Auditing

Bachelor of Commerce
in Accounting
INTRODUCTION TO AUDITING
Module Guide
Copyright © 2021
MANCOSA
All rights reserved; no part of this book may be reproduced in any form or by any means, including photocopying machines,
without the written permission of the publisher. Please report all errors and omissions to the following email address:
modulefeedback@mancosa.co.za
Bachelor of Commerce
in Accounting
INTRODUCTION TO AUDITING
List of Contents ....................................................................................................................................................... 1
Preface.................................................................................................................................................................... 2
Unit 1: An Introduction To Auditing ....................................................................................................................... 11
Unit 2: Code Of Ethics For Auditors ...................................................................................................................... 24
Unit 3: Corporate Governance And King Iv ........................................................................................................... 40
Unit 4: General Principles Of Auditing................................................................................................................... 62
Unit 5: Overview Of The Audit Process ................................................................................................................. 85
Unit 6: Elements Of The Audit Process ............................................................................................................... 102
Unit 7: Auditing Using It....................................................................................................................................... 116
References List ................................................................................................................................................... 130
i
Introduction to Auditing
List of contents
List of tables
Table 4.1.: Nature, Extent, and Timing of Evidence........................................................................................73
Table 4.4: Financial statement assertions ......................................................................................................76
Table 4.5: Financial statement assertions ......................................................................................................78
1 MANCOSA – Bachelor of Commerce: Accounting

Preface
A. Welcome
Dear Student
It is a great pleasure to welcome you to Introduction to Auditing (ITA6). To make sure that you share our
passion about this area of study, we encourage you to read this overview thoroughly. Refer to it as often as you
need to, since it will certainly make studying this module a lot easier. The intention of this module is to develop
both your confidence and proficiency in this module.
The field of Auditing is extremely dynamic and challenging. The learning content, activities and self- study
questions contained in this guide will therefore provide you with opportunities to explore the latest developments
in this field and help you to discover the field of Auditing as it is practiced today.
This is a distance-learning module. Since you do not have a tutor standing next to you while you study, you need
to apply self-discipline. You will have the opportunity to collaborate with each other via social media tools. Your
study skills will include self-direction and responsibility. However, you will gain a lot from the experience! These
study skills will contribute to your life skills, which will help you to succeed in all areas of life.
We hope you enjoy the module.
MANCOSA does not own or purport to own, unless explicitly stated otherwise, any intellectual property rights in or
to multimedia used or provided in this module guide. Such multimedia is copyrighted by the respective creators
thereto and used by MANCOSA for educational purposes only. Should you wish to use copyrighted material from
this guide for purposes of your own that extend beyond fair dealing/use, you must obtain permission from the
copyright owner.
MANCOSA – Bachelor of Commerce: Accounting 2

B. Module Overview
In this section, include the following:
 The module is a 15 Credit module at National Qualification Framework (NQF) level 6.
Course overview
The broad areas covered by this module include:
 An Introduction to Auditing
 Professional Conduct
 Corporate Governance and King IV
 General Principles of Auditing
 Overview of Audit Process
 Elements of the Audit Process
 Auditing Using IT
C. Exit Level Outcomes and Associated Assessment Criteria of the Programme
Exit Level Outcomes (ELOs) Associated Assessment Criteria (AACs)
 Display the necessary knowledge and  Fundamental and specialist knowledge is applied in an
skills, attitudes and applied organisational context to identify and analyse
competence to enable them to appropriate policies to achieve administrative efficiency
demonstrate administrative proficiency  Appropriate processes are selected and implemented
to resolve administrative deficiencies
 Complex administrative problems are identified,

analysed and evaluated to apply appropriate problem
solving solutions to enhance administrative proficiency
 Knowledge of key management terms and concepts are
 Display knowledge of management in
explained to understand and demonstrate knowledge of
general
disciplines or practices of management
 Components of fundamental and specialised effective
management knowledge are evaluated to understand
the various operational management levels
 Context and systems in general management are

recognised and applied to organisational processes in
unfamiliar and variable contexts

 Apply skills of rational judgment and  Method and procedure in rational judgement and
planning planning is understood, selected and applied to resolve
problems or to introduce change within practice
 Evidence – based solutions and theory driven

arguments are critically evaluated to address complex
problems in planning
 Ethics and professional practice is considered and

applied when planning to justify the decisions and
actions taken
 Recognise and appreciate changes  Knowledge of organisational contexts and their

within organisations dynamics are analysed to inform current practice
 to remain current in this regard
 Key change management principles are applied in

appropriate organisational contexts to appreciate
change within an organisation
 Make appropriate use of information  Accessing, processing and managing information

technology technology is demonstrated to develop appropriate
processes of information gathering and analysis for a
given context
 Information technology applied to independently

evaluate and validate the sources of information
 Appropriate information technology is utilised to record,

report on and maintain information management
systems for a variety of contexts within an organisation
 Analyse and solve operational  Operational problems are identified, analysed and
problems evaluated to critically address complex problems within
an organisation by applying evidence based solutions
and theory–driven arguments
 Method and procedure in solving operational problems

