance about the achievement of an entitys objectives with regard to reliability of nancial reporting, effectiveness and efciency of operations, and compliance with applicable laws and regulations. The term controls refers to any aspects of one or more of the components of internal control.
315.12
The auditor shall obtain an understanding of internal control relevant to the audit. Although most controls relevant to the audit are likely to relate to nancial reporting, not all controls that relate to nancial reporting are relevant to the audit. It is a matter of the auditors professional judgement whether a control, individually or in combination with others, is relevant to the audit. (Ref: Para. A42-A65) The auditor shall obtain an understanding of the control environment. As part of obtaining this understanding, the auditor shall evaluate whether: (a) Management, with the oversight of those charged with governance, has created and maintained a culture of honesty and ethical behaviour; and (b) The strengths in the control environment elements collectively provide an appropriate foundation for the other components of internal control, and whether those other components are not undermined by deciencies in the control environment. (Ref: Para. A69-A78)
315.14
315.15
The auditor shall obtain an understanding of whether the entity has a process for: (a) Identifying business risks relevant to nancial reporting objectives; (b) Estimating the signicance of the risks; (c) Assessing the likelihood of their occurrence; and (d) Deciding about actions to address those risks. (Ref: Para. A79)
Practical guidance
393
Paragraph # 315.18
Relevant extracts from ASAs The auditor shall obtain an understanding of the information system, including the related business processes, relevant to nancial reporting, including the following areas: (a) The classes of transactions in the entitys operations that are signicant to the nancial report; (b) The procedures, within both information technology (IT) and manual systems, by which those transactions are initiated, recorded, processed, corrected as necessary, transferred to the general ledger and reported in the nancial report; (c) The related accounting records, supporting information and specic accounts in the nancial report that are used to initiate, record, process and report transactions; this includes the correction of incorrect information and how information is transferred to the general ledger. The records may be in either manual or electronic form; (d) How the information system captures events and conditions, other than transactions, that are signicant to the nancial report; (e) The nancial reporting process used to prepare the entitys nancial report, including signicant accounting estimates and disclosures; and (f) Controls surrounding journal entries, including non-standard journal entries used to record non-recurring, unusual transactions or adjustments. (Ref: Para. A81-A85)
315.19
The auditor shall obtain an understanding of how the entity communicates nancial reporting roles and responsibilities and signicant matters relating to nancial reporting, including: (Ref: Para. A86-A87) (a) Communications between management and those charged with governance; and (b) External communications, such as those with regulatory authorities.
315.20
The auditor shall obtain an understanding of control activities relevant to the audit, being those the auditor judges it necessary to understand in order to assess the risks of material misstatement at the assertion level and design further audit procedures responsive to assessed risks. An audit does not require an understanding of all the control activities related to each signicant class of transactions, account balance and disclosure in the nancial report or to every assertion relevant to them. (Ref: Para. A88-A94) In understanding the entitys control activities, the auditor shall obtain an understanding of how the entity has responded to risks arising from IT. (Ref: Para. A95-A97) The auditor shall obtain an understanding of the major activities that the entity uses to monitor internal control over nancial reporting, including those related to those control activities relevant to the audit and how the entity initiates remedial actions to deciencies in its controls. (Ref: Para. A98-A100)
315.21
315.22
PART B
394
26.1
Overview
This chapter addresses the scope of work required to understand internal control relevant to the audit. Part A, Chapter 3 addresses the nature of internal control and provides a detailed description of the ve components of internal control. Part B, Chapter 27 outlines a four-step approach to internal control evaluation. Internal control refers to the processes, policies and procedures designed by management to ensure reliable nancial reporting and the preparation of a nancial report in accordance with the applicable accounting framework. Internal control addresses such matters as managements attitude toward control, competence of key people, risk assessment, accounting and other nancial information systems in use as well as the traditional control activities. The auditor is required to obtain an understanding of internal control on all audit engagements. This applies to any size of entity, even where the auditor has already decided that an entirely substantive approach would be the appropriate response to the risks of material misstatement. Obtaining a sufcient understanding of internal control (relevant to the audit) involves the performance of risk assessment procedures to identify the controls that will directly or indirectly mitigate material misstatements. The information obtained will assist the auditor in: > Assessing the residual risk (inherent and control risk) of material misstatement at the nancial report and assertion levels, and > Designing further audit procedures that are responsive to the assessed risks. However, not all control activities are relevant to the audit and therefore do not require understanding. The auditor is only concerned with evaluating those controls that mitigate a risk of a material misstatement (caused by fraud or error) in the nancial report. Control activities that are not relevant can be scoped out of the audit altogether.
26.2
Risk and control
The relationship between risk and control can be illustrated as follows.
Practical guidance
395
Exhibit 26.2-1
Entity objective
To prepare the financial report free from error and fraud.
Inherent risk: Events that could lead to misstatements in the F/R
Control risk: Controls designed to mitigate misstatements Risk of material misstatement

Low
Risk exposure
High
Inherent business and fraud risks are identied during the risk identication and risk assessment phase. Management mitigates such risks by designing and implementing internal controls and procedures that will reduce such risks to an acceptably low level. The amount of risk left over (after internal controls have been designed and implemented) is the risk of material misstatement (sometimes referred to as residual risk). Ideally, management would design sufcient controls to ensure that the residual risk is reduced to an acceptably low level for both internal management purposes and for the external audit. In practice, some managers will tend to have a high tolerance for risk (ie. fewer controls are in place resulting in a higher residual risk) and some managers (often in the public sector) will tend to be conservative and design controls to reduce risk to almost nothing. Consider point
The sole purpose of a control is to mitigate risk. A control without a risk to mitigate is obviously redundant. So, a risk has to exist before it can be mitigated by a management control. However, some auditors ignore this fact. They start their evaluation of internal control by documenting the system and controls that exist before taking the time to identify what risks actually require mitigation. This approach can result in a lot of unnecessary work in documenting processes and controls that may later prove to be totally irrelevant to the audit objectives. PART B
26.3
Pervasive and specic internal controls
Internal controls can be broadly categorised as pervasive (or entity-level) controls that address pervasive risks and specic (transactional) controls that address specic risks. The differences between these controls are illustrated below:
396
Exhibit 26.3-1
Entitys objectives Financial report and assertions
(entity-level)
Pervasive
Pervasive
Governance Leadership/management Information systems Purchasing Payroll processes processes Other processes
Inherent risks
Controls
Specific
Specific
Revenue processes
Transactions
Exhibit 26.3-2
Description Pervasive (entitylevel) controls Pervasive (entity-level) controls address governance and general management and serve to establish the overall control environment or tone at the top. Typical control processes include human resources, fraud, risk assessment (management override), general IT management, preparation of nancial information (including the nancial report and underlying estimates, etc.) and the ongoing monitoring of operations. In small entities, these controls will refer primarily to managements attitudes toward integrity and control. A solid understanding of the pervasive elements of internal control provides an important foundation for assessing relevant controls over nancial reporting at the transactional (business process) level. For example, if there are poor controls over data integrity at the entity level, this will impact the reliability of all information produced by systems such as sales, purchases and payroll.
Practical guidance
397
Description Specic (transactional) controls Transactional (business process) controls are specic processes/ controls that are designed to ensure: > Transactions are appropriately recorded for the preparation of nancial report > Accounting records are maintained in reasonable detail to accurately and fairly reect all the transactions and dispositions of assets > Receipts and expenditures are made only in accordance with the authorisations of management, and > Unauthorised acquisition, use or disposition of assets would be prevented or detected on a timely basis. Transactional control processes include routine transactions (such as revenues, purchases and payroll) and non-routine transactions (such as purchasing equipment or the costs involved in starting a new line of business).
26.4
The ve internal control components
The various types of internal control that exist within an entity have been divided into ve key components as illustrated below. Each of these components is to be addressed by the auditor as: > Part of the understanding of the internal control (over nancial reporting), and > Information for considering how the different aspects of internal control may affect the audit.
PART B
Exhibit 26.4-1
trol Con ent nm nviro
Risk asses smen
Mo
nito
ring
Control activities
Financial reporting objectives
398
The interrelationships of the ve components between the pervasive (entity level) controls and the specic transactional (business process) controls are illustrated below.
Exhibit 26.4-2
Pervasive controls
Risk asses smen
on
ito
rin
General IT controls
Includes controls over: > Fraud (management override) > Centralised processing > Period-end financial p g reporting process
g
Transactional (business process) controls
Specific controls
Control activities
Transactions
Pervasive entity level controls collectively provide the appropriate foundation for all the other components of internal control because poor entity level controls can render even the best business process controls ineffective. For example, an entity may have an effective purchasing system but if the bookkeeper/ accountant is incompetent (ie, it is a poor control environment), a wide variety of errors could occur and possibly result in a material misstatement in the nancial report. Management override and poor tone at the top (that primarily occur at the entity level) are common themes in bad corporate behaviour. Consider point
How an entity actually designs and implements its internal control will vary with an entitys size and complexity. In smaller entities, the owner-manager may perform functions that address several of the components of internal control.
Practical guidance
399
26.5
Internal control in smaller entities
In smaller entities, there are often few employees, which may limit the extent to which: > Segregation of duties is practicable, and > An appropriate paper trail of documentation is available. Internal control in such entities often derives from the control environment (managements commitment to ethical values, competence, attitude toward control and its day-to-day actions) as opposed to specic controls over transactions. Evaluating the control environment is quite different from traditional control activities as it involves an assessment of the behaviour, attitudes, competence and actions of management. Such assessments are often documented in a memo or with a questionnaire. The presence of a highly involved owner-manager is often an internal control strength and a control weakness. The control strength is that the person (assuming their competence) will be knowledgeable about all aspects of operations and it is highly unlikely that material misstatements will be missed. The control weakness is the opportunity provided for that person to override the internal control for their own benet. Consider point
Identify the pervasive (entity-level) controls In the audit of small entities, there is a temptation to assume that internal control is non-existent and, therefore, not worth understanding. However, any entity that wants to continue operating will have some form of internal control. For example, what business manager does not care whether the cash receipts are deposited in the bank or that goods shipped are invoiced? Consider how the pervasive (entity-level) controls could be evidenced In cases where the owner-manager or equivalent approves transactions and carefully reviews nancial results, the control can have the effect of preventing or detecting misstatements occurring at the assertion level. If reliance on such a control would reduce the need for other substantive procedures, consider whether such controls could be evidenced such as by a signature on a report or a reconciliation to indicate review or approval. Such evidence could then be used to test the operating effectiveness of the control. PART B
26.6
Absence of internal control
In virtually all entities, there is some form of internal control, such as the competence of the owner-manager (control environment). It may be informal and unsophisticated, but it is still internal control. An entity that does not mitigate any of the major risks it faces (through control components such as the control environment, risk assessment, information systems, control activities or monitoring) is unlikely to stay in business for long.
400
Where there are not many control activities that can be identied, the auditor would consider whether: > It is possible to address the relevant assertions by performing further audit procedures that are primarily substantive procedures, or > The absence of control activities or of other components of control (in rare cases) makes it impossible to obtain sufcient appropriate audit evidence. Other matters that would raise questions as to whether the audit should be conducted would include: > Concerns about managements integrity, non-ethical behaviour or a poor attitude toward internal control. Deciencies in the control environment tend to undermine controls that exist in other control components. It also raises the risk of management misrepresentation and fraud, and > Concerns about the condition and reliability of an entitys records that make it unlikely that sufcient appropriate audit evidence will be available to support an unqualied opinion. If these or similar concerns are present, the auditor should consider the need to modify the auditors report or withdraw from the engagement altogether. If withdrawal is chosen, the auditor would consider their professional and legal responsibilities, including any requirement to report to the persons who made the audit appointment and to regulatory authorities. The auditor would also discuss the withdrawal and the reasons with the appropriate level of management and those charged with governance.
26.7
Controls to prevent fraud (anti-fraud controls)
Management override can often be mitigated or slowed down in small entities by establishing and then documenting key policies and procedures. For example, a written policy that says all non-routine journal entries require approval would empower the bookkeeper to ask the manager to approve proposed journal entries. It would not prevent management override from occurring but would act as a deterrent. If anti-fraud policies and procedures are not in operation, the risk of management override will need to be addressed by the auditor through performing other audit procedures. Note: Controls that address compliance with regulations that are not relevant to the audit (where non-compliance would not result in a material misstatement in the nancial report) do not need to be addressed in the audit.
Practical guidance
401
26.8
Internal controls relevant to the audit (the scope of understanding)
Not all controls are relevant to the audit and require understanding. The auditor is only concerned with understanding and evaluating those controls that would mitigate a risk of a material misstatement (due to fraud or error) in the nancial report. This means that certain types of controls can be scoped out of the audit altogether. These are controls that: > Do not drive nancial reporting (such as operational controls and controls that address compliance with regulations), and > Even if non-existent, a material misstatement in the nancial report would be unlikely.
Exhibit 26.8-1
Controls relevant to the audit

Financial reporting:
(significant F/R accounts and disclosures)
Controls NOT relevant to the audit

Operational and compliance objectives
PART B
Entity-level controls and general IT controls
Application/ transactional (business process) controls
In some cases, there may be some overlap between nancial controls and controls relating to operations and compliance objectives. Examples include controls that pertain to data the auditor evaluates or uses in applying other audit procedures such as: > Data required for analytical procedures (for example, production statistics) > Controls that detect non-compliance with laws and regulations > Safeguarding of asset controls that pertain to nancial reporting, and > Controls over the completeness and accuracy of information produced that may form the basis for calculating key performance measures.
402
Controls that would always be relevant to the audit include those that mitigate the following risks.
Exhibit 26.8-2
Description Signicant risks Signicant risks are identied and assessed risks of material misstatement that, in the auditors judgement, require special audit consideration. These are identied and assessed risks of material misstatement for which substantive procedures alone would not provide sufcient appropriate audit evidence. These are identied and assessed risks of material misstatement that in the judgement of the auditor could potentially result in material misstatements occurring.
Risks that cannot easily be addressed by substantive procedures Other risks of material misstatement
The auditors judgement about whether a particular control is relevant to the audit is inuenced by: > Knowledge about the presence/absence of controls identied in other components of internal control. If a particular risk has already been addressed (such as by the control environment, information system, etc.), there is no need to identify any additional controls that may exist > The existence of multiple control activities that achieve the same objective. It is unnecessary to obtain an understanding of each of the control activities related to such objective > The need to test the operating effectiveness of certain key controls. For example, if there is not a practical way to test sales completeness (ie. by performing substantive procedures) a test of the operating effectiveness of controls would be required, and > The impact that testing the operating effectiveness of controls would have on the extent (ie. the reduction) of substantive testing required. Professional judgement is required to determine whether an internal control, individually or in combination with others, is, in fact, relevant.
Practical guidance
403
Consider point
Top down and risk-based The auditors approach to understanding internal control should be from the top down. The rst step is to identify the relevant entity level and transactional risks and then determine whether managements response is appropriate. A solid understanding of entity level controls provides an important basis for assessing relevant controls over nancial reporting at the transactional (business process) level. For example, if there are poor controls over data integrity at the entity level, this will impact the reliability of all information produced by systems such as sales, purchases and payroll. Example The top down and risk-based approach to understanding internal control involves: > Identifying the business processes involved (including accounting) for each signicant account balance > Determining for each process identied whether a material misstatement in the nancial report could possibly occur or whether other factors exist that would make it relevant, and > Scoping out of the audit those processes and controls that are not relevant. PART B For example, a biscuit production company may have the following processes that drive the sales revenue gure: > The main sales order system captures details and the progress of each order received by telephone. This accounts for 70% of sales > Window sales are where customers can buy broken biscuits from a small shop at the back of the production facility. These account for 2% of sales > Internet sales where orders are placed online and paid by credit card; these account for 28% of sales > The accounting system captures details of all types of sales. In this situation, the window sales are unlikely to result in a material misstatement in the nancial report and may therefore be scoped out of the audit. However, before this decision is made, it would still be prudent to either: > Enquire about the existence of controls over the window sales to ensure all such sales are recorded and that there is no deliberate breaking of biscuits for sale at reduced prices to related parties. > Perform an analytical review of the breakdown of sales, to ensure window sales have not deviated from the expected 2% of sales.
404
26.9
Case studies identifying relevant controls
For details of the case studies, refer to Part B, Chapter 17 Introduction to the case studies. Since not all business processes and controls are relevant to the audit, it is important to understand which nancial report areas and controls could have a material impact on the nancial report. Determining which nancial report areas and related business processes are in scope involves using overall materiality as a guide to identify: > What nancial report areas are, or could be, material, and > What entity level controls and business processes are relevant. Immaterial balances, transactions, business processes and controls where no material misstatements are likely to result can be scoped out of any further consideration in the audit. However, before scoping an area out, consider: > The possible accumulation of immaterial misstatements that could, in the aggregate, add up to a material misstatement, and > Whether the nancial report area is understated due to fraud or error.

# Financial report level Pervasive risks identied Entity level and general IT controls Cash and cash equivalent Identify any processes that mitigate the risks (ie. governance board) Annual business planning cycle, management/owner monthly meetings, including nancial report review, IT budgets, day-to-day involvement of management in operations. Receivables, receipts process, investment of short-term (30-60 day) deposits at bank, bank reconciliation and cash management. Revenue, receivables, receipts process, valuation of overdue accounts, asset sales. Purchases, payables, payments process, inventory management, stock taking, valuation of obsolete inventory. Purchases, payables, payments process, calculation of amortisation, capitalisation of assets, asset sales. Receivables, receipts process, bank reconciliation and cash management. Purchases, payables, payroll, payments process, calculation or amortisation, capitalisation or assets. Income tax provision preparation. Finance charges, bank reconciliation process. Issuance/redemption of capital, dividends.
Trade and other receivables Inventories Property, plant and equipment Bank indebtedness Trade and other payables Income tax payable Interest-bearing loan Capital and reserves
Practical guidance
405
Financial report level Pervasive risks identied Sales Cost of goods sold Distribution costs Administrative costs Depreciation Finance cost Income taxes
Identify any processes that mitigate the risks (ie. governance board) Revenue, receivables, receipts process (including cash scrap sale, internet sales, catalogue and custom sales orders). Purchases, payables, payroll, payments process, inventory adjustments. Purchases, payables, payroll, payments. Purchases, payables, payroll, payments. Depreciation and amortisation calculations. Finance charges, bank reconciliation process. Income tax provision preparation.
Prepared by:
FJ
[Date] Reviewed by:
LF
[Date]

Memo to le: Scoping material nancial report areas (FRAs) and processes Entity level and general IT > Robert prepares an annual budget each period for the bank > Robert communicates with the bank manager quarterly, and when the nancial report is sent to the bank > Robert usually reviews these with Sam and Joel since ONeal Furniture is a shareholder, but also because Robert appreciates their input and Joels accounting and nancial knowledge. There is no formal IT structure or process. Robert decides what software and hardware to replace on an as-needed basis. Although Robert ensures that Ruby backs up the accounting data weekly, there is no disaster recovery plan or documented IT process. Material nancial report areas With the exception of cash and cash equivalents, which seem to uctuate from period to period, all FRAs on the nancial report are material and in scope. Therefore, the following business processes will need to be examined as part of our audit:
PART B
406
Business process Receivables/receipts Valuation of overdue accounts receivable Sales process (cash sales, sales orders) Purchases, payables, payments
Material nancial report areas affected Revenue, trade receivables and other, cash and cash equivalents Trade receivables and bad debt expense Revenue Trade payables and other, property, plant and equipment, inventories, income statement expense categories Payroll expenses Income, payroll and sales taxes Purchases and inventories Cash and cash equivalents, interest-bearing loan, interest expense Property, plant and equipment and depreciation/amortisation expense. [Date] [Date]
Payroll Taxes payable and remittances Inventory valuation and management Bank account reconciliations Calculation of depreciation and amortisation Prepared by: Reviewed by: FJ LF
Practical guidance
407
27.
Evaluating internal control

Relevant ASA
Chapter content Guidance on the four key steps involved in evaluating control design and implementation and on documenting the results.
315
Exhibit 27.0-1
Activity
Purpose
Documentation1
Risk assessment
Plan the audit
PART B
Business and fraud risks, including significant risks
408
Exhibit 27.0-2
1 Risk identification
What risks, if not mitigated by internal controls, could result in material misstatements in the financial report?
2 Evaluate control design

Are there controls capable of effectively preventing, or detecting and correcting, the material misstatements identified in step 1?
Yes No
3&4 Evaluate control implementation and document operation

Do the controls exist and is the entity using them?
No Yes
Report significant deficiencies in control to management and those charged with governance
Document the results and conclusions reached
Paragraph # 315.13

When obtaining an understanding of controls that are relevant to the audit, the auditor shall evaluate the design of those controls and determine whether they have been implemented by performing procedures in addition to enquiry of the entitys personnel. (Ref: Para. A66-A68) If the auditor has determined that a signicant risk exists, the auditor shall obtain an understanding of the entitys controls, including control activities, relevant to that risk. (Ref: Para. A124-A126)
315.29
Practical guidance
409
Paragraph # 315.32

The auditor shall include in the audit documentation: (a) The discussion among the engagement team where required by paragraph 10 of this Auditing Standard, and the signicant decisions reached; (b) Key elements of the understanding obtained regarding each of the aspects of the entity and its environment specied in paragraph 11 of this Auditing Standard and of each of the internal control components specied in paragraphs 14-24 of this Auditing Standard; the sources of information from which the understanding was obtained; and the risk assessment procedures performed; (c) The identied and assessed risks of material misstatement at the nancial report level and at the assertion level as required by paragraph 25 of this Auditing Standard; and (d) The risks identied, and related controls about which the auditor has obtained an understanding, as a result of the requirements in paragraphs 27-30 of this Auditing Standard. (Ref: Para. A131-A134)
27.1
Overview
Exhibit 27.1-1
Description Step 1 What risks require mitigation? Step 2 Do the controls designed by management mitigate the risk? Identify the inherent risks of material misstatement (business and fraud risks) and whether they are pervasive risks affecting all assertions or specic risks that affect particular nancial report areas and assertions. > Identify what business processes are in place (if any) > Interview entity personnel to identify what controls mitigate the risks identied in Step 1 above > Review results and assess whether the controls do, in fact, mitigate the risks > Communicate any signicant deciencies identied in the entitys internal control to management and those charged with governance. In larger entities, this step may require reference to or preparation of some system documentation (see Step 3 below) to provide some context regarding the operation of certain controls.
PART B
Regardless of whether tests of controls will ultimately be performed to gather audit evidence, it is still necessary for the auditor on every engagement to evaluate control design and implementation. This involves a four-step process, which can be summarised as follows.
410
Description Step 3 Are the controls that mitigate the risk factors in operation? Step 4 Have the operation of relevant controls been documented? Observe or inspect the operation of relevant internal controls to test they have indeed been implemented. Note that enquiry of management is not sufcient to evaluate whether a relevant control has in fact been implemented. This step can often be combined with Step 2 above. This step can consist of a simple narrative description of the major proceses (prepared by the entitys management or auditor), describing the operation of the relevant internal controls identied. This documentation does not have to include: > A detailed description of the business process or the way paper ows through the entity, or > Internal controls that may exist but are not relevant to the audit.
Note: Regardless of how well a control is designed and implemented, it can only provide reasonable assurance about the achievement of an entitys objectives with regard to reliability of nancial reporting due to certain inherent limitations. These are described below.
Exhibit 27.1-2
Description Internal control limitations > Human judgements and simple human failures such as errors or mistakes > Circumvention of internal control by the collusion of two or more people > Inappropriate management override of internal control, such as revising the terms of a sales contract or overriding a customers credit limit.
Part B, Chapter 26 addresses the understanding of internal control required. Part A, Chapter 3 addresses the nature of internal control and provides a detailed description of the ve components of internal control.
27.2
Step 1 what risks require mitigation?
Exhibit 27.2-1
A risk assessment procedure What risks exist (pervasive or specific) that, if not mitigated by controls, could cause a material misstatement to occur?
Identify what risks require mitigation
Practical guidance
411
Before the auditor begins to document the controls that may exist, the rst step is to identify and then assess the signicant and other risk factors that are present. Otherwise, the internal control evaluation will take place without an understanding of what risks need to be mitigated by internal control. The identication of risks has been addressed in Part B, Chapter 23. Risks requiring mitigation can be pervasive, relating to many nancial report areas and assertions, or specic relating to particular nancial report areas and assertions. The following exhibit summarises some typical sources of risk and the types of control that could mitigate such risks.
Exhibit 27.2-2
What can go wrong? Sources of risk
External industry factors Nature of entity Accounting policies Objectives and goals Performance measures Fraud Accounting estimates Provisions Accounting policies Use of spreadsheet Non-routine transactions Journal entries, reconciliations Information neccessary for financial report disclosures Identification/recording of authorised transactions Transaction classification Measurement, cut-off Safeguarding of assets
Mitigating controls
Entity-level controls and processes General IT controls Transactional controls
Unreliable financial reports (pervasive risks)
Misstatements arising from financial report preparation (pervasive risks)
Entity-level controls General IT controls Transactional controls
Transactions not processed or recorded accurately (specific risks)
Transactional controls IT application controls Some specific entity-level controls
When a listing of risk factors (by business process) has been prepared, it would be useful (but not required) to: > Eliminate any risk factor that would be unlikely to result in a material misstatement even if it was not mitigated at all. Controls that address such risks would not be relevant to the audit > Customise the wording of the risk factors to make it relevant for the particular entity > Ensure all relevant assertions have been addressed, and > Consider whether there are any additional risks (entity and transactional level) that could result in a material misstatement if not mitigated.
PART B
412
27.3
Step 2 do the controls designed by management mitigate the risk?
Exhibit 27.3-1
Assess control design
Identify/assess controls to mitigate risks Address each of the five control components Do significant control deficiencies exist?
Evaluating whether a control has been designed properly by management involves an assessment of whether the controls identied (individually or in combination with other controls) will actually mitigate the risk factor. This involves considering whether the control(s) is/are capable of effectively: > Preventing material misstatements from occurring in the rst place, or > Detecting and correcting material misstatements after they have occurred. It is recommended that an evaluation of control design begin with the pervasive controls. These types of controls form the all-important foundation for assessing the design and operation of specic (transactional) controls. At this point some auditors (particularly when auditing larger and more complex entities) may nd it helpful to obtain some information (preferably prepared by the entity) that describes the business process, the way paper ows through the entity and where controls exist. However, this is not a specic requirement in the ASA. There are two common ways to match internal controls to the risk factors (or control objectives) that they are designed to mitigate. For the purposes of this Manual, these approaches have been called: > One-risk-to-many controls; and > Many-risks-to-many controls.
One-risk-to-many controls
Under this approach, each risk factor is considered by itself. All the controls that address that particular risk factor are identied. This approach is particularly useful for mapping the pervasive (entity-level) risk factors to controls. The approach is illustrated below.
Practical guidance
413
Exhibit 27.3-2
Risk/control objective 1. Risk factor Assertion C Mitigating controls 1. Control procedure A 2. Control procedure B 3. Control procedure C 4. Control procedure D 1. Control procedure E 2. Control procedure F 3. Control procedure G 4. Control procedure H 1. Control procedure I 2. Control procedure J 3. Control procedure K 4. Control procedure L 1. Control procedure M 2. Control procedure N 3. Control procedure O 4. Control procedure P
2. Risk factor
EA
3. Risk factor
4. Risk factor
CA
The following example illustrates how the one-risk-to-many controls approach can work. An objective of the control environment is the need for management, with the oversight of those charged with governance, to create and maintain a culture of honesty and ethical behaviour. This objective stated as a risk factor could mean that management has not created or maintained a culture of honesty and ethical behaviour. Some of the controls that management may design and implement to address this pervasive risk could include: > Management continually demonstrates, through words and actions, a commitment to high ethical standards > Management removes or reduces incentives or temptations that might cause personnel to engage in dishonest or unethical acts > A code of conduct or equivalent exists that sets out expected standards of ethical and moral behaviour > Employees clearly understand what behaviour is acceptable and unacceptable and know what to do when they encounter improper behaviour, and > Employees are always disciplined for improper behaviour.
PART B
This one-risk-to-many controls approach has often been used for mapping all types of control, including transactional controls. However, because a single transactional control can often address more than one risk (and therefore get repeated many times in this approach), the many-to-many matrix (outlined below) is generally considered more effective for transactional controls.
414
The auditor would rst read the risk or control objective and then identify, possibly from a list such as that above, what, if any, controls exist to mitigate the risk. The resulting documentation could take the following form. Note: The column on control design outlines the steps the auditor could take to assess control design.
Exhibit 27.3-3
Internal control (IC) component Control environment Risk factor No emphasis on integrity or ethics. Control identied Code of conduct is signed by employees each year and enforced through staff discipline. Required knowledge and skills specied for each employee position. Control design Read the code of condct and determine if it does emphasise need for integrity and ethics. Review the job specications for key positions, including accounting, and assess whether they appear to be acceptable. Review the business plan and ascertain if risks have been identied, updated and assessed.
Incompetent employees could be hired.
Risk assessment
Management often surprised by predictable events
Business risks are identied and assessed each year as part of business planning.
Once the controls have been identied, the auditor would use professional judgement to conclude whether the control design is sufcient to address the risk factor. When forming a conclusion on the control environment, the auditor is required by ASA 315.14 to evaluate whether: > Management, with the oversight of those charged with governance, has created and maintained a culture of honesty and ethical behaviour, and > The strengths in the control environment elements collectively provide an appropriate foundation for the other components of internal control, and whether those other components are not undermined by deciencies in the control environment. This wording could be used as the overall conclusion by the auditor on all entity level controls. Such a conclusion will also have a major impact on the auditors assessment of risk at the nancial report level.
Many-risks-to-many controls
For specic and transactional risks, the most common approach to evaluating design is through the use of what is sometimes called a control design matrix.
Practical guidance
415
These matrices enable the auditor to see at a glance: > The many-to-many relationships that exist between risks and controls > Where internal control is strong > Where internal control is weak, and > The key controls that address many risks/assertions and could be tested for operating effectiveness. An example of a simple control design matrix is illustrated below.
Exhibit 27.3-4
Process = sales Material risk factors Assertions Controls Procedure #1 Procedure #2 Procedure #3 Procedure #4 Procedure #5 Procedure #6 Procedure #7 Internal control component Control environment Information systems Control activity Monitoring Control activity Control activity Information systems D Yes D Yes No D Yes P D P P Yes D D P P Yes Risk A C Risk B EA Risk C AC Risk D CE Key controls
Is control design OK? (Will the identied controls mitigate the risk factors?)
P = Prevent control D = Detect and correct control
Note: The aforementioned matrix contains the following information: > Risk factors that, if not mitigated, could result in a material misstatement in the nancial report > The assertions addressed by the risk factors, and > Where the internal control procedure addresses (intersects with) the risk on the matrix, it is recorded as either preventing (P) a misstatement or detecting (D) and then correcting a misstatement after it has occurred. Such a matrix can also be expanded to include other information including: > The frequency the control is operated, for example continuous, weekly or monthly > Whether the control is manual or automated, and
PART B
416
> The expected reliability of the internal control over a period of time. This could include, for example, assessing the competence (and independence from other functions) of the person who performs the control, whether the control is performed on a timely basis and any history of errors occurring. Consider point
Multiple control procedures Note that any one control procedure by itself is unlikely to mitigate a key risk factor. Often, a combination of control activities, working together with other components of internal control (such as the control environment), will be sufcient to address the risk factor. Start with the risks Avoid the temptation to list all the known controls and then match them to risks. Risks come rst, then controls to mitigate the risks. It is more efcient to address each risk (or control objective) in turn and then identify what controls exist to address that risk. Once enough controls have been identied to address the risk, there is no point spending more time to identify any additional controls.
Matching controls with risks not only helps to evaluate control design but will also identify key controls (over relevant assertions) that could potentially be tested. It will also help the auditor identify control deciencies that may require: > Communication to management and those charged with governance about the signicant deciency on a timely basis so that corrective action can be taken, and > Development of an appropriate audit response. The control design matrix (see Part B, Exhibit 27.3-4) can be used to identify both control strengths and control deciencies. This process is described in the following exhibit.
Exhibit 27.3-5
Identify Internal control deciencies Description using the control design matrix Look down each risk column (in the control design matrix, previous) to see what internal control procedures exist to mitigate the risks. If sufcient controls exist, then there is no control deciency. Where few or no internal control procedures exist to mitigate the risk, a signicant internal control deciency may exist. Refer to Risk C in the matrix above, where it appears that a signicant deciency exists. In this case, the auditor would: > Enquire about any other internal control procedures or compensating internal control procedures that might exist. If none exists, a signicant deciency may exist that would be communicated to management and those charged with governance as soon as possible so that corrective action may be taken, and > Consider what further audit procedures may be necessary to respond to the risk identied.
Practical guidance
417
Identify Internal control deciencies (continued)
Description using the control design matrix Compensating controls may be activities that indirectly impact on the risk factor. For example, the risk of shipping goods but not invoicing for them could be detected by the sales manager when he reviews sales results each quarter. Such a control would obviously not be sufcient by itself to mitigate the risk. Look across the rows of the control design matrix above to identify internal control procedures that would prevent or detect and correct misstatements arising from a number of risk factors. Note that control procedure 3 in the aforementioned example matrix addresses three risks and three assertions. This is an example of a type of control (often referred to as a key control) that, if considered reliable, could be considered for testing operational effectiveness, particularly where this testing could be used to reduce other more detailed tests.
Internal control strengths
See toolkit item 570: Worksheet Internal control documentation and implementation.
27.4
How to identify internal controls
Exhibit 27.4-1
Action Identify the inherent risks Ask about internal control procedures (if any) that address the inherent risk Address each risk factor one at a time. Description Identify the pervasive (entity level) and specic (transactional) risks that require mitigation through internal control to prevent or detect and correct material misstatements. Ask the owner-manager or the responsible person what internal control procedures exist in the entity to mitigate each particular risk factor one by one. Document the controls identied in the words of the person being interviewed. When (based on professional judgement) enough controls have been identied to effectively mitigate the risk, stop asking for any more controls. There is no need to list all of the other controls that may exist to mitigate the risk, unless specically requested for another purpose.
PART B
Controls are usually identied through discussion (interviews) with the person(s) who are responsible for managing the risk or the particular process. In smaller entities, this will often be the owner-manager or the senior manager. A typical approach for identifying controls would be as follows.
418
Action Document the results
Description The controls identied can be documented in a number of ways. They can be listed under each risk factor they address or listed on a control matrix and linked to all the various risk factors they address. The key is to ensure the control procedures identied are linked to the risk factor that they were designed to mitigate. This enables an assessment to be made as to whether the controls identied do actually mitigate the risk. If the control matrix is used: > Record the internal control procedures identied directly onto the matrix and indicate (where they intersect with the risk) whether they would prevent or detect and correct potential misstatements for risk factors, and > Consider whether the control would also be effective in mitigating other risk factors. It is quite possible that some internal control procedures will prevent or detect a number of the risk factors. Where controls have not been identied to address a risk, the auditor would immediately alert management to the control deciency (likely signicant) that may need to be addressed.
Consider point
Avoid using generic controls Avoid the temptation to use generic lists of internal control activities that are appropriate for the so-called typical entity. Listings of standard or typical controls can take time to read and understand and are often too complex or simply irrelevant for smaller entities. Instead, use them as a reference source but only when needed. It is much better to document the nature of each control identied using the clients own description. Multi-task Evaluating control design can be combined with control documentation (see Step 3 following) and with the inspection/observation of documents to support control implementation (see Step 4 following). For example, if there is a policy identied that no non-routine journal entries can be made without authorisation, ask to see the actual policy (assess control design) and some journal entries for evidence of approval (control implementation). Risk management Many entities assign risk management responsibilities by process (such as sales or purchasing) instead of by risk. As a result, there may be a number of important risk factors that fall between departments (such as sales, purchasing and accounting) and no one is directly accountable. If risks are not specically identied and responsibility assigned to someone, there is often a lot of nger pointing when something goes wrong. Staff may blame each other by saying something like I thought that risk was being managed by Mary or Jack, or the accounting, IT or sales department, etc..
Practical guidance
419
Concluding on control design

