CPA 17 - Auditing & Other Assurance Services

Solution 1

(a) As the Audit Manager for EBL;

(i) Advise the audit team on fundamental steps required to develop audit
objectives for the audit of financial statements of EBL.
The audit team from VXL must understand the objectives and responsibilities for
the audit of financial statements of EBL.
The objective of the financial audit of EBL is issuing an opinion on financial
statements for the year ended 30th June 2021 as to whether they have been
presented fairly, in all material respects, in accordance with the International
Financial Reporting Standards (IFRS). VXL Certified Public Accountants are
required to accumulate sufficient appropriate evidence in order to reach a
conclusion about whether all the financial statements of EBL up to 30th June
2021 are fairly stated, and after issue an appropriate audit opinion. The audit
opinion of VXL enhances the degree of confidence that intended users including
the board, management and staff of EBL can place on the audited financial
statements up to 30th June 2021.
Divide financial statements of EBL for the periods up to 30th June 2021 into
cycles (cycle approach).
The common way for VXL is to divide the financial audit of EBL into closely
related types/ classes of transactions and account balances in the same
segment. The logic of this approach ties to the way transactions of EBL are
recorded in journals and summarised in the general ledger and financial
statements of the company. XVL conduct audits of financial statements of EBL
using the cycle approach by performing audit tests of the transactions making up
ending balances and also performing audit tests of account balances and related
disclosures.
Know management assertions about the financial statements of EBL for the
periods up to 30th June 2021.
Management assertions of EBL are implied or expressed representations by
management about classes of transactions and related accounts and disclosures
in the draft financial statements for all the periods up to 30th June 2021. These
assertions apply to classes of transactions, account balances, and presentation
and disclosures. Management assertions of EBL are directly related to the IFRS
financial reporting framework, as they are part of the criteria used to record and
disclose accounting information in the financial statements for the periods up to
30th June 2021. VXL must therefore understand the assertions in order to
conduct an adequate audit.

Page 1 of 25
Know general audit objectives for classes of transactions, accounts and
disclosures.
The general audit objectives of the financial statements of EBL for the periods up
to 30th June 2021 in this case will be transaction related, balance related, and
presentation and disclosure related. These are broad in nature.
Know specific audit objectives for classes of transactions, accounts and
disclosures
Like the general audit objectives, the specific audit objectives of the financial
statements of EBL for the periods up to 30th June 2021 in this case will be
transaction related, balance related, and presentation and disclosure related.
These are very specific in nature.
(ii) Document your assessment of inherent risk for the audit of EBL for the
periods up to 30th June 2021.
Nature of EBL’s business e.g., expiry of products or obsolescence.
Inherent risk varies from business to business for accounts such as inventory,
accounts receivable, investments, property, plant and equipment. EBL may face
a greater likelihood of obsolete inventory because it deals with sanitizer which
has a specific shelf life and therefore expires. Wines, spirits and alcohol
beverages have a longer shelf life than sanitizers.
Results of previous period audits of EBL, regarding misstatements.
Misstatements found in the previous year’s audit of EBL have a high likelihood of
occurring again in the current year’s audit. This is because many types of
misstatements identified in EBL are systemic in nature, and the business is often
slow in making the necessary changes to eliminate them. Therefore, an audit
team of VXL will be negligent if the results of the preceding year’s audit are
ignored during the development of the subsequent year’s audit programs.
Initial (less knowledge) versus repeat engagements with EBL.
VXL Certified Public Accountants will gain experience and knowledge about the
likelihood of misstatements in EBL after auditing for several years. The lack of
previous year’s audit results causes VXL to assess a higher inherent risk for initial
audits than for repeat engagements in which no material misstatements were
previously found. VXL will set a high inherent risk in the first year of an audit and
reduce it in subsequent years as they gain more knowledge about EBL.
Related parties & compliance with arms’ length principle.
Transactions between the EBL main plant located in Kampala and the 3
autonomous branches located in Gulu, Mbarara and Jinja, and those between the
founders (Mr. Kitti and Kazitto), management and the corporate entity, are
examples of related party transactions as defined by IFRS. Since these
transactions did not occur between two independent parties dealing at arm’s
length, a greater likelihood exists that they might be misstated or inadequately
disclosed in the financial statements, causing an increased inherent risk.

Page 2 of 25
Complex or non-routine transactions.
Transactions that are unusual for EBL, or involve lengthy or complex contracts,
are more likely to be incorrectly recorded than routine transactions because EBL
often lack experience in recording them e.g., major property acquisitions,
purchase of complex investments and restructuring charges from discontinued
operations. By gaining knowledge of EBL’s business and reviewing minutes of
management meetings, VXL can assess the consequences of complex or non-
routine transactions made by EBL.
Judgement & estimations required to correctly record account balances and
transactions.
A number of account balances such as investments recorded at fair value,
allowances for uncollectible accounts receivables, obsolete inventory, asset
impairment, major repairs versus partial replacements of assets, and bank loan
loss reserves require estimates and a great deal of management judgement
related to valuation. Since they require considerable judgement, the likelihood of
misstatements increases, and as a result VXL should increase inherent risk.
Make-up of the population especially overdue balances & large volumes.
Often, individual items making up the total population also affect VXL’s
expectation of material misstatements. VXL will use a higher inherent risk for
valuation of accounts receivable where most accounts of EBL are significantly
over-due than where most accounts are current. Such situations require more
investigations because of the greater likelihood of misstatement than occurs with
more typical transactions.
Matters of fraudulent financial reporting due to lack of integrity.
Management of EBL may lack integrity and be motivated to misstate financial
statements which increases inherent risk. VXL will be required to investigate
more because of the greater likelihood of fraudulent financial reporting resulting
from misstatements. VXL will perform additional procedures to assess fraud risk
beyond assessing the risk of misstatements in relevant audit objectives to
respond to those risks.
Matters of misappropriation of assets.
Management of EBL may lack integrity and is motivated to misappropriate assets
increasing inherent risk. VXL will be required to investigate more because of the
greater likelihood of fraudulent financial reporting resulting from the
misappropriation of assets. VXL will perform additional procedures on assets to
assess fraud risk beyond assessing the risk of misappropriation of assets in
relevant audit objectives to respond to those risks.
Weak internal controls.
A number of issues identified at EBL (e.g., missing documented TORs, absence
of board of directors, incompetent or inadequate accountants, etc.) justify the
ineffectiveness of internal controls. Thus, evidence of inherent risk associated
with high levels of weak internal controls.

