Audit Manual Version 7

Global Focus
Audit Methodology
Audit Manual
Version 7 (2022)
Published July 2022
For internal use within Baker Tilly network

member firms only. Not for external distribution.
Queries to: globalfocus@bakertilly.global
Global Focus Audit Methodology
Audit Manual
Version 7 (2022)
Contents
Introduction
Preliminary
Reporting
Activities
Global
Focus
Risk
Evaluate
Assessment
and
and
Conclude
Planning
Respond to
Risk
Section
1 Introduction to the audit manual
1.1 Audit manual guidance to member firms
2 Preliminary activities
2.1 Preliminary activities
3 Risk Assessment and Planning
3.1 Risk assessment and planning procedures
3.2 Materiality
3.3 Understanding the entity and its environment, and the applicable financial reporting framework
3.4 Understanding the entity’s System of Internal Control
3.5 Assessing Risks of Material Misstatement at the Assertion Level
3.6 Identifying and assessing Financial Statement level risks
4 Responding to risk
4.1 Nature, timing and extent of audit procedures
4.2 Substantive audit sampling
4.3 Responding to Financial Statement level risks
4.4 Responding to assertion level risks
4.5 Responding to significant risks
4.6 Substantive analytical procedures
4.7 Tests of controls
4.8 Auditing the consolidation process
5 Evaluate and conclude
5.1 Evaluate and conclude
5.2 Evaluating misstatements
5.3 Evaluating the financial statements
5.4 Evaluating the work of component auditors
6 Reporting
6.1 Forming an opinion
6.2 Key Audit Matters
Audit Manual
Version 7 (2022)
Section 1: Introduction to the Audit Manual
Introduction
Preliminary
Report
Activities
Global
Focus
Risk
Evaluate
Assessment
and
and
Conclude
Planning
Respond to
Risk
Page | 0
Audit Manual
Version 7 (2022)
Contents
1.1 Introduction
1.2 Content of the Audit Manual
1.3 Structure of individual sections of the Audit Manual
1.4 Changes permitted by member firms
1.5 Mandatory Audit Documentation
1.6 Group Audit Considerations
Appendix 1: List of Mandatory Documents in Global Focus (MLP and PIE profiles)
Appendix 2: List of Mandatory Documents in Global Focus (NCP profile)
1.1 Introduction
Member firms are required to comply, as a minimum, with the International Standards on
Auditing (ISAs) published by the International Federation of Accountants (IFAC). Member firms
should, where relevant, also comply with any additional requirements of standards for their
jurisdiction.
The Global Focus methodology has been developed to be fully compliant with the requirements
of the ISAs other than ISAs 805 and 810, and therefore provides a basis for member firms to
comply with the requirements for membership of Baker Tilly International. The methodology,
audit manual and the associated Global Focus software provided by CaseWare, have been
mapped to the requirements of the ISAs and a copy of the mapping is available should member
firms require it.
The Global Focus audit manual has been written to support the roll out of Global Focus version
7 in 2022. In version 6 onwards, the version of Global Focus used to create a particular audit file
is recorded within the Optimiser (Form 400-XXX).
As a global methodology it is intended that Global Focus be applied consistently in all member
firms, to the extent permitted by local standards. As a result, there are some restrictions on the
changes member firms are permitted to make to this manual.
This guidance document summarises the:
• structure of the audit manual

• structure of individual sections of the audit manual
• changes permitted by member firms.
The audit manual has been developed for a global audience and therefore the terminology used
throughout reflects the terminology used in the ISAs and International Financial Reporting
Standards (IFRS).
1.2 Content of the audit manual

The audit manual is structured to follow the audit process and the completion of an audit in the
Global Focus software as far as possible. The contents of the Audit Manual for Version 7 of
Global Focus are listed above.
1.3 Structure of individual sections of the audit manual

The features of each section are:
Page | 1
Audit Manual
Version 7 (2022)
Contents list
A contents list of the main headings with the chapter to aid in navigation through the chapter. In
due course it is intended that the audit manual will be provided in a different format using these
headings as hyperlinks to assist users.
Summary table of requirements
There then follows a table, as copied below, which summarises the main requirements of the
chapter and shows where to find the relevant documentation in the global focus software. The
table below summarises what information is to be included:
Objective This will be objectives from the relevant ISA(s) which the auditor
is intending to achieve.
Relevant ISA A list of ISAs relevant to the individual chapter. Paragraph

references are not used in the manual as these may change as
new versions are issued. However, auditors are intended to
refer to the ISAs for details of requirements.
Additional local standards For member firms: This section is intended for member firms to
add in any additional requirements from local standards.
Global Focus software This will be a list of documents in the global focus software or
areas within the software where the relevant requirements are
met.
Policy requirements Policy requirements are those areas where Baker Tilly
(if any) International has set policy in implementing the ISAs. For
example, the benchmark ranges used in materiality, certain
settings in the sampling calculator etc.
For member firms: Where a member firm establishes its own

policies, in addition to any established by Baker Tilly
International, these are also documented in this box.
Detail of the requirements
The remainder of each section sets out the:
• requirements of the ISAs in relation to the relevant topic including in most cases a flow
diagram of the relevant process to follow.
• guidance to support auditors in meeting the requirements.
• guidance on how to address the requirements in Global Focus.
• Examples.
1.4 Changes permitted by member firms

In order to maintain the integrity of the global audit methodology and the audit manual, member
firms should not amend the substance of the document, that is the main content and guidance
setting out the requirements of the ISAs.
Page | 2
Audit Manual
Version 7 (2022)
Member firms may, however, amend the manual in the following ways:
• Include any requirements of local standards, over and above those of the ISAs, in the
summary box (see Section 1.3).
• Include any additional policies established by the member firm, e.g. restrictions on
materiality ranges etc (see Section 1.3).
• Add additional examples relevant to the local jurisdiction.
• Amend the terminology to reflect differences in local standards and ISA and IFRS, (e.g.
financial report vs financial statements, balance sheet vs. statement of financial
position).
• Add any additional content included in your local Global Focus software templates.
NOTE: Where a member firm establishes its own policy in any area, that policy must:
• Be at least as stringent as the requirements of the ISA, and/or

• Be at least as stringent as the requirements of the Baker Tilly International policy where
one has been established. (e.g. the materiality benchmarks established by Baker Tilly
International may not be exceeded, although lower benchmark restrictions may be set.
For example, the range for Profit Before Tax is 3% to 10% - a member firm may wish to
restrict the range to 5% for, say, public interest entity audits. However, it is not
appropriate for a member firm to set a range which is higher than 10%)
Users should not generally delete anything from the Document Manager, or any procedure in
the Forms and checklists within the Global Focus , other than via an Optimiser.
1.5 Mandatory Audit Documentation

Global Focus includes a number of documents which are designated as mandatory, as set out
in Appendix 1 (MLP and PIE profiles) and Appendix 2 (NCP profile) to this section of the audit
manual. Member firms are not permitted to exclude (unless via legitimately answering an
Optimiser tailoring question)or replace any of these documents.
In accordance with Section 1.4, member firms are not permitted to amend the substance of
mandatory documents, that is the main content and guidance setting out the requirements of
the ISAs. However, member firms may include additional local requirements to the mandatory
documents where required.
1.6 Group Audit Considerations

The Global Focus methodology for group audits is fully compliant with the requirements of the
ISAs, including ISA 600 Special Considerations – Audits of Group Financial Statements
(including the work of Component Auditors). ISA 600 includes considerations for auditors in
addition to those in other ISAs when performing a group audit engagement.
To reflect the relationship between ISA 600 and other ISAs, the audit manual includes additional
sections where there are Special Considerations for group audits identified by ISA 600. Such
“Group Audit Considerations” sections are found in the following sections of the Audit Manual:
• Section 2.1 – Preliminary Activities

• Section 3.1 – Risk assessment and planning procedures
• Section 3.2 – Materiality
Page | 3
Audit Manual
Version 7 (2022)
• Section 3.3 – Understanding the entity and its environment and the applicable financial
reporting framework
• Section 3.4 – Understanding internal control
• Section 4.1 – Nature, timing and extent of audit procedures
• Section 5.1 – Evaluate and conclude
• Section 5.2 – Evaluating misstatements
In addition, there are separate sections for the following aspects of Group Audits:
• Section 4.8 Auditing the consolidation process

• Section 5.4 Evaluating the work of component auditors
Page | 4
Audit Manual
Version 7 (2022)
Appendix 1: List of Mandatory Documents in Global Focus (MLP and PIE profiles)
AOCR Audit Optimiser confirmation report
405. Engagement - Acceptance/Continuance
415. -1 Terms of engagement (engagement letter) - signed
430. Overall audit strategy
436-GF Engagement team discussion
420. Materiality
FSA. Financial statement areas worksheet
525. Going concern - Identifying events and conditions
510. Identifying risks through understanding the entity
510-1 Use of Inflo Cascade module*
511-GF Understanding the IT Environment
523 Worksheet - Understanding Accounting Estimates
523-1 Worksheet - Understanding Complex Accounting Estimates
530 Identifying risks through understanding the components of the entity’s system of
internal control
530-GF Understanding of General IT Controls
532. Control design/implementation
520E. Risk report
605. Responding to risk at the financial statement level
625. Going concern evaluation
645. Litigation, claims and non-compliance
650 Subsequent events
666 Related party transactions and disclosures
670. Use of journal entries**
670-I Testing of journals and other unusual transactions – Inflo**
670-M Testing of journals and other unusual transactions – Mindbridge**
335. Worksheet - Summary of identified misstatements
335-1. Worksheet - Summary of identified misstatements
304. Optimiser - Reporting checklist
305. Reporting checklist
520E. 7 Risk report - Risk addressed
320. Notes on significant audit decisions
330. Worksheet - Audit findings and matters for discussion
110. Final financial statements
340. Worksheet - Matters to be communicated to management and those charged with
governance
350. -1 Written representations (management representation letter)
310 Checklist - Audit completion
311 Independence declaration
* Mandatory only if using Inflo Cascade
** One of these three Forms must be used
Page | 5
Audit Manual
Version 7 (2022)
Appendix 2: List of Mandatory Documents in Global Focus (NCP profile)

ONEFORM Audit memo
AOCR Audit Optimiser confirmation report
415. -1 Terms of engagement (engagement letter) - signed
420. Materiality
FSA. Financial statement areas worksheet
510-1 Use of Inflo Cascade module*
666 Related party transactions and disclosures
670. Use of journal entries**
670-I Testing of journals and other unusual transactions – Inflo**
670-M Testing of journals and other unusual transactions – Mindbridge**
330. Worksheet - Audit findings and matters for discussion
110. Final financial statements
350. -1 Written representations (management representation letter)
311 Independence declaration
* Mandatory only if using Inflo Cascade
** One of these three Forms must be used
Page | 6
Audit Manual
Version 7 (2022)
Section 2: Preliminary Activities
Introduction
Preliminary
Reporting
Activities
Global
Focus
Risk
Evaluate
Assessment
and
and
Conclude
Planning
Respond to
Risk
Page | 7
Audit Manual
Version 7 (2022)
Contents
2.1.1 Introduction
2.1.2 Client acceptance and continuance
2.1.3 Agreement with management
2.1.4 Assigning engagement teams
2.1.5 Selecting an engagement profile in Global Focus
2.1.6 When is it appropriate to use the Non-Complex Profile (NCP)?
2.1.7 Use of OneForm in Non-Complex Profile (NCP)
2.1.8 Group Audit Considerations
Objective The objective of the auditor is to:
• Accept or continue an audit engagement only when the

basis upon which it is to be performed has been agreed,
through:
(a) Establishing whether the preconditions of an audit
are present
(b) Confirming that there is a common understanding
between the audit and management, and where
appropriate, those charged with governance of the
terms of the audit engagement (ISA 210.3)
• Implement quality control procedures at the
engagement level that provide the auditor with
reasonable assurance that:
(a) The audit complies with professional standards and
applicable legal and regulatory requirements
(b) The auditor’s report issued is appropriate in the
circumstances (ISA 220.6)
Relevant ISA • ISA 210 Agreeing the terms of audit engagements

• ISA 220 Quality control for an audit of financial
statements
• ISA 600 Special Considerations – Audits of Group
Financial Statements (Including the Work of Component
Auditors)
Additional local standards
Global Focus software Form 405 Engagement – Acceptance/Continuance

Form 408 Initial Audit Engagement – Opening balances
Placeholder 415-1 Terms of engagement (engagement letter) –
signed
Form 5000-1 Group Audit Program
Policy requirements
(if any)
Page | 8
Audit Manual
Version 7 (2022)
2.1.1 Introduction
Performing preliminary engagement activities enables the auditor to identify events or

circumstances that may adversely affect their ability to plan and perform the audit engagement,
to ensure that:
• The engagement team maintains independence and ability to perform the engagement
• There are no issues with management integrity that may affect the engagement team’s
willingness to continue the engagement
• There is no misunderstanding with the client as to the terms of the engagement.
The auditor follows the member firm’s processes and procedures for client acceptance and
continuance, for agreeing the terms of engagements and issuing appropriate terms of
engagement in the member firm’s format, including appropriate legal terms and conditions.
The documentation of preliminary activities is included in the planning section of the Global
Focus file, including the following:
2.1.2 Client acceptance and continuance

Audit engagements may only be accepted when the auditor considers whether ethical
requirements such as independence and professional competence will be satisfied, and when
the engagement exhibits certain characteristics, including establishing that certain
preconditions for an audit are present. To establish whether the preconditions for an audit are
present, the auditor determines whether the financial reporting framework to be applied in the
preparation of the financial statements is acceptable.
If the preconditions for an audit are not present, unless required by law or regulation to do so,
the auditor shall not accept the proposed audit engagement:
• If they have determined that the financial reporting framework to be applied in the
preparation of the financial statements is unacceptable.
• If the agreement of management and, where appropriate, those charged with
governance, that it acknowledges and understands it responsibilities as set out in ISA
210.6 (see Section 1.3) has not been obtained.
Performing initial acceptance procedures at the beginning of the current audit engagement
means that such procedures are completed prior to agreeing the terms of the audit engagement
in writing and prior to performing other significant activities. For continuing audit engagements,
it may be effective and efficient to perform such initial procedures shortly after (or in connection
with) the completion of the previous audit.
Page | 9
Audit Manual
Version 7 (2022)
Limitation on scope prior to audit engagement acceptance
If management or those charged with governance impose a limitation on the scope of the
auditor’s work in the terms of a proposed audit engagement such that the engagement team
believes the limitation will result in a disclaimer of opinion on the financial statements, the firm
shall not accept such a limited engagement as an audit engagement, unless required by law or
regulation to do so.
Engagement partner responsibilities
The engagement partner satisfies themselves that appropriate acceptance and continuance
procedures have been followed and determines that acceptance and continuance conclusions
are appropriate and have been documented.
If the engagement partner obtains information that would have caused the firm to decline the
audit engagement had that information been available earlier, the engagement partner is
required to communicate that information promptly to the firm, so that the firm and the
engagement partner can take the necessary action.
Information such as the following assists the engagement partner in determining whether the
conclusions reached regarding the acceptance and continuance of client relationships and
audit engagements are appropriate:
• The integrity of the principal owners, key management, and those charged with
governance which may include:
o The identity and business reputation of the principal owners, key management,
and those charged with its governance
o The nature of the entity’s operations, including its business practices
o Information concerning the attitude of the principal owners, key management,
and those charged with its governance towards such matters as aggressive
interpretation of accounting standards and the control environment
o Whether the entity is aggressively concerned with maintaining the firm’s fees as
low as possible
o Indications of an inappropriate limitation in the scope of work
o Indications that the entity might be involved in money laundering or other
criminal activities
o The reasons for the proposed appointment of the firm and, where applicable,
non-reappointment of the previous firm
o The identity and business reputation of related parties.
• Whether the engagement team is competent to perform the audit engagement and has
the necessary capabilities, including time and resources
• Whether the firm and the engagement team can comply with relevant ethical
requirements
• Significant matters that have arisen during the current or previous audit engagement,
and their implications for continuing the relationship. Significant matters to consider may
include significant findings from the audit and other specific matters communicated to
those charged with governance. Other considerations may include significant matters
related to the entity’s operations and business activities, such as an entity that may have
started to expand its business operations into an area the firm does not possess the
necessary expertise.
Page | 10
Audit Manual
Version 7 (2022)
2.1.3 Agreement of management

To establish whether the preconditions for an audit are present, the auditor obtains the
agreement of management and, where appropriate, those charged with governance that they
acknowledge and understand their responsibilities:
• For the preparation of the financial statements in accordance with the financial reporting
framework, including where relevant their fair presentation;
• For such internal control as management determines is necessary to enable the
preparation of financial statements that are free from material misstatement, whether
due to error or fraud; and
• To provide the auditor with:
o access to all information of which management is aware that is relevant to the
preparation of the financial statements such as records, documentation, and
others matters;
o additional information that the auditor may request from management for the
purpose of the audit; and
o unrestricted access to persons within the entity from whom the auditor
determines it necessary to obtain audit evidence. (ISA 210.6(b))
Preparation of the financial statements
Law or regulation may establish the responsibilities of management and, where appropriate,
those charged with governance in relation to financial reporting. An audit is conducted on the
premise that management and, where appropriate, those charged with governance have
acknowledged and understand their responsibilities. The preparation of financial statements
requires:
• The identification of the financial reporting framework in the context of any relevant law
or regulations
• The preparation of the financial statements in accordance with that framework
• The inclusion of an adequate description of that framework in the financial statements.
Internal control
Management maintains such internal control as they determine is necessary to enable the
preparation of financial statements that are free from material misstatement, whether due to
fraud or error. Where applicable, those charged with governance typically monitor the entity’s
internal control related to financial reporting. Internal control, no matter how effective, can
provide an entity with only reasonable assurance about achieving the entity’s financial reporting
objectives due to the inherent limitations of internal control.
Management determines what internal control is necessary to enable the preparation of the
financial statements. An entity’s internal control (in particular, its accounting systems) will reflect
the needs of management, the complexity of the business, the nature of the risks to which the
entity is subject, and relevant laws or regulation.
Management may also have additional responsibilities related to internal control. For example, in
some jurisdictions, management is responsible for assessing, and reporting on, the
effectiveness of the entity’s internal control over financial reporting.
Page | 11
Audit Manual
Version 7 (2022)
2.1.4 Assigning the engagement team

The engagement team includes all partners and staff performing the engagement, and any
individuals engaged by the firm who perform audit procedures on the engagement. The term
“engagement team” excludes the following, unless otherwise required by local law or regulation:
• An auditor’s external expert engaged by the firm or a network firm

• Individuals within the client’s internal audit function who provide direct assistance on an
audit engagement, in those jurisdictions where this is permitted
• An engagement quality control reviewer
Considering appropriate competence and capabilities
The engagement partner satisfies themselves that the engagement team, and any auditor’s
experts who are not part of the engagement team, collectively have the appropriate
competence and capabilities to:
• Perform the audit engagement in accordance with professional standards and

applicable regulatory requirements; and
• Enable an auditor’s report that is appropriate in the circumstances to be issued.
Competence means having the knowledge and skills necessary to accomplish tasks that define
the individual’s job and may be developed through:
• Professional education
• Continuing professional development, including training
• Work experience
• Coaching by more experienced staff or other members of the engagement team.
When considering the appropriate competence and capabilities expected of the engagement
team as a whole, the engagement partner may consider matters such as the team’s:
• Understanding and practical experience of similar audit engagements and industries

• Understanding of professional standards and applicable legal and regulatory
requirements
• Technical expertise, including expertise with relevant information technology
• Ability to apply professional judgment
Other factors that may be relevant include the size and complexity of the engagement and the
availability of staff, as well as supervision and review, to conduct the audit within a reasonable
period of time.
2.1.5 Selecting an engagement profile in Global Focus

The Global Focus template includes the following three engagement profiles:
Medium-Large Entities (“MLP”)
This profile provides an audit template for the audit of general-purpose financial statements or
special purposes financial statements for entities that are not public interest entities.
The MLP is the default audit profile in Global Focus.
Page | 12
Audit Manual
Version 7 (2022)
Public Interest Entities (“PIE”)
This profile is used for the audit of general-purpose financial statements for Public Interest
Entities (“PIEs”), as defined by the IESBA Code of Ethics (“the Code”), i.e.:
a) A listed entity*; or
b) An entity:
i) Defined by regulation or legislation as a public interest entity; or
ii) For which the audit is required by regulation or legislation to be conducted in
compliance with the same independence requirements that apply to the audit of
listed entities. Such regulation might be promulgated by any relevant regulator,
including an audit regulator.
*A listed entity is defined in the Code and in the ISA Glossary as an entity whose shares, stock
or debt are quoted or listed on a recognized stock exchange, or are marketed under the
regulations of a recognized stock exchange or other equivalent body.
Other entities might also be considered to be public interest entities, as set out in paragraph
400.8 of the Code. This includes any other entities designated as a PIE in a firm’s jurisdiction or
to be treated as PIEs by the firm’s own internal procedures.
The PIE profile is based on the MLP profile and has been enhanced to address the additional
requirements of the audit of a Public-Interest Entity. It also contains all additional ISA
requirements for listed entities.
The PIE profile should be used for all PIE audits AND any other entities that have securities listed
in such a way, or are listed on such an exchange, that they do not meet the definition of a listed
entity noted above.
Non-Complex Profile (“NCP”)
The NCP profile requires the use of the CaseWare OneForm for documentation of planning,
certain risk responses and completion. The NCP profile may only be deployed where the auditor
considers the entity under review to be “non-complex” and has documented their rationale in
reaching this assessment.
Differences between the MLP profile and the NCP profile
The main difference between the MLP (“default”) profile and the NCP profile is the following list
of specialised documents which appear in the default profile, but which are covered by the
single OneForm document in the NCP profile:
Planning
405 Client acceptance
415 Terms of Engagement
A1.4 Hiring an external audit expert
416 Worksheet – Provisions, estimates, allowances and accruals
428 Selecting an Auditor’s Expert
430 Overall audit strategy
436-GF Engagement team discussion
455 Risk assessment procedures
437 Fraud scenarios
506 Identifying fraud risk
511-GF Understanding the IT environment
Page | 13
Audit Manual
Version 7 (2022)
443 Understanding and evaluation of a service organisation

444 Understanding and evaluation of the internal audit function
510 Identifying risks through understanding the entity
501-1 Analytical review – Balances – Preliminary
523 Understanding Accounting Estimates
523-1 Understanding Complex Accounting Estimates
523-2 Outcome of Prior Year Accounting Estimates
530 Identifying risks through understanding the components of the entity’s system of
internal control
530- GF Understanding of General IT Controls
532 Control design/implementation
565 Control implementation – Business process controls
520E Risk report
Risk response
605 Responding to risk at the financial statements level
509 Notes on meetings with management and others
525 Going concern – identifying conditions and events
625 Going Concern evaluation
645 Litigation, claims and non-compliance
Completion
335 Summary of identified misstatements
620 Evaluating the work of an auditor’s expert
301 EQCR checklist
5000-12 Consolidation completion
520E.7 Risk report – Risks addressed
320 Notes on significant audit decisions
340 Matters to be communicated to TCWG
365 Management letter
350 Written representations
650 Subsequent events
310 Audit completion checklist
304 Optimiser – Reporting checklist
305 Reporting checklist
665-1 Analytical review – Balances - Final
2.1.6 When is it appropriate to use the Non-Complex Profile (NCP)?

The NCP profile may only be deployed where the auditor considers the entity to be “non-
complex” and documents their rationale in reaching this assessment. In determining whether
the NCP profile is to be deployed on an audit engagement, the auditor considers (and
documents their consideration of):
i. Factors presumed to indicate non-complexity, and

ii. Factors presumed to indicate complexity
Factors presumed to indicate non-complexity
When deciding whether an entity is “non-complex” auditors may consider qualitative

characteristics such as:
Page | 14
Audit Manual
Version 7 (2022)
a) Concentration of ownership and management in a small number of individuals (often a

single individual - either a natural person or another enterprise that owns the entity
provided the owner exhibits the relevant qualitative characteristics); and
b) One or more of the following:
• Straightforward or uncomplicated transactions;
• Simple record-keeping;
• Few lines of business and few products within business lines;
• Simpler systems of internal controls;
• Few levels of management with responsibility for a broad range of controls; or
• Few personnel, many having a wide range of duties.
Factors presumed to indicate complexity
• Public Interest Entity (“PIE”) or Listed Entity

• The auditor plans to:
o undertake extensive controls testing
o use a large number of detailed schedules/checklists from the default
MLP Profile (contained in the Document Library)
2.1.7 Use of OneForm in Non-Complex Profile (NCP)

The NCP profile in Global Focus is founded upon the CaseWare OneForm, which allows
Planning, certain Risk Responses and Completion to be undertaken in a single memo instead of
in a series of specialised documents. Following the OneForm approach enables an experienced
auditor to comply with the requirements of the ISAs.
The use of the OneForm document in the Global Focus template is mandatory for those
engagements which deploy the NCP profile, in accordance with section 1.4 of the Audit Manual.
In unusual circumstances, the OneForm may be replaced by other documents, but only where
the member firm can clearly demonstrate that the locally developed document meets all the
requirements of ISAs.
In each section of the OneForm, the auditor is reminded that more specific documents, as listed
above, may be used as necessary and are available in the Document Library. Any of these
documents can be brought into the audit file to supplement the OneForm where the auditor
considers it necessary to enhance documentation. Where done, this is indicated within the
OneForm by marking the relevant checkbox:
Note that marking a checkbox does not, in itself, bring the corresponding document into the
audit file – users must do this manually within the Document Library.
It follows that, if a large number of these detailed forms are regularly being added to an NCP
engagement, this may indicate that it may be more appropriate to use the default MLP profile,
and the auditor reconsiders whether the use of the NCP profile is appropriate.
Page | 15
Audit Manual
Version 7 (2022)

Introduction
Terms of engagement for the group audit are agreed in addition to those in respect of the audit
of the parent entity’s own financial statements and of any components of the group.
Client acceptance and continuance

In addition to client acceptance and continuance procedures performed on a standalone entity
audit, the group engagement partner satisfies themselves that sufficient appropriate audit
evidence can reasonably be expected to be obtained in relation to the consolidation process
and the financial information of the components on which to base the group audit opinion. To
achieve this, the group audit team obtains an initial understanding of the group, its components
and their environment that is sufficient to identify those components that are likely to be
significant to the group. Where component auditors will perform work on the financial
information of such components, the group engagement partner evaluates whether the group
engagement team will be able to be sufficiently involved in the work of those component
auditors.
If the group engagement partner concludes that it will not be possible to obtain sufficient
appropriate audit evidence due to restrictions imposed by group management and the possible
effect of this will result in a disclaimer of opinion on the group financial statements, the group
engagement partner either:
a) Does not accept the engagement (new engagements) or withdraws from the
engagement (continuing engagements); or
b) Where law or regulation prohibit declining the engagement or withdrawal is otherwise
not possible, disclaims an opinion on the group financial statements.
Documenting group audit considerations
The group audit considerations relating to preliminary activities are documented in Form
5000-1.
Page | 16
Audit Manual
Version 7 (2022)
Section 3: Risk Assessment and Planning
Introduction
Preliminary
Reporting
Activities
Global
Focus
Risk
Evaluate
Assessment
and
and
Conclude
Planning
Respond to
Risk
Page | 17
Audit Manual
Version 7 (2022)
3.1 Risk assessment and planning procedures
Contents
3.1.1 Introduction
3.1.2 Planning activities
3.1.3 Establishing an overall audit strategy
3.1.4 Developing an audit plan
3.1.5 Changes to the audit plan during the audit
3.1.6 Risk assessment procedures
3.1.7 Information from client acceptance or continuance, previous audits or other sources
3.1.8 Discussion among the engagement team (including consideration of fraud)
Objective The objective of the auditor is to plan the audit so that it will be
performed in an effective manner. (ISA 300.4)
The objective of the auditor is to identify and assess the risks of

material misstatement, whether due to fraud or error, at the
financial statement and assertion levels thereby providing a
basis for designing and implementing responses to the assessed
risks of material misstatement. (ISA 315.11)
Relevant ISA • ISA 240 The auditor’s responsibilities relating to fraud in

the audit of financial statements
• ISA 300 Planning an audit of financial statements
• ISA 315 Identifying and Assessing the Risks of Material
Misstatement
• ISA 550 Related parties
Auditors)
Global Focus software Form 419 Assessment of Entity Level Client Risk
Form 430 Overall audit strategy
Form 436-GF Engagement team discussion
Form 437 Worksheet - Fraud scenarios
Form 455 Preparing the risk assessment procedures
Form 501 Analytical procedures – preliminary
Form 506 Worksheet – Identifying fraud risks
Form 510 Identifying risks through understanding the entity
Form 5000-2 Group Audit – Overall Strategy
Policy requirements
(if any)
Page | 18
Audit Manual
Version 7 (2022)
3.1.1 Introduction
Risk assessment procedures are performed to identify and assess the risks of material
misstatement by obtaining an understanding of the entity and its environment, including its
internal control.
Planning the audit involves establishing the overall audit strategy and developing an audit plan
and includes, among other things, considering the timing and performance of risk assessment
procedures and related activities as well as the planned responses to the assessed risks. The
overall audit strategy and audit plan are not necessarily discrete or sequential processes but are
closely inter-related, since changes in one may result in consequential changes to the other.
3.1.2 Planning activities

The nature and extent of planning activities will vary based on the size and complexity of the
entity, the key engagement team members’ previous experience with the entity, and changes in
circumstances that occur during the audit. Involving the engagement partner and other key
members of the engagement team draws on their experience and insight to enhance the
effectiveness and efficiency of the planning process.
Planning procedures assist the auditor in giving appropriate attention to important areas,
determining locations or components to perform audit procedures, resolving potential problems,
assigning members of the engagement team with appropriate competence and capabilities,
appropriately directing, supervising, and reviewing work performed, and coordinating other
areas of the audit. This may include, for example, appropriate and timely involvement of
individuals with specialised skill or knowledge, auditor’s experts, and component auditors.
Performing preliminary activities, such as client acceptance and continuance, evaluating

compliance with ethical requirements, and establishing an understanding of the terms of the
engagement, assists in planning the audit. (See Section 2 of the Audit Manual).
The engagement team is required to communicate an overview of the planned scope and timing
of the audit with those charged with governance. Although the engagement team may discuss
elements of planning with management (for example, to coordinate the timing of planned audit
procedures and the documents to be provided to the engagement team), it is essential not to
compromise the effectiveness of the audit by, for example, discussing detailed audit
procedures, which may make audit procedures too predictable.
3.1.3 Establishing an overall audit strategy

The auditor is responsible for establishing and documenting an overall audit strategy that sets
the scope, timing and direction of the audit, and that guides development of the audit plan. In
establishing the overall strategy, the auditor:
• defines the scope of the engagement.

• ascertains the reporting objectives of the engagement to plan the timing of the audit and
the nature of the communications required.
• considers the factors that are significant in directing the engagement team’s efforts.
• considers the results of preliminary engagement activities and, where applicable,
whether knowledge gained on other engagements performed by the engagement
partner for the entity is relevant.
Page | 19
Audit Manual
Version 7 (2022)
• determines the nature, timing and extent of resources necessary to perform the
engagement.
Establishing the overall audit strategy assists the engagement team to determine the type of
resources to deploy or the amount of resources to allocate to specific audit areas (for example,
the use of appropriately experienced team members and the involvement of experts, as
necessary), how such resources are managed, directed and supervised, and the related timing
of audit procedures and reviews of work performed.
The Appendix to ISA 300 includes examples of matters the engagement team may consider in
establishing the overall audit strategy.
How is this addressed in Global Focus?

The auditor documents the overall audit strategy in Form 430.
3.1.4 Developing an audit plan

The auditor is required to develop and document an audit plan that includes description of:
• The nature, timing and extent of planned risk assessment procedures;

• The nature, timing and extent of planned further audit procedures at the assertion level;
and
• Other planned audit procedures to ensure compliance with the ISAs.
The audit plan is more detailed than the overall audit strategy and includes the nature, timing
and extent of audit procedures to be performed. Planning the audit includes planning risk
assessment procedures, overall responses to address the assessed risks of material
misstatement at the financial statement level, and further audit procedures that are based on
and are responsive to the assessed risks of material misstatement at the assertion level.

The auditor documents planned risk assessment procedures in Form 455 and responses to
assessed risks are summarised in Form FSA. Planned further audit procedures are documented
in work programs for each area subject to audit identified in the FSA.
3.1.5 Changes to the audit plan during the audit

The auditor is required to update and change the overall audit strategy and audit plan as
necessary during the audit, documenting any significant changes and the reasons for such
changes.
Changes to the overall audit strategy or the audit plan may be necessary when information
comes to the engagement team’s attention that differs significantly from the information
available when the engagement team planned the audit procedures. For example:
• Audit evidence obtained through substantive procedures may contradict the audit
evidence obtained through tests of controls
• Audit evidence obtained through tests of controls does not support the planned control
reliance
• Significant changes have occurred in relevant industry, regulatory environment or other
external factors
• Information comes to the engagement team’s attention that would have caused them to
have determined a different materiality amount (or amounts)
Page | 20
Audit Manual
Version 7 (2022)
The engagement team is also required to determine whether the overall audit strategy and audit
plan need to be revised if
a) the nature of identified misstatements and the circumstances of their occurrence

indicate that other misstatements may exist that could be material (when aggregated
with the accumulated misstatements);
b) the aggregate of misstatements accumulated during the audit
• approaches materiality;
• changes a profit to a loss (or vice versa);
• changes net assets to net liabilities (or vice versa); or
• impacts the entity’s compliance with loan covenants.

The auditor documents any changes to the audit plan in Form 455 and changes to the planned
audit procedures in the relevant section of the audit file.
3.1.6 Risk assessment procedures

The auditor is required to perform risk assessment procedures to provide a basis for the
identification and assessment of risks of material misstatement at the financial statement and
assertion levels, including procedures to obtain information for use in identifying the risk of
material misstatement due to fraud.
Risk assessment procedures shall include the following procedures performed in the course of
obtaining an understanding of the entity and its environment, including its internal control:
• Inquiries of management, of appropriate individuals within the internal audit function (if
the function exists), and of others within the entity who in the engagement team’s
judgment may have information that is likely to assist in identifying risks of material
misstatement due to fraud or error;
• Analytical procedures; and
• Observation and inspection.
The engagement team is not required to perform all of these procedures for each aspect of
such understanding, except that inquiry alone is not sufficient to obtain audit evidence about the
design and implementation of relevant controls.
The form and extent of documentation of risk assessment procedures is influenced by the:
• Nature, size and complexity of the entity, its business processes relevant to financial
reporting, and its controls; for example, documentation for uncomplicated business
processes may be simple in form and relatively brief.
• Availability of information from the entity.
• Experience and capabilities of members of the engagement team; for example, less
experienced members may need more detailed documentation to direct them.
For recurring audits, certain documentation may be carried forward and updated, as necessary,
to reflect changes in the entity and its environment, including its internal control.
Page | 21
Audit Manual
Version 7 (2022)
Required risk assessment procedures
Inquiries
Specific inquiries are required of management, those charged with governance, the internal
audit function (if the function exists), or others within the entity in the following areas:
• Fraud
• Laws and regulations
• Litigation and claims
• Accounting estimates
• Related parties
• Going concern
The engagement team is required to inquire of others within the entity who in the engagement
team’s judgment may have information that is likely to assist in identifying risks of material
misstatement due to fraud or error. The engagement team may also obtain information, or a
different perspective in identifying risks of material misstatement, through inquiries of others
within the entity including:
• Those charged with governance – may help the engagement team understand the
environment in which the financial statements are prepared, in addition to obtaining
information through required communications and required inquiries about fraud
• Employees involved in initiating, processing or recording complex or unusual
transactions – may help the engagement team to evaluate the appropriateness of the
selection and application of certain accounting policies
• In-house legal counsel – may provide, in addition to information obtained through
required inquiries about litigation and claims, information about such matters as
compliance with laws and regulations, knowledge of fraud or suspected fraud affecting
the entity, warranties, post-sales obligations, arrangements (such as joint ventures) with
business partners, and the meaning of contract terms
• Marketing or sales personnel – may provide information about changes in the entity’s
marketing strategies, sales trends, or contractual arrangements with its customers
• Risk management or similar function – may provide information about operational and
regulatory risks that may affect financial reporting
• Information technology personnel – may provide information about system or program
changes and failures.

The auditor’s inquiries of management and others are documented in Form 506 – Worksheet –
Identifying fraud risks.
Risk assessment analytical procedures
Risk assessment analytical procedures may identify aspects of the entity of which the
engagement team was unaware and may assist in identifying and assessing the risks of material
misstatement, including the existence of unusual transactions or events, and amounts, ratios,
and trends.
Risk assessment analytical procedures may vary based on the size, nature, and complexity of
the entity. Understanding how management and others measure and review the entity’s
Page | 22
Audit Manual
Version 7 (2022)
financial performance may assist the engagement team in understanding what management
and external parties regard as important. The engagement team may use and consider the
entity’s performance measures as a starting point for purposes of performing risk assessment
analytical procedures. Such analytical procedures may use interim or monthly financial
information and may include both financial and non-financial information, such as the
relationship between sales and square footage of selling space or volume of goods sold.
Comparisons of data and ratios is often more informative when performed for a number of years
rather than simply compared to the equivalent in the prior period only, in order to establish
longer term trends and norms. However, even this more extensive analysis still takes into
account the auditor’s expectations of the current period’s performance, factoring in the auditor’s
updated knowledge of the entity.
Considerations specific to less complex entities
Some less complex entities may not have interim or monthly financial information that can be
used for purposes of performing risk assessment analytical procedures. The engagement team
may be able to perform either limited risk assessment analytical procedures for purposes of
planning the audit or obtain some information through inquiry, although the engagement team
may instead need to plan to perform risk assessment analytical procedures when an early draft
of the financial statements is available.

Risk assessment analytical procedures are documented in Form 501.
Observation and inspection
Observation and inspection may support (or contradict) responses to inquiries of management
and others and may also provide significant information about the entity and its environment,
including its internal control. Examples include observation or inspection of:
• the entity’s operations, premises, and plant facilities
• documents (such as business plans, strategies, and budgets), records, accounting
policy manuals, and internal control manuals
• reports prepared by management, such as quarterly management reports and interim
financial statements
• reports prepared by those charged with governance, such as minutes of board of
directors’ meetings.

The auditor’s inquiries of management and others are documented in Form 506 – Worksheet –
Identifying fraud risks.
3.1.7 Information from client acceptance or continuance, previous audits, and other
sources
The auditor is required to consider information from acceptance or continuance procedures,
other engagements performed by the engagement partner, information gained from risk
assessment procedures and previous audits when identifying risks of material misstatement,
including those due to fraud.
The engagement team’s previous experience with the entity and audit procedures performed in
previous audits may provide the engagement team with information about such matters as:
Page | 23
Audit Manual
Version 7 (2022)
• past misstatements and whether they were corrected on a timely basis

• the nature of the entity and its environment, and the entity’s internal control (including
internal control deficiencies)
• significant changes that the entity or its operations may have undergone since the prior
financial period.
• types of transactions and other events or account balances (and related disclosures)
where the engagement team experienced difficulty, for example due to their complexity.
3.1.8 Discussion among the engagement team (including consideration of fraud)

The engagement partner and key engagement team members are required to discuss the
susceptibility of the financial statements to material misstatement, and the application of the
applicable accounting framework to the entity’s facts and circumstances. The discussion, which
is to be documented, is required to:
• place particular emphasis of how and where the financial statements may be misstated
due to fraud,
• consider the susceptibility of the financial statements to misstatement resulting from
related party transactions
• set aside any beliefs that management and those charge with governance are honest
and have integrity.
The engagement team discussion provides an opportunity for more experienced engagement
team members, including the engagement partner, to share their insights based on their
knowledge of the entity, including their insights about how and where the financial statements
may be susceptible to material misstatement due to fraud. This may include how related parties
may be involved in fraud (for example, using special-purpose entities to facilitate earnings
management or facilitating misappropriation of assets with a known business partner) and the
circumstances (for example, complex organisational structures, use of special-purpose entities
for off-balance sheet transactions, or an inadequate information system) that may indicate the
existence of related party relationships or transactions that management has not identified or
disclosed.
It also allows for discussion of:
• the importance of exercising professional skepticism throughout the audit regarding the
potential for material misstatement due to fraud or associated with related party
relationships and transactions
• business risks relevant to the entity
• disclosure requirements of the applicable financial reporting framework
• the appropriate response to the fraud risks and to determine which members of the
engagement team will conduct certain audit procedures
• the potential for material misstatement of the financial statements in the specific areas
assigned to individual team members
It is not always necessary or practical for the discussion to include all engagement team
members in a single discussion (as, for example, in an audit of an entity with multiple locations
or components). Taking into account the extent of communication considered necessary
throughout the engagement team, the engagement partner may discuss matters with key
engagement team members and, as considered appropriate, delegate the discussion or
communication with other engagement team members. Depending on the circumstances, key
Page | 24
Audit Manual
Version 7 (2022)
engagement team members may include, for example, individuals with specialised skills or
knowledge, internal experts, and engagement team members responsible for the audits of
components.
Although not part of the engagement team, the engagement quality control reviewer may attend
the discussion among the engagement team.

The engagement team discussion is documented in Form 436-GF (Engagement team
discussion) and Form 437 (Fraud scenarios).

Introduction
Risk assessment procedures are performed to identify and assess the risks of material
misstatement by obtaining an understanding of the entity and its environment, including its
internal control.
Planning the group audit involves establishing the overall group audit strategy and developing a
group audit plan and includes, among other things, considering the timing and performance of
risk assessment procedures and related activities as well as the planned responses to the
assessed risks. The overall group audit strategy and group audit plan are not necessarily
discrete or sequential processes but are closely inter-related, since changes in one may result
in consequential changes to the other.
Planning activities
The nature and extent of planning activities will vary based on the size and complexity of the
group, the key group engagement team members’ previous experience with the group, and
changes in circumstances that occur during the audit. Involving the group engagement partner
and other key members of the group engagement team draws on their experience and insight to
enhance the effectiveness and efficiency of the planning process.
Establishing an overall audit strategy
The group auditor is responsible for establishing and documenting an overall group audit
strategy that sets the scope, timing and direction of the group audit, and that guides
development of the group audit plan. The additional group audit considerations relating to
establishing the overall audit strategy are set out in the table below:
Standalone entity audit Additional group audit considerations
Defines the scope of the Audit scope is defined for each component in the
engagement. group. This is a choice between:
a) Full scope audit
b) Specific audit procedures on an area of the

component financial statements considered to
be of particular risk and/or materiality
Page | 25
Audit Manual
Version 7 (2022)
Standalone entity audit Additional group audit considerations
c) Specific audit procedures in response to an

identified significant risk within a component
d) Analytical procedures at group level
Ascertains the reporting objectives The reporting objectives of the group auditor in
of the engagement to plan the timing respect of the consolidated financial statements may
of the audit and the nature of the be in addition to those relating to the parent holding
communications required. company’s individual financial statements.
Communications are planned between the group

auditor and any component auditors, including the
nature, scope and timing of reporting from component
auditors to the group auditor.
Considers the factors that are Whether or not to use the work of component auditors
significant in directing the will have a significant impact on directing the group
engagement team’s efforts. engagement team’s efforts.
Considers the results of preliminary The results of preliminary activities performed by

engagement activities and, where component auditors is reviewed as part of the group
applicable, whether knowledge engagement partner’s consideration of group audit
gained on other engagements acceptance and continuance.
performed by the engagement
partner for the entity is relevant.
Determines the nature, timing and The extent to which the group engagement team
extent of resources necessary to intends to perform audit work on the components, or
perform the engagement. to review the work of component auditors will have a
significant impact on the resources necessary to
perform the group audit.

The auditor documents their overall audit strategy for the Group Audit in Form 5000-2 (Group
Audit – Overall Strategy).
Page | 26
Audit Manual
Version 7 (2022)
3.2 Materiality
Contents
3.2.1 Introduction
3.2.2 Materiality levels to be determined
3.2.3 Overall materiality for the financial statements as a whole
3.2.3.1 Qualitative considerations
3.2.4 Specific materiality for particular classes of transactions, account balances and
disclosures
3.2.5 Performance materiality
3.2.6 Clearly trivial threshold
3.2.7 Revision of materiality as the audit progresses
3.2.9 Determining component materiality in a group audit
Objective The objective of the auditor is to apply the concept of materiality

appropriately in planning and performing the audit. (ISA 320.8)
Relevant ISA • ISA 320 Materiality in planning and performing an audit

Misstatement
• ISA 450 Evaluation of misstatements identified during
the audit
• ISA 600 Special Considerations - Audits of Group
Financial Statements (including the work of component
auditors)
Global Focus software Form 419 Assessment of Entity Level Client Risk
Form 420 Materiality
Form FSA Financial Statement Areas
Form 310 Audit Completion
Form 335 Summary of Identified Misstatements
Policy requirements 1. The benchmark percentages applied by the auditor are

(if any) not to exceed the ranges set out in 3.2.3 (Determining
the appropriate percentage to apply to the benchmark)
other than in very exceptional circumstances.
2. The clearly trivial threshold of 5% is not to be exceeded.
Auditors may select a threshold below 5% if appropriate.
Group audits:
1. Component materiality may not be set higher than that
which would be determined using the MACM method
(see 3.2.9).
Page | 27
Audit Manual
Version 7 (2022)
3.2.1 Introduction
The concept of materiality recognises that some matters, either individually or in aggregate, are
important to users making economic decisions based on financial statements (see the IASB’s
Framework for the Preparation and Fair Presentation of Financial Statements for further
discussion on the concept of materiality). Materiality is applied by the auditor in risk assessment
and performing the audit, and in evaluating the effect of unidentified misstatements on the audit
and of uncorrected misstatements, if any, on the financial statements and in forming the opinion
on the auditor’s report. Materiality judgments provide a basis for the auditor to:
• determine the nature, timing and extent of risk assessment procedures

• identify and assess risks of material misstatement, and
• determine the nature timing and extent of procedures in responding to risks.
The materiality determined when planning the audit does not necessarily establish an amount
below which uncorrected misstatements, individually or in the aggregate, will always be
evaluated as immaterial. The circumstances related to some misstatements may cause the
auditor to evaluate them as material even if they are below materiality. The auditor considers not
only the size but also the nature of uncorrected misstatements, the particular circumstances of
their occurrence and the impact on users, when evaluating the effect on the financial
statements.
The auditor’s determination of materiality is not a simple mechanical calculation and involves the
exercise of professional judgment and is affected by the auditor’s perception of the financial
information needs of users of the financial statements. In this context, it is reasonable for the
auditor to assume that users:
• have a reasonable knowledge of business and economic activities and

accounting and a willingness to study the information in the financial statements
with reasonable diligence;
• understand that financial statements are prepared, presented and audited to
levels of materiality;
• recognise the uncertainties inherent in the measurement of amounts based on
the use of estimates, judgment and the consideration of future events; and
• make reasonable economic decisions on the basis of the information in the
financial statements. (ISA 320.4)
3.2.2 Materiality levels to be determined

In planning the audit, the auditor makes judgments about the size of misstatements that will be
considered material. In this light, the auditor:
• determines the following materiality levels and
• documents the amounts and factors considered in their determination
Page | 28
Audit Manual
Version 7 (2022)
Materiality level Description

Overall materiality for the financial Overall materiality is based on what could reasonably be
statements as a whole expected to influence the economic decisions of users of
the financial statements / group financial statements.
Specific materiality (if applicable) A separate specific level of materiality is established for
for particular classes of each account balance, class of transactions or disclosure
transactions, account balances for which misstatements of lesser amounts than overall
and disclosures materiality could reasonably be expected to influence the
economic decisions of users (for example related party
transactions and Director’s remuneration). Specific
materiality must always be less than Overall Materiality.
Performance materiality Performance materiality enables an auditor to reduce to

an appropriately low level the probability that the
aggregate of uncorrected and undetected misstatements
exceeds overall materiality / specific materiality.
For both overall materiality and specific materiality,

performance materiality is set at a lower amount.
Performance materiality is determined as a percentage of

overall materiality / specific materiality according to our
understanding of the entity, the assessment of risks
identified during the planning phase, and misstatements
identified in previous periods.
Clearly trivial threshold The clearly trivial threshold is an amount below which
misstatements would not need to be accumulated
because the accumulation of such amounts clearly would
not have a material impact on the financial statements.
In Global Focus, the clearly trivial threshold is set at a

maximum of 5% of overall materiality.
The auditor also considers whether qualitative misstatements in financial statement disclosures
could be material to the identified users of the financial statements.
When is materiality determined?
Materiality is initially considered early in the planning phase as the determination of materiality
will impact the nature, timing and extent of risk assessment procedures. Materiality may be
determined after obtaining interim financial results and an initial meeting with the client. We will
then have a basic updated understanding of the main events that have taken place during the
year along with our understanding of the client based on past experience. Preliminary overall
materiality and performance materiality are determined prior to conducting our risk assessment
procedures, as it is important to have a concept of what is material when identifying and
assessing Risks of Material Misstatement (RMM).
Page | 29
Audit Manual
Version 7 (2022)
After performing risk assessment procedures, specific materiality for particular classes of
transactions, account balances and disclosures, and specific performance materiality are set
where required, along with any updates to overall materiality and performance materiality arising
from risk assessment procedures.
Overall and specific materiality is to be revised in the event of the auditor becoming aware of
information during the audit that would have led to the determination of a different amount (or
amounts) initially. Materiality is also revisited at the concluding stage of the audit when
assessing the impact of misstatements and other findings arising from the audit.
Process for determining materiality
Page | 30
Audit Manual
Version 7 (2022)
3.2.3 Overall materiality for the financial statements as a whole

Identifying the users of the financial statements
Through developing an understanding of the entity, the auditor determines who the primary
users, or stakeholders, of the financial statements are. Users may be, for example:
• Shareholders/owners
• Investors
• Directors
• Banks, lenders, and financial institutions
• Important customers or suppliers
• Regulators
It is through understanding the users of the financial statements that the auditor can form an
understanding of what could reasonably be expected to influence the economic decisions of
users of the financial statements. It is, therefore, essential to consider who the primary users are
and what their expectations are when determining overall materiality.
Considerations for public sector entities
In the case of public sector entities, legislators and regulators are often the primary users of the
financial statements. Furthermore, the financial statements may be used to make decisions
other than economic decisions. The determination of overall and specific materiality for public
sector entities may be influenced by law, regulator or other authority and by the financial
information needs of legislators and the public in relation to public sector programs.
Determining an appropriate benchmark for materiality

The auditor determines what they perceive to be the financial information needs of the primary
users of the financial statements. In doing so, an appropriate benchmark to use as a basis of
materiality can be identified. Profit before tax from continuing operations is often used as a
benchmark for profit-oriented entities. However, this may not be the case if profit from
continuing operations is volatile. There are a number of factors to consider when identifying an
appropriate benchmark, including:
• The elements of the financial statements (assets, liabilities, equity, revenue, expenses);
• Items which the attention of the primary users of the financial statements are focused
on;
• The nature of the entity, where the entity is in its life cycle, and the industry and
economic environment in which the entity operates;
• The entity’s ownership structure and the way it is financed; and
• The relative volatility of the benchmark.
Typically, it is not appropriate to use more than one benchmark when determining overall
materiality. While more than one benchmark may be important to users, the most important
benchmark should be selected and justified, hence the importance of identifying the primary
users.
The benchmarks available within the Global Focus software are:
• Profit before tax
Page | 31
Audit Manual
Version 7 (2022)
• Net Assets
• Total revenue/expenses
• Gross Assets
• Other
Although the benchmark selected may change from one year to the next, it would not be
appropriate for the benchmark to change frequently. The auditor only changes the benchmark
measure where the factors influencing the economic decisions of the users have changed
compared to the prior year. It is not appropriate to change the benchmark each year to reflect
changes in performance of the entity (e.g. fluctuations in profit levels).