are applied to resolve problems or to introduce change
within practice

 Display skills for the recording and  Accessing, processing and managing information are
processing of financial information explained to develop appropriate processes of
within an accounting framework recording within an accounting framework
 Key concepts, principles, knowledge, skills and

techniques in accounting and related fields are applied
to display these skills for the recording and processing of
financial information
 Display ethical behaviour in a corporate  Ethics and professional practice is considered and
management context applied in corporate management context to justify the
decisions and actions taken
 Prescribed ethical codes of conduct, values and

practices are discussed to inform appropriate behaviour
within the corporate management context
 Develop the functional competence of a  Scope of knowledge with respect to management

graduate to proceed to middle competencies are analysed to be functional at middle
management level within an accounting management level
(auditing/tax) environment.
 A range of methods and procedures are applied to
problem solving contexts in middle management
 Management decisions are discussed to apply ethical

and professional judgement
D. Learning Outcomes and Associated Assessment Criteria of the Module
LEARNING OUTCOMES OF THE MODULE ASSOCIATED ASSESSMENT CRITERIA OF THE MODULE
 Define the nature and objective of an audit  The nature and objectives of an audit are fully defined and
examined to establish the purpose of conducting audits
 Describe the qualities, duties and  An auditor’s duties, responsibilities and qualities are
responsibilities of an auditor deduced and described to determine the purpose and
function of auditors
 Analyse relevant legislation and auditing  An auditor’s duties, responsibilities and qualities are
standards governing the professional deduced and described to determine the purpose and
conduct of auditors function of auditors

 Assess the role and responsibilities of  The auditor’s role and responsibilities are assessed to
auditors in contributing towards effective determine their contributions towards effective corporate
corporate governance in accordance with governance and king IV
King IV
 Demonstrate an understanding of the  The audit process and its elements are explained to be
general principles of auditing and provide able to conduct an effective audit
explanations of the audit process and
elements of an audit
 Illustrate and explain the basics of using IT  The basics of IT auditing is explained to understand how
auditing IT is utilised to help conduct an audit
E. Learning Outcomes of the Units

You will find the Unit Learning Outcomes on the introductory pages of each Unit in the Module Guide. The Unit
Learning Outcomes lists an overview of the areas you must demonstrate knowledge in and the practical skills
you must be able to achieve at the end of each Unit lesson in the Module Guide.
F. Notional Learning Hours
Notional Learning Hour Table for the Programme
Learning
Types of learning activities time
Lectures/Workshops (face to face, limited or technologically mediated) 10
Tutorials: individual groups of 30 or less 5
Syndicate groups 0
Practical workplace experience (experiential learning/work-based learning etc.) 0
Independent self-study of standard texts and references (study guides, books, journal articles) 60
Independent self-study of specially prepared materials (case studies, multi-media, etc.) 20
Other: Online 5
TOTAL 100

G. Acronyms
AFS Annual Financial Statements
CAATs Computer Assisted Audit Techniques
CPC Code of Professional Conduct
EFT Internet Fund Transfer
GAAP Generally Accepted Accounting Practice
GRN Goods Received Notes
IFRS International Financial Reporting Standard
IESBA International Ethics Standards Board for Accountants
INC. Incorporated
IoDSA Institute of Directors of Southern Africa
ISA International Standard on Auditing
ISO Internal Sales Order
IRBA Independent Regulatory Board of Auditors
ISRE International Standards on Review Engagements
Ltd Limited
PC Personal Computer
PI Public Interest
Pty Proprietary
SME Small Medium Enterprise
H. How to Use this Module

This Module Guide was compiled to help you work through your units and textbook for this module, by breaking
your studies into manageable parts. The Module Guide gives you extra theory and explanations where necessary,
and so enables you to get the most from your module.
The purpose of the Module Guide is to allow you the opportunity to integrate the theoretical concepts from the
prescribed textbook and recommended readings. We suggest that you briefly skim read through the entire guide
to get an overview of its contents. At the beginning of each Unit, you will find a list of Learning Outcomes and
Associated Assessment Criteria. This outlines the main points that you should understand when you have
completed the Unit/s. Do not attempt to read and study everything at once. Each study session should be 90
minutes without a break

This module should be studied using the prescribed and recommended textbooks/readings and the relevant
sections of this Module Guide. You must read about the topic that you intend to study in the appropriate section
before you start reading the textbook in detail. Ensure that you make your own notes as you work through both
the textbook and this module. In the event that you do not have the prescribed and recommended
textbooks/readings, you must make use of any other source that deals with the sections in this module. If you
want to do further reading, and want to obtain publications that were used as source documents when we wrote
this guide, you should look at the reference list and the bibliography at the end of the Module Guide. In addition,
at the end of each Unit there may be link to the PowerPoint presentation and other useful reading.
I. Study Material
The study material for this module includes tutorial letters, programme handbook, this Module Guide, a list of
prescribed and recommended textbooks/readings which may be supplemented by additional readings.
J. Prescribed and Recommended Textbook/Readings