Page 3 of 25
(b) Discuss with the VXL audit team;
(i) The possible features which would lead you to investigate a particular
transaction in EBL to determine whether it is a related party transaction.
Unusual terms of trade. EBL transactions between the 4 branches (located in
Kampala, Gulu, Mbarara and Jinja) and the main factory which have unusual
terms of trade, such as unusual prices like discounted prices, and repayment
terms or credit terms extended to the branches.
Lack of logical business sense. EBL transactions between the 4 branches of
EBL that may appear to lack a logical business reason for their occurrence.
Complex transactions. EBL transactions between the 4 branches of EBL
that are overly complex and not easily understood.
Newly identified related parties or transactions. EBL transactions between the
4 branches of EBL which may involve previously unidentified related parties.
Unclearly processed transactions. EBL transactions between the 4 branches
of EBL that are processed in an unusual manner.
(ii) The audit procedures to perform by VXL certified public accountants to
ensure that material related party transactions of EBL have been
identified.
Obtain a list of current known related parties of EBL for the periods
ending 30th June 2021, such as, all the EBL branches.
Ensure that the permanent file for EBL is updated for the identified related
parties.
Being the first financial audit of EBL, perform company search on EBL;
otherwise review statutory records to confirm directorships, other
directorships and significant investors.
Discuss the list of related parties obtained from EBL as disclosed by the
directors as to its accuracy and completeness.
Enquire of the EBL directors as to whether there have been any material
transactions with the related party, such as loans, purchase of inventory etc.
List and review all EBL transactions disclosed by the directors.
Review the accounting records of EBL before and after the periods ended
for any large or round sum amounts; investigate and analyse with reasons.
Analyse all loans receivable or payable for EBL, and seek confirmation of
identity of lender or borrower for accuracy and existence.
Review board minutes and enquire as to whether EBL has provided any
guarantees.

Page 4 of 25
 Analyse the details of guarantees given by EBL and review the terms.
Include confirmation of all EBL related party transactions or lack of them
within the letter of representation.
Check the adequacy & accuracy of disclosure and compliance within the
context of IAS 24 in the financial statements of EBL.
(c) Describe to the VXL audit team:
(i) The business risks arising from the outsourcing of EBL’s payroll function,
and the implications for the financial statements of EBL for the periods
ending 30th June 2021.
Loss, theft or misuse of personal data obtained by the individual employees
of EBL or VXL, for the period under review.
Reputational damage for EBL resulting from non-compliance especially with
deduction and remittance of statutory obligations.
Fines for late submissions and non-submission of returns to the statutory
authorities such as URA and NSSF.
Sanctions from the government - imposed on EBL for breach of data
protection that may be considered by government of Uganda using the
laws of Uganda.
Continued incompetence of staff & management, arising from failure to internally
manage payroll function i.e. lack of opportunity for practical capacity building of
staff
Low employee motivation & likelihood of loss of key staff, in case the staff
perceive/attribute outsourcing of payroll function to be due to of lack of trust
amongst the staff by management
(ii) The key controls for the payroll and personnel cycle suitable for assessing
control risk at EBL as at 30th May 2021
Adequate separation of duties within EBL
EBL should have an in-house human resource department with clear segregation
of duties. Separation of duties at EBL is important in the payroll and personnel
cycle, especially to prevent overpayments and payments to nonexistent
employees. The payroll function at EBL should be kept independent of the
human resource function, which controls key payroll activities, such as adding
and deleting employees. Payroll processing at EBL should also be separate from
the issuance of payroll disbursements.

Proper authorisation
The human resource function of EBL should be the only authorised unit to add
and delete employees from the payroll or change pay rates and deductions. The

Page 5 of 25
number of hours worked by each employee of EBL, especially overtime, should
be authorised by the designated employee’s supervisor. Approval may be noted
on all-time records or done on an exception basis only for overtime hours.

Adequate documents and records

EBL should have appropriate documents and records depending on the nature of
the payroll system adopted. Time records are necessary for hourly employees
but not for salaried employees. For EBL employees compensated based on piece
rate or other incentives systems, different HR records are required. For EBL, time
records must be adequate to accumulate payroll costs by job or assignment. Pre-
numbered documents for recording time are less of a concern for payroll
because the completeness objective is not a concern.