The nal step in assessing control design is to draw a conclusion on whether the controls identied actually mitigate the particular risk factor. This requires the use of professional judgement. For each relevant assertion or risk factor, consider whether managements response is sufcient to reduce the risk of material misstatement to an acceptably low level. If the control design matrix approach is used, the bottom row of the matrix could be used to document the conclusion as to whether the controls are sufcient or not to mitigate each risk factor. A summary of the overall control evaluation (that addresses the ve control components) is set out in the exhibit below.
Exhibit 27.4-2
Entity-level processes
Key financial reporting risks are identified Accounting policies are applied consistently Staff are competent and knowledgeable Clear lines of authority and responsibility exist Control activities are appropriately designed and implemented Anti-fraud controls exist to address fraud risks Information systems provide reliable data Controls are monitored
Sales process
Purchasing process
Payroll process
Notes:
White = the underlying risks have been appropriately mitigated. Grey = some problems may exist. Black = potentially signicant deciencies.
PART B
420
Consider point
For smaller entities, there is an even simpler way of assessing transactional controls. First identify the risk factors (see Step 1 above) and the assertion(s) affected. Then instead of mapping identied controls to each individual risk factor, identify controls that address the assertions affected by the risk. If no controls are identied for a particular assertion, a substantive audit response would need to be developed. If the controls identied are expected to operate reliably, the audit response could include a test of relevant key controls. For example, the risk of unrecorded sales addresses the completeness assertion. Identication of relevant controls could be limited to those that address the completeness assertion in general, rather than the one specic risk.
27.5
Step 3 are controls that mitigate the risk factors in operation?
Exhibit 27.5-1
Access control implementation
A risk assessment procedure Ensure identified (relevant) controls are actually operating as designed
Enquiry of management alone is not sufcient to evaluate the design of internal control procedures or to determine whether they have been implemented. This is because people may genuinely believe or hope that certain controls exist when in fact they do not. A documented description of controls (however good) that do not exist or do not operate is of no value to the audit. Some of the reasons for observing internal control in action are: > Change Processes change over time resulting from revised/new products or services, efciencies in operation, changes in personnel and implementation of new supporting IT applications > Wishful thinking The entitys personnel may explain to the auditor how a system should operate rather than how it actually operates in practice, and > Lack of knowledge Some aspects of the system may have been inadvertently overlooked in obtaining the understanding of internal control.
Practical guidance
421
Consider point
If there is any doubt about whether some controls identied in Step 2 above have not in fact been implemented, do not assess control design and document the operation of the controls until some work has been performed to determine they exist and operate. Alternatively, do not take time to assess controls that are unlikely to be relevant to the audit or have been inappropriately designed.
Risk assessment procedures required to obtain audit evidence about control implementation would include those listed below.
Exhibit 27.5-2
Description Assessing control implementation > Enquiring of entity personnel > Observing or re-performing the application of specic controls > Inspecting documents and reports, and > Tracing one or two transactions through the information system relevant to nancial reporting. This is often called a walk-through.
Note: A walk-through is not a test of the operating effectiveness of a control. Implementation of controls provides evidence about whether a control was actually in operation at a particular point in time. It does not address operating effectiveness throughout the period being audited. Evidence of operating effectiveness (if this is part of the audit strategy being developed) would be achieved through a test of controls that gathers evidence about control operation over a period of time, such as a year. Only when it has been established that the internal control relevant to the audit has been properly designed and implemented is it worth considering: > What tests of the operating effectiveness of controls (if any) will reduce the need for other substantive testing, andand > What controls require testing because there is no other way of obtaining sufcient appropriate audit evidence.
PART B
422
Consider point
Ensure the audit team has a clear understanding of the difference between control design, control implementation and tests of controls. These are summarised as follows: Control design Have controls been designed that will mitigate the inherent risks? Control implementation Are the designed controls actually in operation? Control implementation procedures should be performed each period to identify any system changes. Tests of controls Did the controls operate effectively over a specied period of time? There is no requirement to test the operating effectiveness of controls unless there is no alternative way (such as in a highly-automated and paperless system) to gain the necessary audit evidence. The decision to test the operating effectiveness of controls is therefore a matter of professional judgement. Do not ignore the linkage between control design and implementation If there is any doubt about whether some of the controls identied in Step 2 above have, in fact, been implemented, do not assess control design until some work has been performed to determine if they exist and operate. Also, if the auditor concludes that control design is inadequate, there is no point going on and evaluating the control implementation. It is likely that a signicant deciency already exists. Assess implementation every period After the initial audit engagement, rst evaluate the control implementation to determine what has changed. Use the control design documentation already obtained in the previous period as the starting point. If a change in internal control is identied, consider whether the revised or new controls continue to mitigate the risk factor or whether there are now new risks that have to be mitigated.
27.6
Step 4 has the operation of relevant controls been documented?
Exhibit 27.6-1
Document relevant controls
Document operation of relevant controls Provide context for the operation of controls from inception to financial reporting
The purpose of this step is to provide some information about the operation of the relevant controls identied in Step 2 above. The extent of documentation required is determined by professional judgement.
Practical guidance
423
The resulting documentation will help the auditor to: > Understand the nature, operation (initiation, processing, recording, etc.) and context (such as who performs the control, where the control is performed, how often and the resulting documentation) of the identied controls, and > Determine whether the controls are likely to be reliable and operate effectively. If so, they could be tested as part of the audit response to assessed risks. If a decision is made to test the operating effectiveness of controls, this documentation will also help the auditor in designing the test, such as what population to use in selecting the sample, what control attributes to examine, who performs the control and where the necessary documentation may be found. Some of the matters to be considered when documenting relevant internal controls are:
Exhibit 27.6-2
Documenting relevant internal controls > How signicant transactions are initiated, authorised, recorded, processed and reported > The ow of transactions in sufcient detail to identify the points at which material misstatements caused by error or fraud could occur > Internal controls over the period-end nancial reporting process, including signicant accounting estimates and disclosures.
The most common forms of documentation prepared by management or the auditor are: > Narrative descriptions or memoranda > Flowcharts > A combination of ow charts and narrative descriptions, and > Questionnaires and checklists. The nature and extent of the documentation required is a matter of professional judgement. Factors to consider include: > The nature, size and complexity of the entity and its internal control > Availability of information from the entity, and > Audit methodology and technology used in the course of the audit. The extent of documentation may also reect the experience and capabilities of the audit team. An audit undertaken by a less experienced team may require more detailed documentation to assist them in obtaining an appropriate understanding of the entity than a team composed of more experienced individuals.
PART B
424
See toolkit items 540: Control design/implementation [Blank], 545: Control design/implementation Revenues, receivables, receipts, 550: Control design/implementation Purchases, payables payments, 555: control design/implementation Payroll, 560: Control design/ implementation Financial reporting and 565: Worksheet Control implementation Business process controls
27.7
Updating control documentation in subsequent periods
The auditor may use documentation prepared or obtained in a prior audit period when planning the audit of a subsequent period. This will involve the following documentation.
Exhibit 27.7-1
Description Updating control documentation prepared in previous periods > Make a copy of the previous periods working papers on controls as the starting point for updating in the current year. If nothing has changed, evaluate control implementation before design. If the control has been implemented and the risk did not change the design will be acceptable > Update the listing of risks that require mitigation by control > Identify changes in internal control at the entity and transactional levels. This is achieved by procedures that address control implementation > Where changes are identied (risk or controls), determine whether new internal controls have been designed and implemented > Update the linkage of internal controls with the appropriate risk factor, and > Update the conclusions on control risk.
Where the audit strategy is likely to involve reliance on the effective operation of certain controls (such as through tests of controls) and control changes have occurred, there will be a need to walk through transactions that were processed both before and after the change took place. Consider point
Changes in pervasive (entity-level) controls When updating control documentation, carefully consider the changes in pervasive (entity-level) controls. These changes could have a signicant impact on the effectiveness of other specic (transactional) controls and may affect the audit response to assessed risks. For example, managements decision to hire a qualied professional to prepare the nancial report may considerably reduce the risk of errors in the nancial information and enhance the effectiveness of transactional controls that might previously have been undermined. Alternatively, managements failure to replace an incompetent IT manager or commit sufcient resources to address IT security risks may undermine other internal control procedures in effect. In either case, these changes could trigger a signicant change in the appropriate audit response.
Practical guidance
425
27.8
Written representations about internal control
Written representations should be obtained from management acknowledging its responsibility for such internal control as management determines is necessary to enable the preparation of nancial report that is free from material misstatement, whether due to fraud or error.
27.9
Case studies internal control evaluation
For details of the case studies, refer to Part B, Chapter 17 Introduction to the case studies. The following extracts from internal control documentation provide an example of the information that would be obtained from using the four-step process described above.
Case study A ONeal Furniture Pty Ltd Entity level controls

This form addresses all four steps described above. It outlines the risks to be addressed and provides for documentation of the controls identied, how the controls operate and how they are implemented.
Describe the nature of supporting documentation Describe enquiries/ (if any) or management observations to test controls actions identied were implemented
Control environment
Control exists?
1. Risk: No emphasis is placed on need for integrity and ethical values Possible controls (choose those that apply): (a) Management continually demonstrates, through words and actions, a commitment to high ethical standards. (b) Management removes or reduces incentives or temptations that might cause personnel to engage in dishonest or unethical acts. Yes Sam and the management team consistently reinforce the need for adherence to safety and ethical standards through daily communication with employees. Sam accepted our recommendation last period and prepared a code of conduct outlining expected behaviours by staff. Interviewed two employees, Jon and Amad, who conrmed.
Yes
Employees have been given a copy of the code of conduct and attended a meeting on May 13, where the guidelines were explained.
PART B
426
Control environment (c) A code of conduct or equivalent exists that sets out expected standards of ethical and moral behaviour. (d) Employees clearly understand what behaviour is acceptable and unacceptable and know what to do when they encounter improper behaviour. (e) Employees are always disciplined for improper behaviour. (f) Other (explain).
Control exists? Yes
Describe the nature of supporting documentation Describe enquiries/ (if any) or management observations to test controls actions identied were implemented See response to (b) above Reviewed code of conduct.
Yes
Employees have been disciplined in the past for improper behaviour.
Sam res people immediately if they are caught stealing or acting unethically. Two such cases occurred last year among temporary workers.
Yes
Sam will not tolerate illegal or unethical behaviour among employees, customers or suppliers.
Noted that a new employee was quickly red after being caught stealing ofce supplies.
No
2. Risk: Incompetent employees may be hired or retained Possible controls (choose those that apply):
Practical guidance
427
Control environment (a) Company personnel have the competence and training necessary for their assigned duties. (b) Management species the requisite knowledge and skills required for employee positions. (c) Job descriptions exist and are effectively used. (d) Management provides personnel with access to training programs on relevant topics. (e) Adequate stafng levels are maintained to effectively perform required tasks. (f) Initial and ongoing matching of staff skills to their job descriptions. (g) Staff are compensated and rewarded for good performance. (h) Other (explain).
Control exists? Yes
Describe the nature of supporting documentation Describe enquiries/ (if any) or management observations to test controls actions identied were implemented All staff are trained on the job and adequately supervised. Interviewed two employees, Jon and Amad, who: > Clearly understood their roles and responsibilities in the absence of a written job description > Indicated they receive instruction whenever a machine or process changes > Receive praise when things go better than expected and are told immediately when a job was not done well. Enquiries of admin staff (Mirelli and Cliff) indicated that stafng levels remained constant during the period.
Yes
Management is skilled in manufacturing, sales and administration. Ron and Paula offer advice on business, marketing and legal issues.
No
No
Yes
There were no vacancies during year in any of the positions that affect nancial reporting.
No
No
Employees are encouraged when they do a good job. There is no bonus structure other than for salespeople.
No
3. Risk: Management has a poor attitude toward internal control and/or managing business risks Possible controls (choose those that apply): Management demonstrates positive attitudes and actions toward:
PART B
428
Control environment (a) The establishment and maintenance of sound internal control over nancial reporting, (including management override and other fraud): Appropriate selection/ application of accounting policies Information processing controls The treatment of accounting personnel. (b) Management emphasises appropriate behaviour to operating personnel. (c) Management has established procedures to prevent unauthorised access to, or destruction of, assets, documents and records.
Control exists? Yes
Describe the nature of supporting documentation Describe enquiries/ (if any) or management observations to test controls actions identied were implemented Management is very responsive to recommendations that are not costly or disruptive to implement and has a good attitude towards internal control. Reviewed the business plan which included: > Sales and cash ow forecast > Anticipated capital expenditures > Discussion of how recession may affect their business in terms of sales and the possibility of one supplier going bankrupt. Our management letter recommendations have always been accepted if they were feasible.
Yes
See comments above on attitudes and the code of conduct.
Based on our employee interviews (see Step 2), employees understand what is required and that rules should be followed.
Yes
(d) Management Some analyses business risks and takes appropriate action.
Although risk management is informal, business risks are discussed at management meetings and reected in the business plan.
During our interview with Joel, he indicated that Sam was open to discussing issues and that he did not feel pressured to manipulate the nancial report. In Sams words, the numbers are what they are, whether they are good this month or bad.
Control design matrix Receivables, receipts Entity:_____ONeal Furniture___________ Process:________Receivable/receipts______________

Risk factors: what can go wrong
Internal control component
Receipts are partially or not deposited or recorded
Cash sales are partially recorded or not recorded
Recorded receipts are credited to the wrong customer account (fraud or error)
Receipts are recorded in the wrong period Overdue receivables are not followed up on a timely basis
Assertions: C=Completeness E=Existence A=Accuracy V=Valuation
Type of control: P=Prevent D=Detect
Assertion addressed by risk factor CA CA CA CA CA I&C MO P D P P D P P
CAE
CAE
CAE
AV
Karla prepares the deposit slips but Joel makes the cash deposit to ensure functions are segregated.
When opening the mail, cheques are stamped for deposit only with ONeals account number. Bank is instructed not to cash cheques
Cheques received are listed, totaled and reviews before deposit.
Accounts over 90 days are investigated by Sam and Joel and actions taken documented.
Cut-off procedures exist to ensure receipts are recorded in the correct period.
An aged accounts receivable listing is prepared regularly and distributed monthly to Sam and Joel.
Regular review of aged accounts receivable and follow-up of overdue accounts by Sam. Accounts in default put on COD terms.
8 No No
Do the control procedures mitigate the risk factor? Y=risk mitigated, S=come mitigation, No = material weakness exists.
10
11
Weaknesses identied
Practical guidance
12
Since statement are not sent to customers, a weakness exists that a wrong customers account could be credited.
13
Control tested (Y/N)
W/P ref
Internal control (IC) component: CE=Control environment CA=Control activities IS=Information and communication MO=Monitoring
429
Since most showrooms sales are for cash and receipts are given when requested, a risk exists that not all cash sales are recorded.
PART B
430
Business process or transactional controls

The above control design matrix addresses two of the four steps. It matches the transactional risks with identied controls and could also be used to crossreference work on implementation.
Step 3 assessing control implementation is addressed below

Extract from the revenue/receivables walk-through Make enquiries of the personnel processing the transaction. Persons interviewed: Karla Dan Maria Date Date Date
System works as described in the systems documentation. See W/P 530 for copies of documents that demonstrate the internal controls in action. However, we noted Maria is a new employee and knows little about the system at present. There is a handover from sales to accounting. Based on the walk-through, the transfer worked well. Noted on the control design matrix. General IT controls are minimal due to small size of entity.
Describe the procedures performed related to the transaction. Address initiation, authorisation, recording in the accounting records and reporting in the nancial report.
Describe the process for any information transfers from one person (process owner) to the next. Note the frequency and timing of the internal control procedures performed. Identify any general IT controls required to protect the transaction data les and ensure the proper functioning of application internal controls. Document the procedures in place to cover illnesses and vacations of personnel. If vacations have not been taken in last 12 months, document why. Ask about the extent and nature of errors found in the past period. Ask whether any person has been required to deviate from documented procedures.
There was a sales clerk vacancy for four months during the period before Maria was hired. This meant less segregation of duties during that time. Most errors were due to mistakes in pricing, which is mostly a manual process at present. One request made by the sales manager to substantially reduce the price on a bedroom set for a friend was denied.
Practical guidance
431
Step 4 control documentation is addressed below

Extract from Business Process Documentation Using a Narrative Approach ONeal Furniture Note: the controls are identied in bold type. Business process revenue/receivables/receipts system Sales contracts Sales contracts for the retail and specialised orders are prepared by Alan as they involve extensive work. The contracts are all based on a template that contains the estimated quantities, types of furniture, special requests as well as standard delivery and payment terms and conditions. Payment terms and conditions can vary by customer. A 15% deposit is required on all custom orders and is recorded as revenue at the time of sale. All contracts are reviewed and signed for approval by Sam prior to being given to the customer for signature. When the contract is signed by the customer for approval, the order is entered into the accounting system, which automatically assigns the order a sequential number. When the order is ready for shipment, a shipping document is prepared, entered into the system and matched with the order. Karla then prepares an invoice from the accounting system, which automatically assigns a sequential number. It is a strict rule that no shipments can be made without the shipping document number being entered into the system. The system can then track which orders have been lled and which ones are still pending by delivery date. Regular sales orders Sales orders are prepared for each order received and entered into the accounting system, which automatically assigns the order a sequential number. The only exception is furniture sold directly from the shop or other small items on hand. All orders over $500, or where the sales price is below the minimum sales price, must be approved by Alan. When items are assembled and ready for shipment, Karla prepares an invoice that is sent along with the order to the customer. Alan does not do a credit check on customers unless he does not know them or the order is large. When granting credit, he relies mostly on his previous experience with the customer. Shop sales For all sales out of the shop, invoices are prepared at the time of sale and entered into the accounting system. The system automatically generates an invoice number for each sale. Invoices are usually given to customers.
PART B
432
The majority of the shop sales are for cash, so there is little credit risk. Internet sales A summary of the days internet sales is downloaded from the website by Karla. She prepares sales orders that are given to the production department. An invoice is prepared at the same time and recorded as prepaid revenue since the item has been paid for. The invoice marked paid in full accompanies all internet orders shipped. Accounts receivable Karla opens all of the mail and segregates the payments received for deposit. Joel usually goes to the bank on his way home and makes the deposit. Karla then enters the payments into the accounting system and applies the payment to the invoices indicated. Joel prepares an aged accounts receivable listing and gives the listing to Sam for his review. Accounts over 90 days are followed up each month and comments are made on the listing as to when the customer has agreed to pay the balance. For customers who are over 90 days and have not made alternative payment arrangements, future sales are made on a cash-on-delivery basis.
Case study B Kane & Co. Entity level and general IT

This form addresses all four steps described above. It outlines the risks to be addressed and provides for documentation of the controls identied, how the controls operate and how they are implemented.
Entity level controls Risks to consider Control environment: > No emphasis placed on importance/need for integrity and ethical values > No commitment to employee competence > Ineffective management oversight by those charged with governance > Management has a poor attitude toward internal control and/or managing business risks > Ineffective/inappropriate organisational structure for planning, controlling and achieving objectives > No policies/procedures to ensure effective HR management. Robert continually communicates the need for integrity and ethical dealings in day-today communications with employees and his actions. He has a good attitude for internal control has implemented audit recommendations in past that were feasible. No formal governance structure, but Robert meets with Sam and Joel (ONeal Furniture) regularly. Relevant controls
Practical guidance
433
Entity level controls Risks to consider Do controls mitigate the risk factors? Describe enquiries/observations to test controls identied were implemented. Relevant controls Yes Interviewed Ruby who conrmed Roberts commitment to treating suppliers and customers ethically and fairly. Reviewed the minutes from the last meeting which had been prepared by Joel. Risks assessment: > Management is often surprised by events that were not previously identied/assessed or is continually reacting to events rather than planning ahead. Do controls mitigate the risk factors? Describe enquiries/observations to test controls identied were implemented. Business plan prepared annually. Robert monitors monthly cash ows and sales trends.
Yes Reviewed a copy of the business plan which did highlight the potential for the economy to impact sales. Reviewed a folder containing monthly cash ows given to Robert. Evidence of Roberts review by comments on the documents and changes requested.
> Events and conditions (other than transactions) that are signicant to the nancial report may not be captured or recorded > Poor oversight/control over nancial reporting, journal entries and preparation of signicant estimates/disclosures could result in material misstatements in the nancial report > Signicant matters relating to nancial reporting may not be communicated to the board of directors or external parties such as bankers or regulators. Do controls mitigate the risk factors?
Robert meets with Sam and Joel (ONeal Furniture) to review the nancial report and business plans. Robert reviews the nancial report but only reviews journal entries when he has time. (Risk increased by lack of segregation of duties and gives Ruby ability to book entries undetected.)
No. Control weaknesses include the risk of management override and the lack of segregation of duties in such a small entity Reviewed a folder containing the monthly nancials given to Robert. However no evidence seen that Robert actually reviewed the monthly nancial information.
Describe enquiries/observations to test controls identied were implemented.
Fraud prevention: > Management has not considered or assessed the risks of fraud occurring (including management override). Robert keeps cash and valuables locked. Robert is involved in every step of the operations, including production, so oversight of all operations minimises fraud risk.
PART B
Financial reporting risks:
434
Entity level controls Risks to consider Do controls mitigate the risk factors? Relevant controls No. Valuables are kept safe but Robert was absent quite a bit this year which reduced the extent of management oversight. In addition, the bookkeeper is known to have personal nancial problems Inspected where the cash is kept locked and veried that only Robert has the key.
Describe enquiries/observations to test controls identied were implemented.
IT general controls Risks to consider Risks to consider: > No policies/procedures exist to ensure effective IT management or IT staff supervision > No alignment exists between business objectives, risks and IT plans > Reliance is placed on systems/programs that are inaccurately processing data or processing inaccurate data > Unauthorised access to data. Possible destruction of data, improper changes, unauthorised or non-existent transactions or inaccurate recording of transactions. Do controls mitigate the risk factors? Describe enquiries/observations to test controls identied were implemented. Yes, given small size of operations. Reviewed the annual budget with an IT expense line. No major capital purchases were planned for the period. Relevant controls No IT policies and procedures. IT expenses and capital purchases part of annual budget (if foreseen). Robert ensures software is up to date and that Ruby runs a back-up of the data.
Business process or transactional controls

This form (revenue, receivables, receipts) addresses two of the four steps in the process. It matches the transactional risks by assertion with identied controls. It could also be used to cross-reference work on the implementation of controls.
Entity Kane & Co Period ended December 31, 20XX
1. Identify any transaction risks that if not controlled could result in a material misstatement in the F/R. Step 1 Identify material transaction risks (remove risks below that are not material) 1 2 3 4 Goos shipped/services performed, not invoiced. Revenues partially or not recorded (ie. cash sales). Fictitious sales/sales credits recorded in accounts. Revenue recognition policies not followed. Assertion risks C C CE CEA
Practical guidance
435
Step 1 Identify material transaction risks (remove risks below that are not material) 5 6 7 8 Revenue/receipts recorded in wrong accounting period. Receipts are partially/not deposited or recorded. No allowance for doubtful or uncollectable balances. Related parties are not identied.
Assertion risks A CA V VA
2. Identify relevant internal control procedures (RICPs) (if any) (manual and automated) that miticate (P prevent or D detect and correct) the assertion risks identied (1-0) in step 1 above. Then assess, for each assertion, whether the RICPs identied mitigate the assertion risk.
Step 2 Identify relevant RIPs Control procedures 1 Order/shipping log is prepared listing: order details, delivery information, quantity sold/shipped, date shipped and if paid. Sales log is prepared listing: customer name, date shipped, order details, price, amount paid. Robert matches the shipping log to the sales log each week to ensure that no shipments are missed. Robert reviews monthly sales, F/R and cash receipts journals (few customers, majority of sales to ONeal Furniture). All sales to ONeal furniture and related companies are recorded in separate accounts. Y Y C D E D A D V
2 4 5
D D D D
D Y Y
Do the control procedures mitigate the assertion risk? Y=risk mitigated, S=some mitigation, No=material weakness exists Step 3 audit response ref. Tests of control Substantive X X X X X X X X
PART B
436
Step 3 control implementation is addressed below

Transactional control implementation Extract from the revenue/receivables walk-through Persons interviewed: Ruby Robert Date Date
System works as described in the systems documentation. See W/P 535 for copies of documents that demonstrate the internal controls in action. There is a hand-over from sales to accounting. Based on the walk-through, the transfer worked well. Noted on the control design matrix. General IT controls are minimal due to small size of entity.
Describe the procedures performed related to the transaction. Address initiation, authorisation, recording in the accounting records and reporting in the nancial report. Describe the process for any information transfers from one person (process owner) to the next. Note the frequency and timing of the internal control procedures performed. Identify any general IT controls required to protect the transaction data les and ensure the proper functioning of application internal controls. Document the procedures in place to cover illnesses and vacations of personnel. If vacations have not been taken in last 12 months, document why. Ask about the extent and nature of errors found in the past period.
As a part-time employee, Ruby catches up on all record-keeping whenever she gets back to the ofce. Due to the minimal number of transactions, this has been sufcient. Most errors were due to mistakes in quantities of items ordered and shipped. The sales and order log matching is Roberts control to catch those errors and appears to be working effectively in our walk-through testing. None noted.
Ask whether any person has been required to deviate from documented procedures.
Step 4 internal control documentation is addressed below

Note: the controls are identied in bold type.
Extract from business process documentation using a narrative approach Kane & Co.
Business process revenue/receivables/receipts system Sales orders Sales orders are prepared for each order received and entered into the accounting system, which automatically assigns the order a sequential
Practical guidance
437
number. The only exception is furniture sold directly from the shop or other small items on hand. Robert maintains an order log that tracks the date of the order, the amount, the type of product, date promised, price, etc. He also maintains a sales log with customer name, order details, price, etc. Robert matches and reviews the order and sales logs at the end of the month for accuracy. When items are assembled and ready for shipment, Ruby prepares an invoice, which is sent along with the order to the customer. Shop sales For all sales out of the shop, invoices are prepared at the time of sale by Robert and are entered into the accounting system. The system automatically generates an invoice number for each sale. Invoices are given to customers. The majority of the shop sales are for cash, so there is little credit risk. Accounts receivable Ruby opens all of the mail and segregates the payments received for deposit. Robert goes to the bank on his way home and makes the deposit. Ruby then enters the payments into the accounting system and applies the payment to the invoices indicated. Ruby prepares an aged accounts receivable listing and gives the listing to Robert for review. Accounts over 90 days are followed up by Ruby each month and comments are made on the listing as to when the customer has agreed to pay the balance.
PART B
438
28.
Communicating deciencies in internal control

Relevant ASA
Chapter content Guidance on communicating deciencies identied in internal control that, in the auditors professional judgement, merit the attention of management and those charged with governance.
265
Exhibit 28.0-1
Activity
Purpose
Documentation1
Risk assessment
Plan the audit
Practical guidance
439
Paragraph # 260.10
Relevant extracts from ASAs For the purposes of the Australian Auditing Standards, the following terms have the meanings attributed below: (a) Those charged with governance means the person(s) or organisation(s) (for example, a corporate trustee) with responsibility for overseeing the strategic direction of the entity and obligations related to the accountability of the entity. This includes overseeing the nancial reporting process. For some entities in some jurisdictions, those charged with governance may include management personnel, for example, executive members of a governance board of a private or public sector entity, or an owner-manager. For discussion of the diversity of governance structures, see paragraphs A1-A8. (b) Management means the person(s) with executive responsibility for the conduct of the entitys operations. For some entities in some jurisdictions, management includes some or all of those charged with governance, for example, executive members of a governance board, or an owner-manager.
265.6
For the purposes of the Australian Auditing Standards, the following terms have the meanings attributed below: (a) Deciency in internal control means: (i) A control is designed, implemented or operated in such a way that it is unable to prevent, or detect and correct, misstatements in the nancial report on a timely basis; or
(b) Signicant deciency in internal control means a deciency or combination of deciencies in internal control that, in the auditors professional judgement, is of sufcient importance to merit the attention of those charged with governance. (Ref: Para. A5) 265.7 The auditor shall determine whether, on the basis of the audit work performed, the auditor has identied one or more deciencies in internal control. (Ref: Para. A1-A4) If the auditor has identied one or more deciencies in internal control, the auditor shall determine, on the basis of the audit work performed, whether, individually or in combination, they constitute signicant deciencies. (Ref: Para. A5-A11) The auditor shall communicate in writing signicant deciencies in internal control identied during the audit to those charged with governance on a timely basis. (Ref: Para. A12-A18, A27) The auditor shall also communicate to management at an appropriate level of responsibility on a timely basis: (Ref: Para. A19, A27) (a) In writing, signicant deciencies in internal control that the auditor has communicated or intends to communicate to those charged with governance, unless it would be inappropriate to communicate directly to management in the circumstances; and (Ref: Para. A14, A20-A21) (b) Other deciencies in internal control identied during the audit that have not been communicated to management by other parties and that, in the auditors professional judgement, are of sufcient importance to merit managements attention. (Ref: Para. A22-A26)
265.8
265.9
265.10
PART B
(ii) A control necessary to prevent, or detect and correct, misstatements in the nancial report on a timely basis is missing.
440
Paragraph # 265.11
Relevant extracts from ASAs The auditor shall include in the written communication of signicant deciencies in internal control: (a) A description of the deciencies and an explanation of their potential effects; and (Ref: Para. A28) (b) Sufcient information to enable those charged with governance and management to understand the context of the communication. In particular, the auditor shall explain that: (Ref: Para. A29-A30) (i) The purpose of the audit was for the auditor to express an opinion on the nancial report; (ii) The audit included consideration of internal control relevant to the preparation of the nancial report in order to design audit procedures that are appropriate in the circumstances, but not for the purpose of expressing an opinion on the effectiveness of internal control; and Aus 11.1 In circumstances when the auditor has a responsibility to express an opinion on the effectiveness of internal control in conjunction with the audit of the nancial report, the auditor shall omit the phrase that the auditors consideration of internal control is not for the purpose of expressing an opinion on the effectiveness of internal control; and (iii) The matters being reported are limited to those deciencies that the auditor has identied during the audit and that the auditor has concluded are of sufcient importance to merit being reported to those charged with governance.
28.1
Overview
During the course of the audit, deciencies in internal control may be identied. This may occur as a result of understanding and evaluating internal control (see Part B, Chapters 26 and 27), in making risk assessments, performing audit procedures or from other observations made at any stage of the audit process. There is no restriction on what control deciencies can be communicated with those charged with governance and with management. However, where an identied deciency is assessed by the auditor as being signicant, the auditor would rst discuss it with management and is then required to communicate it (and any other signicant deciencies) in writing to those charged with governance. Some of the more common control deciencies are listed in the following exhibit.
Practical guidance
441
Exhibit 28.1-1
Potential internal control deciencies Pervasive (entity level) controls Weak control environment (entity level) controls such as ineffective oversight, poor attitude toward internal control or instances found of management override or fraud. Changes in personnel that have resulted in key positions being unlled or where current personnel (such as in accounting) are not competent to perform the required tasks. Deciencies identied in general IT controls. Inadequate controls implemented to address signicant non-routine events such as the introduction of a new accounting system, the automation of a system such as sales or the acquisition of a new business. Inability by management to oversee the preparation of the nancial report. This could include the lack of: > General monitoring controls (such as oversight of nancial accounting personnel) > Controls over the prevention and detection of fraud > Controls over the selection and application of signicant accounting policies
> Controls over signicant transactions outside the entitys normal course of business, and > Controls over the period-end nancial reporting process (such as controls over non-recurring journal entries). Signicant deciencies previously communicated to management or those charged with governance remain uncorrected after some reasonable period of time. Specic (transactional) controls An ineffective management response to identied signicant risks (for example, absence of controls over such a risk). Misstatements were detected by the auditor when they should have been prevented, or detected and corrected, by the entitys internal control. The existing internal controls were not: > Sufcient to mitigate the risk (poor design), and/or > Operating as designed (poor implementation). This could result from poor training, lack of staff competence or inadequate resources to perform the required tasks.
28.2
Fraud
If evidence is obtained that fraud exists or may exist, the matter should be brought to the attention of the appropriate level of management as soon as is practicable. This should be done even if the matter might be considered inconsequential.
PART B
> Controls over signicant transactions with related parties
442
The appropriate level of management is a matter of professional judgement but would be at least one level above the persons who appear to be involved with the suspected fraud. It would also be affected by the likelihood of collusion and the nature and magnitude of the suspected fraud. Where the fraud involves senior management, communication is also required with those charged with governance. This may be made orally or in writing. Consider point
Fraud perpetrated by the owner-manager or those charged with governance When fraud occurs at the very top of an organisation, there is no one within the entity to whom it can be reported. In these situations, the auditor may obtain legal advice to determine the appropriate course of action in the circumstances. The purpose of obtaining such advice is to ascertain what steps (if any) are necessary in considering the public interest aspects of the identied fraud. The auditors professional duty is to maintain the condentiality of client information. This may preclude reporting fraud to an external party. However, the auditors legal responsibilities vary by jurisdiction and, in certain circumstances, the duty of condentiality may be overridden by statute, the law or courts of law. The auditor needs to be cognisant of the statutory requirements under which the audit is being conducted. In Australia, as auditor you are required by the Corporations Act 2001 to notify ASIC if you are aware of certain circumstances. ASIC Regulatory Guide 34 Auditors obligations: reporting to ASIC (December 2007), provides guidance to comply with the obligations, under sections 311, 601HG and 990K of the Act, to report contraventions, and suspected contraventions, of the Act to ASIC.
28.3
Assessing the severity of a deciency
A signicant deciency is dened as a deciency or combination of deciencies in internal control that, in the auditors professional judgement, is of sufcient importance to merit the attention of those charged with governance. In evaluating internal control (see Part B, Chapter 27), it is suggested that risk factors that are unlikely to result in a material misstatement in the nancial report be eliminated (scoped out) from the auditors understanding of internal control. If this guidance is followed, most of the control deciencies identied by the auditor are likely to be signicant. The criteria for determining whether a deciency is signicant or not is similar to that for any other risk (see Part B, Chapter 24). Professional judgement is used to assess the likelihood that a misstatement could occur and the potential magnitude of the misstatement if it did occur. If a misstatement has, in fact, occurred, the assessment would be based on the extent of the actual misstatement.
Practical guidance
443
Less serious or even minor control deciencies may also be identied during the course of the audit. These could result from interviews with management and staff, observation of internal controls in operation, performing further audit procedures and any other information that may be obtained. It is a matter of professional judgement whether these matters are of sufcient importance to be reported to management and those charged with governance. Some matters that could be considered by the auditor in assessing the severity of a deciency are outlined below.
Exhibit 28.3-1
Identifying a signicant deciency Deciency assessment criteria > Likelihood of deciencies leading to material misstatements in the nancial report in the future. > The susceptibility of an asset or liability to loss or fraud. > The subjectivity and complexity of determining estimated amounts, such as fair value accounting estimates. > The nancial report amounts exposed to the deciencies. > The volume of activity that has occurred or could occur in the account balance or class of transactions exposed to the deciency or deciencies. > The importance of the controls to the nancial reporting process. > The cause and frequency of the exceptions detected as a result of the deciencies in the controls. > The interaction of the deciency with other deciencies in internal control.
28.4
Smaller entities
When assessing control deciencies in smaller entities, the auditor would pay attention to the following factors.
Exhibit 28.4-1
Consider Control in a small entity > Controls may operate with less formality and with less evidence of their performance than in larger entities. > Certain types of control activities may not be necessary at all. The risks may be mitigated through the controls applied by senior management (for example, entity level controls, such as the control environment, that would prevent or detect a specic error from occurring).
PART B
444
Consider Control in a small entity (continued) > There will be fewer employees, which may limit the extent to which segregation of duties is practicable. This can be offset by the owner-manager exercising more effective oversight (for example, entity level controls such as the control environment) than is possible in a larger entity. > Greater potential exists for management override of controls.
In addition, the communication of deciencies with those charged with governance may be less structured than in the case of larger entities.
28.5
Documenting control deciencies
There are no specic requirements in the ASAs as to how control deciencies are to be documented. The extent of documentation is a matter requiring professional judgement. A possible approach to documenting deciencies as they are identied is outlined below. This documentation can be used for: Discussing deciencies with management Assessing the severity of the deciencies Considering the need for any additional audit procedures to respond to the unmitigated risk, and Preparing the required communication to management and those charged with governance.
An example of such documentation is illustrated below (without the references to supporting and other working papers).
Exhibit 28.5-1
What is the risk factor or assertion affected? Management has not considered or assessed the risks of fraud occurring. Describe the deciency identied Members of the management team trust each other and are reluctant to introduce costly policies, etc. that address the risk of fraud. What is the potential effect on the nancial report? Management could override controls and materially manipulate the nancial report. Signicant deciency? (Yes/no) Yes
Audit response See the specic procedures performed on journal entries, related parties and revenue recognition.
Practical guidance
445
What is the risk factor or assertion affected? Sales/services recorded in wrong accounting period.
Describe the deciency identied There are no controls to prevent this from occurring and we found a number of cut-off errors in our tests of details. The client provides virtually no back-up documents to support their estimates.
What is the potential effect on the nancial report? Revenues could be materially misstated in the nancial report.
Signicant deciency? (Yes/no) Yes
Audit response See the additional procedures performed relating to cut-off.
Poor oversight and documentation to support the preparation of estimates.
Given the size of the estimates, an error could result in a material error in the nancial report.
Yes
Obtain evidence to support the assumptions and perform the calculations again.
Consider point
Record deciencies in a single place Designate one particular audit form to record pertinent details of control deciencies as they are identied. This will ensure all identied deciencies are recorded on a consistent basis and in one place. If scattered through the le, deciencies could be missed. This could result in an incomplete audit response to the risks involved and an incomplete communication to management and those charged with governance. Describe the implications When documenting deciencies, take time to describe the implications of the deciency (what could go wrong) and the proposed audit response (if any) to the unmitigated risk. What is the recommended course of action? It is useful when recording deciencies to also consider and document what improvements could be recommended to the management. At this stage, all the relevant facts are known and a meaningful recommendation can be made. If this action is left until later, it may lead to additional time being incurred to become reacquainted with the facts again. PART B
See toolkit item 575: Worksheet Internal control deciencies identied.
28.6
Oral discussions with management
Before issuing a written communication, it is generally considered best practice to discuss the ndings orally (such as a discussion based on a draft letter) with the appropriate person or level of management and possibly
446
with those charged with governance. The appropriate person is the one who can evaluate the deciencies and take the necessary remedial action. This step helps the auditor to ensure that the ndings are factually correct and appropriately worded in the circumstances. It may also enable the auditor to obtain a preliminary indication of managements response to the ndings. For signicant deciencies, the appropriate level of management would be the highest in the entity, such as the owner-manager, chief executive ofcer or chief nancial ofcer (or equivalent). For other deciencies, the appropriate level may be operational management with direct involvement in the control areas affected. Note that if all of those charged with governance are also involved in managing the entity, communication with the most senior management may not adequately inform all those with governance responsibilities. If the deciency is directed at management directly (for example, a question about its integrity or competence), it would not be appropriate to discuss this with management directly. The discussion of such ndings would normally be with those charged with governance. Consider point
If a signicant deciency is directed at the conduct or competence of the owner-manager or those charged with governance, there is no higher level in the entity to report the ndings. In these situations, the auditor would consider their ability to continue performing the audit. This may involve the auditor in seeking legal advice.
The discussion with management provides an opportunity to discuss the ndings and obtain managements reaction before the ndings are nalised and communicated in writing:
Practical guidance
447
Exhibit 28.6-1
Benets Discussions with management Alerts management, on a timely basis, to the existence of deciencies. Opportunity to obtain relevant information for further consideration, such as: > Conrmation that the description of the deciency and related facts (such as the extent of an actual misstatement) is accurate > Existence of other possibly compensating controls > Managements reaction and understanding of the actual or suspected causes of the deciencies, and > Existence of exceptions arising from the deciencies that management has noted. Obtain a preliminary management response to the ndings.
28.7
Written communications
Signicant deciencies are to be reported in writing. This reects the importance attached to such matters and may assist management and those charged with governance in fullling their various responsibilities. The requirement to communicate signicant deciencies in writing applies to all sizes of entity, including owner-managed and very small entities. Communicating such matters in writing ensures that those charged with governance have indeed been informed of the problems. As soon as practicable after concluding that signicant deciencies exist, the auditor would discuss them with management and then communicate them in writing to those charged with governance. Although not required, the communication letter may also contain some suggested recommendations for remedial action. By taking these steps, management can take corrective action on a timely basis.
PART B
28.8
Managements response to the communication
It is the responsibility of management and those charged with governance to respond appropriately to the auditors communication about signicant deciencies in internal control and any recommendations for remedial action. This may take the form of: > Initiating remedial action to correct the deciencies identied by the auditor > A decision not to take any action. Management may already be aware of the signicant deciencies and has chosen not to remedy them because of the costs or other considerations, or
448
> No action at all. This may be indicative of a poor attitude toward internal control, which has implications for assessing risk at the nancial report level. In some situations, such non-action may constitute a signicant deciency in itself. Regardless of what action is taken by management, the auditor is required to communicate all signicant deciencies in writing. This includes signicant deciencies already reported in prior periods. It is not the auditors role to determine whether the cost of mitigating a deciency outweighs the benet to be obtained. However, some consideration of proportionality to the size of the entity and the application of common sense in the circumstances is appropriate. If a previously communicated signicant deciency remains, the current periods communication may repeat the description or simply refer to the previous communication. If the deciency is not signicant, there is no need to put it in writing or to repeat the communication in the current period. However, it may be appropriate for the auditor to re-communicate the other deciencies if there has been a change in management or if new information has come to the auditors attention.
Content of communication
The communication of signicant deciencies would normally include: > A description of the nature of each signicant deciency and the potential effects. There is no need to quantify those effects > Suggestions for remedial action on the deciencies > Managements actual or proposed responses, and > A statement as to whether or not the auditor has undertaken any steps to verify whether managements responses have been implemented. Signicant deciencies may be grouped together for reporting purposes where it is appropriate to do so. As additional context for the communication, the letter would also include the following: > An indication that if the auditor had performed more extensive procedures on internal control, the auditor might have identied more deciencies to be reported or concluded that some of the reported deciencies need not in fact have been reported, and > An indication that such communication has been provided for the purposes of those charged with governance and that it may not be suitable for other purposes.
Practical guidance
449
28.9
Timing of the written communication
The auditor is required to communicate in writing signicant deciencies in internal control identied during the audit to those charged with governance on a timely basis. Factors to consider include: > Would undue delay in the reporting of information cause it to lose its relevance? > Would the information be an important factor in enabling those charged with governance to discharge their oversight responsibilities? The latest date that a written communication may be issued is before the date of the auditors report or shortly thereafter. This enables the auditor to complete the assembly of the nal audit le on a timely basis. Consider point
Where possible, communicate deciencies in internal control well before the period-end audit work commences. Early notication could enable management to take corrective action that may assist the auditor by lowering the assessed risk of material misstatement at the nancial report or assertion level. For example, a recommendation to replace or redeploy an incompetent accountant/bookkeeper could signicantly reduce the work required in reviewing the preparation of the period-end nancial report.
28.10 Case studies communicating deciencies in internal control