Form 420 Section A. Overall Materiality.
This section provides for five typical benchmarks and allows for any others deemed appropriate
for your client. The comments box must be used to justify why you have selected the relevant
benchmark for materiality based on the information needs of the primary users and the
percentage applied.
In rare circumstances, depending on the nature of the business, it may be appropriate to use a
benchmark other than those available in the materiality work program in Global Focus. Any non-
standard benchmarks should be carefully considered and fully justified in the audit file.
For example, in a business where dividends are a function of cash flows and the main reason for
investment in the company is for the flow of dividends, it may be appropriate to base overall
materiality on cash flows, as this is the most important financial result for users of the financial
statements.
Examples
Example 1 – purpose of the financial statements influences the benchmark
Property Group Pty Ltd is a privately-owned full-service property group with three shareholders,
all involved in the day-to-day running of the business. It has operations in property development,
asset management, and property investment.
The external users are banks/financiers who are concerned with whether the entities in the
group have sufficient assets to cover their loans. The bank covenants, in particular, are
Page | 32
Audit Manual
Version 7 (2022)
concerned with Loan-Value-Ratios (fair values) and interest cover ratios relating to the results of
the relevant entity with the debt. No covenants are affected by the results of the group as a
whole. Therefore, the profit of the group is not a primary measure for external users. With
covenants restricted to measures of the relevant entity with debt, the auditor considered the
broader indicators of going concern and viability of the group to the banks and directors. As the
shareholders have access to the group’s financial information, it is privately held, and the
accounts are primarily prepared for the external debt holders to satisfy the terms of the
covenants, the external debt holders are considered the primary users.
Therefore, the auditor, in understanding the primary users, determined that the most important
measure is total assets supporting the debt covenants.
Conclusion
Total assets is an appropriate basis for the materiality calculation due to the business value and
the financing being tied to assets.
Example 2 – economic factors change the appropriate benchmark
A carpet manufacturer owned by a single family. The business is a profit-making entity, and as
such the primary users of the accounts, the family members (owners), typically focus on profit.
However, in recent years the change in fashion has seen a decline in the use of carpet. The
Board has made a conscious decision to try and retain its market share by reducing prices and
therefore profits, because the alternative of closing one of their manufacturing plants and losing
skilled staff would mean they could not scale back up quickly enough if fashion changes back.
The Board continue to review this year on year, but in the current year they remain focused on
revenue rather than profit as the most important measure of the business, and hence overall
materiality for the year will be based on revenue rather than profit.
Based on the most recent Board minutes, if the carpet market does not show signs of growth in
the next financial year the Board will close a plant and look to re-establish profitability at a lower
capacity going forward.
Conclusion
While this business is in principle a profit-oriented business and with a stakeholder group
typically focused on profit, in the current period that is not the focus of the primary users of the
accounts and hence revenue may be a more appropriate measure. This is an example of the
factors influencing the users changing, but typically the benchmark used will remain consistent
year on year absent other factors impacting the needs of the users of the accounts similar to
this example.
Example 3 – users of the financial statements drive the benchmark
A pastoral farming industry-based testing organisation is a company limited by guarantee and
the parent company is a not-for-profit company. There are no shareholders and no dividends,
therefore, profit before tax is not a primary focus of users. The primary users of the financial
statements are the directors and members. The company mission is to assist or promote the
development of pastoral farming resources in its home country, in particular, by providing
independent objective data and information services which will facilitate the efficient production,
marketing and processing of pastoral livestock.
The focus of primary users is ensuring the ongoing viability of the company through its strong
asset base – plant and equipment and its investment portfolio – to ensure the industry is
Page | 33
Audit Manual
Version 7 (2022)
supported with critical testing and industry-based information into the future. Therefore, the
profit of the company is not a primary focus of users and assets is deemed the most appropriate
benchmark for determining overall materiality.
Members are still interested in profit to a lesser degree as it has an effect on the performance of
the business and whether pricing structures will remain constant. As the company has a high
asset base when compared to annual net profit before tax, the auditor has determined that the
level of testing on the profit and loss statement would be at too high a level for primary users’
interests. The auditor has decided to assign specific materiality to the revenue accounts to
address this issue. Refer section on Specific Materiality for more discussion on this concept.
Example 4 – unusual benchmark reflective of the users and the business
A listed toll road company has made substantial investment to build the road. The results in the
early periods are significant losses, and this will reverse over the life of the concession on the
road, as the tolls increase and the depreciation of the road remains constant.
Investors in this entity are considered the primary users and are, in the view of the auditor,
focused on the distributions the entity can pay out each year which is based on its free cash
flow. Therefore, the appropriate benchmark is net cash inflow from the cash flow statement as
this supports the entity’s ability to pay distributions.
FAQs
Q. What materiality do we use where there is a large difference between Statement of Financial
Position/Balance Sheet and Statement of Comprehensive Income/Profit and Loss accounts, e.g.
large asset balances for employee benefit plans or Not for Profit entities?
A. There are businesses which often have a balance sheet and profit & loss focus and/or where
there is a large difference in the scale of balances on the Balance Sheet and the Profit & Loss
account. The auditor is required to determine a single overall materiality for the financial
statements as a whole., In such situations “blending” the outcome of the two materiality
measures is not appropriate as it leads to a materiality that is lower than may be appropriate for
assets and potentially higher than may be appropriate for the profit & loss statement. In this
situation the auditor determines materiality based on the primary financial statement with the
higher values and determines lower materiality for the other financial statement using the
concepts applied to specific materiality. For example, If the entity’s users are focused primarily
on the balance sheet, then the materiality benchmark selected relates to a balance sheet
measure and a specific materiality is established for the P&L items which is lower than overall
materiality.
Identifying the most appropriate data on which to base materiality

For the benchmark selected, the auditor needs to determine the most appropriate data on
which to base overall materiality which may be any of current year, normalised current year, or a
2-3-year average. The table below summarises each basis and when they should be used:
Page | 34
Audit Manual
Version 7 (2022)
Basis When to use

Current Year The default is to use the current year data for calculating
overall materiality. Where full year information is not
available, consider an extrapolated amount based on Year to
Date “YTD” results at the time of planning or management’s
full-year forecast results where management
budgets/forecasts are reasonably accurate and monitored.
Ensure that when using extrapolated balances that you take
into consideration seasonality of the business operations and
revisit materiality when final results are known. Where
appropriate current year information is not available at the
initial planning stage of the audit, it may be appropriate to
base materiality on prior year information – however,
materiality in this situation must be revisited when current
year financial information is available.
Normalised Current Year Use when there are unusual circumstances that give rise to
an exceptional decrease or increase in the chosen
benchmark (e.g. profit) in the current year. For example:
one-off impairment expense may be excluded from the profit
results for the purposes of determining materiality so as not
to understate materiality. In this situation, setting specific
materiality may be appropriate for the impairment expense in
its own right.
2-3 Year Average May be appropriate where the business is cyclical and using
a current-year basis would see materiality fluctuating
significantly year on year due to seasonality and cycles. For
example, cattle farming is subject to a longer business cycle
due to periods of calving, grazing and harvesting. Depending
on the size of a farm, profitability may not be stable year on
year and they may be subject to a multi-year business cycle.
Therefore, it may be appropriate to assess materiality on the
full business cycle over an average of the last 2-3 years,
rather than on the current year alone.
Note that it is expected that the use of an average of years
will be used in very rare circumstances. Downturns in
business are not valid reasons for averaging materiality over
a number of years’ results.

Page | 35
Audit Manual
Version 7 (2022)
This section provides for the current period and previous period data to be entered. If a 2-3-year
average is the most appropriate data for materiality, this must be shown in the comments box,
as there is no other relevant space for the calculation. The comments box must also be used to
justify why you have selected the relevant data for materiality based on the relevant
circumstances of your client.
Determining the appropriate percentage to apply to the chosen benchmark

Determining the percentage to be applied to a chosen benchmark involves the exercise of
professional judgment. There is a relationship between the percentage and chosen benchmark,
such that a percentage applied to profit before tax from continuing operations will normally be
higher than a percentage applied to total revenue. For example, the auditor may consider five
percent of profit before tax from continuing operations to be appropriate for a profit-oriented
entity in a manufacturing industry, while the auditor may consider one percent of total revenue
or total expenses to be appropriate for a not-for-profit entity. Higher or lower percentages may
be appropriate in the circumstances.
To assist auditors in exercising their judgment, Global Focus establishes the following ranges for
the most common benchmarks:
Benchmark Percentage
range
Profit before tax 3 - 10%
Net assets 1 - 5%
Total revenue / Total Expenses 0.5 - 2%
Gross assets 0.5 - 2%
NOTE: While the auditor may apply a percentage which is lower than the ranges set out in the
table above, the top of the range is not to be exceeded other than in very exceptional
circumstances.
Page | 36
Audit Manual
Version 7 (2022)
When selecting a measurement percentage, the percentage applied will typically be lower for
larger, more complex entities, particularly for Public Interest Entities and other listed entities with
numerous shareholders and potential users of the financial statements. For example, when total
revenues is the appropriate benchmark, the engagement team may select a percentage closer
to the bottom of the range for a larger PIE or listed entity, while a revenue benchmark
percentage closer to top of the range may be appropriate for a less complex, privately held
entity.
However, in all instances, a thorough understanding of the entity and the users of the financial
statements enables the auditor to exercise appropriate professional judgment to determine
overall materiality. In addition, specific materiality will be set at a lower level where there may be
particular stakeholder interest in the individual amounts or disclosures reported.
Considerations specific to public sector and not for profit entities
Within the materiality form in Global Focus, there is the option to select a not-for-profit entity.
This reduces the available benchmarks to ‘total revenue or expenses’ and other. The same
range as above would apply to total revenues/expenses for a not-for-profit entity (i.e. 0.5 – 2%).
When an entity’s profit before tax is consistently nominal, as might be the case for an owner
managed business where the owner takes much of the profit before tax in the form of
remuneration, a benchmark such as profit before remuneration and tax may be more
appropriate.
As for all entities, the expectations of stakeholders/users must be considered when setting
overall materiality for a less complex organisation. For certain less complex entities, such as
clubs, associations, less complex proprietary companies and simple not-for-profit entities, where
reporting risk is low due to the nature of the organisation, using the standardised approach in
Global Focus to calculate overall materiality may not be appropriate.
For example, where all balances are relatively small, the calculation based on the available
benchmarks may result in materiality being set at an inappropriately low level and,
consequently, almost all balances being selected for audit testing. In these circumstances, the
auditor may override the calculated amount to determine an amount for overall materiality at an
appropriate level to identify only those balances and transactions relevant to the users of the
financial statements. In this situation, the auditor documents their rationale for the overall
materiality amount they have determined.

Page | 37
Audit Manual
Version 7 (2022)
This section provides for the benchmark percentage applied. Again, the comments box must be
used to justify why you have selected the relevant percentage for your audit.
Once the preliminary materiality is determined based on the calculations provided, it is entered
into the Conclusions table in the program. The previous period materiality should also be noted.
Examples
Example 1
Property Group Pty Ltd is a privately-owned full-service property group with three shareholders,
all involved in the day-to-day running of the business. It has operations in property development,
asset management, and property investment. The external users are banks/financiers who are
concerned with the relevant entities in the group having sufficient assets to cover their loans.
Current year total assets has been deemed the appropriate benchmark for determining overall
materiality.
Conclusion
Given the entity is privately-owned with the shareholders involved in the day-to-day business
and that banks/financier covenants are more directly interested in the results of the specific
entity in the group that holds the asset securing the debt, there are no indications that the high
end of the % ranges is not appropriate. Therefore, 2% of gross assets has been used to
calculate materiality.
Page | 38
Audit Manual
Version 7 (2022)
Example 2
ABC food retailer operates in the highly competitive consumer grocery business. Margins are
extremely low but the business is focused on profits. The shareholders are the primary users of
the financial statements and are therefore focused on profit but are highly sensitive to
movements in profit, which is reflected in the share price of the entity. Any earnings
announcements with even small differences to the forecasts see significant changes in the
share price.
Conclusion
The auditor has therefore determined that 3% of profit from continuing operations is an
appropriate materiality benchmark.
3.2.3.1 Qualitative considerations

The auditor considers the nature of uncorrected misstatements as well as their size when
evaluating their effect on the financial statements. Further, the auditor identifies and considers
misstatements in qualitative disclosures as well as within classes of transactions, account
balances and quantitative disclosures.
When considering whether misstatements in qualitative disclosures could be material, the

auditor may identify relevant factors such as:
• The circumstances of the entity for the period (for example, the entity may have
undertaken a significant business combination during the period).
• The applicable financial reporting framework, including changes therein (for example, a
new financial reporting standard may require new qualitative disclosures that are
significant to the entity).
• Qualitative disclosures that are important to users of the financial statements because of
the nature of an entity (for example, liquidity risk disclosures may be important to users
of the financial statements for a financial institution).

Form 420 Section B. Possible misstatements in qualitative disclosures
3.2.4 Specific materiality for particular classes of transactions, account balances and
disclosures
There may be some situations where misstatements of amounts below overall materiality for
particular classes of transactions, account balances or disclosures could reasonably be
expected to influence the economic decisions of users. In considering whether it is necessary to
set a specific materiality below overall materiality for particular classes of transactions, account
balances or disclosures, it is often useful to obtain an understanding of the views and
expectations of those charged with governance and management.
Page | 39
Audit Manual
Version 7 (2022)
Factors to consider in determining whether specific materiality is required for particular classes
of transactions, account balances or disclosures include:
Factor Examples
Laws, regulations, Do laws, regulations or the applicable financial reporting framework
and accounting affect primary users’ expectations regarding the measurement or
framework disclosure of certain items? For example:
requirements
• Sensitive financial statement disclosures such as the
remuneration of management and those charged with
governance.
• Related-party transactions.
• Non-compliance with loan covenants, contractual
agreements, regulatory provisions, and statutory/regulatory
reporting requirements.
• Certain types of expenditures such as illegal payments or
executives’ expenses.
Industry disclosures • Reserves and exploration costs for a mining entity

• Research and development costs for a pharmaceutical or
technology entity.
Disclosure of Will the attention of primary users be focused on a particular aspect

significant events and of an entity’s business that is separately disclosed in the financial
important changes in statements? For example:
operations
• Newly acquired businesses or expansion of operations
• Discontinued operations
• Unusual events or contingencies (e.g., lawsuits)
• Introduction of new products and services.
The ability to select specific materiality will always be available, but is not always required – i.e.
just because a risk of material misstatement exists does not mean specific materiality is required
for the related balance/transaction/disclosure. For example, there is a rebuttable presumption of
significant risks in revenue, but as revenue is likely to be one of the largest numbers in the
financial statements, overall materiality will generally be appropriate.
Specific materiality is always set at an amount lower than overall materiality. However, there are
no specific guidelines as to how to determine specific materiality on selected items. The
question of what specific materiality value may be appropriate is a matter of professional
judgment. Some factors to consider in determining specific materiality may include:
• Specific requests made by primary users e.g. those charged with governance;
• Specific conditions that may be relevant to the balance, transaction, or disclosure – for
example, a supplier contract may provide for significant rebates that are complex to
calculate if sales are above a certain threshold, therefore, specific materiality may be set
with reference to these conditions;
• Consideration of the existing benchmark ranges – for example, where the profit and loss
account is wholly immaterial based on overall materiality set with reference to total or net
Page | 40
Audit Manual
Version 7 (2022)
assets, the existing Profit Before Tax range may be appropriate for particular profit and
loss items for which specific materiality is being determined;
• The auditor’s experience and discussions with relevant users in relation to the balance,
transaction, or disclosure; and
• Thresholds which may trigger certain consequences or results – for example, an amount
which may trigger a profit vs a loss.
Determination of specific performance materiality is also required in accordance with the

guidance on performance materiality below, but to be applied to the particular class of
transactions, account balance or disclosure item.
FAQs
Are there circumstances where specific materiality may be determined for revenues?
Determining specific materiality for revenues may be appropriate, such as where there is a new
revenue stream or a more risky revenue stream with low sales values. Examples may include
where commercialisation of a new product has recently commenced and sales in the current
period are vital to supporting the carrying amount of R&D by demonstrating that a market exists
and budgets/forecasts are achievable. In this situation specific materiality might be identified for
the new revenue stream, at a level lower than overall materiality which will be applied to the
financial statements as a whole (and therefore to the remainder of the revenues recorded).
Specific materiality may also be set for revenue when overall materiality is based upon an asset
measure, and the balance sheet is disproportionately large in comparison to the profit and loss
account, e.g.
• Property investment companies
• Entities where the sole or main source of income is investment income e.g. non-profit
charities and trusts, and pension schemes, especially those with few or no active
members making regular contributions.
Whilst revenue may not be material when compared to overall materiality, it is the key figure in a
primary statement, and as such, will usually receive a significant amount of attention from users
of the financial statements. Most auditors will therefore want to perform at least some audit work
on revenue (and other elements of the profit and loss account), and so a lower specific
materiality may be appropriate in such instances.

Form 420 Section C. Performance Materiality and Section D. Materiality for specific
circumstances
Page | 41
Audit Manual
Version 7 (2022)
The audit program addresses specific materiality in two ways. Where specific materiality relates
to classes of transactions or balances that exist in the Financial Statement Area (FSA)
categories, the second part of Section C. “Adjusted performance materiality levels” allows these
items to be linked directly to the FSA line items. The number entered in the space provided is
the specific performance materiality related to the selected line item. The comments box is used
to explain the basis for specific materiality, the benchmark, and the data used to calculate it.
Note that the program does not provide a section for the gross specific materiality to be entered
in a table for these FSA line items – it only provides for the discounted specific performance
materiality. Therefore, it is important that the value of the specific materiality is clearly
documented in the comments box. The discount factor to bring the specific materiality down to
specific performance materiality should be the same discount factor as identified in section
3.2.5 below. The specific performance materiality noted in this section is then populated in the
FSA in the drop-down area for that particular line item as shown below.
Section D. “Materiality for specific circumstances” provides for specific materiality to be

assessed on non-FSA line items. For example related party disclosures or a specific acquisition
transaction. Again, the comments box is used to explain the basis for the specific materiality,
Page | 42
Audit Manual
Version 7 (2022)
the benchmark, and data used to calculate it. The specific materiality amount is entered in
section D.
How might specific materiality for related party transactions be set?
There are three key factors to consider when setting a level for specific materiality in relation to
related party transactions:
a) Qualitative considerations – in the context of related party transactions, the auditor

considers the nature and frequency of the transaction, for example:
• A transaction with a director, particularly if made only to a single director, may be of

more interest to users of the financial statements where the shareholders are all
external (and thus merit a lower level of specific materiality), than where all
shareholders are also directors.
• Transactions of a more routine nature (remuneration, dividends etc) are likely to be
lower risk and of less interest to users than unusual transactions and/or those
outside the normal course of business.
• Transactions with a single shareholder may be of particular interest.
b) Financial reporting framework – if the financial reporting framework specifies that

materiality to the related party must also be considered, specific materiality for related
party transactions is likely to have to be set much lower than would otherwise be the
case. In such a scenario, possible approaches may include:
• setting specific materiality as a percentage of the average director’s salary; or

• using a “third party test” to gauge an appropriate level of specific materiality,
although this may be difficult to do in practice. This approach will be client-specific,
as what is material to a small business director may be very different to what is
material to a highly paid director of a listed entity.
In many financial reporting frameworks, related party transactions are defined as

including transactions where no price is charged. In such cases qualitative
considerations (see (a) above) will come to the fore.
c) Legal or regulatory framework – For some types of entity in some jurisdictions, there
may be additional legal or regulatory guidance on the monetary value of related party
disclosures that should be disclosed, and this will therefore affect specific materiality for
audit purposes. Common examples where this can arise include listed companies (may
be specified in the relevant Listing Rules) and charitable/not-for-profit entities. However,
qualitative factors also play a part, and transactions below such a monetary level may
still need to be disclosed, impacting the level of specific materiality.
3.2.5 Performance materiality

Performance materiality is set to reduce to an appropriately low level the probability that the
aggregate of uncorrected and undetected misstatements in the financial statements exceeds
overall materiality for the financial statements as a whole. Similarly, performance materiality
relating to any specific materiality determined for a particular class of transactions, account
balance or disclosure (see 3.2.4) is set to reduce to an appropriately low level the probability
that the aggregate of uncorrected and undetected misstatements in that particular class of
Page | 43
Audit Manual
Version 7 (2022)
transactions, account balance or disclosure exceeds the materiality level for that particular class
of transactions, account balance or disclosure.
If audit procedures were performed only to identify individual misstatements exceeding overall
materiality / specific materiality, there would be a risk that the aggregate of individually
immaterial misstatements not corrected or identified during an audit would exceed overall
materiality / specific materiality. By establishing performance materiality, a “buffer” is created to
allow for possible undetected misstatements impacting the financial statements as a whole.
The determination of performance materiality is not a simple mechanical calculation and

involves the exercise of professional judgment. It is affected by the auditor’s understanding of
the entity, updated during the performance of the risk assessment procedures; and the nature
and extent of misstatements identified in previous audits and thereby the auditor’s expectations
in relation to misstatements in the current period.
Form 419 Assessment of Entity Level Client Risk sets out a number of factors which the auditor
should take into account, before concluding as to whether the entity level client risk is: -
• High
• Moderate, or
• Low
The suggested percentages to be applied in Global Focus to overall and specific performance
materiality are as follows:
Client risk Percentage

High 60%
Moderate 70%
Low 85%
All materiality determinations, including performance materiality, are judgmental and are made
based on the facts and circumstances at each client. Teams consider past history and current
year information. Specifically, teams consider the types of pervasive risks and control
deficiencies that may exist along with the expected response to those risks. For example, if the
team has historically recorded numerous misstatements because the client has an entity‐level
deficiency related to the competency of the financial reporting function, one option to respond
to that risk is by lowering performance materiality, which will drive increased audit effort across
the entire engagement. Teams document their rationale for setting performance materiality.
Where they have not already been considered as part of the client risk assessment, the
following factors may influence determination of performance materiality:
• Management’s attitude to identified misstatements

• Resistance to adjusting misstatements
• High numbers of misstatements in prior periods
Where a specific materiality has been applied to a particular class of transactions, account
balance or disclosure, it may be appropriate for the auditor to apply a different performance
materiality percentage than that which applies to the overall materiality. For example, for a low
Page | 44
Audit Manual
Version 7 (2022)
risk client with few adjustments and a strong management attitude in the past, the auditor may
consider an area with specific materiality (e.g. Directors’ remuneration) to be higher risk – in this
situation they may apply 85% as performance materiality for the audit as a whole but apply 60%
as the performance materiality for Director’s remuneration).

Form 420 Section C. Performance Materiality and E. Performance materiality for the specific
circumstances in Step D.
The discount factor must be selected from the drop-down box provided. Once selected, the
Preliminary performance materiality amount will be calculated automatically based on the
preliminary overall materiality entered in Section A. The previous period performance materiality
must be manually entered.
Section E. provides for the calculation of specific performance materiality on items noted in
Section D. Note that the program does not automatically calculate the specific performance
materiality and therefore, the calculation should be shown in the comments box to provide
clarity.
Example
Funding Excellence Foundation is a large philanthropic foundation that provides grants to

charitable organisations working to benefit the community across a wide range of sectors. From
our prior experience of auditing this client, we know that management often tends to resist
adjusting any misstatements that are found and therefore we are aware that there are several
misstatements brought forward from prior years.
In this situation, we are likely to conclude that there is high client risk and therefore set
performance materiality at 60% of overall materiality.
3.2.6 Clearly trivial threshold

The auditor is required to accumulate misstatements identified during the audit, other than
those that are clearly trivial (ISA 450.5). The auditor designates the clearly trivial threshold,
which is the amount below which misstatements would not need to be accumulated because
Page | 45
Audit Manual
Version 7 (2022)
the accumulation of such amounts clearly would not have a material impact on the financial
statements. Clearly trivial matters are those which are clearly inconsequential, individually or in
aggregate, whether judged by size, nature or circumstances. When there is uncertainty about
whether one of more items are clearly trivial, then the matter is considered not to be clearly
trivial.
Clearly trivial is not another expression for “not material”. Further, the clearly trivial threshold is
not intended to be used in the determination of items to be selected for testing.
All misstatements identified during an audit that are greater than the clearly trivial threshold are
transferred to the summary of identified misstatements. The clearly trivial threshold is set at a
maximum of 5% of overall materiality or a maximum of 5% of specific overall materiality (if
applicable, for each balance, transaction, disclosure for which specific materiality has been set).
Amounts below the clearly trivial threshold are not accumulated as they would not have a
material effect on the financial statements in aggregate. Although 5% is the maximum level for
the clearly trivial threshold, a lower level may be selected depending on the circumstances of
the audit and the exercise of professional judgment, for example where in previous years there
have been significant numbers of smaller misstatements which could become material in the
aggregate or where those charged with governance request a lower percentage.

The clearly trivial amount is entered in section F of Form 420 and comments provided as to how
it was calculated.
3.2.7 Revision of materiality as the audit progresses

Although overall and specific materiality are determined during the risk assessment and
planning phase of an audit, these amounts may be revised at any time during the audit to reflect
changes in circumstances (e.g. a decision to dispose of a major part of the entity’s business),
new information obtained or a change in the auditor’s understanding of the entity and its
operations arising from audit findings. For example, if during the audit it appears as though
actual financial results are likely to be substantially different from the anticipated period-end
financial results that were used initially to determine overall materiality, the auditor revises that
materiality.
Whether or not a difference in financial information is sufficient to warrant a change in materiality

is a matter of professional judgment. Factors to consider include whether there would be a
significant change in the sufficiency of audit evidence required (e.g. larger sample sizes would
be generated or expectations and variances used in Substantive Analytical Procedures would
differ significantly) or whether the change in financial information changes the scope of the audit
(e.g. a decrease in materiality/performance materiality may mean that items previously
considered to represent No RMM on the grounds of materiality to be material items for which
substantive procedures are now required).

Form 420 Materiality
Page | 46
Audit Manual
Version 7 (2022)
In order to revise materiality, it is necessary to update Form 420 (Materiality) in the Global
Focus Software. The following applies to all materiality determinations made, i.e. overall, specific
and performance materiality where these have been revised.
Where review has already been documented in Global Focus, it is critical that these reviews are
not overwritten so as to leave the file with an insufficient audit trail of the work performed and
reviewed. A PDF of the original Form 420 should be made and added to the audit file with a
comment as to the revisions being made. Where details of the original review are not apparent
in the PDF, these details should also be recorded.
Amendments should be clearly documented in the program in the relevant comment boxes and
the program should be marked as reviewed again in the document manager at the updated
date. Evidence of review of the revised materiality should be recorded. The reasons for revision
to materiality should be recorded, for example “Updated Materiality: Due to significant
differences in actual results to those extrapolated at planning, we have updated the revenue for
overall materiality purposes as follows…”

The concept of materiality applies to group audits in a very similar way to that of standalone
entity audits, with minor differences as set out below.
Materiality levels to be determined
In planning the group audit, the group auditor makes judgments about the size of misstatements
that will be considered material. The group auditor:
• determines the following materiality levels, and
• documents the amounts and factors considered in their determination

(a) Overall group materiality As per the Audit Manual for a standalone entity, but
set for the consolidated financial statements as a
whole
(b) Group specific materiality As per the Audit Manual for a standalone entity, but
for any particular classes of transactions, account
balances or disclosures in the consolidated financial
statements
(c) Group performance materiality As per the Audit Manual for a standalone entity, but
applied to the consolidated financial statements
(d) Group clearly trivial threshold As per the Audit Manual for a standalone entity, but
applied to the consolidated financial statements
(e) Component materiality The level of materiality determined for a component by

the group auditor for those components where an
audit or review is undertaken for the purposes of the
group audit.
Page | 47
Audit Manual
Version 7 (2022)

(f) Component performance As per the Audit Manual for a standalone entity,
materiality applied to those components being audited (see also
Section 3.2.9 below)
Overall group materiality and group specific materiality in the context of consolidated financial
statements is determined on the basis of the needs of users of the consolidated financial
statements and therefore will be based on the consolidated benchmarks for profit before tax,
total revenue etc. and specific balances, transactions and disclosures as included in the
consolidated financial statements.
Where the group audit is documented in a separate audit file to that of the parent entity’s
individual financial statements, Form 420 should be used to determine (a) to (e) above using
figures from the draft consolidated financial statements.
If using a single audit file to document both the group audit and that of the parent entity’s
individual financial statements, Form 420 will automatically be populated with the figures from
the parent entity’s individual financial statements. (a) to (e) for the group audit will therefore
need to be otherwise documented. An Excel version of Form 420 (Form 420G) is available on
Billy for this purpose.
Clearly trivial threshold
Although 5% is the maximum level for the clearly trivial threshold, a lower level may be selected
depending on the circumstances of the group audit and the exercise of professional judgment,
for example where the group auditor specifies a particular percentage for a component audit.
Misstatements identified in the financial information of a component that are above the threshold
for misstatements are communicated to the group engagement team.
3.2.9 Determining component materiality in a group audit

In accordance with ISA 600.21(c) and ISA 600.A44, component materiality is determined for
those components whose financial information will be audited or reviewed for the purposes of
the group audit. Such components are those where:
a) the component is financially significant to the group and is to be audited under ISA
600.27;
b) the component is significant because it is likely to include significant risks of material
misstatement of the consolidated financial statements due to its specific nature or
circumstances, and the group auditor has decided that the component is to be audited
under ISA 600.27(a); or
c) the component is not individually significant to the group, but analytical procedures at
group level are not considered to generate sufficient appropriate audit evidence on
which to base the group audit opinion, and thus the component is to be audited under
ISA 600.29.
It is important to note that component materiality need NOT be determined for any other
component in the group.
ISA 600 sets out the following parameters for the determination of component materiality:
Page | 48
Audit Manual
Version 7 (2022)
• To reduce to an appropriately low level the probability that the aggregate of uncorrected
and undetected misstatements in the group financial statements exceeds materiality for
the group financial statements as a whole, component materiality shall be lower than
materiality for the group financial statements as a whole. (ISA 600.21(c) and A43)
• Different component materiality may be established for different components. (ISA
600.A43)
• Component materiality need not be an arithmetical portion of the materiality for the
group financial statements as a whole and, consequently, the aggregate of component
materiality for the different components may exceed the materiality for the group
financial statements as a whole. (ISA 600.A43)
The following options are available for determining component materiality:
Abbreviation Description Component

materiality
size
PROP Allocates group materiality to components in proportion to Lower ISA
their size boundary
HALF Sets component materiality to 50% of group materiality

(irrespective of the number or size of components)
GUAM “General Unified Assurance and Materiality” model, which

determines component materiality based on group audit
confidence required and component level risk Increasing
assessments component
SQRT Sets component materiality as group materiality multiplied materiality
by the square root of the relative component size size
MACM Allocates a “Maximum Aggregate Component Materiality”

to components in proportion to their size or the square
root of their size
FULL Component materiality must be smaller than group Upper ISA

materiality boundary
The Global Focus methodology permits the group auditor to select the most appropriate method
for the determination of component materiality with the following restrictions:
• Component materiality may not be set higher than that which would be determined
using the MACM method.
• The General Unified Assurance and Materiality (GUAM) model is not recommended due
to its inherent complexity.
Firms may choose to select a single method to be used on all group audits where they act as
group auditor.
Optional Excel templates for determining component materiality using the HALF, SQRT and
MACM methods are available on Billy (Forms 421G).
Page | 49
Audit Manual
Version 7 (2022)
Where a component is subject to audit by local statute, regulation or other reason and the
group engagement team elects to use that audit to provide audit evidence for group audit
purposes, the group auditor determines whether materiality for the component financial
statements as a whole as set by the component auditor, meets the requirements of ISA 600. In
rare cases it may be necessary for the group auditor to request that the component auditor
uses a lower figure for component materiality.
Determining component performance materiality
Where the group auditor audits a component for the purposes of the group audit, the group
auditor sets performance materiality for that component in the same way as for a standalone
entity audit.
Where component auditors audit a component for the purposes of the group audit, the group
engagement team evaluates the appropriateness of performance materiality determined by the
component auditor. This is usually done by the group auditor determining performance
materiality for the component separately and then comparing it to that determined by the
component auditor.
Where a component is subject to audit by local statute, regulation or other reason and the
group engagement team elects to use that audit to provide audit evidence for group audit
purposes, the group auditor determines whether performance materiality, as determined by the
component auditor, meets the requirements of ISA 600. In rare cases it may be necessary for
the group auditor to request that the component auditor uses a lower figure for component
performance materiality.
Page | 50
Audit Manual
Version 7 (2022)
3.3 Understanding the entity and its environment, and the applicable
financial reporting framework
Contents
3.3.1 Introduction
3.3.2 The entity’s organisational structure, ownership and governance, and its business
model (ISA 315 para 19ai)
3.3.3 Industry, regulatory and other external factors (ISA 315 para 19aii)
3.3.4 The measures used, internally and externally, to assess the entity’s financial
performance (ISA 315 para19aiii)
3.3.5 The applicable financial reporting framework, and the entity’s accounting policies and
the reasons for any changes thereto (ISA 315 para 19b)
3.3.7 Component significance
3.3.8 Understanding component auditors
3.3.9 Understanding Accounting Estimates
Objective To obtain an understanding of the entity and its environment,

including the relevant controls sufficient to identify the risks of
material misstatement.
Authoritative • ISA 315 Identifying and assessing the risks of material

pronouncements misstatement
• ISA 240 The Auditor’s Responsibilities relating to Fraud
in an Audit of a Financial Report
• ISA 250 Consideration of Laws and Regulations in an
audit of a financial report
• ISA 540 Auditing accounting estimates and related
disclosures
• ISA 550 Related Parties
• ISA 570 Going Concern
Auditors)
Global Focus software 510 Identifying risks through understanding the entity
Control Design Section within Risk Assessment
523 Understanding Accounting Estimates
523-1 Understanding Complex Accounting Estimates
Group audits
5000-3 Component auditors – Firm summary profile
5000-4 Worksheet – Group audit – Understanding the group
and its environment
5000-5 Group audit – Group component summary
Policy requirements Component significance in a group audit: the percentage
(if any) applied to the chosen benchmark(s) for determining component
significance may not exceed 15% of Group Materiality unless
approved by either a second partner review or technical
department review. Such justification must be clearly
documented on the audit file.
Page | 51
Audit Manual
Version 7 (2022)
Sources of risk of material misstatement
Process
Page | 52
Audit Manual
Version 7 (2022)
3.3.1 Introduction
Information about the entity and its environment can be obtained from internal and external
sources. In many cases, the auditor will start with internal sources of information. This
information can then be checked for consistency with information obtained from external
sources such as trade association data and data about general economic conditions, which can
often be obtained from the Internet. In obtaining an understanding of the entity and its
environment, the auditor may identify transactions or balances which are likely to give rise to
estimates in the financial statements.
The figure below shows some of the potential sources of information:
Source: IFAC guide; paragraph 8.3
In addition to the auditor also considers the understanding of the entity obtained in previous
engagements where appropriate.
The remainder of this section sets out the understanding required by ISA 315 when obtaining an
Understanding of the Entity and its Environment.
3.3.2 The entity’s organisational structure, ownership and governance, and its
business model (ISA 315 para 19ai)
Organisational structure and ownership
In documenting the entity’s organisational structure and ownership, the auditor may consider:
Page | 53
Audit Manual
Version 7 (2022)
• The complexity of the entity’s structure, which may include subsidiaries, divisions or
other components in multiple locations
• The possibility that the legal structure may be different from the operating structure.
• The ownership, and relationships between owners and other people or entities, including
related parties (this may assist in determining whether related party transactions have
been appropriately identified, accounted for and adequately disclosed in the financial
statements).
• The distinction (if any) between the owners, those charged with governance and
management.
• The structure and complexity of the entity’s IT environment. This may include
consideration of matters such as:
o The existence of (multiple) legacy IT systems, particularly in diverse businesses
that are not well integrated.
o The entity’s use of external or internal service providers e.g. outsourcing the
hosting of its IT environment to a third party or using a shared service centre for
central management of IT processes in a group.
Ownership of a public sector entity may not have the same relevance as in the private sector
because decisions related to the entity may, to some extent, be made outside of the entity as a
result of political processes.

The auditor’s understanding is documented in Form 510, part B
Governance
Understanding the entity’s governance arrangements may assist the auditor with understanding
the entity’s ability to provide appropriate oversight of its system of internal control, and thus also
Page | 54
Audit Manual
Version 7 (2022)
provide evidence of deficiencies, which may indicate an increase in the susceptibility of the
financial statements to risks of material misstatement.
In documenting the entity’s governance, the auditor may consider:
• Whether any or all of those charged with governance are involved in managing the
entity.
• The existence (and separation) of a non-executive Board, if any, from executive
management.
• Whether those charged with governance hold positions that are an integral part of the
entity’s legal structure, e.g. as directors.
• The existence of sub-groups of those charged with governance, such as an audit
committee, and the responsibilities of such a group.
• The responsibilities of those charged with governance for oversight of financial
reporting, including approval of the financial statements.

Page | 55
Audit Manual
Version 7 (2022)
Business model
Understanding the entity’s objectives, strategy and business model helps the auditor to
understand the entity at a strategic level, and to understand the business risks the entity takes
and faces. An understanding of business risks affecting the financial statements assists in the
identification of risks of material misstatement, since most business risks will eventually have
financial consequences, and hence an effect on the financial statements.
Business risks increasing the susceptibility to risks of material misstatement may arise from:
• Inappropriate objectives or strategies, ineffective execution of strategies, or change or

complexity.
• A failure to recognise the need for change e.g.
o The development of new products or services that may fail;
o A market which, even if successfully developed, is inadequate to support a
product or service; or
o Flaws in a product or service that may result in legal liability and reputational risk.
• Incentives and pressures on management, which may result in intentional or
unintentional management bias, and therefore affect the reasonableness of significant
assumptions and the expectations of management or those charged with governance.
In documenting the entity’s business model, objectives, strategies and related business risks,
the auditor may consider:
• Industry developments e.g. lack of personnel or expertise to seal with changes in the
industry.
• New products and services that may lead to increased product liability.
• Expansion of the entity’s business, and demand has not been accurately estimated.
• New accounting requirements where there has been incomplete or improper
implementation.
• Regulatory requirements resulting in legal exposure.
• Current and prospective financing requirements, e.g. the loss of financing due to the
entity’s inability to meet requirements.
• Use of IT, such as the implementation of a new IT system that will affect both operations
and financial reporting.
• The effects of implementing a strategy, particularly any effects that will lead to new
accounting requirements.
A detailed explanation of the objectives and scope of the entity’s business model and further
examples of matters that the auditor may consider in understanding the activities of the entity
that may be included in the business model can be found in Appendix 1 to ISA 315.
The identification of business risks and development of approaches to address them is ordinarily
part of the role of management. This risk assessment forms part of the entity’s system of internal
control (see 3.4.5.2).
Page | 56
Audit Manual
Version 7 (2022)

Page | 57
Audit Manual
Version 7 (2022)
3.3.3 Industry, regulatory or other external factors (ISA 315 para 19aii)
The auditor identifies industry, regulatory or legislative factors which may give rise to risks of
material misstatement, and whether there have been substantial changes from the prior period
for continuing clients. The following factors may be considered by the auditor but are not an
exhaustive list:
Industry factors:
• The market and competition, including demand and price competition.

• Cyclical or seasonal activity.
• Product technology relating to the entity’s products
• Energy supply and cost
Regulatory factors:
• Regulatory framework for a regulated industry, for example, prudential requirements,

including related disclosures.
• Legislation and regulation that significantly affect the entity’s operations, for example,
labour laws and regulations.
• Taxation legislation and requirements.
• Government policies currently affecting the conduct of the entity’s business, such as:
o Monetary policies, including foreign exchange controls;
o Fiscal policies;
o Financial incentives; and
Page | 58
Audit Manual
Version 7 (2022)
o Tariffs or trade restriction policies.

• Environmental requirements affecting the industry and the entity’s business.
Other external factors:
• General economic conditions.

• Interest rates and the availability of financing.
• Inflation or currency revaluation.
Non-profit and public sector entities may be affected by particular laws and regulations, which
may be an essential consideration when obtaining an understanding of the entity and its
environment.
All of these factors may give rise to, or increase the risk of, material misstatement as they may
affect the ability of the entity to accurately estimate items such as revenue or expenses or their
ability to accurately forecast budgets. Additional risk factors may be identified relating to
environmental or legal matters. The diagrams below are different representations of the
influences on the entity:
Page | 59
Audit Manual
Version 7 (2022)
Examples
1. A mining business during a cyclical downturn in commodity prices, may have potential
risks of material misstatement due to:
• Contracted sales volumes which cannot be supplied at the market price

• Reduced sales driven by a market downturn making mines inefficient
• Incorrect valuation of material on hand
2. A carpet manufacturing business being impacted by a change in customer preferences to

alternative flooring solutions provided by competitors, may have potential risks of material
misstatement due to:
• Going concern where the change is impacting the business as a whole; and
• Impairment of assets, where the value in use no longer supports the book value
3. A potential change in environmental legislation rendering an exploration license valueless,

may give rise to potential risks of material misstatement due to:
• Going concern where the loss of the licenses is core to the business
• Impairment of assets
• Bank covenants may be breached
• Loans may be misclassified due to trigger clauses
4. Changes to qualification requirements or child / educator ratios in schools or

kindergartens, may give rise to potential risks of material misstatement due to Going
concern where the changes impact the business model/licensee to operate.
5. Financial Services regulations which must be complied with in order to do business, e.g.
BASEL III / IV for banking, may give rise to potential risks of material misstatement due to:
• Inability to conduct business or certain business streams due to the business not
adopting/complying with the specific regulation
• Deposit loan ratio disclosures may be materially misstated

The auditor’s understanding is documented in Form 510, Part A:
Page | 60
Audit Manual
Version 7 (2022)
Page | 61
Audit Manual
Version 7 (2022)
3.3.4 The measures used, internally and externally, to assess the entity’s financial
performance (ISA 315 para 19aiii)
The auditor considers how management and those charged with governance determines the
key drivers of their business, including how they measure and review financial performance,
including any Key Performance Indicators (KPIs).
Performance measures are not necessarily the same as the monitoring of internal controls
(although there may be overlap in practice). Performance measurement and review is focused
on whether the objectives of management are being met, while monitoring of controls is focused
on whether the internal control environment is operating effectively.
This understanding assists the auditor in considering whether such measures may crease
pressures on the entity to achieve performance targets. Such pressures may motivate
management to take actions that increase the susceptibility to misstatement due to
management bias or fraud. For example, management may define the KPIs that are linked to
their compensation, giving rise to an increased risk of material misstatement due to
manipulation of financial performance.
Examples
Measurement and review information or Key Performance Indicators (financial and non-
financial) and key ratios, trends and operating statistics may include:
• Period-on-period financial performance analyses.

• Budgets, forecasts, variance analysis, segment information and divisional,
departmental or other level performance reports.
• Employee performance measures and incentive compensation policies.
Page | 62
Audit Manual
Version 7 (2022)
• Comparisons of an entity’s performance with that of competitors.

An example of a risk arising from obtaining this understanding may be where sales bonuses
are linked solely to the volume of sales, excluding returns/bad debts. This may give rise to a
risk of material misstatement due to cut off and/or a fraud risk, as the performance measure
may incentivise selling to entities which are unable or unlikely to pay, or fraudulent sale and
return schemes to meet bonus targets or to meet covenants.
External parties may also review and analyse the entity’s financial performance, especially
where the entity’s financial information is publicly available. Publicly available information may
also assist the auditor in understanding the business or in identifying contradictor information,
and can often be obtained from the audited entity. Examples include information from:
• Analysts or credit agencies.

• News and other media, including social media.
• Taxation authorities,
• Regulators.
• Trade unions.
• Providers of finance.

The auditor’s understanding is documented in Form 510, Part D.
Page | 63
Audit Manual
Version 7 (2022)
3.3.5 The applicable financial reporting framework and the entity’s accounting policies
and the reasons for any changes thereto (ISA 315 para 19b)
Applicable financial reporting framework
The auditor obtains an understanding of the entity’s applicable financial reporting framework
and how it applies in the context of the nature and circumstances of the entity and its
environment. In doing so, the auditor may consider the following matters:
• Accounting principles and industry-specific practices.

• Revenue recognition
• Accounting for financial instruments, including related credit losses.
• Foreign currency assets, liabilities and transactions.
• Accounting for unusual or complex transactions, including those in controversial or
emerging areas e.g. accounting for crypto assets.
Entity’s accounting policies and the reasons for any changes thereto
Changes to accounting policies, or to the applicable laws and regulations, often give rise to
either additional or increased risk of material misstatement. The auditor considers how the entity
selects and applies its accounting policies, including any changes from the previous year. The
auditor’s focus is to ensure that the accounting policies are appropriate for the entity and
comply with the requirements of the financial reporting framework.
The auditor’s understanding of the entity’s selection and application of accounting policies,
including any changes thereto, may include matters such as:
• The methods used by the entity to recognise, measure, present and disclose significant
and unusual transactions.
• The effect of significant accounting policies in controversial or emerging areas for which
there is a lack of authoritative guidance or consensus.
• Changes in the environment, e.g. changes in the applicable financial reporting
framework or tax reforms that may necessitate a change in the entity’s accounting
policies.
• Financial reporting standards and laws and regulations that are new to the entity and
when and how the entity will adopt or comply with such requirements.
Page | 64
Audit Manual
Version 7 (2022)

The auditor’s understanding is documented in Form 510, Part C.
Examples
The following situations may give rise to Risks of Material Misstatement in relation to the
accounting policies selected and applied by the entity:
• Introduction of a new financial reporting framework – Although rare, when an entity

applies a new financial reporting framework (e.g. on adoption of IFRS), this is likely to
give rise to a Financial Statement Level Risk requiring an overall response.
• Changes to standards, laws and regulations – changes to the leasing standards may
require assets to be brought on balance sheet when previously not disclosed and may
lead to both accounting and disclosure risks.
• Changes to accounting policies – changes such as determining whether a class of
assets is available for sale, can often give rise to risks around disclosure and
presentation or classification of assets and liabilities.
• Unusual or significant transactions – Acquisitions are usually one-off transactions and
as such many businesses lack experience and as such the accounting treatment of
the transaction may typically raises risks in relation to valuation and disclosure over
items such as goodwill and intangibles. In many instances these are assessed as
Significant Risks. In addition, business combinations can give rise to a Financial
Statement Level Risk where there are pervasive impacts on the amounts disclosed.
Understanding whether there are unusual or significant transactions is a key part of
the risk assessment process.
Page | 65
Audit Manual
Version 7 (2022)
• Accounting policies in controversial or emerging areas - where there is a lack of

definitive guidance in a controversial or emerging area, entities may select policies or
interpretations that are advantageous to the entity but which may misstate the
substance of a transaction, or hide or inflate liabilities or assets. For example, the
misuse and accounting for special purpose vehicles and developments such as
Bitcoin and Blockchain may emerge as controversial accounting areas.

Understanding the group’s organisational structure, ownership and governance and business
model
Many of the matters about which the group auditor gains an understanding are discussed in
Sections 3.3.2 to 3.3.5 above. Appendix 2 to ISA 600 gives examples of other matters specific
to group audits which are considered by the group engagement team.
The group engagement team’s assessment of the risks of material misstatement to the
consolidated financial statements is based on information such as:
• Information obtained from the understanding of the group, its components, and their
environments, and of the consolidation process, including audit evidence obtained in
evaluating the design and implementation of group-wide controls and controls that are
relevant to the consolidation; and
• Information obtained from the component auditors.
Industry, regulatory or other external factors
The group auditor identifies industry, regulatory or legislative factors which may give rise to risks
of material misstatement to the consolidated financial statements, and whether there have been
substantial changes from the prior period for continuing clients. In a group audit, the group
auditor makes this assessment for the group as a whole. This requires the group auditor to have
knowledge of industry, regulatory or legislative factors in jurisdictions in which group
components are based and/or operate.
The group auditor also considers whether differences in these factors between components
may give rise to additional risks of material misstatement e.g. staff working for more than one
component, different product regulations in different jurisdictions etc.
The applicable financial reporting framework and the group’s accounting policies and the
reasons for any changes thereto
The group auditor determines the financial reporting framework applicable to the group financial
statements, and obtains an understanding of the accounting policies used across the group. In
addition to those procedures that may be used on a standalone entity audit, for a group audit
this may also include:
• reviewing the instructions issued by group management to components.

• reviewing the communications received from component auditors.
Changes to group accounting policies, or to the applicable laws and regulations, often give rise
to either additional or increased risk of material misstatement, often through miscommunication
between group management and the components. The group auditor considers how the group
Page | 66
Audit Manual
Version 7 (2022)
selects and applies its accounting policies, including any changes from the previous year. The
group auditor’s focus is not only to ensure that the accounting policies are appropriate for the
group and comply with the requirements of the financial reporting framework, but also that
those policies are applied consistently throughout the group.
Examples
Inconsistent accounting policies – the use of inconsistent accounting policies (and financial
reporting frameworks) within a group results in the need for GAAP and accounting policy
adjustments as part of the consolidation process. This can give rise to risks of material
misstatement to the consolidated financial statements, due to fraud (deliberately hiding or
misrepresenting transactions in a component) or error, especially where the auditor is
relatively unfamiliar with the GAAP(s) used by the components.
The measures used, internally and externally, to assess the group’s financial performance
The group auditor considers how management and those charged with governance determines
the key drivers of their business, including how they measure and review financial performance,
including any Key Performance Indicators (KPIs).
In a group audit scenario, misalignment between the way that financial performance is
measured and reviewed at group level and at component level could give rise to risks of
material misstatement to the consolidated financial statements.
The auditor also considers external measures of financial performance of the group as a whole
e.g. group banking covenants, investor expectations etc.
3.3.7 Component significance

ISA 600 requires the group auditor to assess the significance of each component to the group.
A significant component is defined as one identified by the group engagement team that is
either:
• of individual financial significance to the group; or

• likely to include significant risks of material misstatement of the group financial
statements due to its specific nature or circumstances.
Financially significant components
The most common way to determine financial significance is to apply a percentage to a chosen
benchmark. Identification of an appropriate benchmark is a matter of professional judgment;
however, the benchmark used to determine overall group materiality is often appropriate. Where
level(s) of group specific materiality have been set, it may be appropriate to also use such
benchmark(s) in addition to group materiality on an “either/or” basis.
Example
Overall group materiality is based on revenues. Group specific materiality is also set for related
party transactions.
Component financial significance is set such that a component is financially significant to the
group if it exceeds a set percentage of either group revenues OR group related party
transactions.
Page | 67
Audit Manual
Version 7 (2022)
In Global Focus the percentage applied to the chosen benchmark(s) for determining component
significance may not exceed 15% unless approved by either a second partner review or
technical department review. Such justification must be clearly documented on the audit file.
Group engagement teams may set a lower percentage as considered appropriate.
Otherwise significant components
The group engagement team may also identify a component as likely to include significant risks
of material misstatement of the group financial statements due to its specific nature or
circumstances (that is, risks that require special audit consideration). For example, a
component could be responsible for foreign exchange trading and thus expose the group to a
significant risk of material misstatement, even though the component is not otherwise of
individual financial significance to the group.

