
Advanced Audit and Assurance
Session 04
PROFESSIONAL RESPONSIBILITIES AND LIABILITY
Learning Outcomes
• A3 – Laws and regulations
• B2 – Fraud and error
• B3 – Professional liability

Exam Focus
• Professional issues are usually examined alongside ethical issues but can be examined in their own right.
• Typical exam questions may ask for respective responsibilities of management and auditors in respect of fraud & error or laws & regulations, or could ask whether an auditor is liable in a given situation.

Laws and regulations

Guidance relating to laws and regulations
Guidance relating to laws and regulations in an audit of financial statements is provided in ISA 250
(Revised) Consideration of Laws and Regulations in an Audit of Financial Statements.

Non-compliance with laws and regulations may lead to material misstatement:
• if liabilities for non-compliance are not recorded
• contingent liabilities are not disclosed, or
• if they lead to going concern issues which would require disclosure or affect the basis of preparation of the financial statements.

Non-compliance with laws and regulations - meaning
Acts of omission or commission, either intentional or unintentional, committed by the entity, which are contrary to the prevailing laws or regulations.

Non-compliance does not include personal misconduct unrelated to the business activities of the entity.

Responsibilities of management
It is the responsibility of management, with the oversight of those charged with governance, to ensure that the entity's operations are conducted in accordance with relevant laws and regulations, including those that determine the reported amounts and disclosures in the financial statements. It includes amounts reported in FS.

Those charged with governance: The persons with responsibility for overseeing the strategic direction of the entity and obligations related to the accountability of the entity. This includes the directors (executive and non-executive) and the audit committee.

Policies and procedures management can implement (In order to help prevent and detect non-compliance)
• Monitoring legal requirements and ensuring that operating procedures are designed to meet these requirements.
• Instituting and operating appropriate systems of internal control
• Developing, publicising and following a code of conduct.
• Ensuring employees are properly trained and understand the code of conduct.
• Monitoring compliance with the code of conduct and acting appropriately to discipline employees who fail to comply with it.
• Engaging legal advisors to assist in monitoring legal requirements.
• Maintaining a register of significant laws and regulations with which the entity has to comply

In larger entities, these policies and procedures may be supplemented by assigning appropriate responsibilities to:
• An internal audit function
• An audit committee
• A compliance function.

Auditor’s responsibility for compliance with laws
• To obtain reasonable assurance that the financial statements are free from material misstatement.
• To obtain sufficient, appropriate evidence regarding compliance with those laws and regulations generally recognised to have a direct effect on the determination of material amounts and disclosures in the financial statements.
• To perform specified audit procedures to help identify instances of non-compliance that may have a material impact on the FS
• To respond appropriately if non-compliance is identified (or suspected)

It is not the auditor's responsibility to prevent or detect non-compliance with laws and regulations
Investigations of possible non-compliance
• Understand the nature of the act and circumstances in which it has occurred.
• Obtain further information to evaluate the possible effect on the financial statements

Audit procedures when non-compliance is identified
• Enquire of management of the penalties to be imposed.
• Inspect correspondence with the regulatory authority to identify the consequences.
• Inspect board minutes for management's discussion on actions to be taken regarding the non-compliance.
• Enquire of the company's legal department as to the possible impact of the non-compliance.

Auditor’s reporting relating to non-compliance

To management and those charged with governance, unless prohibited by law or regulation

To those charged with governance, if the auditor believes the non-compliance is intentional and material

If the auditor suspects management or those charged with governance are involved in the non-compliance,
the matter should be reported to higher authorities like the audit committee or supervisory board

A qualified or adverse audit opinion should be issued, if the non-compliance has a material effect on the
financial statements

To report non-compliance to third parties e.g. to a regulatory authority like ACCA if the auditor has any legal or
ethical responsibility
Engagement withdrawal
The auditor may consider the need to withdraw from the engagement (i.e. resign as auditor) if:
• management or those charged with governance do not take remedial action that the auditor considers appropriate, or
• the non-compliance raises doubts about the integrity of management or those charged with governance

If there is a responsibility to report the entity, the auditor must do so; they cannot resign to avoid having to make the report.

