1

AA - Audit and Assurance

Contents

Laws and Regulations ............................................................................................................. 2

REGULATORY BODY ............................................................................................................ 2

REQUIREMENT OF EXTERNAL AUDIT .................................................................................. 2

THE RIGHTS AND DUTIES OF THE AUDITOR ....................................................................... 3

APPOINTMENT AND REMOVAL OF THE AUDITOR ............................................................. 4

Fraud ...................................................................................................................................... 5

AUDITOR'S RESPONSIBILITIES ............................................................................................. 5

FRAUD ................................................................................................................................. 6

The Planning Process .............................................................................................................. 7

THE PURPOSE OF THE PLAN ............................................................................................... 7

IDENTIFYING AUDIT RISKS .................................................................................................. 7

AUDIT STRATEGY ................................................................................................................ 8

MATERIALITY AND PERFORMANCE MATERIALITY ............................................................. 8

Audit Documentation ........................................................................................................... 10

AUDIT DOCUMENTATION ................................................................................................. 10

CURRENT AUDIT FILE ........................................................................................................ 11

ACCESS TO WORKING PAPERS .......................................................................................... 12

Quality Control (ISA 220) ...................................................................................................... 13

1. The H is for HUMAN RESOURCES: ................................................................................ 13

2. The E is for ETHICAL REQUIREMENTS: .......................................................................... 13

3. The A is for ACCEPTANCE AND CONTINUANCE OF CLIENTS: ....................................... 14

4. The R is for RESPONSIBILITIES OF LEADERSHIP: ........................................................... 14

5. The M is for MONITORING: .......................................................................................... 14

6. Finally, E is for ENGAGEMENT PERFORMANCE: ........................................................... 15

2

Laws and Regulations

REGULATORY BODY

External auditors must follow strict guidance to ensure their work is of the correct standard.

This includes:

– The code of ethics which is guidance on behaviour of the auditor;

– Auditing standards that must be followed; and

– Corporate law specific to where they are based and where the client operates.

The IFAC, International Federation of Accountants, is a global supervisory body.

The IAASB, International Auditing and Assurance Standards Board, is the group that looks

after the external auditor. They have 2 key outputs:

1. The development of international standards on auditing, or ISAs (currently 36); and

2. International standard on quality control, or ISQC (only 1).

ISAs are published in a book, regularly reviewed and periodically updated by the IAASB.

Each ISA gives the auditor specific guidance on elements of the audit process. For a new ISA

to be developed, there is a lengthy process, which includes:

– A debate within the IAASB on the issue;

– An issue of an exposure draft, which is a draft of the standard;

– Comments from external parties are taken on board and approval from the IAASB is

sought; and

– The new or adapted ISA is published.

Note: Many countries may have created their own version of auditing standards and choose

not to follow the international ones. This is permitted as the IFAC has no legal standing in

each country.

REQUIREMENT OF EXTERNAL AUDIT

Who needs an audit?

1. Registered companies are required to have an external audit.

2. In UK law there is an exemption which allows small companies (companies with

revenue not more than £6.5 million) to not appoint external auditors, but they can

still have an external audit if they wish.

3

Who is allowed to form an independent opinion?

– The practitioners (those responsible for the audit and decisions made on it) are

required to be a member of a recognised supervisory body or RSB (ACCA and ICAEW),

and be allowed to be a practitioner by their rules.

– Once a member, they are allowed to form an opinion on financial statements and sign

audit reports.

THE RIGHTS AND DUTIES OF THE AUDITOR

The key rights of an auditor are:

1. They must be allowed access to all relevant company books and records;

2. They must be given all information and explanations necessary to complete their

audit;

3. They must be allowed to attend any general meetings between the management

and the shareholders, including the AGM;

4. They are allowed to be heard at such meetings; and

5. They must be given copies of any written resolutions of the company.

The auditor's duties are:

1. To audit the financial statements and form an independent opinion on them, stating

whether or not they are true and fair;

2. To report on any specific legal requirements relevant to the company being audited;

and

3. To ensure they follow auditing standards and their ethical code while carrying out

the audit.

4

APPOINTMENT AND REMOVAL OF THE AUDITOR

Auditors are generally appointed by the shareholders. However there are some exceptions

to this rule:

If it is the first year that the audit has been required, or if it is the first year the

company has been set up, the directors are allowed to appoint the auditors initially.