Component significance is documented in Form 5000-5 Group audit – Group component
summary. Alternatively, group engagement teams may use the optional new Form 445G Group
Audit Planning template in Excel (available on Billy) to assist in the determination and
documentation of component significance.
3.3.8 Understanding component auditors

Where the group engagement team plans to request a component auditor to perform work on
the financial information of a component, the group engagement team obtains an understanding
of each component auditor.
The nature, timing and extent of the group engagement team’s procedures to obtain such an
understanding are affected by factors such as previous experience with or knowledge of the
component auditor. More extensive procedures and inquiries are expected when assessing a
component auditor for the first time. In subsequent years, this understanding may be based on
the group engagement team’s previous experience with the component auditor, plus
confirmation from the component auditor of any changes to the matters listed below since the
previous year.
Members of the Baker Tilly International network are independent firms, and do not necessarily
operate on the same policies or procedures, and not all member firms use Global Focus. The
Global Focus methodology gives no “exemption” or “short-cut” to the need to understand a
component auditor in each of the respects listed below, where that auditor is also a member of
Baker Tilly International.
Understanding of ethical requirements and independence
In a group audit, the component auditor is subject to the ethical requirements that are relevant
to the group audit. These may be different to those applying to the component auditor when
performing a statutory, standalone audit in their own jurisdiction and may include additional
requirements over and above those in that jurisdiction. The group auditor therefore obtains an
understanding of whether the component auditor will comply with the ethical requirements
relevant to the group audit. This is usually done via written communications explaining the group
auditor’s ethical requirements and requesting the component auditor to sign a memorandum of
understanding and confirmation of adherence thereto.
Page | 68
Audit Manual
Version 7 (2022)
Baker Tilly International is a member of the Forum of Firms, which requires all members of the
Baker Tilly network to comply with the requirements of the IFAC Code of Ethics for Accountants
as a minimum.
Professional competence
The group engagement team’s understanding of the component auditor’s professional

competence may include whether the component auditor:
• Possesses a sufficient understanding of auditing and other standards applicable to the

group audit;
• Possesses the special skills (for example, industry specific knowledge) necessary to
perform the work on the financial information of the particular component; and
• Where relevant, possesses a sufficient understanding of the applicable financial
reporting framework (this understanding may be obtained via instructions issued by
group management to components, which often describe the characteristics of the
applicable financial reporting framework).
Extent of involvement possible in the work of the component auditor
ISA 600 requires the group auditor to be involved in the audit of component auditors to some
extent at all stages of the audit. It is therefore vital that the group auditor establishes at an early
stage in the audit planning process the extent to which their involvement in the work of
component auditors is possible and permissible.
Where component auditors are members of the Baker Tilly International network and use the
Global Focus audit methodology, remote reviewing of component auditor files may be possible.
This may also be possible even if the component auditor uses a different methodology and/or
audit software. However, in some jurisdictions, auditors are not permitted to send or transmit
audit working papers outside of their jurisdiction. In such cases, any review of the component
auditor’s working papers will need to be undertaken in the component auditor’s jurisdiction.
Regulatory environment in which the component auditor operates
Where independent oversight bodies have been established to oversee the auditing profession
and monitor the quality of audits, awareness of the regulatory environment may assist the group
engagement team in evaluating the independence and competence of the component auditor.
Information about the regulatory environment may be obtained from the component auditor or
information provided by the independent oversight bodies. Group auditors may also check
whether a component auditor’s regulator is a member of the International Forum of Independent
Audit Regulators (IFIAR) by reviewing the IFIAR membership directory at
https://www.ifiar.org/members/member-directory/

The group engagement team’s assessment of component auditors is documented on Form
5000-3 Component auditors - Firm summary profile. Alternatively, the group engagement team
may use the following new Excel templates, available on Billy, to obtain an understanding of
component auditors and to document and conclude upon that understanding:
• 445G Group audit planning

• 446G Initial group audit instructions
Page | 69
Audit Manual
Version 7 (2022)
3.3.9 Understanding Accounting Estimates
When obtaining an understanding of the entity and its environment, including the entity’s internal
control, the auditor shall obtain an understanding of the following matters related to the entity’s
accounting estimates. The auditor’s procedures to obtain the understanding shall be performed
to the extent necessary to provide an appropriate basis for the identification and assessment of
risks of material misstatement at the financial statement and assertion levels.

The auditor’s understanding is documented in Form 510, part C
Page | 70
Audit Manual
Version 7 (2022)
Page | 71
Audit Manual
Version 7 (2022)
Those areas selected in Form 510 auto populate Form 523:
Any areas identified as “complex” in Form 523 are activated in Form 523-1:
The software includes the following Forms to assist the auditor with documentation their
assessment of the outcome of previous accounting estimates:
• Form 523-2
• Form 416
It is acknowledged that some auditors may not find the layout of these Forms helpful to record
their assessment. In the case of these two documents, the user is encouraged to replace them
and record their work on a document of their own design, if preferred.
Page | 72
Audit Manual
Version 7 (2022)
3.4 Understanding the entity’s system of internal control
Contents
3.4.1 Introduction
3.4.2 Control environment
3.4.3 The entity’s risk assessment process
3.4.4 The entity’s process to monitor the system of internal control
3.4.5 The information system and communication
3.4.5.1 How information flows through the entity’s information system
3.4.5.2 Accounting and other supporting records
3.4.5.3 Financial reporting process
3.4.5.4 The entity’s resources, including the IT environment
3.4.5.5 Communication of significant matters
3.4.6 Control activities
3.4.6.1 Characteristics of control activities
3.4.6.2 Control activities the auditor must understand – Those prescribed by ISAs
3.4.6.3 Control activities the auditor must understand – Other controls
3.4.6.4 Examples of control activities
3.4.6.5 Risks arising from IT and understanding General IT Controls
3.4.7 Evaluating the design and implementation of controls
3.4.7.1 Design of controls
3.4.7.2 Implementation of controls
3.4.8 Identifying control deficiencies and significant deficiencies
Appendix 1 Examples of General IT Controls to address examples of risks arising from the use
of IT, including for different IT applications based on their nature (taken from ISA 315
Appendix 6)
Objective The objective of the auditor is to identify and assess the risks of
financial statement and assertion levels, thereby providing a
basis for designing and implementing responses to the
assessed risks of material misstatement. (ISA 315.11)
Relevant ISA • ISA 240 The Auditor’s Responsibilities relating to Fraud
in an Audit of a Financial Report
• ISA 265 Communicating deficiencies in internal control
to those charged with governance and management
• ISA 300 Planning an audit of Financial Statements
• ISA 315 Identifying and assessing the risks of material
misstatement
• ISA 500 Audit Evidence
auditors)
Global Focus software Form 510 Identifying risks through understanding the entity
Form 511-GF Understanding the IT environment
Form 530 Identifying risks through understanding the
components of the entity’s system of internal control
Form 530-GF Understanding of General IT Controls
Page | 73
Audit Manual
Version 7 (2022)
Form 532 Control design/implementation

Form 565 Worksheet – Control implementation - business
process controls
Form 566 Worksheet – Information flow – Business process
Form 670 Use of Journal entries, OR
Form 670-I Use of Journal entries – audited using Inflo OR
Form 670-M Use of Journal entries – audited using Mindbridge
Policy requirements
(if any)
Page | 74
Audit Manual
Version 7 (2022)
3.4.1 Introduction
An auditor’s understanding of the entity’s system of internal control assists in identifying risks of
material misstatement and in designing the nature, timing and extent of audit procedures to
respond to identified risks.
A system of internal control is broader than just traditional control activities such as segregation
of duties, authorisations, reconciliations etc. The auditor is required to obtain an understanding
of the entity’s system of internal control, including its five components summarised in the
diagram below:
(Exhibit 5.2.1 from the IFAC Guide to SME audits)
Further details of each of the auditor’s understanding of these components are set out in this
section of the Audit Manual, and Appendix 3 of ISA 315 provides detailed descriptions of each
component.
Obtaining an understanding of control activities also involves evaluating the design of those
controls and determining whether they have been implemented, by performing procedures in
addition to inquiry of the entity’s personnel. An improperly designed control is a control
deficiency. The determination of whether one or more control deficiencies, individually or in
combination, constitute significant deficiencies assists the auditor in evaluating the design of
controls. This is considered further in section 3.4.7.1.
The components of the system of internal control have been incorporated into the COSO
framework, as shown in the diagram below:
Page | 75
Audit Manual
Version 7 (2022)
The purpose of the system of internal control

An entity’s system of internal control is designed, implemented and maintained to address
identified business risks that threaten the achievement of any of the entity’s objectives that
concern:
• The reliability of the entity’s financial reporting,

• The effectiveness and efficiency of its operations, and
• Its compliance with applicable laws and regulations.
The way in which the system of internal control is designed, implemented and maintained varies
with an entity’s size and complexity. For example, less complex entities may use less structured
means and simpler processes and procedures to achieve their objectives and there may be
more controls performed directly by management, greater direct interaction with personnel and
closer working relationships, and more frequent, informal meetings and communications.
Page | 76
Audit Manual
Version 7 (2022)
There are inherent limitations on any system of internal control such that it can only provide
reasonable assurance about achieving the entity’s objectives. Management applies their
judgment in the controls it implements and that nature and extent of risks which they choose to
address. Such limitations include human judgment in designing the system of internal control
which may lead to ineffective design, human error in the operation of controls or lack of
understanding to perform a control. In addition, controls may be circumvented by collusion of
one or more people or may be overridden inappropriately by management. For example:
• management may enter into side agreements with customers which alter the terms of
conditions of sales contracts, resulting in improper revenue recognition,
• edit checks designed to identify and report transactions over specified limits may be
overridden or disabled.
Less complex entities often have fewer employees which may limit the extent to which
segregation of duties is practicable. In a small owner-managed entity, the owner-manager may
be able to exercise more effective oversight than in a larger, more complex entity, which may
compensate for the generally more limited opportunities for segregation of duties. On the other
hand, the owner-manager may be more able to override controls because the system of internal
control is less structured. This is taken into account by the auditor when identifying the risks of
The level of operation of control
A system of internal control typically consists of:
• Pervasive (Entity level) controls – controls that typically relate to governance and
general management and serves to establish the overall tone at the top. Pervasive
controls may relate to the control environment, the entity’s risk assessment process, the
entity’s information systems (specifically, General IT Controls), financial reporting
communications and the entity’s monitoring of controls, and
• Control activities – controls that typically relate to the processing of routine and non-
routine classes of transactions. Control activities may relate to controls over transaction
cycles and also to the entity’s information systems (IT application controls) at the
transaction level.
Pervasive controls and control activities may be designed to operate at various levels of
precision. The precision of a control relates to how exact the control will be in preventing, or
detecting and correcting, a misstatement. For example, if a purchasing manager reviews all
purchases over a certain amount, the supervisory control may mitigate the risk of errors over
the determined amount, capping the entity’s exposure, but it does not cover all transactions. On
the other hand, an automated edit check that compares prices on all purchase orders to a price
master file, producing an exception report for review by a purchasing supervisor addresses
accuracy for all transactions.
Control activities are typically more direct and precise than pervasive controls in ensuring that
transactions are appropriately recorded, accounting records are maintained, receipts and
expenditures are authorised, and unauthorised acquisition, use, or disposition of assets would
be prevented or detected. However, some pervasive controls may be designed to operate at a
level of precision that would adequately prevent, or detect and correct, misstatements on a
Page | 77
Audit Manual
Version 7 (2022)
timely basis (e.g. a detailed review by senior management of monthly monitoring reports of sales
and operating data for numerous retail locations).
Some pervasive controls monitor the effectiveness of other controls, which could identify
breakdowns in control activities but not at a level of precision that would, by themselves,
address the risk of misstatement. (e.g. activities of the internal audit function, those charged
with governance, and self-assessment programs).
The following sections provide further details of the auditor’s considerations for each of the five
components of the entity’s system of internal control. For a full description of each component,
see Appendix 3 of ISA 315.
3.4.2 Control Environment

The auditor is required to obtain an understanding of the control environment relevant to the
preparation of the financial statements through performing risk assessment procedures, and to
evaluate whether:
• management, with the oversight of those charged with governance, has created and
maintained an honest and ethical culture;
• the control environment provides an appropriate foundation for the other components of
the entity’s system of internal control; and
• those other components are undermined by deficiencies in the control environment.
The control environment includes the governance and management functions, as well as the
attitudes, awareness, and actions of those charged with governance and management
concerning the entity’s system of internal control and its importance in the entity. It sets the tone
of an organisation, influencing the control consciousness of its people.
The control environment differs from entity to entity and, in particular, between entities of
different complexities. Regardless of the entity’s size, elements of the control environment that
may be relevant include:
• how management’s oversight responsibilities are carried out, such as the entity’s culture
and management’s commitment to integrity and ethical values
• when those charged with governance are separate from management, the
independence of, and oversight over the entity’s system of internal control by, those
charged with governance
• the entity’s assignment of authority and responsibility (including the organisational
structure and lines of accountability)
• how the entity attracts, develops, and retains competent individuals.
• how the entity holds individuals accountable for their responsibilities in the pursuit of the
objectives of the system of internal control.
These last two points may form part of the broader effectiveness of the entity’s management of
Human Resources.
Although the control environment itself does not prevent, or detect and correct, a material
misstatement, it may influence the auditor’s evaluation of the effectiveness of other controls and
thereby the assessment of the risks of material misstatement.
Page | 78
Audit Manual
Version 7 (2022)

Form 530, Identifying risks through understanding the components of the entity’s system of
internal control, is used to document the auditor’s evaluation of each of the elements of the
control environment and concludes whether there are significant deficiencies, whether the risk
has been addressed and whether an audit response is required in relation to risks identified.
Obtaining audit evidence for elements of the control environment
Audit evidence may be obtained through a combination of inquiries of management and other
procedures such as corroborating via observation or inspection of documents, including
minutes or other communications.
Examples
1. Through inquiring of management, the auditor may obtain an understanding of how

management communicates to employees its views on business practices and ethical
behaviour. Determination of whether such controls have been implemented may be through
review of a written Code of Conduct and whether management acts in accordance with that
Code.
2. The audit may consider how management has responded to the findings and
recommendations of internal audit regarding deficiencies identified in internal control, including
whether management has implemented the agreed actions and whether their implementation
has been evaluated by internal audit.
Page | 79
Audit Manual
Version 7 (2022)
Considerations for less complex entities
The formal control environment of a less complex entity will likely be more limited than a large
client due to fewer people and resources being available in the business, resulting in a lack of
segregation of duties with many tasks and processes undertaken by the owner/manager (if
there are no other owners). The nature of the entity may mitigate certain risks such as a lack of
segregation of duties but increase other risks such as management override of controls.
There may also be fewer formal or documented elements in a less complex entity, and the
control environment may be shaped by the culture of the entity and management/ownership
example. Consequently, the documentation of management’s/owners’ attitudes, awareness and
actions impacting the control environment are important to the auditor’s understanding of the
control environment.
The control environment in less complex entities may be less formal or may not be formally
documented. Consequently, the attitudes, awareness, and actions of management (or owner-
manager) are of particular importance to the engagement team’s understanding of a less
complex entity’s control environment. For example, less complex entities might not have a
written code of conduct but, instead, develop a culture that emphasizes the importance of
integrity and ethical behaviour through verbal communication and by management leading by
example. Also, in less complex entities, while the active involvement of an owner-manager may
mitigate the risk of material misstatement related to segregation of duties, it may increase such
risk due to, for example, management override of controls.
The control environment in less complex entities may also have a significant influence on the
consideration of fraud risk and the auditor’s response. Domination of management by a single
individual in a less complex entity alone does not generally, in and of itself, indicate a failure by
management to display and communicate an appropriate attitude regarding internal control and
the financial reporting process. However, domination of management by a single individual may
represent a potential control deficiency due to enhanced risk of management override of
controls. In some entities, management authorisation may compensate for otherwise deficient
controls and reduce the risk of employee fraud. (ISA 240.A28)
3.4.3 The entity’s risk assessment process

The auditor is required to obtain an understanding of the entity’s process for:
• Identifying business risks relevant to financial reporting objectives;

• Assessing the significance of those risks, including the likelihood of their occurrence;
and
• Addressing those risks.
In understanding how management and those charged with governance have identified
business risks relevant to the preparation of the financial statements, and decided about actions
to address those risks, matters the auditor may consider include how management or, as
appropriate, those charged with governance, has:
• Specified the entity’s objectives with sufficient precision and clarity to enable the
identification and assessment of the risks relating to the objectives;
• Identified the risks to achieving the entity’s objectives and analysed the risks as a basis
for determining how the risks should be managed; and
Page | 80
Audit Manual
Version 7 (2022)
• Considered the potential for fraud when considering the risks to achieving the entity’s
objectives.
Not all business risks give rise to risks of material misstatement. If the auditor identifies a risk of
material misstatement which management has failed to identify, they are required to evaluate
whether they would have expected the entity’s risk assessment process to have identified the
risk. If such a risk is identified, the auditor is required to understand why the risk assessment
process did not identify the risk and evaluate whether the risk assessment process is
appropriate to the entity’s circumstances, considering the nature and complexity of the entity
(for example, a less complex entity may have a less formal process than a larger, more complex
entity).
The extent and appropriateness of any risk assessment process will depend on the size and
complexity of the entity and its transactions. The process and the risks identified, assuming that
the process is appropriate to the entity, assists the auditor in identifying risks of material
misstatement. Whether the risk assessment is appropriate to the circumstances of the entity is a
matter of auditor judgment.
For less complex entities it is unlikely there will be a formal documented risk assessment
process. It is likely that management/owners will identify risks of material misstatement through
their direct involvement in the business. Whether the process is documented or not, inquiry
about any identified risks, and the actions taken including management’s estimation of their
significance and likelihood of occurrence is still required.

internal control, is used to document the auditor’s evaluation of the entity’s risk assessment
process and concludes whether there are significant deficiencies, whether the risk has been
addressed and whether an audit response is required in relation to risks identified.
Page | 81
Audit Manual
Version 7 (2022)
Examples
Examples of changes in the entity or its circumstances which may give rise to risks of material
misstatement include:
• Changes in the operating environment - Changes in the regulatory or operating

environment can result in changes in competitive pressures and new risks of material
misstatement.
• New personnel - New personnel may have a different focus on or understanding of
internal control.
• New or revamped information systems - Significant and rapid changes in information
systems can change the risk relating to internal control.
• Rapid growth - Significant and rapid expansion of operations can strain controls and
increase the risk of a breakdown in controls.
• New technology - Incorporating new technologies into production processes or
information systems may change the risk associated with internal control.
• New business models, products, or activities - Entering into business areas or
transactions with which an entity has little experience may introduce new risks
associated with internal control.
• Corporate restructurings - Restructurings may be accompanied by staff reductions
and changes in supervision and segregation of duties that may change the risk
associated with internal control.
• Expanded foreign operations - The expansion or acquisition of foreign operations
carries new and often unique risks that may affect internal control, for example,
additional or changed risks from foreign currency transactions.
• New accounting pronouncements - Adoption of new accounting principles or
changing accounting principles may affect risks in preparing the financial report.
3.4.4 The entity’s process to monitor the system of internal control

The auditor is required to obtain an understanding of the entity’s process for monitoring the
system of internal control relevant to the preparation of the financial statements, and how the
entity initiates remedial action to address deficiencies. The auditor is also required to obtain an
understanding of the information used by management in its monitoring activities and the basis
upon which management considers the information to be sufficiently reliable.
Monitoring of controls is a process to assess the effectiveness of internal control performance

over time and involves assessing the effectiveness of controls on a timely basis and taking
necessary remedial actions. Elements of monitoring that may be relevant to the audit include
whether the entity conducts ongoing or separate evaluations and how the entity evaluates and
communicates control deficiencies.
Management’s monitoring of activities may include using information from external

communications such as customer or regulator comments which may indicate problems or
highlight areas for improvement.
Internal audit function
In a more complex organisation, monitoring of controls may be undertaken by an internal audit

function, or through formal management meetings. Where the entity has an internal audit
Page | 82
Audit Manual
Version 7 (2022)
function, the auditor is required to obtain an understanding of internal audit’s responsibilities, its
organisational status and the activities performed.
The objectives and scope of internal audit, including its responsibilities and status in the
organisation may vary widely depending on the size and nature of the entity and management’s
requirements. In some cases, internal audit will provide assurance over the design and
effectiveness of internal controls, risk management and governance processes; in others they
may be focused on evaluating value for money of operations, in which case their work may not
be directly related to financial reporting.
Where the auditor intends to use the work of the internal audit function to modify the nature,
timing or extent of audit procedures to be performed, the requirements of ISA 610 apply.
In less complex entities, management’s monitoring of controls is often accomplished by

management’s or the owner-manager’s close involvement in operations. This involvement often
will identify significant variances from expectations and inaccuracies in financial data, leading to
remedial action to the control.

internal control is used to document the auditor’s evaluation of the entity’s monitoring of controls
and concludes whether there are significant deficiencies, whether the risk has been addressed
and whether an audit response is required in relation to risks identified.
3.4.5 The information system and communication

The auditor is required to obtain an understanding of the entity’s information system and
communication relevant to the preparation of the financial statements through performing risk
assessment procedures. This includes:
Page | 83
Audit Manual
Version 7 (2022)
a) Understanding the entity’s information processing activities, including its data and
information, the resources to be used in such activities and the policies that define, for
significant classes of transactions, account balances and disclosures:
i. How information flows through the entity’s information system (see 3.4.5.1),
including how:
• Transactions are initiated, and how information about them is recorded,
processed, corrected as necessary, incorporated into the general ledger and
reported in the financial statements
• Information about events and conditions, other than transactions, is
captured, processed and disclosed in the financial statements. This may
include significant accounting estimates and disclosures.
ii. The accounting records, specific amounts in the financial statements and other
supporting records relating to the flows of information in the information system
(see 3.4.5.2);
iii. The financial reporting process used to prepare the entity’s financial statements,
including disclosures (see 3.4.5.3); and
iv. The entity’s resources, including the IT environment relevant to (a)(i) and (a)(ii)
above (see 3.4.5.4).
b) Understanding how the entity communicates significant matters that support the
preparation of the financial statements and related reporting responsibilities in the
information system and other components of the system of internal control (see 3.4.5.5):
i. Between people within the entity, including how financial reporting roles and
responsibilities are communicated;
ii. Between management and those charged with governance; and
iii. With external parties, such as those with regulatory authorities.
The information system can be summarised as shown in the diagram below:
(Exhibit 5.5-2 from the IFAC Guide to SME audits)
Page | 84
Audit Manual
Version 7 (2022)
The information system in less complex entities is likely to be less sophisticated than in larger,
more complex entities. Less complex entities with active management involvement may not
need extensive descriptions of accounting procedures, sophisticated accounting records, or
written policies. Therefore, the necessary understanding may be more dependent on inquiries of
entity personnel.
3.4.5.1 How information flows through the entity’s information system

How the information system deals with transactions
An entity’s business processes are the activities designed to:
• develop, purchase, produce, sell, and distribute an entity’s products and services
• ensure compliance with laws and regulations and
• record information, including accounting and financial reporting information.
Global Focus uses the following business cycles which relate to significant classes of
transactions:
• Financial Reporting (see 3.4.5.3)

• Investments
• Inventory
• Payroll
• Purchases, Payables, Payments
• Revenue, Receivables, Receipts
Documenting our understanding of the entity’s business processes for these cycles and
identifying the controls in place is a core element of understanding internal control. It may also
be helpful to document the interrelationship between these cycles where relevant. Business
process documentation involves recording the procedures, within both information technology
and manual systems, by which significant classes of transactions are initiated, recorded,
processed, corrected as necessary, incorporated in the general ledger and reported in the
financial statements as summarised in the diagram below:
How to obtain an understanding of business processes
Page | 85
Audit Manual
Version 7 (2022)
The methods available for obtaining understanding of business processes may include:
• Using the entity’s narratives or flowcharts – whilst this may be a quick means of
obtaining information, often the entity’s procedures have not been written from an
auditor’s perspective and it may be difficult to identify controls, assertions etc.
• Using prior year documentation – for continuing audits, using prior period
documentation may be appropriate subject to confirmation that there have been no
changes to systems, processes and controls
• Obtaining service auditor’s reports when the entity uses a service organisation
• Reviewing predecessor auditor workpapers in the case of an initial audit
• Performing a walkthrough which involves following a transaction from origination through
the entity’s processes, including information systems, until it is reflected in the entity’s
financial records, using the same documents and information technology that entity
personnel use. Note that the walkthrough is also used in confirming the implementation
of controls.

Business process documentation (often known as “system notes”) may take whatever form the
auditor chooses, which may include narrative system notes, flowcharts, entity documentation
and should be documented in the Global Focus software as external documents attached in the
‘Control Design’ folder:
In practice, auditors are likely to document the business processes and control activities at the
same time and will, along with documenting narrative system notes, complete the control cards
which record attributes (characteristics) of controls, their design, implementation and, where
relevant, testing, all of which is them automatically summarised in worksheet 532 as shown in
the extract below:
Page | 86
Audit Manual
Version 7 (2022)
How the information system captures events and conditions
The understanding of how the information system captures events and conditions, is typically
obtained in connection with obtaining an understanding of the entity’s financial reporting
process, particularly the financial statement closing and preparation processes. Examples of
events and conditions, other than transactions, that may be significant to the entity’s financial
statements include:
• Depreciation, amortisation, and revaluation

• Conditions affecting the recoverability of assets, such as an asset impairment
• Contingent liabilities, including those arising from litigation and claims
• Events or conditions that may cast significant doubt on the entity’s ability to continue as
a going concern
• Subsequent events requiring adjustment of, or disclosure in, the financial statements.
The entity’s processes may include, for example, discussions with business units, components,
or process leaders, reviews of business performance and review of the financial statements by
senior personnel.

As with the financial reporting process documentation above, the auditor will document their
understanding of how the information system captures events and conditions in narrative form
and will attach the documentation in the Control Design folder.
The auditor may also use Form 566 – Worksheet – Information flow – Business process, within
the Implementation of Controls/Walkthrough Procedures folder.
3.4.5.2 Accounting and other supporting records

Understanding the entity’s information processing activities also includes an understanding of
the accounting records, specific accounts in the financial statements and other supporting
records relating to the flows of information in the information system. This will include knowledge
of the financial accounting system and the chart of accounts utilised, but also of any external
records which may feed into the information system such as EPOS systems, external fixed asset
register, inventory records etc.

The nature of the accounting and other related records may be documented as part of the
auditor’s systems notes as described above.
The auditor may also use Form 566 – Worksheet – Information flow – Business process.
Page | 87
Audit Manual
Version 7 (2022)
3.4.5.3 Financial reporting process

The financial reporting process used to prepare the entity’s financial statements includes the
financial statement closing and preparation processes, consideration of disclosures and also
procedures related to:
• How events and conditions, other than transactions, that are significant to the financial
statements are captured
• Controls surrounding journal entries and other adjustments
• The selection and application of accounting policies (see Section 3.3.5)
• Significant accounting estimates
The financial statement closing process may involve procedures such as making corrections
and accruals, preparing reconciliations (such as for trade receivables or payables) and
accumulating information for financial statement preparation.
The financial statement preparation process relates to the development of the overall
presentation, structure, and content of the financial statements in accordance with the financial
reporting framework. This process may include, for example, evaluating the appropriateness
and consistency of accounting policies, the reasonableness of accounting estimates, the
adequacy of disclosures and in some cases, matters related to regulatory reporting.
Disclosures comprise explanatory or descriptive information which may be on the face of the
financial statements or in the notes, or may be cross-referred to information in another
document, such as an annual report.
The auditor may gain an understanding of disclosures through their understanding of the entity
and its environment based on prior knowledge or information obtained during the risk
assessment phase of the audit including discussions with management and those charged with
governance. Understanding disclosures and the related processes may assist in identifying risks
of material misstatement related to disclosures.
The auditor may consider factors such as the following when identifying and understanding
disclosures:
• financial reporting requirements, including changes to the requirements of the financial

reporting framework
• industry-specific disclosures
• regulatory requirements
• changes to the entity and its environment
• entity-specific factors such as investment or financing activities, related parties,
accounting estimates with high estimation uncertainty and material uncertainties related
to going concern.
Information disclosed in the financial statements may be obtained from within or outside of the
general and subsidiary ledgers. Examples of information that may be obtained from outside of
the general and subsidiary ledgers includes information obtained from:
Page | 88
Audit Manual
Version 7 (2022)
• lease agreements, such as renewal options or future lease payments

• the entity’s risk management system (e.g. credit risk, liquidity risk and market risk
disclosures)
• fair value estimates from management’s experts
• models or other calculations used to develop estimates, including information relating to
the underlying data and assumptions (either externally or internally generated)
• sensitivity analysis which demonstrates management’s consideration of alternative
assumptions
• tax returns and related records
• analyses prepared to support management’s assessment of the entity’s ability to
continue as a going concern and any related disclosures.

As with the business process documentation above, the auditor will document their
understanding of the financial reporting process in narrative form and will attach the
documentation in the Control Design folder.
Controls surrounding journal entries
Whilst recurring and non-recurring journal entries form part of the financial reporting process,
the auditor’s understanding of journals is required under ISA 315.26(a)(ii) under the heading
Control Activities, and so this is considered in this Audit Manual in section 3.4.6.
3.4.5.4 The entity’s resources, including the IT environment
Understanding the entity’s information system also includes an understanding of the resources
to be used in the entity’s information processing activities. Information about the human
resources involved that may be relevant to understanding risks to the integrity of the information
system include:
• The competence of the individuals undertaking the work;

• Whether there are adequate resources; and
• Whether there is appropriate segregation of duties.
The IT environment
Understanding the IT environment is intrinsically linked to the auditor’s consideration of risks

arising from IT and General IT Controls (GITCs) as required by ISA 315.26(c)(ii) – see section
3.4.6.5.

The resources and IT applications used to process transactions are recorded in Form 566 –
Worksheet – Information flow – Business process within the Implementation of
Controls/Walkthrough Procedures section of the Global Focus file.
Page | 89
Audit Manual
Version 7 (2022)
3.4.5.5 Communication of significant matters
The auditor is required to obtain an understanding of how the entity communicates significant
matters that support the preparation of the financial statements and related reporting
responsibilities in the information system and other components of the system of internal
control:
• Between people within the entity, including how financial reporting roles and
responsibilities are communicated;
• Between management and those charged with governance; and
• With external parties, such as those with regulatory authorities.
This involves providing an understanding of individual roles and responsibilities pertaining to

internal control over financial reporting. An entity may establish policies and procedures (for
example, a financial reporting manual) to achieve this communication.
External communications may include information about the entity’s objectives provided to
shareholders or other owners, business partners, customers, regulators, financial analysts,
governmental entities, and other external parties.
Communication may be less structured and easier to achieve in a less complex entity due to
fewer levels of responsibility and management’s greater visibility and availability.

The auditor’s understanding of financial reporting communication is documented in Form 530 -
Identifying risks through understanding the components of the entity’s system of internal control,
as shown below.
Page | 90
Audit Manual
Version 7 (2022)
3.4.6 Control activities

The auditor is required to obtain an understanding of control activities through performing risk
assessment procedures to identify controls that address the risks of material misstatement at
the assertion level.
3.4.6.1 Characteristics of control activities

Control activities are defined in the ISA Glossary as, “those policies and procedures that help
ensure that management directives are carried out”. They are typically more direct and precise
than pervasive controls in ensuring that transactions are appropriately recorded, accounting
records are maintained, receipts and expenditures are authorised, and unauthorised
acquisition, use, or disposition of assets would be prevented or detected. However, some
pervasive controls may be designed to operate at a level of precision that would adequately
prevent, or detect and correct, misstatements on a timely basis (e.g. a detailed review by senior
management of monthly monitoring reports of sales and operating data for numerous retail
locations).
Control activities can be described in terms of a number of different characteristics:
Indirect controls
Where the operation of a control which the auditor intends to test depends on the effective
operation of other control(s), the other controls are known as “indirect controls”. Many General
IT Controls (“GITCs”) are, in fact, indirect controls as the operation of control activities at the
application level often rely on the effective operation of GITCs. Indirect controls may also include
non-financial information produced by a separate process, the treatment of exceptions and
periodic reviews of reports by management.
Manual and automated (or automatic) controls
Control activities may be:
• Automated controls performed by an automated system without direct human

intervention
• Manual controls performed by an individual or individuals.
An entity’s mix of manual and automated controls varies with the nature and complexity of the
entity’s use of information technology (IT). For example, controls in a manual system may
include approvals, reviews of transactions and reconciliations whereas in IT systems there
would likely be a combination of automated controls embedded in computer programs and
manual controls.
Manual controls may:
• be independent of IT
• use information produced by IT
• be limited to monitoring the effective functioning of IT and of automated controls, and to
handling exceptions.
If a manual control is dependent on information from a system, or if an individual has to manually

intervene in a process that is otherwise automated, then there may be either two separate
Page | 91
Audit Manual
Version 7 (2022)
controls (a manual control and an automated control) or a single manual control supported by
an automated process (a manual IT dependent control).
Manual controls may be less reliable than automated controls because they can be more easily
bypassed, ignored, or overridden, and they are also more prone to simple errors and mistakes.
Consistency of application of a manual control cannot therefore be assumed. However, manual
controls may be more suitable where judgment and discretion are required, such as for large,
unusual or non-recurring transactions, where it may be difficult to define errors and when
monitoring the effectiveness of automated controls.
Control frequency
The frequency of a control is the same as the control population, which is defined as the number
of instances of operation of that control during the period under audit.
Examples
In an annual period, a month end control would have a frequency of 12.
In a nine-month period, a weekly control would have a frequency of 39.
In Global Focus, control frequencies are categorised as follows:
Control frequency Mapping to common control frequencies in Classification

an annual period
1 Yearly “Small” control

populations
2-4 Quarterly
5-12 Monthly
13-26 Fortnightly
27-53 Weekly
54-260 Weekdays
>260 Every day “Large” control

populations
OR
Control applied to every transaction
Preventative and detective controls
Typically, a mix of the following types of controls is appropriate in addressing risks:
• Preventative – controls that have the objective of preventing errors or fraud that could
result in a misstatement of the financial statements (e.g. an authorisation or approval
obtained prior to a transaction being processed)
• Detective - controls that have the objective of detecting and correcting errors, or
detecting fraud, that has already occurred that could result in a misstatement of the
financial statements (e.g. a reconciliation performed after transactions have been
processed).
Page | 92
Audit Manual
Version 7 (2022)

A control card is raised for each control activity which the auditor is required or otherwise
intends to document. The control card, as shown below, records the attributes (characteristics)
of the control, the conclusions reached regarding the assessment of design and implementation
(see Section 3.4.7) and, where relevant, the testing of the operational effectiveness of the
control (see Section 4.7). These details are then summarised automatically in the control
design/implementation Form 532 within the Control Design section of the Global Focus file.
The ability to record a control as being either Preventative or Detective within a control card
requires it to have first been linked to a risk card. This is done by clicking on the Risk link icon
within the Associations section. This brings up two icons, P and D, one of which can be selected
as appropriate:
When assessing the design of controls (see 3.4.7.1), there are other characteristics which the
auditor may consider but which are not formally documented in the control card. These
characteristics, which may impact the assessment of whether there is an appropriate mix of
controls as part of assessing the design of controls over a risk, include the following:
Page | 93
Audit Manual
Version 7 (2022)
Documented controls
A documented control is one where performance can be subsequently evidenced by supporting

documentation; when such documentation is either not produced or retained, the control is not
formally documented. It is possible in many cases to verify the design and implementation of
controls which are not formally documented, although the mix of documented/undocumented
controls may impact the auditor’s assessment of design.
Segregation of duties
A lack of segregation of duties can adversely impact on a control. For example, a manual
detective control may be less likely to identify errors and misstatements if it is performed by the
same person who processed the data being checked by the control.
Less complex entities often have fewer employees which may limit the extent to which
segregation of duties is practicable. In a small owner-managed entity, the owner-manager may
be able to exercise more effective oversight than in a larger, more complex entity, which may
compensate for the generally more limited opportunities for segregation of duties. On the other
hand, the owner-manager may be more able to override controls because the system of internal
control is less structured. This is taken into account by the auditor when identifying the risks of
3.4.6.2 Control activities the auditor must understand – Those prescribed by ISAs
As expected, most of the requirements to understand certain controls are found in ISA 315, but
other ISAs also contain requirements to understand specific control activities.
3.4.6.2a Controls that address a significant risk of material misstatement (ISA 315.26(a)(i))
Paragraph A158 of ISA 315 notes that regardless of whether the auditor plans to test the
operational effectiveness of controls that address significant risks, such an understanding is
nevertheless still required to help provide a basis for the design and performance of substantive
procedures in response to those risks.
Due to the rebuttable presumption in ISA 240.27, this will include controls over revenue on most
audits, but will also include controls over all other identified significant risks (see 3.5.7.1),
including
• any other material fraud risks, which are automatically designated as significant risks in
accordance with ISA 240.28;
• other risks of material misstatement where inherent risk is judged to be at the upper end
of the spectrum of inherent risk; and
• risks relating to identified significant related party transactions outside the normal course
of business (if any).
Controls related to significant risks arising from non-routine or judgmental matters
Risks relating to significant non-routine or judgmental matters are typically less likely to be
subject to routine control activities, and management may have other responses to deal with
such risks. Such responses may include:
• A review of assumptions by senior management or management’s experts.
Page | 94
Audit Manual
Version 7 (2022)
• Documented processes for estimations.

• Approval by those charged with governance.
Example
Where the entity receives notice of a significant lawsuit, the auditor may consider whether the
matter has been referred to legal counsel, whether an assessment has been made of the
potential effect, and proposals for the circumstances are to be disclosed in the financial
statements.
3.4.6.2b Controls over journal entries (ISA 315.26(a)(ii))

Journal entries includes recurring and non-standard journal entries used to record non-
recurring, unusual transactions or adjustments. Further characteristics and examples of each
type are summarised in the table below:
Type of Purpose Examples

journal entry
Standard, Typically used to record Examples include journal entries to:
recurring transactions and adjustments
• record sales, purchases and
journal entries that occur on a recurring basis in
cash disbursements in the
the normal course of business,
general ledger
including periodic accounting
• record accounting estimates
estimates, consolidation
that are periodically, such as
adjustments, and
changes to the provision of
reclassifications.
uncollectable accounts
receivable
• eliminating intercompany profit
or an investment in a subsidiary
Non-standard, Typically used to record Examples include journal entries

non-recurring transactions outside the normal related to:
journal entries course of business including non-
• adjustments related a business
recurring unusual transactions or
combination or disposal
adjustments. They may occur at
• non-recurring estimates such
any time during the period or
as asset impairment
during the financial reporting
• consolidation adjustments
process and may relate to
consolidation adjustments and • reclassifications when
reclassifications for purposes of preparing financial statements
financial statement preparation.
Obtaining an understanding of the entity’s journal entries and other adjustments generally
includes the types of journal entries and other adjustments; their frequency; and how and by
whom they are authorised, approved, recorded, and reported.
The processing of journal entries and other adjustments may involve both manual and
automated procedures and controls. Where information technology is used in the financial
reporting process, journal entries and other adjustments may exist only in electronic form. The
Page | 95
Audit Manual
Version 7 (2022)
auditor may consider the following when obtaining their understanding of relevant controls
journal entries:
• Segregation of duties
• Authorisation controls including access rights controlling authorisation, approval, and
recording of journal entries, including consideration of limits of authority
• Controls over the accuracy and completeness of journal entries
• Any monitoring of journal entries by management or internal audit
• Any monitoring of controls over journal entries by, for example, internal audit
• The financial statement closing and preparation processes
Non-standard journal entries and other adjustments are typically not subject to the same level of
internal control as standard journal entries and other adjustments. In obtaining an
understanding of and selecting for testing, non-standard journal entries may be identified
through the use of computer-assisted audit techniques or through inspection of ledgers,
journals, and supporting documentation.
Risk of management override of controls
Material misstatement of financial statements due to fraud often involves the manipulation of the
financial reporting process by recording inappropriate or unauthorised journal entries. This may
occur throughout the period or at period-end, or when management makes other adjustments,
such as consolidating adjustments and reclassifications.
Designing and performing audit procedures to test the appropriateness of journal entries and
other adjustments is a required response to fraud risks related to management override of
controls. The engagement team’s consideration of the risks of material misstatement associated
with inappropriate override of controls over journal entries is important since automated
processes and controls may reduce the risk of inadvertent error but do not overcome the risk
that individuals may inappropriately override such automated processes, for example, by
changing the amounts being automatically passed to the general ledger or to the financial
reporting system. Furthermore, where IT is used to transfer information automatically, there may
be little or no visible evidence of such intervention in the information systems.
See section 4.5.3.1 for details of testing journal entries.

The auditor will document their understanding of controls surrounding journal entries in narrative
form and will attach the documentation to Form 670 (Use of journal entries) or Form 670-I (Use
of journal entries – Audited using Inflo) or Form 670-M (use of journal entries – Audited using
Mindbridge) in the General Audit Procedures section of the Global Focus file in response to
Procedure 1.
3.4.6.2c Controls for when testing of operational effectiveness is planned (ISA 315.26(a)(iii))
This comprises any control that the auditor plans to test as part of the planned audit approach,
and hence where control risk is below the maximum, i.e. where any degree of reliance is to be
placed on the control. In Global Focus, if testing of operational effectiveness has not been
performed or is unsuccessful, control reliance is set as “No reliance/Not tested”.
This category also includes controls that address risks for which substantive procedures alone
do not provide sufficient appropriate audit evidence, i.e. a necessity to get the required audit
Page | 96
Audit Manual
Version 7 (2022)
evidence rather than the choice of the auditor. One of the most common examples of this is
controls over cash sales, where substantive evidence alone will rarely be sufficient.
3.4.6.2d Controls related to services provided by a service organisation (ISA 402.10)

Where an entity is using a service organisation, ISA 402.10 requires the auditor to identify
control activities related to the services being provided to the entity (and evaluate their design
and implementation (see 3.4.7).
3.4.6.2e Controls over related parties and related party transactions (ISA 550.14)
ISA 315.14 requires the auditor to inquire of management and others within the entity and to
perform other risk assessment procedures considered appropriate to obtain an understanding
of the controls, if any, that management has established to:
• Identify, account for and disclosure related party relationships and transactions in
accordance with the applicable financial reporting framework.
• Authorise and approve significant transactions and arrangements with related parties;
and
• Authorise and approve significant transactions and arrangements outside the normal
course of business.
The use of the phrase “if any” in paragraph 14 is important. It will often be the case, especially in
less complex entities, that there are no special controls over related party transactions and
disclosures, although such transactions may still be subject to routine controls over the relevant
business cycle. However, since the auditor is required to ask management and others within the
entity about the existence of such controls, the audit file should document that the auditor has
made such inquiries, even where there are no such controls.
3.4.6.3 Control activities the auditor must understand - Other controls

ISA 315.26(a)(iv) additionally requires the auditor to gain an understanding of other controls
(other than those prescribed by ISAs) to enable the auditor to fulfil the requirements of
paragraph 13 of the ISA, i.e. to
• identify and assess risks of material misstatement; and

• design further audit procedures.
The auditor is therefore not required to understand all control activities related to each business
cycle or to every assertion relevant to them. However, in most cases this would include all the
key controls over the accounting system if not already covered by one or more of the prescribed
categories above e.g. bank reconciliation, credit control procedures, authorisation of purchases
etc.
ISA 315.A165 suggests that the auditor may consider:
• Controls that address risks assessed as higher on the spectrum of inherent risk but have
not been determined to be at the upper end, and hence are not significant risks, i.e.
“near misses”.
• Controls related to reconciling detailed records to the general ledger.
• Complementary user entity controls, if using a service organisation (see 3.4.6.2d).
Page | 97
Audit Manual
Version 7 (2022)
Other factors relevant to the auditor’s judgment in deciding which controls to understand and
document include:
• materiality and significance of the related risk.

• size, complexity, and diversity of the entity, its organisation and ownership
characteristics, and its business and operations.
• applicable component of internal control and how specific controls operate individually
or in combination with others to prevent or detect and correct, material misstatement.
• nature and complexity of, and the extent of changes in, systems and operations,
including the use of service organisations.
• applicable legal and regulatory requirements; e.g. listed or public-sector entities may
have additional responsibilities with respect to internal control.
3.4.6.4 Examples of control activities

Control activities an entity may implement for business processes related to classes of
transactions include:
Controls Description Examples

Segregation of duties Separation of duties can reduce the The employee responsible for
opportunities for a person to be in a the accounts receivable
position to both perpetrate and processing has no access to
conceal errors or fraud. cash receipts.
Authorisation and Define who has the authority to Assigning responsibility to

approval approve various routine and non- authorise:
routine transactions and events.
• Hiring of new
Such authorisation and approval
employees;
can affirm the validity of
• Making investments;
transactions.
• Ordering goods and
services, and
• Extending credit to
customers.
Verifications Compares two or more items with Manual checks of goods

each other, or compares an item received to a valid order,
with a policy, and performs a checks to confirm that orders
follow-up action when the two items placed with suppliers are in
do not match or the item is not accordance with
consistent with policy. procurement policy.
Account Reviewing account reconciliations Reconciliations of bank

reconciliations on a timely basis, investigating accounts, sales transactions,
reconciling items and taking any intercompany balances,
necessary corrective actions. suspense accounts, etc.
Page | 98
Audit Manual
Version 7 (2022)
Controls Description Examples

Performance reviews Regular review and analyses of Analysis of operating results,
actual results versus budgets, comparing actual results to
forecasts, and prior period budget, and investigating
performance. It also involves variances.
relating different sets of data
(operating or financial) to one
another and comparing internal
data with external sources of
information. Unexpected variations
would be investigated and
corrective actions taken.
Physical controls Relate to the physical security of Such controls consist of asset
assets and permitted access to security (door locks and
entity premises, accounting restricted access to
records, computer programs, and inventory/records) and
data files. periodically comparing the
results of cash, security, and
inventory counts with
accounting records.
Controls over standing Controls over the processes to Controls put in place over the
data populate, update, and maintain the maintenance of price master
accuracy, completeness, and files.
validity of standing data.
Supervisory controls Assess whether other control Review by more senior

activities (particularly verifications, personnel of the operation of
reconciliations, authorisations and controls, such as review of
approvals, controls over standing bank reconciliations by the
data, and physical controls) are Chief Financial Officer.
being performed completely,
accurately, and according to policy
and procedures.
IT application controls Controls programmed into IT Checking the arithmetical

applications such as sales or accuracy of records, pricing
purchases. They include fully of invoices, edit checks of
automated and manually input data, numerical
dependent IT controls. sequence checks, and
production of exception
reports for manager review.
Control activities are designed to directly prevent a material misstatement from occurring or
detecting and then correcting a misstatement after it has occurred. In less complex entities, the
Page | 99
Audit Manual
Version 7 (2022)
concepts underlying control activities are likely to be similar to more complex entities, but their
relevance to the auditor may vary considerably.
In less complex entities it is likely that:
• controls may operate informally and not be formally documented, for example granting
credit to a customer may be more based on judgment and knowledge of the manager
rather than a formal credit limit.
• to the extent that control activities exist, they may be more limited in scope to the main
business cycles such as revenues, purchases and employment expenses.
• certain types of control activities may not be relevant because of controls applied by
management. Strong control over account balances and transactions by management
(for example, being the sole authority for granting credit to customers and approving
significant purchases) may lessen or remove the need for more detailed control
activities.
• more direct oversight by management may compensate for the more limited
opportunities for segregation of duties. However, domination of management by a single
individual can be a potential control deficiency since there is an opportunity for
management override of controls.
3.4.6.5 Risks arising from IT and understanding General IT Controls

In understanding the entity’s control activities, the auditor is also required to identify:
• the IT applications and the other aspects of the entity’s IT environment (see also 3.4.5.3)
that are subject to risks arising from the use of IT;
• the related risks arising from the use of IT; and
• the entity’s General IT Controls (“GITCs”) that address such risks.
Although information technology (IT) generally benefits an entity’s internal control, IT also poses
risks to internal control as shown in the table below:
Benefits of IT Potential risks arising from IT

• consistently applies predefined • reliance on systems or programs that
business rules and perform complex are inaccurately processing data,
calculations in processing large processing inaccurate data, or both
volumes of transactions or data • unauthorised access to data that may
• enhances timeliness, availability, and result in the destruction of data or
accuracy of information improper changes to data, including
• facilitates the additional analysis of the recording of unauthorised or non-
information existent transactions, or inaccurate
• enhances ability to monitor recording of transactions. Particular
performance of the entity’s activities risks may arise where multiple users
and its policies and procedures access a common database
• reduces the risk that controls will be • the possibility of IT personnel gaining
circumvented access privileges beyond those
• enhances effective segregation of necessary to perform their assigned
duties by implementing security duties, thereby breaking down the
controls in applications, databases, segregation of duties
and operating systems
Page | 100
Audit Manual
Version 7 (2022)
Benefits of IT Potential risks arising from IT

• unauthorised changes to systems,
programs, or data in master files
• failure to make necessary changes to
systems or programs
• inappropriate manual intervention
• potential loss of data or inability to
access data as necessary
For the IT applications relevant to the information system, understanding the nature and
complexity of the specific IT processes and GITCs that the entity has in place may assist the
auditor in determining which IT applications the entity is relying on to accurately process and
maintain the integrity of information in the entity’s information system.
Identifying which IT applications are subject to risks arising from the use of IT involves taking
into account identified controls, as these may involve the use of or rely on IT. Identified controls
may depend on system-generated reports, in which case the IT applications that produce those
reports may be subject to risks arising from the use of IT. ISA 315.A169 notes that where the
auditor does not plan to rely on controls over system-generated reports and instead plans to
directly test the inputs and outputs of such reports, the auditor may not identify the related IT
applications as being subject to risks arising from IT.
When the auditor has identified IT applications that are subject to risks arising from IT, other
aspects of the IT environment (.e.g. database, operating system, network) are likely to be
identified because such aspects support and interact with the identified applications.
Understanding the IT environment
General IT Controls apply to all technology, such as mainframe, miniframe, and end-user
environments, and are generally implemented to address the specific risks that IT poses to an
entity’s internal control. With respect to each of these technologies, controls activities will vary
based on various factors, such as the complexity of the IT environment and the underlying,
supported business processes.
In obtaining an understanding of the IT environment (Form 511- GF) the auditor considers:
• An overview of the IT system including design of the network, hardware and software
used, details of any third-party service providers
• IT governance arrangements including strategic plans, organisation charts, job
descriptions
• IT administration policies and procedures including password standards, authentication
(including the sharing of credentials), data retention policies, physical security, remote
access, email and internet usage and data archiving
• Technical support and training available to users
• Change management policies and procedures for changes to both hardware and
applications, including scheduling of major IT operations (new installations, major
upgrades etc)
• IT security, including logical access (internal and third-party access), passwords,
authorisation (user privileges) and administrator rights, provisioning and deprovisioning
(authorising new users, modifying existing users’ rights and removing user access upon
Page | 101
Audit Manual
Version 7 (2022)
termination or transfer), reviews of user privileges, virus protection, firewalls and

intrusion detection
• Physical access
• Business continuity and disaster recovery planning including identification of critical
business processes, business continuity plans, critical data backup policies, testing the
ability to restore from backup, offsite storage and alternative infrastructures
• Service organisations including service models, service agreements and compliance
with laws and regulations
• Any e-commerce activities, including related laws and regulations, controls over data
transfers between systems, backup and recovery procedures
• How the entity managers documents that may be used as source documents for the
financial statements but which are outside of the accounting applications (e.g. policies
over the control and use of spreadsheets)
In addition, the auditor uses Form 511 - GF to record detailed listings of the hardware and
applications used by the entity.
General IT Controls
General IT Controls are policies and procedures that relate to many applications and support
the effective functioning of IT application controls, thereby maintaining the integrity and security
of the data within the IT system. General IT Controls commonly include manual and automated
controls over the following categories, the relevance of which to each audit will depend upon the
complexity of the entity’s IT systems and the underlying business processes:
• Technology infrastructure – An infrastructure in which to operate, ranging from

communication networks for linking technologies to each other and the rest of the entity,
to the computing resources for applications to operate. Technology infrastructure
includes applications, databases, operating systems, and networks, including controls
over data centre and network operations. Further, maintaining technology often includes
incident management, such as backup and recovery procedures as well as disaster
recovery plans
• Security management – Sub-processes and control activities over who and what has
access to an entity’s technology, including who has the ability to execute transactions.
They generally cover access rights at the data, operating system (system software),
network, application, and physical layers
• Technology acquisition, development, and maintenance – Support the acquisition,
development, and maintenance of technology (both systems and applications) and
provides appropriate controls over changes to technology, which may involve requiring
authorisation of change requests, verifying the entity’s legal right to use the technology
in the manner in which it is being employed, reviewing changes, obtaining approvals,
and testing results, as well as implementing protocols to determine whether changes are
made properly.
Certain General IT Controls may be relevant to the audit only when certain events or conditions
exist. For example, controls over backup and recovery, as well as disaster recovery plans, may
not be relevant unless there are risks and consequences related to an incident during the
period.
Page | 102
Audit Manual
Version 7 (2022)
In documenting their understanding of General IT Controls (Form 530-GF) the auditor considers
policies, procedures and controls over:
• Corporate and IT governance and management

• Data management
• Business continuity
• Information security
• Change management
• Service organisations
• Accuracy, completeness and validity of data
• Segregation of duties
IT application controls
IT application controls are manual or automated procedures that typically operate at the
business cycle level and apply to the processing of transactions within individual applications. IT
application controls can be preventive or detective in nature and are designed to ensure the
integrity of the accounting records. Accordingly, IT application controls typically relate to
business processes used to initiate, record, process, and report transactions or other financial
data, ensuring that transactions occurred, are authorised, and are completely and accurately
recorded and processed. Examples include edit checks of input data and numerical sequence
checks, with manual follow-up of exception reports or correction at the point of data entry.
Examples
Some examples of IT application controls include:
• review of exception reports which are automatically generated by the system,

investigating any exceptions which arise and taking corrective action (Detective
control).
• edit checks of data such as system validation of the date, or numerical sequence
checks (Preventive control).
• authorisation controls over payments set to a specific dollar value or role, or for
specific items such as approval of expenses, or capital expenditure, opening bank
accounts.
• physical controls such as the use of access controls over server facilities,
authorisation for access to computer programs and data files.
• segregation of duties whereby IT staff and management do not have access to
financial systems for processing of transactions.