Responding to Non-Compliance with Laws and Regulations (NOCLAR)
Professional accountant’s responsibilities when non-compliance with laws and regulations (NOCLAR) is identified or suspected is set out in the Code of Ethics of both the IESBA and ACCA

Examples of laws and regulations addressed in the requirements include:
• Fraud, corruption and bribery
• Money laundering, terrorist financing and proceeds of crime
• Securities markets and trading
• Financial services such as banking
• Data protection
• Tax and pension liabilities and payments
• Environmental protection
• Public health and safety

The accountancy profession is expected to act in the public interest.
• This means considering matters that could cause harm to investors, creditors, employees or the general public

Objectives of NOCLAR requirements
• To enable PAs to comply with the fundamental ethical principles of integrity and professional behaviour.
• To enable companies to take prompt action to mitigate consequences of NOCLAR as the PA will have alerted them to the issue.
• To enable the PA to take further action as appropriate in the public interest

Responsibilities of the professional accountant

Obtain an understanding of the matter
• Establish what legal or regulatory obligations are triggered, e.g. required to report, must not tip-off
• Apply knowledge, professional judgment and expertise
• Discuss the matter with management and those charged with governance.

Address the matter
• Discuss the matter with management and advise them to take appropriate action such as:
  • Rectify, remediate or mitigate the consequences of the non-compliance.
  • Deter the commission of non-compliance where it has not yet occurred
  • Disclose the matter to an appropriate authority
• In a group audit, communicate NOCLAR to the group engagement partner or component auditor if not prohibited by law.

Responsibilities of the professional accountant - continued
Determine what further action is needed

• Assess the appropriateness of management’s response including whether:
  • The response is timely.
  • The non-compliance has been adequately investigated.
  • Appropriate action has been, or is being, taken to rectify, remediate or mitigate the consequences of non-compliance

Professional accountants performing non-audit services
• If the PA is performing a non-audit service for an audit client of the firm, the matter should be communicated within the firm.
• If the PA is performing a non-audit service to a client that is not an audit client, the matter should be communicated to the client's external auditor unless this would be contrary to law or regulation

Senior Professional Accountants in Business (PAIB) i.e. directors, officers and senior employees with the ability to make decisions about the control of the entity’s resources

They should fulfil their professional responsibilities by:

• Obtaining an understanding of matters of actual or suspected non-compliance
• Discussing such matters with an immediate superior or next higher level of authority, as appropriate
• Communicating matters with those charged with governance
• Rectifying or mitigating consequences of NOCLAR
• Deterring NOCLAR
• Determining whether to notify the external auditor

Case Study-past exam: Q5d-Margot:
Exhibit 5 solution from revision kit
Exhibit 5 – Email sent from Len Larch, employee of Margot Co, to Ben Duval, audit engagement partner
To: Ben Duval
From: Len Larch
Subject: Business practices

In my role as production manager in one of the company’s factories, I inspect samples of the fruit which
comes into the factory from the company’s farms, and speak to the farmers on a regular basis. Recently,
several farmers told me that they have been instructed to use certain chemicals to spray the fruit trees,
which should increase the fruit yield. However, some of these chemicals are prohibited for use in this
country because they can be toxic to humans.
While talking to one of my friends who is a production manager from another factory, it transpired that he
had also become suspicious that banned chemicals are being used in the farms. He raised the issue with
one of the company directors, who allegedly gave him $10,000 and asked him not to discuss it with
anyone. My friend said that I should ask for the same sum of money, but I felt uncomfortable and thought I
should tell someone from outside the company about what is going on.
Discuss the audit implications of the email from Len Larch, recommending any further action to be taken
by our firm.