If neither the directors or shareholders have appointed the auditors, and deadlines

for submission of an audit report have passed, then the government would usually

step in.

There are two main situations where auditors would no longer act for a company:

1. They are no longer able to act for the company and resign as auditors. Auditors issue

a statement of circumstances which gives the reasons for the resignation, and would

then be available to assist with a handover to the next audit firm appointed; or

2. They are sacked or removed.

Notes:

– The shareholders are responsible for removing the auditors;

– Notice is given to both the directors and auditors;

– If auditors feel the decision is unjust, they have the right to send a response to all

parties explaining why they should not be removed.

5

Fraud

AUDITOR'S RESPONSIBILITIES

ISA 240 Auditor’s responsibilities relating to fraud: The auditors have a duty to identify and

communicate any evidence found that fraud is present.

Auditor’s responsibility: To obtain reasonable assurance that the financial statements as a

whole are free from material misstatements, whether they arise from fraud or error.

Note: The key difference between fraud and error is whether the misstatement was

intentional or not.

The primary responsibility towards fraud (remains with directors) is to ensure that fraud is

not present in the financial statements and the company as a whole.

The secondary responsibility towards fraud (auditor’s responsibility) is to identify

misstatements during the audit process and assess whether they are as a result of fraud or

error.

In order to maintain responsibility, the auditor must:

– Maintain professional scepticism throughout the audit process;

– Assess any audit risks that could lead to fraud;

– Generally assess the risk of material misstatements for the entity;

– Review how management react and manage fraud;

– Talk to management to see if they are aware of any instances of fraud; and

– Gather sufficient appropriate evidence from audit procedures designed to assess the

risk of fraud.

6

FRAUD

Fraud is criminal activity. There are two types of fraud:

1. Fraudulent financial reporting; and

2. Misappropriation of assets.

A high risk of fraud requires:

1. Planning of appropriate procedures to ensure auditors are in the best position to

detect fraud;

2. Ensuring that more experienced audit staff is available for the audit team;

3. Changing audit procedures from what auditors would normally do, as being less

predictable could catch out anyone trying to conceal fraud;

4. Focusing on balances containing estimates from management as this would be a

popular area to manipulate figures; and

5. Focusing on the transactions posted around the year end, as cut-off errors are often

an intentional way of increasing or reducing balances.

If fraud is found by the auditor, the following steps must be followed:

1. Report it to those responsible for the audit team, for example, the audit manager

and audit partner;

2. They should then consider the evidence obtained and report this to the highest level

of management at the client;

3. If the auditor is suspicious that the management are involved, they should seek legal

advice and consider whether they should report externally;

4. Caution should be taken when reporting externally as the auditor has a duty to

maintain confidentiality;

5. If the fraud detected is material to the users of the financial information, then the

auditor would need to modify the audit report to make the shareholders aware of

the issue.

7

The Planning Process

THE PURPOSE OF THE PLAN

ISA 300: The objective of planning the audit is to ensure it is performed in an effective

manner. There are some key reasons why a plan is important for an audit:

– It will ensure the auditor can give enough attention to more problematic areas;

– It gives auditors time to assess the risks associated with the audit before they start the

audit work;

– They are able to plan appropriate audit procedures in relation to these risks;

– They can select the right level of experience needed on the audit team; and

– They can consider the need for experts and assistance from internal auditors which can

then be planned properly.

IDENTIFYING AUDIT RISKS

The audit plan begins with identifying potential audit risks. An audit risk is the risk of the

auditor providing an inappropriate opinion, for example, reporting that the financial

statements are true and fair when they are not. The auditor must assess risks using the

audit risk model:

AR = IR x CR x DR, where

IR = Inherent risk - the risk of material misstatement due to the nature of the entity;

CR = Control risk - the risk of material misstatement due to poor controls; and

DR = Detection risk - the risk of material misstatement due to the auditor not spotting

errors.

There are two main pieces of work that assist auditors in identifying these risks:

1. Analytical procedures: These are comparisons of financial and non-financial data to help

the auditor understand material changes in the financial statements. With the use of ratios,

auditors can identify changes in balances which may then need to be investigated when

carrying out their audit procedures later on.

2. Understanding the entity and its environment: This is an important procedure because if

the auditor lacks a fundamental understanding of what the client does, there is a real risk

they may make poor decisions and issue an inappropriate opinion.