The understanding of the IT environment and detailed lists of hardware and systems are
documented on Form 511-GF in the Risk Assessment section of the Global Focus file.
Page | 103
Audit Manual
Version 7 (2022)
The understanding of General IT Controls is documented in Form 530-GF in the Control Design
section of the Global Focus file.
Page | 104
Audit Manual
Version 7 (2022)
Appendix 1 to Section 3.4 reproduces the table of illustrative examples of General IT Controls to
address examples of risks arising from the use of IT (including for different IT applications based
on their nature) from Appendix 6 to ISA 315.
3.4.7 Evaluating design and implementation of controls

The auditor is required to evaluate the design and determine implementation of controls relevant
to the audit. Obtaining an understanding of controls, including evaluating their design and
verifying implementation, does not provide audit evidence of the operating effectiveness of
controls. See section 4.7 for tests of the operating effectiveness of controls.
3.4.7.1 Design of controls

Evaluating the design of a control involves considering whether the control, alone or in
combination with other controls, is capable of effectively preventing, or detecting and
correcting, material misstatements (i.e. the control objective). An improperly designed control is
a control deficiency and may, depending on the circumstances, represent a significant
deficiency in internal control (see 3.4.8).
The ability to effectively evaluate the design of a control is therefore heavily dependent on the
quality of and level of detail in the auditor’s documentation of the client’s systems and controls.
Page | 105
Audit Manual
Version 7 (2022)
Control activities
Evaluating the design of a control activity is often an objective exercise. It requires the auditor to
consider whether a control activity should achieve its objective if it operates as documented.
Examples of poorly designed controls
1. A weekly bank reconciliation control is performed by marking cash book entries when
they appear on the bank statement.
This is a poorly designed control, as it does not fully reconcile the cash book to the bank
statement. Transactions which appear on the bank statement which the company has no
prior notification of may go unnoticed and unrecorded e.g. interest receivable or payable,
bank charges, settlement of accounts payable by direct bank transfer etc.
2. A monthly reconciliation between the receivables ledger and the receivables control
account is performed by one of two members of the finance team. The reconciliation is
independently reviewed and signed off by the Head of Finance to ensure they are properly
reconciled.
This sounds like a good control at first glance; there is segregation of duties via the
independent review, and the fact that two persons are authorised to perform it should
mean there are no instances that are missed due to holiday, sick leave etc. However, this
is primarily a control that should detect and correct misstatements. If any reconciling
differences are identified but never corrected (i.e. they appear every month on the
reconciliation), then the design of the control is deficient.
3. All purchases invoices must be authorised by the person who ordered the related goods
or services. The finance department photocopies all purchase invoices received before
sending the originals to the purchase originator for authorisation. Invoices are not marked
for payment within the accounting system until they have been authorised.
If the original invoice is lost before it is authorised, the finance team may send a
photocopy to the originator to authorise instead. If the original invoice is subsequently
found, there is a risk of recording and paying the same invoice twice. This is particularly
true where:
• Large volumes of invoices for identical or similar amounts are received from a
supplier.
• The supplier’s invoice number is not checked to the system before being recorded
within the payables ledger.
• Purchase orders are not raised for all orders, or purchase invoices are not
matched to purchase orders and/or goods received notes (GRNs), either
physically or within the accounting system.
If it is not possible for purchase originators to authorise invoices directly in the accounting
system, then it would be better for the financial department to retain the originals and to
send photocopies for authorisation signature. The photocopy can then be attached to the
original when the invoice is entered into the accounting system.
Page | 106
Audit Manual
Version 7 (2022)
Purchase invoice authorisation controls should also ideally include procedures for dealing
with lost or mislaid invoices to avoid the risk of duplicate payment. For example:
• Photocopies of invoices should never be recorded on the accounting system.
• If an invoice has been lost or mislaid, a proper duplicate invoice should be

obtained from the original supplier. Duplicate invoices should only be requested
by authorised persons and logged as such.
Duplicate invoices sent by suppliers should be clearly marked as such or stamped as

being a duplicate on receipt within the finance department.
Pervasive (entity level) controls
The evaluation of the design of pervasive (entity level) controls will be more subjective. An
understanding of pervasive controls provides an important foundation for evaluating specific
controls. In addition, certain significant deficiencies in pervasive controls may call into question
the integrity or competence of management. Significant deficiencies in pervasive (entity level)
controls may have a bearing on the overall audit strategy and audit plan.
The design of pervasive controls can also relate to the nature and complexity of the entity. For
example, in a less complex, straightforward owner-managed business, the owner’s monthly
review of a small number of critical metrics or KPIs may be sufficient to identify any material
discrepancies. However, in a large complex business, the management accounts may
necessarily need to be more detailed with the inclusion of prior period data for comparison
purposes, and reviewed more frequently by lower level management who have a better grasp of
the day-to-day detail than senior management.
General IT Controls
Similarly, the identification of significant deficiencies in General IT Controls may have a more
pervasive effect on the audit and are taken into account when evaluating relevant IT controls at
the business process level. An IT application control may still be effective, even if significant
deficiencies exist in General IT Controls, depending upon the nature of the significant deficiency
and whether the relevant controls, individually or in combination, are capable of effectively
preventing, or detecting and correcting, material misstatements.
3.4.7.2 Implementation of controls

A control has been implemented when a properly designed control exists and is being used by
the entity in accordance with its design. ISA 315.A176 notes that there is little point in assessing
the implementation of a control that is not designed effectively, and thus the design of a control
is evaluated first.
Inquiry alone is not sufficient for purposes of determining whether controls have been
implemented. Other risk assessment procedures which may be used to obtain audit evidence
about the design and implementation of controls may include:
• observing the application of controls

• inspecting documentation and reports
• tracing transactions through the information system by performing a walkthrough
• obtaining a service auditor’s report when the entity uses a service organisation
Page | 107
Audit Manual
Version 7 (2022)
• using the work of the internal audit function and performing procedures on their work
When obtaining the understanding of business process, the auditor may consider questions
related to matters such as the following when determining whether controls are implemented:
• How errors are identified

• What action is taken when finding an error or what happens as a result of finding an
error
• What errors were found and how were they resolved; if an error has never been found,
consider the reasons why
• Whether entity personnel have been asked to override the process (or control) and, if
so, the related situation, including why and what happened
If a control is not implemented, a control deficiency exists which may affect the engagement
team’s evaluation as to whether the control, individually or in combination with other controls, is
capable of effectively preventing, or detecting and correcting, material misstatements.

The auditor’s assessment of the implementation of controls is recorded in the Implementation of
Controls/Walkthrough Procedures section of the Global Focus software.
3.4.8 Identifying control deficiencies and significant deficiencies

Identifying control deficiencies
The auditor may identify deficiencies in internal control not only during risk assessment and
planning, but also at any other stage of the audit. A control deficiency exists when:
• a control is designed, implemented, or operated in such a way that it is unable to

prevent, or detect and correct, misstatements in the financial statements on a timely
basis; or
• a control necessary to prevent, or detect and correct, misstatements in the financial
statements on a timely basis is missing.
Factors to consider when considering whether control deficiencies exist may include:
Pervasive • Missing or ineffective controls addressing key elements of an internal

(Entity level) control component, particularly the control environment, entity’s risk
controls assessment process, and entity’s monitoring of controls
• Missing or ineffective GITCs addressing technology infrastructure;
security management; or technology acquisition, development, and
maintenance
• Potential effect on the foundation of other controls, including the
design and operation of specific controls
Control • Missing or ineffective controls, in particular those addressing what

activities can go wrong
• Segregation of duties issues
• Control not performed by appropriate, competent individual
Page | 108
Audit Manual
Version 7 (2022)
• Control not operating frequently or on a timely basis

• Control not sufficiently precise
• Inappropriate mix of controls, considering:
o detective versus preventive controls
o controls that are not formally documented
o monitoring or supervisory controls versus transactional controls
Segregation of duties
Segregation of duties typically involves dividing the responsibility for authorisation and approval,
recording and reporting, and the custody of assets. For instance, a manager who authorises
credit sales would not have responsibility for maintaining accounts receivable records or
handling cash receipts. Where segregation of duties is not practical, management typically
selects and develops alternative controls (e.g. detective controls).
Segregation of duties also addresses important risks related to management override of

controls. It reduces, but does not prevent, the possibility of one person acting alone. When key
business process responsibilities are divided between at least two competent individuals,
collusion is needed to perform fraudulent activities. Form 530-SEG provides guidance.
While the concepts underlying controls, and in particular control activities, in less complex
entities are likely to be similar to those in complex entities, the formality with which they operate
will vary. Further, less complex entities may find that certain types of control activities are not
necessary because of controls performed by management. For example, management’s sole
authority for granting credit to customers and approving significant purchases can provide
effective control over important account balances and transactions, lessening or removing the
need for more detailed control activities.
Also, less complex entities often have fewer employees, which may limit the extent to which
segregation of duties is practicable. However, in a small owner-managed entity, the owner-
manager may be able to exercise more effective oversight than in a larger, more complex entity.
Page | 109
Audit Manual
Version 7 (2022)
This oversight may mitigate control deficiencies related to the generally more limited
opportunities for segregation of duties. On the other hand, management may be more able to
override controls because the system of internal control is less structured. Accordingly, the
higher level of management oversight needs to be balanced against the greater potential for
management override of controls, which is taken into account by the engagement team when
identifying risks of material misstatement due to fraud.
Determining whether control deficiencies constitute significant deficiencies
A significant deficiency is a control deficiency or combination of control deficiencies that, in the

auditor’s professional judgment, is of sufficient importance to merit the attention of those
charged with governance. The significance of a control deficiency or a combination of control
deficiencies depends not only on whether a misstatement has actually occurred, but also on the
likelihood that a misstatement could occur and the potential magnitude of the misstatement.
Significant deficiencies may therefore exist, even though the misstatements have not been
identified during the audit.
Controls may be designed to operate individually or in combination to effectively prevent, or

detect and correct, misstatements. A control deficiency on its own may not be sufficiently
important to constitute a significant deficiency. However, a combination of control deficiencies
affecting the same class of transactions, account balance, or disclosure, relevant assertion, or
component of internal control may increase the risks of misstatement to such an extent as to
give rise to a significant deficiency. The determination of whether one or more control
deficiencies, individually or in combination, constitute significant deficiencies assists the auditor
in evaluating the design of relevant controls.
In determining whether a control deficiency or combination of control deficiencies constitutes a

significant deficiency the auditor may consider:
• The likelihood of the control deficiencies leading to misstatements in the current financial
statements or in the future
• The susceptibility to loss or fraud of the related asset or liability
• The subjectivity, complexity, or extent of judgment involved in determining estimated
amounts, such as fair value accounting estimates
• The financial statement amounts exposed to the control deficiencies
• The volume of activity that has occurred or could occur (in the current period or
expected in future periods) in the account balance or class of transactions exposed to
the control deficiencies
• The importance of the controls to the financial reporting process; for example controls
over:
o general monitoring, such as those relating to the oversight of management

o prevention and detection of fraud
o selection and application of significant accounting policies
o significant transactions with related parties
o significant transactions outside the entity’s normal course of business
o the financial statement closing and preparation processes, including controls over
nonstandard journal entries or other adjustments
• The cause and frequency of the exceptions detected as a result of the control
deficiencies
Page | 110
Audit Manual
Version 7 (2022)
• The precision of the control(s) and the interaction or relationship of the control(s) with
other controls
• The interaction of the control deficiency with other control deficiencies. (ISA 265.A6)
Examples
Indicators of the existence of significant deficiencies include, for example:
• Evidence of ineffective aspects of the control environment, such as:
o Indications that significant transactions in which management is financially interested

are not being appropriately scrutinised by those charged with governance
o Identification of management fraud, whether or not material, that was not prevented
by the entity’s internal control
o Management’s failure to implement appropriate remedial action on significant
deficiencies previously communicated.
• Evidence of ineffective aspects of the entity’s risk assessment process, such as:
o Management’s failure to identify a risk of material misstatement that the engagement

team would expect the entity’s risk assessment process to have identified
o Ineffective management response to identified significant risks (e.g. absence of
controls over such a risk)
o The absence of a risk assessment process within the entity where such a process
would ordinarily be expected to have been established
• Misstatements detected by audit procedures that were not prevented, or detected and
corrected, by the entity’s internal control
• Restatement of previously issued financial statements to reflect the correction of a
material misstatement due to fraud or error
• Evidence of management’s inability to oversee the preparation of the financial statements.
Impact of control deficiencies on control reliance
Where significant deficiencies are identified in GITCs, control reliance may NOT be set at the
highest available level (“High”) (see section 3.5.6). Careful auditor judgment is required as to
whether a controls-based approach is viable in such circumstances.
Financial reporting process

The financial reporting process used to prepare the group’s consolidated financial statements
includes the consolidated financial statement closing, consolidation and preparation processes,
consideration of disclosures and also procedures related to:
• how events and conditions, other than transactions, that are significant to the
consolidated financial statements are captured
• controls surrounding journal entries and other adjustments
• the consolidation process.
• the selection and application of accounting policies (see Section 3.3.5)
Page | 111
Audit Manual
Version 7 (2022)
• significant accounting estimates.
The consolidation process includes making consolidation adjustments, including the elimination
of intercompany balances, transactions and intragroup profits/losses, the elimination of
investments in consolidated components, component equity and pre-acquisition reserves, and
may include adjustments for goodwill on consolidation and any impairment thereof. It may also
include adjustments to components’ financial information to achieve uniformity of accounting
policies and financial reporting framework.
How the information system captures events and conditions
The understanding of how the information system captures events and conditions, is typically
obtained in connection with obtaining an understanding of the group’s financial reporting
process, particularly the consolidated financial statement closing, consolidation and preparation
processes.
The group’s processes may include, for example, discussions with components, reviews of
component performance and component financial statements by group management.
Consolidation process (ISA 600.10)
The consolidation process includes:
• The recognition, measurement, presentation, and disclosure of the financial information

of components in group financial statements by way of consolidation, proportionate
consolidation, or the equity or cost methods of accounting
• The aggregation in combined financial statements of the financial information of
components that have no parent but are under common control.
The matters about which the group auditor is required to obtain an understanding are set out in
Appendix 2 to ISA 600 and include the following matters relating to the consolidation process:
• Financial reporting framework including accounting policies, identification of and

accounting for components and segments, identification and reporting of related parties
and dealing with components with a different year end to the group
• Consolidation process including group management’s processes for understanding
accounting policies of components and ensuring uniform accounting policies are used,
ensuring complete, accurate and timely reporting by components, currency translation
and subsequent events
• Consolidation adjustments including processes and controls around journal entries,
identification of adjustments required, transactions between components, processes
around intragroup transactions and identification of fair value adjustments.

The auditor will document their understanding of the consolidation process in narrative form and
will attach the documentation to Form 670 (Use of journal entries) or Form 670-I or Form 670-M
in the General Audit Procedures section of the Global Focus file in response to Procedure 1.
Page | 112
Audit Manual
Version 7 (2022)
Appendix 1 Examples of General IT Controls to address examples of risks arising from

the use of IT, including for different IT applications based on their nature (taken from
ISA 315 Appendix 6)
Process Risks Controls IT Applications
IT process Example Example Non-complex Mid-size and Large or

Risks Arising General IT commercial moderately complex IT
from the Use Controls software – complex applications
of IT Applicable commercial (e.g. ERP
(yes/no) software or IT systems) -
applications - Applicable
Applicable (yes/no)
(yes/no)
Manage User-access Management Yes – instead Yes Yes

Access privileges: approves the of user
Users have nature and access
access extent of user- reviews noted
privileges access below
beyond those privileges for
necessary to new and
perform their modified user
assigned access,
duties, which including
may create standard
improper application
segregation profiles/roles,
of duties. critical financial
reporting
transactions and
segregation of
duties.
Access for Yes – instead Yes Yes

terminated or of user
transferred access
users is reviews below
removed or
modified in a
timely manner.
User access is Yes – instead Yes for Yes

periodically of certain
reviewed provisioning/ applications
deprovisioning
controls
above
Page | 113
Audit Manual
Version 7 (2022)

Applicable (yes/no)
(yes/no)
Segregation of N/A – no Yes for Yes

duties is system certain
monitored and enabled applications
conflicting segregation
access is either
removed or
mapped to
mitigating
controls which
are documented
and tested.
Privileged-level Yes – likely at Yes at IT Yes at all

access (e.g. IT application application layers of IT
configuration, layer only and certain environment
data and layers of IT for platform
security environment
administrators) for platform
is authorised
and
appropriately
restricted.
Manage Direct data Access to N/A Yes for Yes

access access: application data certain
Inappropriate files or database applications
changes are objects/ tables/ and
made directly data is limited to databases
to financial authorised
data through personnel,
means other based on their
than job
application responsibilities
transactions. and assigned
role, and such
access is
approved by
management.
Page | 114
Audit Manual
Version 7 (2022)

Applicable (yes/no)
(yes/no)
Manage System Access is Yes – Yes – mix of Yes

access settings: authenticated password password and
Systems are through unique authentication multi-factor
not user IDs and only authentication
adequately passwords or
configured or other methods
updated to as a mechanism
restrict for validating
system that users are
access to authorised to
properly gain access to
authorised the system.
and Password
appropriate parameters
users. meet company
or industry
standards (e.g.
password
minimum length
and complexity,
expiration,
account
lockout).
The key N/A – no Yes for Yes

attributes of the technical certain
security security applications
configuration configurations and
are exist databases
appropriately
implemented.
Manage Application Application N/A – would Yes for Yes

change changes: changes are verify no commercial
Inappropriate appropriately source code software
changes are tested and installed
made to approved before
application being moved
Page | 115
Audit Manual
Version 7 (2022)

Applicable (yes/no)
(yes/no)
systems or into the

programs production
that contain environment.
relevant
Access to N/A Yes for non- Yes
automated
implement commercial
controls (i.e.
changes into the software
configurable
application
settings,
production
automated
environment is
algorithms,
appropriately
automated
restricted and
calculations
segregated from
and
the
automated
development
data
environment.
extraction) or
report logic.
Manage Database Database N/A – no Yes for non- Yes

change changes: changes are database commercial
Inappropriate appropriately changes software
changes are tested and made at entity
made to the approved before
database being moved
structure and into the
relationships production
between the environment.
data.
Manage System System software N/A – no Yes Yes

change software changes are system
changes: appropriately software
Inappropriate tested and changes
changes are approved before made at entity
made to being moved to
system production.
software
(e.g.
Page | 116
Audit Manual
Version 7 (2022)

Applicable (yes/no)
(yes/no)
operating
system,
network,
change-
management
software,
access-
control
software).
Manage Data Management N/A – Yes Yes

change conversion: approves the addressed
Data results of the through
converted conversion of manual
from legacy data (e.g. controls
systems or balancing and
previous reconciliation
versions activities) from
introduces the old
data errors if application
the system or data
conversion structure to the
transfers new application
incomplete, system or data
redundant, structure and
obsolete or monitors that
inaccurate the conversion
data. is performed in
accordance with
established
conversion
policies and
procedures.
IT Network: The Access is N/A – no Yes Yes

operations network does authenticated separate
not through unique network
adequately user IDs and
Page | 117
Audit Manual
Version 7 (2022)

Applicable (yes/no)
(yes/no)
prevent passwords or authentication

unauthorised other methods method exists
users from as a mechanism
gaining for validating
inappropriate that users are
access to authorised to
information gain access to
systems. the system.
Password
parameters
meet company
or professional
policies and
standards (e.g.
password
minimum length
and complexity,
expirations,
account
lockout).
Network is N/A – no Yes – with Yes – with

architected to network judgment judgment
segment web- segmentation
facing employed
applications
from the internal
network, where
ICFR relevant
applications are
accessed.
On a periodic N/A Yes – with Yes – with

basis, judgment judgment
vulnerability
scans of the
network
perimeter are
Page | 118
Audit Manual
Version 7 (2022)

Applicable (yes/no)
(yes/no)
performed by
the network
management
team, which
also investigates
potential
vulnerabilities.
On a periodic N/A Yes – with Yes – with

basis, alerts are judgment judgment
generated to
provide
notification of
threats identified
by the intrusion
detection
systems. These
threats are
investigated by
the network
management
team.
Controls are N/A – no VPN Yes – with Yes – with

implemented to judgment judgment
restrict Virtual
Private Network
(VPN) access to
authorised and
appropriate
users.
IT Data backup Financial data is N/A – relying Yes Yes

operations and backed up on a on manual
recovery: regular basis backups by
Financial according to an finance team
data cannot established
be recovered
or accessed
Page | 119
Audit Manual
Version 7 (2022)

Applicable (yes/no)
(yes/no)
in a timely schedule and

manner when frequency.
there is a
loss of data.
IT Job Only authorised N/A – no Yes for Yes

operations scheduling: users have batch jobs certain
Production access to applications
systems, update the
programs or batch jobs
jobs result in (including
inaccurate, interface jobs) in
incomplete or the job
unauthorised scheduling
processing of software.
data.
Critical systems, N/A – no Yes for Yes
programs or batch jobs certain
jobs are applications
monitored, and
processing
errors are
corrected to
ensure
successful
completion.
Page | 120
Audit Manual
Version 7 (2022)
3.5 Assessing risks of material misstatement at the assertion level
Contents
3.5.1 Introduction
3.5.2 The risk assessment process
3.5.3 Recording risks in Global Focus
3.5.4 Assertions used in Global Focus
3.5.5 Assessing inherent risk
3.5.6 Assessing control risk
3.5.7 Assessing the risk of material misstatement (RMM)
3.5.7.1 Identifying significant risks
3.5.7.2 Understanding controls over significant risks
3.5.7.3 Risks for which substantive procedures alone are not sufficient
3.5.7.4 Fraud risks
3.5.7.5 The “stand back” requirement
3.5.8 Revision of risk assessment
Appendix 1 Events and conditions that may indicate risks of material misstatement (taken
from ISA 315 Appendix 2)
Appendix 2 Mapping of Global Focus assertions to ISA 315
risks of material misstatement (ISA 315.11)
The objectives(s) of the audit are to identify and assess the risks
of material misstatement of the financial statements due to fraud
(ISA 240.11(a))

an audit of a financial report
• ISA 315 Identifying and assessing the risks of material
misstatement
• ISA 330 The auditor’s responses to assessed risks
• ISA 550 Related Parties
Global Focus software Risk Card

Form FSA (Financial Statement Areas)
Form 520E Risk Report
Policy requirements
(if any)
Page | 121
Audit Manual
Version 7 (2022)
3.5.1 Introduction
A risk of material misstatement is defined in the ISA Glossary as the risk that the financial
statements are materially misstated prior to audit. This consists of two components:
• Inherent risk – the susceptibility of an assertion about a class of transaction, account

balance or disclosure to a misstatement that could be material, either individually or
when aggregated with other misstatements, before consideration of any related controls
(see Section 3.5.5); and
• Control risk – the risk that a misstatement that could occur in an assertion about a class
of transaction, account balance or disclosure and that could be material, either
individually or when aggregated with other misstatements, will not be prevented, or
detected and corrected, on a timely basis by the entity’s internal control (see Section
3.5.6)
An RMM is therefore illustrated by the following diagram:
The auditor is required to identify and assess risks of material misstatement at the financial
statement level and the assertion level for classes of transactions, account balances and
disclosures to provide a basis for designing and performing further audit procedures. Risks are
identified from risk assessment procedures including obtaining an understanding of the entity
Page | 122
Audit Manual
Version 7 (2022)
and its environment (see Section 3.3), including the entity’s system of internal control, and
considering the classes of transactions, account balances and disclosures in the financial
statements. Appendix 1 to Section 3.5 provides examples of events and conditions which may
indicate the existence of risks of material misstatements.
Having identified risks, the first stage is to assess whether those risks are applicable at the
financial statement level or assertion level. Risks of material misstatement at the assertion level
for classes of transactions, account balances and disclosures are considered to assist in
determining the nature, timing and extent of further audit procedures necessary to obtain
sufficient appropriate audit evidence. In identifying and assessing risks of material misstatement
at the assertion level, the auditor may conclude that the identified risks relate more pervasively
to the financial statements as a whole and potentially affect many assertions. This section of the
audit manual focuses on the assessment of assertion level risks. See Section 3.6 for identifying
and assessing financial statement level risks.
For identified risks of material misstatement at the assertion level, the auditor then assesses
inherent risk by assessing the likelihood and magnitude of misstatement. In doing so, the auditor
takes into account how, and the degree to which:
• inherent risk factors affect the susceptibility of relevant assertions to misstatement; and
• the risks of material misstatement at the financial statement level affect the assessment
of inherent risk for risks of material misstatement at the assertion level.
The auditor also assesses control risk.
Using the assessments of inherent and control risk, the auditor then assesses the risk of
material misstatement for each identified risk. This includes determining whether any of these
assessed risks of material misstatement are significant risks.
Page | 123
Audit Manual
Version 7 (2022)
3.5.2 The Risk Assessment process
3.5.3 Recording risks in Global Focus

Risks are recorded in Global Focus using risk cards. Having identified and documented the risks
arising from our understanding of the entity and its environment, including its system of internal
control, the auditor may document details of the risk identified which are specific to the client or
Page | 124
Audit Manual
Version 7 (2022)
select the relevant risk from a risk library in the Global Focus software. Significant risks (those
risks at the upper end of the spectrum of inherent risk and those required by be treated as
significant by ISAs) are identified by checking the relevant box in the risk card.
Risk Identification
The following fields are populated in the risk card in Global Focus detailing the characteristics of
each identified risk:
• Risk name
• Risk description
• Source/reference linking to where in the audit file the risk is identified
• Financial statement area
• Business cycles affected
Page | 125
Audit Manual
Version 7 (2022)
Risk Assessment
Having recorded a description and the characteristics of the identified risk, the risk assessment
is documented for the following:
• relevant assertions (selected after selecting financial statement areas in the risk card
above as shown below) and business cycles affected
• inherent risk factors
• likelihood of misstatement
• magnitude of misstatement (monetary impact)
• inherent risk
• control reliance
• risk of material misstatement
• designation as a significant risk (or not)
Risk Response
In the risk response section of the risk card, an assessment of management’s response the risk
is made using the following categories:
• Yes - management’s response fully addresses the risk, including consideration of all
assertions at risk.
• Some - management has not fully addressed the risk, for example either the response
addresses some but not all the assertions considered at risk, or the response was not in
place for the entire period.
• No - management’s response does not mitigate the risk.
The effectiveness of management’s response will impact the auditor’s response. For example,
where management has established controls to assess the risk, the auditor may assess and
consider testing those controls. On the other hand, where management has not addressed the
risk, the auditor will develop an appropriate audit response to address the risk.
Finally, the auditor concludes on whether the audit response has addressed the risk. Typically,
this would be answered yes as the auditor’s response will have addressed the risk even if there
are misstatements and findings reported to the entity. On the rare occasion where the auditor’s
response does not address the risk, the auditor considers the impact on their audit report.
3.5.4 Assertions used in Global Focus

In representing that the financial statements are in accordance with the applicable financial
reporting framework, management implicitly or explicitly makes assertions regarding the
recognition, measurement, presentation and disclosure of the elements of the financial
statements and related disclosures.
The assertions used by the auditor to consider the potential types of misstatements in Global
Focus, and their definitions, are:
Page | 126
Audit Manual
Version 7 (2022)
Assertion Definition
Completeness • All assets, liabilities, equity interests, transactions and events
(C) that should have been recorded have been recorded, and all
related disclosures that should have been included in the
financial statements have been included
Existence and • Transactions and events that have been recorded or disclosed
Occurrence have occurred, and such transactions and events pertain to the
(E&O) entity
• Assets, liabilities and equity interests exist
Accuracy • Amounts and other data relating to recorded transactions and

(A) events have been recorded appropriately and financial and
other information is disclosed fairly and at appropriate amounts
• Assets, liabilities, and equity interests have been included in the
financial report at appropriate amounts
Valuation and • Valuation or allocation adjustments to assets, liabilities and

Allocation equity interests have been appropriately recorded, and financial
(V&A) and other information is disclosed fairly and at appropriate
amounts
Rights and Obligations • The entity holds or controls the rights to assets, and liabilities
(R&O) are the obligations of the entity
Cut-off • Transactions and events have been recorded in the correct

(CO) accounting period
Classification and • Assets, liabilities, equity interests, transactions and events have
Presentation been recorded in the proper accounts
(C&P) • Assets, liabilities, equity interests, transactions, events, are
appropriately aggregated or disaggregated and clearly
described, and related disclosures are relevant and
understandable in the context of the requirements of the
applicable financial reporting framework
These assertions are mapped to those described in ISA 315.A190 in Appendix 2 to this section.
Considerations specific to public sector entities
When making assertions about the financial statements of public sector entities, in addition to
the assertions above, management may often assert that transactions and events have been
carried out in accordance with law, regulation or other authority. In certain circumstances, such
assertions may fall within the scope of the financial statements audit and auditors would need to
develop an appropriate risk assessment and response.
Page | 127
Audit Manual
Version 7 (2022)
3.5.5 Assessing inherent risk

Inherent risk is the susceptibility of an assertion about a class of transactions, account balance
or disclosure to misstatement that could be material, either individually or when aggregated with
other misstatements, before consideration of any related controls.
Inherent risk is higher for some assertions and related classes of transactions, account
balances, and disclosures than for others. The auditor uses professional judgment to assess
inherent risk by assessing the likelihood and magnitude of misstatement and determining the
significance of that combination.
In considering the likelihood of a misstatement, the auditor considers the possibility that a
misstatement may occur, based on consideration of inherent relevant risk factors. Inherent risk
factors are defined as characteristics of events or conditions that affect susceptibility to
misstatement. Such factors may be quantitative or qualitative, and include:
• Complexity
• Subjectivity
• Change
• Uncertainty
• Susceptibility to management bias
• Other fraud risk factors (insofar as they affect inherent risk)
For example, the likelihood of misstatement may be higher for:
• complex calculations or for accounts consisting of amounts derived from accounting

estimates that are subject to significant estimation uncertainty.
• technological developments might make a particular product obsolete, thereby causing
inventory to be more susceptible to overstatement.
Paragraph A8 of ISA 315 also note that other inherent risk factors that affect susceptibility to
misstatement of an assertion may include:
• The quantitative or qualitative significance of the class of transactions, account balance

or disclosure; or
• The volume or a lack of uniformity in the composition of the items to be processed
through the class of transactions or account balance, or to be reflected in the
disclosure.
It is also possible that the auditor may identify other inherent risk factors relevant to a particular
assertion. For these reasons, the list of risk factors that can be selected within the risk card
includes a category of “Other”.
In Global Focus, the likelihood of misstatement is categorised as follows:
Page | 128
Audit Manual
Version 7 (2022)
Likelihood terminology Definition
Highly unlikely So unlikely as to be negligible, such that no audit response is

required
Likely Sufficiently likely that an audit response is required i.e. not

negligible, but not “Very likely”
Very likely More likely than not, i.e. greater than a fifty per cent chance of
occurring
In considering the magnitude of a misstatement, the auditor considers the qualitative and
quantitative aspects of the possible misstatement i.e. misstatements may be judged to be
material due to size, nature or circumstances.
In Global Focus, the magnitude of misstatement is categorised in relation to performance

materiality (“PM”) as follows:
Magnitude terminology Definition
Not material Magnitude of misstatement is lower than PM
AND
Would not, if it occurred, increase an class of transaction,

account balance or disclosure that was below PM such that it
became above PM
Material Magnitude of misstatement exceeds PM
OR
Magnitude of misstatement is lower than PM, but would, if it

occurred, increase an class of transaction, account balance or
disclosure that was below PM such that it became higher than
PM
Very material Magnitude of misstatement is a multiple of PM
The auditor then uses the significance of the combination of the likelihood and magnitude to
determine where the risk lies on the spectrum of inherent risk. For a risk to be assessed as
higher on the spectrum, it does not mean that both the magnitude and likelihood need to be
assessed as high; rather, it is the intersection of these parameters that is key. Different
combinations of magnitude and likelihood may result in a higher inherent risk assessment.
In assessing the inherent risk of identified risks of material misstatement at the assertion level,
the auditor also takes into account how, and the degree to which it is affected by risks of
material misstatement at the financial statement level (entity level risks), for example, a lack of
sufficient working capital to continue operations or a declining industry characterised by a large
number of business failures.
Page | 129
Audit Manual
Version 7 (2022)
Having determined the likelihood and magnitude of inherent risk, the auditor then determines
where on the spectrum of inherent risk the identified risk lies. In Global Focus, inherent risk is
categorised as follows:
Inherent risk terminology Definition
Negligible Likelihood of misstatement is “Highly unlikely”
AND/OR
Magnitude of misstatement is “Not material”
Lower Higher than “Negligible”, thus requiring an audit response
Higher Higher than “Lower”, but not at the upper end of the spectrum
of inherent risk (see section 3.5.7.1)
Upper end At the upper end of the spectrum of inherent risk and which, by
definition, is to be treated as a significant risk of material
misstatement (see section 3.5.7.1)
In Global Focus, the following conceptual diagram can be used to visualise how inherent risks
are categorised on the spectrum of inherent risk:
With the exception of the Negligible category, inherent risk levels cannot be mapped to specific
combinations of likelihood and magnitude; where each inherent risk category starts and finishes
is a matter of professional judgment, depending on the circumstances of the entity and the
period under audit, and is not something that can be automated.
Page | 130
Audit Manual
Version 7 (2022)
3.5.6 Assessing control risk

Control risk is the risk that a misstatement that could occur in an assertion about a class of
transactions, account balance or disclosure and that could be material, either individually or
when aggregated with other misstatements, will not be prevented, or detected and corrected,
on a timely basis by the entity’s internal control. Control risk is a function of the effectiveness of
the design, implementation and maintenance of the entity’s system of internal control by
management to address identified risks that threaten the achievement of the entity’s objectives
relevant to preparation of the entity’s financial statements.
Control risk in Global Focus is characterised by considering the inverse, i.e. the level of control
reliance the auditor intends to place when responding to identified and assessed inherent risks.
Control reliance is justified by the auditor’s assessment of the design, implementation and
operational effectiveness of the control.
In Global Focus, control reliance is categorised as follows:
Control risk Control risk % Corresponding control reliance category
Lowest 10% High
30% Moderate
50% Low
Highest 100% No reliance / not tested
No reliance is placed on internal controls where the control has:
a) been tested and found to be operationally ineffective; or

b) not been tested for operational effectiveness.
The degree to which a control can be relied upon depends on its effectiveness. This is
determined by the size of the sample for control testing and the number of control deviations
found. This is considered in detail in section 4.7.
Note, however, that where the auditor decides not to place reliance on the operating
effectiveness of controls, this does not remove the requirement to assess design and
implementation of controls as part of risk assessment procedures.
A common misconception is that less complex entities do not or cannot have effective internal
controls because of a lack of segregation of duties. For less complex entities, the design of
control procedures will typically focus on the entity level controls i.e. top down, as the activity
level or application level controls may be compromised by a lack of segregation of duties.
Therefore, in less complex entities, the entity level controls may be relevant controls and may be
most effective for preventing errors or fraud from occurring or going undetected. Properly
designed entity level controls can still provide an appropriate internal control system, and these
entity level controls can be used as part of the assessment of control risk; however, remember
that the operating effectiveness of controls must be tested if the auditor is going to rely on
controls in their response to risk.
Page | 131
Audit Manual
Version 7 (2022)
3.5.7 Assessing the risk of material misstatement

The auditor assesses the risk of material misstatement (“RMM”) for each identified risk i.e. the
combination of inherent risk and control reliance. Global Focus has five categories of RMM as
follows:
RMM terminology
No RMM
Low RMM
Moderate RMM
Elevated RMM
Significant RMM
In Global Focus, combinations of inherent risk and control reliance map to RMM categories as
follows:
Inherent risk
Negligible Lower Higher Upper end
High
Controls reliance
Moderate
Low
No reliance / not
tested
Due to the greater emphasis in ISA 315 (Revised) on the individual assessments of inherent risk
and control risk, in the Global Focus methodology, the auditor’s response to risk is based upon
these individual assessments and not upon the combined measure of RMM.
The level of RMM is automated within the risk cards, such that completing the inherent risk and
control reliance fields will automatically populate the RMM field. This can be manually
overridden, but this is not recommended as then the RMM level will not accord to the Global
Focus methodology.
3.5.7.1 Identifying significant risks

Significant risks are defined in ISA 315.12(l) as those identified risks of material misstatement:
a) for which the assessment of inherent risk is close to the upper end of the spectrum of
inherent risk, due to the degree to which inherent risk factors affect the combination of
the likelihood of misstatement occurring and the magnitude of the potential
misstatement, should the misstatement occur, or
b) that are to be treated as a significant risk in accordance with the requirements of ISAs.
As part of the risk assessment, the auditor is required to determine whether any of the risks
identified are significant risks (ISA 315.32).
Page | 132
Audit Manual
Version 7 (2022)
In determining significant risks, the auditor may first identify those assessed risks of material
misstatement that have been assessed higher on the spectrum of inherent risk, to form the
basis for considering which risks may be close to the upper end.
Being close to the upper end of the spectrum of inherent risk will differ from entity to entity, and
will not necessarily be the same for an entity period on period. It may depend on the nature and
circumstances of the entity for which the risk is being assessed. Thus determining where the
upper end of the spectrum of inherent risk lies is a matter of professional judgment in the
context of the circumstances of the entity in a given period under audit.
Due to the way that a significant risk is now defined under ISA 315 (Revised), any risk of
material misstatement for which inherent risk is judged to be at the upper end of the spectrum,
is categorised as being a significant risk of material misstatement.
Part (b) of the definition of a significant risk encompasses risks of material misstatement that are
required to be treated as significant by ISAs. These risks comprise:
Risk Status ISA reference
Revenue recognition Rebuttable presumption ISA 240.27 and 48
Fraud risks Mandatory if identified ISA 240.28
Management override of controls Mandatory on all audits ISA 240.32
Significant related party transactions Mandatory if identified ISA 550.18

outside the entity’s normal course of
business
Risks identified under part (b) of the definition should be categorised such that inherent risk is
set as “Upper end”, and the risk of material misstatement as “Significant”.
Once a risk of material misstatement has been categorised as being significant under either part
(a) or part (b) of the definition, the auditor should select the significant risk box for that risk in the
Global Focus risk card:
Note – this is not automatically driven by selecting inherent risk as “Upper end” or the risk of
material misstatement as “Significant” – the checkbox must be selected manually. Failure to do
so results in certain built-in warnings within the Global Focus software relating to significant risks
not working subsequently.
3.5.7.2 Understanding controls over significant risks

Where the auditor has identified a significant risk, the auditor is required to obtain an
understanding of the entity’s controls that address it.
Although risks relating to significant non-routine or judgmental matters may be less likely subject
to routine controls, management may have implemented responses to deal with such risks.
Accordingly, the auditor’s understanding of whether the entity has designed and implemented
Page | 133
Audit Manual
Version 7 (2022)
controls for significant risks arising from non-routine or judgmental matters includes whether
and how management responds to such risks. These responses may include:
• Control activities such as review of assumptions by senior management or experts

• Documented processes for estimations
• Approval by those charged with governance
Example
Where there are one-off events such as the notification of a significant lawsuit, consideration of
the entity’s response may include whether it has been referred to appropriate experts (e.g.
internal or external legal counsel), whether an assessment has been made of the potential
effect, and how it is proposed that the circumstances are disclosed in the financial statements.
In some cases management may not have responded appropriately to the risk by implementing
controls. Failure to implement controls over significant risks is an indicator of a significant
deficiency in controls.
See Section 4.5 for further details on responding to significant risks.
3.5.7.3 Risks for which substantive procedures alone are not sufficient
For some risks, the auditor may judge that it is not possible or practicable to obtain sufficient
appropriate audit evidence only from substantive procedures. Such risks may relate to the
inaccurate or incomplete recording of routine and significant classes or transactions or account
balances (such as revenues, purchases, cash transactions) with highly automated processing
with little or no manual intervention or when no documentation of the transactions or the
underlying information or data is produced or maintained other than through the IT system. In
this situation the auditor is required to obtain an understanding of those controls, including
evaluating whether the control is designed effectively and has been implemented (ISA
315.26(d)).
For example, this may be the case where a significant amount of the entity’s information is
initiated, recorded, processed or reported only in electronic form such as in an integrated
system. In this situation, audit evidence may only be available in electronic form and the
sufficiency and appropriateness of audit evidence will depend on the effectiveness of controls
over its preparation. The potential for misstatement is greater where controls are not operating
effectively.
Furthermore, the auditor is required to design and perform tests of controls to obtain sufficient
appropriate audit evidence as to the operating effectiveness of controls where substantive
procedures alone cannot provide sufficient appropriate audit evidence at the assertion level.
(ISA 330.8(b))
3.5.7.4 Fraud risks

All identified fraud risks, whether due to fraudulent financial reporting or misappropriation of
assets, are significant risks. This includes the presumed risks of fraud in revenue recognition
and management override of controls, as established by ISA 240 The auditor’s responsibilities in
relation to fraud. However, if the risk of fraud is judged to be immaterial (e.g. theft of stationery)
then a risk of material misstatement is not identified and there is therefore no significant risk.
Page | 134
Audit Manual
Version 7 (2022)
Fraud, whether due fraudulent financial reporting or misappropriation of assets, involves

incentive or pressure to commit fraud, a perceived opportunity to do so, and some
rationalisation of the act. These factors are summarised in the fraud triangle, the three aspects
of which are:
• Pressure - This is often generated by immediate needs (such as having significant personal
debts or meeting an analyst’s or bank’s expectations for profit) that are difficult to share with
others.
• Opportunity – A poor corporate culture and a lack of adequate internal control procedures
can often create confidence that a fraud could go undetected.
• Rationalisation - Rationalisation is the belief that a fraud has not really been committed. For
example, the perpetrator rationalises that “this is not a big deal” or “I am only taking what I
deserve.”
There are two means by which fraud may impact the financial statements:
Fraudulent financial reporting
Fraudulent financial reporting involves intentional misstatements, including omissions of

amounts or disclosures in the financial statements to deceive financial statement users.
Fraudulent financial reporting can be caused by managing earnings to influence financial
statement users’ perceptions of the entity’s performance and profitability. Such earnings
management may start out with small actions, or with inappropriate adjustments of assumptions
and changes by management. Pressures and incentives may lead to these actions to increase
to the extent that they result in fraudulent financial reporting, which often involves management
override of controls.
Examples may include:
• Manipulation, falsification (including forgery), or alteration of accounting records or

supporting documentation
• Misrepresentation in, or international omission from, the financial statements of events,
transactions, or other significant information
• Intentional misapplication of accounting principles relating to amounts, classification,
manner of presentation, or disclosure
Page | 135
Audit Manual
Version 7 (2022)
Misappropriation of assets
Misappropriation of assets involves the theft of an entity’s assets and is often perpetrated by
employees in relatively small and immaterial amounts, which over time may become material.
However, it can also involve management, who may be able to disguise or conceal it in ways
that are difficult to detect.
Misappropriation of assets is often accomplished by false or misleading records or documents in

order to conceal the fact that the assets are missing or have been pledged without proper
authorisation (for example, pledging entity assets as collateral for a personal loan).
Examples may include:
• Embezzling receipts
• Stealing physical assets or intellectual property
• Causing an entity to pay for goods and services not received
• Using an entity’s assets for personal use
The figure below summarises the types and characteristics of fraud:
(Exhibit 8.6-1 from the IFAC guide to audit of small and medium sized entities)
Page | 136
Audit Manual
Version 7 (2022)
3.5.7.5 The “stand back” requirement
Significant classes of transactions, account balances and disclosures (“SCOTABD”) are those
for which there is one or more relevant assertion i.e. an assertion for which there is an identified
risk of material misstatement.
ISA 315.36 requires the auditor to identify all material classes of transactions, account balances
and disclosures which have not been determined to be SCOTABD and to evaluate whether that
determination remains appropriate. Effectively, the auditor is required to “stand back” and
review their initial risk assessment, identify any material classes of transactions, account
balances and disclosures without an identified risk of material misstatement, and consider
whether any risks may have been missed.
A procedure in Form 455 prompts the auditor to perform the standback requirement, and the
results of the exercise should be documented in response to that procedure.
Where a missing risk is identified through performance of the stand back requirement:
a) A risk card is raised for each missing risk that is identified;
b) The FSA assessment of inherent risk for the relevant assertion(s) is updated
accordingly; and
c) A suitable response to each risk is planned in the relevant audit programme(s) and
linked back to the relevant risk card.
It may be appropriate to link the risk card to Form 455, as well as to any other documentation
on the audit file that prompted the identification of the missing risk.
3.5.8 Revision of risk assessment

The assessment of risks of material misstatement at the assertion level may change during the
course of the audit as additional evidence is obtained. Where the auditor obtains audit evidence
when responding to risks, or if new information is obtained, either of which is inconsistent with
the audit evidence on which the risk assessment was based, the auditor is required to revise the
risk assessment and modify the planned responses to risks accordingly.
For example, the risk assessment may be based on an expectation that controls are operating
effectively, but when the auditor tests those controls, they are not operating effectively.
Similarly, when performing substantive procedures, misstatements may be detected in amounts
or frequency greater than the auditor expected when performing the risk assessment. In such
circumstances the risk assessment may not appropriately reflect the true circumstances of the
entity and further planned audit procedures may be necessary.
Page | 137
Audit Manual
Version 7 (2022)
Appendix 1 Events and Conditions That May Indicate Risks of Material Misstatement
(Taken from ISA 315 Appendix 2)
The following are examples of events (including transactions) and conditions that may indicate
the existence of risks of material misstatement in the financial statements, at the financial
statement level or the assertion level. The examples provided by inherent risk factor cover a
broad range of events and conditions; however, not all events and conditions are relevant to
every audit engagement and the list of examples is not necessarily complete.
The events and conditions have been categorised by the inherent risk factor that may have the
greatest effect in the circumstances. Importantly, due to the interrelationships among inherent
risk factors, the example events and conditions also are likely to be subject to, or affected by,
other inherent risk factors to varying degrees.
Relevant inherent Examples of events or conditions that may indicate the existence of risks
risk factor of material misstatement at the assertion level
Complexity Regulatory:
• Operations that are subject to a high degree of complex

regulation.
Business model:
• The existence of complex alliances and joint ventures.
Applicable financial reporting framework:
• Accounting measurements that involve complex processes.
Transactions:
• Use of off-balance sheet finance, special purpose entities, and

other complex financing arrangements.
Subjectivity Applicable financial reporting framework
• A wide range of possible measurement criteria of an accounting

estimate. For example, management’s recognition of
depreciation or construction income and expenses.
• Management’s selection of a valuation technique or model for a
non-current asset, such as investment properties.
Change Economic conditions:
• Operations in regions that are economically unstable, for

example, countries with significant currency devaluation or
highly inflationary economies.
Markets:
• Operations exposed to volatile markets, for example, futures

trading.
Customer loss:
Page | 138
Audit Manual
Version 7 (2022)
• Going concern and liquidity issues including loss of significant

customers.
Industry model:
• Changes in the industry in which the entity operates.
Business model:
• Changes in the supply chain.

• Developing or offering new products or services or moving into
new lines of business.
Geography:
• Expanding into new locations.
Entity structure:
• Changes in the entity such as large acquisitions or

reorganisations or other unusual events.
• Entities or business segments likely to be sold.
Human resources competence:
• Changes in key personnel including departure of key executives.
IT:
• Changes in the IT environment.