Fraud and error

Fraud
Fraud is an intentional act by one or more individuals among management, those charged with governance, employees or third parties, involving the use of deception to obtain an unjust or illegal advantage.

Fraud can be split into two types:
• Fraudulent financial reporting – intentional misstatement including omissions of amounts in financial statements to deceive financial statement users
• Misappropriation of assets – the theft of an entity’s assets and is perpetrated by employees in relatively small and immaterial amounts. However, it can involve management who are more capable of disguising or concealing misappropriations in ways that are difficult to understand
Fraudulent financial reporting
Fraudulent financial reporting includes:
• Misrepresentation (or omission) of events or transactions in the financial statements
• Manipulation, falsification or alteration of accounting records / supporting documents
• Intentional misapplication of accounting principles

Normally caused due to management override of controls

Example
• Raising sales invoices on subsidiary on 30 December 2016 although the actual sales took place on 2 January 2017
• Creating fictitious journal entries for bad debts at year end
• Sale of a motor car to the directors at two times its market value
• Omitting disclosures of directors' remuneration required by financial reporting framework, in order to keep the remuneration paid as confidential
Misappropriation of assets
Misappropriation of assets includes:
• Stealing physical assets and intellectual property
• Embezzling receipts
• Causing an entity to pay for goods and services not received
• Using the entity’s assets for personal use

Example
• Using entity’s assets as collateral for personal loans taken by the entity’s directors
• Payment to fictitious vendors
• Embezzlement of cash
• Stealing inventory of the entity
Misstatement
Misstatement is the difference between the amounts, classification, presentation, or disclosure of a reported financial statement item and the amount, classification, presentation, or disclosure that is required for the item to be in accordance with the applicable financial reporting framework. A misstatement of financial statements can arise from fraud or error.

Misstatement occurs due to
• Inappropriate application of accounting policies
• Non-disclosure of matters required under IFRS
• Incorrect accounting estimates

Misstatement arises either due to fraud or error (i.e. Error is an unintentional misstatement in financial statements, including the omission of an amount or a disclosure)
Error
An error can be defined as an unintentional misstatement in
financial statements, including the omission of amounts or
disclosures, such as the following:
• A mistake in gathering and processing data from which financial
statements are prepared.
• An incorrect accounting estimate arising from oversight or a
misinterpretation of facts.
• A mistake in the application of accounting principles relating to
measurement, recognition, classification, presentation or
disclosure.
Responsibilities relating to fraud

Directors' responsibilities
• The primary responsibility for the prevention and detection of fraud rests with those charged with governance and the management of an entity
• This is achieved by:
  • Designing, implementing and maintaining internal control systems to prevent and detect fraud
  • Creating a culture of honesty, ethical behaviour, and active oversight by those charged with governance

External auditor
• It is not the primary responsibility of the external auditor to prevent or detect fraud or error in the financial statements
• While conducting the audit, the auditor is to maintain professional skepticism, recognising the possibility that a material misstatement due to fraud could exist
• Thus the auditor:
  • Assesses the risk of material misstatement due to fraud, and
  • Responds to the assessed risks.
Auditor’s approach toward risk of fraud

Assessing the risk of fraud

• Obtain reasonable assurance that the financial statements are free from material misstatement,
whether caused by fraud or error
• Maintain professional skepticism recognising the possibility that a material misstatement due to
fraud could exist
• Consider the potential for management override of controls and recognise that audit procedures
that are effective for detecting error may not be effective for detecting fraud
Responses to an assessed risk of fraud
• Assign responsibility to personnel with appropriate knowledge and skill.
• Evaluate whether the accounting policies of the entity indicate fraudulent financial reporting.
• Use unpredictable procedures to obtain evidence.

