Audit and Assurance - BAC 4802
A. Nature and Purpose of Audit
1. Definition and scope of audit
The Auditing Practices Board (APB) defines an audit as “an exercise whose objective
is to enable auditors express an opinion whether the financial statements give a true
and fair view of the entity’s affairs for the period then ended and have been
properly prepared in accordance with the applicable reporting framework”
Auditor: An auditor is a professional who, by evaluating a subject matter such as
financial statements, expresses an opinion on that subject matter.
Opinion: This is a conclusion arrived at using set criteria.
Financial statements: These comprise annual accounts which show performance
and financial position of an entity i.e. the statement of comprehensive income,
statement of financial position, statement of changes in equity, statement of cash
flows and notes to the accounts.
Truth is having facts in accordance with reason or correct principle or received
standard like generally accepted accounting principles and the accounting
standards.
Fair means that the accounts should reflect the commercial substance of the
business entity’s underlying transactions. The idea of fairness involves a number of
thoughts including:
(a) Expectation: Any user has certain expectations from a set of accounts. He/she
presumes that the accounts will conform to generally acceptable accounting
principles and accounting standards.
(b) Relevance: This means that the view given by the accounts will be relevant to the
information need of the user.
(c) Objectivity: This consists of externally verifiable facts.
(d) Freedom from bias: The producer of accounts should not allow personal
preferences to enter into their accounts preparation work.
(e) Beyond simple conformity: Users of accounts expect accounts to conform to
generally acceptable accounting principles and accounting standards.
(f) Least as good: At one time, the prudence convention was so highly esteemed
that shareholders and auditors expectations went no further than making sure that
the true position was at least as good as that shown by the balance sheet.
(g) Accounting principles: The accounting principles and policies used should be in
conformity with accounting standards; generally accepted; widely recognized and
supported; and appropriate and applicable in the particular circumstances.
(h) Disclosure: Disclosure at times can serve the users well, as accounting is an
aggregating and summarizing process.
(i) Materiality: An item is material if its disclosure or non-disclosure would make any
difference to the view received by the user of the accounts. Fairness is, therefore, a
function of materiality.
Entity: This is a general term representing all types of business enterprises including limited
liability companies, charities, local authorities, government agencies, etc.
2. Purpose of the audit
The primary objective of an audit is to enable the auditor to produce a report of his opinion on
the truth and fairness of financial statements so that any person reading and using them can
have belief in them.
An audit has a number of benefits.
(i) Owners of the company are given an independent opinion as to the truth and fairness of
the accounts.
(ii) An audit gives more confidence in the financial statements used by third parties like
banks.
(iii) The auditors can help the directors improve the business as a by-product of the
audit through reporting weaknesses identified in the course of audit.
(iv) Disputes between members of management, as in a partnership, may be more easily
settled.
(v) Major changes in ownership may be facilitated if past accounts contained an
unqualified/clean audit report.
(vi) The government relies more on audited accounts to ascertain profit or loss for tax
purposes.
(vii) Helps to prevent and detect errors and fraud: An audit has deterrent and moral
effect which helps entities to prevent errors and fraud. In addition, errors and fraud
may be detected in the course of the audit work.
3. Limitations of audit
The following are the limitations:
(a) Auditing is not a purely objective exercise because auditors use judgement in
areas like risk assessment, which tests to perform, determination of materiality
levels etc.
(b) In auditing, auditors do not check every item in the accounting records.
(c) Accounting and internal control systems on which auditors rely have inherent
limitations (refer to the inherent limitations of internal controls topic).
(d) An audit does not and cannot tell whether directors and management are telling the
truth or have colluded in fraud.
(e) An audit only indicates what is probable rather than what is certain.
(f) Audit reports are issued some months after the financial statements date.
(g) The audit report format is unlikely to reflect all aspects of the audit.
(h) The auditor’s opinion is not a guarantee of the future viability of the entity,
of the effectiveness and efficiency of management, or that fraud has not been
perpetrated on the company.
4. Types of audit
Audits can either be statutory or non-statutory.
(a) Statutory audit: This is an audit carried out because the law (i.e. the Companies Act)
requires it.
(b) Non-statutory audit: This is an audit conducted on the affairs of the
firm by independent auditors because it is required by the owners.
B. Professional Ethics and Regulatory Framework
i. The Code of Ethics, Principles on Independence, Confidentiality, Conflict of interest
The five fundamental principles relating to Code of Ethics are:
i. Integrity: Members should be straightforward and honest in all professional and
business relationships.
ii. Objectivity (Independence): Members should not allow bias, conflicts of interest
or undue influence of others to override their professional or business
judgements.
Independence: An auditor must be and be seen to be independent, and this
helps the auditor to give an unbiased opinion of the financial statements.
Independence is essentially an attitude of mind characterised by integrity and
objective approach to professional work. A member in the public practice
should be, and be seen to be independent.
There are three main ways in which the auditor’s independence can manifest
itself:
i. Programming independence: This is the independence which essentially
protects the auditor’s ability to select the most appropriate strategy
when conducting an audit.
ii. Investigative independence: Auditors must have unlimited access to all
company information.
iii. Reporting independence: This protects the auditors’ ability to choose to
reveal to the public any information they believe should be disclosed.
The following are threats to professional independence:
i. Self-interest threats – These arise when the auditor has something to lose, be
it reputation, credibility, money or relationships. For example, having a
financial interest in the client.
ii. Self-review threats – These arise when the auditor has to evaluate
material that was originally prepared by himself. For example, auditing
financial statements prepared by the auditor himself.
iii. Advocacy threats – These arise when the auditor supports the position of
the client to the extent that the subsequent objectivity of the auditor
becomes questionable, e.g. assisting the client to obtain financing from the
bank.
iv. Familiarity threats – These occur when, due to long association, the
auditor and the client become too close, resulting in auditors becoming
sympathetic toward the client and losing professional skepticism.
v. Intimidation threats – These arise when, for one reason or another, the auditor
is threatened by the client. For example, the auditor receiving threats of
dismissal, physical threats and gifts.
iii. Professional competence and due care: Members have a continuing duty to
maintain professional knowledge and skill at a level required to ensure that a
client or employer receives competent professional service based on current
developments in practice, legislation and techniques.
iv. Confidentiality: Members should respect the confidentiality of information
acquired as a result of professional and business relationships and should not
disclose any such information to third parties without proper or specific
authority of the client or unless there is a legal or professional right or duty to
disclose.
Confidentiality is about observing secrecy when dealing with any information an
individual comes across in an official capacity.
However, there are recognised exceptions to confidentiality:
a. There can be obligatory disclosure where a client has committed an
offence of treason.
b. Disclosure can be made to protect the auditor’s interest.
c. Disclosure may be required by legal process.
d. Public duty can compel an auditor to disclose.
e. There may be a need to comply with technical standards and ethical
requirements.
f. There may be a need to comply with the quality review of the auditor.
g. There may be a need for an inquiry or investigation by a regulatory body.
v. Professional behavior: Members should comply with relevant laws and
regulations and should avoid any action that discredits the profession.
ii. Auditors Legal and Professional Liability
Contract law is the law which regulates legally binding agreements.
The law of contract affects the auditor as follows. The auditor and the client
agree on express terms of the contract set out in the engagement letter. The
law may also impose implied terms into contractual agreements.
Implied terms are terms deemed to form part of a contract even though not
expressly mentioned by the parties to the contract. Examples of implied terms
are:
1. The auditors have a duty to exercise reasonable care and skill.
Reasonable care is the degree of care, diligence, or precaution that
may fairly, ordinarily, and properly be expected or required in
consideration of the nature of the action, the subject matter, and
the surrounding events.
The following guidelines help to know when an auditor is said to
have displayed reasonable care.
i. Auditors should use generally accepted auditing techniques
contained in auditing standards.
ii. If auditors’ suspicions are aroused (this is called being ‘put
upon enquiry’), they must carry out investigations until they
are satisfied as to what those suspicions mean.
iii. Auditors must act honestly and carefully when making
judgements.
When the auditors breach their implied duty of care under the
contract, the client may be entitled to bring a claim against the
auditor. In order for the claim to be successful, three things must be
proved.
(i) There must have been a duty of care enforceable at law.
(Always the case when there is a contract)
(ii) The auditors are negligent in the performance of a duty
judged by the accepted professional standards of the day.
(iii) The client has suffered some monetary loss as a result of
the auditors’ negligence. (Re Thomas Gerrard & Son
1968, p47)
2. The auditors have a duty to carry out the work required with
reasonable expediency.
3. The auditors have a right to reasonable remuneration.
All auditors can be sued in a civil court when they have breached their position
of trust, e.g. if an auditor uses information acquired during the course of the
audit to make financial gain, then he or she can be sued for
breaching his or her position of trust and confidentiality.
The auditor's liability falls under three categories:
i. To their clients
An auditor may be liable for negligence not only under the law of
contract but also in the law of tort i.e. if a person to whom he owed a
duty of care has suffered financial loss as a result of the auditor's
negligence.
ii. To third parties in case of negligence
For the third party to succeed, he must prove the following:
• The auditor owed him a duty of care
• The auditor was negligent
• He has suffered financial loss resulting from the auditor's negligence. (Caparo
Case p50)
iii. Criminal Liability
An auditor shall be criminally liable if he willingly makes a material false
statement in any report, certification or in the financial statement with
the intention to deceive and mislead. Examples of criminal liabilities
include:
The auditor accepts appointment when he is ineligible to do so or
continues in office after becoming ineligible.
The auditor obtains an advantage by deception.
The auditor falsifies accounting records or documents.
When the auditor publishes misleading statements intended to
deceive members.
When an auditor misappropriates a client's property.
The auditor must act correctly and in accordance with the law when
he/she discovers crimes committed by a client or members of the client's
staff. Such acts may include money laundering, insider trading etc.
Auditors and accountants can minimise their potential liability for professional
negligence in several ways:
i. By not being negligent
ii. By following the precepts of the auditing standards.
iii. By agreeing the duties and responsibilities in an engagement letter.
iv. By defining in their report the precise work undertaken, the work not
undertaken, and any limitations to the work.
v. By stating in the engagement letter the purpose for which the report
has been prepared and that the client may not use it for any other
purpose.
vi. By stating in any report the purpose of the report and that it may not be
relied on for any other purpose.
vii. By advising the client in the engagement letter of the need to obtain
permission to use the name of the auditor and withholding permission
in appropriate cases.
viii. By identifying the authorized recipients of reports in the engagement
letter and in the report.
ix. By limiting liability by a term in the engagement letter or to third
parties.
x. By obtaining an indemnity from the client or third party.
xi. By defining the scope of professional competence to include only
matters within the auditor’s/accountant’s competence.
iii. Corporate Governance
Corporate governance is the means by which a company is operated and controlled.
It encompasses such matters as:
• The responsibilities of directors
• The appropriate composition of the board of directors
• The necessity for good internal control
• The necessity for an audit committee
• Relationship with the external auditors
Corporate governance is about ensuring that companies are run well in the interests
of their shareholders and other stakeholders.
The key principles of corporate governance include transparency, accountability,
fairness, responsibility and reputation.
i. Transparency means providing information about activities, plans and actions to
stakeholders who are entitled to it. In good corporate governance, directors
should clarify to shareowners and other key stakeholders why every
material decision has been made.
ii. Accountability is about explaining how powers or authority and resources
entrusted have been used. Directors should be held accountable for their
decisions to shareowners, and, in certain cases, key stakeholders,
submitting themselves to rigorous scrutiny.
iii. Fairness: The board and management should apply fair practice in their dealings with
stakeholders and adhere to the spirit, not just the letter, of all rules and
regulations that govern the organisation. The organisation should provide
effective redress for violations.
iv. Responsibility means management accepting the credit or blame for
governance decisions. It implies clear definition of the roles and
responsibilities of senior management. To this end, directors
should carry out their duties with honesty, probity and integrity. They
should exercise independent judgement when making decisions.
v. Reputation: Good practices ensure a good reputation. Bad practices can destroy a
reputation overnight. Consequences of poor reputation include: suppliers’
and customers’ unwillingness to deal with the organisation for fear of being
victims of dishonesty; inability to recruit high quality staff; fall in demand
because of consumer boycotts; increased public relations costs because of
adverse stories in the media; increased compliance costs because of close
attention from regulatory bodies or external auditors; and loss of market
value because of a fall in investor confidence.
C. Audit Engagement Process
i. Obtaining and accepting professional engagements
Obtaining Engagement
1. Advertisement of audit services: It is acceptable for auditors to advertise their
services so as to obtain new business. However, such
advertisements or any other form of marketing should be done in a
manner or medium that does not reflect adversely on the
profession or bring it into disrepute.
2. Tendering: The IFAC Code states that the fact that, in response to
tenders, one firm may quote a fee lower than another is not in itself
unethical. However, there may be threats to compliance with ethical
principles arising from the level of fees quoted. The practice of
undercutting fees, known as lowballing, to the extent that the fee is less
than the expected market rate, so that the firm willingly
undertakes the work at less than it is worth or at a loss without
compromising its quality, will cause the auditor’s independence to
be called into question.
Appointment of an auditor
The auditors will be appointed by the following persons:
i. The members of the company, at the annual general meeting.
ii. The directors of the company, who may appoint an auditor either to fill the
vacancy if the existing auditor resigns, or to appoint the first auditor between
the date of incorporation and the first AGM or, if the company qualifies to
have an audit, before the next AGM.
iii. The Registrar of Companies, who may appoint an auditor where the auditor has
not been appointed by the company at the appropriate time.
The following cannot act as auditors:
o An officer or an employee of the company
o A shareholder of the company
o A partner or employee of such a person
o A partner in a partnership in which such a person is a partner
o A person ineligible by the above for appointment as auditor of any directly
connected companies
o A person disqualified from acting as an auditor to any other corporate body
within the same group
Before accepting nomination, the nominee auditors must carry out the following
procedures:
o The nominee auditors must ensure that they are professionally qualified
to act
o They should also ensure that they have adequate resources in terms of
personnel, technical expertise and time to undertake the engagement
o Obtain references and make independent enquiries if the directors are
not personally known
o Communicate with the present auditors. Find out whether there are
reasons behind the change which the new auditors ought to know, but do
so with courtesy.
o Ensure that the outgoing auditors’ removal or resignation has been
properly conducted in accordance with the law. Check valid notice or
confirm that the outgoing auditors were properly removed.
o Ensure that the new auditor’s appointment is valid. The new auditors
should obtain a copy of resolution passed at the general meeting
appointing them as company auditors.
o Find out whether the previous auditors have fees owed to them. The
new auditors should decide how far they may go in helping the former
auditors to obtain their fees, as well as whether they should accept
appointment.
Procedures after accepting nomination
o Set up and submit an engagement letter to the directors of the
company.
o The new auditors should obtain all books and papers which belong to
the client from the auditors unless the former auditors have a lien over
the books because of unpaid fees.
o The old auditors should also pass any useful information to the new
auditors if it will be of help, without charge unless a lot of work is
involved.
Engagement Letter
An engagement letter is a document which records and confirms that
the auditor has officially accepted the appointment.
The purpose of an engagement letter is as follows:
1. To define clearly the extent of the auditor’s responsibility.
2. To minimise misunderstandings between auditor firm and client in
the future
3. To confirm in writing verbal arrangements.
4. To confirm acceptance by the auditor of his engagement.
5. To inform and educate the client about the audit
The engagement letter should be sent in the following situations:
a. To all new clients before any professional work has been
started.
b. To all existing clients who have not received such a letter
previously.
c. Whenever there have been major changes at the client e.g.
change of top management at the client and changes in the
structure and nature of the business
d. Whenever the auditor has reasons to believe that the client
does not understand the purpose of the audit
The contents of an engagement letter include:
o The objective of the audit of financial statements.
o The management’s responsibility to keep proper records and
prepare financial statements which show a true and fair view.
o The auditor’s responsibility to report on the financial
statements.
o The scope of the auditor’s work, i.e. it should be in accordance with
auditing standards and guidelines, an accounting systems review should
be conducted, and it covers the collection of audit evidence, tests and
reliance on internal controls.
The responsibilities of the Auditors include the following:
o To make a report to the members or shareholders on all
financial statements laid before members in an annual general
meeting.
o To state in his report whether accounts comply with the
requirements of the Act and that they show a true and fair view
in his opinion.
o To report if proper accounting records have not been kept.
o To report if proper returns from branches not visited by the
auditor have not been received.
o To report if financial statements are not in agreement with
books of accounts.
o To consider if any information in the Director’s report is
inconsistent with the accounts and to report any such instances.
o To investigate (this is an implied duty) if there are indications
that material errors and fraud have occurred.
Rights of an auditor are as follows:
o Right of access at all times to the books, accounts, vouchers or
documents of the company.
o Right to require from directors, employees of the company any
information which the auditor thinks necessary.
o Right to receive notices and attend meetings and to report on
any matters concerning him as auditor.
o Right to make a report on his findings including failure of the
directors to provide him with information and explanation
which he deems necessary.
o Right to be heard when making a presentation during a
meeting.
o Right to reasonable remuneration.
o Right of lien. A lien is right to hold or keep somebody’s property
until that somebody settles a debt.
o Right to receive correct information.
ii. Termination, Dismissal and resignation of auditor
Resignation of auditors
An auditor has a right to resign if he wishes:
i. Poor health: Sickness may cause the auditor to fail to execute his/her duties.
ii. Growth in the size of the audit firm such that the fee is inadequate.
iii. Restriction to the extent of audit work
Resignation procedures are as follows:
1. An auditor may resign by depositing a notice of resignation at the
registered (or head) office of the audit client, including the reasons for
resignation, known as a statement of circumstances.
2. The statement of circumstances is sent by the auditors to the Registrar
of Companies within twenty-eight days.
3. The auditor can cease to be auditor by simply not seeking re-election.
In that case, the auditor must still deposit a statement of
circumstances.
Dismissal (removal) of auditors
A company can remove an auditor before expiry of his tenure of office. The
following requirements have to be followed.
o First the company must pass an ordinary resolution at an extraordinary
general meeting.
o Second, a special notice of dismissal must be given to the auditor within
twenty-eight (28) days. This avoids the removal being done secretly
without the auditor knowing.
o If the auditor feels that his/her dismissal is unjustified, he/she has the right to
make representations, which require the company to state that
representations have been made by the auditor and notice given to the
shareholders.
iii. Books and records
The board of a company is under obligation to cause accounting records to be
kept that, inter alia, correctly record and explain the transactions of the
company and enable the financial position of the company to be determined
with reasonable accuracy.
Records must be kept for 7 years.
D. Audit Planning
i. Purpose of audit planning
Audit planning assists the auditor to issue a correct audit report or conduct
an efficient audit.
In the audit plan, the auditor documents a description of the nature, timing,
and extent of the planned audit procedures to be used in order to comply
with auditing standards.
Basically, the audit plan should consider how to conduct the audit in an
effective and efficient manner.
The Auditor should consider the following during planning:
1. Assess business risks.
One way that the auditor reduces audit risk to an acceptably low
level is by obtaining an understanding of the entity and its
environment.
Based on this understanding, the auditor identifies those business
risks that may result in material misstatements.
The auditor then evaluates how the entity responds to those
business risks and ensures that those responses have been
adequately implemented.
2. Establish materiality.
Information is generally considered to be material if its omission or
misstatement could influence the economic decisions of users taken
on the basis of the financial statements.
Materiality should be considered by the auditor when determining
the nature, timing and extent of audit procedures and when
evaluating the effects of misstatements.
During planning, the auditor must establish materiality for the
financial statements as a whole. The auditor must also determine
performance materiality in order to assess the risks of material
misstatement and to determine the nature, timing and extent of
further audit procedures.
Determining materiality for the financial statements as a whole
involves the exercise of professional judgement.
Materiality affects the audit work as follows:
(a) Materiality affects the nature and size of audit tests. The auditor
needs to design audit procedures to verify only those items which
could be materially wrong.
(b) When deciding whether to seek adjustment for errors found, the
auditor is concerned that adjustments are made only of material
errors.
3. Consider multiple locations.
As part of the planning process, the auditor should determine which
locations or business units are to be audited and the extent of audit
procedures to be performed at the selected locations or business
units.
In auditing a company with operations in multiple locations or
business units, the auditor needs to determine the extent to which
audit procedures should be performed at selected locations or
business units.
4. Assess the need for specialists.
Examples include specialists in finance, tax, valuation, pension, and
information technology (IT).
Such specialists may assist the auditor with valuing financial
instruments, determining physical quantities, valuing environmental
liabilities, or interpreting regulations or contracts.
In relying on the specialist, the auditor should evaluate the
competence and objectivity of the specialist, audit the inputs used
by the specialist and reconcile the output, and review the
specialist’s work for reasonableness, including the reasonableness
of assumptions.
5. Consider violations of laws and regulations.
The auditor should be aware that illegal acts may have occurred. If
specific information comes to the auditor’s attention that provides
evidence concerning the existence of such material but indirect
illegal acts, the auditor should apply audit procedures specifically
directed at determining whether illegal acts have occurred.
6. Identify related parties.
Auditors should attempt to identify all related parties during the
planning phase of the audit. It is important to identify related party
transactions because the transaction may not be “at arm’s length.”
7. Consider additional value-added services.
The auditor should look for opportunities to recommend additional
value-added services. Traditionally, value-added services have
included tax planning, system design and integration, and internal
reporting processes.
ii. Audit Risks
o Audit risk is the risk that the auditor expresses an inappropriate audit
opinion when the financial statements are materially misstated. It is a
function of the risk of material misstatement (inherent risk and control
risk) and the risk that the auditor will not detect such misstatement
(detection risk).
o Audit risk = Inherent risk × Control risk × Detection risk
o Inherent risk is the risk that items will be misstated due to the
characteristics of those items, such as the fact they are estimates or that
they are important items in the accounts. The auditors must use their
professional judgement and all available knowledge to assess inherent
risk. If no such information or knowledge is available then the inherent
risk is high.
Factors that affect inherent risk:
(a) Integrity and attitude to risk of directors and management – domination
by a single individual can cause problems.
(b) Management experience and knowledge.
(c) Unusual pressures on management, e.g. tight reporting deadlines or
market or financing expectations.
(d) Nature of business. Potential problems include technological
obsolescence or over-dependence on a single product.
(e) Competitive conditions, regulatory requirements, technology
developments, changes in customer demand.
(f) Future plans of the client.
(g) High gearing. A client that has a large proportion of prior charge
capital has high inherent risk.
(h) Liquidity problems. Cash-flow problems increase inherent risk.
(i) Information technology.
o Control risk is the risk that internal controls will not prevent or detect
material errors.
The following are the factors that affect control risk:
(i) The quality and effectiveness of management and the degree of
supervision exercised by management.
(ii) The existence and quality of internal control.
(iii) The competence of accounting staff.
(iv) The nature of accounting records kept.
(v) The existence and effectiveness of the internal audit department, if
there is one.
o Detection risk is the risk that auditors’ substantive procedures and his
review of the financial statements will not detect material errors.
Examples of areas of detection risk include:
• Failure to recognise ‘put upon enquiry’ situations.
• Failure to draw the correct conclusions from audit evidence and the
analytical review.
• Use of wrong procedures in a particular situation.
• Failure to perform necessary audit work because of time or cost
considerations.
• Failure to detect error or fraud because of poor sampling method or inadequate
o Features of an audit firm which may minimize risk:
• Proper recruitment and training of all personnel.
• Allocation of staff with appropriate ability to particular audits.
• Planning of the work of the firm in such a way that each audit can be
approached in a relaxed but disciplined way and timing problems can be
accommodated.
• Two-way communication with staff on matters of general concern and in
connection with specific audits.
• Use of audit manuals which conform to the audit standards and guidelines.
• Use of audit documentation which is comprehensive and yet which allows
for special situations.
• Use of budgeting and other techniques to ensure that audits are
remunerative and yet risk-minimising.
• Use of precise and frequently updated letters of engagement.
• Use of review techniques for all audits.
• Existence of a technical section so that all new developments are rapidly
incorporated into the audit firm’s action.
iii. Quality Control
o The auditor should document the audit strategy and audit plan. This
involves documenting the audit risks identified and the decisions about
the nature, timing, and extent of audit tests.
o Auditors should ensure that all audit evidence gathered is properly
documented.
o Audit programs containing specific audit procedures must also be
prepared and used.
o An important part of the planning and conduct of the audit is
appropriate supervision of audit personnel. The engagement partner
should ensure that the work of engagement team members is properly
reviewed.
E. Internal Control Review
i. General principles of internal controls
Internal control is a process, system or procedure designed and implemented by
the board, management or other personnel with the aim of directing the
organization towards achieving its objectives in the following categories:
Effectiveness and efficiency of operations
Reliability of financial reporting
Compliance with applicable laws and regulations
Internal control consists of five interrelated components as follows:
Control (or Operating) environment
It is the atmosphere in which people conduct their activities and carry out their
control responsibilities.
An effective control environment is an environment where competent people
understand their responsibilities, the limits to their authority, and are
knowledgeable, mindful, and committed to doing what is right and doing it the
right way.
Risk assessment
Risk assessment is the identification and analysis of risks associated with the
achievement of operations, financial reporting, and compliance goals and
objectives.
This, in turn, forms a basis for determining how those risks should be managed.
After risks have been identified, a risk analysis should be performed to prioritize
those risks:
Assess the likelihood (or frequency) of the risk occurring.
Estimate the potential impact if the risk were to occur; consider both
quantitative and qualitative costs.
Determine how the risk should be managed; decide what actions are
necessary.
Control activities
Control activities are actions, supported by policies and procedures that, when
carried out properly and in a timely manner, manage or reduce risks.
Information and communication
Information and communication are essential to effective control. Information
about an organization’s plans, control environment, risks, control activities and
performance must be communicated up, down, and across an organization.
Reliable and relevant information from both internal and external sources must
be identified, captured, processed, and communicated to the people who need
it, in a form and timeframe that is useful.
Information systems produce reports containing operational, financial, and
compliance-related information that makes it possible to run and control an
organization.
Monitoring
Monitoring is the assessment of internal control performance over time; it is
accomplished by ongoing monitoring activities and by separate evaluations of
internal control such as self-assessments, peer reviews, and internal audits.
The purpose of monitoring is to determine whether internal control is
adequately designed, properly executed, and effective.
All five internal control components must be present to conclude that internal
control is effective.
It is important to learn that internal controls have certain limitations known as
inherent limitations.
The limitations include:
i. Cost v benefit. The cost of establishing a system of internal control may be
greater than the benefits.
ii. Human error. For example, one person makes out an invoice using the
wrong selling price and another one checks it and doesn’t see the error; this
is always a possibility even in the best regulated circumstances.
iii. Collusion. Where two or more people cooperate to get around the internal
control system, the collusion might be to carry out a fraud or it might be to
cover up some error that was made. The more segregated duties are, the more
people it would need to collude to carry out an entire transaction.
iv. Bypass of controls. Say someone has forgotten to order a vital piece of
equipment and, to speed matters up, instead of getting the proper
authorization for the purchase, they issue the purchase order without that
authorization.
v. Non-routine transactions. These are transactions that are so rare that no
system of internal control has been devised.
ii. Types of internal control systems
Controls can be either preventive or detective. The intent of these controls is
different.
Preventive controls attempt to deter or prevent undesirable events from
occurring. They are proactive controls that help to prevent a loss. Examples of
preventive controls are segregation of duties, proper authorization, adequate
documentation, and physical control over assets.
Detective controls, on the other hand, attempt to detect undesirable acts. They
provide evidence that a loss has occurred but do not prevent a loss from
occurring. Examples of detective controls are reviews, analyses, variance
analyses, reconciliations, physical inventory counts, and audits.
Both types of controls are essential to an effective internal control system. From
a quality standpoint, preventive controls are essential because they are
proactive and emphasize quality.
However, detective controls play a critical role by providing evidence that the
preventive controls are functioning and preventing losses.
iii. The relevance and purpose of evaluating the entity internal control by the auditor
The auditor is to decide whether or not to rely on the entity’s controls for
assurance about management’s financial statement assertions.
When the auditor’s risk assessment procedures indicate that the controls are
not properly designed or not implemented, the auditor will not rely on the
controls. In this instance, the auditor will set control risk at high and use
substantive procedures to reduce the risk of material misstatement to an
acceptably low level.
If the auditor intends to rely on the controls, tests of controls are required to be
performed to obtain audit evidence that the controls are operating effectively.
The auditor will make an assessment of control risk based on the results of the
tests of controls.
iv. Controls in the computerized system
Employees use a variety of information systems: mainframe computers, local area
and wide area networks of minicomputers and personal computers, single-user
workstations and personal computers, telephone systems, video conference
systems, etc.
The need for internal control over these systems depends on the criticality and
confidentiality of the information and the complexity of the applications that reside
on the systems.
There are basically two categories of controls over information systems: general
controls and application controls.
i. General Controls
General controls apply to entire information systems and to all the
applications that reside on the systems.
General Controls include: Access Security, Data & Program Security,
Physical Security, Software Development & Program Change Controls,
Data Center Operations, and Disaster Recovery.
ii. Application Controls
Application controls apply to computer application systems and include
input controls (e.g., edit checks), processing controls (e.g., record counts),
and output controls (e.g., error listings); they are specific to individual
applications.
They consist of the mechanisms in place over each separate computer
system that ensure that authorized data is completely and accurately
processed. They are designed to prevent, detect, and correct errors and
irregularities as transactions flow through the business system.
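The three application controls named above (an input edit check, a processing record count with a control total, and an output error listing), shown as an added Python example that is not part of the original notes. The invoice fields, batch header, customer master file and amount limit are assumptions constructed for illustration.

```python
from decimal import Decimal, InvalidOperation

# Constructed sample data: the batch header carries the record count and
# control total that the submitting department computed before data entry.
BATCH_HEADER = {"record_count": 4, "control_total": Decimal("1850.00")}
BATCH = [
    {"invoice_no": "INV-1001", "customer": "C001", "amount": "500.00"},
    {"invoice_no": "INV-1002", "customer": "C999", "amount": "250.00"},   # unknown customer
    {"invoice_no": "INV-1003", "customer": "C002", "amount": "-100.00"},  # negative amount
    {"invoice_no": "INV-1001", "customer": "C002", "amount": "1200.00"},  # duplicate number
]
CUSTOMER_MASTER = {"C001", "C002"}   # assumed master file of valid customers
AMOUNT_LIMIT = Decimal("10000.00")   # assumed upper limit for one invoice


def parse_amount(text):
    """Return the amount as a finite Decimal, or None if it is not numeric."""
    try:
        value = Decimal(text)
    except InvalidOperation:
        return None
    return value if value.is_finite() else None


def edit_check(record, seen_invoice_numbers):
    """Input control: list every reason a record must be rejected."""
    reasons = []
    if record["invoice_no"] in seen_invoice_numbers:
        reasons.append("duplicate invoice number")
    if record["customer"] not in CUSTOMER_MASTER:
        reasons.append("customer not on master file")
    amount = parse_amount(record["amount"])
    if amount is None:
        reasons.append("amount is not numeric")
    elif not Decimal("0") < amount <= AMOUNT_LIMIT:
        reasons.append("amount outside permitted range")
    return reasons


def process_batch(header, batch):
    """Run the edit checks, then reconcile the batch to its header."""
    accepted, error_listing, seen = [], [], set()
    for record in batch:
        reasons = edit_check(record, seen)
        seen.add(record["invoice_no"])
        if reasons:
            error_listing.append((record["invoice_no"], reasons))  # output control
        else:
            accepted.append(record)
    # Processing control: records and value read must agree with the header,
    # otherwise records were lost, added or altered between entry and processing.
    total_read = sum(parse_amount(r["amount"]) or Decimal("0") for r in batch)
    return {
        "accepted": accepted,
        "error_listing": error_listing,
        "count_ok": len(batch) == header["record_count"],
        "total_ok": total_read == header["control_total"],
    }


if __name__ == "__main__":
    result = process_batch(BATCH_HEADER, BATCH)
    print("count ok:", result["count_ok"], "| total ok:", result["total_ok"])
    for invoice_no, reasons in result["error_listing"]:
        print("REJECTED", invoice_no, "-", "; ".join(reasons))
```

The edit check works record by record, while the record count and control total work on the batch as a whole, so a record dropped in transit is caught by the header reconciliation even though every remaining record is individually valid.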
F. Obtaining Audit Evidence
iii. Audit Evidence
Audit evidence is all the information used by the auditor in arriving
at the conclusion on which the audit opinion is based.
Audit evidence is any information that corroborates or refutes an
assertion.
Audit evidence includes the information contained in the accounting
records underlying the financial statements and other information.
Sufficient appropriate audit evidence must be obtained by
performing audit procedures to afford a reasonable basis for an
opinion regarding the financial statements under audit.
The following are the types of audit evidence.
Physical evidence: This is evidence that can actually be seen by
auditors. This involves examination of physical assets, witnessing
the internal control and bookkeeping procedures being carried out.
This type of evidence is generally effective for supporting the
existence assertion.
Third-party representations: These are testimonies from
independent third parties. They include third party representations,
debtors’ circularization confirmations, lawyers’ letters and reports
of specialists.
Documentary evidence: These are findings from documentation
of items recorded in the accounts; this demonstrates that a
transaction occurred. Confirmation that items recorded in the
supporting documentation are recorded in the accounting records
Recomputations: These are the results obtained from checking the
arithmetic accuracy of client records. Computations are performed
independently by the auditor and are used to verify the mathematical
accuracy of the client’s analyses and records.
Client representations: These are oral and written client
representations. Responses to questions and inquiries to clients
during an audit constitute audit evidence. Oral representations are
generally not sufficient as primary evidence, but may provide
corroboration for other evidence. Written representations
(representation letter) are required, but should not be used as a
substitute for other audit procedures.
Accounting records: Clients’ accounting records (e.g. ledgers and
journals) may provide worthwhile evidence in themselves. This can
also include checking the internal control system of the client.
supports completeness.
Results of inspection of assets: Inspection of assets that are
recorded in the accounting records confirms existence and also
gives evidence about valuation. When an asset is recorded in the
accounts, it gives evidence of completeness.
Reconciliations: Checking the reconciliations of client’s control
account can provide evidence of completeness.
External events: The auditor should use his knowledge of current
events in assessing company’s accounts, for example, considering
the value of overseas subsidiaries.
iv. Use of work of others
According to ISA 620, an expert may be engaged by the client to
provide specialized advice on certain matters, or may be engaged by
the auditor to help obtain certain evidence and assurance on certain
matters regarding financial statements.
Experts may be engaged to help in matters such as: Valuation of
certain types of assets such as land and buildings or plant and
machinery. Determination of quantities or physical condition of
assets such as stocks. Determination of amounts using specialized
methods and techniques such as pensions and actuaries.
Measurement of work completed and work in progress on long
term contracts.
When planning to use the work of an expert the auditor should
assess the need, materiality of the matter and the risk associated
with the work of an expert.
The auditor should also consider the following factors:
Expert’s professional competence in his field, by assessing
professional qualification, experience and resources of the expert.
Independence of the expert from the client company, by
assessing whether he is an employee or not, or related in some way
to the company.
The expert’s scope and quality of work.
According to ISA 610, when planning the audit procedures, auditors
should consider the presence and activities of internal audit. He
should assess their effect, if any, on the external audit work. While
the external auditor is still responsible for the overall audit opinion,
he may rely on some of the internal audit work to complement his own.
The auditor should consider the following:
a. Scope of the Function: Consider the extent and nature of
their assignment performed and actions taken by
management to assess the internal audit effectiveness in
the entity.
b. Technical Competence: Assess whether internal auditors are
properly qualified and experienced through checking their
membership of professional bodies such as ACCA, the Institute
of Internal Auditors (IIA) and other relevant bodies.
c. Due Professional Care: Assess whether internal audit work is
properly carried out, such as planning, supervision, review
and documentation, and the quality of their internal audit
reports.
v. Financial statement assertions
Management assertions or financial statement assertions are the set
of information that the preparer of financial statements (that is,
management) is providing to another party.
The following are the financial statement (management)
assertions.
Existence or Occurrence--Assets, liabilities, and owners’ equity
accounts reflected in the financial statements exist; the recorded
transactions have occurred.
Completeness--All transactions, assets, liabilities, and elements of
owners’ equity that should be presented in the financial statements
are included.
Rights and Obligations--The client has rights to assets and
obligations to pay liabilities that are included in the financial
statements.
Valuation or Allocation--Assets, liabilities, owners’ equity,
revenues, and expenses are presented at amounts that are
determined in accordance with generally accepted accounting
principles.
Presentation and Disclosure--Accounts are described and
classified in the financial statements in accordance with generally
accepted accounting principles and all material disclosures are
provided.
Accuracy – Amounts and other data relating to recorded
transactions have been recorded properly.
Cutoff – Transactions have been recorded in the proper
accounting period.
vi. Audit tests and procedures (Methods)
There are two methods of audit testing and these are sampling and
substantive tests.
Audit sampling is the testing of less than 100% of the items within a
population to obtain and evaluate evidence about some
characteristic of that population, in order to form a conclusion
concerning the population.
Advantages of statistical sampling include: (i) It is scientific. (ii) It is
defensible (it can be justified). (iii) It is efficient because reasonable
sample sizes are taken. (iv) It provides precise mathematical
statements about probabilities of being correct. (v) Uniform
standards among different audit firms are achieved.
Disadvantages of statistical sampling: (i) This requires highly
competent audit employees that have knowledge of statistics. (ii)
This method could be time consuming because of complicated
mathematical formulae involved. (iii) Time is spent performing
mathematical calculations which are time consuming. (iv) Audit
judgement takes second place to precise mathematics. (v) This
method is inflexible through its use of statistics.
vii. Audit documentation
Auditors are required to prepare, on a timely basis, audit
documentation that provides a sufficient and appropriate record of
the basis of the audit report, and evidence that the audit was
performed in accordance with standards and regulatory
requirements (the Companies Act).
Audit documentation is the record of audit procedures performed,
relevant audit evidence obtained and conclusions reached.
Documentation should be in the form of audit working papers, which
are a record of audit procedures performed and relevant audit
evidence obtained and conclusions reached.
Importance and purpose of Documentation
(a) It provides evidence of the auditor’s basis for a conclusion
about the achievement of the overall objective.
(b) It provides evidence that the audit was planned and
performed in accordance with ISAs and other legal and
regulatory requirements.
(c) It assists the engagement team to plan and perform the
audit.
(d) It assists team members responsible for supervision to
direct, supervise and review audit work.
(e) It enables the team to be accountable for its work.
(f) It allows a record of matters of continuing significance to be
retained for future reference.
(g) It enables the conduct of quality control reviews and
inspections (both internal and external).
(h) To ensure work delegated by the reporting partner has
been properly performed. The only source is detailed
working papers prepared by the audit staff.
(i) They encourage the auditor to adopt a methodical
approach.
viii. Application of audit tests
d. Non Current Assets
The auditor should obtain sufficient appropriate
evidence to support financial statements assertions
relevant to non-current assets (i.e., existence,
valuation, completeness and ownership) in addition
to the control tests.
Existence. The auditor should: Obtain or compile a
list of assets to support the balances shown in the
financial statements and verify them in the
non-current assets register. Verify the existence of each
asset through physical inspection, matching the
detailed descriptions in the register with actual
assets. Check through all records on each asset and
ensure that there is no indication that the assets
have been lost, disposed of or stolen. Seek
confirmation from responsible management about
the existence of the assets if not around the
premises for some reasons.
Ownership (rights and obligations). The auditor
should: Check whether assets are owned by the
client by inspecting ownership documents (i.e.,
registration books for motor vehicles, title deeds for
land and buildings etc) and ensure they are in the
client’s name. Verify through purchase documents
(purchase invoices, quotations etc) and ensure they
were ordered and paid for by the company.
Observe use of the assets by the client without any
encumbrances or attached conditions from any
third party. Confirm with responsible
management the ownership of any asset which
the auditor doubts or for which other proof is not
readily available. Check all assets held under lease
agreement and conditions attached to such leases
in the lease agreements. Assess whether each
asset is adequately insured against risks to which it
is exposed, accidents, theft and so on. Check
whether any asset is held subject to loan security
against providers of loan capital. For
self-constructed assets, verify through costing
information in contracts accounts.
Completeness, Presentation and Disclosure. The
auditor should: Obtain or compile a list of all the
non-current assets held by the client entity and
trace each asset in the non-current asset register.
Check whether appropriate details about each asset
are contained in the register, such as: dates of
acquisition; original cost; names and details of
suppliers; description of each asset (i.e., year of
make, model, serial numbers, part number, colour
etc); current location, use and condition; asset life
history in terms of major repairs or replacement of
parts; asset depreciation policies and rates; asset
insurance policies and annual premiums paid. Verify
information from the register with other
information, for example, with the asset ledger.
Valuation. The auditor should: Trace the original
cost of each asset through the asset register and
cross-check with purchase documents and ensure
they were appropriately classified as capital
expenditure. Trace any subsequent capital
additions and ensure they meet the requirement to
be classified as such (i.e., that the costs enhance the
capacity or capability of the assets, not
maintenance and other running costs). Check any
subsequent revaluation of the assets for
reasonableness, especially noting the competence
of valuers, assumptions and methods used to arrive
at the values. Check whether annual reviews are
carried out at the balance sheet date and any
impairments are provided for. Check
reasonableness of depreciation policies, adequacy
and accuracy of the calculations of annual
depreciation. Assess whether each asset is
adequately insured against risks to which it is
exposed.