• Installation of significant new IT systems related to financial
reporting.
Applicable financial reporting framework:
• Application of new accounting pronouncements.
Capital:
• New constraints on the availability of capital and credit.
Regulatory:
• Inception of investigations into the entity’s operations or financial

results by regulatory or government bodies.
• Impact of new legislation related to environmental protection.
Uncertainty Reporting:
• Events or transactions that involve significant measurement

uncertainty, including accounting estimates, and related
disclosures.
Page | 139
Audit Manual
Version 7 (2022)
• Pending litigation and contingent liabilities, for example, sales

warranties, financial guarantees and environmental remediation.
Susceptibility to Reporting:
misstatement due
• Opportunities for management and employees to engage in
to management
fraudulent financial reporting, including omission, or obscuring,
bias or other fraud
of significant information in disclosures.
risk factors insofar
as they affect Transactions:
inherent risk
• Significant transactions with related parties.
• Significant amount of non-routine or non-systematic transactions
including intercompany transactions and large revenue
transactions at period end.
• Transactions that are recorded based on management’s intent,
for example, debt refinancing, assets to be sold and
classification of marketable securities.
Other events and conditions that may indicate risks of material misstatement at the financial
statement level include:
• Lack of personnel with appropriate accounting and financial reporting skills

• Control deficiencies - particularly in the control environment, risk assessment process
and process for monitoring, and especially those not addressed by management
• Past misstatements, history of errors or a significant number of adjustments at period
end
Page | 140
Audit Manual
Version 7 (2022)
Appendix 2 Mapping of Global Focus assertions to ISA 315

The table below show the mapping of the assertions in ISA 315.A190 to those used in Global
Focus
Assertions for Classes of Transactions, and events and related disclosures, for the period under
audit (i.e. Statement of Comprehensive Income or Profit & Loss assertions)
Assertion (ISA 315.A190) Global Focus Assertion
Occurrence – transactions and events that have been Existence and Occurrence
recorded or disclosed have occurred, and such
transactions and events pertain to the entity.
Completeness – all transactions and events that should Completeness

have been recorded have been recorded, and all related
disclosures that should have been included in the financial
report have been included.
Accuracy – amounts and other data relating to recorded Accuracy

transactions and events have been recorded appropriately,
and related disclosures have been appropriately measured
and described.
Cut-Off – transactions and events have been recorded in Cut-off

the correct accounting period.
Classification – transactions and events have been Classification and Presentation

recorded in the proper accounts.
Presentation – transactions and events are appropriately Classification and Presentation

aggregated or disaggregated and clearly described, and
related disclosures are relevant and understandable in the
context of the requirements of the applicable financial
reporting framework.
Page | 141
Audit Manual
Version 7 (2022)
Assertions for account balances, and related disclosures at the period end (i.e. Statement of
Financial Position or Balance Sheet assertions)
Assertion (ISA 315.A190) Global Focus Assertion
Existence – assets, liabilities and equity interests exist. Existence and Occurrence
Completeness – all assets, liabilities, and equity interests Completeness

that should have been recorded have been recorded, and
all related disclosures that should have been included in
the financial report have been included.
Accuracy, valuation and allocation – assets, liabilities, and Accuracy

equity interests have been included in the financial report at
appropriate amounts and any resulting valuation or
Valuation and Allocation
allocation adjustments have been appropriately recorded,
and the related disclosures have been appropriately
measured and described.
Rights and obligations – the entity holds or controls the Rights and Obligations
rights to assets, and liabilities are the obligations of the
entity.
Classification – assets, liabilities and equity interests have Classification and Presentation
been recorded in the proper accounts.
Presentation – assets, liabilities and equity interests are Classification and Presentation
appropriately aggregated or disaggregated and clearly
described, and related disclosures are relevant and
understandable in the context of the requirements of the
applicable financial reporting framework.
Page | 142
Audit Manual
Version 7 (2022)
3.6 Identifying and assessing financial statement level risks
Contents
3.6.1 Introduction
3.6.2 Identifying financial statement level risks
3.6.3 Assessing financial statement level risks
risks of material misstatement. (ISA 315.11)

Misstatement
Global Focus software Form FSA

Form Risk Report – All
Form 530 Financial Statement Level Risks and Controls
Policy requirements
(if any)
Page | 143
Audit Manual
Version 7 (2022)
3.6.1 Introduction
The auditor is required to identify and assess the risks of material misstatement at the financial
statement level. Financial statement level risks are those risks that relate pervasively to the
financial statements as a whole and potentially affect many assertions and are not necessarily
identifiable with specific assertions at the class of transactions, account balance or disclosure
level. They represent circumstances that may increase the risks of material misstatement at the
assertion level, for example, through management override of internal control. Financial
statement level risks may be especially relevant to the consideration of fraud risks, including
concerns about management’s integrity or the reliability of an entity’s records.
The Global Focus software refers to financial statement level risks as “entity level” risks when
recording the financial statement areas affected in the risk cards, and which are sub-
categorised as either fraud or business risks.
3.6.2 Identifying financial statement level risks

Financial statements level risks may derive, in particular, from a deficient control environment
(fraud) or management’s lack of competence (fraud or error). For example, deficiencies such as
management’s lack of competence may have a more pervasive effect on the financial
statements and may require an overall response by the auditor. However, they may also relate
to other business-related factors, such as declining economic conditions (giving rise to a going
concern risk) or the condition of the entity’s records. Other examples of financial statement level
risks may include business combinations such as acquisitions or divestitures.
Examples of financial statement level risk indicators which may be identified during the risk
assessment phase of the audit include:
• Acquisition, divestiture, or reorganisation

• Rapid growth or expansion into new locations
• Declining economic conditions and/or financial results (going concern issues)
• Lack of personnel with appropriate accounting and financial reporting skills
• New IT systems or significant changes in IT systems relevant to financial reporting
• Significant deficiencies in the entity’s IT general controls
• High degree of complex regulation
• Condition or reliability of the entity’s records, such as poor or inadequate record
keeping.
Risks of material misstatement due to fraud may be particularly relevant to the auditor’s
consideration of financial statement level risks. For example, if an entity’s financial statements
are to be used in discussions with lenders to raise additional working capital, there may be a
greater susceptibility to fraud through fraudulent financial reporting, which may apply to the
financial statements as whole (as well as to specific classes of transactions, account balances
or disclosures).
The identification and assessment of financial statement level risks is influenced by the auditor’s
understanding of the entity’s system of internal control, particularly the control environment, the
entity’s risk assessment process and the entity’s monitoring of the system.
In extreme cases the auditor’s understanding of the entity’s system of internal control may raise
doubts about whether an audit can be conducted. For example:
Page | 144
Audit Manual
Version 7 (2022)
• Concerns about the integrity of the entity’s management may be so serious as to cause
the auditor to conclude that the risk of management misrepresentation in the financial
statements is such that an audit cannot be conducted
• Concerns about the condition and reliability of an entity’s records may cause the auditor
to conclude that it is unlikely that sufficient appropriate audit evidence will be available to
support an unmodified opinion on the financial statements.
ISA 705 establishes requirements and provides guidance in determining whether there is a
need for the auditor to express a qualified opinion or disclaim an opinion or, as may be required
in some cases, to withdraw from the engagement where withdrawal is possible under applicable
law or regulation.
3.6.3 Assessing financial statement level risks

There is no assessment of inherent risk or determination of control reliance for financial
statement level risks because inherent risk and control reliance exist only at the assertion level.
However, the engagement team is required to determine, using their professional judgment,
whether identified financial statement level risks are significant risks, in which case the
“significant risk” box in the risk card is checked.
Financial statement level risks (sometimes referred to as entity level risks in the Global Focus
software) are classified as either fraud risks or business risks. In accordance with ISA 240.28,
all financial statement level risks arising due to fraud are significant risks.
If a particular financial statement level risk can be related to a finite set of assertions, then such
financial statement level risks are considered when assessing inherent risk at the assertion level.
For example, a business combination is a financial statement level risk because it relates
pervasively to the financial statements as a whole and would require an overall response (this
may include, for example, assigning more experienced staff or those with special skills).
However, unlike certain other financial statement level risks (for example, a deficient control
environment), the business combination can also be related to specific assertions. In identifying
and assessing the inherent risk of material misstatement at the assertion level for a particular
class of transactions, account balance or disclosure, the engagement team takes the business
combination into account.

In Global Focus, financial statement level risks (also sometimes called “entity level” risks), are
categorised as either fraud or business risks.
When a new risk is identified, a new risk card is raised by clicking on the “Create new risk” icon
Within the risk card, when selecting the “Financial Statement Areas” the following options are
shown. Select either fraud or business risk depending on the nature of the risk identified.
Page | 145
Audit Manual
Version 7 (2022)
Since there is no assessment of inherent risk or determination of control reliance for financial
statement level risks, such risks appear in the 520E Risk Report marked with a P (for
“Pervasive”) instead of recording inherent and control risk assessments.
Page | 146
Audit Manual
Version 7 (2022)
Section 4: Respond to Risk
Introduction
Preliminary
Report
Activities
Global
Focus
Risk
Evaluate
Assessment
and
and
Conclude
Planning
Respond to
Risk
Page | 147
Audit Manual
Version 7 (2022)
4.1 Audit evidence: nature, timing and extent of audit procedures
Contents
4.1.1 Introduction
4.1.2 Nature, timing and extent defined
4.1.3 Nature, timing and extent when responding to risk
4.1.4 Types of audit procedures
Objective The objective of the auditor is to design and perform audit

procedures in such a way as to enable the auditor to obtain
sufficient appropriate audit evidence to be able to draw
reasonable conclusions on which to base the auditor’s opinion.
(ISA 500.4)
Relevant ISA • ISA 500 Audit Evidence

auditors)
Global Focus software The nature, timing and extent of procedures is considered when
developing audit work programs in Global Focus.
Group Audits
Form 5000-7 Group audit instructions.

Form 5000-8 Group audit questionnaire
Form 5000-9 Group accounting questionnaire
Policy requirements 1. Component financial significance should not exceed

(if any) 15% of group materiality other than in very exceptional
circumstances.
2. The aggregate of insignificant components should not
generally exceed 15% of the group.
Page | 148
Audit Manual
Version 7 (2022)
4.1.1 Introduction
Audit evidence is the information used by the auditor in arriving at the conclusions on which the
auditor's opinion is based. Audit evidence includes both information contained in the accounting
records underlying the financial statements and information obtained from other sources (ISA
500.5(c)).
Sufficiency of audit evidence is the measure of the quantity of audit evidence. The quantity of
the audit evidence needed is affected by the auditor’s assessment of the risks of material
misstatement and also by the quality of such audit evidence (ISA 500.5(f)).
Appropriateness of audit evidence is the measure of the quality of audit evidence; that is, its
relevance and reliability in providing support for the conclusions on which the auditor’s opinion is
based (ISA 500.5(b)):
• Relevance of audit evidence relates to whether or not the evidence is relevant in

addressing the assessed risk of misstatement, e.g. whether it relates to the relevant
assertion being addressed. As an example, inspection of documents related to
collection of receivables after period end may provide evidence regarding existence and
valuation but would not provide evidence relating to cut-off. Further, the direction of
testing may be important in determining what evidence is relevant, such as testing the
recorded accounts payable would be relevant when testing for overstatement in the
existence of accounts payable but would not be relevant if testing for understatement.
• Reliability of audit evidence relates to whether or not the audit evidence is from a
sufficiently reliable source. The following are typically true:
o audit evidence obtained from external parties is typically more reliable than
evidence provided by management, so long as the external party is itself reliable
and knowledgeable;
o internally generated information is typically more reliable if the controls over its
preparation and maintenance are operating effectively;
o audit evidence obtained directly by the auditor is typically more reliable than
where it is obtained indirectly;
o documented evidence is typically more reliable than evidence obtained orally;
and
o evidence obtained from original documents is more reliable than evidence from
copies of documents.
4.1.2 Nature, timing and extent defined

The table below summarises the nature, timing and extent of procedures which auditors may
apply when devising responses to risks:
Page | 149
Audit Manual
Version 7 (2022)
The nature of an audit procedure refers to its purpose (i.e. whether the procedure is a test of
controls or a substantive procedure). The following types of audit procedures are available to
auditors:
• Inspection – examining records or documents (e.g. paper, electronic or other media) or

physical examination of an asset
• Observation – observing a process or procedure being performed
• External confirmation – direct written response to the engagement team from a third party
• Re-calculation – checking the mathematical accuracy of documents or records
• Re-performance – independent execution of procedures or controls originally performed by
Nature the entity
• Substantive analytical procedures – analytical procedures that are sufficiently precise to
identify a misstatement that, individually or when aggregated with other misstatements,
may cause the financial statements to be materially misstated
• Inquiry – seeking information of knowledgeable persons, both financial and nonfinancial,
within or outside the entity.
The risks identified may affect the types of audit procedures to be performed and the combination
of such procedures required to obtain sufficient, appropriate audit evidence. Certain audit
procedures may be more appropriate for some assertions than others.
The timing of audit procedures refers to when the procedure is performed, or the period or date to
which the audit evidence applies. Substantive procedures and tests of controls may be performed:
• at an interim date, or
• at period end.
Relevant factors that influence when to perform further audit procedures include the control
Timing environment, the availability of relevant information, the nature of the risk and the period or date to
which the audit evidence relates.
For higher risks of material misstatement, it may be more effective to perform substantive
procedures nearer to, or at, the period end rather than at an earlier date. Alternatively, by
performing procedures before the period end the auditor may identify significant matters early,
thereby allowing more time to resolve issues or develop an approach to address them.
The extent of audit procedures refers to the quantity of work performed. Any one or a combination
of the following means for selecting the extent of items for testing may be appropriate depending
on the circumstances:
• Selecting all items (100%)

• Selecting specific items
• Audit sampling
Extent The extent of an audit procedure is determined taking account of materiality, the assessed risk,
and the quantity/quality of audit evidence required. In general, extent increases as the risk of
material misstatement increases; for example, for higher levels of assessed risk sample sizes
would typically be larger. However, increasing the extent of procedures is only effective if the
procedure is relevant to the risk and the evidence to be obtained is reliable. For example, when
responding to fraud risks, it may be necessary to obtain more reliable audit evidence rather than
merely increase the extent.
Page | 150
Audit Manual
Version 7 (2022)
4.1.3 Nature, timing and extent when responding to risk

When developing a suitable response to audit risks the auditor considers how best to obtain
sufficient appropriate audit evidence to address the risk. For a higher assessed risk of material
misstatement, the auditor typically requires more (sufficient) relevant and reliable (appropriate)
audit evidence. In general, as the level of risk increases:
• The nature of procedures provides more reliable and persuasive audit evidence
• The extent of audit evidence increases (for example, the audit sampling calculator takes
account of the level of risk when determining sample sizes)
• The timing of work is typically more likely to be performed at year end, unless the risk
relates to an in-year transaction which can be effectively audited at an interim date (e.g.
there is a major single transaction during the year which gives rise to a significant risk
where the auditor can audit the transaction at an interim date).
4.1.4 Types of audit procedures

When developing a response to an assessed risk of material misstatement the auditor may
undertake any or a combination of the following audit procedures, the precise combination of
which would be affected by the level of risk assessed and the nature of the assertion(s) being
tested.
Tests of Controls: When testing controls which we have evaluated as being designed and
implemented appropriately, we are looking to gain assurance that the controls are operating
effectively. Tests of controls are performed only when the auditor intends to rely on the
operation of those controls as part of their planned audit response.
Substantive procedures: Substantive procedures are designed to detect material misstatements

at the assertion level and comprise:
• Substantive analytical procedures, and

• Tests of details.
Substantive procedures are performed for:
• risks of material misstatement at the assertion level for significant classes of

transactions, account balances, and disclosures
• Significant risks at the assertion level; (Note: when the approach only consists of
substantive procedures, those procedures are required to include tests of details)
• Each material class of transactions, account balance, and disclosure
• Financial statement closing process.
Further details of the audit procedures to be performed are set out in the remainder of Section 4
of the Audit Manual.

In a group audit context, there are the following types of audit evidence:
a) Audit evidence in respect the financial information of components;

b) Audit evidence on group-wide controls and the consolidation process including, if
applicable, goodwill on consolidation and any impairment thereof; and
c) Analytical procedures performed at group level.
Page | 151
Audit Manual
Version 7 (2022)
Nature, timing and extent when responding to risk
The group engagement team’s determination of the type of work to be performed on the
financial information of a component and its involvement in the work of the component auditor is
affected by:
a) The significance of the component

b) The identified significant risks of material misstatement of the group financial statements;
c) The group engagement team’s evaluation of the design of group-wide controls and
determination whether they have been implemented; and
d) The group engagement team’s understanding of the component auditor.
The diagram below shows how the significance of the component affects the group engagement
team’s determination of the type of work to be performed on the financial information of the
component:
Page | 152
Audit Manual
Version 7 (2022)
Page | 153
Audit Manual
Version 7 (2022)
ISA 600 sets out the work to be performed on each type of component as follows:
Component Financially significant Otherwise significant Not significant
ISA 600 para ISA 600.26 ISA 600.27 ISA 600.28
Audit using Audit using component Analytical

component materiality OR procedures at
materiality group level
Audit of one or more account
balances, classes of transactions
Work specified or disclosures relating to the likely
significant risk(s) OR
Specified audit procedures

relating to the likely significant
risk(s)
Component auditor Component auditor or group Group auditor

Performed by
or group auditor auditor
A group may contain few or even no components that are individually significant to the group. In
such cases, application of the above may not yield sufficient appropriate audit evidence on
which to base the group audit opinion, as a relatively small proportion or even none of the group
will have been audited. In such cases ISA 600.29 requires the auditor to select some
components that are not significant and perform, or request a component auditor to perform,
one or more of the following on the financial information of the selected components:
• An audit of the financial information of the component using component materiality.

• An audit of one or more account balances, classes of transactions or disclosures.
• A review of the financial information of the component using component materiality.
• Specified procedures.
Global Focus is not prescriptive regarding the method of selecting components or the number of
components that should be selected; this is a matter of group auditor judgment. However:
1. Component financial significance should not generally exceed 15% of group materiality.
In the rare circumstances that the auditor considers it appropriate to exceed 15%, the
decision must be reviewed and approved by a second audit partner or the firm’s
technical department. Firms with a sole audit partner should consult either an audit
partner in another member firm or the Professional Standards team in Global Office.
2. The aggregate of insignificant components should not generally exceed 15% of the
group. Where this is the case, the auditor should consider whether sufficient appropriate
audit evidence will be obtained to fully support the group audit opinion, and either:
o Document why this is the case; or
o Follow the requirements of ISA 600.29 noted above.
ISA 600.A51 lists the following factors that may affect the group auditor’s decision as to how
many and which components to select:
• The extent of audit evidence expected to be obtained on the financial information of the
significant components.
Page | 154
Audit Manual
Version 7 (2022)
• Whether the component has been newly formed or acquired.

• Whether significant changes have taken place in the component.
• Whether the internal audit function has performed work at the component and any effect
of that work on the group audit.
• Whether the components apply common systems and processes.
• The operating effectiveness of group-wide controls.
• Abnormal fluctuations identified by analytical procedures performed at group level.
• The individual financial significance of, or the risk posed by, the component in
comparison with other components within this category.
• Whether the component is subject to audit required by statute, regulation or for another
reason.
The group auditor is also required, in such situations, to vary the selection of components over a
period of time. A cyclical basis may therefore be appropriate. However, including an element of
unpredictability in selecting components may be beneficial in increasing the likelihood of
identifying material misstatements of component financial information.

The work required on each component is recorded in Form 5000-5 Group audit – Group
component summary.
Alternatively, group engagement teams may use the Excel template Form 445G Group Audit
Planning, available on Billy, to assist in the determination and documentation of component
significance and the level of work to be performed on each component.
Communications between the group auditor and component auditors
ISA 600 requires the group auditor to communicate to component auditors:
• the work to be performed;

• the use to be made of that work; and
• the form and content of the component auditor’s communication with the group
engagement team.
The timing of such communications is critical to meeting these objectives, and group auditors
issue a detailed group audit timetable to component auditors early in the planning process to
ensure that all deadlines can be met.
ISA 600 also contains the following specific matters that the group auditor is to communicate
with component auditors in order for the group audit to be performed effectively and efficiently:
a) A request for confirmation that the component auditor will cooperate with the group
engagement team.
b) The ethical requirements that are relevant to the group audit and, in particular, the
independence requirements.
c) Where applicable, component materiality (and, if applicable, any levels of group specific
materiality) and the clearly trivial threshold.
d) Identified significant risks of material misstatement of the consolidated financial
statements, due to fraud or error, that are relevant to the work of the component
auditor.
e) A request to be informed of any other identified significant risks identified by the
component auditor, and their response to such risks.
Page | 155
Audit Manual
Version 7 (2022)
f) A list of related parties prepared by group management, and any other related parties of
which the group engagement team is aware.
g) A request to be informed of any other related parties not previously identified by group
management or the group engagement team.
This information is usually requested via the issuance of group audit instructions during the
planning stage of the group audit.
The group auditor may also decide to request additional and/or more detailed information by
way of detailed audit and/or accounting questionnaires.

A template set of group audit instructions is provided in Form 5000-7 Group audit instructions.
Optional detailed questionnaires Form 5000-8 Group audit questionnaire and Form 5000-9
Group accounting questionnaire are also provided.
Alternatively, group engagement teams may use the Excel templates available on Billy:
• Form 446G Initial group audit instructions – items (a), (b), (c), (f) and (g) above
• Form 447G Final group audit instructions – items (d) and (e) above
• Form 448G Group questionnaires
Page | 156
Audit Manual
Version 7 (2022)
4.2 Substantive audit sampling
Contents
4.2.1 Introduction
4.2.2 Audit sampling process
4.2.3 Designing an audit sample
4.2.4 Determining the audit sampling approach (statistical or non-statistical)
4.2.5 Determining the sample size
4.2.5.1 Statistical sampling
4.2.5.2 Non-statistical sampling
4.2.6 Determining the items for selection
4.2.7 Performing audit procedures when sampling
4.2.8 Investigating the nature and cause of misstatements
4.2.9 Projecting misstatements
4.2.10 Evaluating results of audit sampling
Appendix 1 Stratification and value-weighted selection
Objective The objective of the auditor, when using audit sampling, is to

provide a reasonable basis for the auditor to draw conclusions
about the population from which the sample is selected. (ISA
530.4)
Relevant ISA • ISA 530 Audit Sampling

• ISA 450 Evaluation of misstatements identified during
the audit

Global Focus software Form x.101 Substantive work programs
Form x.125 Sample calculator
Policy requirements Tolerable misstatement is not set higher than performance

(if any) materiality.
Expected misstatement is not set higher than 30% of tolerable
misstatement.
Page | 157
Audit Manual
Version 7 (2022)
4.2.1 Introduction
Audit sampling is a method of gathering audit evidence that provides the auditor with a
reasonable basis on which to reach a conclusion about an entire population by selecting and
examining a representative sample of items within a population. Only where all the following
characteristics are present is it possible to draw a conclusion about a population from the
results of audit work performed on a sample of a population:
• All items in the population have a chance of being selected

• The items selected and the basis of selection is free from bias; and
• The population is not significantly skewed. If the population is skewed stratifying the
population is typically appropriate before considering whether or not to apply sampling
methods to each stratum.
ISA 530 defines statistical sampling as an approach to sampling that has the following
characteristics, any other sampling approach being considered non-statistical sampling:
• Random selection of the sample items, and

• The use of probability theory to evaluate sample results, including measurement of
sampling risk.
The approaches to audit sampling available in the Global Focus methodology are:
• Statistical– a method of determining sample sizes using statistical formulae with the
following characteristics:
o Random selection of the sample items; and
o The use of probability theory to evaluate sample results, including measurement
of sampling risk.
• Non-statistical – a method of determining sample sizes using auditor judgment within a
framework and guidance set out in this section of the audit manual.
This section of the audit manual focuses on audit sampling for substantive procedures. Details
of audit sampling for tests of controls are provided in Section 4.7 (Tests of controls).
Page | 158
Audit Manual
Version 7 (2022)
4.2.2 Sampling process
4.2.3 – Designing an audit sample
In designing an audit sample, the auditor is required to consider the purpose of the audit
procedure and the characteristics of the population from which the sample will be drawn.
The auditor determines the appropriate population from which to draw the sample.
Examples
1. When testing fixed assets for existence (E&O), the appropriate population from which to
sample is the gross cost and not the net book value. This is because:
a) any non-existent assets will impact the cost disclosure in the fixed asset note as well
as the net book amount; and
b) older, fully written down assets are potentially at greater risk of having been scrapped
but not recorded as such in the fixed asset register.
2. When testing trade receivables for existence (E&O) or valuation and allocation (V&A), the
appropriate population is the gross amount of such receivables without deduction for any
provision for bad and doubtful debts.
3. When testing completeness of trade payables, their book value may not be the appropriate
population to sample from, as by definition, it will not contain any missing purchase invoices.
There are some common approaches to this issue:
Page | 159
Audit Manual
Version 7 (2022)
a) Use supplier turnover. Ideally a comparison should be drawn with the prior period to
identify suppliers with a significant drop in turnover, and these considered for
separate testing unless it can be demonstrated that this is expected e.g. due to a
change of supplier.
b) Select from the population of post-period end purchases. This could be taken from
payments or purchase invoices. Consideration would need to be given to the length of
period to include within the population. The period may need to be extended if
unrecorded creditors are found during testing.
c) Use the book value of trade payables as the population, but obtain the period end
listing that includes suppliers with zero balances, and consciously select some of
these and/or low value balances, particularly any with larger, regular suppliers for
separate testing. This approach requires detailed knowledge of the entity’s suppliers.
In accordance with ISA 500.9, the auditor also performs audit procedures to obtain evidence
that the population from which the audit sample is to be drawn is complete.
When designing an audit sample, the auditor considers the purpose of the test and the
combination of audit procedures that is likely to best achieve that purpose. The auditor’s
consideration of the purpose of the audit procedure includes a clear understanding of what
constitutes a deviation or misstatement so that all, and only those, conditions that are relevant
to the purpose of the audit procedure are included in the evaluation of deviations or projection
of misstatements.
Example
In a test of details relating to the existence of accounts receivable, such as confirmation,

payments made by the customer before the confirmation date but received shortly after that
date by the client, are not considered a misstatement. Also, a posting error between customer
accounts does not affect the total accounts receivable balance. Therefore, it may not be
appropriate to consider this a misstatement in evaluating the sample results of this particular
audit procedure, even though it may have an important effect on other areas of the audit, such
as the assessment of the risk of fraud or the adequacy of the allowance for doubtful accounts.
For tests of details, the auditor makes an assessment of the expected misstatement in the
population. If the expected misstatement is high (>30% of tolerable misstatement), then 100%
examination of the population or the use of a large sample size may be appropriate when
performing tests of details. Alternatively a non-sampling approach may be more effective.
In determining the characteristics of the population from which the sample will be drawn, the
auditor may determine that stratifying the population or value-weighted selection may be
appropriate. Further details of both methods are set out in Appendix 1.
4.2.4 – Determining the audit sampling approach (statistical or non-statistical)
ISA 530 indicates that the decision to use statistical sampling or non-statistical sampling is a
matter of professional judgment and does not indicate which should be used in any given
situation. However, ISA 530.A9 is clear that sample size is not a valid criterion to distinguish
between the selection of sampling methods. Therefore, the auditor should not base their
decision on whether to use statistical or non-statistical sampling on the outcome of the
calculation of sample sizes.
Page | 160
Audit Manual
Version 7 (2022)
Statistical sampling used in Global Focus is a sampling approach that uses statistical theory for
selecting a sample size from which to reach a conclusion about a population. In other words,
statistical sampling used in uses a mathematical model to determine the probability of the
sample selected being representative of the population. The sample sizes for statistical sampling
assume a large population (when performing substantive tests of details, it is generally
appropriate to treat any population of more than 2,000 sampling units as large).
ISA 530 Audit Sampling does not mandate the use of statistical sampling when calculating
sample sizes so long as the non-statistical sample considers the same factors that would be
considered in a properly designed statistical sample and therefore produces effective outcomes.
The auditor first determines whether statistical or non-statistical sampling is the most
appropriate method in the circumstances. In doing so the auditor may consider the following
factors as part of their professional judgment:
Size of the population being tested
Populations below 2,000 units are not considered to be large populations and as such, the use
of statistical sampling may be less appropriate because statistical sampling is designed to
reflect large populations. Therefore, auditor judgment may be exercised, and a non-statistical
approach may be more appropriate in the determination of the sample size. Note, however, that
the use of statistical sampling is permitted for populations of less than 2,000 units.
In Global Focus, the non-statistical method is based upon the quantity of items in the population
rather than the value. Whilst use of this method is not prohibited for large populations, it is
designed primarily for small populations. Its use for large populations should therefore be
carefully considered and justified on the file. Nature of the population
ISA 330.18 requires auditors to perform substantive procedures for each material class of
transactions, account balance or disclosure regardless of the assessed risk of material
misstatement. It may be appropriate to use non-statistical sampling for such material amounts
where the auditor has not identified a particular risk of material misstatement, or where inherent
risk has otherwise been assessed as Lower.
The homogeneity of the population should also be considered. Stratification can be used to
improve homogeneity and reduce the overall number of items to test, and is particularly effective
when taking a statistical approach.
Assertion/s being tested
The assertion/s being tested can influence whether to use statistical or non-statistical sampling,
depending on whether the assertion is considered to have a binary outcome i.e. it’s right or
wrong rather than being a numeric extrapolation, for example if testing the ownership of assets.
(Note that Global Focus contains separate guidance on sample sizes for testing controls in
section 4.7.5.)
Evidence gathered from other sources
Evidence from other sources may influence the auditor’s decision on whether a statistical or
non-statistical sample is appropriate. Where the evidence from other procedures is strong, then
a non-statistical approach may be appropriate to obtain sufficient additional audit evidence.
Where the evidence from other procedures is limited or where there have been errors identified,
Page | 161
Audit Manual
Version 7 (2022)
then a statistical approach may be more appropriate as more persuasive audit evidence is
needed from the sample tests of details.
These and other factors, may influence the auditor’s decision as to which sampling approach is
appropriate, remembering both can provide sufficient and appropriate audit evidence.
4.2.5 Determining the sample size

The auditor is required to determine a sample size which is sufficient to reduce sampling risk to
an acceptable low level. Sampling risk is defined as the risk that the auditor’s conclusion based
on a sample may be different from the conclusion if the entire population were subjected to the
same audit procedure. The level of sampling risk that the auditor is willing to accept affects the
sample size; the lower the risk the auditor is willing to accept, the greater the sample size will
be.
The sample size may be determined by a statistical formula or by the exercise of professional
judgment (non-statistical approach). Either way, the following factors are taken into account:
• The assessed risk of material misstatement

• Other substantive procedures addressing the assertions at risk
• The level of assurance the auditor requires
• The tolerable misstatement
• The expected misstatement
• Stratification of the population
• Number of sampling units in the population
These factors are incorporated into the Global Focus determination of sample sizes using
statistical and non-statistical approaches, as set out below.
4.2.5.1 Statistical sampling

To determine the sample size using a statistical, we utilise the statistical sample calculator
included within the Global Focus software. The sample size is determined by a number of
factors which are input to the sample calculator:
• The nature of the population (including application of stratification)

• Required level of audit confidence
• The assessed level of inherent risk
• The assessed level of reliance on controls
• Whether any other audit evidence has been obtained from substantive analytical
procedures
• The tolerable misstatement
• The expected misstatement
The nature of the population
The sample size calculator allows the auditor to adjust the size of the population to be sampled
for items tested specifically. These are items deliberately chosen by the auditor for testing, such
that the remaining balance is then sampled. The total items tested therefore comprise those
chosen for specific testing plus the sampled items.
Page | 162
Audit Manual
Version 7 (2022)
Typically, items which are individually greater than performance materiality would be chosen for
separate testing. Depending on the nature of the population, this often (but not always) results
in fewer items to test overall, and thus is an approach recommended for consideration by audit
teams.
There may be other characteristics of an item that may influence the auditor’s decision to select
it for specific testing. These include:
• Items which appear to be materially lower than expected i.e. potentially materially
understated;
• Balances or transaction relating to related parties, including management, those
charged with governance and other components within a group;
• Any other characteristic that the auditor considers to be unusual or unexpected and
meriting of further audit attention.
Setting aside items above a certain value or with certain characteristics for specific testing is a
form of stratification.
The auditor may also wish to consider stratifying the population based on other characteristics.
Examples include:
• Risk – It may be appropriate to test revenue streams with different inherent risk profiles
separately.
• Control reliance – relying on controls may be appropriate for cash sales and online
sales, but not for business to business sales on credit.
Stratification is considered in more detail in Appendix 1.
Required level of audit confidence
The level of audit confidence is usually set at 90%. Audit confidence is set for the audit
engagement as a whole and is not generally amended for individual substantive tests of details.
The auditor may increase audit confidence to 95% based on their professional judgment, the
legal and regulatory requirements in their jurisdiction or their firm’s internal policies.
The assessed level of inherent risk
The assessed level of inherent risk is carried forward from the risk assessment phase of the
audit and is used in the sample calculator to reduce sample sizes where inherent risk is below
the maximum “Upper end” i.e. inherent risk is assessed as either “Lower” or “Higher”.
Control reliance
Control reliance is carried forward from the risk assessment phase of the audit and is used in
the sample calculator to reduce sample sizes where a degree of reliance is being placed on the
operational effectiveness of controls.
The level of audit evidence from substantive analytical procedures
Where appropriate audit evidence is available from substantive analytical procedures, the
sample size is reduced.
Page | 163
Audit Manual
Version 7 (2022)
Tolerable misstatement
Tolerable misstatement is the amount set by the auditor for which they seek to obtain
appropriate assurance that the monetary amount set is not exceeded by the actual
misstatement in the population. This is typically set as Performance Materiality, and should not
be set higher than this. Lowering tolerable misstatement is one of the options the auditor has to
increase the assurance obtained from a test.
Expected misstatement
The expected misstatement is the monetary amount of misstatements which the auditor
anticipates will be identified by the sample test. Factors relevant to the auditor’s consideration of
the expected misstatement amount include the extent to which item values are determined
subjectively, the results of risk assessment procedures, the results of tests of control, the results
of audit procedures applied in prior periods, and the results of other substantive procedures.
There is no default setting for expected misstatement and the auditor uses their judgment in
setting this amount. However:
a) It is expected to be very rare that the expected misstatement could legitimately be set
as zero. For the majority of continuing audit engagements, it is expected that there will
have been at least some trivial errors identified in previous years, and thus even in the
absence of other information or expectations, the clearly trivial amount may be
appropriate. As trivial errors are not required to be documented on the list of unadjusted
errors under ISA 450.5, the auditor would review the prior year’s file in detail to ensure
that no such errors had been identified, in order to justify setting the expected
misstatement lower than this.
b) There are a number of factors which may cause the auditor to set the expected
misstatement at a level greater than the clearly trivial amount. These include:
• Large volume and/or magnitude of errors identified in prior years.
• Weak operational effectiveness of controls
• High(er) levels of assessed inherent risk
The expected misstatement may also need to be amended during the audit. For example, if the
actual errors found on substantive tests are significantly higher than expected, the auditor
increases the level of expected misstatement, reassesses the sample size and, if necessary,
extends the sample tested.
Minimum sample sizes for statistical sampling
The statistical calculator applies a minimum sample size as per the table below:
Level of control reliance
High Moderate Low No reliance/

not tested
Lower 5 5 6 7
Inherent
Higher 5 7 9 10
risk
Upper end 7 9 10 20
Page | 164
Audit Manual
Version 7 (2022)

The sample calculator worksheet is used to determine sample sizes (SAMP – Worksheet –
Substantive sampling – Tests of details). The auditor selects “Statistical” as the type of sampling
to be used in the sample calculator worksheet:
The auditor is then presented with options to select between two layouts:
• Summary view - this does not display any of the underlying calculations, and only shows
the calculated sample size and sampling interval.
• Detailed view – this shows the sample size calculation as well as the calculated sample
size and sampling interval.
The sample calculator worksheet is then used to record the above factors and generate the
audit sample size.
4.2.5.2 Non-statistical sampling

Non-statistical sampling involves the use of auditor judgment to determine an appropriate
sample size. The sample size selected reflects the risk being addressed and as such if the
auditor requires more assurance, i.e. for a higher risk of misstatement, then a larger sample size
is necessary. In determining non-statistical sample sizes for tests of details, the table below set
out the starting point , taking into account audit confidence and inherent risk, before
consideration of other factors mentioned in 4.2.5 (see below).
90% audit confidence

Inherent risk
Population size Lower Higher Upper end
50-499 5 10 20
500-999 6 12 24
1,000-1,499 8 18 36
1,500 – 1,999 12 24 48
2,000+ items 15 30 60
95% audit confidence

Inherent risk
Population size Lower Higher Upper end
50-499 7 15 30
500-999 9 18 36
1,000-1,499 13 27 54
1,500 – 1,999 18 36 72
2,000+ items 22 45 90
Page | 165
Audit Manual
Version 7 (2022)
For populations below 2,000 (i.e. not large) alternative methods of obtaining sufficient
appropriate evidence may be more efficient, but that does not preclude extrapolating based on
these sample sizes. For populations of less than 50 items, it is highly likely that other testing
methods (e.g. specific item testing) will be more efficient or that testing 100% may be required if
the aggregate of the items is material.
Using the tables above as a basis for the initial determination of a non-statistical sample size for
substantive tests of details, the impact of the factors set out below is also taken into account in
determining the final sample size.
The nature of the population
The non-statistical sample calculator allows the auditor to adjust the size of the population to be
sampled for items tested specifically, in an identical way to the statistical calculator. Again, items
which are individually greater than performance materiality or have other relevant
characteristics (as described in 4.2.5.1 above) are typically chosen for testing, with sampling
applied to the residual population.
Because the starting point for non-statistical sampling is based on the size of the population,
stratification is dealt with automatically by adjusting the population for items tested specifically.
However, since the non-statistical method is based on population size and not value, use of the
statistical method may be more appropriate in such circumstances.
Where the auditor elects to sub-divide the population and subject each sub-population to
sampling (e.g. through stratification by risk), the non-statistical sampling methodology is applied
separately to each sub-population.
Control reliance
Control reliance is carried forward from the risk assessment phase of the audit and is used in
the non-statistical sample calculator to reduce sample sizes where there is planned reliance on
controls.
The level of audit evidence from substantive analytical procedures
Where appropriate audit evidence is available from substantive analytical procedures, the
sample size is reduced.
Tolerable misstatement
The non-statistical sample calculator will increase the sample size where tolerable misstatement
is set below Performance Materiality.
Expected misstatement
The non-statistical sample calculator will increase the sample size where the expected
misstatement is set higher than the clearly trivial level, and will reduce the sample size where the
expected misstatement is set lower than the clearly trivial level. Setting the expected
misstatement is described in detail in 4.2.5.1 above.
Minimum sample size for non-statistical sampling
The non-statistical sample calculator applies the same minimum sample sizes as the statistical
calculator, as set out in the table in 4.2.5.1 above.
Page | 166
Audit Manual
Version 7 (2022)

The sample calculator worksheet is used to determine sample sizes (SAMP – Worksheet –
Substantive sampling – Tests of details). The auditor selects “Non-statistical” as the type of
sampling to be used in the sample calculator worksheet:
Examples
Example 1 – Small population
Population of trade receivables with 1,200 individual invoices with no controls assurance
obtained:
Factor Comments Sample Size /
impact
Number of sampling units in the 1,000 to 1,499
residual population
The desired level of audit Set at 90% 18

confidence
Inherent risk assessment Set as Higher
Level of reliance on controls Controls are not being relied upon. 0
Level of reliance on substantive A substantive analytical procedure -2

analytical procedures covering the existence assertion for trade
addressing the assertion(s) at receivables has been satisfactorily
risk performed.
The tolerable misstatement Performance materiality is used as the 0

tolerable misstatement
The expected misstatement The expected misstatement is set at the 0

clearly trivial level.
Sample size determined 16
Page | 167
Audit Manual
Version 7 (2022)
Example 2 – Minimum sample size
Population of trade receivables with 1,200 individual invoices with controls assurance obtained

impact
Number of sampling units in the 1,000 to 1,499
residual population

confidence
Level of reliance on controls Controls reliance is set as High. -10

risk performed.

The expected misstatement The expected misstatement is NIL based -2

on the experience from prior audits
MINIMUM SAMPLE SIZE 5

DETERMINED
Note: The non-statistical sample calculator will automatically apply the minimum sample sizes as
applicable. Note that this is the minimum for sampling; any items set aside for specific testing
are tested in addition.
Page | 168
Audit Manual
Version 7 (2022)
Example 3 – Large population
Population of trade receivables with over 2,000 individual invoices with no controls assurance
obtained and errors identified in previous audits

impact
Number of sampling units in the Over 2,000
population

confidence
Level of reliance on controls Controls are not being relied upon. 0

risk performed

The expected misstatement Misstatements in excess of the clearly +5

trivial threshold are expected based on the
experience of prior audits
4.2.6 Determining the items for selection

The auditor is required to select items for the sample in such a way that each sampling unit in
the population has a chance of selection, although not necessarily the same chance of
selection. It is important that the auditor selects a representative sample so that bias is avoided,
by choosing items which have characteristics typical of the population.
To determine which items will be selected the auditor can use a variety of methods as set out in
ISA 230:
Method Description
Random selection Samples are selected through random number generators, e.g. the
random function in Excel or random number tables.
If using Excel to generate random numbers, it is recommended that a

screenshot be taken or that the numbers are copied and pasted as
values in order to retain them as part of the documentation on the
audit file, as the formulae will refresh the answers generated every time
the Excel workbook is amended in any way.
Page | 169
Audit Manual
Version 7 (2022)
Method Description
Interval / systematic • The number of sampling units in the residual population is
selection divided by the sample size to give a sampling interval, for
example 50. Note that the sample calculator identifies the
interval for both statistical and non-statistical samples.
• The starting point is determined using a random number
generator and then every sampling unit thereafter is selected
according to the calculated interval, i.e. every 50th sampling
unit after the random number for this example.
• Determine that sampling units within the population are not
structured in such a way that the sampling interval corresponds
with a particular pattern in the population.
Monetary unit • MUS is a type of value-weighted selection (see Appendix 1) in

sampling (MUS) which sample size, section and evaluation results in monetary
amounts.
• The sampling unit is defined as the feature such as a
customer’s balance or invoice that make up a population.
• The sampling interval is calculated using interval / systematic
selection as described above.
• Each selected dollar acts as the basis for selecting the
sampling unit. For example, if auditing accounts receivable, you
would examine the individual debtors that contain the selected
monetary units, based off the interval.
Haphazard • Samples are selected without following a structured technique.

selection • Conscious bias or predictability must be avoided (for example,
avoiding items that are difficult to locate or always choosing or
avoiding the first or last items on a page) to ensure that all
items in the population have a chance of selection.
• Haphazard selection is typically not preferred as there is an
increased likelihood of bias in the selection of the sampling
items, by the auditor. As such where haphazard selection is
used as a selection method the auditor documents clearly why
it is appropriate and how they sought to remove bias from the
sample selection and considers whether it is appropriate to
extrapolate the results to the population.
• Haphazard selection is not permitted when using statistical
sampling (see paragraph (d) of Appendix 4 to ISA 530).
Monetary Unit Sampling “MUS”
Where MUS is used to select sampling units from a population, each selected individual dollar is
associated with a tangible feature e.g. a customer’s balance or invoice. The tangible features
i.e. the debtor or the invoice are the sampling units that will be examined - each selected dollar
merely acts as the basis for the selection of the entire tangible feature in which it occurs. Where
there are individual sampling units with a value greater than the sampling interval, the number of
sampling units may be fewer than the sample size.
Page | 170
Audit Manual
Version 7 (2022)
A common mistake is that users treat each individual dollar as a sampling unit. So, for example,
when assessing whether a population is large, they consider all populations with a value greater
than $2,000 to be large because it comprises 2,000 individual $1 sampling units.
It is not always effective to apply MUS and your understanding of the entity and the identified
inherent risk must be considered before applying this (or any other) sample selection approach.
An example of where MUS may not be effective is where an entity’s receivables balances are
comprised of a large number of invoices and existence cannot be audited using confirmations or
subsequent receipts testing. If a sample size of 20 was calculated, it would be necessary to
vouch evidence confirming that a legally recoverable debt exists (e.g. proof of delivery) for all
invoices making up the balances of all 20 debtors selected. If you only selected a sample of
invoices making up each debtor balance you would be auditing a sample of a sample which is
not permitted. In this instance, depending on how the entity is structured, it may be more
effective and efficient to select invoices – rather than each individual debtor – as your sampling
unit (tangible feature).
Using the example above, if an entity’s credit policy required all debtors to settle their accounts
within 30 days and strong internal controls enforced such a policy, subsequent receipts testing
might be possible. Applying MUS might then be the most effective and efficient approach as the
number of debtors that would need to be verified may be reduced below 20 as the larger debtor
balances would contain more than one sampling unit.
Example – Monetary unit sampling
For a population of $3,500,000 of trade receivables, the auditor requires 90% audit confidence
and sets inherent risk as Lower. Tolerable misstatement is set at the performance materiality
level of $70,000 and the expected misstatement as nil. No reliance is placed on controls or
substantive analytical procedures
Inputting this information into the sample calculator, a statistical sample size of 35 is produced.
In this instance MUS may provide effectiveness benefits if the sampling interval is smaller than
at least one of the invoices in the receivables population. With a population value of $3,500,000
and a sample size of 35, the sampling interval will be $100,000.
Therefore, if there is one or more invoices with an individual value greater than $100,000, more
than one of the $ intervals may be included for a single invoice, thus reducing the number of
invoices tested.
4.2.7 Performing audit procedures when sampling

The auditor is required to perform audit procedures appropriate to the purpose of the test on
each item selected. If the audit procedure is not applicable for a selected item, the auditor is
required to perform the procedure on a replacement item. For example, when a voided check is
selected for testing for evidence of payment authorisation, the auditor selects a replacement
item having satisfied themselves that the check has been appropriately voided.
If the auditor is unable to apply the designed audit procedures, or suitable alternative
procedures, to a selected item, the auditor is required to treat that item as a misstatement in the
case of tests of details. For example, the auditor may be unable to apply the procedure to a
selected item where documentation related to that item has been lost. As example of alternative
Page | 171
Audit Manual
Version 7 (2022)
procedures might be the examination of subsequent cash receipts together with evidence of
their source and the times they are intended to settle when no reply has been received to a
debtor confirmation.
4.2.8 Investigating the nature and cause of misstatements

The auditor is required to investigate the nature and cause of any misstatements identified in the
items tested, and to evaluate their possible effect on the purpose of the audit procedure and on
other areas of the audit. In the extremely rare circumstances where the auditor considers a
misstatement to be an anomaly, they are required to perform additional audit procedures to
obtain sufficient appropriate audit evidence that the anomaly does not affect the remainder of
the population.
In investigating the nature and cause of misstatements the auditor considers whether the
identified items have a common feature, such as type of transaction, location, product line or
period of time, incorrect taxation treatment, including or excluding a handling or shipping
charge, particular person processing the transactions etc. Where a common feature is
identified, the auditor may decide to identify all items within the population sharing that feature
and extend audit procedures to those items. The procedures performed will depend on the
nature of the feature and the impact on the financial statements. Where such misstatements
arise from intentional acts by management, they may indicate the possibility of fraud.
4.2.9 Projecting misstatements

For tests of details, the auditor is required to project misstatements identified in the sample to
the population to obtain a broad view of the scale of misstatement. However, this projection may
not be sufficient to determine an amount to be recorded. Any uncorrected misstatements
established to be an anomaly may be excluded when projecting misstatements to the
population, but the effect of any such misstatements still to be considered in addition to the
projection of other misstatements.
To assess any misstatements the auditor considers both the identified or factual error and
projected error. The auditor takes all factual errors greater than the amount determined to be
clearly trivial (Section 3.2.6) to the summary of identified misstatements. Additionally, the
auditor projects the error to the population as a whole, using the following formula:
Total Error = (Total population Value / Value of Sample selected) x Error in tested population
Example
Population tested $3,500,000
Value of sample selected $430,000
Errors identified $12,000
Total error ($3,500,000 / $430,000) * $12,000 = $97,674
The total error of $97,674 is comprised of:
Factual Error $12,000
Projected Error $85,674
Page | 172
Audit Manual
Version 7 (2022)
4.2.10 Evaluating results of audit sampling

In forming a conclusion on the test, the auditor is required to evaluate the results of the sample
and whether the use of audit sampling has provided a reasonable basis for conclusions about
the population that has been tested.
The total error is the auditor’s best estimate of misstatement in the population, and when this
exceeds tolerable misstatement, the sample does not provide a reasonable basis for the
conclusions about the population. The closer the total error is to tolerable misstatement the
more likely it is that the actual misstatement in the population may exceed tolerable
misstatement. Also, if the projected misstatement is greater than expected misstatement, the
auditor may conclude that there is an unacceptable sampling risk that the actual misstatement
in the population may exceed tolerable misstatement. This risk may be reduced if additional
audit evidence is obtained from other audit procedures.
The potential outcomes from the auditor’s assessment of misstatements are set out in the table
below:
No. Outcome Conclusion

1 No misstatements found The test would be considered to have concluded
successfully.
2 Misstatements found which The misstatements would be documented in the work

factually and on a projected paper as would the calculation of the misstatement.
basis are lower than clearly However, the misstatement would not be recorded in
trivial the Summary of Identified Misstatements and the test
would be considered to have concluded successfully.

factually are lower than clearly paper as would the calculation of the misstatement.
trivial but on a projected basis
The factual and projected error would be recorded on
are greater than clearly trivial
the Summary of Identified Misstatements and the test
but less than performance
would be considered to have concluded successfully,
materiality
subject to the evaluation of the Summary of Identified
Misstatements in total at the end of the audit.

factually are greater than paper as would the calculation of the misstatement.
clearly trivial and on a
The factual and projected error would be recorded on
projected basis are lower than
the Summary of Identified Misstatements and the test
performance materiality
would be considered to have concluded successfully,
subject to the evaluation of the Summary of Identified
Misstatements in total at the end of the audit.
Page | 173
Audit Manual
Version 7 (2022)
No. Outcome Conclusion

5 Misstatements found which The misstatements indicate the test fails to provide
factually are greater than sufficient appropriate audit evidence.
clearly trivial and on a
The auditor either:
projected basis are greater
than performance materiality * • Extends the sampling to determine if the errors
identified relate to a sampling issue or whether
there is a material misstatement.
• Performs a new test on the remaining
population and treats the existing test as a
standalone test of those specific items.
• Performs other audit procedures to obtain
sufficient appropriate audit evidence
6 Misstatements found which In this instance the test would be considered to have
factually are greater than failed to provide sufficient appropriate audit evidence.
performance materiality
As the factual error is greater than performance
materiality, and the projection will be greater still, a
material misstatement exists. (See Section 5.3 –
Evaluating audit results).
The auditor considers the implications of such findings

for their audit report and requests management to
correct those misstatements (ISA 450.8).
* Outcome 5: If the auditor concludes that the audit sampling fails to provide a reasonable basis
for conclusions about the population, the auditor may:
• request management to investigate misstatements that have been identified and the
potential for further misstatements and to make any adjustments, or
• request that the client adjusts the factual misstatement and extend the testing to
determine if the error was due to sampling risk i.e. that the findings did not represent the
true nature of the population. If the auditor elects to extend the testing, the confidence
factor used in the sample calculator is increased by one or more increments (i.e. if it was
80% then increase the confidence interval to at least 85%). The final error is then
calculated using the following formula.
Revised Total Error = ((Total population Value less the population tested / Value of the
extended Sample selected) * Error in the extended tested population)
• Request the client to adjust the factual misstatement and perform a new test over the
untested items to determine whether there is a misstatement. In this situation, an entirely
new sample is selected and potentially a different test may be selected to address the
relevant assertions. The auditor may use their judgment to increase the sample size for
this second test.
Page | 174
Audit Manual
Version 7 (2022)
Appendix 1 Stratification and Value-Weighted Selection

In considering the characteristics of the population from which the sample will be drawn, the
auditor may determine that stratification or value-weighted selection is appropriate. This
Appendix provides guidance to the auditor on the use of stratification and value weighted
sampling techniques.
Stratification
Audit efficiency may be improved if the auditor stratifies a population by dividing it into discrete
sub-populations which have an identifying characteristic. The objective of stratification is to
reduce the variability of items within each stratum and therefore allow sample size to be
reduced without increasing sampling risk.
When performing tests of details, the population is often stratified by monetary value. This allows
greater audit effort to be directed to the higher value items, as these items may contain the
greatest potential misstatement in terms of overstatement. Similarly, a population may be
stratified according to a particular characteristic that indicates a higher risk of misstatement, for
example, when testing the allowance for doubtful accounts in the valuation of accounts
receivable, balances may be stratified by age.
The results of audit procedures applied to a sample of items within a stratum can only be
projected to the items that make up that stratum. To draw a conclusion on the entire population,
the auditor will need to consider the risk of material misstatement in relation to whatever other
strata make up the entire population. For example, 20% of the items in a population may make
up 90% of the value of an account balance. The auditor may decide to examine a sample of
these items. The auditor evaluates the results of this sample and reaches a conclusion on the
90% of value separately from the remaining 10% (on which a further sample or other means of
gathering audit evidence will be used, or which may be considered immaterial).
If a class of transactions or account balance has been divided into strata, the misstatement is
projected for each stratum separately. Projected misstatements for each stratum are then
combined when considering the possible effect of misstatements on the total class of
transactions or account balance.
Example of how stratification reduces the sample size applicable to a stratum:
• Total Population of $3,500,000

• 90% is in one stratum $3,150,000
• Audit confidence 90%
• Performance materiality (and tolerable misstatement) $70,000
• Expected misstatement $5,000
• Inherent risk is set as Upper End
• Control reliance is set as Moderate
• SAPs are not performed
Sample for the total population is 60.
If the sample is calculated for the 90% stratum the size is 54, remembering that the item(s) in
the other stratum also need to be tested. Note the full performance materiality can be used for
this stratum in calculating the sample size.
Page | 175
Audit Manual
Version 7 (2022)
Audit teams may also wish to consider stratifying the population by inherent risk. For
populations with significant risks of material misstatement, it may be possible to justify applying
the highest level of risk to only part of the population, and to determine separate samples for
each sub-population. For example, when testing the occurrence of revenue, cash-settled
revenue may be at a lower level of risk than unsettled revenue transactions.
Value-Weighted Selection (See Also Monetary Unit Sampling)
When performing tests of details it may be efficient to identify the sampling unit as the individual
monetary units that make up the population. Having selected specific monetary units from within
the population, for example, the accounts receivable balance, the auditor may then examine the
particular items, for example, individual balances, that contain those monetary units. One
benefit of this approach to defining the sampling unit is that audit effort is directed to the higher
value items because they have a greater chance of selection and can result in smaller sample
sizes.
Page | 176
Audit Manual
Version 7 (2022)
4.3 Responding to financial statement level risks
Contents
4.3.1 Introduction
4.3.2 Responding to financial statement level risks classified as business related
4.3.3 Responding to financial statement level risks due to fraud
Objective The objective of the auditor is to obtain sufficient appropriate

audit evidence regarding the assessed risks of material
misstatement, thought designing and implementing appropriate
responses to those risks. (ISA 330.3).