Auditor’s approach toward risk of fraud
Identifying risk of fraud and audit procedures

• Enquiries of management regarding management's assessment of the risk that the financial statements may be
misstated due to fraud,
• Enquiries of management's process for identifying and responding to the risk of fraud,
• Enquiries of management's communication to those charged with governance in respect of its process for
identifying and responding to the risk of fraud,
• Enquiries of management's communication to employees regarding its views on business practices and ethical
behaviour
• Enquiries with those charged with governance, management and other staff (including internal auditors) within
the organisation about their knowledge of a fraud/ suspected fraud
• Evaluate unusual relationships identified while conducting analytical procedures
• Evaluate fraud risk factors like granting bonuses based on profits, a control environment which gives an
opportunity to create fraud
• Review journal entries made to identify manipulation of figures recorded or unauthorised journal adjustments
• Review management estimates for evidence of bias
Communication relating to fraud

If the auditor identifies fraud or receives information that a fraud may exist:

• The auditor shall report this on a timely basis to the appropriate level of management.
• If the fraud involves management, the auditor shall communicate this on a timely basis to those charged with governance.
• Where the auditors have doubts about the integrity of management or those charged with governance, they are required to seek legal advice.
• Revealing client information to parties other than the client (like regulators) will lead to a breach of the fundamental principle of confidentiality. It is likely that any legal responsibility will take precedence. In these circumstances it is advisable to seek legal advice.
• If the fraud has a material impact on the financial statements, the audit opinion will be modified.
Engagement withdrawal
In exceptional circumstances the auditor may consider it necessary to
withdraw from the engagement. This may be if fraud is being committed by
management or those charged with governance and therefore casts doubt
over the integrity of the client and reliability of representations from
management.

The auditor should seek legal advice first as withdrawal may also require a
report to be made to the shareholders, regulators or others.

Question 6(cii) REDBACK SPORTS – Page 46
Exhibit 4 page 49

Part (e) requires a discussion of whether an audit or limited assurance review could have uncovered a
fraud. Discuss the limitations of each type of engagement including the types of procedures that are
performed for each. Remember that fraud is an intentional act of deception which means it may be
difficult to identify due to concealment

Solution: Page 255

Professional liability

Auditor’s liability

Liability to the client
• Arises from contract law. The company has a contract with the auditor, the engagement letter, and hence can sue the auditor for breach of contract if the auditor delivers a negligently prepared report.
• When carrying out their duties the auditor must exercise due care and skill.
• Generally, if the auditor can show that they have complied with professional standards including auditing standards and ethical requirements, they will not have been negligent

The auditor will have exercised due professional care if they have:
• Complied with the most up-to-date professional standards and ethical requirements.
• Complied with the terms and conditions of appointment as set out in the letter of engagement and as implied by law.
• Employed competent staff who are adequately trained and supervised in carrying out instructions.

Auditor’s liability: Liability to third party

In the tort of negligence, the plaintiff (i.e. the third party) must prove that:
1. The auditor owes a duty of care
2. The auditor has breached the appropriate standard of care, and
3. The plaintiff has suffered loss as a direct result of the auditor’s breach

A duty of care must exist
• The auditor must know, or should have known, that the injured party was likely to rely on the FS
• The injured party must have sufficient ‘proximity’ i.e. he must belong to a class likely to rely on the FS
• The injured party must in fact have so relied
• The injured party must show that he would have acted differently if the FS had shown a less attractive picture.

The duty of care must have been breached
• For example, late / no submission of audit report, breaching confidentiality, indulging in insider dealing, etc.

Loss must have been suffered as a result of the breach.

When is a duty of care owed?

When there is a special relationship between the parties, i.e. where the auditors knew, or ought to have known, that the audited FS would be made available to, and would be relied upon by, a particular person (or class of person).

The injured party must therefore prove:
• The auditor knew, or should have known, that the injured party was likely to rely on the FS
• The injured party has sufficient ‘proximity’, i.e. belongs to a class likely to rely on the FS
• The injured party did in fact so rely.
• The injured party would have acted differently if the FS had shown a different picture

Has the injured party suffered a loss?
This is normally a matter of fact. For example, if X relies on the audited financial statements of
Company A and pays $5 million to buy the company, but it soon becomes clear that the
company is worth only $1 million, then a loss of $4 million has been incurred.