For details of the case studies, refer to Part B, Chapter 17 Introduction to the case studies. Deciencies in internal control are identied throughout all phases of the audit (risk assessment, risk response and reporting) and the auditor must accumulate them for subsequent reporting to management. Signicant internal control deciencies (both in design and operation) would be reported to management using a letter such as the ones below.
PART B
450

Jamel, Woodwind and Wing Chartered Accountants 55 Kingston Street, Campbelltown, NSW 2560 [Date] Mr Sam ONeal ONeal Furniture Pty Ltd 2255 West Street North Parramatta NSW 2150 Re: Audit of 20X2 nancial report Dear Sam, The objective of our audit was to obtain reasonable assurance that the nancial report was free of material misstatement. Our audit was not designed for the purpose of identifying matters to communicate. Accordingly, our audit would not usually identify all such matters that may be of interest to you and it is inappropriate to conclude that no such matters exist. During the course of our audit of ONeal Furniture Pty Ltd for the period ended 30 June 20X2, we identied the following deciencies in internal control that, in our opinion, are signicant. A signicant deciency or combination of deciencies in internal control is one that, in our professional judgement, is of sufcient importance to merit the attention of those charged with governance. Unauthorised journal entries There are currently no controls over manual journal entries made throughout the period. Without any segregation of duties and review controls over entries made, errors or misstatements can go undetected. Although our audit found no such material errors or misstatements, this current unrestricted and unmonitored access by all company personnel presents a risk to accuracy of the nancial report. We recommend that proper segregation of duties be allocated based on roles and responsibilities. Further, a formalised review process should be established. All signicant entries should be approved prior to entry and a secondary review should be conducted by management on a monthly basis. Poor inventory controls There are currently very limited controls over inventory. Without proper controls, inventory could be incomplete, improperly valued or stolen. We recommend ONeal Furniture implement formalised controls over the tagging and periodic counting of inventory. Inventory records should be compared to actual products in the warehouse on a monthly basis. A visual inspection on a monthly basis of obsolete and damaged goods should also be performed to ensure any inventory write-downs are recorded as required. This communication is prepared solely for the information of management and is not intended for any other purpose. We accept no responsibility to a third party who uses this communication. Yours truly, Jamel, Woodwind & Wing Chartered Accountants
Practical guidance
451

Jamel, Woodwind and Wing Chartered Accountants 55 Kingston Street, Campbelltown, NSW 2560 [Date] Robert Kane Kane & Co. 2255 East Street North Parramatta NSW 2150 Re: Audit of 20X2 nancial report Dear Robert, The objective of our audit was to obtain reasonable assurance that the nancial report was free of material misstatement. Our audit was not designed for the purpose of identifying matters to communicate. Accordingly, our audit would not usually identify all such matters that may be of interest to you and it is inappropriate to conclude that no such matters exist. During the course of our audit of Kane & Co. for the period ended 30 June 20X2, we identied the following deciency in internal control that, in our opinion, is signicant. A signicant deciency or combination of deciencies in internal control is one that, in our professional judgement, is of sufcient importance to merit the attention of those charged with governance. Lack of segregation of duties There is currently a lack of segregation of duties at Kane & Co. The part-time bookkeeper has total access to and control over all the record-keeping at Kane & Co. Without separating duties across multiple employees, there is a risk that the bookkeeper may make unintentional or intentional errors that go undetected. We recommend that Kane & Co. consider hiring another part-time staff member to split functions with the bookkeeper. Given the small size of the organisation and cost restraints, if that is not practicable, we recommend that Robert become more involved in the recordkeeping aspect of the business to provide adequate oversight of the bookkeepers work. This communication is prepared solely for the information of management and is not intended for any other purpose. We accept no responsibility to a third party who uses this communication. Yours truly, Jamel, Woodwind & Wing Chartered Accountants
PART B
452
29.
Concluding the risk assessment phase

Relevant ASA
Chapter content Concluding the risk assessment phase of the audit by documenting the assessed risks at the nancial report and assertion levels.
315
Exhibit 29.0-1
Activity
Purpose
Documentation1
Risk assessment
Plan the audit
Business and fraud risks including significant risks Design/implementation of relevant internal controls Assessed RMM3 at: > F/R level > Assertion level
Paragraph # 315.25
Relevant extracts from ASAs The auditor shall identify and assess the risks of material misstatement at: (a) The nancial report level; and (Ref: Para. A105-A108) (b) The assertion level for classes of transactions, account balances and disclosures (Ref: Para. A109-A113) to provide a basis for designing and performing further audit procedures.
Practical guidance
453
Paragraph # 315.26
Relevant extracts from ASAs For this purpose, the auditor shall: (a) Identify risks throughout the process of obtaining an understanding of the entity and its environment, including relevant controls that relate to the risks, and by considering the classes of transactions, account balances and disclosures in the nancial report; (Ref: Para. A114-A115) (b) Assess the identied risks and evaluate whether they relate more pervasively to the nancial report as a whole and potentially affect many assertions; (c) Relate the identied risks to what can go wrong at the assertion level, taking account of relevant controls that the auditor intends to test; and (Ref: Para. A116-A118) (d) Consider the likelihood of misstatement, including the possibility of multiple misstatements, and whether the potential misstatement is of a magnitude that could result in a material misstatement.
315.32
The auditor shall include in the audit documentation: (a) The discussion among the engagement team where required by paragraph 10 of this Auditing Standard, and the signicant decisions reached; (b) Key elements of the understanding obtained regarding each of the aspects of the entity and its environment specied in paragraph 11 of this Auditing Standard and of each of the internal control components specied in paragraphs 14-24 of this Auditing Standard; the sources of information from which the understanding was obtained and the risk assessment procedures performed; (c) The identied and assessed risks of material misstatement at the nancial report level and at the assertion level as required by paragraph 25 of this Auditing Standard; and (d) The risks identied, and related controls about which the auditor has obtained an understanding, as a result of the requirements in paragraphs 27-30 of this Auditing Standard. (Ref: Para. A131-A134)
29.1
Overview
The nal step in the risk assessment phase of the audit is to review the results of the risk assessment procedures performed and then assess (or, if already assessed, summarise) the risks of material misstatements at: > The nancial report level, and > The assertion level for classes of transactions, account balances and disclosures. The resulting list of assessed risks will form the foundation for the next phase in the audit, which is to determine how to respond appropriately to the assessed risks through the design of further audit procedures. The two levels of risk assessment are illustrated in the following exhibit:
PART B
454
Exhibit 29.1-1
Pervasive risks that could apply to many assertions
Financial reports (overall)

Low
Assertion level (partial) Account balances Classes of transactions Presentation and disclosure Relevant assertions
(assess risk for each assertion)
Inventory
Cash
Payables
Revenues
Expenses
Commitments
C E A V
Low Mod Low High
Related parties
29.2
Audit evidence obtained to date
The evidence obtained to date, by performing risk assessment procedures, consists of identication and assessment of inherent risks and the design and implementation of internal controls that address those risks. What is left is the risk of material misstatement. This is simply the remaining risk after taking into account the effect of internal controls put in place to mitigate the inherent risks. This is illustrated in the exhibit below.
Exhibit 29.2-1
Low risk Moderate risk High risk
Inherent risk Control risk

(response to inherent risks)
Business and fraud risk factors that could result in a material misstatment
Pervasive (entity-level) controls Specific (transactional) controls

Risks of material misstatement
Risk of material misstatement
Sales, purchases, payroll, etc.
Governance Culture/values Competence Attitudes to control High
Low
Note: The length of the horizontal bars in this exhibit is purely for illustrative purposes and would vary from entity to entity.
Practical guidance
455
Sources of audit evidence that may be relevant in summarising and assessing risks at the two levels are listed below.
Exhibit 29.2-2
Audit evidence The overall audit strategy Materiality and identication of material nancial report areas and disclosures Audit team discussions Results of performing risk assessment procedures Inherent risk identication and assessment Signicant risks Understanding and evaluation of internal control Signicant deciencies identied Relevant chapters Part B, 20 Part B, 21 Part B, 22 Part A, 2 and Part B, 18-29 Part B, 23-24 Part B, 25 Part B, 26-27 Part B, 28
29.3
Summarising the various risk assessments

PART B
The purpose of assessing risks is to provide the foundation and a reference point for what is needed to respond appropriately with well-designed and efcient further audit procedures. If risks identied to date have already been documented and assessed in a consistent manner, it will be relatively straightforward to review and summarise them. The summary of assessed risks brings together the inherent risk factors identied and the evaluation of any internal control designed to mitigate such risks. This is illustrated below in Exhibit 29.3-1. Note: There is a moderate level of risk at the nancial report level which is mitigated by good entity level and possibly other controls. The result is a low assessed risk at the nancial report level. The summary of assessed risks at the assertion level is a combination of the assessment of inherent and control risks that apply to individual nancial report balances, transactions and disclosures. In the case below, the inherent risks are moderate and there are no relevant internal controls so the control risk is high. The result is therefore a moderate residual risk for this particular assertion.
456
Exhibit 29.3-1
Inherent risk assessment Control risk assessments Risk of material misstatement
Risks at F/R level

Assessment of pervasive risks
Assessment of mitigating controls
Risks at assertion level

Assessment of specific risks by F/R area disclosure and assertion
Assessment of mitigating controls
F/R = Financial report
H = High risk
M = Moderate risk
L = Low risk
Notes: > Before concluding there are no particular risks for a nancial report area or disclosure, consider the existence of other relevant factors, such as history of known errors, susceptibility of the asset/liability to fraud, potential for management override and the previous periods experience > If the auditor plans to rely on a control risk that has been assessed as low (for example, reduce the extent of substantive procedures), there needs to be tests of the operational effectiveness of the controls to support such an assessment > In some cases, the entity may have some internal controls but the auditor has deemed them not relevant to the audit and therefore no assessment has been made. In these cases, the control risk would be assessed as high > Specic (transactional) controls generally work (resulting in a low assessed risk) or do not work (resulting in a high assessed risk). This would imply that there is no assessment of control risk as being moderate. However, some auditors assess control risk as moderate when a control may not be totally reliable in operation but is expected to work most of the time. This can often be the case in smaller entities > The determination of residual risk resulting from the combination of inherent and control risk is a matter of professional judgement. The exhibit below shows various combinations of risk but is not a substitute for professional judgement based on the particular circumstances.
Practical guidance
457
Exhibit 29.3-2
Inherent risk H H H M M M L L L
H = High M = Moderate L = Low
Control risk H M L H M L H M L
Risk of material misstatement H M M or L M M L M/L L L
Consider point
Document the reasoning behind risk assessments When summarising assessed risks, be sure to provide a short description of the reasons for each assessment or a cross-reference to where they can be found. This is often more important than the assessment itself because it helps to design tailored and cost-effective responses. Assessing inherent risks Remember that the assessment of inherent risk is always completed before any consideration of controls that may mitigate the risk. Assuming most nancial report areas to be audited will exceed overall materiality, it is likely (in most instances) that the inherent risk of misstatement (before internal control) for most assertions will be high. Low risk for all assertions When a nancial report area has been assessed as low risk for all assertions, there is no need to repeat the same reasoning for each individual assertion. However, the reason why all the assessments are low would be documented. PART B
29.4
Revision of risk assessments
The assessment of risk does not end at a point in time. New information may be gained as the audit progresses and the performance of audit procedures may identify additional risks or that internal control is not operating as intended. When this occurs, the original risk assessment should be revised and the impact on the nature and extent of further audit procedures considered.
458
29.5
Documentation
The summary of assessed risks can be documented in a number of ways. Three possible approaches are outlined below: > A standalone document A separate document that summarises the inherent and control assessments, and the key reasons for the combined risk assessments. This document could also be used for outlining (in general terms) the risk response > Include with the overall audit strategy and audit plan The rst part of each section of the audit plan (such as for receivables, payables etc.) could outline the risk assessments and the impact on the planned audit procedures > Incorporate risk assessments as part of the auditors documentation of further procedures In this case, the risk assessments, audit plans and the results of work performed could all be documented in one comprehensive working paper for each nancial report area. The form and extent of the documentation supporting risk assessments would be inuenced by: > The nature, size and complexity of the entity and its internal control > The availability of information from the entity, and > The audit methodology and technology used in the course of the audit. Other factors to consider when designing documentation include: > Ease of understandability > Cross-references to the design and implementation of an appropriate audit response > Ability to facilitate updating in subsequent periods, and > Ease of review. A reviewer should be able to determine whether key risks have been identied and that the resulting audit response was appropriate. A well-documented summary of assessed risks will also be useful in the team planning meetings in subsequent periods where the nature of the risks and the audit response can be discussed. An approach using a standalone document but closely linked to the audit plan is illustrated below. Note that this illustration uses the four combined assertions (used for the purposes of this Manual), as dened in Part A, Chapter 4.
Practical guidance
459
Exhibit 29.5-1 Assessed levels of risk

As IR CR Comb. Document the key risks and other RMM contributing factors to risk assessment The industry is in a general decline as new technologies emerge. However sales are still strong and the entity is investing in R&D. Financial report level P M L L Managements attitude to internal control is good. Competent people ll the key positions. Management override possible but new policies in place should deter the most common practices. The governance board is made up of family members. Assertion level FRA or nancial report disclosure 1 Sales C E H M L L M L Owner wants to save taxes. Revenue recognition has been inconsistent.
A V 2 Receivables C E A V 3 Inventory C E A V
M NA L H L H L H L H
L L L M L M L H L H
L NA L M L M L H L H
Relevant internal controls were identied and there has been no history of errors.
Relevant controls were identied and there has been no history of errors. Salespersons bonuses are based on recorded sales. Relevant internal controls were identied and there has been no history of errors. Recovery of receivables could be an issue in declining industry. Relevant controls were identied and there has been no history of errors. Inventory theft and poor physical internal control in warehouse. Relevant controls were identied and there has been no history of errors. New technology will make some parts and even whole products obsolete.
H = High M = Moderate L = Low As = Assertion NA = Not applicable IR = Inherent risk CR = Internal control risk Comb. RMM = Combined risks of material misstatement FRA = Financial report area P = Pervasive risks C = Completeness E = Existence A = Accuracy V=Valuation
PART B
Relevant internal controls were identied. Tests of internal control for this assertion are a possibility.
460
Documentation of assessed risks could also make reference to: > Details of signicant risks that require special attention, and > Risks for which substantive procedures alone will not provide sufcient appropriate audit evidence.
29.6
Case studies concluding the risk assessment phase
For details of the case studies, refer to Part B, Chapter 17 Introduction to the case studies. The nal step in the risk assessment process is to assess the combined risks of material misstatement at the nancial report and assertion levels. The risk assessments can be summarised using an approach such as outlined below. Supporting information (where the assessments of inherent and control risk were documented) has not been shown. In practice cross references would be made to the supporting data.
Case study A ONeal Furniture Pty Ltd Assessed levels of risk

ASS IR CR Comb. RMM Document the key risks and other contributing factors to risk assessment Managements attitude to internal control is good and competent people ll the key positions. Financial report level P M L L Management override is possible but we have not found any instances where this occurred and managements attitude toward control is good. The monthly meeting to review performance provides some accountability to management. Assertion level FRA or nancial report disclosure 1 Sales C E H L L L M L Revenue recognition policies are inconsistent. Revenue recognition policies are inconsistent. Pressure to inate sales due to sales bonuses and market pressures. Sales system operates well. ASS IR CR
A V 2 Receivables C
L NA L
L L L
L NA L
No signicant risks identied.
Practical guidance
461
ASS E A V
IR H L H
CR M L M
Comb. RMM M L M
Document the key risks and other contributing factors to risk assessment Salespersons bonuses are based on recorded sales.
Large retailer receivables collection could be an issue if there is concern over product quality or returns made. Additionally, despite the declining economy, no credit checks are performed before credit is granted.
H = High M = Moderate L = Low As = Assertion NA = Not applicable IR = Inherent risk CR = Internal control risk Comb. RMM = Combined risks of material misstatement FRA = Financial report area P = Pervasive risks C = Completeness E = Existence A = Accuracy V=Valuation
At this point, it would be good practice to prepare a communication for management that outlines the signicant weaknesses identied in internal control.
Case study B Kane & Co. Assessed levels of risk

Comb. RMM Document the key risks and other contributing factors to risk assessment
Management override is possible due to pressures to meet bank covenants and minimise taxes. The bookkeepers work was not reviewed by Robert on a consistent basis throughout the period. The bookkeeper appears disgruntled and may have opportunity to misstate the gures. Therefore, both unintentional error and intentional fraud could go undetected. The monthly meeting to review performance provides some accountability to management.
Assertion level FRA or nancial report disclosure 1 Sales
ASS
IR
CR
C E
H H
L L
M M
Relevant internal controls were identied for this assertion. Relevant internal controls were identied for this assertion but related-party transactions are of concern.
PART B
Managements attitude to internal control is good and competent people ll the key positions.
462
Comb. RMM A H L M
Document the key risks and other contributing factors to risk assessment Relevant internal controls were identied for this assertion but related-party transactions are of concern. Potential for sales returns due to state of industry. Majority of receivable balance is with ONeal Furniture. No other specic risks identied. Majority of receivable balance is with ONeal Furniture. No other specic risks identied. Majority of receivable balance is with ONeal Furniture. No other specic risks identied. The smaller customers may have difculty paying their bills in these tougher economic times.
V 2 Receivables C
M H
M L
M M
H = High M = Moderate L = Low As = Assertion NA = Not applicable IR = Inherent risk CR = Internal control risk Comb. RMM = Combined risks of material misstatement FRA = Financial report area P = Pervasive risks C = Completeness E = Existence A = Accuracy V = Valuation
At this point, it would be good practice to prepare a communication for management that outlines the signicant weaknesses identied in internal control that were.
Practical guidance
463
30.
Risk response an overview
Exhibit 30.0-1
Activity
Purpose
Documentation1
Risk assessment
Plan the audit
Risk response
Reporting
yes
PART B
464
Paragraph # 330.5
Relevant extracts from ASAs The auditor shall design and implement overall responses to address the assessed risks of material misstatement at the nancial report level. (Ref: Para. A1-A3) The auditor shall design and perform further audit procedures whose nature, timing and extent are based on and are responsive to the assessed risks of material misstatement at the assertion level. (Ref: Para. A4-A8)
330.6
The risk response phase includes the steps outlined below:
Exhibit 30.0-2
Design further audit procedures
Risk response
Update overall audit strategy
Develop response to assessed risks
Brief team on audit plans as required
Perform further audit procedures
Perform planned procedure
Assess results and evidence obtained
Document findings and conclusions
The basic concepts addressed in the risk response phase are listed out below.
Chapter Responding to assessed risks Further audit procedures Accounting estimates Related parties Subsequent events Going concern Summary of other ASA requirements Audit documentation Part A, 7 Part A, 8 Part A, 9 Part A, 10 Part A, 11 Part A, 12 Part A, 13 Part A, 14
Practical guidance
465
31.
The responsive audit plan

Relevant ASAs
Chapter content How to plan an effective audit response to assessed risks.
260, 300, 330, 500
Exhibit 31.0.-1
Activity
Purpose
Documentation
Risk response
Notes: 1. RMM = Risks of material misstatement.
300.9
The auditor shall develop an audit plan that shall include a description of: (a) The nature, timing and extent of planned risk assessment procedures, as determined under ASA 315. (b) The nature, timing and extent of planned further audit procedures at the assertion level, as determined under ASA 330. (c) Other planned audit procedures that are required to be carried out so that the engagement complies with the Australian Auditing Standards. (Ref: Para. A12)
300.10 300.11
The auditor shall update and change the overall audit strategy and the audit plan as necessary during the course of the audit. (Ref: Para. A13) The auditor shall plan the nature, timing and extent of direction and supervision of engagement team members and the review of their work. (Ref: Para. A14-A15) The auditor shall include in the audit documentation: (a) The overall audit strategy; (b) The audit plan; and (c) Any signicant changes made during the audit engagement to the overall audit strategy or the audit plan, and the reasons for such changes. (Ref: Para. A16-A19)
300.12
330.5
The auditor shall design and implement overall responses to address the assessed risks of material misstatement at the nancial report level. (Ref: Para. A1-A3)
PART B
Paragraph #
466
Paragraph # 330.6
Relevant extracts from ASAs The auditor shall design and perform further audit procedures whose nature, timing, and extent are based on and are responsive to the assessed risks of material misstatement at the assertion level. (Ref: Para. A4-A8) In designing the further audit procedures to be performed, the auditor shall: (a) Consider the reasons for the assessment given to the risk of material misstatement at the assertion level for each class of transactions, account balance, and disclosure, including: (i) The likelihood of material misstatement due to the particular characteristics of the relevant class of transactions, account balance or disclosure (that is, the inherent risk); and (ii) Whether the risk assessment takes account of relevant controls (that is, the control risk), thereby requiring the auditor to obtain audit evidence to determine whether the controls are operating effectively (that is, the auditor intends to rely on the operating effectiveness of controls in determining the nature, timing and extent of substantive procedures); and (Ref: Para. A9-A18) (b) Obtain more persuasive audit evidence the higher the auditors assessment of risk. (Ref: Para. A19)
330.7
330.8
The auditor shall design and perform tests of controls to obtain sufcient appropriate audit evidence as to the operating effectiveness of relevant controls if: (a) The auditors assessment of risks of material misstatement at the assertion level includes an expectation that the controls are operating effectively (that is, the auditor intends to rely on the operating effectiveness of controls in determining the nature, timing and extent of substantive procedures); or (b) Substantive procedures alone cannot provide sufcient appropriate audit evidence at the assertion level. (Ref: Para. A20-A24)
330.9
In designing and performing tests of controls, the auditor shall obtain more persuasive audit evidence the greater the reliance the auditor places on the effectiveness of a control. (Ref: Para. A25) In designing and performing tests of controls, the auditor shall: (a) Perform other audit procedures in combination with enquiry to obtain audit evidence about the operating effectiveness of the controls, including: (i) How the controls were applied at relevant times during the period under audit. (ii) The consistency with which they were applied. (iii) By whom or by what means they were applied. (Ref: Para. A26-A29) (b) Determine whether the controls to be tested depend upon other controls (indirect controls) and, if so, whether it is necessary to obtain audit evidence supporting the effective operation of those indirect controls. (Ref: Para. A30-A31)
330.10
330.15
If the auditor plans to rely on controls over a risk the auditor has determined to be a signicant risk, the auditor shall test those controls in the current period.
Practical guidance
467
Paragraph # 330.18
Relevant extracts from ASAs Irrespective of the assessed risks of material misstatement, the auditor shall design and perform substantive procedures for each material class of transactions, account balance and disclosure. (Ref: Para. A42-A47) The auditor shall consider whether external conrmation procedures are to be performed as substantive audit procedures. (Ref: Para. A48-A51) The auditors substantive procedures shall include the following audit procedures related to the nancial report closing process: (a) Agreeing or reconciling the nancial report with the underlying accounting records; and (b) Examining material journal entries and other adjustments made during the course of preparing the nancial report. (Ref: Para. A52)
330.19 330.20
330.21
If the auditor has determined that an assessed risk of material misstatement at the assertion level is a signicant risk, the auditor shall perform substantive procedures that are specically responsive to that risk. When the approach to a signicant risk consists only of substantive procedures, those procedures shall include tests of details. (Ref: Para. A53) Where the auditor plans to use audit evidence from the performance of substantive procedures in a prior audit, the auditor shall perform audit procedures during the current period to establish the continuing relevance of the audit evidence. (Ref: Para. A54)
330 Aus 21.1
(a) Substantive procedures, combined with tests of controls for the intervening period; or (b) If the auditor determines that it is sufcient, further substantive procedures only that provide a reasonable basis for extending the audit conclusions from the interim date to the period end. (Ref: Para. A54-A57) 260.15 330.24 The auditor shall communicate with those charged with governance an overview of the planned scope and timing of the audit. (Ref: Para. A11-A15) The auditor shall perform audit procedures to evaluate whether the overall presentation of the nancial report, including the related disclosures, is in accordance with the applicable nancial reporting framework. (Ref: Para. A59) The auditor shall design and perform audit procedures that are appropriate in the circumstances for the purpose of obtaining sufcient appropriate audit evidence. (Ref: Para. A1-A25) When designing and performing audit procedures, the auditor shall consider the relevance and reliability of the information to be used as audit evidence. (Ref: Para. A26-A33) When designing tests of controls and tests of details, the auditor shall determine means of selecting items for testing that are effective in meeting the purpose of the audit procedure. (Ref: Para. A52-A56)
500.6
500.7
500.10
PART B
330.22
If substantive procedures are performed at an interim date, the auditor shall cover the remaining period by performing:
468
31.1
Overview
In the risk response phase of the audit, the objective is to obtain sufcient appropriate audit evidence regarding the assessed risks. This is achieved by designing and implementing appropriate responses to the assessed risks of material misstatement at the nancial report and assertion levels. The auditor would approach this task in various ways, such as: > Addressing each assessed risk in turn according to its nature (ie. a downturn in the economy) and designing the appropriate audit response in the form of further audit procedures > Addressing the assessed risks by material nancial report area or disclosure affected. The auditor would then design an appropriate response in the form of further audit procedures, or > Starting with a standard list of audit procedures for each material nancial report area and assertion and tailoring it (adding, modifying and eliminating procedures) to design an appropriate response to the assessed risks. Responding to assessed risks implies more than using a standard (one size ts all) audit program which may address each assertion, but has not been tailored to address the assessed risk for the nancial report area by assertion for a particular entity. Audit programs should generally be tailored (to the extent necessary) to the entitys level of risk and its particular circumstances.
31.2
The starting point
The starting point for designing an effective audit response is the listing of assessed risks that was developed at the conclusion of the risk assessment phase of the audit (see Part B, Chapter 29). Risks will have been identied and assessed at: > The nancial report level, and > The assertion level for nancial report areas and disclosures. Smaller nancial report areas could be grouped together and treated as one larger area for developing an appropriate audit response. Part A, Chapter 7 outlines possible responses to risks assessed at the two levels. The types of response required are summarised in the following exhibit.
Practical guidance
469
Exhibit 31.2-1
Assessed risks...
At the financial report level At the assertion level
Auditors response
Overall response
Examples include: > Professional scepticism > Level of staff assigned > Ongoing staff supervision > Evaluate accounting policies > Nature/extent/timing and unpredictability of planned procedures > Other further procedures.
Tests of control
Tests of detail
Result
PART B
Sufficient appropriate audit evidence to reduce audit risk to an acceptably low level
31.3 Overall responses

Pervasive risks at the nancial report level (risks such as a decient control environment and/or the potential for fraud that could affect many assertions) are addressed through the design and implementation of an overall response by the auditor. Refer to Part B, Chapter 23 for additional information on pervasive risks. Areas that the auditor would address in developing an overall response include determining: > The extent that the audit team needs to be reminded about the use of professional scepticism > Which staff to assign, including those with special skills or whether to use experts > The extent of supervision required throughout the audit > The need for incorporating some elements of unpredictability in the selection of further audit procedures to be performed
470
> Any general changes that need to be made to the nature, timing or extent of audit procedures. These could include the timing of procedures (interim or period end) or new/extended procedures to address specic risk factors such as fraud. See toolkit item 605: Worksheet Overall responses.
Exhibit 31.3-1
Risk assessment An effective control environment Possible overall response This allows the auditor to have more condence in internal control and the reliability of audit evidence generated internally within the entity. An overall response could include some audit procedures being performed at an interim date rather than at the period end. An ineffective control environment (deciencies exist) This will likely require the auditor to perform some additional work such as : > Assigning more experienced audit staff > Conducting more audit procedures at the period end rather than at an interim date > Obtaining more extensive audit evidence from substantive procedures > Making changes to the nature, timing or extent of audit procedures to be performed.
Consider point
Where possible, develop an initial assessment of risk at the nancial report level at the planning stage. This will enable an initial overall response to be developed that addresses matters such as what staff to assign (including those with specialist skills), the level of supervision needed and what audit procedures are to be performed. This initial assessment of risk would require updating as the audit progresses and corresponding changes would be made in the overall response. However, this may not be possible in smaller entities that do not have interim or monthly nancial information available for performing analytical procedures and identifying/assessing the risks of material misstatement. Unless limited analytical procedures can be performed or information can be obtained through enquiry to plan the audit, the auditor may need to wait until an early draft of the entitys nancial report is available.
31.4
Use of assertions in test design
An assessment of the risks of material misstatement is required at the nancial report and assertion levels. The objective in designing an appropriate audit response is to obtain evidence that addresses the risk assessments developed for each relevant assertion. Refer to Part A, Chapter 4 for more information about assertions.
Practical guidance
471
When developing a response to specic transaction streams, the auditor would note that the assertions also provide the common link between internal control testing and substantive procedures. This is important for identifying when a combination of tests of controls and substantive procedures may be appropriate to reduce the risks of material misstatement to an acceptably low level. For example, audit procedures for existence of inventory will focus on testing the validity of items already recorded as part of the inventory balance and the testing of controls that would mitigate the risk of there being non-existent items in the inventory balance. A test of completeness of inventory would focus on testing items not included in the inventory balance but would provide possible evidence of missing items. This could include purchase orders for goods and testing controls that would mitigate the risk of missing inventory.
31.5
Use of materiality in test design
A key factor in considering the extent of an audit procedure deemed necessary is the performance materiality that has been established. Performance materiality is based on the materiality established for the nancial report as a whole but may be modied to address particular risks relating to an account balance, transaction stream or nancial report disclosure. The extent of audit procedures judged necessary is determined after considering the performance materiality, the assessed risk and the degree of assurance the auditor plans to obtain. In general the extent of audit procedures (such as a sample size for a test of details or the level of detail necessary in a substantive analytical procedure) would increase as the risk of material misstatement increases. However, increasing the extent of an audit procedure is effective only if the audit procedure itself is relevant to the specic risk. See Part A, Chapter 5 and Part B, Chapters 21 and 32 for more information on the use of materiality in test design.
PART B
31.6
The auditors toolbox
In developing the detailed audit plan, the auditor would use their professional judgement to select the appropriate types of possible audit procedures. Refer to Part A, Chapters 8 to 13 for a more detailed description of further audit procedures. An effective audit program will be based on an appropriate mix of procedures that collectively reduce audit risk to an acceptably low level. For the purposes of this Manual, the various types of audit procedures available to the auditor have been categorised as illustrated in the following exhibit.
472
Exhibit 31.6-1
Substantive procedures Basic*
Substantive procedures Extended*
Tests of controls
* The terms basic and extended are used solely for the purposes of this Manual.
Exhibit 31.6-2
Procedure type Substantive basic Description The term basic has been used for the typical substantive procedures that are required by paragraph 18 of ASA 330 to be performed for each material class of transactions, account balance and disclosure irrespective of the assessed risks of material misstatement (RMM). These basic procedures reect the fact that: > The auditors assessment of risk is judgemental and so may not identify all risks of material misstatement, and > There are inherent limitations to internal control, including management override. Where the RMM is very low, these basic types of procedures may well be all that is required to obtain sufcient and appropriate evidence for a particular assertion. Examples of basic substantive procedures would be: > Obtain a complete list of items that make up a period-end balance > Compare the current periods balance with that of the preceding period > Obtain reasons for uctuations, and > Perform some period end cut-off procedures.
Practical guidance
473
Procedure type Substantive extended
Description The term extended is used in this Manual to highlight the nature and extent of the additional audit work (beyond the basic procedures) required to respond to situations where the assessed risks for a particular assertion are moderate or high. This would occur where specic or signicant risks exist. An extended procedure would include: > Procedures tailored to respond to specic risk factors (such as management override), other types of fraud or signicant risk, and > Procedures that are similar to basic procedures but where the extent of the procedure has been increased (such as an enlarged sample size in a test of details) to obtain the appropriate level of risk reduction. See Part B, Chapter 25 for a more detailed description of signicant risks and the appropriate audit response.
Tests of controls
Where key controls are in place (that are likely to operate effectively) to address certain assertions, tests of controls may be performed to obtain the necessary evidence about an assertion. Tests of controls performed to reduce risk to a low level (requiring a larger sample size) may provide the majority of evidence required for a particular assertion. Alternatively, tests of controls could be performed to reduce risk to a moderate level (requiring a slightly smaller sample size). In this latter case, to obtain the required evidence, the auditor would supplement the tests of controls with substantive procedures that address the same assertion. Under certain criteria, internal controls need only be tested every third audit. Refer to the discussion on tests of controls in Part A, Chapter 8.5.
Substantive analytical procedures involve evaluations of nancial information through analysis of plausible relationships among both nancial and non-nancial data. They require the development of precise expectations for certain amounts (such as sales) that, when compared to actual recorded amounts, would be sufcient to identify a misstatement. Analytical procedures can be categorised as follows: > Simple comparisons of data that would typically be included in basic substantive procedures. These procedures would normally be combined with other tests of details at the assertion level. They would not provide sufcient audit evidence by themselves > Predictive models that by themselves (or in combination with tests of controls or other substantive procedures) would be sufcient to reduce audit risk to an acceptably low level. For example, if an entity had six employees at xed rates of pay throughout the period, it could be possible to estimate the total payroll costs for the period with a high degree of accuracy. Assuming the number of employees and the rates of pay were accurate, this procedure could provide the entire audit evidence for payroll. There may be no need for other substantive procedures (basic or extended) to be performed. Note: When addressing a signicant risk, the auditor is required to combine the substantive analytical procedures with other substantive procedures that include tests of details.
PART B
474
31.7
Developing the responsive audit plan
Professional judgement and careful thought are required to develop an audit plan that responds appropriately to the assessed risks. The time spent developing an appropriate plan will almost certainly result in a more effective and efcient audit and less time being spent by staff. There are three general steps the auditor would take in developing the plan: > Respond to assessed risks at the nancial report level (the overall response) > Identify any specic procedures required for material nancial report areas, and > Determine what audit procedures (tools from the toolbox) and the extent of testing are required.
Step 1 respond to assessed risks at the nancial report level