• ISA 315 Understanding the Entity and its Environment
and Assessing the Risk of Material Misstatement
Global Focus software Form FSA

Form 520E Risk Report
Form 530 Financial Statement Level Risks and Controls
Form 605 Responding to risk at the financial statement level
Policy requirements
(if any)
Page | 177
Audit Manual
Version 7 (2022)
4.3.1 Introduction
The auditor is required to design and implement overall responses to address the assessed
risks of materiality misstatement at the financial statement level. The auditor’s response will
differ depending upon whether the financial statement level risk is assessed as a Business or
Fraud risk, with specific requirements in ISA 240 relating to fraud risks at the financial statement
level.
4.3.2 Responding to financial statement level risks classified as business related

The auditor responds to financial statement level risks with an overall audit response, which may
include, for example:
• Emphasising to the audit team the need to maintain professional skepticism highlighting
any particular areas of concern where management may apply their judgment.
• Assigning more experienced staff or those with special skills or using experts.
• Providing more supervision.
• Incorporating additional elements of unpredictability in the selection of further audit
procedures to be performed.
• Making general changes to the nature, timing or extent of audit procedures, for
example: performing substantive procedures at period end instead of at an interim date
or modifying the nature of audit procedures to obtain more persuasive audit evidence.
An effective control environment may allow the engagement team to have more confidence in
internal control and the reliability of audit evidence generated internally within the entity.
Deficiencies in the control environment would have the opposite effect. Such considerations
have a significant bearing on the engagement team’s general approach, including whether there
will be an emphasis on substantive procedures or the use tests of controls as well as
substantive procedures. For example, when there are deficiencies in the control environment,
the engagement team may decide to:
• Amend their approach, reducing reliance on controls

• Conduct more audit procedures as of the period end rather than at an interim date
• Obtain more extensive audit evidence from substantive procedures
• Increase the number of locations to be included in the audit scope.
4.3.3 Responding to financial statement level risks due to fraud

There are specific requirements in ISA 240 in relation to determining overall responses to
address the identified and assessed risks of material misstatement due to fraud at the financial
statement level. For fraud risks, the engagement team is required to:
a. Assign and supervise personnel taking into account of the knowledge, skill, and ability of
the individuals to be given significant engagement responsibilities and the engagement
team’s assessment of the risks of material misstatement due to fraud for the
engagement;
b. Evaluate whether the selection and application of accounting policies by the entity,
particularly those related to subjective measurements and complex transactions, may be
indicative of fraudulent financial reporting resulting from management’s effort to manage
earnings; and
Page | 178
Audit Manual
Version 7 (2022)
c. Incorporate an element of unpredictability in the selection of the nature, timing, and

extent of audit procedures. (ISA 240.30)
Determining overall responses to address identified and assessed financial statement level risks
due to fraud involves more general considerations apart from the specific procedures otherwise
planned, including increased sensitivity in selecting audit procedures to obtain more reliable
audit evidence and increased recognition of the need to obtain corroborating audit evidence.
(ISA 240.A34)
Generally, determining overall responses includes consideration of how the overall conduct of
the audit can reflect increased professional skepticism, for example, through:
• Obtaining more reliable audit evidence to corroborate management’s explanations or

representations concerning important matters, such as through third party confirmation,
use of an auditor’s expert, or examining documentation from independent sources.
• Obtaining sufficiently reliable audit evidence regarding information produced by the
entity used in performing audit procedures in response to fraud risks. The engagement
team may also apply professional skepticism by increasing their sensitivity in the
selection of the nature and extent of documents to be examined in support of significant
or material classes of transactions, account balances, or disclosures.
The following provides additional considerations related to the requirement for overall responses
to address the identified and assessed risks of material misstatement due to fraud at the
financial statement level.
Assigning and supervising personnel
The engagement team may assign additional individuals with specialised skills or knowledge,
such as individuals with industry, forensic, or IT experience, or assign more experienced
individuals to the engagement (ISA 240.A35). The extent of supervision reflects the
engagement team’s assessment of the risks of material misstatement due to fraud and the
competencies of the engagement team members performing the work. (ISA 240.A36)
Evaluating selection and application of accounting policies
Financial reporting frameworks ordinarily allow for the entity to make accounting estimates and
judgments about accounting policies and financial statement disclosures (ISA 260.A19). The
selection and application of accounting policies, particularly those related to subjective
measurements and complex transactions, may indicate bias on the part of the entity’s
management that could lead to material misstatement of the financial statements. The
engagement team is required to perform specific procedures in regard to reviewing accounting
estimates for biases in response to the risks of management override of controls.
Incorporating element of unpredictability
Incorporating an element of unpredictability in the selection of the nature, timing, and extent of
audit procedures to be performed is important because individuals within the entity who are
familiar with the audit procedures normally performed on engagements may be more able to
conceal fraudulent financial reporting (ISA 240.A37).
Page | 179
Audit Manual
Version 7 (2022)
Incorporating an element of unpredictability can be achieved, for example, by:
• Performing substantive procedures on account balances, disclosures, and assertions

that would not otherwise be tested due to their size or composition or the engagement
team’s assessment of risk.
• Adjusting the timing of audit procedures from that otherwise expected or generally
varying the timing of audit procedures from period to period.
• Using different sampling methods or selecting items for testing that have lower amounts
or are otherwise outside typical selection parameters.
• Performing audit procedures at different locations or generally varying the locations from
period to period.
• Varying the nature, timing, and extent of audit procedures at locations from period to
period
• Performing audit procedures on an unannounced basis, including audit procedures on
unannounced locations.

Responses to financial statement level risks are documented in Form 605.
Page | 180
Audit Manual
Version 7 (2022)
4.4 Responding to Assertion Level Risks
Contents
4.4.1 Introduction
4.4.2 Audit procedures and the risk of material misstatement
4.4.3 Types of audit procedures to respond to risk of material misstatement
4.4.4 Testing opening balances and corresponding/comparative figures
4.4.4.1 Opening balances
4.4.4.2 Corresponding/comparative figures
Objective The objective of the auditor is to design and perform audit

procedures in such a way as to enable the auditor to obtain
sufficient appropriate audit evidence to be able to draw
reasonable conclusions on which to base the auditor’s opinion.
Global Focus software The nature, timing and extent of procedures required to respond
to assertion level risks is considered when developing audit
work programs in Global Focus.
Policy requirements
(if any)
Page | 181
Audit Manual
Version 7 (2022)
4.4.1 Introduction
The auditor designs and performs audit procedures to respond to the identified and assessed
risks of material misstatement at the assertion level. The nature, timing and extent of audit
procedures responds to the level of risk identified, with more reliable, persuasive evidence
required for higher assessed levels of risk.
4.4.2 Audit procedures and the risk of material misstatement

Designing audit procedures whose nature, timing, and extent are based on and responsive to
the assertion level risk provides a clear linkage between the audit procedures and the risk
assessment. The diagram below indicates the typical relationship between the nature, timing
and extent of procedures to respond to the level of risk identified:
When developing a suitable response to audit risks the auditor considers how best to obtain
sufficient appropriate audit evidence to address the risk. For a higher assessed risk of material
misstatement, the auditor typically requires more (sufficient) relevant & reliable (appropriate)
audit evidence. In general, as the level of risk increases:
• The nature of procedures provides more reliable and persuasive audit evidence, for
example by placing more emphasis on obtaining third party evidence or by obtaining
corroborating evidence from a number of different sources
• The extent (quantity) of audit evidence increases (for example, the audit sampling
calculator takes account of the level of risk when determining sample sizes)
For higher levels of risk, including significant risks, the timing of work is typically more likely to be
performed at year end, unless the risk relates to an in-year transaction which can be effectively
audited at an interim date (e.g. there is a major single transaction during the year which gives
rise to a significant risk where the auditor can audit the transaction at an interim date).
Further information on nature, timing and extent of audit procedures can be found in Section 4.1
and audit sampling in Section 4.2 of the audit manual.
4.4.3 Types of audit procedures to respond to risk of material misstatement

When developing a response to an assessed risk of material misstatement the auditor may
undertake any or a combination of the following audit procedures, the precise combination of
Page | 182
Audit Manual
Version 7 (2022)
which would be affected by the level of risk assessed and the nature of the assertion(s) being
tested.
Tests of controls: When testing controls which we have evaluated as being designed and
implemented appropriately, we are looking to gain assurance that the controls are operating
effectively. Tests of controls are performed only when the auditor intends to rely on the
operation of those controls in their audit procedures.
Substantive procedures: Substantive procedures are designed to detect material misstatements

at the assertion level and comprise:
• Substantive analytical procedures, and

• Tests of details.
Substantive procedures are performed for:
• risks of material misstatement at the assertion level for significant classes of

transactions, account balances, and disclosures
• Significant risks at the assertion level; (Note: when the approach only consists of
substantive procedures, those procedures are required to include tests of details)
• Each material class of transactions, account balance, and disclosure
• Financial statement closing process.
Further details of the audit procedures to be performed are set out in the remainder of Section 4
of the Audit Manual.
4.4.4 Testing opening balances and corresponding/comparative figures

For all audits other than an entity’s first accounting period, the opening balances and
corresponding/comparative figures are checked.
4.4.4.1 Opening balances

For initial audit engagements (i.e. those that are new to the firm in the current period), Form 408
covers the requirements of ISA 510.
For continuing audit engagements, Form 600 contains a test to check that the opening share
capital and reserves agree to the closing balances per the prior period’s financial statements
(whether these were audited or not). It also gives the auditor the option to check all other
opening balances in the balance sheet or statement of financial position on a line by line basis if
considered necessary.
4.4.4.2 Corresponding/comparative figures

ISA 710 contains the following definitions:
Term Definition
Comparative information The amounts and disclosures included in the financial
statements in respect of one or more prior periods in
accordance with the applicable financial reporting
framework.
Page | 183
Audit Manual
Version 7 (2022)
Term Definition
Corresponding figures Comparative information where amounts and other
disclosures for the prior period are included as an integral
part of the current period financial statements, and are
intended to be read only in relation to the amounts and
disclosures relating to the current period. The level of
detail presented in corresponding amounts and
disclosures is dictated primarily by its relevance to the
current period figures.
Comparative financial Comparative information where amounts and other

statements disclosures for the prior period are included for
comparison with the financial statements of the current
period but, if audited, are referred to in the auditor’s
opinion. The level of information included in those
comparative financial statements is comparable with that
of the financial statements of the current period.
Corresponding figures are the most common in sets of financial statements.
Whichever type of comparative information is included, the auditor checks it against the prior
period’s financial statements, especially where there is a need to amend that information, for
example:
• the entity has changed financial reporting framework in the current period;
• there have been changes in accounting policy during the current period; or
• a material misstatement relating to the prior period has been identified.

Form 600 Opening balances and corresponding/comparative figures. For initial audit
engagements, the requirements of ISA 510 are covered in Form 408 Initial Audit Engagement –
Opening balances (See Section 2).
Page | 184
Audit Manual
Version 7 (2022)
4.5 Responding to Significant Risks
Contents
4.5.1 Introduction
4.5.2 Responding to significant risk at the assertion level
4.5.3 Responding to risk of management override of controls
4.5.3.1 Journal entries and other adjustments
4.5.3.2 Reviewing accounting estimates for evidence of management bias
4.5.3.3 Significant transactions outside the normal course of business
4.5.4 Responding to significant risk of fraud in revenue recognition
4.5.4.1 Responding to risks related to the occurrence of revenue
Objective The objective of the auditor is to:
• identify and assess the risks of material misstatement of

the financial statements due to fraud (ISA 240. 11(a))
• obtain sufficient appropriate audit evidence regarding
the assessed risks of material misstatement due to
fraud, through designing and implementing appropriate
responses (ISA 240.11(b))
• obtain sufficient appropriate audit evidence regarding
the assessed risks of material misstatement, through
designing and implementing appropriate responses to
those risks (ISA 330.3)
• design and perform audit procedures in such a way as
to enable the auditor to obtain sufficient appropriate
audit evidence to be able to draw reasonable
conclusions on which to base the auditor’s opinion
(ISA 500.4)

an audit of financial statements
Global Focus software The nature, timing and extent of procedures in response to
significant risks is considered when developing audit work
programs in Global Focus.
Policy requirements Even where the auditor does not intend to test the operating
(if any) effectiveness of controls, they are required to obtain an
understanding of controls over significant risks.
When relying on the operating effectiveness of relevant controls,

those controls are required to be tested in the current period.
Tests of details are required if tests of controls are not

performed in the current period. Substantive analytical
Page | 185
Audit Manual
Version 7 (2022)
procedures alone are not sufficient as a response to a significant

risk at the assertion level.
{Member firms using Inflo may wish to consider establishing firm

policy on the use of transaction groupings for investigating out of
cycle transactions when using Inflo’s Revenue Cascade Module
– see Section 4.5.4.1 below}
4.5.1 Introduction
As part of the risk assessment, the auditor is required to determine whether any of the risks
identified are significant risks (See Section 3.5.7.1 for identification of significant risks).
Responding to significant risks at the assertion level involves applying professional judgment in
the design and performance of appropriate audit procedures. The response may include
changing the nature, timing, or extent of substantive procedures to obtain more reliable and
relevant audit evidence, as well as assigning engagement team members with appropriate
levels of capabilities and competence to perform such procedures. Incorporating an element of
unpredictability in audit procedures may also be important in responding to fraud risks.
When relying on the operating effectiveness of relevant controls over significant risks, those
controls are required to be tested in the current period. Tests of details are required if tests of
controls are not performed in the current period. Substantive analytical procedures alone are
not sufficient as a response to a significant risk at the assertion level.
All identified fraud risks, whether due to fraudulent financial reporting or misappropriation of
assets, are significant risks, which includes the presumed risks of management override of
controls and of fraud in revenue recognition established by ISA 240.
4.5.2 Responding to significant risk at the assertion level

The diagram below summarises the responses, and combinations of response available when
designing audit procedures in response to a significant risk at the assertion level:
When responding to significant risks, the auditor typically varies the nature, timing, or extent of
substantive procedures to obtain more reliable and relevant audit evidence, such as increasing
sample sizes or obtaining third party evidence. The Global Focus sampling methodology
(Section 4.2) takes account of the need for increased audit evidence by reflecting the level of
risk in the sample sizes determined.
Page | 186
Audit Manual
Version 7 (2022)
The auditor may choose to perform any of the following combinations of procedures in
responding to a significant risk at the assertion level:
• Tests of controls along with substantive procedures

o When relying on the operating effectiveness of relevant controls, those controls
are required to be tested in the current period
o Tests of detail are required if tests of controls are not performed in the current
period
o Where tests of controls are successfully performed the substantive procedures
may be any or a combination of substantive analytical procedures or tests of
detail
o However, for many significant risks, controls and substantive analytical
procedures alone may not provide sufficient assurance
• Tests of details only
o Where the auditor is unable to, or chooses not to, rely on the operating
effectiveness of controls tests of details are required
o The extent of tests of details (i.e. sample sizes) will typically be higher for
significant risks than for lower risks of material misstatement, and the Global
Focus sample calculator includes factors taking account of risk assessment (see
Section 4.2).
• Substantive analytical procedures and tests of details
o Substantive analytical procedures alone are not sufficient as a response to a
significant risk at the assertion level
o Tests of details are required if tests of controls are not performed in the current
period
o It may be appropriate for the auditor to undertake a combination of SAPs and
tests of details. In this situation the audit sampling calculator includes the option
for the auditor to consider audit evidence obtained from SAPs when determining
the sample size (see Section 4.2).
Even where the auditor does not intend to test the operating effectiveness of controls, they are
required to obtain an understanding of controls over significant risks.
The following diagram summarises permitted testing strategies in response to significant risks.
Page | 187
Audit Manual
Version 7 (2022)
Further information can be found in the audit manual on audit sampling (Section 4.2),
Substantive Analytical Procedures (Section 4.6) and Tests of Controls (Section 4.7).
4.5.3 Responding to risk of management override of controls

The risk of management override of controls is a pre-populated risk card in Global Focus. In
response to the presumed fraud risk related to management override of controls, specific audit
procedures are performed irrespective of the risk assessment. These procedures relate to:
• Journal entries and other adjustments

• Reviewing accounting estimates for evidence of management bias
• Significant transactions outside the normal course of business.
Other audit procedures may need to be performed to respond to specific risks of management
override of controls that may exist in the entity’s circumstances. Such procedures a matter of
auditor judgment.
4.5.3.1 Journal entries and other adjustments

Material misstatement of financial statements due to fraud often involves the manipulation of the
financial reporting process by recording inappropriate or unauthorised journal entries, which
may occur throughout the period or at period end. Management might also make inappropriate
or unauthorised adjustments to amounts reported in the financial statements that are not
reflected in journal entries, such as through consolidating adjustments and reclassifications.
Testing completeness and accuracy of journal entries and adjustments

The listing of journal entries and other adjustments, whether in an electronic file or other form,
constitutes information produced by the entity. Accuracy, including authorisation or approval
and appropriateness, is tested concurrent with the audit procedures specific to journal entries
and other adjustments selected for testing.
Testing for completeness may include:
• Performing a roll forward of general ledger accounts from the beginning of the period to
the end of the period and being alert to unusual entries or other adjustments identified in
the roll forward.
• Involving individuals with specialised skills and knowledge in IT to evaluate relevant
systems and observe the process of extracting journal entries from those systems.
• Using other computer-assisted audit techniques to analyse exceptions when journal
entries are numbered sequentially.
Testing the appropriateness of journal entries and other adjustments

Testing the appropriateness of journal entries recorded in the general ledger and other
adjustments made in the preparation of the financial statements includes:
• Making inquiries of individuals involved in the financial reporting process about

inappropriate or unusual activity relating to the processing of journal entries and other
adjustments.
• Selecting journal entries and other adjustments made at the end of a reporting period for
testing.
Page | 188
Audit Manual
Version 7 (2022)
• Considering the need to test journal entries and other adjustments throughout the
period, because material misstatements in financial statements due to fraud can occur
throughout the period and may involve extensive efforts to conceal how the fraud is
accomplished.
Professional judgment is used in determining the nature, timing, and extent of testing. It is also
important to apply appropriate professional skepticism by considering whether a journal entry or
other adjustment was used to conceal fraud and responding appropriately to matters that
appear unusual.
When testing journal entries and other adjustments, the auditor is seeking evidence of:
• appropriate authorisation or approval

• appropriate underlying support/documentation, and
• the appropriateness of the journal entry or adjustment based on the above.
Selecting journal entries and other adjustments for testing

The auditor determines the journal entries and other adjustments for testing based on the nature
and risks of the entries processed by the entity. Once the auditor has identified the journal
entries and other adjustments using factors similar to those below, then the auditor tests the
appropriate of all journals selected. Testing only a sample of the journals selected is not
appropriate.
When identifying and selecting journal entries and other adjustments for testing and determining
the appropriate method of examining the underlying support for the items selected, the auditor
may consider factors such as the following:
• the value of the entries processed:

o The auditor is required to test material journal entries and other adjustments
made in the preparation of the financial statements (ISA 240.33(a)(ii))
o The auditor may consider the materiality of other journal entries and
adjustments made during the year (ISA 240.33(a)(iii))
• characteristics of fraudulent journal entries or other adjustments such as those:
o made to unrelated, unusual, or seldom-used accounts
o made by individuals who typically do not make journal entries
o recorded at the end of the period or as post-closing entries that have little or no
explanation or description
o made either before or during the preparation of the financial statements that do
not have account numbers
o containing round numbers, repeated values or consistent ending numbers
Page | 189
Audit Manual
Version 7 (2022)
• nature and complexity of the accounts, with fraudulent entries often made to accounts
that:
o contain transactions that are complex or unusual in nature
o contain significant estimates and period-end adjustments
o have been prone to misstatements in the past
o have not been reconciled on a timely basis or contain unreconciled differences
o are otherwise associated with an identified risk of fraud
• journals or adjustments processed outside the normal course of business.
Using data analytics software
Auditors may utilise data analytics software to assist in the testing of journal entries and other
adjustments & accounting entries. The Global Focus methodology accommodates but does not
mandate the use of such software for this purpose.
Some of the most commonly used data analytics packages use a number of characteristics
such as those listed above, combined with an auditor-driven risk weighting for each to rank or
rate individual transactions. These can typically be grouped into three types of characteristic or
test:
• mathematical
• statistical
• application of artificial intelligence (AI)
The auditor then determines a transaction “score”, or similar means of selecting items, above
which qualifying transactions are tested. A similar approach can also be taken using Excel for
the first two categories.
These tasks require significant professional judgment and are either performed and/or reviewed
by senior members of the engagement team before testing individual items commences. In
particular, extra care should be exercised when considering the appropriateness of the
weighting of the analysis towards tests utilising AI. It can be difficult for the auditor to fully
understand how the software applies AI and the logic used in identifying unusual transactions. It
may be appropriate to consider amending the weighting used in such tests.
Many data analytics software packages analyse all transactions in the general ledger rather
than solely journal entries. As a result, the selected items may include transactions other than
journal entries. If using such software, these transactions are cross-referred to the appropriate
fieldwork section and tested therein.
Auditors using either Inflo’s or Mindbridge’s data analytics software to test journal entries may
select the relevant option within the Optimizer to generate a specific version of Form 670
(referenced 670-I or 670-M respectively), which guides the auditor through the tests required
when using these particular analytics tools.
4.5.3.2 Reviewing accounting estimates for evidence of management bias

Fraudulent financial reporting is often accomplished through intentional misstatement of
accounting estimates. Accordingly, accounting estimates are reviewed for bias and an
evaluation is made as to whether the circumstances producing the bias, if any, represent a risk
of material misstatement due to fraud. This review includes performing a retrospective review of
Page | 190
Audit Manual
Version 7 (2022)
management judgments and assumptions related to significant accounting estimates in prior

periods.
4.5.3.3 Significant transactions outside the normal course of business

In designing audit procedures, the auditor takes account of the types of material misstatements
that could result from significant unusual transactions outside the normal course of business, or
that otherwise appear to be unusual. In addition to inspecting underlying contracts or
agreements and obtaining audit evidence that the transactions have been appropriately
authorised and approved, such procedures may include, for example, evaluating the financial
capability of the other parties with respect to any significant uncollected balances, loan
commitments, supply arrangements, guarantees, and other obligations. Other procedures may
be performed, as necessary, depending on the identified and assessed risks of material
misstatement.
4.5.4 Responding to significant risk of fraud in revenue recognition

Revenue recognition is dependent on the particular facts and circumstances and the applicable
accounting principles and industry-specific practices. Audit procedures are designed and
performed taking into account the understanding of the entity and its environment, the
understanding of the composition of revenues, specific attributes of the revenue transactions,
and unique industry considerations, as well as the assessed risks of material misstatement.
In response to the presumed fraud risk related to revenue recognition audit procedures take into
account the ways that revenue could intentionally be misstated and how fraud might be
concealed. Audit procedures are designed and performed to seek more reliable and persuasive
audit evidence, such as evidence directly from independent and knowledgeable sources outside
the entity.
The auditor may identify up to five separate revenue streams in Global Focus and the risk
assessment is undertaken separately for each revenue stream with a view to identifying where
the presumed significant risk of fraud is applicable to the entity’s revenues. The auditor’s
response to the assessed risks will vary by revenue stream where the significant risk applies
only to certain revenues. The auditor also considers the relevant assertions to which the
significant risk applies.
In responding to the presumed risk of fraud in revenue recognition the auditor may consider the
following:
• When revenue transactions are electronically initiated, processed, and recorded, testing
controls to determine whether they provide assurance that recorded revenue
transactions occurred and are properly recorded.
• Using computer-assisted audit techniques/data analytics to identify unusual or
unexpected revenue relationships or transactions.
• Inquiring of the entity’s sales and marketing personnel or in-house legal counsel
regarding sales or shipments near the end of the period and their knowledge of any
unusual terms or conditions.
• Confirming with customers certain relevant contract terms and the absence of side
agreements, because the appropriate accounting often is influenced by such terms or
agreements. For example, acceptance criteria, delivery and payment terms, the
absence of future or continuing vendor obligations, the right to return the product,
Page | 191
Audit Manual
Version 7 (2022)
guaranteed resale amounts, and cancellation or refund provisions often are relevant in
such circumstances.
• Being physically present at one or more locations at period end to observe goods being
shipped or being readied for shipment (or returns awaiting processing) and performing
other appropriate sales and inventory procedures related to whether transactions are
recorded in the appropriate period.
• Performing substantive analytical procedures relating to revenue using sufficiently
disaggregated data (for example, comparing revenue reported by month and by product
line or business segment during the current reporting period with comparable prior
periods). However, substantive analytical procedures alone are not sufficient in
addressing a significant risk and the auditor is required to either test controls or perform
additional tests of details.
External confirmations
Audit evidence in the form of external confirmations may assist in obtaining audit evidence with
a high level of reliability (for example, designing external confirmation procedures not only to
confirm outstanding amounts, but also to confirm the details of sales agreements). In addition, it
may also be effective to supplement any external confirmation procedures with inquiries of non-
financial personnel in the entity.
Examples of fraud schemes related to revenue recognition include:
• Sham sales (for example, falsifying inventory records, shipping records, and invoices,
shipping goods to another entity location, or hiding inventory never shipped to
customers)
• Improper cut-off of sales
• Improperly accelerating the estimated percentage of completion method for projects in
process
• Recording transactions even though sales involved unresolved contingencies
• Improper recording of sales from bill and hold transactions that did not meet the criteria
for revenue recognition
• Recording revenue before all terms of the sales were completed
• Shipping goods never ordered by customers, or shipping defective products and
recording revenues at full, rather than discounted, prices
• Recording revenue for consignment shipments or shipments of goods for customers to
consider on a trial basis.
4.5.4.1 Responding to risks related to the occurrence of revenue

It is sometimes possible to test the occurrence of revenue by ensuring that revenue transactions
have all the appropriate “accounting attributes” i.e. they follow the expected double entry
pattern and workflow for revenue transactions, and finish in cash receipts. For example:
Step 1 Dr Trade receivables

Cr Revenue
Cr Sales tax
Step 2 Dr Cash receipts

Cr Trade receivables
Page | 192
Audit Manual
Version 7 (2022)
With appropriate client data, such an exercise can theoretically be performed manually or with
Excel, but is likely to be tedious and too time consuming in practice to represent an efficient
audit approach.
Some data analytics software packages can now automate much of the work, making such an
approach a more realistic prospect. Inflo is one such software package, and due to the number
of member firms using it across the network, v6 onwards of Global Focus incorporates a
specific workflow to help audit teams use Inflo’s Revenue Cascade module (hereafter referred to
as “Inflo Cascade”) seamlessly in their audits.
A question about Inflo Cascade has been added to the Form 400 Optimiser checklist in all three
Global Focus profiles which, if answered “yes”, will insert Form 510-1 to the Risk Assessment
section.
Risk assessment stage
Form 510-1 is completed at the risk assessment stage. This is a step by step guide to
determining whether the entity’s revenue cycle is suitable for testing with Inflo Cascade. There
are two key points for audit teams to be aware of:
Firstly, Inflo Cascade will not populate if the underlying data is volatile or “messy” e.g. contains
batched transactions, as the resulting visualisation is unhelpful and may be counter productive.
Inflo’s Transaction Transformation Tool is designed to help identify and cleanse such data sets
during the data ingestion process. However, audit teams should be mindful that it may not be
possible to use Inflo Cascade in such situations.
Secondly, a major part of this assessment is the analysis of revenue to determine the proportion
that is “in cycle” i.e. has all the expected accounting attributes. Situations where revenue
contains a significant proportion of partially out of cycle transactions include, but are not limited
to:
• Revenue transactions with foreign customers i.e. foreign exchange differences on

invoice settlement
• Intercompany sales
• Sales made to suppliers, where settlement may be made by netting off the amount due
against amounts owed
• Barter transactions
• Adjustments to the bad and doubtful debt provision
• Writing off of irrecoverable trade receivables
• Posting errors
• Fraudulent journal entries
Use of Inflo Cascade is not recommended for entities with complex revenue cycles involving
balance sheet “holding” accounts e.g. construction companies, entities with long term contracts
and entities with deferred and/or accrued revenue, as a majority of revenue is likely to be out of
cycle.
A copy of the Inflo Cascade report on the planning figures should be added to the audit file at
placeholder 510-2, and screenshot of the main Inflo Cascade visualisation graphic of the results
(which is unfortunately not currently included in the report) at placeholder 510-3.
The auditor then assesses and concludes upon:
Page | 193
Audit Manual
Version 7 (2022)
a) The impact on the risk assessment for the Existence and Occurrence (E&O) assertion
for revenue, and whether the fraud risk presumption can be rebutted (only for this
assertion); and
b) Whether Inflo Cascade is likely to be a practical and desirable way to respond to risk of
the E&O assertion for cash-settled revenue.
Answering “Yes” to this latter question will automatically generate appropriate risk response
procedures in the Revenue and Cash and Cash Equivalents audit programmes. These must be
reviewed by the audit partner or manager (and approved by the partner where this is the case)
to ensure they are not inappropriately tailored or removed. This step is a partner prerequisite
(see Section 5.1.5 for an explanation of a prerequisite).
The audit team will still need to plan and design audit procedures to respond to the E&O risk
relating to unsettled revenue and trade receivables within the Receivables audit programme(s).
Risk response stage
At the risk response stage, out of cycle transactions and transaction groupings exceeding
performance materiality should be investigated.
Transaction groupings
A transaction grouping is defined as those transactions with nature, account description and/or
accounting attributes. For example, foreign exchange differences on settlement of trade
receivables denominated in foreign currencies are all of the same nature and should all have the
same accounting attributes, e.g.
Dr Cash receipts
Dr/Cr Foreign exchange differences (P&L)
Cr Trade receivables
Transactions within a transaction grouping may be considered together, and when a transaction
grouping is greater than performance materiality, it may be investigated by considering one
such transaction and applying the results and conclusions therefrom to the other transactions in
the grouping, thus giving a more efficient audit approach.
However, in order to designate such transactions as a transaction grouping, the audit file must
document why the transactions are of the same type and justify their treatment as such. The
nature of the general ledger accounts affected by the transactions should also be considered.
For example, it may necessarily to individually test all such transactions if a high risk account
such a suspense account is impacted.
Member firms may choose to prohibit the use of transaction groupings where a more
conservative approach is preferred or to comply with local jurisdictional requirements and/or
regulator preferences.
Application of materiality
In this context, transactions with any individual debit or credit or a combination thereof in excess
of performance materiality that is out of cycle is investigated.
A material transaction grouping may comprise entirely of individually immaterial transactions,

but which are above performance materiality when considered in aggregate.
Page | 194
Audit Manual
Version 7 (2022)
4.6 Substantive analytical procedures
Contents
4.6.1 Introduction
4.6.2 Requirements when performing substantive analytical procedures
4.6.3 Determining the suitability of substantive analytical procedures
4.6.4 Evaluating the reliability of data
4.6.5 Developing an expectation
4.6.6 Determining the acceptable difference
4.6.7 Investigating the results of substantive analytical procedures
4.6.8 Concluding on substantive analytical procedures
Appendix 1 – Types of substantive analytical procedures
Objective The objective of the auditor is to obtain relevant and reliable

audit evidence when using substantive analytical procedures.
Relevant ISA • ISA 520 Analytical procedures


Global Focus software Form x.120 Worksheet - Substantive analytical procedures
Policy requirements The acceptable difference for a substantive analytical procedure

(if any) does not exceed performance materiality.
Page | 195
Audit Manual
Version 7 (2022)
4.6.1 Introduction
Analytical procedures are evaluations of financial information through analysis of plausible
relationships among both financial and non-financial data. Analytical procedures also
encompass investigation where necessary of identified fluctuations or relationships that are
inconsistent with other relevant information or that differ from expected values by a significant
amount.
This section of the audit manual outlines the requirements in relation to substantive analytical
procedures undertaken in response to assessed risks of material misstatement in accordance
with ISA 520. Section 3.1.6 includes consideration of Risk Assessment Analytical Procedures
undertaken in accordance with ISA 315 and section 5.1.2 includes consideration of the
requirement to perform analytical procedures when forming an overall conclusion in accordance
with ISA 520.6.
Substantive analytical procedures (SAPs) are typically more applicable to large volumes of
homogeneous transactions that tend to be predictable over time and may be performed either
alone or in combination with tests of details. SAPs include consideration of the entity’s financial
information with, for example:
• Comparable information from prior periods, where the prior period forms a valid
expectation for current year performance
• Anticipated results, such as budgets or forecasts
• Auditor’s expectations, e.g. estimation of depreciation
• Similar industry information, such as a comparison of the entity’s ratio of sales to
accounts receivable with industry averages or with entities of comparable size in the
same industry.
SAPs may also include consideration of relationships, such as:
• Among elements of financial information that would be expected to confirm to

predictable patterns, such as gross margin percentages
• Between financial information and relevant non-financial information, such as payroll
costs to number of employees.
A high quality SAP may provide sufficient appropriate audit evidence on its own in some
instances. However, when responding to significant risks, SAPs cannot be the only substantive
response when relevant controls are not tested because, when the approach to a significant risk
consists only of substantive procedures, those procedures are required to include tests of
details. The Global Focus sampling methodology permits a reduction to the substantive sample
size determined under both statistical and non-statistical approaches where a SAP is
successfully performed in addition to a substantive test of details.
4.6.2 Requirements when performing substantive analytical procedures

In order to comply with the requirements of ISA 520, when designing and performing SAPs,
either alone or in combination with tests of detail, the auditor is required to:
1. Determine the suitability of particular substantive analytical procedures for given

assertions, taking account of the risk of material misstatement and any tests of detail
undertaken
Page | 196
Audit Manual
Version 7 (2022)
2. Evaluate the reliability of the data from which the auditor’s expectation of recorded
amounts or ratios is developed, taking account of source, comparability and the
nature and relevance of available information and any controls over its preparation
3. Develop an expectation of recorded amounts or ratios and evaluate whether the
expectation is sufficiently precise to identify a misstatement that may cause the
financial statements to be materiality misstated
4. Determine the acceptable difference, which is the amount of any difference of
recorded amounts from expected values that is acceptable without further
investigation
5. Investigate the results where substantive procedures identify fluctuations or
relationships that are inconsistent with other information, including those differences
which are greater than acceptable difference
6. Conclude on the SAP
If the auditor is intending to rely on evidence from analytical procedures performed as a

substantive test when responding to risks, in accordance with ISA 330.6 and ISA 330.18, then
all of the stages outlined in this section of the audit manual are to be followed. If all of these
stages are not followed, then the procedure undertaken will not provide sufficient appropriate
substantive audit evidence.
Level of assurance gained from substantive analytical procedures
The diagram below shows the relationship between the precision of expectations, the degree of
assurance that can be achieved and the extent to where differences can be accepted without
further audit procedures performed. Assuming that any differences remain within the acceptable
difference, then the procedure provides audit evidence. It is a matter of professional judgment
as to whether the procedure provides sufficient, appropriate audit evidence or whether further
procedures are necessary.
LEVEL OF ASSURANCE GAINED FROM SAPs
Page | 197
Audit Manual
Version 7 (2022)
Process
Page | 198
Audit Manual
Version 7 (2022)
4.6.3 Determining the suitability of analytical procedures
Whether to use SAPs is a matter of professional judgment, specifically considering whether

such procedures will be effective in detecting a misstatement that, individually or in aggregate,
may cause the financial statements to be misstated. Whether or not a SAP is an appropriate
procedure for a particular assertion relating to a balance or class of transactions depends on
criteria such as:
• The auditor’s expectation that there is a known relationship between two sets of data
• Whether the SAP will detect a material misstatement, either individually or in aggregate
• Whether the assertion or assertions at risk of material misstatement can be effectively
tested by the SAP or may be more effectively auditing using other audit procedures (e.g.
tests of detail).
Together with the experience and knowledge of the client, the auditor’s professional judgment is
required to determine which relationships are strong and sufficiently well understood to consider
whether a misstatement will be detected in the relevant assertion using the SAP.
As a general guide, a SAP is more likely to be effective in the following areas due to the
increased likelihood of reliable data being available, and sufficiently strong expectations being
developed:
• Payroll
• Interest expense
• Interest income
• Depreciation
• Amortisation
• Rental income
This does not preclude SAPs being used effectively in other financial statement areas, nor does
it mean that it will be suitable for these areas in all instances.
Types of substantive analytical procedure
Although the ISA does not define the different types of SAP, they can be broadly categorised as
trend analysis, ratio analysis, reasonableness test or regression analysis (See Appendix 1 for
further details of each).
Different types of analytical procedure provide different levels of assurance. For example, a
reasonableness test involving the prediction of total rental income on a building divided into
apartments, taking the rental rates, the number of apartments and vacancy rates into
consideration, can provide persuasive evidence without the need for further tests of details. In
contrast, a ratio analysis involving calculation and comparison of gross margin percentages to
confirm a revenue figure may provide less persuasive evidence, although it may provide useful
corroborative evidence in combination with other procedures.
In some cases, even an unsophisticated predictive model may be effective as a SAP. For
example, where an entity has a known number of employees at fixed rates of pay throughout the
period, the auditor may develop a reasonableness test using this data to estimate total payroll
costs with a high degree of accuracy. The use of widely recognised trade ratios (e.g. profit
margins for retail entities) can often be used effectively to support the reasonableness of
recorded amounts.
Page | 199
Audit Manual
Version 7 (2022)
Particular SAPs may be considered suitable when tests of details are performed on the same
assertion. For example, when obtaining audit evidence regarding the valuation of accounts
receivable, analytical procedures may be applied to the ageing of customer accounts in addition
to tests of details on subsequent cash receipts to determine collectability.
Key features, and examples of their application, are provided for each of these types of
procedures in the table below. Depending on the type of analytical procedures selected, the
results may provide more or less persuasive audit evidence.
Factor Trend analysis Ratio analysis Reasonableness Regression

test analysis
Type of Implicit Implicit Explicit Explicit

expectation
Precision of Lower Lower Higher Higher

expectation
Source of data Typically Financial and Financial and non- Financial and
financial non-financial financial non-financial
Effectiveness in Lower Lower Higher Higher

identifying
material
misstatement
Typically No (although No (although Yes Yes

performed as the may be may be used
sole substantive appropriate for for higher
procedure lower risk assessed risks
where if the
substantive expectation is
procedures are sufficiently
only required precise)
due to
materiality)
Typically Yes Yes For significant risks For significant

performed with where controls not risks where
associated tests tested controls not
of detail tested
When determining the appropriate type of SAPs to perform, the auditor considers factors such
as:
• the nature of the account balance and related assertion being tested – for example, if
controls over sales order processing are deficient, the auditor may place more reliance
on tests of details rather than on SAPs for assertions related to receivables.
• the assessment of the risk of material misstatement – where risk is higher, performing
trend analysis and ratio analysis alone may not provide persuasive audit evidence
Page | 200
Audit Manual
Version 7 (2022)
without tests of details. For account balances and transaction streams where internal
controls are effective, reasonableness tests and regression analysis will likely provide
persuasive audit evidence on their own.
• how effective the procedure will be in detecting a material misstatement – expectations
developed using trend and ratio analysis are implicit and relatively imprecise;
reasonableness tests and regression analysis provide much more precise expectations.
• Volume of transactions and predictability - typically SAPs are more effective where there
is a large volume of transactions that tend to be predictable over time.
• whether the tests will be performed alone or in combination with other tests – typically
trend analysis and ratio analysis will be performed in conjunction with other tests, other
than in lower risk areas, whilst reasonableness tests and regression analysis are more
likely to be the sole substantive procedure performed.
• whether misstatement risks exist that may not be identified from tests of details alone
(e.g. completeness of revenues).
• whether relationships can be drawn between the account balance and non-financial
data.
Auditors of less complex entities are not precluded from using SAPs and in some instances
such procedures may be a more effective evidence-gathering tool, where the relationships are
robust and predictable and the data used can be validated effectively as being reliable, even
where control weaknesses were identified during the assessment of the control environment.

Form x.120 Worksheet - Substantive Analytical Procedures contains the following section for
addressing the suitability of the procedure:
When describing the procedure, the suitability of the SAP should be incorporated in the
auditor’s response.
Example
The example below illustrates some points to consider in determining where a SAP may be
appropriate and where it may not, for a $ value analytical procedure relating to payroll expense.
Page | 201
Audit Manual
Version 7 (2022)
Criteria Payroll expense and Number of Employees

The auditor’s expectation that In principle this is a very strong relationship, however the
there is a known relationship effectiveness of this relationship is determined by the number of
between two sets of data employees, the variety of their wages, bonuses, award rates,
overtime, etc.
For a simple business where the employees are paid a salary

the relationship could be very strong and effective. On the other
hand, where there is a range of pay rates (hourly, weekly,
monthly), significant amounts of overtime and bonuses,
substantive analytical procedures may not be effective and
alternative procedures may be more appropriate.
Whether the SAP will detect a If there are many variables to the payroll and payroll is a
material misstatement either balance substantially greater than materiality, then the basic
individually or in aggregate relationship may be strong but the likelihood of an analytic
detecting a material misstatement may be reduced. As the
payroll balance and the complexity of the payroll increases, the
less likely it is that substantive analytical procedures will be an
effective means of obtaining sufficient, appropriate audit
evidence.
Whether the assertion or Depending on the relevant assertions, even where the
assertions at risk of material relationship is strong and the SAP is likely to detect a
misstatement can be misstatement in the balance or transaction, it is possible that
effectively tested by the SAP the SAP will not detect a misstatement in a particular assertion.
For example, whilst the SAP might effectively test the existence
or accuracy of payroll costs, it may not provide any audit
evidence in respect of the disclosures in the financial
statements.
4.6.4 Evaluating the reliability of data

The reliability of the data used in a SAP can be assessed by considering the following factors:
• The source of the information available

• Comparability of the information available
• Nature and relevance of the information available
• Controls over the preparation of the data to ensure its completeness, accuracy and
validity.
Source of the information available

The following are typical generalisations about the reliability of data based on the source of this
data:
• The reliability of audit evidence is increased when it is obtained from independent

sources outside the entity.
• The reliability of audit evidence that is generated internally (Information Produced by the
Entity, or IPE) is increased when the related controls to ensure completeness, accuracy
Page | 202
Audit Manual
Version 7 (2022)
and validity of the data, including those over its preparation and maintenance, are
effective.
• Audit evidence obtained directly by the auditor (for example, valuation reports received
directly by the auditor) is more reliable than audit evidence obtained indirectly or by
inference (for example, valuation reports obtained by the entity and given to the auditor).
• Audit evidence in documentary form, whether paper, electronic, or other medium, is
more reliable than evidence obtained orally (for example, a contemporaneously written
record of a meeting is more reliable than a subsequent oral representation of the
matters discussed).
• Audit evidence provided by original documents is more reliable than audit evidence
provided by photocopies or facsimiles, or documents that have been filmed, digitised or
otherwise transformed into electronic form, the reliability of which may depend on the
controls over their preparation and maintenance.
Comparability of the data
Is the data used directly comparable to other available data? For example, broad industry data
while indicative of broad trends in the industry may require some additional analysis to be
comparable to data relating to a specific entity. If the data is not directly comparable then it may
not be possible to generate a reliable source of data.
Nature and relevance of the data
The nature of the data can impact its reliability, for example whether a budget is forward looking
and as such its reliability is dependent on whether budgets have been established as results to
be expected, rather than goals to be achieved at this entity. Budgets for start-ups and for new
products and services are less likely to be reliable and therefore it may not be possible to use
them for a SAP.
Controls over the preparation of the data to ensure its completeness, accuracy and validity
The controls over the generation of data will directly impact on the reliability of the data,
particularly for internally generated data. For example, if budgets are being used, understanding
the controls over creation, monitoring and maintenance of the budget would be a significant
factor in assessing the reliability of the budget as a source of data.
The auditor may consider testing the operating effectiveness of controls over the preparation of
data used in performing substantive analytical procedures, to provide greater confidence in the
reliability of the information used. ISA 500.9 establishes requirements and guidance on
procedures required to be performed on information provided by the entity which is used in
substantive analytical procedures.
The reliability of internal data at less complex entities is often impacted by the informal control
environment and the lack of auditor testing of the controls over the data. However, the simpler
nature of the relationships mean that SAP may still be appropriate for less complex entities even
where in principle, the data may be less reliable.

addressing the reliability of data:
Page | 203
Audit Manual
Version 7 (2022)
Examples
The examples below illustrate the considerations an auditor may have in assessing the reliability
of the data.
Example 1 - A toll road company’s revenue based on government traffic data and published toll
data.
Factor Evaluation
Source of the data The source of traffic data is independent, obtained directly from the
government website, and is documented. The toll prices would be
published on the company website.
Comparability of The traffic figures generated by the entity would be directly comparable
data to the government’s figures for the same roads.
Nature and The toll data is internally generated but also published on the entity’s
relevance of the website, and can be cross checked against the approved tolls, the
data government traffic data is historic and directly relevant to the revenue.
Controls The toll prices are approved by the Board, while the controls over the
government data are considered reliable because it is a third party with
no previous record of being incorrect. The finance team has no access
to the system to amend the toll data.
CONCLUSION In this instance the data would typically be considered reliable, subject
to any other factor the auditor is aware of. Factors which might change
this could be if there were news reports of incorrect tolls being charged,
or that the government department’s traffic records had been shown to
be flawed.
Page | 204
Audit Manual
Version 7 (2022)
Example 2 - A car dealership’s revenue based on budget
Factor Evaluation
Source of the data The budget is internally generated, it has typically been aspirational, and
there have been wide discrepancies in sales to budget in recent years.
Comparability of The client’s budget is not particularly comparable to other data sources
data available, as it relates to a specific car company/model range, for a
specific area, as models and ranges and tastes change over time even
the prior year is not necessarily a true comparison due to the
introduction of new models.
Nature and The budget data is internally generated and has previously been used as
relevance of the an incentive to the sales staff, so as an actual measure of expected
data sales it is not a strong predictor.
Controls The only control in place is the final review by the Board of Directors,
where the Sales Director and Finance Director often dispute the
budgeted amounts at length.
CONCLUSION In this instance, the client’s budget typically may not be considered a
reliable source of information.
Example 3 - A childcare provider’s revenue based on budget
Factor Evaluation
Source of the data The budget is internally generated, it has typically been highly accurate,
and there have been very limited variances to actual because of the
ongoing high occupancy rates of the centre and the known shortage of
childcare spaces in the area.
Comparability of The client’s budget is highly comparable to last year, as there are few
data variables because the number of places remains consistent due to the
same staffing ratio requirements and there has been no increase in the
accommodation space. The childcare rates are approved and widely
publicised.
Nature and The budget data is highly relevant to the performance of the business
relevance of the and is how management measures its performance.
data
Controls The budget is prepared by an experienced management team who

understand the market and control the budget tightly to ensure the
appropriate staff are on hand. Inputs such as childcare rates are non-
complex and widely publicised.
CONCLUSION In this instance, the client’s budget typically would be considered a

reliable source of information based on the historical performance and
the understanding of the entity and how it operates its business.
Page | 205
Audit Manual
Version 7 (2022)
4.6.5 Developing an expectation

The auditor develops an expectation of the recorded amounts or ratios used in the SAP and
then considers whether this expectation is sufficiently precise that, in combination with the
acceptable difference determined by the auditor, the SAP would be able to identify material
misstatement. There are three factors which may influence the auditor’s ability to develop a
sufficiently precise expectation as shown in the diagram below:
The accuracy with which the expected results can be predicted
The nature of the item being considered influences the ability of the auditor to accurately form
an expectation e.g. the auditor may expect greater consistency in comparing gross profit
margins from one period to another than in comparing discretionary expenses such as research
or advertising costs.
Typically, the use of prior year values as the expectation for a substantive analytical procedure
is unlikely to be appropriate unless the auditor can specifically demonstrate that the prior year
values represent a valid expectation. For example, when undertaking a SAP on payroll in a less
complex entity where the number of employees has not changed and salary increases are
known, the prior year may be a valid expectation, but for a larger, more complex entity, which
has undergone significant growth in the year through introduction of new products or services,
and changes in staff numbers, the prior year would not represent an appropriate expectation.
The degree to which the information can be disaggregated
Where the acceptable difference is comparatively small in relation to the balance it may be
possible to disaggregate the balance such that precise expectations can be formed about the
disaggregated components of the item being investigated. For example, substantive analytical
procedures may be more effective when applied to financial information on individual sections of
an operation or to financial statements of components of a diversified entity, than when applied
to the financial statements of the entity as a whole.
The availability of information to develop the expectation
The ability to form an expectation may depend on the availability of information, both financial
and non-financial. For example, the auditor may consider whether financial information, such as
budgets or forecasts, and non-financial information such as the number of units produced or
sold, is available. It may be possible to conceive of a suitable SAP and means of determining an
expectation but the data may not be available to actually develop the expectation. This can be
particularly true when seeking to disaggregate data, and the relevant disaggregated information
may not be available.
Page | 206
Audit Manual
Version 7 (2022)
Examples
Example 1 - A toll road company’s revenue.
Factor Evaluation
The accuracy with The auditor can develop a highly accurate expectation as the
which the expected calculation is traffic multiplied by toll per road section.
results can be
predicted
The degree to which The revenue could be broken down to individual toll sections and
the information can be then multiplied by traffic usage.
disaggregated
The availability of If there are multiple sections for tolling and the government data
information to develop does not capture the exit points on the road, then the
the expectation disaggregated data may not be available for road use.
CONCLUSION For a business like this it is likely that a reliably accurate expectation
can be developed. It may also be possible to rely on the internal
traffic figures depending on what other controls over that data exist,
and whether or not they have been tested. However, whether or not
suitably disaggregated data is available is depending on how the
data is captured.
Example 2 - A car showroom’s revenue
Factor Evaluation
The accuracy with It would be difficult for the auditor to develop a reliably accurate
which the expected expectation, given the changing economic factors, new car models,
results can be changes in pricing, and customer preferences.
predicted
The degree to which The revenue might be able to be disaggregated by model, or type of
the information can be vehicle.
disaggregated
The availability of It is likely that some public information might be available about the
information to develop number of each type of vehicle sold year on year for the industry
the expectation which could provide a reasonable expectation on a pro rata basis.
However, it is less likely that sufficiently disaggregated data by
retailer/site is available.
CONCLUSION While requiring more work to develop an accurate expectation,

such as drilling down to individual models, or perhaps looking at the
data by month on a comparative basis it may still be possible, to
develop an appropriate expectation. However, where this is not
possible alternative substantive testing procedures and/or controls
testing may be more effective.
Page | 207
Audit Manual
Version 7 (2022)
FAQ
Q. Do I have to disaggregate data when developing an expectation?
A. No, the level of disaggregation is determined by the auditor’s judgment in combination with
the nature of the data and whether or not an expectation can be developed that is sufficiently
precise, such that there are few or no deviations outside of the acceptable difference. However,
it is not appropriate to continue disaggregating data such that material misstatements cannot be
identified.
4.6.6 Determining the acceptable difference

The auditor’s determination of the amount of difference from the expectation that can be
accepted without further investigation is influenced by materiality and the consistency with
desired level of assurance. ISA 330 requires the auditor to obtain more persuasive audit
evidence the higher the assessed risk of material misstatement. Therefore, the more audit
evidence and assurance that is to be taken from the SAP the smaller the acceptable difference
should be.
The acceptable difference for a SAP does not exceed performance materiality. Where the
acceptable difference is less than or equal to performance materiality, and there are no
unexplained deviations greater than acceptable difference then the SAP provides the auditor
with some assurance. However, whether or not the SAP provides sufficient appropriate
evidence on its own, or whether more assurance is required, is a matter of professional
judgment depending on the level of risk identified and other planned audit procedures. For a
higher risk of material misstatement, a SAP with an acceptable difference approaching
Performance Materiality may not provide sufficient appropriate audit evidence on its own and
other procedures may need to be performed.
Determining the acceptable difference when using ratios and percentages

Ratios and percentages such as gross profit margin can be used in performing a SAP, however,
in determining the acceptable difference when using a ratio or percentage the acceptable
difference is still influenced by materiality.
While ratios can be used, they are often difficult to identify and may not provide much
assurance, as there are so many variables hidden by the ratio. The use of SAPs using ratios will
therefore not likely provide sufficient appropriate audit evidence on their own. They may be
more useful as part of Preliminary Analytical Procedures or Concluding Analytical Procedures.

addressing the acceptable difference:
Page | 208
Audit Manual
Version 7 (2022)
Examples
Example 1 - A SAP is being performed over payroll in total and assurance is required. Payroll
has been assessed as a Higher inherent risk and controls have not been tested.
Performance Materiality $100,000
Acceptable difference equal to Performance Materiality $100,000
Balance $3,500,000
The auditor develops an expectation of $3,415,000. The difference is $85,000, which is less
than the acceptable difference of $100,000 so no further action is required.
If, in the auditor’s judgment, a greater level of assurance is required, the auditor may take a
percentage of performance materiality, as their acceptable difference to increase the assurance
gathered from the SAP. For example, if we use 80% of performance materiality the threshold
would be $80,000 now the difference of $85,000 is greater than the acceptable difference of
$80,000 and further investigation would be required to determine if the SAP provides audit
evidence.
Example 2 – Gross Profit Margin
Performance materiality $100,000
Gross Profit Margin is expected to be 38.5% based on independently obtained industry data,
which equates to a Gross Profit expected of $2,500,000.
Therefore each 1% of Gross Profit margin = $64,935 ($2,500,000 / 38.5 = $64,935)
So, the acceptable difference in the Gross Profit Margin would be $100,000 / $64,935 = 1.5%
i.e. if the Gross Profit Margin was between 37.0% and 40.0% it would be within the acceptable
difference.
Increased assurance could be obtained by reducing the acceptable difference and/or

disaggregating the data and analysis by month/week or product etc.
Example 3 – Assets to liabilities ratio
Similar to percentages in example 3, materiality is considered.
Performance materiality of $100,000
Assets to liabilities ratio is expected to be 2:1, based on assets of $2,100,000 and liabilities of
$1,050,000.
The auditor considers the acceptable difference, in this case a range for the ratio.
If assets increase by $100,000 to then the ratio would be 2.1:1 if liabilities increased by
$100,000 the ratio would be 1.8:1
If liabilities decreased by $100,000 to then the ratio would be 2.2:1 if assets decreased by
$100,000 the ratio would be 1.9:1
So the ratio could fall in a range from 1.8:1 to 2:2:1 as an acceptable difference, however
typically the auditor would be more interested in one direction of movement such as being
Page | 209
Audit Manual
Version 7 (2022)
concerned with the liabilities being understated which might further influence their selection of
the acceptable difference in the ratio.
Increased assurance could be obtained by reducing the acceptable difference and/or

disaggregating the data and analysis by month/week or product etc.
4.6.7 Investigating the results of substantive analytical procedures

If substantive analytical procedures identify fluctuations or relationships that are inconsistent
with other relevant information, or that differ from expected values by an amount greater than
the acceptable difference, these differences are investigated by:
• Inquiring of management
• obtaining appropriate audit evidence to corroborate management’s response
• Performing other procedures as necessary in the circumstances
It is important to note that a SAP only fails to provide evidence that the risk has been reduced to
an acceptably low level where the investigation of the difference cannot be explained and
corroborated. However, where there are a number of differences greater than the acceptable
difference from expectation, the auditor may question whether their expectation was sufficiently
reliable and therefore question whether a SAP provides sufficient appropriate audit evidence,
even if all differences are explained when investigated.
The extent of the auditor’s investigation of the differences greater than acceptable difference is
to substantiate the difference to expectation i.e. actual to expectation, not just the difference
between the actual and the acceptable difference.
The need to perform other procedures may arise when, for example, management is unable to
provide an explanation, or the explanation, together the audit evidence obtained relevant to
management’s response, is not considered adequate.