Physical control over assets and records

Access to unsigned payroll cheques should be restricted at EBL. Cheques should
be signed by a designated employee, and payroll should be distributed by
someone independent of the payroll and timekeeping functions. Any unclaimed
cheques should be returned for re-deposit. If the cheques are signed off by a
machine, access to the machine should be restricted. Similarly, when payments
occur through direct deposits, access to systems used to authorise payments
should be restricted.

Independent checks on performance

Payroll computations for EBL should be independently verified, including
comparison of batch totals to summary reports. A designated member of EBL
management or other responsible employee should review the payroll output for
any obvious misstatements or unusual amounts. When manufacturing labour
affects inventory valuation or when it is necessary to accumulate costs by job,
adequate controls are necessary to verify the proper assignment of costs.

Application controls and IT General Controls (ITGCs)

Availability of automated systems to process payroll costs & related balances
(e.g. Net Pay, PAYE, etc). Systems create application controls and information
technology general controls (ITGCs), which help to minimise human errors
associated to manual processes.

Page 6 of 25
(d) As the audit manager, guide the audit team on:

(i) The specific conditions required to exist for the audit team to issue the standard
unqualified audit reports.

If all statements of EBL (Statement of Financial Position, Statement of profit or

loss and other comprehensive income, Statement of changes in owners’
equity/reserves, Statement of cash flows and Notes to the financial statements)
are included in the set of EBL financial statements presented for the audit to
VXL.

When sufficient appropriate audit evidence, including explanations and

information, has been accumulated, and VXL has conducted the engagement in a
manner that enables the audit team to conclude that the audit was performed in
accordance with international standards on auditing.

If the financial statements of EBL are presented with adequate disclosures, in

accordance with International Financial Reporting Standards or other appropriate
financial reporting framework. This also means that adequate disclosures have
been included in the foot notes and other parts of the financial statements for
EBL.

When there are no circumstances requiring the addition of an explanatory

paragraph or modification of the wording of the audit report.

If all the financial statements agree with the records of the entity, & the records
include all the transactions for the accounting period.

(ii) The circumstances that must exist for the auditor to issue an unqualified audit
report with emphasis of matter explanatory paragraph or modified wording.

Lack of consistent application of generally accepted accounting principles

(GAAPs).
VXL Certified Public Accountants are required by the auditing standards to call
their attention to circumstances in which accounting principles have not been
consistently observed in the current period in relation to the preceding period.
Changes in accounting principles or their method of application, nature and
impact of the change must be adequately disclosed. Where material changes
occur, VXL should modify the report by adding an emphasis of matter paragraph
after the opinion paragraph that discusses the nature of the change. Examples of
changes that affect consistency and therefore require an explanatory paragraph
include: changes in accounting principles such as from FIFO to LIFO inventory
valuation; changes in reporting entities such as inclusion of an additional branch
in financial statements; correction of errors involving accounting principles

Page 7 of 25
Substantial doubt (material uncertainty) about going concern of EBL but if
adequate disclosures have been made in the report.
The auditing standards require VXL to include among his responsibilities to
evaluate whether EBL is likely to continue as a going concern. For example,
existence of the following factors causes uncertainty about the ability of EBL to
continue as a going concern: Significant recurring operating losses or working
capital deficiencies; Inability of EBL to pay its obligations as they fall due; Loss of
major customers, the occurrence of uninsured catastrophe e.g. floods,
earthquakes etc. The concern of VXL is the possibility of EBL to be able to
continue in operation or meet obligations for a reasonable period, usually not
exceeding one (1) year from the date of the audit. When VXL concludes that
there is substantial doubt of VXL to continue as a going concern, an unqualified
opinion with an emphasis of matter is required.

VXL agrees with the departure from promulgated accounting principles.

There situations of departure from accounting principles that may not require a
qualified or adverse opinion. However, to justify an unqualified opinion, VXL
must be satisfied and must state with explanations, in a separate paragraph of
the audit report that adhering to the principle would produce a misleading result
in that situation.

Emphasis of other matters, without material impact on the financials.

Under certain circumstances, VXL may want to emphasize specific matters
regarding the financial statements of EBL, even though he intends to express an
unqualified opinion. Normally, the explanatory information is included in a
separate paragraph of the report and may include the following: The existence of
material related party transactions; important events occurring subsequent to the
date of Statement of Financial Position; description of accounting matters
affecting comparability of the financials with those of the preceding year; and
material uncertainties are disclosed in the notes.

Reports involving technical audit experts.

VXL may rely on a technical audit expert to perform part of the audit when EBL
has specialized business operations. When VXL relies on a technical audit expert
to perform part of the audit, the firm can make no reference in the audit report,
or make reference in the audit report, or qualify the opinion depending on the
level of responsibility the firm is willing or not willing to assume relating to the
work of the technical audit expert. In addition, the auditor may include an
emphasis of matter paragraph if the reviewed expert’s results/workings expert
are questionable but without a material impact on the financial statements

Significant uncertainty other than going concern.

Page 8 of 25
 Need for emphasis of matter paragraph when there is a significant uncertainty
(other than a going concern), the resolution of which is dependent upon future
events & which may affect the financial statements.

Uncorrected material inconsistency in other information.

Need for emphasis of matter paragraph when there’s material inconsistency in
other information within the documents containing financial statements (e.g.
directors’ statement in the annual report), and if directors/management refuses
to make appropriate amendments in the misrepresented other information.