The rst step is to develop an appropriate overall response to assessed risks at the nancial report level. Because these risks are pervasive, a moderate or high level of risk assessment will generally result in additional work being required for virtually every nancial report area. Refer to the discussion on overall responses in Part B, Chapter 31.3.
Step 2 identify specic procedures required for material nancial report areas
Before developing the detailed response to assessed risks, the auditor may nd it helpful to consider (for each material nancial report area) the questions set out in the exhibit below.
Exhibit 31.7-1
For each material or potentially material nancial report area Questions to consider when developing an appropriate audit response Are there assertions that cannot be addressed by substantive tests alone? If so, tests of controls will be required. This may occur when: > There is no documentation to provide audit evidence about an assertion such as sales completeness; or > An entity conducts its business using IT and no documentation of transactions is produced or maintained, other than through the IT system. Are internal controls over related transaction streams/processes expected to be reliable? If so, a test of controls may be possible unless the number of transactions is so small that substantive procedures would still be more efcient. Are substantive analytical procedures available (such as on related transaction streams)?
Practical guidance
475
For each material or potentially material nancial report area Questions to consider when developing an appropriate audit response (continued) Is an element of unpredictability required (to address fraud risks, etc.)? Are there signicant risks (ie. fraud, related parties etc.) to be addressed that require special consideration?
Step 3 determine the nature and extent of audit procedures required

The third step is to use professional judgement to choose the appropriate mix of procedures and extent of testing required to respond appropriately to the assessed risks at the assertion level. Outlined below is one possible approach for determining the appropriate mix of procedures to address the existence of receivables at low, moderate and high levels of assessed risk. Receivables low level of assessed risk Performance materiality = $12,000 Planned audit response
Assessed risk for existence assertion Substantive procedures basic Low Comments These procedures would be considered adequate by themselves to address the assessed risk. They would include the typical tests of details and simple analytical procedures that would be performed in virtually any audit of receivables. These procedures would often be included in a standard audit program for receivables.
Receivables moderate level of assessed risk Performance materiality = $10,000 Planned audit response
Assessed risk for existence assertion Substantive procedures basic Substantive procedures extended Moderate Comments These procedures would be performed to address the existence risk in general. These procedures would be designed to: > Address the specic risks identied in relation to the existence of receivables (such as a fraud risk), and > Perform sufcient tests of detail to reduce the assessed risk to an acceptably low level.
PART B
476
If the entity had internal controls (such as over sales) that addressed the existence of receivables, an alternative to performing the extended procedure would be a test of the operating effectiveness of such controls. Receivables high level of assessed risk Performance materiality = $10,000 Planned audit response
Assessed risk for existence assertion receivables Substantive procedures basic Substantive procedures extended High Comments
These procedures would be performed to address the existence risk in general. These procedures would be designed to: > Address the specic risks identied in relation to the existence of receivables (such as a fraud risk), and > Perform sufcient tests of details for a moderate risk reduction that, combined with the evidence obtained from testing internal control (see below), would reduce the assessed risk to an acceptably low level.
Tests of controls (operating effectiveness)
To reduce the sample size required for a test of details that would have reduced risk to a low level, the internal controls that address existence would be tested to obtain a moderate level of risk reduction. This combined with the tests of details outlined above will reduce the assessed risk to an acceptably low level
In the above example, it may also be possible to obtain the majority of required evidence from performing a test of controls that reduces the risk to an acceptably low level. This may eliminate the need for certain extended substantive procedures. When developing an audit strategy on particular account balances or transactions, the auditor would always consider the work performed on other parts of the transaction stream. Another example is the completeness of sales for an entity that owns an apartment building and rents out the units. Receivables moderate level of assessed risk Performance materiality = $6,000
Practical guidance
477
Planned audit response

Assessed risk for completeness assertion Substantive procedures basic Moderate Comments
In light of the substantive analytical procedures outlined below, these procedures may not be necessary at all or limited to obtaining evidence about the assumptions used. The known number of rental units is 64 and the rent is $1,000 a month for the 46 two-bedroom suites and $800 for the 18 one-bedroom suites. The predicted rental income can be calculated as $724,800. Actual income recorded in the accounting records was $718,800, a difference of $6,000 The difference was veried as being due to six of the two bedroom units being vacant for a month during the year.
Consider point
Avoid defaulting to generic or standard audit procedures where possible PART B The most effective audit procedures are those that specically address the causes of the assessed risks. Multiple assertions Where possible, choose audit procedures that address multiple assertions. This will reduce the need for other tests of detail. Low risk areas Use the information obtained from assessing the risks of material misstatement to reduce the need for substantive procedures in low risk areas. Consider using tests of controls Use the information obtained about internal control to identify key controls that could be tested for operating effectiveness. Testing controls (some of which may only require testing once every three years) can often result in much less work than performing extensive tests of detail. Do not ignore IT controls The sample size for testing an automated control can be as little as one item, because an automated control is likely to operate in the same manner every time, making it representative of all other items in the population. However, this would be based on the assumption that the entity has effective general IT controls in operation.
478
Consider point
Dual purpose tests Where tests of control are planned on the same class of transactions as substantive tests, consider the potential for dual purpose tests. This is where a test of controls is performed concurrently with a test of details on the same transaction. Although the purpose of a test of controls is different from a test of details, both objectives may be accomplished concurrently. For example, an invoice could be examined to determine whether it has been approved (a test of control) and whether the transaction was properly recorded in the accounting records (a test of details). Consider work performed on all parts of a transaction stream Take credit for work performed on other parts of the transaction stream. For example, a test of controls over sales completeness would provide evidence for the completeness of receivables. Decide on audit strategy and procedures at the planning phase > Where possible, develop the nature and extent of audit procedures during the planning phase of the audit, a time at which the team can agree on the approach to be followed. This avoids junior staff having to design audit procedures by themselves or simply performing the same procedures as last year. > Remember to use analytical procedures Analytical procedures are used in each phase of the audit. At the beginning of the audit, analytical procedures are used as a risk assessment procedure During the audit, analytical procedures are performed to analyse variances in data and to substantiate certain transaction streams and account balances Near the end of the audit, analytical procedures are performed to determine whether the nancial report is consistent with the auditors understanding of the entity or to indicate a previously unrecognised risk of material misstatement due to fraud.
31.8
Responding to the risk of fraud
The risk of fraud (including management override) can exist in virtually any entity and needs to be addressed when developing the audit plan. The rst step is to assess the potential risk from fraud and then to design an appropriate overall and detailed response. Note: The auditor is required to treat assessed risks of material misstatement due to fraud as signicant risks. A signicant risk requires the auditor to: > Obtain an understanding of the entitys related controls, including control activities, relevant to such risks, and > Perform substantive procedures that are specically responsive to that risk.
Practical guidance
479
When the approach to a signicant risk consists only of substantive procedures, those procedures shall include tests of details. In assessing the potential risk and appropriate response to fraud, the auditor would consider the following: > Overall responses already developed to address risks assessed at the nancial report level > Specic responses already developed in relation to other risks assessed at the assertion level > The fraud scenarios (if any) developed during the planning discussions > Fraud risks (opportunities, incentives and rationale) identied as a result of performing risk assessment procedures > Susceptibility of certain nancial report balances and transactions to fraud > Any known instances of actual fraud in the past or in the current period, and > Risks relating to management override. The following exhibit outlines some possible responses to the risks identied above.
PART B
Exhibit 31.8-1
Overall responses to fraud Pervasive risks at the nancial report level Consider need for: > Heightened professional scepticism when examining certain documentation or corroborating signicant management representations > People with specialised skills/knowledge, such as information technology (IT) > Development of specic audit procedures to identify the existence of fraud, and > An element of unpredictability in the selection of audit procedures to be used. Consider adjusting the timing of certain audit procedures, using different sampling methods or performing procedures on an unannounced basis. Specic responses to potential fraud risks Specic risks at the assertion level Consider: > Changing the nature, timing and extent of the auditing procedures to address the risk. Examples include the following: Obtain more reliable and relevant audit evidence or additional corroborative information to support managements assertions Perform a physical observation or inspection of certain assets Observe inventory counts on an unannounced basis, and
480
Specic responses to potential fraud risks Specic risks at the assertion level (continued) Perform further review of inventory records to identify unusual items, unexpected amounts and other items for follow-up procedures > Performing further work to evaluate the reasonableness of managements estimates and the underlying judgements and assumptions > Increasing sample sizes or performing analytical procedures at a more detailed level > Use computer assisted audit techniques (CAATs). For example: Gather more evidence about data contained in signicant accounts or electronic transaction les Perform more extensive testing of electronic transactions and account les Select sample transactions from key electronic les Sort transactions with specic characteristics, and Test an entire population instead of a sample > Requesting additional information in external conrmations. For example, on a receivables conrmation, the auditor could ask for conrmation on the details of sales agreements, including the date of the agreement, any rights of return and the delivery terms. However, consider whether a request for additional information might delay the response time signicantly > Changing the timing of substantive procedures from an interim date to one near the period end. However, if a risk of intentional misstatement or manipulation exists, audit procedures to extend audit conclusions from an interim date to the period end would not be effective. Risks related to management override Source of risk Journal entries Considering identifying, selecting and testing journal entries and other adjustments based on the following: > An understanding of the entitys nancial reporting process and design/implementation of internal control > Consideration of the: Characteristics of fraudulent journal entries or other adjustments Presence of fraud risk factors that relate to specic classes of journal entries and other adjustments, and Enquiries of individuals involved in the nancial reporting process about inappropriate or unusual activity. See toolkit item 670: Use of journal entries.
Practical guidance
481
Risks related to management override Managements estimates Consider reviewing estimates relating to specic transactions and balances to identify possible biases on the part of management. Further procedures could include the following: > Reconsidering the estimates taken as a whole > Performing a retrospective review of managements judgements and assumptions related to signicant accounting estimates made in the prior period, and > Determining whether the cumulative effect of bias in managements estimates amount to a material misstatement in the nancial report. Signicant transactions Consider obtaining an understanding of the business rationale for signicant transactions that are unusual or outside the normal course of business. This includes an assessment as to whether: > Management is placing more emphasis on the need for a particular accounting treatment than on the underlying economics of the transaction > The arrangements surrounding such transactions appear overly complex > Management has discussed the nature of, and accounting for, such transactions with those charged with governance > The transactions involve previously unidentied related parties or parties that do not have the substance or the nancial strength to support the transaction without assistance from the entity under audit > Transactions that involve non-consolidated related parties, including special purpose entities, have been properly reviewed and approved by those charged with governance, and > There is adequate documentation. Related-party transactions Obtain an understanding of the business relationships that related parties may have established directly or indirectly with the entity through: > Enquiries of, and discussions with, management and those charged with governance > Enquiries of the related party > Inspection of signicant contracts with the related party, and > Appropriate background research, such as through the internet or specic external business information databases. Based on the ndings above: > Identify and assess the risks of material misstatement associated with related-party relationships > Treat identied signicant related-party transactions outside the entitys normal course of business as giving rise to signicant risks, and > Determine the need for substantive audit procedures that are responsive to the risks identied.
PART B
482
Risks related to management override Revenue recognition Performing substantive analytical procedures. Consider computer assisted audit techniques (CAATs) to identify unusual or unexpected revenue relationships or transactions. Conrming the relevant contract terms with customers (acceptance criteria, delivery and payment terms) and the absence of side agreements (such as offering a customer the right to return the goods immediately after the period end).
31.9
Risk of misstatements in presentation and disclosure
Some assessed risks may arise from nancial report presentation and disclosures in accordance with the applicable nancial reporting framework. As a result, specic procedures may need to be designed to respond appropriately to the risks involved. These audit procedures would address whether: > The individual nancial report is presented in a manner that reects the appropriate classication and description of nancial information > The presentation of nancial report includes adequate disclosure of material matters and uncertainties. This includes the form, arrangement and content of the nancial reports and their appended notes (including terminology used), the amount of detail given, the classication of items in the statements and the bases of amounts set forth, and > Management has disclosed particular matters in light of the circumstances and facts of which the auditor is aware at the time of signing the auditors report.
31.10 Determining whether the audit plan is complete

Before concluding that the audit is complete, the auditor would consider whether the following factors have been appropriately addressed.
Exhibit 31.10-1
Procedure type Have all material nancial report areas been addressed? Description Substantive procedures are required to be designed and performed for all material classes of transactions, account balances and disclosures. This is irrespective of the assessed risks of material misstatement.
Practical guidance
483
Procedure type Is there a need for external conrmations?
Description Consider whether external conrmation procedures are to be performed as substantive audit procedures. Examples could include: > Bank balances > Receivables > Inventories and investments held by third parties > Amounts due to lenders > Terms of agreements > Contracts, and > Transactions between the entity and other parties. External conrmation may also be used to address the absence of certain conditions. For example, there are no side agreements on sales that could affect revenue cut-off.
Can evidence obtained in prior periods be used?
Assuming the evidence does not address a signicant risk and certain other criteria apply (such as no change in controls and no signicant manual element in the control operation), the tests of operating effectiveness may only need to be performed once every third audit (see Part A, Chapter 8.5 for more information). Is expertise in a eld other than accounting or auditing required to obtain sufcient appropriate audit evidence?
Is there a need for an auditors expert? Has the nancial report closing process been addressed?
> Agreeing or reconciling the nancial report with the underlying accounting records, and > Examining material journal entries and other adjustments made during the course of preparing the nancial report.
Have signicant risks been addressed?
For each risk assessed as signicant, the auditor is required to design and perform substantive procedures (possibly supplemented by tests of controls). Substantive analytical procedures cannot be used alone and would be supplemented with tests of details. Where reliance is placed on internal controls over a signicant risk, the auditor is required to test those controls in the current period.
Has evidence obtained from interim testing been updated?
Update interim substantive procedures by covering the remaining period. This would include: > Substantive procedures combined with tests of controls for the intervening period, or > Further substantive procedures that provide a reasonable basis for extending the audit conclusions from the interim date to the period end.
Have the potential risks of fraud been addressed?
For example, heightened professional scepticism, an element of unpredictability in the design of audit procedures, etc. (See Part B, Chapter 31.8.)
PART B
The following substantive procedures are required in relation to the nancial report closing process:
484
31.11 Documenting the overall response and detailed audit plans

The overall responses may be documented as a stand-alone document or, more typically, as part of the overall audit strategy. The detailed plan is often documented in the form of an audit program that outlines the nature and extent of procedures and the assertion(s) being addressed. Space can then be provided to record details about who performed each step and the ndings. See toolkit item 606: Worksheet Audit plan. Consider point
Timing Consider whether some of the planned further audit procedures can be carried out at the same time as the risk assessment procedures. Changes to plan If planned procedures need to be modied as a result of audit evidence or other information obtained, update the overall strategy and audit plan and provide the reasons for the change. Review Ensure that audit procedures and related working papers are signed and dated by the preparer and the reviewer prior to the completion of the audit.
31.12 Communication of the audit plan

The overall audit strategy, overall responses and the audit plan are entirely the auditors responsibility. However, it is often useful to discuss some elements of the detailed audit plan (such as timing) with management. Such discussions often result in minor changes to the plan to coordinate timing and facilitate the performance of certain procedures. The exact nature, timing and scope of the planned procedures would not be discussed in detail with management or changed or scaled back to accommodate a management request. Such requests could compromise the effectiveness of the audit, make audit procedures too predictable and could constitute a scope limitation. ASA 260 sets out a number of matters that the auditor is required to communicate with those charged with governance. Refer to Part B, Chapter 20.3 for a listing of such matters. These requirements are designed to ensure an effective two-way communication between the auditor, management and those charged with governance.
Practical guidance
485
Consider point
Auditors should consider having periodic, regular status updates with management to inform them of any preliminary ndings, request any additional documentation or request any assistance required and/or discuss other issues. Any signicant changes to the audit plan should also be communicated to management and those charged with governance.
31.13 Case studies the responsive audit plan

For details of the case studies, refer to Part B, Chapter 17 Introduction to the case studies. The following case study examples outline the considerations and possible audit procedures that could be used in developing a detailed audit plan for accounts receivable. Since the purpose of the audit plan is to reduce the risk of a material misstatement to an acceptably low level, it is important to review the risks identied in the risk assessment phase for the revenue/receivables/ receipts cycle.

According to the risk assessment in Part B, Chapter 29.6 Concluding the risk assessment phase, the assessed risks were:
Assessed risks at nancial report level (high, moderate or low) Assertions (Completeness, Existence, Accuracy and Valuation) Assessed risks at assertion level (high, moderate or low) Changes in assessed risks from the previous period. None Low C L E M A L V M
Questions to be considered in developing the receivables audit plan:

Planning considerations 1. Are there assertions that cannot be addressed by substantive tests alone? Response Completeness of sales will be addressed through a combination of tests of controls and analytical procedures. Note for next year if the internet sales continue to grow, additional tests of controls may be required due to the loss of paper trail. Tests of controls could be used to reduce the level of risk reduction required from other substantive procedures (conrmations) in accounts receivable. But we are not totally certain as to the reliability of control operation so only substantive procedures will be used.
2. Is internal control over related transaction streams/processes expected to be reliable? If so, could the controls be tested to reduce need/scope for other substantive procedures?
PART B
486
Planning considerations 3. Are there substantive analytical procedures available that would reduce need/scope for other audit procedures? 4. Is there a need to incorporate an element of unpredictability or further audit procedures (such as to address fraud, risk, etc.)? 5. Are there signicant risks that require special attention?
Response No.
Some extended audit procedures will be performed to address the risks identied for management override. There are some possible fraud risks (Part B, Chapter 24) in relation to revenue recognition. These will be addressed by substantive extended procedures. Valuation of accounts receivable is a specic risk requiring special attention. Additional analysis and review of subsequent payments will be done. Need to be mindful of undisclosed relatedparty transactions outside of the normal course of business throughout the audit.
Based on the auditors professional judgement, an appropriate mix of procedures is required to reduce the risks of material misstatement (RMM) to an acceptably low level for relevant assertions (applicable to the receivable balance). The following is a sample audit response to the assessed level of risk for accounts receivable.
Summary of proposed audit response (check the applicable boxes under CEAV) A. Substantive procedures basic B. Substantive procedures extended (sampling, fraud, signicant risks, etc.) C. Substantive analytical procedures (proof in total, etc.) D. Tests of controls (operating effectiveness) Based on professional judgement, are the procedures outlined above sufcient to address the assessed risks? (Yes/no) If no, explain below. Comments: x Yes Yes Yes Yes C x E x x A x V x x
A sample audit program that responds to the risks identied is outlined in the case study notes for Part B, Chapter 32.7.
Practical guidance
487

According to the risk assessment in Part B, Chapter 29.6 Concluding the risk assessment phase, the assessed risks were:
Assessed risks at nancial report level (high, moderate or low) Assertions (Completeness, Existence, Accuracy and Valuation) Assessed risks at assertion level (high, moderate or low) Changes in assessed risks from the previous period. None Increased risks related to related-party transactions and possible fraud resulting from Robert s absence. Moderate C L E M A M V L
Questions to be considered in developing the receivables audit plan:

Planning considerations 1. Are there assertions that cannot be addressed by substantive tests alone? 2. Is internal control over related transaction streams/processes expected to be reliable? If so, could the controls be tested to reduce need/scope for other substantive procedures? 3. Are there substantive analytical procedures available that would reduce need/scope for other audit procedures? 4. Is there a need to incorporate an element of unpredictability or further audit procedures (such as to address fraud, risk, etc.)? 5. Are there signicant risks that require special attention? Response The completeness of sales will be addressed by a combination of analytical review and extended substantive testing. Due to the small size of the company, there are limited controls. We obtained an understanding of internal control but we will not test controls or place any reliance on them. No.
Not considered necessary as the receivables balance at year end relates primarily to ONeal Furniture. The possibility of inconsistent revenue recognition or fraud will be addressed through substantive extended procedures. Need to be mindful of undisclosed relatedparty transactions outside of the normal course of business throughout the audit.
The following is a sample audit response to the assessed level of risk for accounts receivable.
Summary of proposed audit response (check the applicable boxes under CEAV) A. Substantive procedures basic B. Substantive procedures extended (sampling, fraud, signicant risks, etc.) C. Substantive analytical procedures (proof in total, etc.) D. Tests of controls (operating effectiveness) C x x E x x A x x V x
PART B
488
Based on professional judgement, are the procedures outlined above sufcient to address the assessed risks? (Yes/no) If no, explain below. Comments: none
Yes
Yes
Yes
Yes
A sample audit program that responds to the risks identied is outlined in the case study notes for Part B, Chapter 32.7.
Practical guidance
489
32.
Determining the extent of testing

Relevant ASAs
Chapter content Guidance on determining the extent of testing required to be responsive to the assessed risks of material misstatement.
330, 500, 530
Exhibit 32.0-1
Activity
Purpose
Documentation
Risk response
Paragraph # 530.5
Relevant extracts from ASAs For the purposes of the Australian Auditing Standards, the following terms have the meanings attributed below: (a) Audit sampling (sampling) means the application of audit procedures to less than 100% of items within a population of audit relevance such that all sampling units have a chance of selection in order to provide the auditor with a reasonable basis on which to draw conclusions about the entire population. (b) Population means the entire set of data from which a sample is selected and about which the auditor wishes to draw conclusions. (c) Sampling risk means the risk that the auditors conclusion based on a sample may be different from the conclusion if the entire population were subjected to the same audit procedure. Sampling risk can lead to two types of erroneous conclusions: (i) In the case of a test of controls, that controls are more effective than they actually are, or in the case of a test of details, that a material misstatement does not exist when in fact it does. The auditor is primarily concerned with this type of erroneous conclusion because it affects audit effectiveness and is more likely to lead to an inappropriate audit opinion. (ii) In the case of a test of controls, that controls are less effective than they actually are, or in the case of a test of details, that a material misstatement exists when in fact it does not. This type of erroneous conclusion affects audit efciency as it would usually lead to additional work to establish that initial conclusions were incorrect. (d) Non-sampling risk means the risk that the auditor reaches an erroneous conclusion for any reason not related to sampling risk. (Ref: Para A1)
PART B
490
Paragraph #
Relevant extracts from ASAs (e) Anomaly means a misstatement or deviation that is demonstrably not representative of misstatements or deviations in a population. (f) Sampling unit means the individual items constituting a population. (Ref: Para A2) (g) Statistical sampling means an approach to sampling that has the following characteristics: (i) Random selection of the sample items; and (ii) The use of probability theory to evaluate sample results, including measurement of sampling risk. A sampling approach that does not have characteristics (i) and (ii) is considered non-statistical sampling. (h) Stratication means the process of dividing a population into subpopulations, each of which is a group of sampling units which have similar characteristics (often monetary value). (i) Tolerable misstatement means a monetary amount set by the auditor in respect of which the auditor seeks to obtain an appropriate level of risk reduction that the monetary amount set by the auditor is not exceeded by the actual misstatement in the population. (Ref: Para A3) (j) Tolerable rate of deviation means a rate of deviation from prescribed internal control procedures set by the auditor in respect of which the auditor seeks to obtain an appropriate level of risk reduction that the rate of deviation set by the auditor is not exceeded by the actual rate of deviation in the population.
330.12
If the auditor obtains audit evidence about the operating effectiveness of controls during an interim period, the auditor shall: (a) Obtain audit evidence about signicant changes to those controls subsequent to the interim period; and (b) Determine the additional audit evidence to be obtained for the remaining period. (Ref: Para. A33-A34)
330.13
In determining whether it is appropriate to use audit evidence about the operating effectiveness of controls obtained in previous audits, and, if so, the length of the time period that may elapse before retesting a control, the auditor shall consider the following: (a) The effectiveness of other elements of internal control, including the control environment, the entitys monitoring of controls, and the entitys risk assessment process; (b) The risks arising from the characteristics of the control, including whether it is manual or automated; (c) The effectiveness of general IT controls; (d) The effectiveness of the control and its application by the entity, including the nature and extent of deviations in the application of the control noted in previous audits, and whether there have been personnel changes that signicantly affect the application of the control; (e) Whether the lack of a change in a particular control poses a risk due to changing circumstances; and (f) The risks of material misstatement and the extent of reliance on the control. (Ref: Para. A35)
Practical guidance
491
Paragraph # 330.14
Relevant extracts from ASAs If the auditor plans to use audit evidence from a previous audit about the operating effectiveness of specic controls, the auditor shall establish the continuing relevance of that evidence by obtaining audit evidence about whether signicant changes in those controls have occurred subsequent to the previous audit. The auditor shall obtain this evidence by performing enquiry combined with observation or inspection, to conrm the understanding of those specic controls, and: (a) If there have been changes that affect the continuing relevance of the audit evidence from the previous audit, the auditor shall test the controls in the current audit. (b) If there have not been such changes, the auditor shall test the controls at least once in every third audit, and shall test some controls each audit to avoid the possibility of testing all the controls on which the auditor intends to rely in a single audit period with no testing of controls in the subsequent two audit periods. (Ref: Para. A37-A39)
32.1
Overview
Sufcient appropriate audit evidence may be obtained by selecting and examining the following.
Selecting and examining All items (100% examination) This is appropriate when: > The population constitutes a small number of large value items > There is a signicant risk and other means do not provide sufcient appropriate audit evidence, and > CAATs can be used in a larger population to electronically test a repetitive calculation or other process. Specic items This is appropriate for: > High value or key items that could individually result in a material misstatement > All items over a specied value > Any unusual or sensitive items or nancial report disclosures > Any items that are highly susceptible to misstatement > Items that will provide information about matters such as the nature of the entity, the nature of transactions and internal control, and > Items to test the operation of certain control activities.
PART B
Exhibit 32.1-1
492
Selecting and examining Representative sample of items from the population This is appropriate for reaching a conclusion about an entire set of data (population) by selecting and examining a representative sample of items within the population. Sampling enables the auditor to obtain and evaluate audit evidence about specied characteristics. The determination of sample size may be made using either statistical or non-statistical methods.
The decision as to which approach to use will depend on the circumstances. The application of any one or a combination of the above means may be appropriate in particular circumstances. Choosing sampling as the most efcient method of obtaining the necessary risk reduction for an assertion has a number of advantages as illustrated below.
Exhibit 32.1-2
Benets Use of representative samples > Valid conclusions can be drawn. The auditors objective is obtaining reasonable risk reduction and not absolute certainty. > Results can be combined with results from other tests. > Evidence obtained from one source can be corroborated by evidence obtained from another source to provide increased risk reduction. > An examination of all of the data would not provide absolute certainty. For example, unrecorded transactions will never be detected. > Cost savings. The cost of examining every entry in the accounting records and all supporting evidence would be uneconomical.
Part A, Chapter 8 outlines the nature and use of further audit procedures. This chapter focuses on the extent of testing and use of sampling techniques.
Sampling techniques
Sampling does not have to be selected as an audit procedure but where it is used all the sampling units in a population (such as sales transactions or receivables balances) are required to have a chance of selection. This is necessary to enable the auditor to draw reasonable conclusions about the entire population. In any sample of less than 100% of the population, there is always the risk that a misstatement may not be identied and that it might exceed the tolerable level of misstatement or deviation. This is called sampling risk. Sampling risk can be reduced by increasing the sample size, while non-sampling risk can be reduced by proper engagement planning, supervision and review. There are two types of sampling commonly used in auditing, as set out below.
Practical guidance
493
Exhibit 32.1-3
Sample attributes Statistical sampling Sample is selected on a random basis. This means that every item in the population has a known (statistically appropriate) chance of being selected. Results can be mathematically projected. Probability theory can be used to evaluate the sample results, including measurement of sampling risk. Non-statistical or A sampling approach that does not have the characteristics outlined judgemental sampling above for statistical sampling.
In determining the sample size, the auditor would determine the tolerable rate of deviation (exceptions) that would be acceptable. > Substantive procedures Performance materiality (whether overall or for a specic item) is set in relation to overall materiality (whether overall or for a specic item, respectively). The tolerable misstatement level is set in relation to performance materiality (either overall or for the specic item, as the case may be). The higher the tolerable misstatement level is set, the smaller the sample size. The lower the tolerable level of misstatement is set, the larger the sample size. Note that the tolerable level of misstatement will often be the same as performance materiality. > Tests of controls For tests of controls, the tolerable rate of deviation is likely to be very small, often allowing for no deviations or possibly only one. Tests of controls provide evidence as to whether the controls work or not. Consequently, they would only be used where the operation of the control was expected to be reliable.
32.2
530.6
Use of sampling
Relevant extracts from ASAs When designing an audit sample, the auditor shall consider the purpose of the audit procedure and the characteristics of the population from which the sample will be drawn. (Ref: Para. A4-A9) The auditor shall determine a sample size sufcient to reduce sampling risk to an acceptably low level. (Ref: Para. A10-A11) The auditor shall select items for the sample in such a way that each sampling unit in the population has a chance of selection. (Ref: Para. A12-A13) The auditor shall perform audit procedures, appropriate to the purpose, on each item selected. If the audit procedure is not applicable to the selected item, the auditor shall perform the procedure on a replacement item. (Ref: Para. A14)
Paragraph #
530.7 530.8 530.9 530.10
PART B
494
Paragraph # 530.11
Relevant extracts from ASAs If the auditor is unable to apply the designed audit procedures, or suitable alternative procedures, to a selected item, the auditor shall treat that item as a deviation from the prescribed control, in the case of tests of controls, or a misstatement, in the case of tests of details. (Ref: Para. A15-A16) The auditor shall investigate the nature and cause of any deviations or misstatements identied, and evaluate their possible effect on the purpose of the audit procedure and on other areas of the audit. (Ref: Para. A17) In the extremely rare circumstances when the auditor considers a misstatement or deviation discovered in a sample to be an anomaly, the auditor shall obtain a high degree of certainty that such misstatement or deviation is not representative of the population. The auditor shall obtain this degree of certainty by performing additional audit procedures to obtain sufcient appropriate audit evidence that the misstatement or deviation does not affect the remainder of the population. For tests of details, the auditor shall project misstatements found in the sample to the population. (Ref: Para. A18-A20) The auditor shall evaluate: (a) The results of the sample; and (Ref: Para. A21-A22) (b) Whether the use of audit sampling has provided a reasonable basis for conclusions about the population that has been tested. (Ref: Para. A23)
530.12
530.13
530.14 530.15
Building a foundation
Whenever statistical or non-statistical sampling techniques are being considered, the auditor would address and document the following matters.
Exhibit 32.2-1
Factors to consider Purpose of test? Primary source of evidence? Previous experience? What population? Comments The starting point for the test design is to establish the purpose of the test and what assertions will be addressed. What is the primary source of evidence for each assertion to be addressed and what is secondary? This differentiation will help to ensure audit effort is directed to the right place. What was the experience (if any) in performing similar tests in previous periods? Consider the effectiveness of the test and the existence and disposition of deviations (errors), if any, found in the samples selected. Ensure the population of items to be tested is appropriate to achieve the test objectives. Sampling will not identify or test items that are not already included within the population. For example, a sample of receivable balances may be used to test the existence of receivables but such a population would not be appropriate for testing the completeness of receivables. Also consider the size of the population. In some cases, a statistical conclusion may not be drawn if the population to be tested is too small to sample.
Practical guidance
495
Factors to consider What sampling unit to use?
Comments Consider the purpose of the test and the assertion being addressed. This decision will determine what items will be selected to test. Examples include sales invoices, sales orders and customer account balances. Statistical conclusions can be drawn from statistical samples. Conclusions based on professional judgement can be made from judgemental non-statistical samples. Non-statistical samples are often used in combination with other audit procedures that address the same assertion. Failure to properly dene a deviation will result in time wasted by staff in reviewing minor exceptions that may not constitute a deviation. Also, determine how the reasons and implications of deviations found will be followed up by audit staff. If there are larger transactions or balances in the population that can be evaluated separately, it may result in smaller sample sizes from remaining items in the population. In some cases, the evidence gained from testing the larger transactions or balances may be sufcient to eliminate the need for sampling altogether. Could computer-assisted audit techniques (CAATs) provide a better or more efcient result? For many tests, 100% of the population can be tested by CAATs (as opposed to just a sample) and custom reports can be prepared that identify unusual items for follow up. Consider whether the population can be stratied by dividing it into discrete subpopulations which have an identifying characteristic. For example, if a population contained a number of high-value transactions, the population (for a test of details) could be stratied by monetary value. This allows greater audit effort to be directed to the larger value items, as these items may contain the greatest potential misstatement in terms of overstatement. A population may also be stratied according to a particular characteristic that indicates a higher risk of misstatement. When testing the adequacy of the allowance for doubtful accounts (valuation of accounts receivable), the receivable balances may be stratied by age. Where subpopulations are tested separately, the misstatements will be projected for each stratum separately. Projected misstatements for each stratum can then be combined to consider the possible effect of misstatements on the account balance or class of transactions.
Statistical or non-statistical?
Denition of a deviation?
Any high-value items to exclude?
Use of CAATs
Any stratication possible?
What precision is required?
Performance materiality is often used as the basis for tolerable misstatement. This also represents the precision for a statistical test. Performance materiality would be set at an amount that allows for the possible existence of undetected and immaterial misstatements aggregating to a material amount.
PART B
496
Factors to consider What condence level is required?
Comments Condence is the level of acceptable risk (detection risk) that the test will not produce accurate results. Is a high level of condence (resulting in a larger sample) or a lower condence level (resulting in a smaller sample) required? The condence level required in a particular test will be based on factors such as: > Evidence obtained from other sources such as analytical review, other substantive procedures and testing the operational effectiveness of related controls, and > The importance of the nancial report assertion or line item compared with overall materiality. For example, a 95% level of condence indicates that if a particular test was performed 100 times (selecting representative transactions at random), the results would be accurate (within the margin of misstatement) 95 times out of the 100 tests. There is a risk that ve tests out of the 100 will produce inaccurate results.
When statistical sampling is planned, the tolerable misstatement or deviation rate would also be addressed.
Exhibit 32.2-2
Factors to consider What is the tolerable misstatement or tolerable deviation rate? Comments Tolerable misstatement is used in sampling tests of details to address the risk that the aggregate of individually immaterial misstatements may cause the nancial report to be materially misstated and to provide a margin for possible undetected misstatements. Tolerable misstatement is the application of performance materiality to a particular sampling procedure. Tolerable misstatement may be the same amount as or an amount lower than performance materiality. Tolerable rate of deviation is used for tests of controls where the auditor sets a rate of deviation from prescribed internal control procedures to obtain an appropriate level of assurance. The auditor seeks to obtain an appropriate level of assurance that the set rate of deviation is not exceeded by the actual rate of deviation in the population.
32.3
Extent of substantive procedures (using statistical sampling)
The greater the risks of material misstatement, the greater the extent of substantive procedures required. The extent of substantive procedures may be reduced by testing the operating effectiveness of internal control. However, if the results are unsatisfactory, the extent of substantive procedures may actually need to be increased.
Practical guidance
497
Determining sample sizes monetary unit sampling

The most common method of sampling for tests of details is monetary unit sampling. Under this method, the probability of an item (for example, an accounts receivable balance) being selected for testing is directly proportional to the monetary value of the item. Thus, an accounts receivable balance of $6,000 is three times as likely to be selected as an accounts receivable balance of $2,000. Under this method, it would not be appropriate to select physical units such as every ftieth invoice or transaction. Although monetary unit sampling may be the most common form of sampling used by auditors, there are a number of other sampling methods which could be more appropriate in certain circumstances. Discussion of these other sampling methods has not been included in this Manual.
Selection of condence factors

When designing a substantive test, the auditor may nd it useful to use three levels of risk reduction such as high, moderate and low. The difference between the levels can be based on the condence factor used for selecting the sample. The higher the condence factor, the higher the sample size and the level of risk reduction obtained. This is illustrated in the following exhibit which provides typical condence levels to achieve high, moderate and low risk reductions.
Exhibit 32.3-1
Risk reduction required High Moderate Low Condence level 95% 80-90% 65-75% Condence factor 3.0 1.6 2.3 1.1 1.4
An effective set of audit procedures designed to respond to assessed risks and specic assertions may contain a mixture of tests of controls and substantive procedures. The following table gives a partial list of condence factors for various condence levels. For example if a 90% condence level is required, the condence factor to be used would be 2.3.
Exhibit 32.3-2
Condence level 50% 55% 60% 65% Condence factor 0.7 0.8 0.9 1.1
PART B
498
Condence level 70% 75% 80% 85% 90% 95% 98% 99%
Condence factor 1.2 1.4 1.6 1.9 2.3 3.0 3.7 4.6
Selecting the sample Exhibit 32.3-3

Monetary unit Sample selection process Description > Remove the high-value and key items from the population. > Compute the sampling interval. > Select a random starting point for selecting the rst item. The random starting point can range from $1 to the sampling interval. Each successive selection is made on the value of the previous selection plus one sampling interval.
Note: Ensure that the sample selection process, including the basis for selecting the random starting point (from a random number generator or using professional judgement), is appropriately documented.
Step 1 calculate the sampling interval

The formula is as follows.
Sampling interval = performance materiality/tolerable misstatement condence factor
If the sampling interval was $17,391, the rst account to be selected could be randomly chosen as the one containing the $10,000th. The second account selected would be the account containing the cumulative amount of $27,391st (starting point + sampling interval = $10,000 + $17,391). The third account selected would be the account that contained the cumulative amount of $44,782nd ($27,391 + $17,391). This process would continue to the end of the population.
Practical guidance
499
Step 2 calculate the sample size

Sample sizes for the monetary unit sampling of representative items are usually determined by the following formula.
Sample size = population to be tested sampling interval
The population to be tested should exclude any specic items removed for separate evaluation.
Step 3 select the sample

Remove any high-value and key items from the population (for separate consideration) and compute the sampling interval (refer to Step 1 previous). Then select a random starting point for selecting the rst item. The random starting point can range from $1 to the sampling interval. Each successive selection is made on the value of the previous selection plus one sampling interval. The following three examples illustrate this process.
Example 1 sampling accounts receivable balances Exhibit 32.3-4