There is at least one prescribed and recommended textbooks/readings allocated for the module.
The prescribed and recommended readings/textbooks presents a tremendous amount of material in a simple,
easy-to-learn format. You should read ahead during your course. Make a point of it to re-read the learning content
in your module textbook. This will increase your retention of important concepts and skills. You may wish to read
more widely than just the Module Guide and the prescribed and recommended textbooks/readings, the
Bibliography and Reference list provides you with additional reading.
The prescribed and recommended textbooks/readings for this module is:

 Auditing Notes for South African students 10th Edition – Jackson and Stent, LexisNexis Publishers, 2019.
In addition to the prescribed textbook, the following should be considered for recommended books/readings:
 Coetzee, P., du Bruyn, R., Fourie, H. and Plant K. (2019). Internal Auditing an Introduction. 6th Edition. Lexis
Nexis.
 Coetzee, P., du Bruyn, R., Fourie, H. and Plant K. (2019). Performing Internal Audit Engagements. 6 th
Edition. Lexis Nexis.

K. Special Features
In the Module Guide, you will find the following icons together with a description. These are designed to help you
study. It is imperative that you work through them as they also provide guidelines for examination purposes.
Special Feature Icon Explanation
The Learning Outcomes indicate aspects of the particular Unit you have
LEARNING to master.
OUTCOMES
The Associated Assessment Criteria is the evaluation of the students’

ASSOCIATED
understanding which are aligned to the outcomes. The Associated
ASSESSMENT
Assessment Criteria sets the standard for the successful demonstration
CRITERIA
of the understanding of a concept or skill.
A Think Point asks you to stop and think about an issue. Sometimes you
THINK POINT are asked to apply a concept to your own experience or to think of an
example.
You may come across Activities that ask you to carry out specific tasks.
In most cases, there are no right or wrong answers to these activities.
ACTIVITY
The purpose of the activities is to give you an opportunity to apply what
you have learned.
At this point, you should read the references supplied. If you are unable
READINGS to acquire the suggested readings, then you are welcome to consult any
current source that deals with the subject.
PRACTICAL Practical Application or Examples will be discussed to enhance
APPLICATION understanding of this module.
OR EXAMPLES
KNOWLEDGE You may come across Knowledge Check Questions at the end of each
CHECK Unit in the form of Knowledge Check Questions (KCQ’s) that will test
QUESTIONS your knowledge. You should refer to the Module Guide or your
textbook(s) for the answers.
You may come across Revision Questions that test your understanding
REVISION
of what you have learned so far. These may be attempted with the aid
QUESTIONS
of your textbooks, journal articles and Module Guide.

Case Studies are included in different sections in this Module Guide.
CASE STUDY This activity provides students with the opportunity to apply theory to
practice.
You may come across links to Videos Activities as well as instructions
VIDEO ACTIVITY on activities to attend to after watching the video.

Unit
1: An Introduction to Auditing

Unit Learning Outcomes
CONTENT LIST LEARNING OUTCOMES:
1.1 Introduction  Introduce topic areas for the unit
1.2 What is the Function of an Auditor?  Explain what is auditing and the function of an auditor in
entity
1.3 Various Types of Auditors  Explain the difference between the various types of auditors
that exist in the auditing profession
1.4 Why are Auditors Necessary?  Demonstrate an understanding of the importance of the
auditors and why they are necessary
1.5 Assurance Engagements  Display an understanding of the assurance engagements

that are performed by an auditor
1.6 The Accounting Profession –  Demonstrate an understanding of the relevant Accounting

Accounting Bodies in South Africa bodies that exist for the profession of auditing
1.7 Summary  Summarise topic areas covered in unit
Prescribed and Recommended Textbooks/Readings
Prescribed Textbook
 Auditing Notes for South African students 10th Edition – Jackson

and Stent, LexisNexis Publishers, 2019.
Recommended textbooks:
 Coetzee, P., du Bruyn, R., Fourie, H. and Plant K. (2019). Internal
Auditing an Introduction. 6th Edition. Lexis Nexis.
 Coetzee, P., du Bruyn, R., Fourie, H. and Plant K. (2019).
Performing Internal Audit Engagements. 6th Edition. Lexis Nexis.

1.1 Introduction
The word auditing has a Latin origin which means “a hearing” and has been in conception for more than 2000
years. A majority of individuals possess a basic idea of the concept of auditing and the duties of an auditor,
however, this knowledge is generally based on what individual’s witness on media and are often misconceptions
as compared to the actual duties and functions of an auditor. Auditors are typically seen to participate in numerous
activities and are often seen as boring professionals. Despite the mocking portrayal of auditors, the general
acceptance among society is that auditing is a serious business and auditors play an important role in the
corporate world.
1.2 What is the Function of an Auditor?