Solution 2

(a) Using the scenario;

(i) Distinguish between professional ethics and ethical dilemma.

Ethics refers to the set of moral principles or values which may include laws and
regulations, codes of ethics for professional groups like CPAs e.g. conflict of
interest, whereas
Ethical dilemmas refer to a situation a CPA faces in which a decision must be
made about the appropriate behaviour whether to accept being both an internal
auditor manager & external auditor manager of the same client or not.

(ii) Describe the six steps approach to be adopted by the audit manager of
MMK in resolving the ethical dilemma.

Obtain the relevant facts.

The audit manager of MMK consultants is required to critically focus on the
engagement for Zoch Limited and obtain all the relevant facts about the ethical
dilemma at hand. The fact is that MMK consultants are both external and internal
auditors for Zoch Limited and there are no firm policy guidelines on potential
conflict of interest.

Identify the ethical issues or threats from the facts.

MMK Consultants will then be required to carefully identify the ethical issues from
the facts obtained from the engagement. The major ethical issue from the facts
is that there is conflict of interest among the selected audit team members to
handle the internal audit engagement.

Determine the people affected by the outcome of the dilemma and how each
person or group is affected. The audit manager appointed to be in charge of the
internal audit engagements of Zoch Limited is also a key member of the external
audit team of the same client. This will definitely result into a self-review threat
in executing Zoch audits.

Page 9 of 25
 Determine the significance of ethical threat/issues (impact) i.e. rate or rank the
ethical issues/threats in order to appreciate the necessary safeguards to be
adopted to address the identified ethical issue/threat e.g. rank by low, medium
or high, significant or insignificant, etc. In this case, the ethical issue (conflict of
interest) or threat to objectivity or self-review is significant or high risk.

Identify the alternatives available to the person who must resolve the dilemma.
The audit manager can either decline the appointment as the audit manager for
the internal audit assignments of Zoch Limited or resign from the external audit
team of Zoch limited. This action should clearly disclose the reasons as conflict of
interest.

Identify the likely consequence of each alternative.

Declining the appointment of audit manager of the internal audit team means
that MMK Consultants will then identify another person without potential conflict
of interest. Resigning from the external audit team, the audit manager will be
replaced by a new team member identified by MMK Consultants to be free from
conflict of interest.

Decide the appropriate action.

The audit manager should reject the new appointment as the internal audit
manager of Zoch Limited

(b) As the audit manager for the engagement, Describe;

(i) The likely causes of audit failure that may be faced by MMK Consultants
for the audit of Zoch Limited.

The failure of the audit team to assess audit risk properly. This is where
MMK fails to properly identify the audit risks for the audit of Zoch Limited.
This is likely to be caused by failure by the audit team to fully understand the
business and control environment of Zoch Limited.

The failure to respond appropriately to audit risk: MMK obtains details of

audit risks at the planning stage for the audit of Zoch Limited but fails to
devise mechanisms of dealing with the identified audit risk.

The failure to recognise and respond to situations where the auditor's

objectivity is threatened. MMK provides both external and internal audit
services to Zoch Limited which is likely to cause a conflict of interest and lack
of independence.

The failure to recognise and respond to situations beyond the auditor's

Page 10 of 25
area of competence. The audit team from MMK consultants may not have
the right knowledge, experience and competencies to properly execute
the audit in Zoch Limited.

The failure to have adequate and appropriate staff to assign separate team
members on internal & external audit engagements. The firm may have
inadequate staff to fulfil the need to separate team members of the internal
audit engagement and external audit engagement especially with increase in
clientele from 51 to 112 clients.

Inadequate time to conduct the audit engagements for Zoch alongside other
increased clientele. Lack of adequate time might result into poor quality of work-
done by the staff of MMK.

High staff turnover - especially engagement team members leaving in the middle
of the audit assignment before it's done. Exit of staff disrupts continuity of audit
engagements.

No policies & weak internal controls - lack of policies for auditor's guidance in
audit execution and having weak internal controls increases the risk of the
auditor failure to identify existing risks i.e. makes the audit failure inherent due
to high possibility of failure to identify potential risks.

(ii) Identify circumstances where management threat would be unacceptably

high for MMK Consultants while conducting internal audits at Zoch
Limited.

If the scope and nature of internal audit services provided to Zoch Limited
by MMK Consultants is not defined. The management threat can be
unacceptably high for MMK Consultants where the scope and nature of
internal audit services is not specified. Where MMK is involved in making
decisions for the management team of Zoch Limited then the
management threat will be unacceptably high. MMK is only responsible to
the extent of making recommendations but not getting involved in
decision making of management at Zoch Limited.

If there’s high level of involvement in designing or making changes to

internal controls of Zoch Limited by MMK Consultants. The management
threat will be unacceptably high where MMK consultants is involved in
designing or making changes to internal controls of Zoch limited. MMK is
only supposed to be involved in reviewing the adequacy and effectiveness
of internal controls of Zoch Limited as an internal audit function.

Taking responsibility for risk management at Zoch Limited. The

Page 11 of 25
 management threat is unacceptably high where MMK Consultants is
involved in taking responsibility for risk management at Zoch Limited.
MMK is only supposed to be involved in reviewing the risk management
at Zoch Limited as an internal audit function.

If not involved in evaluating cost effectiveness of activities, systems and

controls of Zoch Limited. The management threat is unacceptably high where
MMK Consultants is not involved in evaluating the cost effectiveness of
activities, systems and controls. MMK as a provider of internal audit services
is required to evaluate the cost effectiveness of activities, systems and
controls at Zoch Limited.