Question Purpose of test Response To verify the existence of accounts receivable by selecting a sample of receivable balances and sending conrmation letters. Existence = high risk Accounts receivable balances at period end. $177,203 $38,340 None. Limited. No other sources of risk reduction so 95% or 3.0 will be used. $15,000 None
Risks of material misstatement in the relevant assertions Population to be tested Monetary value of population Specic items subject to separate evaluation Risk reduction obtained from testing controls Risk reduction from other procedures such as risk assessment procedures Condence factor to be used (reduce for risk reduction gained from other sources) Performance materiality Expected deviations in sample
Sampling interval = Sample size =
$15,000 / 3.0 = $5,000 ($177,203 $38,340) / $5,000 = 28
PART B
500
In this example, the sampling interval was $5,000. Therefore, if the rst item chosen randomly was $436, the next item would be in the transaction or balance that contained the cumulative amount of $5,436. The third item would be in the transaction or balance that contained the cumulative amount of $10,436 and so on until the 28 items have been selected. Note: It is likely that the higher value items will be selected for testing (refer to the partial population of accounts receivable balances below).
Exhibit 32.3-5
Accounts receivable balance ($) Customer A Customer B Customer C Customer D Customer E Customer F 4,750 3,500 1,800 2,700 950 2,580 Cumulative total ($) 4,750 8,250 10,050 12,750 13,700 16,280 Sampling interval ($) 436 5,436 10,436 10,436 15,436 15,436 Include in sample? Yes Yes No Yes No Yes
Example 2 sampling accounts receivable balances Exhibit 32.3-6

Question Purpose of test? Response To verify the existence of receivables by selecting a sample of accounts receivable balances and sending conrmation letters. Existence = moderate risk Accounts receivable balances at period end. $177,203 $38,340 A low level of control risk has been established over related controls. Limited. In light of other sources of evidence, a condence factor of 70% (1.2) will be used. $15,000 None.
Risks of material misstatement in the relevant assertions? Population to be tested? Monetary value of population? Specic items subject to separate evaluation? Risk reduction obtained from testing controls? Risk reduction from other procedures such as risk assessment procedures? Condence factor to be used (reduce for risk reduction gained from other sources)? Performance materiality? Expected deviations in sample?
$15,000 / 1.2 = $12,500 ($177,203 - $38,340) / $12,500 = 12
Practical guidance
501
Example 3 sampling purchase invoices Exhibit 32.3-7

Question Purpose of test? Response To verify the existence and accuracy of purchases by selecting a sample of purchase invoices. Existence = Low risk Accuracy = Low risk Purchase invoices for period. $879,933 $46,876 None. Moderately effective substantive analytical procedures. In light of the other sources of evidence, a condence factor of 80% (1.6) will be used.
Risks of material misstatement in the relevant assertions? Population to be tested? Monetary value of population? Specic items subject to separate evaluation? Risk reduction obtained from testing controls? Risk reduction from other procedures such as risk assessment procedures? Condence factor to be used (reduce for risk reduction gained from other sources)? Performance materiality? Expected deviations in sample?
None.
$15,000 / 1.6 = $9,375 ($879,933 $46,876) / $9,375 = 89
As illustrated above, the sample sizes for substantive tests can become very large when examining transaction streams. It is often more efcient to test internal controls (where the sample size is smaller) or perform other types of audit procedures to obtain the required evidence.
Projecting misstatements
The process is set out in the following exhibit.
PART B
$15,000
502
Exhibit 32.3-8
Projecting the extent of misstatements Describe the nature and extent of misstatements identied 1. Calculate the percentage of misstatement in each item. If the amount was found to be $50 but should have been $60, the misstatement is $10 or 17% of the total. 2. Add up the misstatement percentages, netting overstatements and understatements. 3. Calculate the average percentage misstatement per item sampled by dividing the total misstatement percentages by the number of all items sampled (with and without misstatement). 4. Multiply the average percentage misstatement by the total representative population monetary value (excluding high-value and key items). This results in the projected misstatement for the sample. Obviously, this excludes any misstatements found in highvalue and key items previously removed from the sample.
For example, a sample of 50 items selected from a population of $250,000 contained the following three misstatements.
Exhibit 32.3-9
Correct value ($) 500 350 600 Audited value ($) 400 200 750 Misstatement ($) 100 150 (150) Misstatement (%) 20.00 42.86 (25.00) 37.86 0.7572 $1893
Total % error (sum of misstatement percentages) Average % misstatement: Projected misstatement: 37.86% 50 (sample size) = 0.7572% $250,000 (population) =
The projected misstatement is sometimes called most likely error (MLE). See toolkit item 610: Worksheet Sampling Tests of details.
Practical guidance
503
Consider point
Anomalies There may be a temptation to regard some misstatements/deviations (discovered in a sample) to be an anomaly (not representative of the population) and exclude them when projecting misstatements in the population. However, additional audit work is required, regardless of whether the misstatement/deviation is or is not representative of the population: > If the deviation is representative of the population, the auditor shall investigate the nature and cause and evaluate their possible effect on the purpose of the audit procedure and on other areas of the audit. > If the deviation is considered an anomaly, the auditor shall obtain a high degree of certainty that such misstatement or deviation is not representative of the population. This requires performing further audit procedures to obtain sufcient appropriate audit evidence that the misstatement or deviation does not affect the remainder of the population. Note that ASA 530.13 states that anomalies only occur in extremely rare circumstances.
32.4
Extent of substantive analytical procedures
Part A, Chapter 8 outlines the two levels of risk reduction that can be gained from performing substantive analytical procedures. This risk reduction is highly effective (ie. the primary test) and moderately effective. Simple analytical procedures (such as a comparison of last years results to this year) may help to identify an issue that needs to be followed up but provide little further audit evidence. This type of analytical procedure can be used in understanding the entity, performing risk assessment procedures and reviewing the nal nancial report. When designing substantive analytical procedures, the auditor would: > Develop the amount of difference from the expectation that can be accepted without further investigation. This should be inuenced primarily by materiality and consistency with the desired level of risk reduction > Consider the possibility that a combination of misstatements in the specic account balance, class of transactions or disclosure could aggregate to an unacceptable amount, and > Increase the desired level of risk reduction as the risks of material misstatement increase. See toolkit item 614: Worksheet Substantive analytcial procedures.
PART B
Substantive analytical procedures will either be the primary test of the account balance or they will be used in combination with other tests of details that have been appropriately reduced in extent.
504
Exhibit 32.4-1 Example of a substantive analytical procedure

Questions Describe the procedure to be performed and the expected outcome. Response Multiply the rent charges per unit with the number of rental units to predict the revenue from apartments and then compare result with the revenue recorded in the entitys accounting records. $278,000 Completeness, existence and accuracy. $10,000 1% Low. Describe the procedures performed W/P to evaluate the reliability of each ref data element used (consider source, comparability, nature, relevance, and controls over preparation). We reviewed the oor plans and physically inspected the building for major changes. We reviewed a sample of lease contracts to determine the rent payable.
What is the value of the recorded amount or ratio? What assertions will be addressed? What performance materiality will be used? What amount of difference (between recorded amounts and expected values) is acceptable? Remaining risk of material misstatement after procedure performed (ie. moderate or low). Describe details of each data element used in calculating the expected outcome (ie. nancial and non-nancial).
1. Rental units
2. Rent per unit
3. 4. Provide details of the calculation, the expected outcome and results of the comparison to the recorded amount or ratio: Number of rental units = 26 Rent per unit = $12,000 per year
Calculation = 26 X $12,000 = $312,000. The difference to the recorded amount is $34,000. Where the difference (between recorded amounts and expected values) exceeds the acceptable value, explain what investigation was performed and the results ie. enquiries of management, obtaining additional evidence and performing other audit procedures). We enquired about the difference and veried that on average two units were vacant (not the same ones) each month during the year and one unit was not rented and used for meeting purposes and as an occasional accommodation for visitors. This accounts for $36,000 of the difference leaving $2,000 unexplained. This is below the acceptable level described above. Conclusion: Test was successfully completed.
Practical guidance
505
Consider point
The use of non-nancial data in a substantive analytical procedure can often enhance the result. Non-nancial data could include information such as headcounts, square footage for a retail store or the number of specic products shipped. When performing analytical procedures, it is imperative to set expectations (for example, relationship with related balances, changes from prior period, etc.) and then compare those expectations to the nancial report information. Avoid the opposite approach of starting with the nancial information and then attempting to explain variances using knowledge of the client and its environment. Analytical procedures are much stronger when they are created by expectations based on an understanding of the entity and its environment. However, the reliability of any non-nancial data used needs to be established before its use in a substantive analytical procedure.
32.5
Tests of control operating effectiveness
Audit procedures used to test controls consist of one or more of the four types outlined below.
Exhibit 32.5-1
Tests of internal control over operating effectiveness Types of procedures > Enquiries of appropriate personnel (remember though that enquiry alone is not sufcient to test the operating effectiveness of controls). > Inspection of relevant documentation. > Observation of the entitys operations. > Re-performance of the application of the control.
Pervasive (entity level) controls

Paragraph# 315.14 Relevant extracts from ASAs The auditor shall obtain an understanding of the control environment. As part of obtaining this understanding, the auditor shall evaluate whether: (a) Management, with the oversight of those charged with governance, has created and maintained a culture of honesty and ethical behaviour; and (b) The strengths in the control environment elements collectively provide an appropriate foundation for the other components of internal control, and whether those other components are not undermined by deciencies in the control environment. (Ref: Para. A69-A78)
Testing of the pervasive controls that exist at the entity level tends to be more subjective (such as testing the commitment to competence or understanding of entity policies on acceptable behaviours) than testing specic transactional controls. Yet these controls collectively provide the appropriate foundation for the other components of internal control.
PART B
506
The exhibit below sets out some possible methods for testing pervasive (entity level) controls.
Exhibit 32.5-2
Control environment Communication and enforcement of integrity and ethical values Commitment to competence Possible tests of controls > Read statement on the entitys website and any code of conduct or equivalent > Review communications to staff > Conduct interviews with a sample of staff. > Review hiring and ring policies > Review job descriptions and documentation contained on selected employee les. > Review any self-assessments made > Review qualications of board members and minutes of meetings > Attend a meeting as an observer. Managements philosophy and operating style Organisational structure Assignment of authority and responsibility Human resources policies and practices > Review any documentation > Conduct interviews with a sample of staff. > Review structure in light of best practices for nature of entity. > Review any documentation such as job descriptions.
Participation by those charged with governance
> Review policies and practices and compliance > Review employee les for staff evaluations, training programs attended, etc.
Similar types of tests of controls could be designed to address other pervasive (entity level) controls such as: > Risk assessment > Information systems > Monitoring > The period-end close process, and > Anti-fraud controls. The results of performing tests of pervasive controls can also be more difcult to document than internal control at the business process level (such as checking to see if a payment was authorised, which can be documented with a simple yes/no response). As a result, the evaluation of pervasive (entity level and general IT) controls is often documented with memorandums to the le along with supporting evidence.
Practical guidance
507
For example, to test whether management communicates the need for integrity and ethical values to all personnel, and enforces its policies, a sample of employees could be selected for interviews. The employees could be asked about communications they have received from management, what relevant policies and procedures exist, what values they see demonstrated on a dayto-day basis by management and whether the policies are indeed enforced. If the common response among the employees is that management has indeed communicated the need for integrity and ethical values and there are instances of where policies were enforced, then the test would be a success. Details of each employees interview and supporting documentation (such as the entitys policies, communications and enforcement actions) would then be recorded in a memo to le with the conclusions reached. See toolkit item 618: Worksheet Tests of controls Pervasive controls. Consider point
Timing It is preferable to test the pervasive (entity level) controls early in the audit process. The results of testing these controls could impact the nature and extent of other planned audit procedures. For example, if it is found that managements attitude towards controls is not as good as expected, further procedures will be required in relation to account balances and classes of transactions. Planning Take time to determine the most appropriate way to test the pervasive (entity-level) controls. Consider using an appropriate combination of enquiry, observation, re-performance and inspection tests. Ask open-ended questions Avoid asking yes/no questions. Instead ask questions that may illicit information that you may not already know. For example, ask have you ever been asked to depart from an established accounting policy or do something that made you feel uncomfortable?. Also remember to listen carefully to the persons response and watch the body language for signs of unease or distress giving answers. Follow up on outstanding matters If management or a staff member refuses to supply requested information or you obtain unexpected information, ensure it is appropriately followed up and changes made if necessary in the overall audit strategy and planned procedures. Monitoring controls in larger entities Some larger entities have developed entity level monitoring controls that provide evidence of the ongoing operation of entity level controls. Where this occurs, consider whether reliance can be placed on these controls to reduce the overall extent of other testing required.
PART B
508
Although most pervasive (entity level and general IT) controls will be tested through the exercise of professional judgement and objectively applied to the circumstances, there are some situations where use of a representative sample may be applicable. An example would be the availability of evidence that monthly nancial reports were reviewed and appropriate action taken.
Transactional controls attribute sampling

Tests of controls provide evidence that a control is operating effectively throughout the period of reliance, which will be a specied period such as a year. Because transactional controls either operate effectively or not, it is not worth testing the operation of controls that could ultimately prove unreliable. Unreliable controls are those where there is a likelihood that deviation will be found. Sample sizes for tests of controls are often small because they are based on no exceptions being found. Otherwise the sample sizes required would be much larger. Some of the factors to consider in assessing the reliability of controls are outlined below.
Exhibit 32.5-3
Test of controls design Factors to consider > Is it possible for the established procedures to have been circumvented by management (ie. management override)? > Is there a signicant manual element involved in the control that could be prone to error? > Is there a weak control environment? > Are general IT controls poor? > Is the ongoing monitoring of internal control poor? > Have personnel changes occurred during the period that signicantly affect the application of the control? > Does the small number of staff involved in the control operation make meaningful segregation of duties impractical? > Have changing circumstances necessitated the need for changes in the operation of the control?
Reliance on indirect internal controls

Consider the need to obtain audit evidence supporting the effective operation of signicant indirect internal controls. These are controls upon which other controls depend, such as non-nancial information produced by a separate process, the treatment of exceptions and periodic reviews of reports by managers. Where signicant, evidence of the operating effectiveness of the
Practical guidance
509
indirect internal controls would be required. If any of the above factors are signicant, it may be more effective to perform substantive procedures. In designing tests of controls, the auditor should focus on the evidence that will be obtained with respect to the relevant assertions addressed (the points where misstatements could occur in the nancial report) as opposed to nature of the control itself. Controls are designed to mitigate risks and ensure, for example, the completeness of sales. There are also a number of practical advantages in designing tests of controls that focus rst on the assertion to be addressed. For example: > The controls tested can be linked directly to the risks of material misstatements in the nancial report > Because the test objective is not dependent on specic controls, other controls that address the same risks (or control objectives) can be tested. This enables unpredictability or variation in the testing to be used, and > It makes it easier to evaluate and test new controls introduced by the entity that address the same assertions. Tests of controls are often designed to provide either a low or a moderate level of control risk (high or moderate level of risk reduction (condence)) that the control being tested is operating effectively. When designing tests of controls, the auditor may nd it useful to consider the two levels of condence to be gained from tests of controls: > A high level of condence (low level of risk remaining). This applies where the primary evidence is coming from tests of controls, and > A moderate level of condence (moderate level of risk remaining). This applies where the tests of controls will be combined with other substantive procedures to address a particular assertion. Attribute sampling is often used to test controls. This technique uses the smallest sample size capable of providing a specied chance of detecting a deviation rate that exceeds the tolerable rate of deviation. See toolkit item 615: Worksheet Sampling Tests of controls.
PART B
510
Exhibit 32.5-4
Advantages Attribute (or discovery) sampling Ideal for testing the operating effectiveness of internal controls that have already been assessed as highly reliable during the evaluation of control design and implementation. If any level of deviation is expected in the performance of a control, it is recommended that alternative approaches to gathering audit evidence be considered. If no deviations are found in such a test of controls sample, the auditor can assert that the control is operating effectively. If a deviation is found, it is usually more efcient to stop the procedure and perform alternative substantive audit procedures instead. Just one control deviation will likely cause a revision to the assessed level of control risk. To continue with a test after nding a deviation would require a signicant extension of the sample size and possibly no further deviations would be found.
Determining the sample size

Sample sizes are determined as illustrated below.
Sample size = condence factor tolerable deviation rate
For testing the operating effectiveness of controls with minimal reliance on other work performed, a 90% condence level (related condence factor = 2.3) is often used (see Exhibit 32.3-2 for the condence factor table). The maximum tolerable deviation rate could be 10%. The smallest sample size in this case would be 23, calculated as follows.
Condence factor (2.3) tolerable deviation rate (0.1) = sample size of 23
Where other evidence (such as evidence from substantive audit procedures) has been obtained for a particular assertion, the condence factor could be reduced so that only a moderate level of risk reduction is obtained through testing the operational effectiveness of a control. In such a case, a condence level of 80% (related condence factor = 1.61) could be used, resulting in the smallest sample size of 8. Some rms use slightly higher condence factors, resulting in the smallest sample size of 10 items for a moderate level of risk reduction and 30 for a higher level of risk reduction.
Selecting the sample

Sample selection is set out below.
Practical guidance
511
Exhibit 32.5-5
Steps to take Selecting the sample 1. Determine the purpose of the procedure and the evidence it will provide in relation to the assertions underlying the control attributes to be tested. 2. Select the appropriate population of items to achieve the test objective. This may differ based on the underlying assertion being addressed. For example, invoices might be selected for testing sales existence but these documents would not provide evidence on sales completeness. In this instance, the better choice might be tracing order entry or shipping documents to an invoice and then into the accounts receivable. 3. Determine the smallest sample size necessary to provide the required level of risk reduction. This could be either moderate or high levels of risk reduction. 4. Use a random number generator or other appropriate method to select the individual items to be checked. Every item in the population should have an equal chance of being selected.
Control procedures that operate less than daily

PART B
For selecting samples where the control does not operate daily, the following guidelines may be of assistance. However, the actual sample sizes used should always be based on professional judgement.
Exhibit 32.5-6
Control operates Weekly Monthly Quarterly Yearly Suggested minimum sample 10 2-4 2 1 Coverage percentage of test 19% 25% 50% 100%
512
Consider point
When statistical sampling is used for testing the operating effectiveness of internal control, the sample size required does not increase as the size of the population grows. A random sample of as little as 30 items with no deviation found can provide a high level of condence that the control is operating effectively. When designing tests of controls, spend time to dene exactly what constitutes an error or exception to the test. This will save time during the performance of the test or the evaluation of the results and avoid doubts in determining what a control deviation is. If any level of deviation is expected in the operating effectiveness of a control, it is recommended that alternative approaches to gathering audit evidence be considered. A simple plan that can be used for attribute sampling is as follows: Based on a 95% condence rate (a 5% deviation rate), it is suggested that: > A sample of 10 items with no deviations will provide a moderate level of risk reduction. If a deviation is found, no risk reduction can be gained > A sample of 30 items with no deviations will provide a high level of risk reduction. If a single deviation is found, only a moderate level of risk reduction can be gained. If more than one deviation is found, no risk reduction can be gained, and > A sample of 60 items and up to one deviation will provide a high level of risk reduction. If two deviations are found, only a moderate level of risk reduction can be gained. If more than two deviations are found, no risk reduction can be gained from testing of controls.
32.6
Evaluating deviations
The process for evaluating deviations as set out below.
Exhibit 32.6-1
Steps to take Evaluating deviations 1. Identify deviations. Place each sample item into one of two classications: deviation or no deviation. 2. The nature and cause of each deviation should be carefully considered. For example, is there an indication of management override or possible fraud or was the problem simply a result of the person responsible being on vacation? 3. Consider sampling risk. If deviations have been found, consider if reliance on control effectiveness should be reduced, the sample size extended (see below) or alternative procedures performed.
Practical guidance
513
The results of the sample can be evaluated by comparing the maximum tolerable deviation rate to what is called the upper deviation limit. The upper deviation limit is approximated by the formula below.
Upper deviation limit = adjusted condence factor sample size
An adjusted condence factor could be based on the number of deviations found, as illustrated in the exhibit below.
Exhibit 32.6-2
Adjusted condence factor for number of deviations found Condence level required 95% 90% 80% 70% 1 4.7 3.9 3.0 2.4 2 6.3 5.3 4.3 3.6 3 7.8 6.7 5.5 4.7 4 9.2 8.0 6.7 5.8 5 10.5 9.3 7.9 7.0
Adjusted condence factor (from the table above) 5.3 sample size (30) = 17%
The result at 17% is much higher than the maximum tolerable deviation rate of 10%, which would mean that reliance on control effectiveness would have to be reduced. If, however, it was decided to increase the sample size, it would have to be extended to 60 items and no further deviations found. This would reduce the upper deviation limit (as calculated below) to an acceptable level (ie. close to the original limit of 10%).
Adjusted condence factor 5.3 sample size (60) = 9%
However, if a further deviation was found, it would require yet another extension in the sample to try for the desired results. This would probably not be an effective use of audit time as yet another deviation could well be found.
Adjusted condence factor 6.7 sample size (75) = 9%
PART B
For example, lets assume a sampling of 30 items (using a 90% condence level and 10% maximum tolerable deviation rate) and two deviations were found. The upper deviation limit would be calculated as follows.
514
32.7
Case studies extent of testing
For details of the case studies, refer to Part B, Chapter 17 Introduction to the case studies.
Case study A ONeal Furniture Pty Ltd Determining the extent of testing Designing further procedures accounts receivable
The following is an outline of an audit program for accounts receivable. This program includes a statistical sample of accounts receivable. ONeal Furniture Accounts receivable audit procedures Client: ONeal Furniture
Work completed by: (initials)
Assertions addressed Procedures 1. Analytical procedures Develop expectations for the period-end accounts receivable balances based on information obtained from understanding the entity. Investigate signicant changes or trends in the: > Accounts receivable balance > Ageing of accounts receivable by customer > Days sales in accounts receivable > Credit balances in accounts receivable > Other unexpected variations. Explain > Other (non-trade receivables) > Document ndings. CEA
W/P Ref.
Comments
MAG
C.120
Accounts receivables have increased by 60% from the prior period. Debtors days in accounts receivable have also increased from 39 days to 45 days.
Practical guidance
515
Assertions addressed 2. Listing Obtain a detailed (and aged) listing of receivables at the period end: (a) Check arithmetic accuracy and agree to general ledger (b) Check names and amounts to subsidiary ledger (c) Ask staff dealing with receivables about any instances where: A customer has been given preferential treatment The terms of sale have been modied Transactions have occurred with related parties Internal credit limits have been signicantly overridden. E E A
Work completed by: (initials) MAG
W/P Ref. C.110
Comments
MAG MAG
Per discussion with Alan and Karla, the sales terms do vary between customers but are approved by Alan.
Verify that the allowance for doubtful accounts relates to specic accounts and is adequate: (a) Review the aged accounts receivable trial balance and compare it to preceding periods (b) Review payments received subsequent to period end (if possible, obtain an aged trial balance as at the period-end date with subsequent collections posted on it). AV MAG
Review listing of overdue accounts with Alan and obtain details of allowance.
PART B
3. Allowance for doubtful accounts
CV
MAG
C.120
Accounts receivable over 60 days have increased as a percentage of sales from the prior period.
516
Assertions addressed 4. Cut-off Perform and document cut-off procedures A
W/P Ref. C.115
Comments Obtain listing of sales returns since as part of cut-off testing. There were several large returns last year. Conditions for returns on contract sales reviewed as part of sales testing. See W/P 503.1 All journal entries around period end reviewed on W/P 626
Substantive procedures sampling S1.Extended conrmation Select 15 conrmations of accounts as outlined in accounts receivable conrmation checklist. Summarise the results and investigate differences by examining supporting documentation and enquiry. Tests of controls Extended procedures for specic fraud risks identied E1.Accounts receivable conrmations (fraud risk) (a) Verify a sample of names, addresses and fax/telephone numbers of customers selected to telephone or business directories to test that they are valid businesses (b) Consider reviewing websites or other online information about customers in addition to sending a conrmation to verify account details and sales terms/conditions. Ask about any side deals or special terms (c) Consider accepting only original (signed) copies of conrmations. EA MAG C.200 Veried ve names, addresses, fax numbers from the conrmation selected. No exceptions noted. Called two customers to verify and conrm details and the contract terms for contract sales. No exceptions noted. None EA MAG C.200
Practical guidance
517
Assertions addressed E2.Allowance for doubtful accounts (a) Test a sample of 10 subsequent payments to bank deposits (b) Review all credit memos issued after period end. Consider reviewing customer les or supporting documentation as appropriate (c) Review all write-offs of accounts receivable after period end to test these were not doubtful in the prior period. V
W/P Ref. C.121
Comments No exceptions noted. There were two credit memos issued after period end but these were not material. The customers returned the items since they were damaged upon arrival. It is not clear whether they were damaged in transport or already damaged when leaving the factory.
W/P Ref. = working paper reference
Substantive procedures sampling

The following illustrates the test design of a statistical sample for determining the existence and accuracy of the receivable balances. Invoices have been chosen as the source document for the customers chosen for conrmation, as certain retailers have indicated they will not conrm actual period-end balances. A statistical sample (using monetary unit sampling) will be performed to determine the existence and accuracy of receivables.
Question Purpose of test Response To verify the existence and accuracy of receivables by selecting a sample of receivable balances and sending conrmation letters. Existence = moderate risk Accuracy = low risk Population to be tested Monetary value of population Specic items subject to separate evaluation Accounts receivable balances at period end. $177,203 $38,340
RMM in the relevant assertions
PART B
518
Question Risk reduction obtained from testing the operational effectiveness of internal control Risk reduction from other procedures such as risk assessment procedures Condence factor to be used (reduced for risk reduction gained from other sources) Materiality Expected deviations in sample
Response Moderate. Limited. Test of controls planned for revenue/ receivables/receipts; therefore, a condence interval of 75% or 1.4, will be used. $15,000 None.
Estimating the sample size

Specic items will be tested separately. There are two related-party receivables of $28,340 and $10,000 from Karen ONeal and Vin Stevens respectively that should be conrmed separately. The remaining trade receivables balance of $138,863 ($177,203 $38,340) will need to be tested for existence and accuracy using accounts receivable conrmations. Since some customers cannot conrm balances after the fact, accounts receivable conrmations will be based on conrming invoices and: > Sampling interval: Precision (materiality) condence factor $15,000 1.4 (75%) = $10,714 > Sample size: Population to be tested sampling interval Exclude specic items removed for separate evaluation $138,863 $10,714 = 13 Since the sampling units in this population are invoices, the sample consists of 13 invoices to be selected for conrmation plus the two related-party transaction balances identied above.
Selecting invoices to be tested

To select the invoices and customers for conrmation, the invoices will be chosen using monetary unit sampling. For the remaining trade receivables balance of $138,863, a starting point of $913 was chosen. Using the sampling interval of $10,714, the 13 invoices were selected.
Practical guidance
519
Case study B Kane & Co. Determining the extent of testing Designing further procedures accounts receivable
Audit procedures program for Kane & Co: Balance accounts receivable (A/R) Basic procedures:
Work completed by and W/P ref: C.110 LP
Procedure Analytical procedures Perform analytical procedures on the A/R balance, ageing, key ratios and compare trends and result to prior period.
Assertion(s) CEA
Comments Days sales in A/R have increased to 106 days from 58 days two years ago. Majority of increase seems to be due to increases in ONeal Furniture A/R.
Listing Obtain aged listing of A/R and check arithmetic accuracy, agree to general ledger and review the listing with Ruby for related-party balances. Check the accuracy of the ageing by judgementally selecting ve invoices and trace the appropriateness of the ageing to the ageing report. Allowance Obtain details for allowance with Robert and review the ageing. Discuss the collectability of accounts over 90 days. Obtain a listing of subsequent payments to the end of our subsequent events testing.
C.105 LP
C.105 LP
No evidence noted.
C.120 LP
Reviewed listing with Robert. Only two accounts are over 90 days. Invoices over 90 days from ONeal Furniture totalled $10,590. Per Robert, these are all collectible and will be paid soon. Some of the invoices were paid subsequent to period end. No errors noted here and revenue testing regarding cut-off. All journal entries around period end reviewed on W/P 626
Cut-off Review a sample of 10 invoices before and after period end and document other cut-off procedures to ensure transactions were recorded in the correct period. Examine evidence that the goods were shipped prior to period end for transactions selected.
C.122 LP
PART B
Listing agrees to general ledger and no errors found on the aging and arithmetic checks.
520
Procedure Conrmations Conrm all related-party accounts. Judgementally select account receivable balances (excluding related-party balances above) for 60% coverage. Check accuracy of company information by selecting a sample of names and addresses before sending conrmation. Followup conrmations faxed back to us with a phone call to verify the conrmation details. Perform alternative procedures for conrmations not returned.
Assertion(s) EA
Work completed by and W/P ref: C.130 LP
Comments Conrmed ONeal Furniture receivable and also agreed balance to ONeal Furniture working paper le. Accounts receivable conrmations only had a 45% response rate, so alternative procedures were performed.
Substantive procedures sampling

The sample of conrmations was extended for moderate level of risk. Reliance was placed on substantive procedures.
Extended/other substantive procedures

Given the risk of management override, names and addresses were checked for a sample of conrmations sent. For any conrmation returned by fax, the conrmation details were conrmed with a telephone call to verify their accuracy.
Practical guidance
521
33.
Documenting work performed

Relevant ASAs
Chapter content Guidance on proper and adequate documentation of the auditors risk response in the audit working paper le.
230, 500
Exhibit 33.0-1
Activity
Purpose
Documentation
Risk response
230.7 230.8
The auditor shall prepare audit documentation on a timely basis. (Ref: Para. A1) The auditor shall prepare audit documentation that is sufcient to enable an experienced auditor, having no previous connection with the audit, to understand: (Ref: Para. A2-A5, A16-A17) (a) The nature, timing and extent of the audit procedures performed to comply with the Australian Auditing Standards and applicable legal and regulatory requirements; (Ref: Para. A6-A7) (b) The results of the audit procedures performed and the audit evidence obtained; and (c) Signicant matters arising during the audit, the conclusions reached thereon, and signicant professional judgements made in reaching those conclusions. (Ref: Para. A8-A11)
230.9
In documenting the nature, timing and extent of audit procedures performed, the auditor shall record: (a) The identifying characteristics of the specic items or matters tested; (Ref: Para. A12) (b) Who performed the audit work and the date such work was completed; and (c) Who reviewed the audit work performed and the date and extent of such review. (Ref: Para. A13)
230.10
The auditor shall document discussions of signicant matters with management, those charged with governance and others, including the nature of the signicant matters discussed and when and with whom the discussions took place. (Ref: Para. A14)
PART B
Paragraph #
522
Paragraph # 330.16
Relevant extracts from ASAs When evaluating the operating effectiveness of relevant controls, the auditor shall evaluate whether misstatements that have been detected by substantive procedures indicate that controls are not operating effectively. The absence of misstatements detected by substantive procedures, however, does not provide audit evidence that controls related to the assertion being tested are effective. (Ref: Para. A40) The auditor shall conclude whether sufcient appropriate audit evidence has been obtained. In forming an opinion, the auditor shall consider all relevant audit evidence, regardless of whether it appears to corroborate or to contradict the assertions in the nancial report. (Ref: Para. A62) If the auditor has not obtained sufcient appropriate audit evidence as to a material nancial report assertion, the auditor shall attempt to obtain further audit evidence. If the auditor is unable to obtain sufcient appropriate audit evidence, the auditor shall express a qualied opinion or disclaim an opinion on the nancial report. If information to be used as audit evidence has been prepared using the work of a managements expert, the auditor shall, to the extent necessary, having regard to the signicance of that experts work for the auditors purposes: (Ref: Para. A34-A36) (a) Evaluate the competence, capabilities and objectivity of that expert; (Ref: Para. A37-A43) (b) Obtain an understanding of the work of that expert; and (Ref: Para. A44-A47) (c) Evaluate the appropriateness of that experts work as audit evidence for the relevant assertion. (Ref: Para. A48)
330.26
330.27
500.8
500.9
When using information produced by the entity, the auditor shall evaluate whether the information is sufciently reliable for the auditors purposes, including as necessary in the circumstances: (a) Obtaining audit evidence about the accuracy and completeness of the information; and (Ref: Para. A49-A50) (b) Evaluating whether the information is sufciently precise and detailed for the auditors purposes. (Ref: Para. A51)
33.1
Overview
File documentation plays a critical role in the planning and performance of the audit. It provides the record that work was in fact performed and it forms the basis for the auditors report. It will also be used for quality control reviews, monitoring of compliance with ASAs and applicable legal and regulatory requirements, as well as possibly inspections by third parties. The specic requirements and nature of audit documentation have been extensively addressed in Part A, Chapter 14 and are not repeated here. This chapter provides a checklist of some of the matters that would be addressed in completing the le.
Practical guidance
523
Exhibit 33.1-1
Documentation considerations Has compliance with the rms documentation requirements, as set out in the rms quality control manual, been documented? Is the audit documentation well organised and complete, including clear links to where signicant matters were addressed? Does le documentation indicate: > Who performed the audit work and the date such work was completed? > Who reviewed the audit work performed and the date and extent of such review? > Results of discussions of signicant matters with management, those charged with governance and others, including the nature of the signicant matters discussed, and when and with whom the discussions took place? Could an experienced auditor, who has had no previous connection with the audit, understand: > The nature, timing and extent of the audit procedures performed to comply with the applicable legal, regulatory and professional requirements? > The results of the audit procedures and the audit evidence obtained? > The nature of signicant matters arising, the conclusions reached and signicant professional judgements made in reaching those conclusions? Does the le contain documentation that addresses: > The presence of the audit preconditions and the decision to accept or continue with the engagement? > The overall audit strategy? > Discussion among the engagement team? > Key elements of the understanding of the entity obtained and of each of the ve internal control components including the sources of the information obtained? > Results of performing risk assessment procedures? > Identied and assessed risks of material misstatement at the nancial report level and at the assertion level? > The detailed audit plan that responds to the assessed risks? > Results of performing audit procedures including the relevance and reliability of evidence obtained and the treatment of exceptions found, including any changes required in assessed risks? > Information and procedures performed to address any indicators of fraud identied during the audit? > Changes in materiality as a result of new information obtained? > Enough information to re-perform each procedure if that was ever necessary? > Signicant changes made during the audit engagement to the overall audit strategy or the audit plan, and the reasons for such changes? > Details of signicant matters and their resolution such as material uncertainties, concerns with management estimates, subsequent events and other matters that could result in a modied audit opinion? Yes/no
PART B
524
Documentation considerations Have consultations within the rm and with experts hired by the auditor and management been documented? Where an expert was used, has the appropriateness of the experts work as audit evidence been documented? Has compliance with the requirements of ASA 600 with regard to communications with component auditors been documented? Have all the documentation requirements of each relevant ASA been addressed? (See Part A, Chapter 14 for a list of ASAs with specic documentation requirements.)
Yes/no
File ownership
Unless otherwise specied by legislation or regulation, audit documentation is the property of the audit rm.
Copies of entitys records