Continued…

Cases and judgments

ADT Ltd v BDO Binder Hamlyn: BH owed a duty of care towards ADT on account of the proximity that was created after the meeting between the representatives of ADT and BH.

Caparo case: The judgment supported the auditors on the grounds that the auditors did not have a duty of care to individual shareholders but to the entire body of shareholders. There was no proximity between:
• the auditors and individual shareholders
• the auditors and prospective investors

Bannerman case: The judgment did not support the auditors on the grounds that the auditors owed a duty of care towards the bank because the auditors were aware that the bank would rely on APC’s audited financial statements. In this case, the auditors were aware of:
• the users (i.e. RBS) of the audited financial statements; and
• the purpose of using the audited financial statements.
There was proximity between the auditors and the third party.

Ways to restrict auditor’s liability
• Restrict the use of the auditor's report and assurance reports to their specific, intended purpose.
• Engagement letter clause to limit liability to third parties.
• Screening potential audit clients to accept only clients where the risk can be managed.
• Respective responsibilities and duties of directors and auditors communicated in the engagement letter and auditor's report to minimise misunderstandings.
• Take specialist legal advice where appropriate.
• Insurance – professional indemnity insurance (PII).
• Carry out high quality audit work.
• Take on LLP status.
• Set a liability cap with clients

The impact of limiting audit liability

Limiting audit liability is contrary to the public interest, since auditors will be less motivated to do quality work if they know that they will not have to pay for their mistakes.

This ignores the professional nature of the audit discipline. People choose to be audit partners because they want to do a high quality job for themselves and for society.

Expectation Gap
The expectation gap is the gap between an auditor’s actual standards of performance and what the public expects of his performance.

Liability Gap: Gap is created when public is not aware of the persons to whom the auditors owe responsibility

Standards and performance gap: Expectation gap where users believe auditing standards to be more comprehensive than they actually are and therefore the auditor does not perform the level of work the user expects

Example: Users believe that the auditor is responsible for preventing and detecting fraud and error, while ISAs at the moment only require auditors to have only a reasonable expectation of detecting material fraud and error

Bridging the expectation gap

Educating users to reduce the standards gap e.g.

Auditor's reports now include greater detail of the auditor’s responsibilities and key audit matters.
Written representation letters require management to sign to
acknowledge their responsibilities in respect of the FS

Increasing communication between the auditor and those charged with governance regarding their respective responsibilities.

Increasing the scope of the work of the auditor e.g. to require greater
detection of fraud and error.
Liability faced by an accountant

Criminal liability
• Acting as auditor when ineligible;
• Fraud, such as: theft, bribery and other forms of corruption, falsifying accounting records, and knowingly or recklessly including misleading matters in an auditor's report
• Insider dealing
• Knowingly or recklessly making false statements in connection with the issue of securities

Penalties for criminal liability include fines and/or imprisonment

Civil liability
• To third parties suffering loss as a result of relying on a negligently prepared auditor’s report.
• Under insolvency legislation to creditors – auditors must be careful not to be implicated in causing losses to creditors alongside directors.
• Under tax legislation – particularly where the auditor is aware of tax frauds perpetrated by the client

Penalty for a civil offence is payment of damages.

Insurance for accountancy firms
• Professional indemnity insurance (PII) is insurance against claims made by clients and third parties arising from work that the PA has carried out.
• Fidelity guarantee insurance (FGI) is insurance against any liability arising through acts of fraud or dishonesty by any partner or employee in respect of money or goods held in trust by the accountancy firm.