If involved in pre-implementation of work on non-financial systems at Zoch

Limited. The management threat is unacceptably high where MMK
Consultants is involved in pre-implementation work on non-financial systems.
MMK as a provider of internal audit services is not required to get involved in
pre-implementation work on non-financial systems of Zoch Limited. This is a
management activity performed by Zoch limited and MMK is only required to
review the adequacy and effectiveness of the systems.

(c) Advise MMK Consultants on compliance to general guidance and requirements to

Ethical Standards while performing internal audit services at Zoch Limited.

MMK Consultants is required by the general guidance and requirements

to ethical standards to continuously monitor compliance of the firm and
individuals to maintain the highest level of ethical standards.

MMK is required to have adequate and effective systems to ensure that

actual or possible breaches of ethical standards are promptly communicated
to the engagement partner.

MMK is required to always evaluate the implications of identified possible

or potential breaches. This is aimed at timely action towards addressing
the identified breaches at the firm.

MMK is required to report specific circumstances of breach as required by

Ethical Standards. This implies that certain circumstances are required to be
brought to the attention of professional bodies such as ICPAU.

The general guidance and requirements to ethical standards prohibit MMK

from getting involved in management decision taking on behalf of the
audited entity, in this case Zoch Limited.

MMK is required to establish an enforcement mechanism, to ensure that

Page 12 of 25
 compliance actually happens within the firm, through disciplinary
procedures and other systems.

MMK is required to empower all the staff of the firm at the various levels
to communicate about ethical issues. The communicating mechanism
should be handled with integrity and transparency.

MMK is required to conduct regular training and enforcing continuous

professional development programs (CPDs) amongst staff, aimed at
ensuring high levels of competence & updates on recent changes in the
internal audit environment.

Solution 3

(a) Recommend the internal control activities necessary to address risk of

misstatements during the process of financial reporting.

Adequate separation of duties at CTL

CTL must have adequate separation of duties to prevent both fraud and errors.
Separation of duties at CTL can take the following forms: separation of the
custody of assets from accounting; separation of authorisation of transactions
from the custody of related assets; separation of operational responsibility from
record keeping responsibility and separation of IT duties from different user
departments. The measure of separation of duties at CTL reduces the likelihood
of embezzlement of company assets.

Proper authorisation of transactions and activities of CTL

Every transaction at CTL must be properly authorised if controls are to be
satisfactory. Authorisation can be either general or specific. Under general
authorisation, CTL management establishes policies and employees are
instructed to implement these general authorisations by approving all
transactions within the limits set by the CTL policy. Specific authorisation applies
to individual transactions. For certain transactions, management of CTL should
prefer to authorise each transaction.

Adequate documents and records at CTL

Documents and records prepared by CTL are the basis upon which transactions
are entered and summarised e.g. sales invoices, purchase orders, journals in the
accounting system. Many of these documents and records for CTL are
maintained in electronic rather than paper formats. Adequate documents are
essential for correct recording of transactions and control of assets for CTL.

Physical control over assets and records of CTL.

Page 13 of 25
 To maintain adequate internal control, assets and records of CTL must be
protected. If CTL assets are unprotected, they can be stolen by employees. If
CTL records are not adequately protected, they can be stolen, damaged, altered
or lost by employees. This can seriously disrupt the accounting process and
business operations of CTL. For highly computerised companies, equipment,
programs and data files must be protected.

Independent checks on performance at CTL (internal verification)

The need for independent checks at CTL arises because internal controls tend to
change over time, unless there is frequent review. Employees at CTL are likely to
forget or intentionally fail to follow procedures, or they may become careless
unless there is designated officer employed to observe and evaluate their
performance. Regardless of the quality of controls at CTL, employees can make
errors or commit fraud. Employees responsible for performing internal
verification procedures must be independent of those originally responsible for
preparing the data or information for CTL.

Automating most of the CTL’s operations (application/system controls)

There is need to introduce application or system controls and information
technological general controls (ITGCs) through the embracing of automation of
the company’s most operations like customer enrollment, loan processing, cash
withdraws, etc

(b) Describe the possible limitations of Internal Controls that have been
recommended to CTL in (a) above.
Limitations of internal control will always exist no matter what industry the
company is in or how strong the control procedures in place are. Hence, it is
important to understand those limitations of internal control.

Reasonable assurance for CTL.

Internal control at CTL can only provide reasonable assurance, not absolute
assurance. The internal controls cannot ensure 100% that error or fraud will
never occur at CTL.

Override control
Internal controls at CTL will not work if it is overridden by management or
employees with high authority. It may be possible that management can override
the controls with their authority, e.g. if the CEO tells low-level employees of CTL
to do something, they usually will do so, even if it will not comply with control
policies of CTL.

Page 14 of 25
 Collusion
Internal control will not work at CTL if the employees or management collude to
by-pass the control in place. This limitation of control is the type that overtakes
the segregation of duties control procedures. For example, segregation of duties
at CTL can be extremely effective in an internal control system. However, if
employees who are supposed to act independently collude amongst themselves,
the internal control of segregation of duties here will not work anymore.

Deliberate circumvention
Although the internal controls at CTL are implemented to prevent or detect
errors, deliberate circumvention by employees in the system can still occur

Events outside expectation

Controls for CTL are usually designed to cope with routine activities. The
established controls at CTL might not work against any irregular event outside
the expectation. This limitation of control usually happens for the new
implementation of control procedures and requires a regular monitoring process
by management of CTL.