Abstracts or copies of the entitys records (for example, signicant and specic contracts and agreements) may be included as part of audit documentation if considered appropriate. However, copies of the entitys accounting records are not a substitute for appropriate audit documentation. Consider point
Timeliness of preparation Preparing audit documentation on a timely basis helps to enhance the quality of the audit and facilitates the effective review and evaluation of the audit evidence obtained and conclusions reached before the auditors report is nalised. Documentation prepared after the audit work has been performed is likely to be less accurate than documentation prepared at the time such work is performed. Can the audit le stand by itself? Where possible, audit documentation should be clear and understandable without the need for additional oral explanations. Oral explanations on their own do not represent adequate support for the work performed or conclusions reached. They may be used though to explain or clarify information contained in the audit documentation. Inconsistencies If audit evidence is obtained that is inconsistent with the nal conclusion regarding a signicant matter, ensure documentation is added to the le that explains how the auditor addressed the inconsistency. This does not imply that the auditor needs to retain documentation that is incorrect or superseded.
Practical guidance
525
34.
Relevant ASA
Chapter content Guidance on obtaining written conrmation of management representations.
580
Exhibit 34.0-1
Activity
Purpose
Documentation
Risk response
Implement responses to assesseda RMM1
Paragraph # 580.6
ASA objective(s) The objectives of the auditor are: (a) To obtain written representations from management and, where appropriate, those charged with governance that they believe that they have fullled their responsibility for the preparation of the nancial report and for the completeness of the information provided to the auditor; (b) To support other audit evidence relevant to the nancial report or specic assertions in the nancial report by means of written representations if determined necessary by the auditor or required by other Australian Auditing Standards; and (c) To respond appropriately to written representations provided by management and, where appropriate, those charged with governance, or if management or, where appropriate, those charged with governance do not provide the written representations requested by the auditor.
Paragraph # 580.9
Relevant extracts from ASAs The auditor shall request written representations from management with appropriate responsibilities for the nancial report and knowledge of the matters concerned. (Ref: Para. A2-A6) The auditor shall request management to provide a written representation that it has fullled its responsibility for the preparation of the nancial report in accordance with the applicable nancial reporting framework, including where relevant their fair presentation, as set out in the terms of the audit engagement. (Ref: Para. A7-A9, A14, A22)
580.10
PART B
526
Paragraph # 580.11
Relevant extracts from ASAs The auditor shall request management to provide a written representation that: (a) It has provided the auditor with all relevant information and access as agreed in the terms of the audit engagement; and (b) All transactions have been recorded and are reected in the nancial report. (Ref: Para. A7-A9, A14, A22)
580.12
Managements responsibilities shall be described in the written representations required by paragraphs 10 and 11 of this Auditing Standard in the manner in which these responsibilities are described in the terms of the audit engagement. Other Auditing Standards require the auditor to request written representations. If, in addition to such required representations, the auditor determines that it is necessary to obtain one or more written representations to support other audit evidence relevant to the nancial report or one or more specic assertions in the nancial report, the auditor shall request such other written representations. (Ref: Para. A10-A13, A14, A22) The date of the written representations shall be as near as practicable to, but not after, the date of the auditors report on the nancial report. The written representations shall be for all nancial report and period(s) referred to in the auditors report. (Ref: Para. A15-A18) The written representations shall be in the form of a representation letter addressed to the auditor. If law or regulation requires management to make written public statements about its responsibilities, and the auditor determines that such statements provide some or all of the representations required by paragraphs 10 or 11 of this Auditing Standard, the relevant matters covered by such statements need not be included in the representation letter. (Ref: Para. A19-A21) If the auditor has concerns about the competence, integrity, ethical values or diligence of management, or about its commitment to or enforcement of these, the auditor shall determine the effect that such concerns may have on the reliability of representations (oral or written) and audit evidence in general. (Ref: Para. A24-A25) If management does not provide one or more of the requested written representations, the auditor shall: (a) Discuss the matter with management; (b) Reevaluate the integrity of management and evaluate the effect that this may have on the reliability of representations (oral or written) and audit evidence in general; and (c) Take appropriate actions, including determining the possible effect on the opinion in the auditors report in accordance with ASA 705, having regard to the requirement in paragraph 20 of this Auditing Standard.
580.13
580.14
580.15
580.16
580.19
Practical guidance
527
Paragraph # 580.20
Relevant extracts from ASAs The auditor shall disclaim an opinion on the nancial report in accordance with ASA 705 if: (a) The auditor concludes that there is sufcient doubt about the integrity of management such that the written representations required by paragraphs 10 and 11 of this Auditing Standard are not reliable; or (b) Management does not provide the written representations required by paragraphs 10 and 11 of this Auditing Standard. (Ref: Para. A26-A27)
34.1
Overview
One of the responsibilities of management when they sign the engagement letter (See Part B, Chapter 19) is to conrm the auditors expectation of receiving written conrmation concerning the representations made in connection with the audit. During the course of the audit, management will make a number of verbal representations to the auditor, which can be used as audit evidence to complement other audit procedures. At the end of the engagement, these verbal representations are to be included in a written representation letter obtained from management and, where appropriate, those charged with governance. Note: A number of ASAs contain specic requirements for the auditor to request written representations. The written representation letter would include specic representations required and managements belief that: > It has fullled its responsibilities for the preparation of the nancial report, and > The information provided to the auditor was complete. The written representation letter would be obtained as near as practicable to, but not after, the date of the auditors report on the nancial report. Written representations would cover the nancial report and period(s) referred to in the auditors report. Written management representations are not to be used as: > A substitute for performing other audit procedures, or > As the sole source of evidence on signicant audit matters.
PART B
528
Consider point
Who signs the letter? For engagements deemed to be high risk, consider obtaining more than one signature on the representation letter. For example, the representation letter could be signed by the owner-manager and other key members of the management team. Representations as evidence Written representations do not provide sufcient appropriate audit evidence on their own about any of the matters with which they deal. Nor does the fact that management has provided reliable written representation affect the nature or extent of other audit evidence that the auditor obtains about the fullment of managements responsibilities, or about specic assertions.
34.2
Subject matter
Management representations may be: > Verbal, whether solicited or unsolicited Such representations are typically obtained during the audit engagement. > Written At the end of the engagement, the auditor is required to request a written statement from management conrming certain matters such as: The verbal representations referred to above Management has fullled its responsibility for the preparation of the nancial report in accordance with the applicable nancial reporting framework All transactions have been recorded and are reected in the nancial report, and Other representations as necessary to support the audit evidence obtained.
Exhibit 34.2-1
Forms of management representations > Matters communicated in discussions. > Matters communicated electronically, such as emails, recorded telephone messages or text messages. > Schedules, analyses and reports prepared by the entity, and managements notations and comments therein. > Internal and external memoranda or correspondence. > Minutes of meetings of those charged with governance and compensation committees. > Signed copy of the nancial report. > Representation letter from management.
Practical guidance
529
34.3
Considerations in performing the audit
Exhibit 34.3-1
Evaluating management representations Matters to consider Can the person making the representation be expected to be objective and knowledgeable on the subject matter? Is the representation reasonable in light of: > The auditors understanding of the entity and its environment? > Other evidence obtained, including other representations obtained from management? > Other evidence obtained through the performance of audit procedures to achieve other audit objectives? What further audit procedures are required to corroborate the representations? For corroborating management intent, consider sources of evidence such as board minutes, minutes of investment committees, legal documents or internal correspondence and emails. For example, as part of the auditors consideration of going concern, substantiating evidence would include inspection of board minutes, legal documents and availability of funding information, etc. Where corroborating evidence is not available, is there a scope limitation?
> Is there reason to doubt managements honesty and integrity? If yes, the auditor would discuss the matter with those charged with governance and consider the impact on the risk assessment and the need for further audit procedures. > Is continued reliance on any other of managements representations appropriate and justied? Consider the most appropriate means of documenting the representation. For example: > A memorandum created by the auditor; > A written memorandum created by the entitys management; and > Inclusion in the management representation letter.
34.4
Written representations are an important source of audit evidence for reasons such as the following: > If management modies or does not provide the requested written representations, it may alert the auditor to the possibility that one or more signicant issues may exist. > A request for written, (rather than oral representations) may prompt management to consider such matters more rigorously, thereby enhancing the quality of the representations.
PART B
Where management representations have been contradicted by other audit evidence obtained:
530
Written representations are requested from those responsible for the preparation and presentation of the nancial report and knowledge of the matters concerned. Often this will be the entitys chief executive ofcer and the chief nancial ofcer or other equivalent persons such as the owner-manager. The auditor is required to request management to provide a written representation that: > It has fullled its responsibility for the preparation of the nancial report in accordance with the applicable nancial reporting framework > It has provided the auditor with all relevant information and access as agreed in the terms of the audit engagement > All transactions have been recorded and are reected in the nancial report, and > It supports other audit evidence relevant to the nancial report (such as required by other ASAs) or one or more specic assertions in the nancial report. Particular ASAs that may require written representations are outlined below.
Exhibit 34.4-1
ASA 240 250 450 502 540 550 560 570 710 Title The Auditors Responsibilities Relating to Fraud in an Audit of a Financial Report Consideration of Laws and Regulations in an Audit of a Financial Report Evaluation of Misstatements Identied during the Audit Audit Evidence Specic Considerations for Litigation and Claims Auditing Accounting Estimates, Including Fair Value Accounting Estimates, and Related Disclosures Related Parties Subsequent Events Going Concern Comparative Information Corresponding Figures and Comparative Financial Reports Paragraph 39 16 14 7 22 26 9 16(e) 9
Written representations address matters such as those set out below.
Practical guidance
531
Exhibit 34.4-2
Management has Managements responsibilities 1. Fullled its responsibility for the preparation of the nancial report in accordance with the applicable nancial reporting framework (including, where relevant, its fair presentation, as set out in the terms of the audit engagement) and for the completeness of the information provided to the auditor; and 2. In some cases (such as where the terms of engagement were agreed by other parties), management may also be asked to reconrm its acknowledgement and understanding of those responsibilities in written representations. 3. Provided the auditor with all relevant information and access as agreed in the terms of the audit engagement. 4. Recorded all transactions in the accounting records and reected those transactions in the nancial report.
Exhibit 34.4-3
Management represents that Specic representations 1. The selection and application of accounting policies are appropriate and are in accordance with the applicable nancial reporting framework. 2. The following matters, where relevant under the applicable nancial reporting framework, have been recognised, measured, presented or disclosed in accordance with that framework: > Plans or intentions that may affect the carrying value or classication of assets and liabilities > Liabilities, both actual and contingent > Title to, or control over, the assets > Liens or encumbrances on assets and assets pledged as collateral, and > Aspects of laws, regulations and contractual agreements that may affect the nancial report, including non-compliance. 3. It has communicated all known deciencies in internal control of which management is aware. 4. All of the entitys reasons for choosing a particular course of action have been communicated. 5. Its intentions in relation to (specify matter) are as follows: (describe the entitys plans or intentions).
PART B
532
Other considerations Exhibit 34.4-4

Comments Qualifying language In some cases, management may include qualifying language to the effect that representations are made to the best of its knowledge and belief. Such wording can be accepted if the auditor is satised that the representations are being made by those with appropriate responsibilities and knowledge of the matters included in the representations. Trivial misstatements Date of letter Address letter to auditor Report to those charged with governance Management enquiries of others When obtaining representations about misstatements, a threshold amount could be established below which individual misstatements may be regarded as trivial. The auditors report would not be dated before the date of the written representations, as the representations are part of the audit evidence. The required written representations would be included in a letter addressed to the auditor. ASA 260 requires the auditor to communicate with those charged with governance the written representations which the auditor has requested from management. If management does not have sufcient knowledge on which to base the written representations it may decide to make enquiries of others who participated in preparing/presenting the nancial report and assertions therein. This would include individuals who have specialised knowledge.
Doubts about representations provided or not provided

If there are doubts as to the reliability of written representations or requested written representations have not been provided, the auditor would consider the nature of the concern and act accordingly.
Practical guidance
533
Exhibit 34.4-5
Doubts Requested representations not provided Auditors required response > Discuss the matter with management > Re-evaluate the integrity of management and evaluate the effect that this may have on the reliability of representations (oral or written) and audit evidence in general > Take appropriate actions, including determining the possible effect on the opinion in the auditors report > Consider any reliance placed on other representations made by management during the audit, and any additional implications of the refusal on the auditors report > For audits conducted in accordance with Part 2M.3 of the Corporations Act 2001, direct those charged with governance or management to section 310 of the Corporations Act 2001 which gives: A right of access at all reasonable times to the books of a company, registered scheme or disclosing entity A right to request from any ofcer to give the auditor information and explanations or other assistance for the purposes of the audit or review
Inconsistencies identied
> Perform additional audit procedures to attempt to resolve the matter > If the matter remains unresolved, reconsider the assessment of the competence, integrity, ethical values or diligence of management (see point below), or of its commitment to or enforcement of these, and determine the effect that this may have on the reliability of representations (oral or written) and audit evidence in general. Determine the effect that such concerns may have on the reliability of representations (oral or written) and audit evidence in general. The auditor would disclaim an opinion on the nancial report where: > The auditor concludes that there is sufcient doubt about the integrity of management such that the required written representations are not reliable, or > Management does not provide the written representations required
Management incompetence, lack of integrity or ethical values
Supplementary/additional representations
In addition to the required written representations the auditor may consider it necessary to request: > Supplementary representations about the nancial report Such written representations may supplement, but do not form part of, the written representation required by ASA 580.10. Examples could include:
PART B
> Consider the implications of the refusal under section 307(b) of the Corporations Act 2001, which requires the auditor to form an opinion as to whether all information, explanations and assistance necessary for the conduct of the audit have been given.
534
Whether the selection and application of accounting policies are appropriate, and Whether matters such as the following have been recognised, measured, presented or disclosed in accordance with that framework: Plans or intentions that may affect the carrying value or classication of assets and liabilities Liabilities, both actual and contingent Title to, or control over, assets, the liens or encumbrances on assets and assets pledged as collateral, and Aspects of laws, regulations and contractual agreements that may affect the nancial report, including non-compliance. > Additional written representations In addition to the written representation required by ASA 580.11 the auditor may consider it necessary to request written representations such as: Conrmation that management has communicated all deciencies in internal control of which management is aware Specic assertions In some cases it may not be possible to obtain sufcient appropriate audit evidence without a written representation from management conrming the reasons, judgements or intentions with respect to specic assertions in the nancial report. Matters to consider include: The entitys past history in carrying out its stated intentions The entitys reasons for choosing a particular course of action The entitys ability to pursue a specic course of action The existence or lack of any other information that might have been obtained during the course of the audit that may be inconsistent with managements judgement or intent. Consider point
Take some time to meet with management to explain the nature of requested representations and to ensure they are fully aware of what they are agreeing to sign.
34.5
Example of written representations
The example of a management representation letter contained in the case study materials follows the format contained in ASA 580.
Practical guidance
535
34.6
Case study management representations
Case study A ONeal Furniture Pty Ltd Management representations

The following are examples of management representations by Sam and some further audit procedures that could apply.
Management representation There is no impairment in the tools that have been superseded by new machinery. This is because the machines break down and therefore the older ones will be required on occasion while the other machine is repaired. There is no additional provision required for the slightly damaged goods identied during the inventory count. Evaluation Make enquiries of the production manager and others to determine whether the tools and equipment, new or old, are currently in use and still operable. This could be established by physical examination and review of maintenance records. Check whether the damaged goods were in fact sold after period end. Enquire with the production manager whether damaged goods are sold as is or repaired (if so, at what cost) or sold for a discounted price.
At the conclusion of the audit, important representations would be documented in a management representation letter that would be signed by Sam ONeal and Joel King. Such representations might be included in a letter as follows.
PART B
536
ONeal Furniture Pty Ltd letterhead [Date] Sang Jun Lee Jamel, Woodwind and Wing Chartered Accountants 55 Kingston Street Campbelltown, NSW 2560 Dear Mr Lee, This representation letter is provided in connection with your audit of the nancial report of ONeal Furniture Pty Ltd for the year ended 30 June 20X2 for the purpose of expressing an opinion as to whether the nancial report is presented fairly [or gives a true and fair view], in all material respects, in accordance with Australian Accounting Standards. We conrm that: Financial report > We have fullled our responsibilities, as set out in the terms of the audit engagement dated [date], for the preparation of the nancial report in accordance Australian Accounting Standards; in particular the nancial report is fairly presented in accordance therewith > Signicant assumptions used by us in making accounting estimates, including those measured at fair value, are reasonable > Related-party relationships and transactions have been appropriately accounted for and disclosed in accordance with the requirements of Australian Accounting Standards > All events subsequent to the date of the nancial report and for which Australian Accounting Standards require adjustment or disclosure have been adjusted or disclosed > The effects of uncorrected misstatements are immaterial, both individually and in the aggregate, to the nancial report as a whole. A list of the uncorrected misstatements is attached to the representation letter > The Company has complied with all aspects of contractual agreements that could have a material effect on the nancial report in the event of non-compliance > There has been no non-compliance with requirements of regulatory authorities that could have a material effect on the nancial report in the event of non-compliance > The Company has satisfactory title to all assets and there are no liens or encumbrances on the companys assets, except for those that are disclosed in Note X in the nancial report > We have no plans to abandon lines of product or other plans or intentions that will result in any excess or obsolete inventory, and no inventory is stated at an amount in excess of net realisable value > There has been no impairment in the net realisable value of xed assets (tools) whose functionality has now been superseded by new machinery Information provided > We have provided you with: Access to all information of which we are aware that is relevant to the preparation of the nancial report such as records, documentation and other matters Additional information that you have requested from us for the purpose of the audit Unrestricted access to persons within the entity from whom you determined it necessary to obtain audit evidence
Practical guidance
537
> All transactions have been recorded in the accounting records and are reected in the nancial report > We have disclosed to you the results of our assessment of the risk that the nancial report may be materially misstated as a result of fraud > We have disclosed to you all information in relation to fraud or suspected fraud that we are aware of and that affects the entity and involves: Management Employees who have signicant roles in internal control, or Others where the fraud could have a material effect on the nancial report > We have disclosed to you all information in relation to allegations of fraud, or suspected fraud, affecting the entitys nancial report communicated by employees, former employees, analysts, regulators or others > We have disclosed to you all known instances of non-compliance or suspected non-compliance with laws and regulations whose effects should be considered when preparing nancial report > We have disclosed to you the identity of the entitys related parties and all the related-party relationships and transactions of which we are aware > We have provided you with all requested information, explanations and assistance for the purposes of the audit > We have provided you with all information required by the Corporations Act 2001 [where applicable].
Yours truly, Sam ONeal
Joel King
PART B
538
Case study B Kane & Co. Management representations

The following are examples of management representations by Robert and some further audit procedures that could apply.
Management representation No additional allowance for doubtful accounts is necessary. The ONeal Furniture account is fully collectable and other A/R is not signicant enough to estimate an allowance. Evaluation Send A/R conrmation to Deptha. Make enquiries of Robert and Ruby to understand the various A/R customer accounts and their history of payments, and look for any trends. Validate that the proportion of non-ONeal Furniture A/R is not signicant, as the client is suggesting. Review subsequent payments to support collectability of account. Consider any relevant information from the audit of ONeal Furniture. ONeal Furniture continues to be satised with the quality of the goods we sell them. Review the history of sales returns and look for any trends. Review the results of the A/R conrmations to ONeal Furniture for any commentary on quality of goods or the collectability of amounts. Conduct inventory observation and look for obsolete items and non-moving inventory. Make enquiries to Ruby as to the quality of the goods and any communications she may have received from ONeal Furniture regarding quality of the goods they have purchased to date.
At the conclusion of the audit, important representations would be documented in a management representation letter that would be signed by Robert. Such representations might be included in a letter as previously illustrated in Case study A ONeal Furniture
Practical guidance
539
35.
Reporting overview
Exhibit 35.0-1
Activity
Purpose
Documentation 1
Risk assessment
Plan the audit
Design/implementation of relevant internal controls Assessed RMM3 at: > F/S level > Assertion level
Risk response
Reporting
yes
Is additional work required? no
Form an opinion based on audit findings
PART B
540
Paragraph # 200.11
Relevant extracts from ASAs In conducting an audit of a nancial report, the overall objectives of the auditor are: (a) To obtain reasonable assurance about whether the nancial report as a whole is free from material misstatement, whether due to fraud or error, thereby enabling the auditor to express an opinion on whether the nancial report is prepared, in all material respects, in accordance with an applicable nancial reporting framework; and (b) To report on the nancial report, and communicate as required by the Australian Auditing Standards, in accordance with the auditors ndings.
200.12
In all cases when reasonable assurance cannot be obtained and a qualied opinion in the auditors report is insufcient in the circumstances for purposes of reporting to the intended users of the nancial report, the Australian Auditing Standards require that the auditor disclaim an opinion or withdraw (or resign) from the engagement, where withdrawal is possible under applicable law or regulation. In Australian Auditing Standards only the term withdrawal is used.
200 Aus 12.1
The nal phase of the audit involves the following.
Exhibit 35.0-2
Evaluate evidence obtained
Complete all required file reviews Consider misstatements identified Resolve any issues with management Communicate audit findings with TCWG*
Reporting

Complete audit documentation Document significant decisions Form an opinion Issue the auditors opinion
*TCWG = those charged with governance
Basic concepts addressed in the reporting phase are as follows.

Exhibit 35.0-3
Chapter Subsequent events Going concern Audit documentation Communicating audit ndings The auditors report Part A, 11 Part A, 12 Part A, 14 Part B, 34 Part A, 15
Practical guidance
541
36.
Evaluating audit evidence

Relevant ASAs
Chapter content Guidance on evaluating the sufciency and appropriateness of audit evidence so that reasonable conclusions can be made on which to base the audit opinion.
220, 330, 450, 520, 540
Exhibit 36.0-1
Activity
Purpose
Documentation1
Reporting
yes
no Prepare the auditors report Form an opinion based on audit findings Significant decisions Signed audit opinion
Paragraph # 220.15
Relevant extracts from ASAs The engagement partner shall take responsibility for: (a) The direction, supervision and performance of the audit engagement in compliance with Australian Auditing Standards, relevant ethical requirements and applicable legal and regulatory requirements; and (Ref: Para. A13-A15, A20) (b) The auditors report being appropriate in the circumstances.
220.16
The engagement partner shall take responsibility for reviews being performed in accordance with the rms review policies and procedures. (Ref: Para. A16-A17, A20)
PART B
542
Paragraph # 220.17
Relevant extracts from ASAs On or before the date of the auditors report, the engagement partner shall, through a review of the audit documentation and discussion with the engagement team, be satised that sufcient appropriate audit evidence has been obtained to support the conclusions reached and for the auditors report to be issued. (Ref: Para. A18-A20) The engagement partner shall: (a) Take responsibility for the engagement team undertaking appropriate consultation on difcult or contentious matters; (b) Be satised that members of the engagement team have undertaken appropriate consultation during the course of the engagement, both within the engagement team and between the engagement team and others at the appropriate level within or outside the rm; (c) Be satised that the nature and scope of, and conclusions resulting from, such consultations are agreed with the party consulted; and (d) Determine that conclusions resulting from such consultations have been implemented. (Ref: Para. A21-A22)
220.18
220.19
For audits of nancial reports of listed entities, and those other audit engagements, if any, for which the rm has determined that an engagement quality control review is required, the engagement partner shall: (a) Determine that an engagement quality control reviewer has been appointed; (b) Discuss signicant matters arising during the audit engagement, including those identied during the engagement quality control review, with the engagement quality control reviewer; and (c) Not date the auditors report until the completion of the engagement quality control review. (Ref: Para. A23-A25)
220.20
The engagement quality control reviewer shall perform an objective evaluation of the signicant judgements made by the engagement team and the conclusions reached in formulating the auditors report. This evaluation shall involve: (a) Discussion of signicant matters with the engagement partner; (b) Review of the nancial report and the proposed auditors report; (c) Review of selected audit documentation relating to the signicant judgements the engagement team made and the conclusions it reached; and (d) Evaluation of the conclusions reached in formulating the auditors report and consideration of whether the proposed auditors report is appropriate. (Ref: Para. A26-A27, A29-A31)
36.1
Overview
After the planned audit procedures have been performed, an evaluation of the results will take place. This would include a review of the audit documentation and discussions with the engagement team and any changes to the audit plans as a result of the procedures performed. Some of the key considerations are set out below.
Practical guidance
543
Exhibit 36.1-1
Quality control It is the responsibility of the engagement partner to ensure the le reviews are being performed in accordance with the rms review policies and procedures and that the auditors opinion is appropriate. The engagement partner is responsible to ensure: > The engagement team sought appropriate consultation (both internally within the rm and externally with third parties) on difcult or contentious matters, and > Conclusions resulting from such consultations have been documented and implemented. File quality review (or EQCR) When rm policy requires an engagement quality control review (EQCR), the engagement partner shall: > Ensure that an appropriately-qualied EQC reviewer has been appointed > Discuss signicant audit issues with the EQC reviewer, and > Not date the auditors report until completion of the EQCR.
Consultation
The goal for the auditor is to be satised that sufcient appropriate audit evidence has been obtained to support the conclusions reached and for an appropriately worded auditors report to be issued. The evaluation of the audit evidence obtained would address the matters set out below.
PART B
Exhibit 36.1-2
Materiality Are the amounts established for overall and performance materiality still appropriate in the context of the entitys actual nancial results? If a lower overall materiality (for the nancial report as a whole) than that initially determined is appropriate, the auditor is required to determine: > Whether it is necessary to revise performance materiality, and > Whether the nature timing and extent of the further audit procedures remain appropriate. Risk In light of the audit ndings, are assessments of risks of material misstatement at the assertion level still appropriate? If not, the risk assessments would be revised and further planned audit procedures modied.
544
Misstatements
Has the effect on the audit of identied misstatements and uncorrected misstatements been considered? Has the reason for misstatements/deviations been considered? They may indicate an unidentied risk or a signicant deciency in internal control. Does the overall audit strategy and audit plan need to be revised? This would apply when: > The nature of identied misstatements and the circumstances of their occurrence indicate that other misstatements may exist that, when aggregated with misstatements accumulated during the audit, could be material, or > The aggregate of misstatements accumulated during the audit approaches materiality Have additional audit procedures been performed to determine whether misstatements remain (in classes of transactions, account balance or disclosures) where management was asked to correct misstatements?
Fraud
Does information obtained from performing other risk assessment procedures and related activities indicate that one or more fraud risk factors are present? Did the analytical procedures performed near the end of the audit, indicate a previously unrecognised risk of material misstatement due to fraud? Have identied misstatements been evaluated to determine whether such a misstatement is indicative of fraud? If so, evaluate the implications of the misstatement in relation to other aspects of the audit, particularly the reliability of management representations. An instance of fraud is unlikely to be an isolated occurrence. Is there any reason to believe that that management could be involved in the identied misstatements whether material or not, as a result of fraud? If so, re-evaluate the assessment of the risks of material misstatement due to fraud and its resulting impact on the nature, timing and extent of audit procedures to respond to the assessed risks. Also consider whether circumstances or conditions indicate possible collusion involving employees, management or third parties when reconsidering the reliability of evidence previously obtained. If fraud risks have been identied, it is possible to conrm that the nancial report is not materially misstated as a result of fraud. If not possible, determine the implications for the audit including whether it brings into question the ability to continue performing the audit.
Evidence
Has sufcient appropriate evidence been obtained to reduce the risks of material misstatement in the nancial report to an acceptably low level? Consider the need for further procedures to be performed.
Practical guidance
545
Did the analytical procedures performed at the nal review stage of the audit: > Corroborate the audit ndings, or > Identify previously unrecognised risks of material misstatement?
36.2
450.10
Reassess materiality
Relevant extracts from ASAs Prior to evaluating the effect of uncorrected misstatements, the auditor shall reassess materiality determined in accordance with ASA 320 to conrm whether it remains appropriate in the context of the entitys actual nancial results. (Ref: Para. A11-A12)
Paragraph #
Before the auditor evaluates the results of performing procedures and any misstatements arising, the rst step is to reassess the amounts established for overall and performance materiality. This is necessary because the initial determination of materiality will often be based on estimates of the entitys nancial results and the actual results may be different. Factors that would lead to a change include: > Initial determination of materiality is no longer appropriate in the context of the entitys actual nancial results > New information becomes available (such as user expectations) that would have caused the auditor to determine a different amount (or amounts) initially, and > Unexpected misstatements that may cause the materiality amount for that particular class of transactions, account balance or disclosure to be exceeded. Whenever a revision is necessary, the auditor is required to consider and document the impact on the assessed risks and the nature, timing and extent of further audit procedures required. If a lower materiality is required for the nancial report as a whole, also determine if it is necessary to revise performance materiality. If so, determine whether the nature, timing and extent of the further audit procedures remain appropriate. Consider point
If materiality has to be revised, do not wait until the end of the audit to make the change. If materiality is lowered, it may well require changes in risk assessments and the performance of additional or further audit procedures.
PART B
546
36.3
330.25
Changes in risk assessments

Relevant extracts from ASAs Based on the audit procedures performed and the audit evidence obtained, the auditor shall evaluate before the conclusion of the audit whether the assessments of the risks of material misstatement at the assertion level remain appropriate. (Ref: Para. A60-A61)
Paragraph #
The assessment of risk at the assertion level will often be based on audit evidence available before performing further audit procedures. During the time these procedures are being performed, new information may be obtained that will require the original risk assessment to be modied. For example, in the audit of inventories, the assessed level of risk for the completeness assertion may be low, based on an expectation that internal control is operating effectively. If a test of controls nds that internal control is not effective, the risk assessment would need to change and further audit procedures performed to reduce the risk to an acceptably low level. The same is true for any audit procedures performed where the results do not match the expectations. Some points to consider in determining whether the original assessment of risk has changed or not are outlined in the exhibit below.
Exhibit 36.3-1
Internal control Tests of controls > Do the results of performing tests of controls support the planned level of risk reduction based on their operating effectiveness? Management override > Is there any evidence of management override of existing internal control? Control deciencies > Does a potential misstatement(s) result from a deciency in internal control that should be immediately brought to managements attention? Nature of audit evidence obtained New risk factors > Does the evidence identify any new business risks, fraud risk factors or management override? Contradictory evidence > Does the evidence obtained contradict other sources of information available? Conicting evidence > Does the evidence obtained conict with the current understanding of the entity?
Practical guidance
547
Nature of audit evidence obtained (continued)
Accounting policies > Is there evidence that the entitys accounting policies are not always consistently applied? Unpredictable relationships > Does the evidence substantiate the relationships among nancial and non-nancial data? Fraud > Is there evidence of any patterns, oddities, exceptions or deviations found in performing tests that could be indicative of possible fraud (including management override) occurring? Reliability of representations > Is there evidence that questions the reliability of representations made by management or those charged with governance?
Bias in estimates > Could misstatements found in accounting estimates and fair value measurements indicate a possible pattern of bias by management? Misstatements > Do misstatements either individually or combined with all other uncorrected misstatements constitute a material misstatement in the nancial report taken as a whole?
Where the original assessment of risk has changed, the details should be documented and a revised assessment of risk determined. There should also be details of how the detailed audit plan has been changed to address the revised risk assessment. This may be a modication to the nature, timing or extent of other planned audit procedures or performance of further audit procedures. Consider point
Allocate time in the audit budget for the audit engagement team to discuss their ndings (as a group) immediately after the work is completed. The matters outlined in the above exhibit could form the agenda. Remember that the detection of fraud often comes from piecing together information about small and seemingly insignicant matters.
36.4
450.3
Evaluating the effect of misstatements

ASA objective(s) The objective of the auditor is to evaluate: (a) The effect of identied misstatements on the audit; and (b) The effect of uncorrected misstatements, if any, on the nancial report.
Paragraph #
PART B
548
Paragraph # 450.5 450.6
Relevant extracts from ASAs The auditor shall accumulate misstatements identied during the audit, other than those that are clearly trivial. (Ref: Para. A2-A3) The auditor shall determine whether the overall audit strategy and audit plan need to be revised if: (a) The nature of identied misstatements and the circumstances of their occurrence indicate that other misstatements may exist that, when aggregated with misstatements accumulated during the audit, could be material; or (Ref: Para. A4) (b) The aggregate of misstatements accumulated during the audit approaches materiality determined in accordance with ASA 320. (Ref: Para. A5)
450.7
If, at the auditors request, management has examined a class of transactions, account balance or disclosure and corrected misstatements that were detected, the auditor shall perform additional audit procedures to determine whether misstatements remain. (Ref: Para. A6) The auditor shall communicate on a timely basis all misstatements accumulated during the audit with the appropriate level of management, unless prohibited by law or regulation. The auditor shall request management to correct those misstatements. (Ref: Para. A7-A9) If management refuses to correct some or all of the misstatements communicated by the auditor, the auditor shall obtain an understanding of managements reasons for not making the corrections and shall take that understanding into account when evaluating whether the nancial report as a whole is free from material misstatement. (Ref: Para. A10) The auditor shall determine whether uncorrected misstatements are material, individually or in aggregate. In making this determination, the auditor shall consider: (a) The size and nature of the misstatements, both in relation to particular classes of transactions, account balances or disclosures and the nancial report as a whole, and the particular circumstances of their occurrence; and (Ref: Para. A13-A17, A19-A20) (b) The effect of uncorrected misstatements related to prior periods on the relevant classes of transactions, account balances or disclosures, and the nancial report as a whole. (Ref: Para. A18)
450.8
450.9
450.11
450.12
The auditor shall communicate with those charged with governance uncorrected misstatements and the effect that they, individually or in aggregate, may have on the opinion in the auditors report, unless prohibited by law or regulation. The auditors communication shall identify material uncorrected misstatements individually. The auditor shall request that uncorrected misstatements be corrected. (Ref: Para. A21-A23) The auditor shall also communicate with those charged with governance the effect of uncorrected misstatements related to prior periods on the relevant classes of transactions, account balances or disclosures, and the nancial report as a whole.
450.13
Practical guidance
549
Paragraph # 450.14
Relevant extracts from ASAs The auditor shall request a written representation from management and, where appropriate, those charged with governance whether they believe the effects of uncorrected misstatements are immaterial, individually and in aggregate, to the nancial report as a whole. A summary of such items shall be included in or attached to the written representation. (Ref: Para. A24) The auditor shall evaluate, based on the audit evidence, whether the accounting estimates in the nancial report are either reasonable in the context of the applicable nancial reporting framework, or are misstated. (Ref: Para. A116-A119)
540.18
The objective of evaluating misstatements is to determine the effect on the audit and whether there is a need to perform additional audit procedures. Revisions to the audit strategy and detailed audit plans may be required when: > The nature or circumstances of identied misstatements indicate that other misstatement(s) may exist that, when aggregated with known misstatements, could exceed performance materiality, or > The aggregate of identied and uncorrected misstatements comes close to or exceeds performance materiality. Consider point
Remember that there will always be a risk of undetected misstatements in the nancial report. This is because of the inherent limitations of an audit outlined in Part A, Chapter 1.1 of this Manual. PART B
Misstatements can arise in areas set out in the following exhibit.
Exhibit 36.4-1
Source Inaccuracies or fraud Description Mistakes may be made by the entitys personnel in gathering or processing data upon which the nancial report is prepared. This would also include errors made in cut-off at the period end. In addition to identifying specic misstatements, the auditor may also: > Quantify the mistakes in a particular population (such as sales) through monetary sampling. A likely aggregate of misstatements can be projected when a representative sample is used, and > Consider the nature of identied misstatements. If there are numerous misstatements affecting a particular balance or business location, it may be indicative of a risk of material misstatement due to fraud. Omissions or fraud Some transactions may not be recorded either by mistake or deliberately, the latter of which would constitute fraud.
550
Source Signicant transactions Journal entries
Description A lack of business rationale for signicant transactions (unusual or outside the normal course of business) could be intended to manipulate the nancial report or to conceal misappropriation of assets. Inappropriate or unauthorised journal entries may have occurred throughout the period or at period end. These could be used to manipulate amounts reported in the nancial report. Management estimates may calculate incorrectly, overlook or misinterpret certain facts, use faulty assumptions or contain some element of bias if the entitys estimate falls outside an acceptable range. Estimates could also be deliberately misstated to manipulate the nancial report results. There may be disagreements with managements judgements with respect to the fair value of certain assets, liabilities and components of equity required to be measured or disclosed at fair values in accordance with the nancial framework. There may be disagreements with management with regard to the selection and use of certain accounting policies. Uncorrected misstatements from prior periods would be reected in opening equity. If not adjusted, they may also cause a misstatement in the current period nancial report. Overstatement or understatement of revenues. For example, premature revenue recognition, recording ctitious revenues or improperly shifting revenues to a later period. Misstatements could result from unexpected deciencies in internal control. These would be discussed or reported to management and consideration would be given to performing additional work to identify other misstatements that may exist. Certain nancial report disclosures required by the accounting framework may be omitted, incomplete or inaccurate.
Errors in estimates
Errors in fair values
Selection and application of accounting policies Uncorrected misstatements in opening equity Revenue recognition
Internal control weaknesses
Financial report presentation or disclosures
Aggregating identied misstatements

Misstatements identied during the audit, other than those that are clearly trivial, should be aggregated. They can also be distinguished between factual misstatements, judgemental misstatements and projected misstatements. Consider point
Most quantitative misstatements can be aggregated so that the overall impact on the nancial report can be evaluated. However, some misstatements (such as incomplete or inaccurate nancial report disclosures) and qualitative ndings (such as the possible existence of fraud) cannot be aggregated. These misstatements should be documented and evaluated on an individual basis.
Practical guidance
551
To enable the aggregate effect of uncorrected misstatements to be evaluated, they can be documented on a centrally maintained working paper. This will provide a summary of all non-trivial uncorrected misstatements that have been identied. See toolkit item 335: Worksheet Summary of identied misstatements. There are a number of stages in the aggregation process where the impact of aggregated misstatements can be considered. These include the following:
Exhibit 36.4-2
Impact of aggregated misstatements Consider impact of uncorrected misstatements on > Each particular account balance or class of transactions. > Total current assets and current liabilities. > Total assets and liabilities. > Total revenues and expenses (pre-tax income). > Net income.
A possible approach to the aggregation of misstatements is illustrated in the exhibit below.