Auditors, in the simplest form, are providers of assurance and consulting services. The performance of audits by
auditors ensures that there is reasonable assurance that financial statements, which are presented by
management, are free from any material misstatements and errors that can result in fraudulent activities taking
place in an entity. An audit conducted by auditors can only provide evidence which is reasonably assured, which
means that auditors are not capable of guaranteeing a client that their financial statements have no material
misstatements or fraud. The duty of an auditor is described in the following flow of events:
Reporting results - indicating

Planing of the Gathering of
if financial statements are
audit eveidence
fairly presented
Consider the following example which will provide insight into the duties and functions of an auditor:
Heavenly Glitter (Pty) Ltd requests a loan from Rights Resource Bank. The bank indicates to Heavenly Glitter
(Pty) Ltd that prior to making any consideration on providing them with a loan, the bank will require a copy of the
financial statements for the company which will then need to be audited. The bank is indicating to the company
that they will require reasonable assurance of the financial information of the Heavenly Glitter (Pty) Ltd from an
independent source which will also provide proof that their financial statements are fairly presented and free from
any material misstatements. This is the stage when an auditor is required, as the reasonability of the assurance
provided and the checks on the materiality of the financial statements will be provided by an auditor. The auditor
will assist in increasing the credibility of Heavenly Glitter (Pty) Ltd and the bank will in turn be increasingly
comfortable in placing reliance on the information that the company has provided, when formulating a decision
in granting them a loan. If the auditor provides assurance that the financial information is fair and reliable then
the bank will be confident that the risk of them suffering a loss, by Heavenly Glitter (Pty) Ltd not paying their
interest or the capital amount back, is relatively low. Had Rights Resource Bank not insisted on reviewing financial
statements that had been audited Heavenly Glitter (Pty) Ltd could have manipulated the company’s financial
information to make them seem reliable.

Think Point
What other examples can you provide to explain the function of an auditor?
1.3 Various types of Auditors

The field of auditing is incredibly vast and is not limited to the audit of financial statements only. There are various
types of auditors who have a variety of skills to conduct audits that are different in nature. Each of the different
types of auditors share one characteristic in common, which is independence, as any audit conducted without a
degree of independence from the entity being audited will make the results and assurance provided by the auditor
‘worthless’.
Below is a list of the various types of auditors and each of their functions:
1.3.1 Registered external auditor:

 A registered external auditor is an auditor who expresses an opinion that is independent and is an
indication of whether or not the annually presented financial statement of an entity is a fair
representation of the entities financial position and results of its operational activities
 An external auditor is not considered, in any manner, as an employee of a company, but they
possess the ability to enhance the levels of confidence that the users of the financial statements for
a certain entity has in the information that is contained in the financial statements
 Auditors who are registered and offer services to public institutions are considered as being part of
“public practice. Auditors register with the Independent Regulatory Board of Auditors (IRBA)
1.3.2 Internal Auditors:

 Internal auditors are auditors who act on behalf of a company’s board of directors. The duties of an
internal auditor greatly involve evaluating the effectiveness, efficiency and economy of the internal
controls that are implemented by management and the ability of these controls to mitigate any risks
that the company faces in its operational processes
 The internal auditor will then provide suitable recommendations to management which they can
utilise or implement in order to better control the risks that they may face
 An internal auditor is considered an employee of the organisation. However, they act completely
independent of the department in which they conducting the audit
 Individuals who perform the duties of an internal auditor are not required to be in possession of any
registration with a professional body, they however may choose to be a member if the Institute of
Internal Auditors

1.3.3 Government Auditors:

 The role which is performed by a government auditor is effectively similar to that of internal auditors,
the major existing difference exists in the fact that these auditors only operate within departments
in government bodies or at municipalities
 These auditors conduct the evaluation and the investigations of financial matters within the
governmental departments and make a report of the audit findings to senior officials in government.
 Government auditors have the responsibility of assisting government departments in maintaining
the financial matters of the country. These audits will increase the reliance and confidence that
government places on their individual departments and it will indirectly enhance the reliance that
the public places on the financial management of the governmental departments
 A government auditor is call the Auditor General South Africa(AGSA). The AGSA is considered to
be an employee of the government but the AG will remain and continuously maintain the
independence in the work that they carry out for the government departments in which they conduct
auditors
 The registration of the government auditor with a professional body is not a requirement but they
may register with any professional body such as the IIA, IRBA, CA, etc.
1.3.4 Forensic Auditors:

 The core focus of a forensic auditor is to place importance and emphasis on the investigation and
gathering of evidence to determine if there are any material misstatements, theft or fraud which is
occurring at an organisation
 Forensic audits can be performed at any type of business entity; however, it is imperative that the
audit function remains independent from the entity that is being audited
 Forensic auditing is a highly specialised field and majority of individuals who conduct these audits
should possess a qualification in auditing with sufficient experience
1.3.5 Special purpose auditors:

 Special purpose auditors are auditors who have a specific specialisation in a particular field of
auditing, examples of these auditors are environmental auditors (deal with compliance to
environmental laws and regulations) and VAT auditors (employed by SARS and conduct audits on
VAT vendors).