Cost-benefit consideration
Controls that cost more than the benefit they are expected to give are not worth
having. Usually, CTL may decide that certain controls are too costly to
implement, considering the risk that can occur due to the lack of such controls.
However, strong internal controls for CTL are still essential despite having those
existences of internal control limitations. This is due to internal controls bringing
many benefits to the business operations of CTL. In this case, good internal
controls can help CTL achieve efficient and effective business operations.

(c) Advise the audit engagement team from INT on the common methods used to
appraise internal control implementation in CTL.

Follow-ups & status updates on prior year’s findings & recommendations.

Internal control implementation can be appraised through follow-up on the
status and implementation of prior year findings and recommendations, to
confirm if management has fixed the earlier identified weakness based on earlier
recommendations given by the internal auditor or external auditors.

Inquiries or interviews - make inquiries of CTL employees & management

INT should ask management, supervisors and staff of CTL to explain their
respective duties. Careful questioning of appropriate personnel at CTL helps INT
to evaluate whether employees understand their duties and do what is described
in CTL’s control documentation.

Page 15 of 25
 Inspection of documents - examine relevant documents and records of CTL
The five components of internal control all involve the creation of many
documents and records for CTL. By examining completed documents, records,
and computer files, INT can evaluate whether information described in flow
charts and narratives has been implemented at CTL.

Observation especially for physical controls - observe activities & operations of

CTL
When INT observe CTL personnel carrying out their normal accounting and
control activities, including their preparation of documents and records, it further
improves their understanding and knowledge that controls at CTL have been
properly implemented.

Walkthroughs over controls of various processes/cycles and of the accounting

system for CTL
In a walkthrough, INT selects one or a few documents of a transaction type and
traces them from initiation through the entire accounting process of CTL. At each
stage of processing, INT makes inquiries, observe activities, and examine
completed documents and records. Walkthroughs conveniently combine
observation, inspection and inquiry to assure that the controls designed by
management of CTL have been implemented.

Analytical procedures
Perform applicable analytical procedures to identify or assess the plausible
correlation and relationship between the CTL’s financial records and the policy
requirements especially expected roles & responsibilities of each staff. This can
be improved by use of digital tools to identify exceptions in the design &
implementation of application controls.

(d) Advise INT on the suitable approach that could be employed to identify control
deficiencies and material control weaknesses at CTL.

Existence of adequate controls? Identify existing controls within CTL

INT must understand and identify controls that exist in CTL. Control deficiencies
and material control weaknesses are a result of absence of adequate controls in
CTL.

Absence of controls? Identify the absence of key controls within CTL

Questionnaires, charts and walkthroughs for internal controls are used by INT to
identify and understand where CTL controls are lacking and the likelihood of
misstatements is therefore increased. It’s also useful to examine the control risk
matrix to look for objectives where there are no or only a few controls to prevent
or detect misstatements at CTL.

Page 16 of 25
 Existence of compensating controls? - consider possibility of compensating
controls at CTL.
Compensating controls are controls that are elsewhere in the system that exist to
offset the absence of a key control in CTL. When compensating controls exist
within CTL, there is no longer a significant deficiency or material weakness.

Rank/rate the significance of identified weaknesses - decide whether there is a

significant control deficiency or material control weakness at CTL.
The likelihood of misstatements and their materiality are used to evaluate if
there are significant control deficiencies or material control weaknesses within
CTL.

Assess likely impact of identified weaknesses - determine potential

misstatements at CTL that could result.
Here INT will identify specific misstatements that are likely to occur because of
the significant control deficiency or material control weakness in CTL. The
importance of a significant control deficiency or material control weakness is
directly related to the likelihood and materiality of potential misstatements for
CTL.

Apply analytics – perform analytical reviews especially data analysis.

Perform analytical reviews to identify the possibility of unrelated activities or
control weaknesses and the level of non-compliance with the entity's policies.

(e) Discuss the criteria that the engagement partner of INT needs to adopt to
allocate appropriate staff to the engagement team for the audit of internal
control over reporting.
The engagement partner must consider the staff’s understanding of and
practical experience with similar engagements like that of CTL to be
allocated to the audit team for the assignment.

The engagement partner must consider the auditors understanding of

relevant professional and legal requirements in relation to CTL. Only
auditors with a good understanding of the relevant professional and legal
requirements should be allocated to the audit team.

The engagement partner must only consider auditors with the

appropriate technical knowledge to be allocated on the audit team.
Auditors are not expected to take on assignments where they do not
have the required technical knowledge of the client and assignment in
general.

The engagement partner must consider auditors with good knowledge of

the industry relevant to the business operations of CTL. Where the auditors

Page 17 of 25
 have limited or no knowledge of the industry, the partner should identify an
experienced auditor to supervise them or provide leadership as the audit is
performed.

The engagement partner should only consider allocating to the audit

team those individual auditors who have demonstrated a strong ability to
apply professional judgement.

The engagement partner of INT should only consider allocating to the

audit team those individuals or group of auditors with a good
understanding of the firm's quality control procedures and policies. This
will ensure that the engagement is performed in accordance with the set
standards and other professional requirements.

Solution 4

(a) Advise the directors of MAC School on how to discharge their responsibility of
preventing and detecting fraud and errors.