PART B
Note: The level of misstatements ($100) has been deemed trivial and will therefore not be accumulated.
Exhibit 36.4-3 Summary of identied misstatements

Amount of over (under) statement Description Failure to accrue for rent liability Unrecorded sales Receivables netted with payables Capital equipment expensed Circumstances of occurrence Factual resulting from oversight Projection from representative sample Factual classication error Judgement error in applying accounting policy (12,500) W/P ref. Assets Liabilities (5,500) Pre-tax income 5,500 Equity 4,125 Corrected? Yes
(12,500)
(9,375)
Yes
(5,500)
(5,500)
Yes
(13,500)
(13,500)
(10,125)
Yes
552
Amount of over (under) statement
Total of identied misstatements during the audit Misstatements corrected by management Total uncorrected misstatements
(31,500) 31,500 0
(11,000) 11,000 0
(20,500) 20,500 0
(15,375) 15,375 0
Identied misstatements are to be discussed with management on a timely basis, along with the request to correct them. Corrections could affect balances in the nancial report or rectify inadequate nancial report disclosures. The steps involved in addressing identied misstatements are set out below.
Exhibit 36.4-4
Addressing identied misstatements Re-evaluate materiality Consider the reasons and impact on audit plan Consider whether it may be necessary to revise the overall materiality prior to evaluating the effect of uncorrected misstatements, based on the actual nancial results. Consider the reasons for the misstatements identied during the audit. This includes: > Potential indicators of fraud > Possible for the existence of other misstatements > Existence of an unidentied risk, or > A signicant deciency in internal control. In light of the ndings above determine whether the overall audit strategy and audit plan need to be revised. This would be necessary when: > Other misstatements may exist that, when aggregated with misstatements accumulated during the audit, could be material, or > The aggregate of misstatements accumulated during the audit approaches materiality. Request management to make corrections Ask management to perform additional procedures Ask management to correct all identied misstatements, other than those that are clearly trivial. If the precise amount of misstatement in a population is not known (such as in a projection of misstatements identied in an audit sample) ask management to perform procedures to determine the amount of the actual misstatement and then to make appropriate adjustments to the nancial report. Where this occurs some additional audit procedures will be necessary to determine whether any misstatements remain.
Practical guidance
553
Management refuses to correct
If management refuses to correct some or all of the misstatements: > Obtain an understanding of managements reasons for not making the corrections and take this understanding into account when evaluating whether the nancial report is materially misstated > Communicate uncorrected misstatements with those charged with governance including their effect on the opinion in the auditors report (unless prohibited by law or regulation), and > Request that those charged with governance correct the misstatements that remain uncorrected by management.
In forming a conclusion as to whether the uncorrected misstatements (individually or in aggregate) would cause the nancial report as a whole to be materially misstated, the auditor would consider the factors listed in the exhibit below.
Exhibit 36.4-5
Consider Is there a material misstatement? The size and nature of misstatements, in relation to: > The nancial report as a whole
> The particular circumstances of their occurrence. The limitations inherent in judgemental or statistical testing. There is always the possibility that some misstatements may not be found. How close is the likely level of aggregate uncorrected misstatements to materiality level(s)? The risks of material misstatement increase as the likely aggregate misstatement approaches the materiality threshold. Quantitative considerations or the possibility of fraud where misstatements of a relatively small amount could have a material effect on the nancial report. The effect of uncorrected misstatements related to prior periods.
It is managements responsibility to adjust the nancial report to correct material misstatements (including inadequate disclosures) and to implement any other actions required.
Qualitative considerations
Some misstatements may be evaluated as material (individually or when considered together with other misstatements accumulated during the audit), even if they are lower than overall materiality. Examples of such matters are set out below.
PART B
> Particular classes of transactions, account balances and disclosures, and
554
Exhibit 36.4-6
Misstatements that Affect compliance Mask changes Increase management compensation Impact other parties Affect users understanding Are immaterial now but signicant in the future Bank covenants Affect performance ratios Description Non-compliance with regulatory requirements, debt covenants or other contractual requirements. For example, change in earnings or other trends, especially in the context of general economic and industry conditions. Misstatement that would ensure the requirements for bonuses or other compensation incentives is satised. For example, external and related parties. Omission of information (not specically required) but in the judgement of the auditor is important to the users understanding of the nancial position, nancial performance or cash ows of the entity. Incorrect selection or application of an accounting policy that has an immaterial effect on the current periods nancial report but is likely to have a material effect on future periods nancial report. A relatively small amount could be highly material to the entity if it resulted in the breach of a banking or loan covenant. Affects ratios used to evaluate the entitys nancial position, results of operations or cash ows.
Managements responsibility is to be evidenced by obtaining a written representation from management. This representation will state that any uncorrected misstatements (attach or include a list) are, in managements opinion, immaterial both individually and in the aggregate. If management disagrees with the assessment of misstatements, it may add to its written representation words such as: We do not agree that items ... and ... constitute misstatements because [description of reasons]. Note: When the auditor communicates ndings with those charged with governance, there is a requirement to identify material uncorrected misstatements individually. Where uncorrected misstatements by management are reported to those charged with governance and corrections are still not made, the auditor is required to obtain a similar representation. This would state that those charged with governance also believe that the effects of uncorrected misstatements are immaterial, individually and in aggregate, to the nancial report as a whole. A summary of such items is also to be included in or attached to the written representation.
Practical guidance
555
36.5
330.26
Sufcient appropriate audit evidence

Relevant extracts from ASAs The auditor shall conclude whether sufcient appropriate audit evidence has been obtained. In forming an opinion, the auditor shall consider all relevant audit evidence, regardless of whether it appears to corroborate or to contradict the assertions in the nancial report. (Ref: Para. A62) If the auditor has not obtained sufcient appropriate audit evidence as to a material nancial report assertion, the auditor shall attempt to obtain further audit evidence. If the auditor is unable to obtain sufcient appropriate audit evidence, the auditor shall express a qualied opinion or disclaim an opinion on the nancial report.
Paragraph #
330.27
The overall objective is to obtain sufcient appropriate evidence to reduce the risks of material misstatement in the nancial report to an acceptably low level. What constitutes sufcient appropriate audit evidence is ultimately a matter of professional judgement. It will primarily be based on the satisfactory performance of further audit procedures designed to address the assessed risks of material misstatement. This includes any additional or modied procedures that were performed to address changes identied in the original assessment of risk. Some of the factors to consider in evaluating the sufciency and appropriateness of audit evidence include the factors outlined in the exhibit below.
Exhibit 36.5-1
Evaluating the sufciency and appropriateness of audit evidence Factors to consider Materiality of misstatements > How signicant is a misstatement in the assertion being addressed and what is the likelihood of it having a material effect (individually or aggregated with other potential misstatements) on the nancial report? Management responses > How responsive is management to audit ndings and how effective is the internal control in addressing risk factors? Previous experience > What has been the previous experience in performing similar procedures and were any misstatements identied? Results of performed audit procedures > Do the results of performed audit procedures support the objectives and is there any indication of fraud or error? Quality of information > Are the source and reliability of the available information appropriate for supporting the audit conclusions?
PART B
556
Evaluating the sufciency and appropriateness of audit evidence Factors to consider (continued) Persuasiveness > How persuasive (convincing) is the audit evidence? Understanding the entity > Does the evidence obtained support or contradict the results of the risk assessment procedures (which were performed to obtain an understanding of the entity and its environment including internal control)?
If it is not possible to obtain sufcient appropriate audit evidence, the auditor would express a qualied opinion or a disclaimer of opinion.
36.6
520.6
Final analytical procedures

Relevant extracts from ASAs The auditor shall design and perform analytical procedures near the end of the audit that assist the auditor when forming an overall conclusion as to whether the nancial report is consistent with the auditors understanding of the entity. (Ref: Para. A17-A19)
Paragraph #
In addition to performing analytical procedures for the purposes of risk assessment and then later as a substantive procedure, the auditor is required to apply analytical procedures at, or near the end of, the audit when forming an overall conclusion (ASA 520). The objectives for carrying out these nal analytical procedures are to: > Identify a previously unrecognised risk of material misstatement > Ensure the conclusions formed during the audit on individual components or elements of the nancial report can be corroborated, and > Assist in arriving at the overall conclusion as to the reasonableness of the nancial report. If new risks or unexpected relationships between data are identied, the auditor may need to re-evaluate the audit procedures planned or performed.
36.7
Signicant ndings and issues
The nal step in the evaluation process is to record all signicant ndings or issues in an engagement completion document. This document may include: > All information necessary to understand the signicant ndings or issues, or > Cross-references, as appropriate, to other available supporting audit documentation.
Practical guidance
557
This document would also include conclusions about information the auditor has identied relating to signicant matters that are inconsistent with, or contradict, the auditors nal conclusions. However, this requirement does not extend to retention of documentation that is incorrect or superseded, such as drafts of the nancial report that may have been incomplete.
36.8
Case studies evaluating audit evidence
For details of the case studies, refer to Part B, Chapter 17 Introduction to the case studies. As a result of performing the planned audit procedures, the following unadjusted misstatements and matters were noted.

[Date]
Extract from the summary of possible adjustments ONeal Furniture

Amount of over (under) statement Description Errors in inventory valuation calculation. Personal expenses paid through ONeal Furniture and not added to shareholder account. Customer account over 90 days and no subsequent payments received. Circumstances of occurrence New clerk made some mistakes. Found during expense testing. This prompted some additional work to nd similar items. W/P Ref. D.300 Assets (19,000) Liabilities Pre-tax income (19,000) Equity (15,200) Corrected? Yes
550.8
(4,800)
(4,800)
(3,840)
Yes
Review of ageing and subsequent payments.
C.305
12,000
12,000
9,600
Yes
Total of identied misstatements during the audit
(7,000)
(4,800)
(11,800)
(9,440)
PART B
558
Amount of over (under) statement Misstatements corrected by management Total uncorrected misstatements (7,000) 0 (4,800) 0 (11,800) 0 (9,440) 0
A cross reference would also be provided in the listing above to where additional work has been performed to ensure other similar misstatements do not exist or that the misstatement is not indicative of a more serious issue such as management override.
Extract from the memo to le regarding evaluation of audit evidence

Audit nding A number of clerical errors in the inventory valuation resulted in an understatement of $19,000 worth of inventory. Planned response The nature of the errors should be reviewed to identify any area of weakness in internal control. Additional work should be performed to identify if any other signicant errors have not been discovered. Include comment in management letter. During expense testing, it was discovered that $4800 of equipment maintenance expenses were related to the service costs of Sams personal Mercedes-Benz SUV. Additional work should be performed to identify any other unidentied transactions that relate to personal use. If others are found, consider whether this is a lapse in managements integrity and an indicator of possible fraud. Continue to monitor cash receipts to the date of the subsequent events work. Review the collection history of the clients in the past and try to obtain more information about the companies.
During the accounts receivable testing, we noted that some accounts were greater than 90 days and no payments had been received on these accounts during our accounts receivable testing. Although Sam assured us these accounts are collectable (since the customer has conrmed the balance), collection seems unlikely. Recorded as an unadjusted error. Some of the tools and equipment in the accounting records do not seem to be used anymore. Machines have been purchased that do the same work in a fraction of the time. Management still feels the assets have value, as they would still be used in the event of a machine breakdown.
Enquire whether the tools and equipment were, in fact, used in the past period. Determine the capital cost of the tools and equipment and whether a write-down is required.
Practical guidance
559
Case study B Kane & Co. Extract from memo on summary of possible adjustments
Inventory Inventory listing from our inventory count did not tie into the nal listing understated inventory by $1,800 and income by $1,800; see WP D.108. Audit response Error was caused by Ruby not using the nal inventory listing. Our substantive procedures will be expanded to test that all adjustments discussed at the count have been reected in the nal listing. Accounts payable cut-off error Ruby did not accrue for a major repair and service to the lathe. Caught during subsequent payments testing. See WP CC.110. Affects liabilities and pre-tax income by $900. Audit response Should expand scope of our cut-off testing since it appears Ruby was too busy this period to keep a listing of all expenses paid subsequent to period end that related to scal 20X2. Threshold for testing lowered to $400 Management has agreed to correct these misstatements. Prepared by: FJ [Date] Reviewed by: LF [Date]
PART B
560
37.
Communicating with those charged with governance

Relevant ASAs
Chapter content Guidance on how to promote an effective two-way communication between the auditor and those charged with governance and what audit ndings and other matters are to be communicated.
260, 265,450
Exhibit 37.0-1
Activity
Purpose
Documentation 1
Reporting
Yes
Is additional work required? No
Paragraph # 260.9
ASA objective(s) The objectives of the auditor are: (a) To communicate clearly with those charged with governance the responsibilities of the auditor in relation to the nancial report audit, and an overview of the planned scope and timing of the audit; (b) To obtain from those charged with governance information relevant to the audit; (c) To provide those charged with governance with timely observations arising from the audit that are signicant and relevant to their responsibility to oversee the nancial reporting process; and (d) To promote effective two-way communication between the auditor and those charged with governance.
Practical guidance
561
Paragraph # 260.10
Relevant extracts from ASAs For the purposes of the Australian Auditing Standards, the following terms have the meanings attributed below: (a) Those charged with governance mean the person(s) or organisation(s) (for example, a corporate trustee) with responsibility for overseeing the strategic direction of the entity and obligations related to the accountability of the entity. This includes overseeing the nancial reporting process. For some entities in some jurisdictions, those charged with governance may include management personnel, for example, executive members of a governance board of a private or public sector entity, or an owner-manager. For discussion of the diversity of governance structures, see paragraphs A1-A8. (b) Management means the person(s) with executive responsibility for the conduct of the entitys operations. For some entities in some jurisdictions, management includes some or all of those charged with governance, for example, executive members of a governance board or an owner-manager.
260.11 260.12
The auditor shall determine the appropriate person(s) within the entitys governance structure with whom to communicate. (Ref: Para. A1-A4) If the auditor communicates with a subgroup of those charged with governance, for example, an audit committee or an individual, the auditor shall determine whether the auditor also needs to communicate with the governing body. (Ref: Para. A5-A7) In some cases, all of those charged with governance are involved in managing the entity, for example, a small business where a single owner manages the entity and no one else has a governance role. In these cases, if matters required by this Auditing Standard are communicated with person(s) with management responsibilities, and those person(s) also have governance responsibilities, the matters need not be communicated again with those same person(s) in their governance role. These matters are noted in paragraph 16(c) of this Auditing Standard. The auditor shall nonetheless be satised that communication with person(s) with management responsibilities adequately informs all of those with whom the auditor would otherwise communicate in their governance capacity. (Ref: Para. A8) The auditor shall communicate with those charged with governance the responsibilities of the auditor in relation to the nancial report audit, including that: (a) The auditor is responsible for forming and expressing an opinion on the nancial report that has been prepared by management with the oversight of those charged with governance; and (b) The audit of the nancial report does not relieve management or those charged with governance of their responsibilities. (Ref: Para. A9-A10)
260.13
260.14
260.15
The auditor shall communicate with those charged with governance an overview of the planned scope and timing of the audit. (Ref: Para. A11-A15)
PART B
562
Paragraph # 260.16
Relevant extracts from ASAs The auditor shall communicate with those charged with governance: (Ref: Para. A16) (a) The auditors views about signicant qualitative aspects of the entitys accounting practices, including accounting policies, accounting estimates and nancial report disclosures. When applicable, the auditor shall explain to those charged with governance why the auditor considers a signicant accounting practice, that is acceptable under the applicable nancial reporting framework, not to be most appropriate to the particular circumstances of the entity; (Ref: Para. A17) (b) Signicant difculties, if any, encountered during the audit; (Ref: Para. A18) (c) Unless all of those charged with governance are involved in managing the entity: (i) Signicant matters, if any, arising from the audit that were discussed, or subject to correspondence with management; and (Ref: Para. A19) (ii) Written representations the auditor is requesting; and (d) Other matters, if any, arising from the audit that, in the auditors professional judgement, are signicant to the oversight of the nancial reporting process. (Ref: Para. A20)
260.17
In the case of listed entities the auditor shall communicate with those charged with governance: (a) A statement that the engagement team and others in the rm as appropriate, the rm and, when applicable, network rms have complied with relevant ethical requirements regarding independence; and (b) (i) All relationships and other matters between the rm, network rms, and the entity that, in the auditors professional judgement, may reasonably be thought to bear on independence. This shall include total fees charged during the period covered by the nancial report for audit and nonaudit services provided by the rm and network rms to the entity and components controlled by the entity. These fees shall be allocated to categories that are appropriate to assist those charged with governance in assessing the effect of services on the independence of the auditor; and (ii) The related safeguards that have been applied to eliminate identied threats to independence or reduce them to an acceptable level. (Ref: Para. A21-A23) Aus 17.1 In the case of entities audited in accordance with the Corporations Act 2001, the auditor shall communicate with those charged with governance a statement that the engagement team and others in the rm as appropriate, the rm, and, when applicable network rms, have complied with the independence requirements of section 307C of the Corporations Act 2001.
260.18
The auditor shall communicate with those charged with governance the form, timing and expected general content of communications. (Ref: Para. A28-A36)
Practical guidance
563
Paragraph # 260.19
Relevant extracts from ASAs The auditor shall communicate in writing with those charged with governance regarding signicant ndings from the audit if, in the auditors professional judgement, oral communication would not be adequate. Written communications need not include all matters that arose during the course of the audit. (Ref: Para. A37-A39) Aus 19.1 If the auditor is concerned that a written report intended for those charged with governance has not been, or may not be, distributed to all members of that group, the auditor shall endeavour to ensure all members are appropriately informed of the contents of the report.
260.21 260.22
The auditor shall communicate with those charged with governance on a timely basis. (Ref: Para. A40-A41) The auditor shall evaluate whether the two-way communication between the auditor and those charged with governance has been adequate for the purpose of the audit. If it has not, the auditor shall evaluate the effect, if any, on the auditors assessment of the risks of material misstatement and ability to obtain sufcient appropriate audit evidence, and shall take appropriate action. (Ref: Para. A42-A44) Where matters required by this Auditing Standard to be communicated are communicated orally, the auditor shall include them in the audit documentation, and when and to whom they were communicated. Where matters have been communicated in writing, the auditor shall retain a copy of the communication as part of the audit documentation. (Ref: Para. A45) The auditor shall communicate in writing signicant deciencies in internal control identied during the audit to those charged with governance on a timely basis. (Ref: Para. A12-A18, A27) The auditor shall communicate with those charged with governance uncorrected misstatements and the effect that they, individually or in aggregate, may have on the opinion in the auditors report, unless prohibited by law or regulation. The auditors communication shall identify material uncorrected misstatements individually. The auditor shall request that uncorrected misstatements be corrected. (Ref: Para. A21-A23) The auditor shall also communicate with those charged with governance the effect of uncorrected misstatements related to prior periods on the relevant classes of transactions, account balances or disclosures, and the nancial report as a whole.
260.23
265.9
450.12
450.13
37.1
Overview
Effective two-way communication between the auditor and those charged with governance is an important element of every audit. This enables: > The auditor to communicate required and other matters > Those charged with governance to provide the auditor with information that might not otherwise have been available. This information could be helpful to the auditor in planning and evaluating the results.
PART B
564
37.2
Governance
Governance structures can vary by entity depending on the legal structure, size and ownership characteristics. In most entities, governance is the collective responsibility of a governing body, such as a board of directors, a supervisory board, partners, proprietors, a committee of management, a council of governors, trustees or equivalent persons. In smaller entities, one person may be charged with governance, for example, the owner-manager where there are no other owners, or a sole trustee. In these cases, if matters are required to be communicated with management, they need not be communicated again with those same person(s) in their governance role. However, where there is more than one person charged with governance of the entity (such as other family members), the auditor would take steps to ensure that every person is adequately informed. In other entities, where governance is a collective responsibility, the auditors communications may be directed to a subgroup of those charged with governance, such as an audit committee. In these cases, the auditor would determine whether there is also a need to communicate with the entire governing body. This determination would be based on: > The respective responsibilities of the subgroup and the governing body > The nature of the matter to be communicated > Relevant legal or regulatory requirements, and > Whether the subgroup has the authority to take action in relation to the information communicated and can provide further information and explanations the auditor may need. Where the appropriate person(s) with whom to communicate may not be clearly identiable from the applicable legal framework or other engagement circumstances, the auditor may need to discuss and agree with the engaging party the relevant person(s) with whom to communicate. In deciding with whom to communicate, the auditors understanding of an entitys governance structure and processes would be relevant. The appropriate person(s) with whom to communicate may also vary depending on the matter to be communicated. When the entity is a component of a group, the appropriate person(s) with whom the component auditor communicates depends on the engagement circumstances and the matter to be communicated. In some cases, a number of components may be conducting the same businesses within the same system of internal control and using the same accounting practices. Where those charged with governance of those components are the same (for example, common board of directors), duplication may be avoided by dealing with these components concurrently for the purpose of communication.
Practical guidance
565
37.3
Matters to be communicated
Audit matters of governance interest include: > Auditors responsibilities in relation to the nancial report audit > Planned scope and timing of the audit, and > Signicant ndings arising from the audit. The auditor is not required to design audit procedures for the specic purpose of identifying matters of governance interest. Consider point
Take the time to develop constructive working relationships with those charged with governance. This will help to improve the effectiveness of communications between the parties.
See toolkit item 340: Matters to be communicated with those charged with governance.
Those charged with governance are to be informed about signicant matters relevant to their role of overseeing the nancial reporting process. This includes communicating that: > The audit of the nancial report does not relieve management or those charged with governance of their responsibilities, and > The auditors responsibilities include: Forming and expressing an opinion on the nancial report that has been prepared by management with the oversight of those charged with governance, and Communicating signicant matters arising from the audit of the nancial report. This requirement can often be met by providing those charged with governance with a copy of the audit engagement letter. This will inform those charged with governance about the matters set out below.
PART B
Auditors responsibilities
566
Exhibit 37.3-1
Nature of communication Provide a copy of audit engagement letter The auditors responsibility for performing the audit in accordance with ASAs. The ASA requires that signicant matters arising from the audit, relevant to those charged with governance in overseeing the nancial reporting, will be communicated. ASAs do not require the auditor to design procedures for the purpose of identifying supplementary matters to communicate with those charged with governance. The auditors responsibility (where applicable) for communicating particular matters required by law or regulation, by agreement with the entity or by additional requirements applicable to the engagement (for example, the standards of a national professional accountancy body).
Planned scope and timing of the audit

The purpose of discussing audit planning is to promote two-way communication between the auditor and those charged with governance. However, care must be taken not to provide detailed information (such as the nature and timing of specic audit procedures) that could compromise the effectiveness of the audit. This is of particular concern where some or all of those charged with governance are involved in managing the entity. Matters to be discussed would include matters set out following.
Exhibit 37.3-2
Description The audit plan > General details of the audit plan, scope and timing. > The application of the concept of materiality in the audit. > How signicant risks of material misstatement, whether due to fraud or error, will be addressed. > Approach to internal control relevant to the audit. > Signicant changes in accounting standards and the likely impact. Obtain input from those charged with governance (that may impact audit plans) > Discussion about the entitys objectives and strategies, any signicant communications with regulators and the related business risks that may result in material misstatements. > Description of the oversight exercised over: Adequacy of internal control including the risks of fraud Competency and integrity of management, and Responses to previous communications with the auditor. > Matters that warrant particular attention during the audit. > Requests for the auditor to undertake additional procedures. > Other matters that may inuence the audit of the nancial report.
Practical guidance
567
Signicant ndings from the audit

Except where a matter relates to managements competence or integrity, the auditor would initially discuss audit matters of governance interest with management. These initial discussions serve to clarify the facts and issues and give management an opportunity to provide further information. An appendix to ASA 260 (reproduced below) provides a list of specic matters requiring communication with those charged with governance. These requirements have been addressed in other parts of the Manual.
Exhibit 37.3-3
ASA # ASQC 1 ASA title Quality Control for Firms That Perform Audits and Reviews of Financial Reports and Other Financial Information, and Other Assurance Engagements The Auditors Responsibilities Relating to Fraud in an Audit of a Financial Report Consideration of Laws and Regulations in an Audit of a Financial Report Communicating Deciencies in Internal Control to Those Charged with Governance and Management Evaluation of Misstatements Identied during the Audit External Conrmations Initial Audit Engagements Opening Balances Related Parties Subsequent Events Going Concern Special Considerations Audits of a Group Financial Report (Including the Work of Component Auditors) Modications to the Opinion in the Independent Auditors Report Emphasis of Matter and Other Matter Paragraphs in the Independent Auditors Report Comparative Information Corresponding Figures and Comparative Financial Reports The Auditors Responsibilities Relating to Other Information in Documents Containing an Audited Financial Report Paragraph 30(a)
ASA 240 ASA 250 ASA 265 ASA 450 ASA 505 ASA 510 ASA 550 ASA 560 ASA 570 ASA 600 ASA 705 ASA 706 ASA 710 ASA 720
21, 38(c)(i) 40-42 14,19 22-24 9 12-13 9 7 27 7(b)-(c),10(a), 13(b), 14(a) 17 23 49 12,14, 19(a) 28 9 18 10,13,16
Some of the more common matters of governance interest that may be communicated (preferably in writing) are outlined below.
PART B
568
Exhibit 37.3-4
Audit matters Accounting policies Communication considerations The selection of (or changes in) signicant accounting policies and practices that have or could have a material effect on the entitys nancial report. Matters of governance interest previously communicated that could have an effect on the current periods nancial report. The potential effect on the nancial report of any material risks (such as pending litigation) that require disclosure in the nancial report. Material uncertainties related to events and conditions that may cast signicant doubt on the entitys ability to continue as a going concern. Business conditions affecting the entity and its business plans and strategies that may affect the risks of material misstatement. Concerns about managements consultations with other accountants on accounting or auditing matters. Signicant difculties encountered This could include: > Resolution of difcult accounting or audit issues > Unavailable documents required for the audit > Personnel unable to answer questions > Scope limitations and how they were resolved, and > Disagreements with management about matters that, individually or in aggregate, could be signicant to the entitys nancial report or the auditors report. Comments on entity management Questions regarding managements competence: > Signicant deciencies in internal control > Questions regarding managements integrity > Signicant transactions with related parties > Illegal acts, and > Fraud involving management. Audit adjustments Uncorrected misstatements Uncorrected audit adjustments that have or could have a material effect on the entitys nancial report. Uncorrected misstatements that were determined by management to be immaterial (other than trivial amounts), both individually and in the aggregate, to the nancial report taken as a whole. Outline the reasons for any expected modications to the auditors report. Any other matters agreed upon in the terms of the audit engagement. A statement that the engagement team and others have complied with the independence requirements. Other matters, if any, arising from the audit that in the auditors professional judgement are signicant to the oversight of the nancial reporting process.
Prior period communications Risks of material misstatement Material uncertainties Concerns
The auditors report Agreed-upon matters Independence Other matters
Practical guidance
569
Consider point
Communicate signicant matters in writing where possible. A letter or report provides a document shared by both parties that outlines the matters to be communicated. If the required matters are communicated verbally, take minutes of the meeting which can be shared with the entity to form an appropriate record that the communication took place.
Documentation
Where matters required to be communicated by an ASA are communicated orally, prepare notes for the le describing when and to whom these matters were communicated. Where matters have been communicated in writing, retain a copy of the communication as part of the audit documentation. See toolkit item 455: Worksheet Notes on meeting with management and others.
Timeliness
Ensure that audit matters of interest are communicated on a timely basis so that those charged with governance can take appropriate action.
PART B
37.4
Case studies communicating with those charged with governance
Case study A ONeal Furniture Pty Ltd Audit matters of governance interest
The following is an extract from the letter sent to management and those charged with governance.
[Date] Mr Sam ONeal ONeal Furniture Pty Ltd 2255 West Street North Parramatta NSW 2150 Dear Sam, The matters raised in this report arise from our nancial report audit and relate to matters that we believe need to be brought to your attention.
570
We have substantially completed our audit of ONeal Furnitures nancial report in accordance with professional standards. We expect to release our audit report dated [date] as soon as we obtain the signed letter of representation. Our audit is performed to obtain reasonable assurance whether the nancial report is free of material misstatements. Absolute assurance is not possible due to the inherent limitations of an audit and of internal control, resulting in the unavoidable risk that some material misstatements may not be detected. In planning our audit, we consider internal control over nancial reporting to determine the nature, extent and timing of audit procedures. However, a nancial report audit does not provide assurance on the effective operation of internal control at ONeal Furniture. However, if in the course of our audit, certain deciencies in internal control come to our attention, these will be reported to you. Please refer to Appendix A to this letter (not included). Because fraud is deliberate, there are always risks that material misstatements, fraud and other illegal acts may exist and not be detected by our audit of the nancial report. The following is a summary of ndings resulting from the performance of the audit. 1. We did not identify any material matters (other than the identied misstatements already discussed with you and have now been corrected) that need to brought to your attention 2. We received good cooperation from management and employees during our audit. To the best of our knowledge, we also had complete access to the accounting records and other documents that we needed in order to carry out our audit. We did not have any disagreements with management, and we have resolved all auditing, accounting and disclosure issues to our satisfaction. We would also like to draw the following matters to your attention: > Changes during the period in professional pronouncements. See Appendix B (not included). > Other matters identied that may be of interest to management. See Appendix C (not included). Please note that Australian Auditing Standards do not require us to design procedures for the purpose of identifying supplementary matters to communicate with those charged with governance. Accordingly, an audit would not usually identify all such matters. This communication is prepared solely for the information of management and is not intended for any other purpose. We accept no responsibility to a third party who uses this communication. Yours truly,
Sang Jun Lee Jamel, Woodwind & Wing Chartered Accountants
Practical guidance
571

Memo to le: Communication to those charged with governance Audit adjustments and ndings We discussed the adjustments to the inventory balance and the accounts payable accruals with Robert. He indicated that because of his family issues, he had not spent as much time supervising Ruby and approving transactions this period, so he was not surprised that things were missed. He did promise to ensure that Ruby tracks accounts paid subsequent to the period end for accrual purposes better next period. We indicated that except for the adjustments found, we had not found any other material issues during our audit and that Ruby had been very helpful. Other recommendations During our IT control discussion, we had become aware that Ruby has never tested the backup for the accounting package and recommended that Robert test the back-up to make sure that the accounting records could be backed up. In the event of a crash, a loss of accounting records would have a signicant impact on our ability to perform an audit. Prepared by: SL [Date]
PART B
572
38.
Modications to the auditors report

Relevant ASAs
Chapter content Guidance on how to express an appropriately modied opinion on the nancial report when necessary.
705
Exhibit 38.0-1
Activity
Purpose
Documentation1
Reporting
yes
Is additional work required? no
Paragraph # 705.4
ASA objective(s) The objective of the auditor is to express clearly an appropriately modied opinion on the nancial report that is necessary when: (a) The auditor concludes, based on the audit evidence obtained, that the nancial report as a whole is not free from material misstatement; or (b) The auditor is unable to obtain sufcient appropriate audit evidence to conclude that the nancial report as a whole is free from material misstatement.
Practical guidance
573
Paragraph # 705.5
Relevant extracts from ASAs For the purposes of the Australian Auditing Standards, the following terms have the meanings attributed below: (a) Pervasive means a term used, in the context of misstatements, to describe the effects on the nancial report of misstatements or the possible effects on the nancial report of misstatements, if any, that are undetected due to an inability to obtain sufcient appropriate audit evidence. Pervasive effects on the nancial report are those that, in the auditors judgement: (i) Are not conned to specic elements, accounts or items of the nancial report; (ii) If so conned, represent or could represent a substantial proportion of the nancial report; or (iii) In relation to disclosures, are fundamental to users understanding of the nancial report. (b) Modied opinion means a qualied opinion, an adverse opinion or a disclaimer of opinion.
705.6
The auditor shall modify the opinion in the auditors report when: (a) The auditor concludes that, based on the audit evidence obtained, the nancial report as a whole is not free from material misstatement; or (Ref: Para. A2-A7) (b) The auditor is unable to obtain sufcient appropriate audit evidence to conclude that the nancial report as a whole is free from material misstatement. (Ref: Para. A8-A12)
705.7
The auditor shall express a qualied opinion when: (a) The auditor, having obtained sufcient appropriate audit evidence, concludes that misstatements, individually or in the aggregate, are material, but not pervasive, to the nancial report; or (b) The auditor is unable to obtain sufcient appropriate audit evidence on which to base the opinion, but the auditor concludes that the possible effects on the nancial report of undetected misstatements, if any, could be material but not pervasive.
705.8
The auditor shall express an adverse opinion when the auditor, having obtained sufcient appropriate audit evidence, concludes that misstatements, individually or in the aggregate, are both material and pervasive to the nancial report. The auditor shall disclaim an opinion when the auditor is unable to obtain sufcient appropriate audit evidence on which to base the opinion, and the auditor concludes that the possible effects on the nancial report of undetected misstatements, if any, could be both material and pervasive. The auditor shall disclaim an opinion when, in extremely rare circumstances involving multiple uncertainties, the auditor concludes that, notwithstanding having obtained sufcient appropriate audit evidence regarding each of the individual uncertainties, it is not possible to form an opinion on the nancial report due to the potential interaction of the uncertainties and their possible cumulative effect on the nancial report.
705.9
705.10
PART B
574
Paragraph # 705.11
Relevant extracts from ASAs If, after accepting the engagement, the auditor becomes aware that management has imposed a limitation on the scope of the audit that the auditor considers likely to result in the need to express a qualied opinion or to disclaim an opinion on the nancial report, the auditor shall request that management remove the limitation. If management refuses to remove the limitation referred to in paragraph 11 of this Auditing Standard, the auditor shall communicate the matter to those charged with governance, unless all of those charged with governance are involved in managing the entity, and determine whether it is possible to perform alternative procedures to obtain sufcient appropriate audit evidence. If the auditor is unable to obtain sufcient appropriate audit evidence, the auditor shall determine the implications as follows: (a) If the auditor concludes that the possible effects on the nancial report of undetected misstatements, if any, could be material but not pervasive, the auditor shall qualify the opinion; or (b) If the auditor concludes that the possible effects on the nancial report of undetected misstatements, if any, could be both material and pervasive so that a qualication of the opinion would be inadequate to communicate the gravity of the situation, the auditor shall: (i) Withdraw from the audit, where practicable and possible under applicable law or regulation; or (Ref: Para. Aus A12.1-A14) (ii) If withdrawal from the audit before issuing the auditors report is not practicable or possible, disclaim an opinion on the nancial report.
705.12
705.13
705.14
If the auditor withdraws as contemplated by paragraph 13(b)(i) of this Auditing Standard, before withdrawing, the auditor shall communicate to those charged with governance any matters regarding misstatements identied during the audit that would have given rise to a modication of the opinion. (Ref: Para. A15-Aus A15.1) When the auditor considers it necessary to express an adverse opinion or disclaim an opinion on the nancial report as a whole, the auditors report shall not also include an unmodied opinion with respect to the same nancial reporting framework on a single nancial report or one or more specic elements, accounts or items of a nancial report. To include such an unmodied opinion in the same report in these circumstances would contradict the auditors adverse opinion or disclaimer of opinion on the nancial report as a whole. (Ref: Para. A16) When the auditor modies the opinion on the nancial report, the auditor shall, in addition to the specic elements required by ASA 700, include a paragraph in the auditors report that provides a description of the matter giving rise to the modication. The auditor shall place this paragraph immediately before the opinion paragraph in the auditors report and use the heading Basis for Qualied Opinion, Basis for Adverse Opinion or Basis for Disclaimer of Opinion, as appropriate. (Ref: Para. A17)
705.15
705.16
Practical guidance
575
Paragraph # 705.17
Relevant extracts from ASAs If there is a material misstatement of the nancial report that relates to specic amounts in the nancial report (including quantitative disclosures), the auditor shall include in the basis for modication paragraph a description and quantication of the nancial effects of the misstatement, unless impracticable. If it is not practicable to quantify the nancial effects, the auditor shall so state in the basis for modication paragraph. (Ref: Para. A18) If there is a material misstatement of the nancial report that relates to narrative disclosures, the auditor shall include in the basis for modication paragraph an explanation of how the disclosures are misstated. If there is a material misstatement of the nancial report that relates to the non-disclosure of information required to be disclosed, the auditor shall: (a) Discuss the non-disclosure with those charged with governance; Aus 19.1 Request management and/or those charged with governance to correct the non-disclosure in the nancial report; (Ref: Para. Aus A19.1)
705.18
705.19
(b) Describe in the basis for modication paragraph the nature of the omitted information; and (c) Unless prohibited by law or regulation, include the omitted disclosures, provided it is practicable to do so and the auditor has obtained sufcient appropriate audit evidence about the omitted information. (Ref: Para. A19) Aus 19.2 Where, under paragraph 19(c) of this Auditing Standard, the omitted disclosures are not included in the basis of modication paragraph, the auditor shall include the reasons for the omission from the basis of modication paragraph.
705.20
If the modication results from an inability to obtain sufcient appropriate audit evidence, the auditor shall include in the basis for modication paragraph the reasons for that inability. Even if the auditor has expressed an adverse opinion or disclaimed an opinion on the nancial report, the auditor shall describe in the basis for modication paragraph the reasons for any other matters of which the auditor is aware that would have required a modication to the opinion, and the effects thereof. (Ref: Para. A20)
705.21
38.1
Overview
The auditor is required to clearly express an appropriately modied opinion on the nancial report in situations such as those set out in the following exhibit.
PART B
576
Exhibit 38.1-1
Situations Modied report necessary (qualied, adverse or disclaimer of opinion) Financial report is materially misstated Based on the audit evidence obtained, the nancial report as a whole is not free from material misstatement. This would include uncorrected misstatements that are material, the appropriateness or application of accounting principles and the failure to disclose information that results in a material misstatement. Inability to obtain sufcient appropriate audit evidence Unable to obtain sufcient appropriate audit evidence to conclude that the nancial report as a whole is free from material misstatement. This could include: > Circumstances beyond the control of the entity, such as a re that damaged accounting records > Circumstances relating to the nature or timing of the auditors work, such as an inability to attend an inventory count, or > Limitations imposed by management such as management not allowing the auditor to obtain an external conrmation of certain receivables.
38.2
Modications to the audit opinion
A modied audit opinion is required where the auditor concludes that: > Based on the audit evidence obtained, the nancial report as a whole is not free from material misstatement, or > It is not possible to obtain sufcient appropriate audit evidence that the nancial report as a whole is free from material misstatement. There are three types of modied opinions. These are qualied, adverse and a disclaimer of opinion. The exhibit below (reproduced from ASA 705.A1) illustrates how the type of opinion to be expressed is affected by the auditors judgement about: > The nature of the matter giving rise to the modication, and > The pervasiveness of its effects or possible effects on the nancial report.
Exhibit 38.2-1
Nature of matter giving rise to the modication Financial report is materially misstated Auditors judgement about the pervasiveness of the effects or possible effects on the nancial report Material but not pervasive Qualied opinion Material and pervasive Adverse opinion
Practical guidance
577
Inability to obtain sufcient appropriate audit evidence
Qualied opinion
Disclaimer of opinion
The appropriate use of the three types of modications is described in the exhibit below.
Exhibit 38.2-2
Type Qualied opinion Applicability When the effect is not material and pervasive enough to require an adverse or disclaimer of opinion. This applies where: > Sufcient appropriate audit evidence was obtained but the auditor concludes that misstatements exist, individually or in the aggregate, that are material but not pervasive to the nancial report, or > The auditor is unable to obtain sufcient appropriate audit evidence on which to base the opinion. The auditor concludes that the possible effects on the nancial report of undetected misstatements, if any, could be material but not pervasive. Worded as In our opinion, except for the effects (or the possible effects) of the matter described in the Basis for Qualied Opinion paragraph, the nancial report presents fairly, in all material respects [or gives a true and fair view of] When the effects of misstatements are both material and pervasive. This applies where sufcient appropriate audit evidence was obtained but the auditor concludes that misstatements, individually or in the aggregate, are both material and pervasive to the nancial report. In our opinion, because of the signicance of the matter discussed in the Basis for Adverse Opinion paragraph, the nancial report does not present fairly [or does not give a true and fair view of] When the possible effect of undetected misstatements, if any, could be both material and pervasive. This applies where the auditor is unable to obtain sufcient appropriate audit evidence on which to base the opinion and concludes that the possible effects of undetected misstatements, if any, could be both material and pervasive. This also applies to extremely rare circumstances where it is not possible to form an opinion due to the potential interaction of multiple uncertainties and their possible cumulative effect on the nancial report. This applies even where the auditor has obtained sufcient audit evidence regarding each of the individual uncertainties. Worded as Because of the signicance of the matter described in the Basis for Disclaimer of Opinion paragraph, we have not been able to obtain sufcient appropriate audit evidence to provide a basis for an audit opinion. Accordingly, we do not express an opinion on the nancial report.
Adverse opinion
Worded as
Disclaimer of opinion
PART B
578
The only alternative to issuing an adverse or disclaimer of opinion would be withdrawing from the audit altogether (where permissible) and not issuing an opinion. When a modication is required, the details would be provided in a basis for modication as paragraph described below.
Exhibit 38.2-3
Basis for modication paragraph Purpose Sets out details of the modication in a separate paragraph (uniformly worded to the extent possible) preceding the opinion or disclaimer of opinion on the nancial report. The paragraph would be headed Basis for Qualied Opinion, Basis for Adverse Opinion, or Basis for Disclaimer of Opinion. Wording The paragraph would include: > The substantive reasons for qualication > Unless impracticable, quantication of the possible effect(s) on the nancial report of modications involving specic amounts in the nancial report (including quantitative disclosures). This would include quantication of the effects on the account balances, classes of transactions and disclosures affected plus the effect on income before taxes, net income and equity > When applicable, a statement that it is not practical to quantify the nancial effects > Where the material misstatement relates to narrative disclosures, an explanation of how the disclosures are misstated > Nature of omitted information unless disclosures are not readily available, not prepared by management or would be unduly voluminous in the report, and > A description of all identied matters that would have required a modication of the auditors opinion. An adverse or disclaimer of opinion relating to one specic matter does not justify the omission of other matters that would have required a modied auditors report. Notes to the nancial report The auditors report may make reference to a more extensive discussion in a note to the nancial report.
Practical guidance
579
38.3
450.4
Financial report is materially misstated