1.4 Why are auditors necessary?

1.4.1 Confidence in financial information
All stakeholders who invest in a business require assurance that the financial information of the entity is
reliable and has credibility. In order for a company to ensure that their investors can maintain confidence
in their financial information assurance will need to be provided by an auditor. An auditor’s role in
providing assurance is crucial as they express honest opinions on how fairly the financial information of
a company is presented. Financial information which is independently audited and available to investors
help them to choose an investment which best suits their needs. It is imperative to note that investing
entities and the public possess a direct interest in a countries economy and this interest is supported by
financial information that is reliable. SARS, unit trusts and pension fund administrators have a direct
impact on the public in general and the performance of these organisations highly depends on the
reliability of financial information that is made available by them. This financial information will play a
critical role in the investments that the public makes in these organisations, and this information is
enhanced by their relationship with the profession of auditing and accounting.
1.4.2 Accountability
The profession of auditing has seen a major bloom over the years and its growth has given the rise to
various audit functions such as internal audits, government audits, forensic audits and environmental
audits which have become major independent forces in their own functions. Investors globally have a
natural longing for accountability, directors of a company should take accountability for the manner in
which their businesses are run, the government must take accountability for the way taxpayers money
is spent and companies that partake in activities which have a direct impact on the government must
take accountability for adhering to regulations and legislations. Due to this a wider need for the auditing
profession to provide services which independently assesses and evaluates if directors and
governments meet their responsibilities has been created. The demand of sound corporate governance
(a set of principles, rules and processes by which a company is controlled and directed) by the world
has increased and auditors play a crucial role in ensuring this governance.
Think Point
Why is it important for entity to have auditors and to incorporate an audit

function into their financial statements?

1.5 Assurance Engagements

1.5.1 Assurance Engagements
As discussed previously an assurance engagement is an engagement where by “a professional
expresses a conclusion designed to enhance the degree of confidence of the intended users, other that
the responsible party, about the outcome of the evaluation or measurement of a subject matter against
the criteria”. This definition of assurance engagements is better explained when each of the elements
are broken down in relation to the audit of financial statements.
The elements of an assurance engagement
Element Example of the audit Example of a review
Three party relationships: Registered auditors Registered auditor

Professional accountant Directors who are responsible for Directors
Responsible party financial statements Shareholders
Intended users Shareholders
Subject matters Financial position, results of Financial position, results of

operations, etc. operations, etc.
Suitable criteria International financial reporting International financial reporting

standards standards for SME’s.
Sufficient appropriate evidence The evidence the practitioner The evidence the reviewer needs
needs to be in a position to form an to express a conclusion on
opinion as to whether the financial whether anything has come to his
statements are free of material attention which causes him to
misstatement and are presented believe the financial statements
fairly in terms of IFRS. are not prepared in accordance
with IFRS for SMEs.
Written assurance report the audit opinion report on fair The review conclusion (limited
presentation assurance)
(reasonable assurance)
1.5.2 The Audit Engagement

A deduction can be made that the audit of financial statements is an engagement by which an auditor
is responsible for gathering evidence, that is appropriate and sufficient enough to assist them in forming
an opinion on whether directors have made an appropriate application of the International Financial
Reporting Standards (IFRS) when they have presented the financial statements that display the position

and performance of the entity. The opinions that are made by the auditor is then reported to the
shareholders and stakeholders of an entity through the audit report.
The following is information which is important to note:

 Any opinion formed by the auditor on the fair presentation of financial statements must be performed
utilising criteria which is suitable enough to judge the fair presentation of the statements. This criterion will
include benchmarks or standards which is obtained by implementing accounting frameworks
 The audit must be performed in a prescribed manner which is detailed in the International Standards on
Auditing (IAS) which has to be complied to when an audit is being conducted
 The audit engagement provides reasonable assurance
1.5.3 The Review Engagement

A review engagement is relatively similar to an assurance engagement. In a review engagement the
reviewer, who is often a registered auditor, is responsible for gathering evidence that is sufficient and
appropriate to assist them in forming a conclusion on whether or not financial statements that are
prepared company directors are according to IFRS.
The following is information which is important to note:

 The conclusion that is formed by a reviewer is defined in terms of a criteria such as IFRS
 The review is performed in manner which is prescribed which is highlighted in the International
Standards on Review Engagements
 A review engagement only provides assurance which is limited
1.5.4 Non-assurance Engagements

There are a variety of engagements which accountants and auditors undertake that are classified as
non-assurance engagements such as providing tax services and other advisory services that relate to
a business’s performance. The defining characteristic of non-assurance engagements is that the
accountant or auditor is not required to express any opinions or form any conclusions based on the
subject matter of a specific engagement.
1.5.5 Reasonable Assurance, Limited Assurance and Absolute Assurance