8

AUDIT STRATEGY

The audit strategy is produced to identify the overall plan for the audit. We can separate the

audit strategy into three components:

1. The scope: specific details relating to the audit for the client (inventory locations,

reporting systems, etc.);

2. The timing: Considers when areas of the audit process should be completed. The

audit may need to include an interim and a final audit; and

3. The overall direction of the audit: The auditor decides what style of procedures are

required and the volume of work needed. The auditor will be able to determine

whether control systems look reliable and decide whether direction will be controls

based (the level of substantive work can be reduced), or procedural (more detailed

audit testing, larger sample sizes, skilled staff and more time needed).

MATERIALITY AND PERFORMANCE MATERIALITY

At the planning stage, the auditor must decide what a material misstatement is, which

means that it can influence the users of the financial information. An item can be material

by:

1. Its size: If that is the case, the auditor would request that the client correct this in the

financial statements. If they don’t, the auditor would conclude that the financial statements

are not true and fair. The guidelines on materiality state that an item is material if it is

above:

a. 5-10% of profit;

b. 1/2 - 1% of revenue; or

c. 1-2% of total assets.

2. Its nature: A prime example is directors' transactions which must be transparent to the

users.

The auditor must also consider and set performance materiality. If any misstatements

identified while performing audit procedures are above performance materiality, they are

recorded and presented in the summary of unadjusted errors. The auditor would then

request the client to adjust these errors in the financial statements.

9

WRITTEN AUDIT PLAN

The audit planning document is a detailed document that proves whether the auditor has

planned the audit properly and includes all information needed to then carry out the rest of

the audit process. The planning document should include the following:

– Assessment of materiality and performance materiality;

– Details from the analytical review performed at the planning stage;

– Key audit risks;

– Background information regarding the client in understanding the entity;

– Any specific laws and regulations;

– Staff booked for the audit team and budgets set;

– The overall audit strategy; and

– Deadlines set to ensure the audit process is completed on time.

10

Audit Documentation

AUDIT DOCUMENTATION

ISA 230: The auditors must ensure they have written documentation that:

– Proves that the audit was planned and performed in accordance with auditing

standards;

– Helps the audit team plan and perform the audit;

– Helps more senior members of the audit team direct and supervise, as well as review

the work completed;

– Is a sufficient appropriate record of audit work completed to assist in forming the audit

opinion;

– Assists future audits; and

– Enables the audit team to prove they did the work.

For every client, the audit firm will keep files to organise documentation. There will be:

1. Current audit file: Stores all relevant evidence and documentation relating to the current

audit:

a. It should be completed in a timely manner;

b. Files must be retained by the audit firm for a minimum of 5 years; and

c. It enables the auditor to prove what they did (e.g., in case of legal action).

2. Permanent audit file: Stores all client-related documentation that would be useful for

current and future audits (previous years' financial statements, client organisation structure,

key personnel, contact details, etc.).

3. Correspondence: Evidence that proves that communication between the auditor and the

client is effective (may be electronic or physical).

11

CURRENT AUDIT FILE

The current audit file has three main sections:

1. The planning section: Includes all considerations made during the planning stage;

– Assessment of materiality and performance materiality;

– Details from the analytical review performed at the planning stage;

– Key audit risks;

– Background information regarding the client in understanding the entity;

– Any specific laws and regulations;

– Staff booked for the audit team and budgets set;

– The overall audit strategy; and

– Deadlines set to ensure the audit process is completed on time.

2. Audit performance:

Note: The audit performance section will include all documentation and evidence collected

that relates to the audit procedures carried out on the systems, transactions, balances and

disclosures relating to the financial statements. Without this work the auditor cannot form

an opinion on the financial statements.

For every test carried out, the auditor needs to prepare something called working papers.

The working papers will usually include:

i. Lead schedule: The first document for each balance that will show the total balance,

which will agree with the balance shown in the financial statements;

ii. Backup schedules: Individual schedules for each sub balance which makes up the total

balance in the financial statements;

iii. Audit programmes: Detailed documents which explain the audit procedures carried

out on the balance. Each audit programme must show the following:

– Objective of the test;

– Description of the audit work;

– How the sample was chosen to test;

– Outcome or conclusion from the work;

12

– Who did the work;

– Date it was completed; and

– Who reviewed the work at the completion stage.