Relevant extracts from ASAs For the purposes of the Australian Auditing Standards, the following terms have the meanings attributed below: (a) Misstatement means a difference between the amount, classication, presentation or disclosure of a reported nancial report item and the amount, classication, presentation or disclosure that is required for the item to be in accordance with the applicable nancial reporting framework. Misstatements can arise from error or fraud. (Ref: Para. A1) When the auditor expresses an opinion on whether the nancial report is presented fairly, in all material respects, or gives a true and fair view, misstatements also include those adjustments of amounts, classications, presentation, or disclosures that, in the auditors judgement, are necessary for the nancial report to be presented fairly in all material respects, or to give a true and fair view. (b) Uncorrected misstatements misstatements that the auditor has accumulated during the audit and that have not been corrected.
Paragraph #
This applies where sufcient appropriate audit evidence has been obtained but the auditor concludes that misstatements, individually or in the aggregate, are material (requiring a qualied opinion) or material and pervasive (requiring an adverse opinion) to the nancial report. This could result from: > The auditors evaluation of uncorrected misstatements > The appropriateness of the selected accounting policies > The application of the selected accounting policies, or > The appropriateness or adequacy of disclosures in the nancial report. Examples of material misstatements are set out below.
PART B
580
Exhibit 38.3-1
Inappropriate selection of accounting policies Evaluation = material but not pervasive Response = qualied opinion Framework = Australian Accounting Standards Independent auditors report [Appropriate addressee] We have audited Managements responsibility for the nancial report Management is responsible for Auditors responsibility Our responsibility is to Basis for qualied opinion As discussed in Note X to the nancial report, no depreciation has been provided in the nancial report, which practice, in our opinion, is not in accordance with AASB 116 Property, Plant and Equipment. The provision for the period ended 30 June 20X1, should be xxx based on the straight-line method of depreciation using annual rates of 5% for the building and 20% for the equipment. Accordingly, the property, plant and equipment should be reduced by accumulated depreciation of xxx and the loss for the period and accumulated decit should be increased by xxx and xxx, respectively. Qualied opinion In our opinion, except for the effects of the matter described in the Basis for Qualied Opinion paragraph, the nancial report presents fairly, in all material respects, (or gives a true and fair view of) the nancial position of ABC Company as at 30 June 20X1, and (of) its nancial performance and its cash ows for the period then ended in accordance with Australian Accounting Standards.
Practical guidance
581
Exhibit 38.3-2
Inadequate disclosure of a nancial instrument Evaluation = material but not pervasive Response = qualied opinion Framework = Australian Accounting Standards Independent auditors report [Appropriate addressee] We have audited ... Managements responsibility for the nancial report Management is responsible for Auditors responsibility Our responsibility is to Basis for qualied opinion On 15 July 20XX, the Company issued debentures in the amount of xxx for the purpose of nancing plant expansion. The debenture agreement restricts the payment of future cash dividends to earnings after 30 June 20XX. In our opinion, disclosure of this information is required by... Qualied opinion
PART B
In our opinion, except for the effects of the matter described in the Basis for Qualied Opinion paragraph, the nancial report presents fairly, in all material respects, (or gives a true and fair view of) the nancial position of ABC Company as at
582
Exhibit 38.3-3
Non-consolidation of a subsidiary Evaluation = material and pervasive Response = adverse opinion Framework = Australian Accounting Standards Independent auditors report [Appropriate addressee] We have audited ... Managements responsibility for the nancial report Management is responsible for Auditors responsibility Our responsibility is to Basis for adverse opinion As explained in Note X, the company has not consolidated the nancial report of subsidiary XYZ Company it acquired during 20X1 because it has not yet been able to ascertain the fair values of certain of the subsidiarys material assets and liabilities at the acquisition date. This investment is therefore accounted for on a cost basis. Under Australian Accounting Standards, the subsidiary should have been consolidated because it is controlled by the company. Had XYZ been consolidated, many elements in the accompanying nancial report would have been materially affected. The effects on the nancial report of the failure to consolidate have not been determined. Adverse opinion In our opinion, because of the signicance of the matter discussed in the Basis for Adverse Opinion paragraph, the consolidated nancial report does not present fairly (or does not give a true and fair view of) the nancial position of ABC Company and its subsidiaries as at December 31, 20X1, and (of) their nancial performance and cash ows for the period then ended in accordance with Australian Accounting Standards.
Practical guidance
583
Exhibit 38.3-4
Inadequate disclosure of material uncertainty Evaluation = material and pervasive Response = adverse opinion Framework = Australian Accounting Standards Independent auditors report [Appropriate addressee] We have audited ... Managements responsibility for the nancial report Management is responsible for Auditors responsibility Our responsibility is to Basis for adverse opinion The Companys nancing arrangements expired and the amount outstanding was payable on 30 June 20X1. The Company has been unable to renegotiate or obtain replacement nancing and is considering ling for bankruptcy. These events indicate a material uncertainty that may cast signicant doubt on the Companys ability to continue as a going concern and therefore it may be unable to realise its assets and discharge its liabilities in the normal course of business. The nancial report does not disclose this fact. Adverse opinion In our opinion, because of the omission of the information mentioned in the Basis for Adverse Opinion paragraph, the nancial report does not present fairly (or does not give a true and fair view of) the nancial position of the Company as at December 31, 20X1, and of its nancial performance and its cash ows for the period then ended in accordance with Australian Accounting Standards.
38.4
Inability to obtain sufcient appropriate audit evidence
This applies when the auditor is unable to obtain sufcient appropriate audit evidence on which to base the opinion and concludes that the possible effects on the nancial report of undetected misstatements, if any, could be material (qualied opinion) or material and pervasive (disclaimer of opinion). The auditors inability to obtain sufcient appropriate audit evidence (also referred to as a limitation on the scope of the audit) may arise from: > Circumstances beyond the control of the entity, such as when the entitys accounting records have been destroyed (such as through re, water, theft or computer data loss) or seized by a government authority > Circumstances relating to the nature or timing of the auditors work. This could occur where the auditors appointment is such that the auditor is unable to observe the counting of the physical inventories, the accounting records are not complete at the time of the audit, or where the auditor determines that performing substantive procedures alone is not sufcient but the entitys controls are not effective, or
PART B
584
> Limitations imposed by management, such as not allowing external conrmation of certain receivables or restricting access to key personnel, accounting records or operating locations. Where this occurs, there may be other audit implications such as the assessment of fraud risks and whether to continue with the engagement. If the limitation is known before the engagement is accepted, the auditor would ordinarily not accept such a limited engagement. Before concluding that a modied opinion is required, the auditor would attempt to obtain sufcient appropriate audit evidence by performing alternative procedures and discuss the matter with management and those charged with governance to determine if the issue can be resolved. If the matter cannot be resolved, the auditor would then communicate the intention to modify the audit opinion and the proposed wording.
Exhibit 38.4-1
Limitation on scope, unable to observe the counting of inventories Evaluation = material but not pervasive Response = qualied opinion Framework = Australian Accounting Standards Independent auditors report [Appropriate addressee] We have audited... Managements responsibility for the nancial report Management is responsible for Auditors responsibility Our responsibility is to Basis for qualied opinion We did not observe the counting of the physical inventories as of 30 June 20XX, since that date was prior to the time we were initially engaged as auditors for the Company. Owing to the nature of the Companys records, we were unable to satisfy ourselves as to physical inventory quantities by other audit procedures. Accordingly, we were unable to determine whether any adjustments might have been found necessary to the balances in the nancial report. Qualied opinion In our opinion, except for the possible effects of the matter described in the Basis for Qualied Opinion paragraph, the nancial report presents fairly, in all material respects, (or gives a true and fair view of) the nancial position of ABC Company as at
Practical guidance
585
Exhibit 38.4-2
Limitation on scope management, placed limitations on scope of audit work Evaluation = material and pervasive Response = disclaimer of opinion Framework = Australian Accounting Standards Independent auditors report [Appropriate addressee] We have audited ... Managements responsibility for the nancial report Management is responsible for Auditors responsibility Our responsibility is to express an opinion on the nancial report based on conducting the audit in accordance with Australian Auditing Standards. Because of the matter described in the Basis for Disclaimer of Opinion paragraph, however, we were not able to obtain sufcient appropriate audit evidence to provide a basis for an audit opinion. Basis for disclaimer of opinion We were not able to observe all physical inventories and conrm accounts receivable due to limitations placed on the scope of our work by the Company. We were unable to satisfy ourselves by alternative means concerning the inventory quantities and accounts receivable held at 30 June 20XX which are stated in the balance sheet at xxx and xxx respectively. As a result of these matters, we were unable to determine whether any adjustments might have been found necessary in respect of recorded or unrecorded inventories and accounts receivable, and the elements making up the statement of comprehensive income, statement of changes in equity and statement of cash ows balance. Disclaimer of opinion Because of the signicance of the matters described in the Basis for Disclaimer of Opinion paragraph, we have not been able to obtain sufcient appropriate audit evidence to provide a basis for an audit opinion. Accordingly, we do not express an opinion on the nancial report.
PART B
586
39.
Emphasis of Matter and Other Matter paragraphs

Relevant ASAs
Chapter content Guidance on additional communication in the auditors report to draw nancial report users attention to certain matters.
706
Activity
Purpose
Documentation 1
Reporting
yes
Exhibit 39.0-1
Paragraph # 706.4 ASA objective(s) The objective of the auditor, having formed an opinion on the nancial report, is to draw users attention, when in the auditors judgement it is necessary to do so, by way of clear additional communication in the auditors report, to: (a) A matter, although appropriately presented or disclosed in the nancial report, that is of such importance that it is fundamental to users understanding of the nancial report; or (b) As appropriate, any other matter that is relevant to users understanding of the audit, the auditors responsibilities or the auditors report.
Practical guidance
587
Paragraph # 706.5
Relevant extracts from ASAs For the purposes of the Australian Auditing Standards, the following terms have the meanings attributed below: (a) Emphasis of Matter paragraph means a paragraph included in the auditors report that refers to a matter appropriately presented or disclosed in the nancial report that, in the auditors judgement, is of such importance that it is fundamental to users understanding of the nancial report. (b) Other Matter paragraph means a paragraph included in the auditors report that refers to a matter other than those presented or disclosed in the nancial report that, in the auditors judgement, is relevant to users understanding of the audit, the auditors responsibilities or the auditors report.
706.6
If the auditor considers it necessary to draw users attention to a matter presented or disclosed in the nancial report that, in the auditors judgement, is of such importance that it is fundamental to users understanding of the nancial report, the auditor shall include an Emphasis of Matter paragraph in the auditors report provided the auditor has obtained sufcient appropriate audit evidence that the matter is not materially misstated in the nancial report. Such a paragraph shall refer only to information presented or discussed in the nancial report. (Ref: Para. A1-Aus A2.1) Aus 6.1 In addition to the requirements in paragraph 6 of this Auditing Standard, the auditor shall include an Emphasis of Matter paragraph in the auditors report where required by other Auditing Standards. (Ref: Appendix 1)
706.7
When the auditor includes an Emphasis of Matter paragraph in the auditors report, the auditor shall: (a) Include it immediately after the Opinion paragraph in the auditors report; (b) Use the heading Emphasis of Matter, or other appropriate heading; (c) Include in the paragraph a clear reference to the matter being emphasised and to where relevant disclosures that fully describe the matter can be found in the nancial report; and (d) Indicate that the auditors opinion is not modied in respect of the matter emphasised. (Ref: Para. A3-A4)
PART B
588
Relevant extracts from ASAs When the nancial report has been prepared in accordance with Australian Accounting Standards but additional disclosures have been made in the nancial report: > On the basis that, or which imply that, application of a particular Accounting Standard has resulted in the nancial report being potentially misleading or > That, in the opinion of those charged with governance, are necessary to present a true and fair view and > The auditor is of the opinion that: (a) It is likely, in the absence of the additional disclosures, that users would be misled when making evaluations or decisions about the allocation of scarce resources; and (b) The additional disclosures contain all, and only, relevant and reliable information, and are presented in such a manner as to ensure the nancial report as a whole is comparable and understandable in meeting the objectives of the nancial report, (c) The auditor shall include in the auditors report an Emphasis of Matter paragraph headed Application of Australian Accounting Standard AASB ... or an appropriate alternative which: (i) Draws attention to the additional disclosures; (ii) Where relevant, states that in the auditors opinion application of the particular Accounting Standard has, in this instance, resulted in the nancial report being potentially misleading; (iii) States the specic reasons why the auditor believes the additional disclosures are necessary to ensure the nancial report as a whole is not misleading (the auditors reasons are to be stated in the auditors report itself rather than only by reference to the reasons included in the nancial report); and (iv)States that, in the auditors opinion, the additional disclosures are relevant and reliable in meeting the objectives of the nancial report. (Ref: Para. Aus A4.1)
706.8
If the auditor considers it necessary to communicate a matter other than those that are presented or disclosed in the nancial report that, in the auditors judgement, is relevant to users understanding of the audit, the auditors responsibilities or the auditors report and this is not prohibited by law or regulation, the auditor shall do so in a paragraph in the auditors report, with the heading Other Matter, or other appropriate heading. The auditor shall include this paragraph immediately after the Opinion paragraph and any Emphasis of Matter paragraph, or elsewhere in the auditors report if the content of the Other Matter paragraph is relevant to the Other Reporting Responsibilities section. (Ref: Para. A5-A11) In addition to the requirements in paragraph 8 of this Auditing Standard, the auditor shall include an Other Matter paragraph in the auditors report where required by other Auditing Standards. (Ref: Appendix 2)
706 Aus 8.1
Practical guidance
589
Paragraph # 706.9
Relevant extracts from ASAs If the auditor expects to include an Emphasis of Matter or an Other Matter paragraph in the auditors report, the auditor shall communicate with those charged with governance regarding this expectation and the proposed wording of this paragraph. (Ref: Para. A12)
39.1
Overview
In certain situations, the auditor may want to draw the users attention to certain matters in the auditors report that are fundamental to the users understanding of the nancial report or of the audit itself and the auditors responsibilities. This can be achieved by adding an extra paragraph to the auditors report. The two types of paragraphs that can be added are outlined below.
Exhibit 39.1-1
Paragraph Emphasis of a matter Applicability Attention is drawn to important matters relating to the nancial report already disclosed in the nancial report. Matter(s) presented/disclosed in the nancial report that are of such importance that they are fundamental to users understanding of the nancial report. Examples A special purpose nancial report, uncertainty relating to exceptional litigation or regulatory action, subsequent events, a major catastrophe, other signicant uncertainties and inconsistencies and early application (where permitted) of a new Accounting Standard. Matters relevant to users understanding of the audit function but not disclosed in the nancial report Any matter(s) (other than those presented or disclosed in the nancial report) that are relevant to the users understanding of the audit, the auditors responsibilities and/or the auditors report. Examples Inability of the auditor to withdraw from the engagement, additional responsibilities of the auditor and any restrictions on the distribution of the auditors report.
Other matters
An Emphasis of Matter paragraph is not a substitute for: > Modifying the audit opinion when required, or > Management making required disclosures in the nancial report When the auditor expects to include an Emphasis of Matter or an Other Matter paragraph, the auditor would communicate with management and those charged with governance on: > The need for the paragraph, and > The proposed wording.
PART B
590
39.2
Emphasis of Matter paragraph
An Emphasis of Matter paragraph is intended to highlight important matters (already disclosed in the nancial report) that will enhance the users understanding of the nancial report. The key requirements for using an Emphasis of Matter paragraph are set out below.
Exhibit 39.2-1
Conditions Matter is already fully disclosed in the nancial report No material misstatement exists Placed immediately after the audit opinion Is not a modication to opinion Comments The Emphasis of Matter paragraph refers to matters already presented or disclosed in the nancial report and is not a substitute for such disclosure. The paragraph would not include more detail than is already presented in the nancial report. The auditor has to obtain sufcient appropriate audit evidence that the matter is not materially misstated in the nancial report. The paragraph follows the auditors opinion paragraph but comes before the section on any other reporting responsibilities. The paragraph is headed Emphasis of Matter or other appropriate heading. The paragraph indicates that the auditors opinion is not modied in respect of the matter emphasised.
The following ASAs require the auditor, under specied circumstances, to include an Emphasis of Matter paragraph in the auditors report.
Exhibit 39.2-2
ASA 210 560 570 800 Title Agreeing the Terms of Audit Engagements Subsequent Events Going Concern Special Considerations Audits of Financial Reports Prepared in Accordance with Special Purpose Frameworks Paragraph 19 (b) 12 (b), 16 19 14
Sample wording is set out in the following exhibit.
Practical guidance
591
Exhibit 39.2-3
Material uncertainty going concern Assuming the adequacy of the note disclosure in the nancial report, the wording of the paragraph could be as follows: Emphasis of matter Without qualifying our opinion, we draw attention to Note X in the nancial report which indicates that the Company incurred a net loss of ZZZ during the year ended 30 June 20X1 and, as of that date, the Companys current liabilities exceeded its total assets by YYY. These conditions, along with other matters as set forth in Note X, indicate the existence of a material uncertainty, which may cast signicant doubt about the Companys ability to continue as a going concern, and therefore may be unable to realise its assets and discharge its liabilities in the normal course of business. Other signicant uncertainties a lawsuit Assuming the adequacy of the note disclosure in the nancial report, the wording of the paragraph could be as follows: Emphasis of matter Without qualifying our opinion, we draw attention to Note X to the nancial report. The Company is the defendant in a lawsuit alleging infringement of certain patent rights and claiming royalties and punitive damages. The Company has led a counter action and preliminary hearings and discovery proceedings on both actions are in progress. The outcome of the matter cannot presently be determined and no provision for any liability that may result has been made in the nancial report. Special purpose nancial report Assuming the adequacy of the note disclosure in the nancial report, the wording of the paragraph could be as follows: Basis of accounting Without modifying our opinion, we draw attention to Note X to the nancial report, which describes the basis of accounting. The nancial report has been prepared for the purpose of fullling the directors nancial reporting responsibilities under the Corporations Act 2001. As a result, the nancial report may not be suitable for another purpose.
39.3
Other Matter paragraph
An Other Matter paragraph may be necessary to highlight matters not already disclosed in the nancial report that would be relevant to the users understanding of the audit, the auditors responsibilities and/or the auditors report. Other Matter paragraphs can be used to highlight matters such as: > Restriction on distribution of the auditors report since a nancial report (using a general purpose framework) is sometimes prepared for a specic purpose, an Other Matter paragraph could state that the auditors report is intended solely for the intended users and should not be distributed to or used by other parties
PART B
592
> Highlight additional responsibilities specic law or regulation may require or permit the auditor to elaborate on the auditors responsibilities, and > Inability to withdraw from the engagement if the auditor is unable to withdraw or resign, an Other Matter paragraph could explain why it is not possible.
Exhibit 39.3-1
Conditions Matter is not already disclosed in the nancial report Disclosure is not prohibited Disclosure relevant to users No contradictions Comments Refers to a matter other than those already presented or disclosed in the nancial report. In addition, an Other Matter paragraph would not include information required to be provided by management. The disclosure would not be prohibited by law, regulation or other professional standards such as standards relating to condentiality of information. The disclosure is relevant to the nancial report users understanding of the audit, the auditors responsibilities or the auditors report. The information presented would not contradict the opinion or items disclosed or presented in the nancial report. The Other Matter paragraph does not affect the auditors opinion. The paragraph would immediately follow after the Opinion paragraph and any Emphasis of Matter paragraph, or elsewhere in the auditors report if the content of the Other Matter paragraph is relevant to the Other Reporting Responsibilities section. The content of an Other Matter paragraph would indicate the matter is not required to be presented and disclosed in the nancial report.
Placed immediately after the audit opinion State that such disclosure not required
The following ASAs refer to situations where an Other Matter paragraph may be included.
Exhibit 39.3-2
ASA 560 710 Title Subsequent Events Comparative Information Corresponding Figures and Comparative Financial Reports Paragraph 12 (b), 16 13-14, 16-17, 19
Practical guidance
593
40.
Comparative information
Relevant ASA
Chapter content Guidance on obtaining sufcient appropriate audit evidence on comparative information and the auditors reporting responsibilities.
710
Exhibit 40.0-1
Activity
Purpose
Documentation1
Reporting
yes
Paragraph # 710.5
ASA objective(s) The objectives of the auditor are: (a) To obtain sufcient appropriate audit evidence about whether the comparative information included in the nancial report has been presented, in all material respects, in accordance with the requirements for comparative information in the applicable nancial reporting framework; and (b) To report in accordance with the auditors reporting responsibilities.
PART B
594
Paragraph # 710.6
Relevant extracts from ASAs For the purposes of the Australian Auditing Standards, the following terms have the meanings attributed below: (a) Comparative information means the amounts and disclosures included in the nancial report in respect of one or more prior periods in accordance with the applicable nancial reporting framework. (b) Corresponding gures means comparative information where amounts and other disclosures for the prior period are included as an integral part of the current period nancial report, and are intended to be read only in relation to the amounts and other disclosures relating to the current period (referred to as current period gures). The level of detail presented in the corresponding amounts and disclosures is dictated primarily by its relevance to the current period gures. (c) Comparative nancial reports means comparative information where amounts and other disclosures for the prior period are included for comparison with the nancial report of the current period but, if audited, are referred to in the auditors opinion. The level of information included in those comparative nancial reports is comparable with that of the nancial report of the current period. Aus 6.1 In accordance with the applicable nancial reporting framework of the Corporations Act 2001 and Australian Accounting Standards, comparative information refers to corresponding gures.
For purposes of this Auditing Standard, references to prior period should be read as prior periods when the comparative information includes amounts and disclosures for more than one period. 710.7 The auditor shall determine whether the nancial report includes the comparative information required by the applicable nancial reporting framework and whether such information is appropriately classied. For this purpose, the auditor shall evaluate whether: (a) The comparative information agrees with the amounts and other disclosures presented in the prior period or, when appropriate, have been restated; and (b) The accounting policies reected in the comparative information are consistent with those applied in the current period or, if there have been changes in accounting policies, whether those changes have been properly accounted for and adequately presented and disclosed. 710.8 If the auditor becomes aware of a possible material misstatement in the comparative information while performing the current period audit, the auditor shall perform such additional audit procedures as are necessary in the circumstances to obtain sufcient appropriate audit evidence to determine whether a material misstatement exists. If the auditor had audited the prior periods nancial report, the auditor shall also follow the relevant requirements of ASA 560. If the prior period nancial report is amended, the auditor shall determine that the comparative information agrees with the amended nancial report. As required by ASA 580, the auditor shall request written representations for all periods referred to in the auditors opinion. The auditor shall also obtain a specic written representation regarding any restatement made to correct a material misstatement in the prior period nancial report that affect the comparative information. (Ref: Para. A1)
710.9
Practical guidance
595
Paragraph # 710.10
Relevant extracts from ASAs When corresponding gures are presented, the auditors opinion shall not refer to the corresponding gures except in the circumstances described in paragraphs 11, 12, and 14 of this Auditing Standard. (Ref: Para. A2) If the auditors report on the prior period, as previously issued, included a qualied opinion, a disclaimer of opinion, or an adverse opinion and the matter which gave rise to the modication is unresolved, the auditor shall modify the auditors opinion on the current periods nancial report. In the Basis for Modication paragraph in the auditors report, the auditor shall either: (a) Refer to both the current periods gures and the corresponding gures in the description of the matter giving rise to the modication when the effects or possible effects of the matter on the current periods gures are material; or (b) In other cases, explain that the audit opinion has been modied because of the effects or possible effects of the unresolved matter on the comparability of the current periods gures and the corresponding gures. (Ref: Para. A3-A5)
710.11
710.12
If the auditor obtains audit evidence that a material misstatement exists in the prior period nancial report on which an unmodied opinion has been previously issued, and the corresponding gures have not been properly restated or appropriate disclosures have not been made, the auditor shall express a qualied opinion or an adverse opinion in the auditors report on the current period nancial report, modied with respect to the corresponding gures included therein. (Ref: Para. A6) If the nancial report of the prior period was audited by a predecessor auditor and the auditor is not prohibited by law or regulation from referring to the predecessor auditors report on the corresponding gures and decides to do so, the auditor shall state in an Other Matter paragraph in the auditors report: (a) That the nancial report of the prior period was audited by the predecessor auditor; (b) The type of opinion expressed by the predecessor auditor and, if the opinion was modied, the reasons therefore; and (c) The date of that report. (Ref: Para. A7-Aus A7.1)
710.13
710.14
If the prior period nancial report was not audited, the auditor shall state in an Other Matter paragraph in the auditors report that the corresponding gures are unaudited. Such a statement does not, however, relieve the auditor of the requirement to obtain sufcient appropriate audit evidence that the opening balances do not contain misstatements that materially affect the current periods nancial report. When comparative nancial reports are presented, the auditors opinion shall refer to each period for which a nancial report is presented and on which an audit opinion is expressed. (Ref: Para. Aus A7.2-A9) When reporting on prior period nancial report in connection with the current periods audit, if the auditors opinion on such prior period nancial report differs from the opinion the auditor previously expressed, the auditor shall disclose the substantive reasons for the different opinion in an Other Matter paragraph in accordance with ASA 706. (Ref: Para. Aus A7.2-A10)
710.15
710.16
PART B
596
Paragraph # 710.17
Relevant extracts from ASAs If the nancial report of the prior period was audited by a predecessor auditor, in addition to expressing an opinion on the current periods nancial report, the auditor shall state in an Other Matter paragraph: (a) That the nancial report of the prior period was audited by a predecessor auditor; (b) The type of opinion expressed by the predecessor auditor and, if the opinion was modied, the reasons therefore; and (c) The date of that report, unless the predecessor auditors report on the prior periods nancial report is reissued with the nancial report. (Ref: Para Aus A7.2)
710.18
If the auditor concludes that a material misstatement exists that affects the prior period nancial report on which the predecessor auditor had previously reported without modication, the auditor shall communicate the misstatement with the appropriate level of management and, unless all of those charged with governance are involved in managing the entity, those charged with governance and request that the predecessor auditor be informed. If the prior period nancial report is amended, and the predecessor auditor agrees to issue a new auditors report on the amended nancial report of the prior period, the auditor shall report only on the current period. (Ref: Para. A11) If the prior period nancial report was not audited, the auditor shall state in an Other Matter paragraph that the comparative nancial report is unaudited. Such a statement does not, however, relieve the auditor of the requirement to obtain sufcient appropriate audit evidence that the opening balances do not contain misstatements that materially affect the current periods nancial report.
710.19
40.1
Overview
The nature of comparative information presented in an entitys nancial report will depend on the requirements of the applicable nancial reporting framework. The auditors reporting responsibilities will be based on the adopted approach to the comparative information presented as established by law, regulation and by the terms of the engagement. There are two broad approaches taken with respect to comparative information. These are illustrated below.
Exhibit 40.1-1
Approach Corresponding gures Comments Amounts and other disclosures for the prior period are included as an integral part of the current period nancial report, and are intended to be read only in relation to the amounts and other disclosures relating to the current period. The auditors opinion would refer to the current period only.
Practical guidance
597
Approach Comparative nancial report
Comments Amounts and other disclosures for the prior period are included for comparison with the nancial report of the current period but, if audited, are referred to separately in the auditors opinion. The level of information included in the comparative nancial report is comparable with that of the nancial report of the current period. The auditors opinion would refer to each period for which nancial report are presented.
40.2
Audit procedures
Exhibit 40.2-1
Task Obtain necessary audit evidence Procedures Obtain sufcient appropriate audit evidence that the comparative information meets the requirements of the applicable nancial reporting framework and whether such information is appropriately classied. This involves evaluating whether: > Accounting policies reected in the comparative information are consistent with those applied in the current period or, if there have been changes in accounting policies, whether those changes have been properly accounted for and adequately presented, and > Comparative information agrees with the amounts and other disclosures presented in the prior period or, when appropriate, have been restated. Any potential misstatements? If possible, material misstatement in the comparative information is identied while performing the current period audit, and the auditor would: > Perform such additional audit procedures as are necessary in the circumstances to determine whether a material misstatement exists, and > Where the prior period nancial report is amended, determine that the comparative information agrees with the amended nancial report. If the auditor had audited the prior periods nancial report, the auditor would also address the relevant requirements of ASA 560 on subsequent events. These are discussed in Part A, Chapter 11. Obtain written representations Request written representations for all periods referred to in the auditors opinion. This would include specic written representation regarding any restatement made to correct a material misstatement in the prior period nancial report.
PART B
598
40.3
Corresponding gures
The reporting responsibilities are set out below.
Exhibit 40.3-1
Procedures No reference made to comparatives in auditors opinion The auditors opinion would not refer to the corresponding gures except when the auditors report on the prior period included an unresolved modication. The auditor would modify the current periods opinion by: > Referring to both the current periods gures and the corresponding gures when the effects or possible effects of the matter on the current periods gures are material, or > Explaining that the current audit opinion has been modied because of the effects or possible effects of the unresolved matter on the comparability of the current periods gures and the corresponding gures. Any re-statements required? A qualied or adverse opinion on the current period nancial report is required where a material misstatement exists in the prior period nancial report on which: > An unmodied opinion has been previously issued, and > The corresponding gures have not been properly restated or appropriate disclosures have not been made. Prior period gures audited by another rm If the auditor is not prohibited by law/regulation from referring to the predecessor auditors report and decides to make such a reference, the auditor would state in an Other Matter paragraph in the auditors report: > That the nancial report of the prior period were audited by the predecessor auditor > The type of opinion expressed by the predecessor auditor and, if the opinion was modied, the reasons therefore, and > The date of that report. Prior period gures not audited State in an Other Matter paragraph in the auditors report that the corresponding gures are unaudited. However, this does not relieve the auditor of the requirement to obtain sufcient appropriate audit evidence that the opening balances do not contain material misstatements that affect the current periods nancial report. If a material misstatement is identied, the corresponding gures would require restating and appropriate disclosures made. If such a restatement or disclosure is not possible, the audit opinion would be modied in respect of any corresponding gures included.
599
40.4
Comparative nancial report
The reporting responsibilities are set out below.
Exhibit 40.4-1
Procedures Any changes required in previous opinion provided? Prior period gures audited by another rm If the auditors opinion on a prior period nancial report differs from the opinion previously expressed, disclose the substantive reasons for the different opinion in an Other Matter paragraph. In addition to expressing an opinion on the current periods nancial report, state in an Other Matter paragraph (unless the predecessor auditors report is reissued with the nancial report): > That the nancial report of the prior period were audited by a predecessor auditor > The type of opinion expressed by the predecessor auditor and, if the opinion was modied, the reasons therefor, and > The date of that report. Any restatements required in the comparative nancial report? If a material misstatement exists that affects the prior periods nancial report on which the predecessor auditor had previously reported without modication: > Communicate the misstatement with the appropriate level of management and those charged with governance, and > Request that the predecessor auditor be informed. If the prior periods nancial report are amended and the predecessor auditor agrees to issue a new auditors report on the amended nancial report of the prior period, the auditor would report only on the current period. Prior period gures not audited State in an Other Matter paragraph in the auditors report that the corresponding gures are unaudited. However, this does not relieve the auditor of the requirement to obtain sufcient appropriate audit evidence that the opening balances do not contain material misstatements that affect the current periods nancial report. If a material misstatement is identied, the corresponding gures would require restating and appropriate disclosures made. If such a restatement or disclosure is not possible, the audit opinion would be modied with respect to any corresponding gures included.
600
Notes:
601
Notes:
602
Notes:
603
Notes:
604
Notes:
Get a clear view on quality

Leading the way in Quality Audit Training The Institute of Chartered Accountants in Australia
Designed to help practitioners with implementing the Clarity Audit Standards, the Institute has developed and delivered a range of exible training solutions; with over 50 face-to-face workshops, 20 online sessions and onsite training around Australia, you can choose what suits you and your rm. With 41 new and revised Audit Clarity Standards (applicable for reporting periods commencing 1 January 2010), rms can update their audit procedures with practical workshops held by the Institute, assisting you in understanding how to apply the Clarity Auditing Standards on smaller sized audit engagements. Training provided will also guide practitioners in addressing the quality requirements of ASQC1 as well as the Accounting Professional & Ethical Standards (APES). To maintain our high standards, all audit training is developed in conjunction with the Institutes Head of Audit, Andrew Stringer, the Quality Review Team, and the Institutes Audit Advisory Committee. Member needs and feedback are used to develop training courses that are most effective for our audit practitioners. Extend your knowledge in auditing with the best in the eld. For more information or to register for audit training visit: charteredaccountants.com.au/training
charteredaccountants.com.au
0209-15

Audit Manual

Uploaded by

Document Information

Original Description:

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Audit Manual

Uploaded by

Copyright:

Available Formats

Australian Audit Manual and Toolkit 2010, Using Clarity Standards

For Small and Medium Sized Entities

Australian Audit Manual and Toolkit 2010, Using Clarity Standards

Request for comment

Australian Audit Manual and Toolkit 2010, Using Clarity Standards

Australian Audit Manual and Toolkit 2010, Using Clarity Standards

Australian Audit Manual and Toolkit 2010, Using Clarity Standards

Australian Audit Manual and Toolkit 2010, Using Clarity Standards

Australian Audit Manual and Toolkit 2010, Using Clarity Standards

Australian Audit Manual and Toolkit 2010, Using Clarity Standards

How to use the Manual

Australian Audit Manual and Toolkit 2010, Using Clarity Standards

Content and organisation

How to use the Manual

Australian Audit Manual and Toolkit 2010, Using Clarity Standards

How to use the Manual

Those charged with governance

Australian Audit Manual and Toolkit 2010, Using Clarity Standards

Small- and medium-sized accounting practices/rms (SMP)

Acronyms used in the Manual

IFAC IFRS Institute ISAs IT R&D RAPs

How to use the Manual

RMM SME SMP TCWG TOC

Australian Audit Manual and Toolkit 2010, Using Clarity Standards

Structure of claried standards

ASA element Objectives

Application and other explanatory material

Conformity with International Standards on Auditing

Australian Audit Manual and Toolkit 2010, Using Clarity Standards

ASA index and cross-references

Framework for assurance engagements

Audits and reviews of historical financial information

Assurance engagements other than audits or reviews of historical financial information

Australian Auditing Standards ASA 100-800* ASA 805 ASA 810

Standards on Assurance Engagements ASAE 3000- 3500

Guidance Statements, other guidance AUASB Bulletins

* Made under section 336 of the Corporations Act 2001.

ASA 101 ASA 102 ASA 200

ASA 210 ASA 220 ASA 230 ASA 240

Part B, 19 Part A, 14 Part B 19, 36 Part A, 2, 14 Part B, 33

ASA 250 ASA 260 ASA 265 ASA 300

Australian Audit Manual and Toolkit 2010, Using Clarity Standards

Australian Audit Manual and Toolkit 2010, Using Clarity Standards

Chapter Part B, 33 Part B, 34 Part B, 36 Part B, 37 Part B, 38 Part B, 39 Part B, 40

The audit process

Volume 1 Core Concepts

Plan the audit

Develop an overall audit strategy and audit plan2

Materiality Audit team discussions Overall audit strategy

Perform risk assessment procedures

Identify/assess RMM3 through understanding the entity

Business and fraud risks including significant risks

Design overall responses and further audit procedures

Develop appropriate responses to the assessed RMM3

Implement responses to assessed RMM3

Reduce audit risk to an acceptably low level

Work performed Audit findings Staff supervision Working paper review

Evaluate the audit evidence obtained

Determine what additional audit work (if any) is required

Is additional work required?

The risk-based audit overview

Perform risk assessment procedures

Perform further audit procedures