The level of assurance that is provided by an audit practitioner is dependent on amount of evidence that
is gathered. Below is an explanation of the types of assurance that is provided by an auditor:
 Reasonable Assurance
Reasonable insurance is defined as a “high but not absolute” assurance level and it can be presented
only when the auditor has gathered evidence which is sufficient and appropriate to comfortably satisfy
that the risks which he presents an opinion on is acceptably low. In the terms of financial statement

audits the auditor will be required to perform procedures and gather evidence that enables him to state
that financial statements are presented fairly and there are no evident material misstatements.
Reasonable assurance is given by auditor by making use of the phrase “In our opinion the financial
statements present fairly….”
 Limited Assurance
Limited assurance is considered as an assurance which is at a lower level that that of reasonable
assurance, it is, however, meaningful to the users of financial statements. In a limited assurance
engagement, the auditor’s collection of evidence is relativity less than that collected in a reasonable
assurance engagement, but it remains sufficient enough for the auditor to form a conclusion on the audit.
Limited assurance is achieved when the auditor performs tests that are fewer and uses sample size that
are smaller in comparison to those used for reasonable assurance.
 Absolute Assurance
Having read the above discussion, you may be wondering why the auditor cannot certify or confirm that
the financial statements are 100% correct. Why is the auditor restricted to providing reasonable
assurance? By carrying out more procedures couldn’t he actually confirm that the financial statements
are correct? Essentially the reason that the auditor cannot certify (provide absolute assurance) is that
an audit has inherent limitations which prevent the auditor from certifying or confirming the 100%
correctness of a set of financial statements. ISA 200 provides the basis for the following explanation of
the inherent limitations of an audit
1.6 The Accounting Profession – Accounting Bodies in South Africa

1.6.1 The achievement of professional status is not attained effortlessly, in order for a body of practitioners to
be
regarded as professionals, the public will need to accept that the body of practitioners in question are
worthy
of being recognised as professionals. Howard F, Stettler made suggestions that the professional status of
practitioners have certain attributes attached to them, which can be summarised as follows:
1. The skills and services which are offered by an accounting practitioner should be of a high specialisation
and quality and they require:
 Intellectual abilities of a particular nature
 A formal education and proficiency of a special body of knowledge
 Proficiency in application of intellectual abilities and specialised knowledge which can be obtained
by a practical training processes.

Activity
Why should the skills offered by an audit practitioner be of a high quality?
Think Point
What are the main differences between internal and external auditors and how
do they rely on each for information when conducting an audit?
2. The evaluation of services that professionals deliver to the public cannot be performed effortlessly.
Regulatory mechanisms are implemented to ensure that the public and the profession is protected from
any incompetence or unethical behaviours. The regulatory mechanisms are inclusive of:
 Laws that exist to prevent and restricting any unqualified persons from practicing in that profession
 An organisation which is dedicated to ensuring the advancement of a profession and is devoted to
improving the services that those professionals render
 An environment which is free from competition that is uninhibited to ensure services are carried out
in a dignified manner
 A code of conduct that is actively supported, which can be used by the public to make judgements
on an accounting practitioner’s professional stature
3. The profession and members of the profession will be required to demonstrate ethical and intellectual
commitments as this will lead to transcending aspirations for financial gains
4. The last mechanism, which can be considered as the most important aspect, is the ethical principles
that the members of an auditing profession will need to obey. This will be discussed in UNIT 2 but
includes the following principles:
 Objectivity
 Integrity
 Professional competence and due care
 Confidentiality
 Professional behaviour

Think Point
Why is it important for auditing professionals to obey or abide by ethical

principles?
1.6.2 Accounting Bodies in South Africa

The professional bodies which regulate the practice of accounting in South Africa include the South
African Institute of Charted Accountants (SAICA), the Charted Institute of Management Accountants
(CIMA), the Association of Chartered Certified Accountants (ACCA) and the South African Institute of
Professional Accountants (SAIPA), however, the auditing profession is regulated by the Independent
Regulatory Board for Auditors and the Institute for Internal Auditors.
In this unit the dominant bodies that we will deal with are the South Africa include the South African
Institute of Charted Accountants (SAICA) and the Independent Regulatory Board for Auditors (IRBA) as
they play roles which can be overlapped and interlinked.
1. South African Institute of Charted Accountants (SAICA)

 SAICA is a regulatory body which takes care of their members interests regardless of whether it is
in public practice or private businesses
 In order to qualify as a SAICA member and individual will need to be in possession of a recognised
and relevant accounting qualification form a university that is accredited and obtain the necessary
experience to write and pass the SAICA board exams
 Once an individual has met the requirements they will then be allowed to use the designation
Charted Accountant (South Africa) – CA (SA)
 Members of SAICA can practice in public or in businesses
 A charted accountant who is in public practice that wishes to perform any services of an auditing
nature must have an active registration with the IRBA to do so
2. The Independent Regulatory Board for Auditors (IRBA)

 The responsibility of the IRBA is to take care of the interest of professional auditors. Affairs such as
registration, training, accreditation with professional bodies, education and the prescribed ethical
and competent standards are dealt with by the IRBA
 The IRBA is responsible for the protection of the public when dealing with registered auditors and
to part take in disciplinary measures against members who are in transgression of the rules

 To be an IRBA member, an individual must meet or conduct the following:

 The education requirements stipulated by SAICA must be adhered to
 A public practice training contract should be completed
 The Audit Development Program requirements must be satisfied in subsequence to the
requirements for a registered Charted Accountant
 The designated title for an individual who is an IRBA member is a “registered auditor” or an “RA”.
Revision Questions
1. The assurance provided by auditors can be at different levels. Explain the

difference between reasonable assurance and limited assurance that a
registered auditor can give to their client.
Solution:
Reasonable insurance is defined as a “high but not absolute” assurance level
and it can be presented only when the auditor has gathered evidence which is
sufficient and appropriate to comfortably satisfy that the risks which he presents
an opinion on is acceptably low. In the terms of financial statement audits the
auditor will be required to perform procedures and gather evidence that enables
him to state that financial statements are presented fairly and there are no
evident material misstatements. Reasonable assurance is given by auditor by
making use of the phrase “In our opinion the financial statements present
fairly….”.
Limited assurance is considered as an assurance which is at a lower level that
that of reasonable assurance, it is, however, meaningful to the users of financial
statements. In a limited assurance engagement, the auditor’s collection of
evidence is relativity less than that collected in a reasonable assurance
engagement, but it remains sufficient enough for the auditor to form a
conclusion on the audit. Limited assurance is achieved when the auditor
performs tests that are fewer and uses sample size that are smaller in
comparison to those used for reasonable assurance.
2. As discussed in this unit, there a various different types of auditors which exist.
You are required to discuss the one common characteristic which is shared
among these auditors.

Solution:
The different types of auditors share one characteristic in common, which is
independence, as any audit conducted without a degree of independence from
the entity being audited will make the results and assurance provided by the
auditor ‘worthless’.
3. The audit profession is governed by the IRBA, provide an explanation of the

responsibility of the IRBA
Solution:
 The responsibility of the IRBA is to take care of the interest of professional
auditors. Affairs such as registration, training, accreditation with
professional bodies, education and the prescribed ethical and competent
standards are dealt with by the IRBA.
 The IRBA is responsible for the protection of the public when dealing with
registered auditors and to part take in disciplinary measures against
members who are in transgression of the rules
Activity – Solution
An auditor should possess skills that are of a high quality as all stakeholders and users
of financial information place reliance on the opinions given by audits when making
financial decisions regarding an entity.
1.7 Summary
The role of an auditor is imperative in the strengthening of the credibility of financial information that is presented
to the public and the stakeholders of a company. This role is performed when auditors give an expression of their
opinions on whether or not the financial information which is presented in the financial statements of an entity is
fair and reliable. The confidence that stakeholders place on the opinion of an auditor can only be preserved if the
public accepts that auditors are professional practitioners that are clearly distinguishable from the general public
and that each individual auditor and the profession is in adherence with a strict set of codes and ethical values.
“Financial information is the lifeblood of the economy and it is vital in the interests of society (the public at large)
that such information be fair and credible”.

Unit
2: Code of Ethics for Auditors

2.1 Introduction to the Fundamental  Explain the fundamental principles of the code of ethics and
Principles of the Code of Ethics apply the code to various ethical scenarios
2.2 Threats to Compliance with the  Demonstrate knowledge of the possible threats that could
Fundamental Principles of the Code impact an auditor’s compliance with the code of ethics
of Ethics
2.3 Safeguards Against Threats to the  Provide explanations of safeguards that could be implemented
Principles of the Code of Ethics to prevent threats against the principles of the code of ethics
Prescribed Textbook

and Stent, LexisNexis Publishers, 2019
 Coetzee, P., du Bruyn, R., Fourie, H. and Plant K. (2019). Performing
Internal Audit Engagements. 6th Edition. Lexis Nexis.

2.1 Introduction to the Fundamental Principles of the Code of Ethics

Registered accountants and auditors have a general responsibility to part take in actions that are in the best
interest of the public. The code of ethics highlights the fundamental principles that govern the ethical behaviour
of an accountant and auditor and also provides a framework which can be applied to dilemmas of an ethical
nature.
2.1.1 Basis of the code of ethics

The approach provided by the code of ethics governs the manner in which accountants and auditors
behave and ensure compliance with the fundamental principles included in the code of ethics.
Accountants and auditors are required to constantly use their expert judgement to:
 Identify any possible threats which could affect their compliance to the ethical principles in the code
 Asses the consequences of the threats and appropriately apply the necessary safeguards which
will assist in reducing or eliminating these threats to ensure compliance with the principles remain
unaffected
 The conceptual framework can only be applied once the accountant or auditor has a thorough
understanding of the fundamental principles, the threats which could prevent compliance with the
principles and the safeguards that can be applied to eliminate these threats
2.1.2 THE FUNDEMENTAL PRINCIPLES OF THE CODE OF ETHICS
A. Integrity
 The principle of integrity imposes an obligation on all chartered accountants to be
straightforward and honest in all professional and business relationships.
 Integrity implies fair dealing and truthfulness.
 A chartered accountant shall not knowingly be associated with reports, returns, communications
or other information where the chartered accountant believes that the information:
 Contains a materially false or misleading statement
 Contains statements or information furnished recklessly
 Omits or obscures information required to be included where such omission or obscurity
would be misleading.
 If the chartered accountant becomes aware that there has been association with such
information, they must take steps to be disassociated from that information.