The substantive analytical review template has the following section for addressing the
investigation of differences outside the acceptable difference:
Example
The auditor has performed substantive analytical procedures to the payroll expense on a month
by month basis and has identified a variation in one month which is in excess of the acceptable
difference. The table below sets out the additional steps taken by the auditor:
Page | 210
Audit Manual
Version 7 (2022)
Process Actions
Inquiries of management The auditor may inquire of management and/or the payroll staff
as to why the payroll expense in that particular month was higher
than expected.
Management’s response was that there was a rush order that

month for a product, which necessitated unplanned overtime.
Obtain appropriate In order to corroborate the explanation provided by

corroborative evidence management, the auditor may, review the sales documentation,
relevant to those or the particular contract and its timing, and the sales
management responses volumes/revenues for that month to see if the explanation can be
corroborated, in addition to observing or testing the overtime
claims for a sample of employees for that month.
Perform other procedures Assuming the contract and sales volumes and overtime claims
as necessary in the were appropriately higher, and no issues were identified in
circumstances testing of overtime claims, the auditor may conclude that the
difference is explained and conclude on the SAP.
4.6.8 Concluding on substantive analytical procedures

Having investigated any differences above the acceptable difference, the auditor concludes on
whether the SAP has provided audit evidence on which they can rely in forming their overall
conclusion. The following outcomes from the SAP are possible:
Page | 211
Audit Manual
Version 7 (2022)
No differences outside of the acceptable difference
If there are no differences outside of the acceptable difference, then the SAP is considered to
have met its objective and provides audit evidence. However, professional judgment is needed
for the auditor to consider whether the SAP alone provides sufficient, appropriate audit evidence
over the balances being tested or whether additional audit procedures are required.
Some differences outside of the acceptable difference but investigated and corroborated
If there are differences outside of the acceptable difference, but the auditor is able to obtain
sufficient appropriate corroborating evidence to explain the difference, then the SAP can still be
considered to have met its objective and provides audit evidence. Note, however, the greater
the number of differences, or the greater the variance, outside of the acceptable difference
(even where they can be investigated and corroborated), the more likely it is that the auditor
may consider that additional evidence is required.
One or more differences outside of the acceptable difference unable to be investigated and
corroborated
If the auditor is unable to obtain sufficient appropriate explanation and/or supporting audit
evidence regarding one or more of the differences greater than the acceptable difference, then
the SAP is deemed to have failed. In order to form an opinion, the auditor will need to perform
substantive audit procedures over the financial statement area and the assertions the SAP was
intended to address.

documenting the conclusion:
Page | 212
Audit Manual
Version 7 (2022)
Appendix 1 Types of Substantive Analytical Procedure

Trend analysis
Trend analysis involves the analysis of changes in an account balance or transaction stream
value over time, typically comparing period on period changes although may involve shorter
(e.g. monthly) trends, comparison against budgeted amounts or against industry data. Although
trend analysis is relatively easy to perform, it typically only provides lower levels of precision.
Accordingly, trend analysis alone may not provide sufficient appropriate audit evidence for a
higher assessed risk unless the expectation is sufficiently precise; it may, however, provide
sufficient appropriate audit evidence for an account balance or transaction stream with lower
assessed risk, or for those areas where substantive procedures are required simply because a
balance is material (ISA 330.18).
The engagement team's expectation is implicit and may be as simple as using the prior period
account balance or budget as the expectation and typically produces the most effective results
when performed on disaggregated data, as aggregated analysis lacks precision. It is also less
effective in detecting situations where amounts should have changed but did not. Trend analysis
is more likely to be useful for amounts recorded in the statement of comprehensive income.
The effectiveness of using budgeted data depends on the rigour and appropriateness of the
client's budgeting process. If, for example, budgets are overly optimistic, established on results
to be achieved as to opposed to results expected, the budget value will not represent the most
appropriate expectation. Also, budgets developed in advance of the accounting period may not
have anticipated events that occurred during the year. Therefore, when intending to compare
amounts to budget, the engagement team obtains an understanding of the budgeting process.
Ratio analysis
Ratio analysis involves the comparison through time of relationships between financial statement
accounts (e.g. sales compared to debtors), an account with non-financial data (e.g. rental
income compared to units available for rent) or relationships between entities operating within
the same industry. As with trend analysis the expectation generated is implicit with the
expectation being the compared item (e.g. prior year ratio or industry ratio). Ratio analysis is
typically not used as the sole substantive procedure for a higher assessed risk.
Ratio analysis on account balances is useful for those relationships expected to be stable (over
time) or comparable (across entities in the same industry or locations in the same entity). Once
a ratio is determined, it is compared with the ratio for prior periods or others in the same
industry during the same period. Because the relationships underlying various important ratios
tend to be relatively stable, such ratios can be valuable indicators of distorted financial
information. For example, ratio analysis can be a useful indicator of aging risks in relation to
debtors, inventory, and creditors.
Reasonableness test
A reasonableness test involves the analysis of accounts, or changes in accounts, between

accounting periods. It involves developing a model on which an explicit expectation is derived
using financial data, non-financial data or both. Reasonableness tests provide the opportunity
for tailoring the test to include all relevant factors that may explain fluctuations. A well-designed
reasonableness test provides audit evidence with much higher precision than trend or ratio
Page | 213
Audit Manual
Version 7 (2022)
analysis and may be sufficiently precise to provide the principal audit evidence for an elevated
inherent risk.
Reasonableness tests are best suited to statement of comprehensive income amounts which
tend to be more predictable than statement of financial position items. Potential applications
include employee compensation expense, sales commissions, employee taxation, depreciation
and amortisation expense, rental income, rental expense, investment income and interest
expense.
Regression analysis
Regression analysis uses statistical models to quantify the audit team's expectation in monetary
terms, with measurable risk and precision levels. It is similar to reasonableness testing in that an
explicit prediction (expectation) is generated using the audit team's understanding of the factors
that affect the account balances to develop a model of the account balance. The model is most
effective when the data are disaggregated and are from an accounting system with effective
internal controls
Regression analysis may be useful, for example, in comparing sales with cost of sales, or for a
chain of retail stores comparing sales with floor area/number of employees.
Page | 214
Audit Manual
Version 7 (2022)
4.7 Tests of controls
Contents
4.7.1 Introduction
4.7.2 Process for testing controls
4.7.3 Identifying which controls to test
4.7.4 Determining the nature of controls testing
4.7.5 Determining the extent of tests of controls (Audit sampling when testing controls)
4.7.5.1 Small control populations
4.7.5.2 Large control populations
4.7.5.3 Fully automated controls
4.7.5.4 Sample selection
4.7.6 Determining the timing of the controls testing
4.7.7 Using audit evidence from prior periods – tests of controls
4.7.7.1 Transitional rules applicable on adoption of Global Focus v7
4.7.8 Evaluating the operating effectiveness of controls
4.7.9 Responding when a control is not operating as effectively as planned
Objective The objective of the auditor is to obtain sufficient appropriate

audit evidence regarding the assessed risks of material
misstatement, through designing and implementing appropriate
responses to those risks. (ISA 330.3)
Relevant ISA • ISA 330 The auditor’s responses to assessed risks

• ISA 530 Audit sampling
Global Focus software Form 615-1 to 615-6 – Worksheet – Tests of controls – Business
cycles
Form 618-GF Guidance – Sample sizes for controls testing
Policy requirements The auditor must test the operating effectiveness of relevant
(if any) controls where:
• Control risk is assessed as below maximum, i.e. some

degree of reliance is planned to be placed on controls;
or
• Substantive procedures alone cannot provide sufficient
appropriate audit evidence at the assertion level (ISA
330.8)
Page | 215
Audit Manual
Version 7 (2022)
4.7.1 Introduction
Tests of controls are audit procedures designed to evaluate the operating effectiveness of
controls in preventing, or detecting and correcting, material misstatements at the assertion
level. The auditor is required to design and perform tests of controls to obtain sufficient
appropriate audit evidence as to the operating effectiveness of relevant controls if:
• control risk is assessed as below the maximum (i.e. the auditor intends to rely on the
operating effectiveness of controls to some degree in determining the nature, timing and
extent of substantive procedures)
• substantive procedures alone cannot provide sufficient appropriate audit evidence at the
assertion level.
Where the auditor is able to place some degree of reliance on the operating effectiveness of
controls, they are able to reduce the extent of substantive procedures required; for example,
substantive sample sizes will be reduced to reflect the level of controls reliance. Testing the
operating effectiveness of controls may therefore be an effective and efficient means of
obtaining sufficient appropriate audit evidence.
Tests of controls are performed only on those controls that have been determined are suitably
designed and implemented. If substantially different controls were used at different times during
the period under audit, each control is considered separately.
Although testing the operating effectiveness of controls is different from obtaining an

understanding of and evaluating the design and implementation of controls, the same types of
audit procedures are used. It may therefore be efficient to test the operating effectiveness of
controls at the same time as evaluating their design and determining that they have been
implemented.
Although the purpose of a test of controls is different from the purpose of a test of details, it may
be possible to perform a test of controls and a test of details on the same transaction at the
same time, also known as a dual-purpose test. For example, the auditor may design, and
evaluate the results of, a test to examine an invoice to determine whether it has been approved
and to provide substantive audit evidence of a transaction. A dual-purpose test is designed and
evaluated by considering each purpose of the test separately. Dual purpose testing is usually
most effective when substantively testing classes of transaction, and the control(s) to be tested
at the same time operate on a per-transaction basis.
For the avoidance of doubt, ISA 315.34 confirms that if the auditor does not plan to test the
operational effectiveness of controls as described above, the auditor’s assessment of control
risk (reliance in Global Focus) shall be such that the assessment of the risk of material
misstatement is the same as the assessment of inherent risk. In other words, no reliance may be
placed on controls and control reliance is set as “No reliance / Not tested”.
Page | 216
Audit Manual
Version 7 (2022)
4.7.2 Process for testing controls

Input 4.7.3 Identify controls to tests
Process
4.7.4.-4.7.5 Determine the nature and extent of controls testing
4.7.6 Determine the timing of the controls testing
4.7.7. Determine whether to use audit evidence from prior periods
Output Audit evidence on the operating effectiveness of relevant controls and support
for the reliance placed thereon
4.7.3 Identifying which controls to test

Section 3.4 sets out the auditor’s understanding of internal control, including the identification of
relevant controls which the auditor is required to understand. In Global Focus, the auditor is
required to understand and assess the design and implementation of control activities relating
to:
• Significant risks (ISA 315.26(a)(i))

• Journal entries, including non-standard journal entries used to record non-recurring,
unusual transactions or adjustments (ISA 315.26(a)(ii))
• Risk for which the engagement team intends to rely on the operating effectiveness of
control activities in responding to identified risks (ISA 315.26(a)(iii)). This may include
General IT Controls and any other indirect controls on upon which the controls to be
tested for operating effectiveness depend.
• Risks for which substantive procedures alone do not provide sufficient appropriate audit
evidence (ISA 315.26(a)(iii))
• Other controls that the auditor considers are appropriate to understand in order to
identify and assess risks of material misstatement at the assertion level and to design
Page | 217
Audit Manual
Version 7 (2022)
further audit procedures, based on the auditor’s professional judgment (ISA

315.26(a)(iv)).
Having obtained an understanding of controls, evaluated their design and verified their
implementation, the auditor then identifies those controls which they will test in order to place
reliance on their operating effectiveness. The auditor is required to test the operating
effectiveness of controls where they intend to rely on the operating effectiveness of controls in
designing substantive procedures and for those areas where substantive procedures alone are
not sufficient.

The control card is used to record the auditor’s decision on whether to test the operating
effectiveness of controls. The options available are “Yes”, “No”, “PY1 (Tested)” and “PY2
(Tested)”. This section of the control card is also used to link to supporting working papers and
conclude on whether the control will be relied upon.
4.7.4 Determining the nature of controls testing

In designing and performing tests of controls, the auditor is required to:
a. Perform other audit procedures in combination with inquiry to obtain audit evidence
about the operating effectiveness of the controls, including:
i. how the controls were applied at relevant times during the period under audit;
ii. the consistency with which they were applied; and
iii. by whom or by what means they were applied.
b. Determine whether the controls to be tested depend upon other controls (indirect
controls), and, if so, whether it is necessary to obtain audit evidence supporting the
effective operation of those indirect controls.
Inquiry alone is not sufficient to test the operating effectiveness of controls. Accordingly, other
audit procedures are performed in combination with inquiry. Inquiry combined with inspection or
reperformance of a control may provide more assurance than inquiry and observation, since an
observation is relevant only at the point in time at which it is made.
The nature and characteristics of a control influences which procedures are appropriate to
obtain audit evidence about whether the control was operating effectively, in particular whether
or not the control is documented and whether it is manual or automated, and whether the
control also relies on the operation of indirect controls.
Documented or undocumented controls
Where operating effectiveness of a control is evidenced by documentation, the auditor may

decide to inspect documentation to obtain audit evidence throughout the period. Other controls,
however, may not be documented. For example, documentation may not exist for some factors
in the control environment, such as assignment of authority and responsibility, or for some types
of control activities, such as automated controls. Audit evidence about operating effectiveness
Page | 218
Audit Manual
Version 7 (2022)
in this situation may be obtained through inquiry in combination with other audit procedures
such as observation or the use of automated tools and techniques.
Automated or manual controls
Automated controls can be expected to function consistently unless the program, including
tables, files or other permanent data is changed. Once the auditor determines that the control is
functioning as intended, they may consider performing further tests of General IT controls to
determine that the control continues to function as intended. Such testing may include:
• Changes to the program are not made without being subject to appropriate change
management
• The authorised version of the program is used for processing transactions.
• Other relevant General IT Controls are effective.
• Determining that changes to the programs have not been made, for example by
Inspecting the IT security administration records for evidence of unauthorised access
Manual controls may be less reliable than automated controls because they can be more easily
bypassed, ignored, or overridden, and they are also more prone to simple errors and mistakes
due to human intervention. Consistency of application of a manual control cannot therefore be
assumed. When testing manual controls, consider:
• How the controls were applied during the period under audit.
• Who applied the controls, including the experience and expertise of the individuals
performing the control.
• How frequently the control is applied, generally more frequently applied controls are
more likely to be effective.
• The expected or previous experience of control deviation/failure.
• The consistency of their application.
Many controls are, in practice, a hybrid, and in the Global Focus methodology, these are
described as “Manual, dependent on IT”. Such controls are typically performed manually but
involve the use of system-generated information. An example of such a control is the
reconciliation of the aged receivables ledger with the control account in the general ledger.
Indirect controls
Where the operating effectiveness of a control relies on other controls (indirect controls,
including General IT Controls) the auditor considers whether it is necessary to obtain evidence
over the effective operation of those controls. In some circumstances, it may be necessary to
obtain audit evidence supporting the effective operation of indirect controls. For example, when
the auditor decides to test the effectiveness of a user review of exception reports detailing sales
in excess of authorised credit limits, the user review and related follow up is the control that is
directly of relevance to the auditor. Controls over the accuracy of the information in the reports
(for example, the General IT Controls) are described as “indirect” controls.
Because of the inherent consistency of IT processing, audit evidence about the implementation
of an automated application control, when considered in combination with audit evidence about
the operating effectiveness of the entity’s general controls (in particular, change controls), may
also provide substantial audit evidence about its operating effectiveness.
Page | 219
Audit Manual
Version 7 (2022)
It is necessary to test General IT Controls when reliance is planned on automated controls or

manual controls that are dependent on IT. This testing should be performed before the control
activity on which reliance is planned is itself tested.
4.7.5 Determining the extent of tests of controls (Audit sampling when testing controls)
Audit sampling is used to determine the sample size for tests of controls, taking into the nature
of the control (frequency) and the associated population size.
Many controls do not operate frequently. For example, annual controls such as an inventory
count or period end closing will only be performed once and therefore the auditor can only test
the operating of the control once. Other controls may also have a low frequency of operation
such as monthly or quarterly. Other controls operate more frequently, for example daily
reconciliations, or may be applied to every transaction, thereby occurring multiple times in any
one day. In Global Focus, a small control population is defined as a control with no more than
260 instances in the period under audit.
4.7.5.1 Small control populations

The sample sizes to be used in Global Focus for testing small control populations are set out in
the table below. These sample sizes assume no deviations are expected in the current period.
Control population in Mapping to common control frequencies Recommended sample

the period under audit in an annual period size range
1 Yearly 1
2-4 Quarterly 2
5-12 Monthly 2–4
13-26 Fortnightly 3–8
27-53 Weekly 5–9
54-260 Weekdays Minimum of 10% of the

population
The control population is the absolute size of the population i.e. number of instances in the
period under audit.
Testing the lowest number in the recommended sample size range is expected to be
appropriate in a normal audit situation. Testing levels nearer or at the top of the ranges may be
appropriate in situations when other sources of evidence are less persuasive, such as:
• New engagements where there are concerns about the operation of controls;
• Where controls have changed since the prior period;
• Where deficiencies have been experienced in the past;
• Where the approach adopted consists primarily or solely of tests of controls;
• Where it is not possible or practicable to obtain sufficient appropriate audit evidence

from substantive procedures alone (ISA 315.33).
Page | 220
Audit Manual
Version 7 (2022)
Testing small control populations i.e. infrequent controls is usually a more efficient approach
than testing more frequent controls (unless automated – see 4.7.5.3) due to the smaller sample
sizes required.
4.7.5.2 Large control populations

A large control population is any control with more than 260 instances in the period under audit.
For an annual period this includes, for example, controls that operate on every day of the year
(i.e. 365 instances) and, usually, controls that are applied to every transaction within a class of
transactions.
The Global Focus methodology permits two different approaches to the testing of large control
populations for operational effectiveness, namely the sample extension method or the fixed
sample size method. The auditor should select the most appropriate method to the
circumstances, based on their professional judgment.
Fixed sample size method
The fixed sample size method requires the auditor to test a set sample size, the size of which is
dependent on the required level of audit confidence. The permitted level of control reliance
depends on the results of the testing as follows:
Audit Fixed sample Permissible number of deviations for a

confidence size given level of control reliance
High Moderate Low None
90% 35 0 1 2 >2
95% 45 0 1 2 >2
The auditor does not complete the test if more than two deviations are found.
Sample extension method
The sample extension method requires the auditor to test an initial sample size, the size of which
is dependent on the required level of audit confidence and the desired level of control reliance. If
no deviations are found, the test is complete and the auditor places the corresponding level of
reliance on the control. If one or two deviations are found in the initial sample, the sample is
extended by the amount shown in the table below, in which no further deviations must be found.
Page | 221
Audit Manual
Version 7 (2022)
Audit Control reliance Initial Sample extension needed

confidence level sample size
1 deviation 2 deviations
90% High 32 23 43
Moderate 19 14 24
Low 15 10 19
95% High 42 24 47
Moderate 25 13 25
Low 19 11 21
The sample extension method has the advantage of a smaller initial sample size, and the
flexibility to allow the auditor to plan for a level of control reliance is only moderate or low, but
requires a larger sample overall if deviations are found within the initial sample.
4.7.5.3 Fully automated controls
Certain types of control, due to the nature of the procedures used, do not normally involve audit
sampling. For example, tests of automated application controls are generally tested only once
when General IT Controls are present and have been tested to confirm their operational
effectiveness.
4.7.5.4 Sample selection
Both the fixed sample size method and the sample extension method are statistical methods.
This precludes use of the haphazard selection method when testing a large control population,
as haphazard selection is not permitted when using statistical sampling (see paragraph (d) of
Appendix 4 to ISA 530). Haphazard selection may be used when testing a small control
population though.
Monetary unit sampling (MUS) is not considered to be appropriate for any type of controls
testing, as it is the number of instances of the control which is relevant rather than the monetary
value of the underlying transactions or balances.
The systematic method is not recommended when performing dual purpose testing or when
otherwise using the sample extension method, since it is difficult to extend the sample should
deviations be found.
The random method is therefore the most universally applicable method when performing any
type of controls test.
Refer to section 4.2.6 for a more detailed explanation of each of the above sample selection
methods.
4.7.6 Determining the timing of the controls testing

The auditor is required to test controls for the particular time, or throughout the period, for which
the auditor intends to rely on those controls, subject to the approach to interim testing of
Page | 222
Audit Manual
Version 7 (2022)
controls set out below. In determining the timing of testing of the relevant controls, the auditor
considers:
• the intended period of reliance

• whether to test controls at an interim period
• whether to use of audit evidence from prior periods (i.e. rotation of controls testing – see
Section 4.7.7)
Intended period of reliance
It is important therefore for the auditor to identify the intended period of reliance. Where the
audit evidence relates to a point in time such as inventory counts at period end, then the auditor
may choose to consider only the effectiveness of the control at that point, rather than
throughout the period. If, on the other hand, the auditor intends to rely on a control over a
period, tests that are capable of providing audit evidence that the control operated effectively at
relevant times during that period are more appropriate. Such tests may include tests of the
entity’s monitoring of controls.
Controls testing in an interim period
The auditor may opt to carry out controls testing at an interim period, that is during the period
under audit. Where the auditor obtains audit evidence about the operating effectiveness of
controls during an interim period, they are required to:
• obtain audit evidence about significant changes to those controls subsequent to the
interim period, and
• determine the additional audit evidence to be obtained for the remaining period.
Assuming that there are no significant changes to the controls operating subsequent to the
interim period, the factors which influence whether additional tests of controls are required over
the remaining period are:
Factor Comments
The significance of the assessed risks of For a significant risk, consider whether an
material misstatement at the assertion untested period is appropriate or whether
level additional controls tests are required.
The specific controls that were tested Where significant changes have occurred, a
during the interim period, and any separate test of controls for the remaining period
significant changes to those controls is likely appropriate.
The degree of evidence obtained about Inquiry and observation may be considered less
the operating effectiveness of the control persuasive than re-performance of the control,
particularly as observation only gives assurance
at a point in time.
The length of the remaining period The shorter the untested period the greater the
reliance which can be placed on the interim
testing.
The planned level of reliance on the The greater the planned level of reliance on the
control i.e. the extent to which control, and hence the reduction in substantive
Page | 223
Audit Manual
Version 7 (2022)
Factor Comments
substantive procedures will be reduced procedures, the greater the likelihood that
based on reliance on the controls testing additional work may be required.
The control environment Where there have been weaknesses identified in

the control environment, particularly around
monitoring of controls, it is likely appropriate to
carry out further tests of controls for the
subsequent period.
The simplest approach is to calculate a pro-rata sample size for the interim and subsequent
periods.
Examples
1 Controls sample size pro-rated across the year
The auditor plans an interim audit visit after nine months of the year. In order to gain assurance
of the operation across the year, they have determined a sample size of 35 instances of
operation of the control, in accordance with the fixed sample size method. Assuming a roughly
even distribution of control instances throughout the year, they pro-rate the sample size across
the two periods, testing 26 instances from the first nine-month (interim) period and later
performing the remaining 9 tests on the subsequent three month period.
2 Significant changes to controls mid-year
The auditor determined a sample size of 35 for tests of controls, in accordance with the fixed
sample size method, relating to transactional processing of invoices. However, the client
implemented a new system, with a different control, after six months of the year. In this situation
the auditor is required to obtain assurance of the effective operation of the two controls, and so
treats each as a separate control population. The auditor therefore determines a sample size of
35 instances for the first half year, and a further sample of 35 instances for the second half year
giving a total sample size of 70.
Note that in these circumstances, it may be more efficient to adopt a wholly substantive
approach in the year that controls change, and look to take a more controls-based approach
the following year.
4.7.7 Using audit evidence from prior periods – tests of controls

The auditor may use audit evidence relating the operating effectiveness of controls subject to
performing procedures to establish its continuing relevance. The use of audit evidence from
prior periods may enable the auditor to establish rotational testing of controls over a three
period, thereby increasing the efficiency and effectiveness of the audit process.
Determining appropriateness of using prior period evidence
In determining whether it is appropriate to use audit evidence about the operating effectiveness
of controls obtained in previous audits, and, if so, the length of the time period that may elapse
before retesting a control, the auditor is required to consider:
Page | 224
Audit Manual
Version 7 (2022)
Factor Impact on the period for re-testing a control

The effectiveness of other elements of A deficient control environment, in particular
internal control, including the control deficient monitoring of controls, is likely to make it
environment, the entity’s monitoring of difficult to rely on tests of controls from prior
controls, and the entity’s risk assessment periods
process
The risks arising from the characteristics A significant manual element to the control is
of the control, including whether it is likely to result in a shorter period before re-
manual or automated testing, particularly if there have been changes in
personnel since the prior period
The effectiveness of General IT Controls Deficient General IT Controls are likely an

indicator that it is not appropriate to use audit
evidence from prior periods
The effectiveness of the control and its Where deviations have been noted in previous
application by the entity, including the audits and/or where there have been significant
nature and extent of deviations in the changes in personnel, it may not be appropriate
application of the control noted in to use audit evidence from prior periods
previous audits, and whether there have
been personnel changes that significantly
affect the application of the control
Whether the lack of a change in a Where changing circumstances at the entity

particular control poses a risk due to suggest that there should be consequent
changing circumstances changes in controls (e.g. a new system
implementation) it would likely not be appropriate
to use evidence from prior periods
The risks of material misstatement and The higher the assessed risk of material
the extent of reliance on the control misstatement, and/or the greater reliance on
controls, the shorter the period before re-testing
the control is likely to be
Establishing continuing relevance of audit evidence
In order to use audit evidence from a previous audit about the operating effectiveness of specific
controls, the auditor is required to establish the continuing relevance of that evidence by
obtaining audit evidence about whether significant changes in those controls have occurred
subsequent to the previous audit. This evidence is obtained by inquiry combined with
observation or inspection, to confirm the understanding of those specific controls, and:
• If there have been changes that affect the continuing relevance of the audit evidence
from the previous audit, the controls must be tested in the current period
• If there have been no such changes, the controls are to be tested at least once in every
third audit. Furthermore, some controls are to be tested during each audit to avoid the
possibility of testing all the controls on which the auditor intends to rely in a single audit
period with no testing of controls in the subsequent two audit periods.
Page | 225
Audit Manual
Version 7 (2022)
The thought process as to whether the auditor may adopt rotational audit testing, using prior
period evidence about the operating effectiveness of controls is summarised in the diagram
below:

There is no form for documentation of the auditor’s plan for rotational testing. The planned
approach should be documented manually and embedded in the Global Focus file in the Tests
of Control section of the Risk Response part of the file.
In the worksheets for tests of controls (Forms 615-1 to 615-6) there is the following question.
The auditor’s considerations should be either documented here, or separately and embedded in
the Global Focus file:
Restrictions on the use of evidence from prior periods
There are the following restrictions on the use of audit evidence relating to operating
effectiveness of controls from prior periods:
• If the auditor plans to rely on controls over a significant risk, those controls are required
to be tested in the current period (ISA 330.15)
• The ability to use audit evidence about the operating effectiveness of controls obtained
in previous audits applies only to audit testing performed directly by the auditor and
does not apply to controls tested for operating effectiveness by:
o A predecessor auditor
o A service auditor
o The internal audit function

The worksheets for tests of controls (Forms 615-1 to 615-6) address significant risks and
controls testing as follows:
Page | 226
Audit Manual
Version 7 (2022)
4.7.7.1 Transitional rules applicable on adoption of Global Focus v7 onwards
Transitional rules apply when:
a) Controls have been successfully tested for operating effectiveness by the auditor in
either of the two periods prior to the adoption of Global Focus v7 onwards; and
b) The auditor plans to rely on those controls in the current period.
In order to continue to place reliance on those controls, additional testing may be needed to
match that required under the Global Focus methodology as set out below:
Control Recommended sample size range Additional testing

population Under v6 and earlier Under v7* required?
1 1 1 No
2-4 2 2 No
5-12 2–4 2–4 No
13-26 3–8 3–8 No
27-53 5–9 5–9 No
54-260 10-15 Minimum of 10% of the Yes

population
>260 20-30 35 (90% audit confidence) Yes

45 (95% audit confidence)
*The comparison is made to the fixed sample size method, since the sample extension method
was not available in the Global Focus methodology prior to v7.
Examples
1. Global Focus v6 was used to perform an audit for the year to 31 December 2021. The
authorisation of purchase invoices (>260 instances) was successfully tested for operational
effectiveness in that period using a sample size of 20 items. For the audit of the year to 31
December 2022, to be performed under Global Focus v7 to 90% audit confidence, an additional
15 items must be tested to maintain the application of three year rotational testing. Assuming
that all other conditions for reliance on the control continue to be met, the control next needs to
be tested in full in the year to 31 December 2024.
2. Global Focus v5 was used to perform an audit for the year to 31 December 2020.
Reconciliations of the daily batch reports from a credit card machine with the retailer’s copies of
the receipts (every weekday i.e. 260 instances) was successfully tested for operational
effectiveness in that period using a sample size of 10 items. For the audit of the year to 31
December 2022, to be performed under Global Focus v7 to 90% audit confidence, an additional
16 items must be tested to maintain the application of three year rotational testing. Assuming
that all other conditions for reliance on the control continue to be met, the control next needs to
be tested in full in the year to 31 December 2023.
Page | 227
Audit Manual
Version 7 (2022)
The total number of deviations found in the entire sample (as tested in both periods) is taken
into account when determining the degree of reliance that may be placed on the control in the
transitional period.
Examples (continued)
1. No deviations were found in the samples tested during either 2022 or 2021. The auditor
therefore sets control reliance as High for the relevant assertion(s) in the year to 31 December
2022.
2. No deviations were found in the sample tested during 2020 but one deviation was found in
the sample tested during 2022. The auditor therefore sets control reliance as Moderate for the
relevant assertion(s) in the year to 31 December 2022.
Any member firm adopting Global Focus v7 onwards for the first time and wishing to place
reliance on controls tested in either of the previous two periods under a different audit
methodology will need to “top up” their testing of controls where the sample sizes used were
smaller than those required by Global Focus v7. This applies to any size of control population or
control frequency.

The evaluation of the operating effectiveness of controls relies on the consideration of whether
or not any deviations have been identified during testing and, if so, what is the impact of the
deviations. A deviation isa departure from the expected, adequate performance of a prescribed
control. Deviations from prescribed controls may be caused by factors such as changes in key
personnel, significant seasonal fluctuations in volume of transactions, misunderstandings or
human error, or fraud.
The first step is therefore for the auditor to identify the characteristics that indicate the
expected, adequate performance of the control, and ensure that the documented description of
the control is sufficiently detailed. This is important as whether or not an instance of a control is
considered to be a deviation or not is assessed against this definition.
Example
Consider a weekly reconciliation control:
a) If the control is defined such that the reconciliation can only be reviewed by Fred, and
must be performed every week, then any instance discovered during testing where
the reconciliation has not been reviewed by Fred is treated as a deviation.
b) If the control is defined such that the reconciliation can be reviewed by either Fred or
Jane, then Fred’s absence is not considered to be a deviation provided that the
reconciliation is properly reviewed by Jane.
Many controls are time dependent, whereby the control has to operate at a particular point in
time in order to be effective. For example, authorisation of a payment is of little use if the
authorisation takes place after the payment has been made.
Page | 228
Audit Manual
Version 7 (2022)
However, some controls are less time dependent, and could theoretically still be effective if
performed later than normal. Looking at part (a) of the above example again, if Fred is the only
person authorised to perform the review, and following his absence he reviews the reconciliation
a week late once he is back at work, the reconciliation may still act as an effective control if it
identifies an error which is subsequently corrected.
It is therefore vital that the performance characteristics of a control are tightly defined prior to
the auditor’s testing of the control for operational effectiveness. The description of a control
should not be subsequently amended in order to try and justify why a control deviation need not
be treated as such. The auditor’s work under ISA 315.26(d) in evaluating the design of a control
and determining whether it has been implemented (see 3.4.8) is critical in ensuring the
adequacy of the documented control description.
When planning a test of controls, the audit considers the characteristics of a population and
makes an assessment of the expected rate of deviation based on their understanding of the
controls. In Global Focus the sample sizes for controls testing assume that no deviations are
expected in the current period. However, the identification of control deviations in prior periods
does not automatically mean that deviations are therefore expected in the current period; this
depends on the actions taken by management to resolve the issues that led to past control
deviations.
If deviations are identified during controls testing the auditor is required to make specific
inquiries to understand the nature and cause of the deviation and the potential consequences.
In so doing, they determine whether:
• The tests of controls provide an appropriate basis for reliance on the controls, or
• Additional tests of alternative controls are necessary, or
• Additional substantive procedures are required to address the risk of material
misstatement.
The number of identified deviations is compared to the permitted number of deviations in

considering whether the control is operating sufficiently effectively to justify a degree of reliance.
When the number of identified deviations is greater than the permitted number of deviations for
the control test, the control is not operating effectively and no reliance is placed on it.
Small control populations
When testing small control populations, the sample sizes assume no expected deviations in the
current period. Where deviations have been found in the past but the auditor is satisfied that
management has taken action to rectify the issue(s), the auditor selects a sample size towards
or at the top of the appropriate range.
With such small sample sizes, no reliance may be placed on the control if any deviations are
found in the current period’s testing. If no deviations are found, the auditor may set control
reliance as High for the audit assertion(s) covered by the control for the relevant class(es) of
transactions, account balance(s) or disclosure(s).
Large control populations
As with small control populations, the sample sizes for testing large control populations also
assume no expected deviations in the current period. As explained above, this does not
Page | 229
Audit Manual
Version 7 (2022)
automatically preclude taking a controls-based approach when deviations have been identified
in prior periods.
If using the fixed sample size method, the level of control reliance that can be placed is dictated
by the number of deviations, if any, found in the fixed sample size, as set out in the table in
4.7.5.2. No reliance may be placed on a control if more than two deviations are found, and the
auditor responds as set out in section 4.7.9.
If the control testing performed only justifies a lower level of control reliance than was originally
planned, the auditor must amend the level of control reliance accordingly in the FSA.
Example
The auditor plans for High control reliance, and so sets control reliance in the FSA as High. The
auditor then tests a sample of thirty five instances of the control for operational effectiveness
using the fixed sample size method, and finds one deviation. The auditor must then return to the
FSA and amend the level of control reliance to Moderate.
In light of the lower level of control reliance, the auditor also considers whether there is any need
to modify the planned nature, timing, or extent of substantive procedures.
If using the sample extension method, the initial sample size is based on the required level of
audit confidence and the planned level of reliance on the control, as set out in the table in
4.7.5.2.
• If no deviations are found in the initial sample, the test is concluded and the
corresponding level of reliance may be placed on the control.
• If one or two deviations are found, the initial sample is extended as shown in the table. If
no additional deviations are found in the extended sample, the originally planned level of
reliance on the control may be placed.
• If more than two deviations are found in the initial sample, or if further deviations are
found in the sample extension, no reliance can be placed on the control, and the level of
control reliance for that control is set as “None/Not tested”. The FSA and control card
conclusion are updated accordingly (see 4.7.9).
4.7.9 Responding where a control is not operating as effectively as planned
If testing a large control population using the fixed sample size method, it is possible that whilst
the control may not be as effective as planned, the testing does justify a lower level of control
reliance. In this case the engagement team either:
a. Determines whether alternative controls can be tested for operating effectiveness to

achieve the originally intended level of control reliance; or
b. Modifies the planned audit approach by:
o amending the level of control reliance in the FSA for the relevant assertion(s) to
a lower level, as justified by the testing results; and
o modifying the planned nature, timing, or extent of substantive procedures. This
may involve, for example, adding additional substantive tests to the audit
programs or increasing substantive sample sizes.
Note - Relying solely on controls where deviations have been identified during testing is not
advised.
Page | 230
Audit Manual
Version 7 (2022)
If the engagement team concludes that the control is not operating sufficiently effectively, the
control cannot be relied on in determining the nature, timing, or extent of substantive
procedures. Accordingly, the engagement team either:
a. Determines whether alternative controls can be tested for operating effectiveness to

achieve the originally intended control reliance;
b. Abandons taking a controls-based approach by:
o amending the level of control reliance in the FSA for the relevant assertion(s) to
“None / Not tested”;
o updating the relevant control card conclusion to confirm that the control will not
be relied upon; and
o modifying the planned nature, timing, or extent of substantive procedures as
outlined above.
The auditor also considers the need to report to management and/or those charged with
governance in accordance with the requirements of ISA 260 and ISA 265.
A material misstatement detected by the auditor’s procedures is a strong indicator of the

existence of a significant deficiency in internal control. Accordingly, when evaluating the
operating effectiveness of relevant controls, the auditor evaluates whether any misstatements
detected by substantive procedures indicate that controls are not operating effectively. The
absence of misstatements detected by substantive procedures, however, does not provide
audit evidence that controls related to the assertion being tested are effective.

The results and final evaluation of the operating effectiveness of the control is recorded in the
tests of control section of the control card:
Test control
Selection options Comments

Yes The control will be tested for operational effectiveness, as the design
effectiveness was considered satisfactory, implementation was
successfully verified and the planned audit approach places reliance
on the control. Global Focus does not differentiate in the control card
between interim and year end control testing.
No The control will not be tested for operational effectiveness as the

design effectiveness was considered unsatisfactory and/or the control
was not properly implemented.
Or
The planned audit approach does not place reliance on the control.
Page | 231
Audit Manual
Version 7 (2022)

PY1 (Tested) The planned audit approach places reliance on the control, which was
tested in the prior year. i.e. the auditor has elected to rotate the control
testing.
PY2 (Tested) The planned audit approach places reliance on the control, which was
tested two years’ previous i.e. the auditor has elected to rotate the
control testing.
Supporting working papers
Provides a link to the testing of the relevant control and any related substantive tests which
support the conclusion on the control’s effectiveness.
Will the control be relied upon?

Yes The control is considered to be operating sufficiently effectively, based
on the testing performed, to justify a degree of reliance.
No The control is not considered to be operating sufficiently effectively,

based on the testing performed, to justify any degree of reliance.
Additional work will be required, either alternative controls testing or
amendments to the planned substantive procedures.
Not tested Not applicable (do not use).
Any control which is not tested is marked as such in the “Test control”
field, in which case this field can be left blank.
Page | 232
Audit Manual
Version 7 (2022)
4.8 Auditing the consolidation process
Contents
4.8.1 Introduction
4.8.2 Auditing the consolidation process
Objective The objective of the group auditor is to obtain sufficient

appropriate audit evidence regarding the financial information of
the components and the consolidation process to express an
opinion on whether the group financial statements are prepared,
in all material respects, in accordance with the applicable
financial reporting framework.
Relevant ISA • ISA 240 The Auditor’s Responsibilities Relating to Fraud

in an Audit of Financial Statements
Auditors)
Global Focus software Form 5000-1 Group audit program

Form 5000-6 Consolidation procedures
Policy requirements
(if any)
Page | 233
Audit Manual
Version 7 (2022)
4.8.1 Introduction
The group auditor designs and performs audit procedures to respond to the assessed risks of
material misstatement of the consolidated financial statements arising from the consolidation
process. This includes evaluating whether all components have been included in the
4.8.2 Auditing the consolidation process

In addition to checking that all components have been included in the consolidated financial
statements, ISA 600 requires certain specific procedures to be performed by the group
engagement team in auditing the consolidation process.
ISA 600 requirement Commentary
Evaluation of the appropriateness, This evaluation may include:

completeness and accuracy of
• evaluating whether significant adjustments
consolidation adjustments and
appropriately reflect the underlying events
reclassifications.
and transactions;
• determining whether significant
adjustments have been correctly
calculated, processed and authorised by
group management and, where applicable,
by component management;
• determining whether significant
adjustments are properly supported and
sufficiently documented; and
• checking the reconciliation and elimination
of intra-group transactions and unrealised
profits, and intra-group account balances.
Evaluation of whether any fraud risk ISA 240.33(a)(ii) requires the auditor to select and
factors or indicators of possible test the appropriateness of journal entries and
management bias exist. other adjustments made at the end of the reporting
period. This includes consolidation adjustments
and reclassifications made in preparing the
If the financial information of a This may be problematic where the group auditor is
component has not been prepared in unfamiliar with the component GAAP. In such
accordance with the same accounting cases the group auditor may need to use the work
policies applied to the consolidated of an auditor’s expert.
financial statements, evaluation of
whether the financial information of that
component has been appropriately
adjusted for purposes of preparing and
presenting the consolidated financial
statements.
Page | 234
Audit Manual
Version 7 (2022)
ISA 600 requirement Commentary
Determination of whether the financial This is usually achieved by:

information identified in the component
• the component auditor reconciling the
auditor’s communications is the
component financial statements to the
financial information that is
figures in the group reporting pack; and
incorporated in the consolidated
• the group auditor checking the financial
financial statements.
information in the consolidation workings
back to the group reporting pack.
If the consolidated financial statements For example, under IFRS 10 all components are
include the financial statements of a required to have the same reporting dates,
component with a non-coterminous otherwise the consolidation should be based on
period end, evaluation of whether additional financial information prepared by the
appropriate adjustments have been component. Where this is impracticable, the most
made to those financial statements in recent financial statements of the component are
accordance with the applicable used, adjusted for the effects of significant
financial reporting framework. transactions or events between the reporting dates
of the component and consolidated financial
statements, which may be no more than three
months. Non-coterminous year-ends can therefore
result in transactions included in the consolidated
financial statements that have not been audited.
This can create a risk of material misstatement,
and the group auditor must specifically plan to
obtain sufficient appropriate evidence about
transactions or adjustments made in respect of the
adjustment period.

Audit procedures to test the consolidation process are included in Form 5000-1 Group audit
program and Form 5000-6 Consolidation procedures.
Page | 235
Audit Manual
Version 7 (2022)
Section 5: Evaluate and Conclude
Introduction
Preliminary
Report
Activities
Global
Focus
Risk
Evaluate
Assessment
and
and
Conclude
Planning
Respond to
Risk
Page | 236
Audit Manual
Version 7 (2022)
5.1 Evaluate and conclude
Contents
5.1.1 Introduction
5.1.2 Concluding Analytical Procedures
5.1.3 Evaluating the sufficiency and appropriateness of audit evidence
5.1.4 Concluding on compliance with independence requirements
5.1.5 Scope of engagement partner and engagement quality review
5.1.6 Consultation
Objective The objective of the auditor is to apply the concept of materiality

appropriately in planning and performing the audit.

• ISA 520 Analytical Procedures
auditors)
• ISA 705 Modifications to the opinion in the Independent
Auditor’s Report
Global Focus software Form 310 Audit Completion
Policy requirements The minimum documents that must be reviewed by the

(if any) engagement partner and, if applicable, the engagement quality
control reviewer, are set out in Section 5.1.5.
Page | 237
Audit Manual
Version 7 (2022)
5.1.1 Introduction
To form an opinion on the financial statements as a whole, the auditor evaluates the results of
the audit engagement. This involves performing analytical procedures that assist in forming an
overall conclusion, evaluating the sufficiency and appropriateness of audit evidence, evaluating
identified misstatements, including the effects of uncorrected misstatements, and forming a
conclusion on compliance with independence requirements.
The form of opinion to be expressed (that is, whether unmodified or modified) depends on
whether the financial statements are free from material misstatement and whether the auditor
has obtained sufficient appropriate audit evidence on which to base the opinion. The type of
modified opinion (that is, qualified opinion, adverse opinion, or disclaimer of opinion) depends on
the nature of the matter giving rise to the modification and the pervasiveness of the effects or
possible effects of the matter on the financial statements (see Section 6 for further information
on forming an opinion).
5.1.2 Concluding Analytical Procedures

The auditor is required to perform analytical procedures near the end of the audit that assist in
forming an overall conclusion as to whether the financial statements are consistent with their
understanding of the entity.
If these concluding analytical procedures identify fluctuations or relationships that are

inconsistent with the auditor’s understanding, the auditor investigates these differences by
inquiring of management, obtaining appropriate audit evidence relevant to corroborate
management’s responses and performing other audit procedures as necessary in the
circumstances. Where such fluctuations are identified the auditor considers whether they give
rise to a risk of material misstatement due to fraud; for example unusually large amounts of
income reported in the last few weeks of the reporting period or unusual transactions; or income
that is inconsistent with trends in cash flow from operations.
Concluding analytical procedures may be similar to those that would be used as risk
assessment analytical procedures and may include comparing current period information to:
• the prior period

• budgets or forecasts
• industry information or averages, or to entities of a similar size and nature.

Concluding analytical procedures are documented in Form 310 (Checklist - Audit Completion).
Audit procedures performed are recorded in the Global Focus file and cross referenced to this
question.
5.1.3 Evaluating the sufficiency and appropriateness of audit evidence

In forming their opinion, the auditor evaluates whether they have obtained sufficient appropriate
audit evidence, which is defined as:
• Sufficiency of audit evidence is the measure of the quantity of audit evidence. The
quantity of the audit evidence needed is affected by the auditor’s assessment of the
risks of material misstatement and also by the quality of such audit evidence (ISA
500.5(e)).
Page | 238
Audit Manual
Version 7 (2022)
• Appropriateness of audit evidence is the measure of the quality of audit evidence; that
is, its relevance and reliability in providing support for the conclusions on which the
auditor’s opinion is based (ISA 500.5(b)).
The auditor’s judgment as to what constitutes sufficient appropriate audit evidence is influenced
factors such as:
• the significance of the potential misstatement in the assertion and the likelihood of it
having a material effect, individually or aggregated with other potential misstatements,
on the financial statements
• effectiveness of management’s responses and controls to address the risks
• experience gained during previous audits with respect to similar potential misstatements
• the results of audit procedures performed, including whether such audit procedures
identified specific instances of fraud or error
• the source and reliability of the available information
• persuasiveness of audit evidence
• the auditor’s understanding of the entity and its environment, including the entity’s
internal control.
Inability to obtain sufficient appropriate audit evidence
The engagement team may be unable to obtain sufficient appropriate audit evidence, which will
lead to a limitation on the scope of the audit. The inability to perform a specific procedure does
not constitute a limitation on the scope of the audit if the engagement team is able to perform
alternative procedures. Examples of limitations on scope are set out in the table below:
1. Cause of Limitation Examples

Circumstances beyond • The accounting records have been destroyed.
the control of the entity • The accounting records of a significant component have
(ISA 705.A10) been seized indefinitely by the authorities.
Circumstances relating • The entity uses the equity method of accounting for an
to nature or timing of the associated entity. The engagement team is unable to
engagement team’s obtain sufficient appropriate audit evidence about the
work (ISA 705.A11) financial information of the associated entity to evaluate
whether the equity method has been appropriately applied.
• The auditor determines that performing substantive
procedures alone is not sufficient, but is unable to verify
the operating effectiveness of the relevant controls.
• The timing of the auditor’s appointment is such that the
engagement team is unable to observe the counting of the
material physical inventories.
Limitations imposed by • Management prevents the engagement team from

management observing the physical inventory count.
(ISA 705.A12) • Management prevents the engagement team from
requesting external confirmation of specific account
balances.
Page | 239
Audit Manual
Version 7 (2022)
5.1.4 Concluding on compliance with independence requirements

The engagement partner is required to form a conclusion on compliance with independence
requirements that apply to the audit engagement. This conclusion is first formed during the
client acceptance and continuance process. However, the engagement partner may become
aware of new circumstances or relationships that create threats to independence. In such
circumstances, the engagement partner obtains relevant information to form a conclusion on
compliance with independence requirements prior to issuing the auditor’s report.