Compliance with laws & regulations. The directors are expected to ensure that
the management and the employees of MAC School are fully complying with the
Laws of Uganda specifically the Anti-Corruption Act. Noncompliance to the laws
of Uganda should be reported to the relevant government bodies such as the
police for further management.

Code of ethics. The directors of MAC School are expected to develop a code of
conduct, monitoring compliance to the code and taking action against breaches.
The code should be applied consistently and the breaches dealt with precisely to
create a fraud free culture within MAC school.

Exemplary & ethical commitment. The directors of MAC School should

demonstrate and emphasize to management and employees a strong
commitment to fraud prevention. This involves establishing a culture of honesty
and ethical behaviour within MAC School with clearly communicated policies on
the corporate attitude to fraud and fraudsters.

Establishing control env't. The directors must commit to establishing a very

strong control environment, continuously monitoring its effectiveness and taking
timely corrective action. This will embed a strong control culture within MAC
school.

Internal audit function. The directors should consider establishing an internal

audit function at MAC school. This function will be in position to evaluate the

Page 18 of 25
 adequacy and effectiveness of governance, risk management and controls within
MAC School.

Compliance function. The directors should also consider establishing a

compliance function that will be a separate department of MAC School
specifically charged with ensuring compliance with laws and regulations of all
sorts that affect business conduct and behaviour of employees.

Board Audit Commitment. The directors should consider establishing an audit

committee of the board at MAC school. The audit committee will follow up
management of MAC school on the status of implementation of audit
recommendations and hold management accountable for financial and
operational results.

(b) Design the audit tests to be performed to detect and establish the extent of
fraud.

Tests of controls (TOCs) - perform tests of controls to identify weaknesses which

allowed a fraud.

Analytical reviews - perform analytics to identify plausible relationships as

indicators of fraud

CAATs - using computer aided audit techniques (CAATs) or computer programs

or digital tools, to identify any exceptions relating alterations in the system

Interviews - perform one-on-one interviews/discussions with the suspected

perpetrators of fraud and/ or those involved in the suspected fraud

Inspection of documents - obtain and review relevant support documents for the
transactions/items relating to the fraud

Tests of details e.g. review of unusual transactions or key items selected from
the population of transactions relating to the affected financial statement areas

Page 19 of 25
(c) Discuss the likely limitations on audit procedures designed to enable KAU detect
fraud in MAC School

Specific objective. The primary objective of KAU is to form an opinion on the

financial statements of MAC school and not detect fraud.

Sampling. Auditing is based on testing samples of transactions and evaluating

controls. Inherent in this approach is the possibility that not all errors or
misstatements, whether due to fraud or not, will be detected even if the audit is
properly planned and executed.

Override of controls. Management of MAC School, particularly senior

management, have the capacity to hide fraud from KAU and deliberately
manipulate the accounting records which may affect the ability of KAU to detect
the fraud.

Judgement. Where the misrepresentation at MAC School involves the exercise of

judgement, e.g. accounting estimates, it is difficult to decide whether these were
caused by fraud or error.

Sophisticated schemes esp cash based revenue & printed receipt book. Fraud at
MAC School may involve sophisticated and carefully organized schemes designed
to conceal it including collusion, forgery or deliberate non-recording of
transactions or intentional misrepresentation made to KAU.

Incompatible audit procedures e.g. inapplicability of computer aided audit

techniques (CAATs) to a highly manual dependent processes. Thus, limitation on
the auditor who’s unable to apply computer programs to analyse high volume of
data for purposes of detecting fraud.

Absence of policies and procedures to guide the auditors. Such pre-established

internal policies & procedures are vital in tracking responsibilities and expected
controls to be implemented to prevent fraud.

Page 20 of 25
(d) Recommend actions to be taken by KAU on discovery of potential errors or fraud
at MAC school

Consider materiality. If the matter is not material in the context of the accounts
of MAC School, KAU need not take further action in connection with their audit
report but must inform management of MAC School, unless the management are
involved themselves.

If the matter identified is material, KAU will perform appropriate additional tests
to discover the possible scale and extent of fraud at MAC School.

If it appears that irregularities or errors have occurred at MAC school, and may
be material, then KAU will consider the effects on the financial statements of
MAC School and ensure that these have been prepared with such adjustments
and amendments (and disclosures) as may be required.

If further investigations are required by KAU and the accounts of MAC School
cannot be delayed, then the audit report may have to be qualified for
uncertainty.

Where errors or irregularities have occurred at MAC School, KAU will ensure that
top management of MAC School is aware of such events. If top management is
involved, reports/communication may have to be made to non-executive
directors of MAC School or regulators.

Any weakness in the system of accounting and internal control at MAC School
which may give or have given rise to errors or irregularity should be fully
discussed with, and reported to management by KAU.

Page 21 of 25
Solution 5

(a) Propose specific activities that ICPAU and the accounting profession can adopt to
reduce exposure of licensed practitioners/ registered firms to lawsuits.

Establish new/additional specific standards and rules/code/guidelines

ICPAU through IFAC and IAASB must constantly set standards and revise them
to meet the changing needs of the accounting and auditing profession. E.g.
changes in auditing standards on the auditor’s responsibility to detect fraud were
issued to address user’s needs and expectations as to auditor performance.