3. Completion: The section where the final review is carried out and post year end audit

procedures are carried out. The key areas of the completion stage are:

– Final analytical procedures;

– Disclosure checklist for accounting standards;

– Summary of unadjusted errors;

– Record of adjustments made since the trial balance was produced;

– The subsequent event review;

– The going concern review;

– Written representations;

– Draft financial statements; and

– Draft management letter or report to those charged with governance.

ACCESS TO WORKING PAPERS

The audit file and all of the working papers produced by the audit team belong to the

auditor. Access to the working papers is only permitted if authorisation is given by the

auditor. The reasons for this are:

– The working papers will contain sensitive information about the client;

– If any of the work is lost or stolen, it would need to be recreated in order to form an

opinion; and

– There is a risk of evidence being tampered with.

13

Quality Control (ISA 220)

The topic of Quality Control directly relates to the auditing standard, ISA220 – Quality

Control for an Audit of Financial Statements. This auditing standard focuses on the audit

firm’s own quality control procedures.

Overall objective and importance of quality control:

The standard states that the objective of the auditor is to implement quality control

procedures at the

engagement level that provide the auditor with reasonable assurance that:

(a) The audit complies with professional standards and applicable legal and regulatory

requirements; and

(b) The auditor’s report issued is appropriate in the circumstances.

For this to happen, the standard gives a recommended set of policies and procedures that

should be carried out.

To help remember the key policies and procedures from the standard, you could use ‘HEAR

ME’.

1. The H is for HUMAN RESOURCES:

The audit firm, and in particular, the engagement partner who is responsible for the client,

should ensure that their audit team is capable.

– They should assess the competence of the team members to ensure that the audit is

performed at an appropriate standard.

– They should ensure that the audit team has sound knowledge of the client being

audited, and therefore understands the entity and its environment.

– However, they must also ensure the technical skills within the audit team are enough to

reach appropriate conclusions.

2. The E is for ETHICAL REQUIREMENTS:

Quite simply, the audit firm must ensure that they comply with the ACCA code of ethics.

– They must ensure the fundamental principles are followed, and;

– That they manage any ethical threats, conflicts of interest or other risks appropriately.

14

3. The A is for ACCEPTANCE AND CONTINUANCE OF CLIENTS:

The audit firm must consider whether they should accept every engagement.

– Once they have accepted the client engagement, they must then review every year to

ensure the entity should continue to be their client.

– The key issue is that the audit firm must only accept clients with an acceptable level of

risk.

4. The R is for RESPONSIBILITIES OF LEADERSHIP:

– The engagement partner must take overall responsibility for the audit team and the

audit process.

– This means they must also ensure the quality control procedures within the audit firm

are of a high standard so as to follow professional standards accordingly.

5. The M is for MONITORING:

We have already said that strong policies and procedures should be in place. However, to

ensure these are followed, there must be an element of review from the audit firm. The

standard recommends 2 types of monitoring:

– HOT review

– COLD review

An independent partner within the audit firm undertakes the hot review usually. They

review the audit work and conclusions reached. This is to ensure that the overall conclusion,

i.e. the opinion is appropriate. Hot reviews are usually carried out for listed clients or those

with significant audit risks. A hot review is carried out before the audit report is signed. It is

also known as an EQCR or engagement quality control review. A senior member of staff at

the audit firm performs a cold review. An external consultant can carry it out. They review

the work carried out for the client and the conclusions reached. The key difference is that

the review takes place after the audit has been completed and the audit report is signed. A

sample of clients is selected across the audit firm to review. This ensures consistency across

audit teams, and identifies if there is a risk of noncompliance of professional standards.

15

6. Finally, E is for ENGAGEMENT PERFORMANCE:

This looks at the overall performance of the audit assignments across the audit firm. This is

made up of 3

elements:

– Direction of audit:

The direction focuses on ensuring everyone is aware of the objectives of the audit,

knowledge of the client

business, the risks and any problems that may arise.

– Supervision of audit:

Supervision is looking to ensure that the audit is reviewed by someone senior who can

ensure the team is

competent and the deadlines are met to provide timely information for the client.

– Review of the audit:

The review is to ensure professional standards have been followed, that there is evidence to

back up conclusions made and that the evidence collected is sufficient and appropriate.

Each of these 6 components is explained in ISA220 to enable audit firms to ensure the

highest quality work is performed. This therefore ensures that an appropriate audit opinion

is formed on the financial statements for every client, which ties back to the obligation to

ensure they follow professional standards and that their reports are appropriate for the

client’s requirements.