The Engagement Partner records this conclusion when signing off the “Partner Conclusion” in
the Audit Completion Checklist (Form 310) which includes the statement “I am not aware of any
instances of noncompliance by myself or any other members of the engagement team with
relevant ethical requirements, including independence requirements, that were not satisfactorily
resolved.”
5.1.5 Scope of engagement partner and engagement quality control review

The following mandatory documents (see Section 1.5) have been designated as the absolute
minimum that must be reviewed by the engagement partner and, if applicable, the engagement
quality control reviewer:
Ref Name Partner EQCR

405 Engagement - Acceptance/Continuance ✓ ✓
436-GF Engagement team discussion ✓ ✓
420 Materiality ✓ ✓
FSA Financial statement areas worksheet ✓ ✓
510-1 Use of Inflo Cascade module* ✓
520E Risk report ✓ ✓
625 Going concern evaluation ✓
650 Subsequent events ✓
335 Worksheet - Summary of identified misstatements ✓ ✓
520E. 7 Risk report - Risk addressed ✓ ✓
330 Worksheet - Audit findings and matters for discussion ✓
311 Independence declaration ✓ ✓
It is anticipated that more documents than the minimum will be reviewed in practice.
In Global Focus these documents (other than 436-GF as this is a Word document) have been
set as pre-requisites. This means that the engagement partner and engagement quality control
reviewer will be unable to sign off their completion checklists (Forms 310 and 301 respectively)
until these documents have been marked as reviewed. If any of the above documents have not
been reviewed when the relevant checklist is opened, a warning will appear on screen.
Member firms may wish to require engagement partners and engagement quality control
reviewers to review additional documents. These may be enforced by member firm policy only
or via the use of pre-requisites.
*Form 510-1 (Use of Inflo Cascade module) is only mandatory when Inflo Cascade is used, in
which case procedure 9 therein is also a partner pre-requisite (see Section 4.5.4.1).
Page | 240
Audit Manual
Version 7 (2022)
Auditors are reminded that the scope of an engagement quality control review is greater for
listed entities, as required by ISA 220.21. This is reflected in the additional procedures that are
included within Form 301 when using the PIE profile. These additional procedures remain in the
procedures library in the NCP and MLP profiles and can be brought into Form 301 if desired.

The engagement quality reviewer records their review, findings and conclusions in Form 301
Worksheet – Engagement quality control review checklist.
5.1.6 Consultation
There are a number of matters on which the engagement team may need to consult with other
persons:
Matter ISA reference
Non-compliance with relevant ethical requirements by member(s) of the 220.10

engagement team
Difficult or contentious matters, including:
• specialised area of accounting or auditing 220.18

• Differences of opinion within the engagement team 220.A11
Reporting of identified or suspected fraud to an appropriate authority 240.A68

outside the entity
Insufficient information provided by the entity to demonstrate that the 250.A22

entity is in compliance with laws and regulations
Reporting of identified or suspected non-compliance with laws and 250.A33

regulations to an appropriate authority outside the entity
Complex or unusual issues are involved, and the audit has been 300.A17
performed by a sole practitioner
Such a person is not part of the engagement team if that person’s involvement with the
engagement is only consultation (ISA 220.A11).
It may be appropriate to consult outside the firm, e.g., where the firm lacks the appropriate
internal resources. They may take advantage of services and/or expertise available in other
member firms within the Baker Tilly network, by other firms, professional and regulatory bodies
or independent commercial organisations providing relevant services.
ISA 701.A15 notes that in some circumstances, consultation may be an indicator that a matter
is a key audit matter (see Section 6.2).
Interaction with an engagement quality control review
When appointed, care must be taken when consulting the engagement quality control reviewer
to avoid compromising their objectivity (ISQC1.39b). The engagement partner may consult the
engagement quality control reviewer, for example, to establish that a judgment made will be
acceptable to them. Such consultation avoids identification of differences of opinion late in the
Page | 241
Audit Manual
Version 7 (2022)
engagement and need not compromise the engagement quality control reviewer’s eligibility to
perform the role.
Where it is not possible to maintain the reviewer’s objectivity, another person should be
appointed, either as the person to be consulted or to take over the role of the engagement
quality control reviewer.
Documentation
Documentation of consultation should be sufficiently complete and detailed in order to

contribute an understanding of:
• The nature of the issue on which consultation was sought and the scope of such
consultation; and
• The results and conclusions of the consultation, including any decisions taken, the basis
for those decisions and how they were implemented (ISA 220.24 and A37).

Form 676 Documenting Consultation can be used to summarise the nature of consultation, the
key issues identified and the conclusion or outcome. This should be supported by detailed notes
of the consultation or a report from the consultant.

The group engagement team evaluates whether sufficient appropriate audit evidence has been
obtained from the audit procedures performed on the consolidation process and the work
performed by the group engagement team and the component auditors on the financial
information of the components (see Section 5.4.3), on which to base the group audit opinion.
The group engagement partner’s evaluation of the aggregate effect of any misstatements (either
identified by the group engagement team or communicated by component auditors) allows the
group engagement partner to determine whether the group financial statements as a whole are
materially misstated.
Inability to obtain sufficient appropriate audit evidence
If the group engagement team concludes that sufficient appropriate audit evidence on which to
base the group audit opinion has not been obtained, the group engagement team may request
the component auditor to perform additional procedures. If this is not feasible, the group
engagement team may perform its own procedures on the financial information of the
component.
If the group engagement team is still unable to obtain sufficient appropriate audit evidence, this
will lead to a limitation on the scope of the group audit.
Concluding on compliance with independence requirements
The group engagement partner is required to form a conclusion on compliance with

independence requirements that apply to the group audit engagement. In a group audit, the
group auditor requests reconfirmation of the independence of component auditors at the end of
the group audit engagement. This is often done through requesting completion of a standard
form as part of the group audit instructions.
Page | 242
Audit Manual
Version 7 (2022)

Form 5000-7 Group audit instructions contains a request for the component auditor to
reconfirm their independence at the end of the group audit engagement.
Alternatively, group engagement teams may use the Excel template 447G Final group audit
instructions, available on Billy, which contains a template for reconfirmation of independence by
the component auditor.
Having satisfied themselves as to the independence of component auditors, the group

engagement partner records their overall conclusion when signing off the “Partner Conclusion”
in the Audit Completion Checklist (Form 310) which includes the statement “I am not aware of
any instances of noncompliance by myself or any other members of the engagement team with
relevant ethical requirements, including independence requirements, that were not satisfactorily
resolved.”
Page | 243
Audit Manual
Version 7 (2022)
5.2 Evaluating misstatements identified during the audit
Contents
5.2.1 Introduction
5.2.2 Accumulating identified misstatements
5.2.3 Evaluating identified misstatements
5.2.4 Evaluating the effect of uncorrected misstatements
Objective The objective of the auditor is to evaluate:
a) The effect of identified misstatements on the audit

b) The effect of uncorrected misstatements, if any, on the
Relevant ISA • ISA 450 Evaluation of misstatements identified during

the audit
Auditors)
Global Focus software Form 335 Summary of Identified Misstatements

Form 335-1 Summary of Identified Misstatements
Policy requirements The Clearly Trivial threshold is set at a maximum of 5% of overall

(if any) materiality
Page | 244
Audit Manual
Version 7 (2022)
5.2.1 Introduction
To form an opinion on the financial statements as a whole, the auditor evaluates the results of
the audit engagement. This involves performing analytical procedures that assist in forming an
overall conclusion, evaluating the sufficiency and appropriateness of audit evidence, evaluating
identified misstatements, including the effects of uncorrected misstatements, and forming a
conclusion on compliance with independence requirements.
5.2.2 Accumulating identified misstatements

The auditor is required to accumulate misstatements identified during the audit, other than
those that are clearly trivial, including misstatements of amounts and misstatements in
disclosures.
Misstatements that are clearly trivial are clearly inconsequential, whether taken individually or in
aggregate, or judged by any criteria of size, nature, or circumstance. In Global Focus,
misstatements less than 5% of overall materiality are considered clearly trivial. While
misstatements by nature (rather than amount), cannot be added together, they are evaluated
individually and collectively with other misstatements.
To assist the auditor in evaluating the effect of misstatements accumulated during the audit and
in communicating misstatements to management and those charged with governance Global
Focus distinguishes between the following types of misstatements:
• Factual misstatements – misstatements about which there is no doubt (for example, a

payment recorded in the incorrect period).
• Projected misstatements – the auditor’s best estimate of misstatements in populations,
involving the projection of misstatements identified in audit samples to the entire
population from which the samples were drawn (for example, where a payment is
identified as being recorded in the incorrect period during sample testing, the auditor
may project the error in the sample tested across the entire population).
• Judgmental misstatements – differences arising from the judgments of management
including those concerning recognition, measurement, presentation, and disclosure in
the financial statements, as well as the selection or application of accounting policies,
that the auditor considers unreasonable or inappropriate.
Misstatements may also result from an omission of an amount or disclosure required by the
financial reporting framework, as set out in the table below:
Page | 245
Audit Manual
Version 7 (2022)
Source of Examples
misstatement
Appropriateness of • The selected accounting policies are not consistent with the
selected accounting financial reporting framework or are otherwise deemed to be
policies inappropriate
• The financial statements do not correctly describe an
accounting policy relating to a significant item in the
• The financial statements do not represent or disclose the
underlying transactions and events in a manner that
achieves fair presentation
• Changes in significant accounting policies do not comply
with the accounting and disclosure requirements of the
Application of selected • The selected accounting policies have not been applied
accounting policies consistently with the financial reporting framework, including
such policies have not been applied consistently between
periods or to similar transactions and events
• Judgments of management concerning accounting
estimates are deemed to be unreasonable
• The application of accounting policies is deemed to be
inappropriate
• There is an unintentional error in the method of application
of accounting policies, such as an incorrect accounting
estimate arising from overlooking, or clear misinterpretation
of, facts
• Information is inappropriately classified, aggregated, or
disaggregated
Appropriateness or • The financial statements do not include all of the

adequacy of disclosures, whether quantitative or qualitative, required by
disclosures the financial reporting framework (that is, disclosures may
be omitted, inadequate, inaccurate, or incomplete)
• The disclosures in the financial statements are not
presented in accordance with the financial reporting
framework
• The financial statements do not provide the additional
disclosures necessary to achieve fair presentation beyond
disclosures specifically required by the financial reporting
framework
5.2.3 Evaluating identified misstatements

The auditor is responsible for evaluating the effect of identified misstatements on the audit. A
misstatement is a difference between the reported amount, classification, presentation, or
disclosure of a financial statement item and the amount, classification, presentation, or
Page | 246
Audit Manual
Version 7 (2022)
disclosure that is required for the item to be in accordance with the financial reporting
framework.
Misstatements can arise from fraud or error. For example, misstatements may result from an
inaccuracy in gathering or processing data from which the financial statements are prepared
(“error”) or from management override of controls (“fraud”).
Consideration of identified misstatements as the audit progresses
If the aggregate of misstatements accumulated during the audit approaches materiality, there
may be a greater than acceptably low level of risk that possible undetected misstatements,
when taken with the aggregate of misstatements accumulated during the audit, could exceed
materiality. Undetected misstatements could exist because of the presence of sampling risk and
non-sampling risk.
A misstatement may not be an isolated occurrence. Evidence that other misstatements may
exist include, for example, when the misstatement arose from a breakdown in internal control or
from inappropriate assumptions or valuation methods that have been widely applied by the
entity. The auditor may request management to examine a class of transactions, account
balance, or disclosure in order for management to understand the cause of a misstatement,
perform procedures to determine the amount of the actual misstatement, and to make
appropriate adjustments to the financial statements. This may be the case based on the
auditor’s projection of misstatements in an audit sample.
Consideration of identified misstatements in relation to fraud
Identified fraud is unlikely to be an isolated occurrence. Some misstatements, such as

numerous misstatements at a specific location even though the cumulative effect is not material,
may be indicative of a risk of material misstatement due to fraud.
Depending on the circumstances, misstatements in disclosures could also be indicative of fraud.

Such fraud may arise from misleading disclosures resulting from management bias in judgments
or lengthy and uninformative disclosures that are intended to obscure a proper understanding of
matters in the financial statements.
5.2.4 Evaluating the effect of uncorrected misstatements

The auditor is required to determine whether uncorrected misstatements are material,
individually or in aggregate. In making this determination, the auditor considers:
• the size and nature of the misstatements, both in relation to particular classes of
transactions, account balances, or disclosures and the financial statements as a whole,
and the circumstances of their occurrence; and
• the effect of uncorrected misstatements related to prior periods on the relevant classes
of transactions, account balances, or disclosures, and the financial statements as a
whole.
Prior to this evaluation, the auditor is required to reassess materiality to confirm whether it
remains appropriate in the context of the entity’s actual financial results.
Each individual misstatement is considered to evaluate its effect on the relevant classes of
transactions, account balances, or disclosures, including whether any specific materiality
Page | 247
Audit Manual
Version 7 (2022)
determined for that particular class of transactions, account balance, or disclosure has been
exceeded.
Misstatements of qualitative disclosures are considered to evaluate the effect on the relevant
disclosure(s), as well as the effect on the financial statements as a whole. The determination of
whether a misstatement(s) in a qualitative disclosure is material involves the exercise of
professional judgment. Examples where such misstatements may be considered material
include:
• omission of information about significant events or circumstances.

• incorrect description of a significant accounting policy.
• inaccurate or incomplete descriptions of information about the entity’s objectives,
policies, and procedures for managing assets (for example, managing capital in entities
with insurance and banking activities).
The auditor is required to understand management’s reasons for not correcting some or all
misstatements, and to take into account this understanding when evaluating whether the
financial statements as a whole are free from material misstatement.
If the auditor either confirms that, or is unable to conclude whether, the financial statements are
materially misstated as a result of fraud the auditor shall evaluate the implications for the audit
and the independent auditor’s report.
Qualitative and other considerations
The auditor may evaluate misstatements as material, individually or when considered together
with other misstatements accumulated during the audit, even if they are lower than materiality
for the financial statements as a whole. Circumstances that may affect this evaluation include
misstatements which:
• affect compliance with regulatory requirements, debt covenants or other contractual

requirements.
• relate to the incorrect selection or application of an accounting policy that has an
immaterial effect on the current period’s financial statements but is likely to have a
material effect in the future.
• masks a change in earnings or other trends.
• affects ratios used to evaluate the entity’s financial position, results of operations, or
cash flows.
• affects segment information presented in the financial statements.
• increase management compensation by meeting the requirements for the award of
bonuses or other incentives.
• impacts on related party transactions.
• is important to the users’ understanding of the financial position, financial performance
or cash flows of the entity.
Misstatements related to classification
Determining whether a classification misstatement is material involves the evaluation of

qualitative considerations, such as the effect of the classification misstatement on debt or other
contractual covenants, the effect on individual line items or sub-totals, or the effect on key
ratios. There may be circumstances where the auditor concludes that a classification
Page | 248
Audit Manual
Version 7 (2022)
misstatement is not material in the context of the financial statements as a whole, even though it
may exceed the materiality level or levels applied in evaluating other misstatements. For
example, a misclassification between balance sheet line items may not be considered material
in the context of the financial statements as a whole when the amount of the misclassification is
small in relation to the size of the related balance sheet line items and the misclassification does
not affect the income statement or any key ratios.
Offsetting misstatements
If an individual misstatement is judged to be material, it is unlikely that it can be offset by other

misstatements. For example, if revenue has been materially overstated, the financial statements
as a whole will be materially misstated, even if the effect of the misstatement on earnings is
completely offset by an equivalent overstatement of expenses. It may be appropriate to offset
misstatements within the same class of transactions or account balance; however, the risk that
further undetected misstatements may exist is considered before concluding that offsetting even
immaterial misstatements is appropriate.
Cumulative effect of prior period misstatements
The cumulative effect of immaterial uncorrected misstatements related to prior periods may
have a material effect on the current period’s financial statements. There are different
acceptable approaches to evaluate such uncorrected misstatements on the current period’s
financial statements. However, using the same evaluation approach provides consistency from
period to period.

Identified misstatements, both corrected and uncorrected, are recorded in Form 335 Worksheet
- Summary of identified misstatements:
Page | 249
Audit Manual
Version 7 (2022)
Form 335-1 Summary of identified misstatements is used to document:
• the auditor’s consideration of whether additional audit work needs to be performed

• any indications of management bias
• the evaluation of uncorrected misstatements
• any indications of fraud, particularly if involvement by management is suspected.
To form an opinion on the consolidated financial statements as a whole, the group auditor
evaluates the results of the group audit engagement.
The group auditor is required to accumulate misstatements identified during the group audit,
other than those that are clearly trivial, including misstatements of amounts and misstatements
in disclosures. This includes misstatements identified by either the group engagement team or,
and communicated by, component auditors.
Page | 250
Audit Manual
Version 7 (2022)
5.3 Evaluating the financial statements
Contents
5.3.1 Introduction
5.3.2 Evaluating the financial statements in accordance with the financial reporting framework
5.3.3 Disclosure of accounting policies
5.3.4 Disclosure of material transactions and events
Objective The objective of the auditor is to evaluate whether the financial

statements are prepared and presented in accordance with the
Relevant ISA • ISA 330 The auditor’s response to assessed risk

• ISA 700 Forming an opinion and reporting on financial
statements
Global Focus software Form 310 Audit Completion checklist
Policy requirements
(if any)
Page | 251
Audit Manual
Version 7 (2022)
5.3.1 Introduction
The auditor is required to evaluate whether the financial statements are prepared, in all material
respects, in accordance with the requirements of the financial reporting framework, including
consideration of the qualitative aspects of the entity’s accounting practices, including indicators
of possible bias in management’s judgments.
The requirements of the financial reporting framework determine the form and content of the
financial statements. Although the framework may not specify how to account for or disclose all
transactions or events, it includes sufficient broad principles that can serve as a basis for
developing and applying accounting policies that are consistent with the concepts underlying
the requirements of the framework.
5.3.2 Evaluating the financial statements in accordance with the financial reporting
framework
The auditor evaluates whether, in view of the requirements of the financial reporting framework:
• The financial statements adequately refer to or describe the financial reporting framework;
• the financial statements appropriately disclose the significant accounting policies selected
and applied. This evaluation includes considering the relevance of the accounting policies to
the entity, and whether the presentation is understandable;
• the accounting policies selected and applied are consistent with the applicable financial
reporting framework and are appropriate;
• accounting estimates made by management are reasonable;
• information presented in the financial statements is relevant, reliable, comparable, and
understandable. In making this evaluation, the auditor considers whether:
o the information that should have been included has been included, and whether
it is appropriately classified, aggregated or disaggregated.
o the overall presentation of the financial statements has been undermined by
including information that is not relevant or that obscures a proper
understanding of the matters disclosed.
o the financial statements provide adequate disclosures to enable users to
understand the effect of material transactions and events on the information
conveyed in the financial statements; and
• The terminology used in the financial statements, including the title of each financial
statement, is appropriate.
Adequacy of presentation
The auditor evaluates whether the overall presentation of the financial statements is in
accordance with the financial reporting framework. In making this evaluation, the auditor
considers whether the financial statements are presented in a manner that reflects the
appropriate:
• Classification and description of financial information and the underlying transactions,

events, and conditions; and
• Presentation, structure, and content of the financial statements.
Page | 252
Audit Manual
Version 7 (2022)
Information presented is relevant, reliable, comparable, and understandable
Evaluating the understandability of the financial statements includes consideration of such

matters as whether:
• the information in the financial statements is presented in a clear and concise manner
• the placement of significant disclosures gives them appropriate prominence (for
example, when there is perceived value of entity-specific information to users), and
whether the disclosures are appropriately cross-referenced.
5.3.3 Disclosure of accounting policies

In evaluating whether the financial statements appropriately disclose the significant accounting
policies selected and applied, the auditor considers matters such as: whether the disclosures
related to the significant accounting policies that are required to be included by the financial
reporting framework have been disclosed.
• whether the information about the significant accounting policies that has been
disclosed is relevant and therefore reflects how the recognition, measurement, and
presentation criteria in the financial reporting framework have been applied to classes of
transactions, account balances, and disclosures in the financial statements in the
particular circumstances of the entity’s operations and its environment.
• the clarity with which the significant accounting policies have been presented.
5.3.4 Disclosure of material transactions and events

Evaluating whether the financial statements provide adequate disclosures to enable users to
understand the effect of material transactions and events on the entity’s financial position,
financial performance, and cash flows includes consideration of such matters as:
• The extent to which the information in the financial statements is relevant and specific to
the circumstances of the entity.
• Whether the disclosures are adequate to assist users to understand:
o the nature and extent of the potential assets and liabilities arising from
transactions or events that do not meet the criteria for recognition (or the criteria
for derecognition) established by the financial reporting framework.
o the nature and extent of risks of material misstatements arising from transactions
and events.
o the methods used and the assumptions and judgments made that affect
amounts presented or otherwise disclosed, including relevant sensitivity
analyses.

The review of the financial statements is documented in Question 19 of Form 310 (Audit
Completion checklist). Where the auditor completes a disclosure checklist, this is attached into
the Global Focus file and cross referenced to this question.
Page | 253
Audit Manual
Version 7 (2022)
5.4 Evaluating the work of component auditors
Contents
5.4.1 Introduction
5.4.2 Information to be communicated by component auditors to the group auditor
5.4.3 Evaluating the work of component auditors
Objective The objective of the group auditor is to communicate clearly with

component auditors about the scope and timing of their work on
financial information related to components and their findings,
and to obtain sufficient appropriate audit evidence regarding the
financial information of the components and the consolidation
process to express an opinion on whether the group financial
statements are prepared, in all material respects, in accordance
with the applicable financial reporting framework. (ISA 600.8b)
Relevant ISA • ISA 600 Special Considerations - Audits of Group

auditors)
Global Focus software Form 5000-7 Group audit instructions

Form 5000-8 Group audit questionnaire
Form 5000-9 Group accounting questionnaire
Policy requirements
(if any)
Page | 254
Audit Manual
Version 7 (2022)
5.4.1 Introduction
Section 4.1.5 set out the three types of audit evidence in a group audit context:
a) Audit evidence in respect the financial information of components;

b) Audit evidence on group-wide controls and the consolidation process including, if
applicable, goodwill on consolidation and any impairment thereof; and
c) Analytical procedures performed at group level.
When component auditors are involved in the group audit, not all the audit evidence will be
generated by the group auditor. ISA 600 therefore considers how the group auditor becomes
satisfied that sufficient appropriate audit evidence has been obtained.
5.4.2 Information to be communicated by component auditors to the group auditor

The group auditor requires certain information about the audit work performed by component
auditors to determine if sufficient appropriate audit evidence has been obtained in respect of
those components. ISA 600.41 therefore prescribes the information that component auditors
must provide to the group auditor as a minimum:
• Whether the component auditor has complied with ethical requirements that are relevant
to the group audit, including independence and professional competence;
• Whether the component auditor has complied with the group engagement team’s
requirements;
• Identification of the financial information of the component on which the component
auditor is reporting;
• Information on instances of non-compliance with laws or regulations that could give rise
to a material misstatement of the group financial statements;
• A list of uncorrected misstatements of the financial information of the component that
are equal to or above the threshold for clearly trivial misstatements communicated by
the group engagement team;
• Indicators of possible management bias;
• Description of any identified significant deficiencies in internal control at the component
level;
• Other significant matters that the component auditor communicated or expects to
communicate to those charged with governance of the component, including fraud or
suspected fraud involving component management, employees who have significant
roles in internal control at the component level or others where the fraud resulted in a
material misstatement of the financial information of the component;
• Any other matters that may be relevant to the group audit, or that the component
auditor wishes to draw to the attention of the group engagement team, including
exceptions noted in the written representations that the component auditor requested
from component management; and
• The component auditor’s overall findings, conclusions or opinion.
These requirements, plus any others specifically needed by the group engagement team, are
usually communicated in the group audit instructions. These may contain template forms for the
component auditor to complete with the requested information; alternatively, the group auditor
may be satisfied to receive copies of the component auditor’s own working papers documenting
the same information.
Page | 255
Audit Manual
Version 7 (2022)

A template set of group audit instructions is provided in Form 5000-7 Group audit instructions.
Alternatively, group engagement teams may use the optional new Excel template Form 447G
Final group audit instructions, available on Billy.
5.4.3 Evaluating the work of component auditors

In evaluating the work of component auditors, ISA 600.42 requires the group auditor, as a
minimum, to:
• Discuss significant matters arising from that evaluation with the component auditor,
component management or group management, as appropriate; and
• Determine whether it is necessary to review other relevant parts of the component
auditor’s audit documentation.
It is therefore clear that reviewing part or all the component auditor’s audit working papers is not
a requirement of the ISA, but the need to consider doing so is, and is a matter of professional
judgment. Factors that may affect the group auditor’s decision as to whether or not to review
component auditor working papers include:
• The proportion of the group not audited by the group auditor themselves.
• The significance of the component to the group.
• The group auditor’s knowledge and experience of the component auditor, their
professional competency and the regulatory environment to which they are subjected.
• The risks of material misstatement identified within the component.
• The quality of the two-way communications with the component auditor.
• The information and level of detail already communicated from the component auditor to
the group auditor as requested in the group audit instructions, including whether
additional audit and/or accounting questionnaires were completed by the component
auditor*.
• The length of time since that component auditor’s working papers were last reviewed.
The regulatory environment to which the group auditor is subject and regulator expectations
may also be relevant. For example, some audit regulators expect the group auditor to review at
least part of the working papers of component auditors of all significant components.
Which working papers of the component auditor will be relevant to the group audit may vary
depending on the circumstances. Often the focus is on working papers that are relevant to the
significant risks of material misstatement of the consolidated financial statements. The extent of
the review may also be affected by the fact that the component auditor’s working papers have
been subjected to the component auditor’s firm’s review procedures.
If the group auditor concludes that the work of the component auditor is insufficient, the group
auditor determines what additional procedures are to be performed, and whether they are to be
performed by the component auditor or by the group engagement team.
Page | 256
Audit Manual
Version 7 (2022)

The group engagement partner’s decision and reasoning as to which audit working papers, if
any of which component auditors, if any, are to be reviewed should be included in the group
audit documentation.
Form 5000-8 Group audit questionnaire and Form 5000-9 Group accounting questionnaire are
optional, detailed questionnaires which may be used (having been first tailored) to obtain more
detailed information from component auditors. Alternatively, group engagement teams may use
the Excel template 448G Group questionnaires (optional), available on Billy, for this purpose.
Page | 257
Audit Manual
Version 7 (2022)
Section 6: Reporting
Introduction
Preliminary
Reporting
Activities
Global
Focus
Risk
Evaluate
Assessment
and
and
Conclude
Planning
Respond to
Risk
Page | 258
Audit Manual
Version 7 (2022)
6.1 Forming an opinion
Contents
6.1.1 Introduction
6.1.2 Form of auditor’s opinion (unmodified or modified)
6.1.3 Types of modification to auditor’s opinion
6.1.4 Management-imposed limitation after acceptance or continuance
6.1.5 Facts become known after the date of the auditor’s report but before the date the
financial statements are issued
6.1.5.1 Amendments not limited to the fact in question
6.1.5.2 Amendments not made by management but considered necessary by the
auditor
6.1.6 Facts become known after the financial statements have been issued
Objective In forming an opinion, the objectives of the auditor are to:
• Form an opinion on the financial statements based on an

evaluation of the conclusions drawn from the audit
evidence obtained, and
• Express clearly that opinion through a written report (ISA
700.6)
In modifying the opinion, the objective of the auditor is to

express clearly an appropriately modified opinion on the
financial statements that is necessary when either:
• the auditor concludes, based on the audit evidence

obtained, that the financial statements as a whole are
not free from material misstatement, or
• the auditor is unable to obtain sufficient appropriate
audit evidence to conclude that the financial statements
as a whole are free from material misstatement. (ISA
705.4)
Relevant ISA • ISA 560 Subsequent events

• ISA 700 Forming an opinion and reporting on the
• ISA 705 Modifications to the opinion in the independent
auditor’s report
Global Focus software Form 310 Completion checklist

Form 305 Reporting checklist
Policy requirements {Member firms may wish to establish consultation processes for
(if any) situations giving rise to modified audit opinions}
Page | 259
Audit Manual
Version 7 (2022)
6.1.1 Introduction
The form of opinion to be expressed, whether unmodified or modified, depends on whether the
financial statements are free from material misstatement and whether the auditor has obtained
sufficient appropriate audit evidence on which to base the opinion. The type of modified opinion
depends on the nature of the matter giving rise to the modification and the pervasiveness of the
effects or possible effects of the matter on the financial statements.
The following types of modified opinion are available:
• qualified opinion,
• adverse opinion, or
• disclaimer of opinion.
The auditor forms an opinion on whether the financial statements are prepared, in all material
respects, in accordance with the applicable financial reporting framework. In order to form their
opinion, the auditor concludes whether they have obtained reasonable assurance about
whether the financial statements as a whole are free from material misstatement, whether due
to fraud or error. The auditor’s conclusion takes into account whether:
• sufficient appropriate audit evidence has been obtained;

• uncorrected misstatements are material, individually or in aggregate; and
• the financial statements have been prepared in accordance with the financial reporting
framework.
When the auditor expects the modify the opinion in the auditor’s report, they communicate with
Those Charged with Governance the circumstances that led to the modification and the
proposed wording of the modification.
For guidance on the form and content of the audit opinion and the auditor’s report, refer to the
requirements set out in ISA 700 (Forming an Opinion and Reporting on the Financial
Statements). For guidance on the form and content of modified audit opinions refer to the
requirements set out in ISA 705 (Modifications to the opinion in the independent auditor’s
report).
The date of approval of the financial statements and audit report are recorded in Form 310
Checklist - Audit completion.
6.1.2 Form of auditor’s opinion (unmodified or modified)

The auditor expresses an unmodified opinion when they conclude that the financial statements
are prepared, in all material respects, in accordance with the financial reporting framework.
On the other hand, if the auditor:
• concludes that, based on the audit evidence obtained, the financial statements as a
whole are not free from material misstatement; or
• is unable to obtain sufficient appropriate audit evidence to conclude that the financial
statements as a whole are free from material misstatement,
then the auditor modifies the opinion in the auditor’s report.
Page | 260
Audit Manual
Version 7 (2022)
There are three types of modified opinions, namely, a qualified opinion, an adverse opinion, and
a disclaimer of opinion. The decision regarding which type of modified opinion is appropriate
depends upon:
• the nature of the matter giving rise to the modification. That is, whether the financial
statements are materially misstated or, in the case of an inability to obtain sufficient
appropriate audit evidence, may be material misstated.
• the auditor’s judgments about the pervasiveness of the effects or possible effects of the
matter on the financial statements.
Pervasive describes the effects on the financial statements of misstatements or the possible
effects on the financial statements of misstatements, if any, that are undetected due to an
inability to obtain sufficient appropriate audit evidence. Pervasive effects on the financial
statements are those that, in the auditor’s judgment:
• are not confined to specific elements, accounts, or items of the financial statements;
• if so confined, represent or could represent a substantial proportion of the financial
statements; or
• relate to disclosures which are fundamental to users’ understanding of the financial
statements.
6.1.3 Types of modification to auditor’s opinion

Qualified opinion
A qualified opinion is expressed when:
a. The auditor, having obtained sufficient appropriate audit evidence, concludes that
misstatements, individually or in the aggregate, are material, but not pervasive, to the
financial statements; or
b. The auditor is unable to obtain sufficient appropriate audit evidence on which to base
the opinion, but the auditor concludes that the possible effects on the financial
statements of undetected misstatements, if any, could be material but not pervasive.
Adverse opinion
An adverse opinion is expressed when the auditor, having obtained sufficient appropriate audit
evidence, concludes that misstatements, individually or in the aggregate, are both material and
pervasive to the financial statements.
Disclaimer of opinion
The auditor disclaims an opinion when they are unable to obtain sufficient appropriate audit
evidence on which to base the opinion, and they conclude that the possible effects on the
financial statements of undetected misstatements, if any, could be both material and pervasive.
The auditor also disclaims an opinion when, in extremely rare circumstances involving multiple
uncertainties, they conclude that, notwithstanding having obtained sufficient appropriate audit
evidence regarding each of the individual uncertainties, it is not possible to form an opinion on
the financial statements due to the potential interaction of the uncertainties and their possible
cumulative effect on the financial statements.
Page | 261
Audit Manual
Version 7 (2022)
The table below illustrates how the auditor’s judgment about the nature of the matter giving rise
to the modification, and the pervasiveness of its effects or possible effects on the financial
statements, affects the type of opinion to be expressed:
Nature of matter giving rise to Auditor’s judgment about the pervasiveness of the effects or
the modification possible effects on the financial statements
Material but not pervasive Material and pervasive
Financial statements are

Qualified opinion Adverse opinion
materially misstated
Inability to obtain sufficient

Qualified opinion Disclaimer of opinion
appropriate audit evidence
The table below summarises the requirements of the ISAs for the type of modified opinion to be
expressed for certain audit areas:
Audit area Description of matter giving rise to modification Type of modified

opinion
Non-compliance Non-compliance has a material effect on the Qualified opinion or
with laws and financial statements and has not been adverse opinion
regulations adequately reflected in the financial statements.
(ISA 250.25)
Auditor is precluded by management or those Qualified opinion or

charged with governance from obtaining disclaimer of opinion
sufficient appropriate audit evidence to evaluate
whether non-compliance that may be material to
the financial statements has, or is likely to have,
occurred. (ISA 250.26)
Unable to determine whether non-compliance Qualified opinion or

has occurred because of limitations imposed by disclaimer of opinion
the circumstances (rather than management or
those charged with governance) (ISA 250.27)
Material financial Unable to obtain sufficient appropriate audit Qualified opinion or

statement evidence as to a material financial statement disclaimer of opinion
assertion assertion (ISA 330.27)
Service Unable to obtain sufficient appropriate audit Qualified opinion or

organisations evidence regarding the services provided by the disclaimer of opinion
service organisation relevant to the user entity’s
financial statements (ISA 402.20)
Physical Attendance at physical inventory counting is Qualified opinion or

inventory impracticable, and the auditor is unable to disclaimer of opinion
counting perform alternative audit procedures to obtain
sufficient appropriate audit evidence (ISA 501.7)
Page | 262
Audit Manual
Version 7 (2022)

opinion
External Unable to obtain sufficient appropriate audit Qualified opinion or
confirmations evidence by performing alternative procedures disclaimer of opinion
when:
a. management refuses to give the auditor

permission to communicate with external
legal counsel; or
b. external legal counsel refuses to respond
to the letter of inquiry, or is prohibited
from responding (ISA 501.11)
Unable to obtain relevant and reliable audit Qualified opinion or

evidence from alternative procedures when disclaimer of opinion
management’s refusal to allow the auditor to
send an external confirmation is unreasonable
(ISA 505.9)
Response to a positive confirmation request that Qualified opinion or

is deemed necessary to obtain sufficient disclaimer of opinion
appropriate audit evidence is not obtained (ISA
505.13)
Initial audits Unable to obtain sufficient appropriate audit Qualified opinion or

evidence regarding opening balances (ISA disclaimer of opinion,
510.10) as appropriate; or
unless prohibited by
law or regulation,
qualified opinion or
disclaimer of opinion
regarding the results
of operations and
cash flows, and
unmodified regarding
financial position
Opening balances contain a misstatement that Qualified opinion or

materially affects the financial statements of the adverse opinion
current period, and the effect of the
misstatement is not properly accounted for or
not adequately presented or disclosed (ISA
510.11)
Current period's accounting policies are not Qualified opinion or

consistently applied in relation to opening adverse opinion
balances in accordance with the financial
reporting framework (ISA 510.12(a))
Page | 263
Audit Manual
Version 7 (2022)

opinion
Change in accounting policies is not Qualified opinion or
appropriately accounted for or not adequately adverse opinion
presented or disclosed in accordance with the
financial reporting framework (ISA 510.12(b))
Predecessor auditor's opinion regarding prior Depends on the

period's financial statements included a circumstances
modification to the auditor's opinion that remains
relevant and material to the current period's
financial statements (ISA 510.13)
Going concern Use of going concern basis of accounting is Adverse opinion

inappropriate (ISA 570.21)
Adequate disclosure of a material uncertainty is Qualified opinion or

not made in the financial statements (ISA adverse opinion
570.23)
Unable to obtain sufficient appropriate audit Qualified opinion or

evidence because management is unwilling to disclaimer of opinion
make or extend its assessment of the entity’s
ability to continue as a going concern when
requested to do so by the auditor (ISA 570.24)
Written The auditor has sufficient doubt about the Disclaimer of opinion
representations integrity of management such that the written
representations are not reliable (ISA 580.20(a))
Management does not provide the written Disclaimer of opinion

representations about management’s
responsibilities (ISA 580.20(b))
Comparative When corresponding figures are presented, Modify auditor’s

information- auditor's report on the prior period, as previously opinion on current
corresponding issued, included a qualified opinion, a disclaimer period
figures of opinion, or an adverse opinion and the matter
that give rise to the modification is unresolved
(ISA 710.11)
When corresponding figures are presented, audit Qualified opinion or

evidence that a material misstatement exists in adverse opinion on
the prior period on which an unmodified opinion current period,
was expressed, and the corresponding figures modified with respect
have not been properly restated or appropriate to corresponding
disclosures have not been made (ISA 710.12) figures
Page | 264
Audit Manual
Version 7 (2022)

The auditor’s report is included in Form 310 Checklist – Audit Completion at Question 32.
Form 305 Reporting checklist is used to ensure that an audit opinion appropriate to the
circumstances has been drafted.
Form 305 should first be optimised by the completion of Form 304 Optimiser – Reporting
checklist.
Page | 265
Audit Manual
Version 7 (2022)
6.1.4 Management-imposed limitation after acceptance or continuance

If the auditor becomes aware that management has imposed a limitation on the scope of the
audit that the auditor considers likely to result in the need to express a qualified opinion or to
disclaim an opinion on the financial statements, the auditor requests that management remove
the limitation. If management refuses to remove the limitation, the auditor determines whether it
is possible to perform alternative procedures to obtain sufficient appropriate audit evidence.
If the auditor is unable to obtain sufficient appropriate audit evidence, the implications may be:
a. if the auditor concludes that the possible effects on the financial statements of
undetected misstatements, if any, could be material but not pervasive, the auditor
qualifies the opinion; or
b. if the auditor concludes that the possible effects on the financial statements of
undetected misstatements, if any, could be both material and pervasive so that a
qualification of the opinion would be inadequate to communicate the gravity of the
situation, the auditor either:
i. withdraws from the audit, where practicable and possible under applicable law
or regulation; or
ii. if withdrawal from the audit before issuing the auditor’s report is not practicable
or possible, disclaims an opinion on the financial statements.
The practicability of withdrawing from the audit may depend on the stage of the completion of
the engagement at the time that management imposes the scope limitation. If the auditor has
substantially completed the audit, they may decide to complete the audit to the extent possible,
disclaim an opinion, and explain the scope limitation in the auditor’s report prior to withdrawing.
In certain circumstances, withdrawal from the audit may not be possible if the auditor is required
by law or regulation to continue the audit engagement. In such cases, the auditor may consider
it necessary to include an “other matter” paragraph in the auditor’s report.
6.1.5 Facts become known after the date of the auditor’s report but before the date the
financial statements are issued
Sometimes there may be a delay between the date that the auditor’s report is signed and the
date the financial statements are issued. The latter is defined in ISA 560.5(e) as the date that
the auditor’s report and audited financial statements are made available to third parties, and
may depend on the regulatory environment of the entity:
• In some jurisdictions, this may be the date the financial statements are filed with a
regulatory authority.
• For public sector entities, it may be the date they are presented to the legislature or
otherwise made public.
However that may be, it must also be at or later than the date the auditor’s report is provided to
the entity.
ISA 560 is clear that the auditor has no obligation to perform audit procedures in respect of the
financial statements after the date of the audit report. However, if the financial statements have
not yet been issued and the auditor becomes aware of a fact that, had it been known at the time
the audit report was signed, may have resulted in an amendment to the report (“the fact”), the
auditor shall:
Page | 266
Audit Manual
Version 7 (2022)
• Discuss the matter with management and, where appropriate, those charged with
governance
• Determine whether the financial statements need amendment; and if so,
• Inquire how management intends to address the matter in the financial statements.
If management does amend the financial statements, the auditor:
1. Performs appropriate audit procedures relevant to the amendment.

2. Unless the circumstances in section 6.1.5.1 below apply:
a. Extends their subsequent events procedures (as set out in ISA 570.6-7) to the
date of the new audit report; and
b. Issues a new auditor’s report on the amended financial statements, dated no
earlier than the date of their approval.
Test 1 of Form 650-S (available on Billy) is completed where facts are discovered after the date
of the audit report but before the financial statements are issued.
6.1.5.1 Amendments not limited to the fact in question

In some cases, law, regulation or the financial reporting framework may not restrict
management to making amendments only relating to the subsequent event in question. In such
a situation, ISA 560 permits the auditor to restrict their further audit procedures solely to the
amendment(s) relating to the fact noted above. In such cases, the auditor either:
• Amends the auditor’s report to include an additional date pertaining to that amendment
that indicates that the auditor’s procedures on subsequent events are restricted solely to
the amendment of the financial statements described in the relevant note; or
• Provides a new or amended auditor’s report that includes either an Emphasis of Matter
paragraph or Other Matter Paragraph, explaining the restriction on the auditor’s
subsequent events procedures.
6.1.5.2 Amendments not made by management but considered necessary by the

auditor
In some jurisdictions, management may not be required by law, regulation or the financial
reporting framework to issue amended financial statements in such circumstances, in which
case there is no need for the auditor to issue an amended or new auditor’s report. However,
should the auditor nevertheless believe that the financial statements do require amendment,
then the auditor shall modify the opinion in accordance with the requirements of ISA 705, if the
report has not yet been provided to the entity. Otherwise, the auditor shall notify management
and those charged with governance not to issue the financial statements to third parties until the
necessary amendments have been made. If the financial statements are issued without such
amendment, the auditor shall take appropriate action to seek to prevent reliance on their report;
this may include seeking legal advice.
6.1.6 Facts become known after the financial statements have been issued
ISA 560 is similarly clear that the auditor has no obligation to perform audit procedures in
respect of the financial statements after the financial statements have been issued. However, if
after that date the auditor becomes aware of a fact that, had it been known at the time the audit
report was signed, may have resulted in an amendment to the report (“the fact”), the auditor:
Page | 267
Audit Manual
Version 7 (2022)
• Discusses the matter with management and, where appropriate, those charged with
governance
• Determines whether the financial statements need amendment; and if so,
• Inquires how management intends to address the matter in the financial statements.
If management does amend the financial statements, the auditor:
1. Performs appropriate audit procedures relevant to the amendment.

2. Reviews the steps taken by management to ensure that anyone in receipt of the
previously issued financial statements and auditor’s report is informed of the situation.
3. Unless the circumstances described in Section 6.1.5.1 apply:
a. Extends their subsequent events procedures (as set out in ISA 570.6-7) to the
date of the new audit report; and
b. Issues a new auditor’s report on the amended financial statements, dated no
earlier than the date of their approval.
Where the circumstances described in Section 6.1.5.1 apply, the auditor follows the procedures
set out in this section of the Audit Manual instead of Step 3 above.
If management does not take the necessary steps to ensure that anyone in receipt of the
previously issued financial statements is informed of the situation and does not amend the
financial statements when the auditor believes that this is necessary, the auditor informs
management and those charged with governance that they will seek to prevent future reliance
on the auditor’s report. This may prompt management to take such action, but if it does not, the
auditor takes appropriate steps to prevent future reliance on the auditor’s report. This may
require the auditor to take legal advice, as the course of action will depend on the auditor’s legal
rights and obligations in their jurisdiction.
Test 2 of Form 650-S (available on Billy) is completed where facts are discovered after the date
of the audit report but before the financial statements are issued.
Page | 268
Audit Manual
Version 7 (2022)
6.2 Key Audit Matters
Contents
6.2.1 Introduction
6.2.2 Requirement to communicate key audit matters in the auditor’s report
6.2.3 Determining key audit matters
6.2.4 Communicating key audit matters
6.2.5 Circumstances when key audit matters should not be communicated in the auditor’s
report
6.2.6 Communication with those charged with governance
Objective The objectives of the auditor are to determine key audit matters
and, having formed an opinion on the financial statements (see
Chapter 6.1 of the Audit Manual), communicate those matters
by describing them in the auditor’s report. (ISA 701.7)
Relevant ISA • ISA 701 Communicating Key Audit Matters in the

Independent Auditor’s Report
Global Focus software Form 305 Reporting Checklist
(NOTE: Auditor selects that the audit report includes key audit
matters when completing Form 304 Optimiser – Reporting
Checklist)
Policy requirements {Member firms may wish to establish consultation processes for
(if any) engagements where key audit matters are included in the
auditor’s report}
Page | 269
Audit Manual
Version 7 (2022)
6.2.1 Introduction
Communicating key audit matters enhances the value of the auditor’s report by providing
greater transparency about the audit that was performed. Key audit matters provide additional
information to users of the financial statements to assist them in understanding those matters
that, in the auditor’s professional judgment, were of most significance in the audit. They may
also assist users in understanding the entity and areas of significant management judgment in
the audited financial statements.
Communicating key audit matters in the auditor’s report is in the context of the auditor having
formed an opinion on the financial statements as a whole. Communicating key audit matters is
not:
a) A substitute for disclosures in the financial statements that the applicable financial
reporting framework requires management to make, or that are otherwise necessary to
achieve fair presentation;
b) A substitute for the auditor expressing a modified opinion when required by the
circumstances of a specific audit engagement in accordance with ISA 705.
c) A substitute for reporting in accordance with ISA 570 when a material uncertainty exists
relating to events or conditions that may cast significant doubt on an entity’s ability to
continue as a going concern; or
d) A separate opinion on individual matters. (ISA 710.4)
6.2.2 Requirement to include key audit matters in the auditor’s report

The requirements in ISA 701 apply:
a) To audits of complete sets of general purpose financial statements of listed entities;

b) To circumstances when the auditor otherwise decides to communicate key audit
matters in the auditor’s report; and
c) When the auditor is required by law or regulation to communicate key audit matters in
the auditor’s report.
ISA 705 prohibits the auditor from communicating key audit matters when the auditor disclaims
an opinion on the financial statements, unless such reporting is required by law or regulation.
6.2.3 Determining key audit matters

ISA 701 defines key audit matters as
“…those matters that, in the auditor’s professional judgment, were of most significance
in the audit of the financial statements of the current period. Key audit matters are
selected from matters communicated to those charged with governance.”
The process for determining key audit matters is:
a) Determine which audit matters are to be communicated to those charged with

governance in accordance with the requirements of ISAs 260 and 265.
b) Determine which of the matters in (a) required significant auditor attention in performing
the audit, taking into account the following:
• Areas of higher risk of material misstatement or significant risks
Page | 270
Audit Manual
Version 7 (2022)
• Significant auditor judgments relating to areas in the financial statements that

involved significant management judgment, including accounting estimates with
high estimation uncertainty
• The effect on the audit of significant events or transactions that occurred during
the period.
c) Determine which of the matters in (b) were of most significance in the audit, and
therefore key audit matters.
ISA 701.A15 notes that consultation by the auditor, e.g. on a significant technical matter, may
be an indicator that it is a key audit matter.
6.2.4 Communicating key audit matters

Each key audit matter is described using an appropriate sub-heading in a separate section of
the auditor’s report under the heading “Key Audit Matters”. ISA 701.11 prescribes the
introductory language that should be used in this section.
The description of each key audit matter includes a reference to any related disclosure(s) in the
financial statements, and addresses:
• Why the matter was considered to be one of most significance in the audit (and
therefore determined to be a key audit matter); and
• How the matter was addressed in the audit.
6.2.5 Circumstances when key audit matters should not be communicated in the
auditor’s report
A matter that gives rise to a modified audit opinion under ISA 705 or a material uncertainty over
going concern under ISA 570 is by nature a key audit matter. However, ISA 705 makes clear
that such matters are not described in the Key Audit Matters section of the audit report. Instead,
the auditor:
a) reports on such matters in accordance with the relevant ISA(s) and

b) includes a reference to the Basis of Opinion and/or the Material Uncertainty Related to
Going Concern section in the Key Audit Matters section.
In extremely rare cases it is possible that a key audit matter may not be communicated
because:
a) Law or regulation precludes public disclosure about the matter; or

b) The auditor determines that the matter should not be communicated in the auditor’s
report because the adverse consequences of doing so would reasonably be expected to
outweigh the public interest benefits of such communication. Note that this does not
apply if the entity has publicly disclosed information about the matter.
ISA 701 notes that the auditor may conclude that there are no key audit matters to
communicate. In such cases the auditor is required to include a statement to this effect in the
Key Audit Matters section of the report. In either case the rationale for the auditor’s judgment is
to be documented in the audit file.
Page | 271
Audit Manual
Version 7 (2022)
6.2.6 Communication with those charged with governance

The auditor is required to communicate to those charged with governance those matters that
the auditor has determined to be key audit matters, or that there are no key audit matters to
communicate in the auditor’s report.

On completing the “Optimiser – Reporting Checklist” the auditor selects that Key Audit Matters
are to be included in the audit report. The reporting checklist (Form 305) includes the required
procedures.
Page | 272
Audit Manual
Version 7 (2022)
Global Office
6th Floor
2 London Wall Place
London, EC2Y 5AU, United Kingdom
Page | 273
globalfocus@bakertilly.global

Audit Manual Version 7

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Audit Manual Version 7

Uploaded by

Copyright:

Available Formats

Global Focus

For internal use within Baker Tilly network

Section 1: Introduction to the Audit Manual

This guidance document summarises the:

• structure of the audit manual

1.2 Content of the audit manual

1.3 Structure of individual sections of the audit manual

Summary table of requirements

Relevant ISA A list of ISAs relevant to the individual chapter. Paragraph

For member firms: Where a member firm establishes its own

Detail of the requirements

The remainder of each section sets out the:

1.4 Changes permitted by member firms

• Be at least as stringent as the requirements of the ISA, and/or

1.5 Mandatory Audit Documentation

1.6 Group Audit Considerations

• Section 2.1 – Preliminary Activities

• Section 4.8 Auditing the consolidation process

* Mandatory only if using Inflo Cascade

** One of these three Forms must be used

Appendix 2: List of Mandatory Documents in Global Focus (NCP profile)

* Mandatory only if using Inflo Cascade

** One of these three Forms must be used

Section 2: Preliminary Activities

Objective The objective of the auditor is to:

• Accept or continue an audit engagement only when the

Relevant ISA • ISA 210 Agreeing the terms of audit engagements

Additional local standards

Global Focus software Form 405 Engagement – Acceptance/Continuance

Performing preliminary engagement activities enables the auditor to identify events or

2.1.2 Client acceptance and continuance

Limitation on scope prior to audit engagement acceptance

Engagement partner responsibilities

2.1.3 Agreement of management

Preparation of the financial statements

2.1.4 Assigning the engagement team

• An auditor’s external expert engaged by the firm or a network firm

Considering appropriate competence and capabilities

• Perform the audit engagement in accordance with professional standards and

• Understanding and practical experience of similar audit engagements and industries

2.1.5 Selecting an engagement profile in Global Focus

Medium-Large Entities (“MLP”)

The MLP is the default audit profile in Global Focus.

Public Interest Entities (“PIE”)

Non-Complex Profile (“NCP”)

Differences between the MLP profile and the NCP profile

443 Understanding and evaluation of a service organisation

2.1.6 When is it appropriate to use the Non-Complex Profile (NCP)?

i. Factors presumed to indicate non-complexity, and

Factors presumed to indicate non-complexity

When deciding whether an entity is “non-complex” auditors may consider qualitative

a) Concentration of ownership and management in a small number of individuals (often a

Factors presumed to indicate complexity

• Public Interest Entity (“PIE”) or Listed Entity

2.1.7 Use of OneForm in Non-Complex Profile (NCP)

2.1.8 Group Audit Considerations

Client acceptance and continuance

Documenting group audit considerations

Section 3: Risk Assessment and Planning

3.1 Risk assessment and planning procedures

The objective of the auditor is to identify and assess the risks of

Relevant ISA • ISA 240 The auditor’s responsibilities relating to fraud in