Education/ awareness of users of audit opinions

ICPAU, Partners of registered firms and educators should sensitize investors and
others users who read financial statements as to the meaning of an auditor’s
opinion and to the extent and nature of the auditor’s work. Users also need to
appreciate that auditors do not guarantee accuracy of financial records or the
prosperity of an audited company.

Sanction CPA members for improper conduct & performance (disciplinary)

The accounting profession must monitor its own membership. ICPAU has on a
continuous basis made progress in dealing with challenges of inadequate
performance and behaviour of CPA members and registered firms. Much as there
is notable progress, more is required to deal with emerging failures in
performance and behaviour within the profession.

Advocate for changes in laws regulating the accounting profession

Changes in laws like the Accountants Act, 2013 have favorably impacted on the
legal environment for the accounting profession. ICPAU must fully operationalize
the law to minimise misconduct and inadequate performance of the members.

Increase regular quality assurance inspection and reviews

The Institute needs to increase the regularity of quality assurance inspection and
reviews done to confirm the quality and compliance of all licenced accounting
firms and/ or practicing accountants. Quality assurance inspection reports should
contain practical recommendations towards how firms can improve on areas
which exposes them to legal liabilities (law suits).

Page 22 of 25
(b) Advise individual CPAs and/ or registered public accounting firms how to protect
themselves from legal liability.
Some of the common actions that can be taken by CPAs to protect themselves
from legal liability include, among others:

Individual CPAs and registered firms dealing only with clients demonstrating
integrity.
There is an increased likelihood of having legal problems when audit clients lack
integrity in dealing with their customers, employees, government etc. An
individual CPA or registered firm needs formal procedures to evaluate the
integrity of the audit clients and should dissociate itself from all clients found
lacking integrity.

Maintain independence & ethical requirements, at all times.

Independence requires an attitude of responsibility separate from the clients’
interests. Litigation of CPAs arises from client pressure or acceptance of client
representations. Firms and individual CPAs should avoid situations that create
potential conflict of interest

Understand the audit client’s business & do comprehensive risk assessment

CPA are required to have an appreciation of the operating environment of the
audit clients. This may include systems, processes and procedures used to run
the business. In a number of cases, the lack of knowledge of the industry
practices and the audit client’s operations has been a major factor for CPAs
failing to uncover misstatements.

Perform regular quality audits, with competent staff & independent reviews.
Quality audits are required for the CPA members to obtain appropriate evidence
and make appropriate judgements about the evidence. It’s therefore very
essential to understand the audit client’s internal controls and modify the
evidence to reflect the findings. Improved auditing reduces the likelihood of
failing to detect misstatements and resulting lawsuits.

Document work done properly, & file/archive sufficient appropriate evidence.

Preparation of good audit documentation helps the CPA members to perform
quality audits. Quality audit documentation is essential if the CPA has to defend
an audit engagement in court, including an engagement letter and
representation letter that define the respective obligations of both, the client and
the CPA.

Page 23 of 25
 Exercise professional skepticism & judgement
CPAs are often liable when they are presented with information indicating a
problem that they fail to recognise. CPAs need to strive to maintain a high level
of skepticism so that they are able to identify misstatements when they exist.

Insurance - Professional indemnity cover

It’s important for individual registered firms to carry adequate insurance and
choose a form of organisation that provides some form of legal liability protection
to partners. In the event that actual or threatened litigation occurs, the CPA
should consult with an experienced legal counsel.

Engagement letter
All practicing accountants (individuals and firms) must first sign engagement
letters stipulating responsibilities of either party, plus other terms and conditions
like fees, reporting framework, scope of work, etc. This reduces unnecessary law
suits from clients relating to responsibilities which are expected to be fulfilled by
management like financial statement preparation/presentation, fraud, etc.

(c) Justify the need for reviews by audit supervisors and audit engagement partners
on work performed by audit staff.
The purpose of the review is to consider whether the work done is in line
with the audit strategy and:

The audit supervisor and the audit partner assure themselves that the audit has
been performed in accordance with professional standards and regulatory
and legal requirements by the audit team;

Reviews by the audit partner and audit supervisor ensure that significant
matters have been raised for further consideration;

Reviews by the audit partner and audit supervisor confirm that

appropriate consultations have taken place throughout the audit and the
resulting conclusions have been properly documented and implemented;
Reviews by the audit partner and audit supervisors help determine
whether there is a need to revise the nature, timing and extent of work
performed;

Reviews by the audit supervisors and audit partners establish whether the
work performed by the audit teams supports the conclusions reached and
is appropriately documented;

Reviews by the audit supervisors and audit partners confirm that the
evidence obtained from the engagements is sufficient and appropriate to
support the report.

Page 24 of 25
 Reviews by the audit supervisors and partners help establish whether the
objectives of the engagement procedures have been achieved during
execution.

(c) Discuss the key matters needed to be considered for an effective independent
engagement quality control review within a registered firm.

Establish a general policy for engagement quality control reviews (EQCR)

Establish a specific policy on criteria for eligibility of engagement quality reviewer

(EQR)

Establish a specific policy for guiding the appropriate documentation of

engagement quality control reviews (EQCRs)

Establish a specific policy on differences in opinion and how to resolve the

differences between the engagement partner and engagement quality reviewer
(EQR)

Establish a specific policy on engagement documentation of work-done involving

the engagement quality reviewer (EQR)

Establish a specific policy on confidentiality, safe custody, and accessibility of

documents or information reviewed by the EQR

Establish a specific policy on retention of engagement documents and archiving

of work-done/file

Page 25 of 25