June 2013 exam Q4a
You are a manager in Groom & Co, a firm of Chartered Certified Accountants. You have just attended a monthly
meeting of audit partners and managers at which client-related matters were discussed. Information in relation to
your client, which was discussed at the meeting, is given below:

Spaniel Co: The audit report on the financial statements of Spaniel Co, a long-standing audit client, for the year ended
31 December 2012 was issued in April 2013, and was unmodified. In May 2013, Spaniel Co’s audit committee
contacted the audit engagement partner to discuss a fraud that had been discovered. The company’s internal auditors
estimate that $4·5 million has been stolen in a payroll fraud, which has been operating since May 2012.
The audit engagement partner commented that neither tests of controls nor substantive audit procedures were
conducted on payroll in the audit of the latest financial statements as in previous years’ audits there were no
deficiencies found in controls over payroll. The total assets recognised in Spaniel Co’s financial statements at 31
December 2012 were $80 million. Spaniel Co is considering suing Groom & Co for the total amount of cash stolen from
the company, claiming that the audit firm was negligent in conducting the audit
Required: Explain the matters that should be considered in determining whether Groom & Co is liable to Spaniel Co in
respect of the fraud. (12 marks)

It is not the auditor’s primary responsibility to detect fraud. According to ISA 240, management is primarily
responsible for preventing and detecting fraud. The auditor is required to obtain reasonable assurance that the
financial statements are free from material misstatement whether caused by fraud or error.

The total amount estimated to have been stolen in the payroll fraud represents 5·6% of Spaniel Co’s assets. If
the amount has been stolen consistently over a 12-month period, then $3 million (8/12 x 4·5 million) had been
stolen prior to the year end of 31 December 2012. $3 million is material, representing 3·8% of total assets at
the year end. Therefore the fraud was material and it could be reasonably expected that it should have been
discovered.

However, material misstatements arising due to fraud can be difficult for the auditor to detect. This is because
fraud is deliberately hidden by the perpetrators using sophisticated accounting techniques established to
conceal the fraudulent activity. False statements may be made to the auditors and documents may have been
forged. This means that material frauds could go undetected, even if appropriate procedures have been carried
out.

ISA 240 requires that an audit is performed with an attitude of professional skepticism. This may not have been
the case. Spaniel Co is a long-standing client, and the audit team may have lost their skeptical attitude.
Necessary tests of control on payroll were not carried out because in previous years it had been possible to
rely on the client’s controls.

It seems that ISAs may not have been adhered to during the audit of Spaniel Co. The auditor should design
and perform tests of controls to obtain sufficient appropriate audit evidence as to the operating effectiveness
of relevant controls if the auditor’s assessment of risks of material misstatement at the assertion level includes
an expectation that the controls are operating effectively. It can be acceptable for the auditor to use audit
evidence from a previous audit about the operating effectiveness of specific controls but only if the auditor
confirms that no changes have taken place. The audit partner should explain whether this was the case.

Substantive procedures have not been performed on payroll either. This effectively means that payroll has not
been audited.

This leads to a conclusion that the audit firm may have been negligent in conducting the audit. Negligence is a
common law concept in which an injured party must prove three things in order to prove that negligence has
occurred:
– That the auditor owes a duty of care;
– That the duty of care has been breached;
– That financial loss has been caused by the negligence.

Looking at these points in turn, Groom & Co owes a duty of care to Spaniel Co, because a contract exists
between the two parties. The company represents all the shareholders as a body, and there is an automatic
duty of care owed to the shareholders as a body by the auditor

A breach of duty of care must be proved for a negligence claim against the audit firm to be successful.

Duty of care generally means that the audit firm must perform the audit work to a good standard and
that relevant legal and professional requirements and principles have been followed. For an audit firm, it
is important to be able to demonstrate that ISAs have been adhered to. Unfortunately, it seems that ISAs
have been breached and so the audit firm is likely to have been negligent in the audit of payroll.

Finally, a financial loss has been suffered by the audit client, being the amount stolen while the fraud was
operating.

In conclusion, Spaniel Co is likely to be able to successfully prove that the audit firm has been negligent in
the audit of payroll, and that Groom & Co is liable for some or all of the financial loss suffered

Any Questions?

Thank You