B. Objectivity
 The principle of objectivity imposes an obligation on all chartered accountants not to compromise
their professional or business judgment because of bias, conflict of interest or the undue influence
of others.
 A chartered accountant may be exposed to situations that may impair objectivity. It is

impracticable to define and prescribe all such situations. A chartered accountant shall not perform
a professional service if a circumstance or relationship biases or unduly influences the chartered
accountant’s professional judgment with respect to that service.
C. Professional Competence and Due Care

 The principle of professional competence and due care imposes the following obligations on all
chartered accountants:
 To maintain professional knowledge and skill at the level required to ensure that clients
receive competent professional service
 To act diligently in accordance with applicable technical and professional standards
when providing professional services
 Competent professional service requires the exercise of sound judgment in applying professional
knowledge and skill in the performance of such service. Professional competence maybe divided
into two separate phases:
 Attainment of professional competence
 Maintenance of professional competence
 The maintenance of professional competence requires a continuing awareness and an

understanding of relevant technical, professional and business developments. Continuing
professional development enables a chartered accountant to develop and maintain the
capabilities to perform competently within the professional environment.
 Diligence encompasses the responsibility to act in accordance with the requirements of an

assignment, carefully, thoroughly and on a timely basis.
 A chartered accountant shall take reasonable steps to ensure that those working under the
chartered accountant’s authority in a professional capacity have appropriate training and
supervision.
 Where appropriate, a chartered accountant shall make clients, employers or other users of the
chartered accountant’s professional services aware of the limitations inherent in the services.

 A chartered accountant shall not undertake or continue with any engagement which the chartered
accountant is not competent to perform, unless the chartered accountant obtains advice and
assistance which enables the chartered accountant to carry out the engagement satisfactorily.
D. Confidentiality
 The principle of confidentiality imposes an obligation on all chartered accountants to refrain from:
 Disclosing outside the firm confidential information acquired as a result of professional
and business relationships without proper and specific authority or unless there is a
legal or professional right or duty to disclose
 Using confidential information acquired as a result of professional and business
relationships to their personal advantage or the advantage of third parties.
 A chartered accountant shall maintain confidentiality, including in a social environment, being

alert to the possibility of inadvertent disclosure, particularly to a close business associate or a
close or immediate family member
 A chartered accountant shall maintain confidentiality of information disclosed by a prospective

client or employer
 A chartered accountant shall maintain confidentiality of information within the firm or employing
organisation.
 A chartered accountant shall take reasonable steps to ensure that staff under the chartered
accountant’s control and persons from whom advice and assistance is obtained respect the
chartered accountant’s duty of confidentiality.
 The need to comply with the principle of confidentiality continues even after the end of
relationships between a chartered accountant and a client. When a chartered accountant
acquires a new client, the chartered accountant is entitled to use prior experience. The chartered
accountant shall not, however, use or disclose any confidential information either acquired or
received as a result of a professional or business relationship.
 As a fundamental principle, confidentiality serves the public interest because it facilitates the free
flow of information from the chartered accountant’s client or employing organization to the
chartered accountant.

 Disclosure is permitted by law and is authorized by the client or the employer.
 Disclosure is required by law in the following instances:
 Production of documents or other provision of evidence in the course of legal

proceedings; or
 Disclosure to the appropriate public authorities of infringements of the law that come to
light
 There is a professional duty or right to disclose, when not prohibited by law:

 To comply with the quality review of a member body or professional body
 To respond to an inquiry or investigation by a member body or regulatory body
 To protect the professional interests of a chartered accountant in legal proceedings
 To comply with technical and professional standards, including ethical requirements.
 In deciding whether to disclose confidential information, relevant factors to consider include:

 Whether the interests of all parties, including third parties whose interests may be
affected, could be harmed if the client consents to the disclosure of information by the
chartered accountant
 Whether all relevant information is known and substantiated (disclosing unsubstantiated
facts or incomplete information could be unfairly damaging to other parties and is
unprofessional)
 Whether the method or type of communication is appropriate and the recipient of the
information is appropriate, e.g. going on a popular TV talk show and disclosing
confidential information about say, alleged fraud at a client company would not be
appropriate.
E. Professional Behaviour
 The principle of professional behaviour imposes an obligation on all chartered accountants to
comply with relevant laws and regulations and avoid any conduct that the chartered accountant
knows or should know may discredit the profession. This includes conduct that a reasonable and
informed third party, weighing all the specific facts and circumstances available to the chartered
accountant at that time, would be likely to conclude adversely affects the good reputation of the
profession.

 In marketing and promoting themselves and their work, chartered accountants shall not bring the
profession into disrepute. Chartered accountants shall be honest and truthful and not:
 Make exaggerated claims for the services they are able to offer, the qualifications they
possess, or experience they have gained
 Make disparaging references or unsubstantiated comparisons to the work of others.
 Multiple firms:
 An individual chartered accountant is permitted to be a member of more than one registered
firm and some other type of professional firm providing professional services. It is also
permissible to practice under different firm names for different offices, provided this does not
mislead.
 Individual chartered accountants who are members of registered audit firms as well as being
members of other accounting or consulting firms that provide professional services and have
individual members who are not chartered accountants, must ensure there is a clear distinction
between the different firms and the members thereof, and that they do not unwittingly
contravene section 41(2) of the Act, or cause it to be contravened by the members of those
other accounting or consulting firms who are not individual chartered accountants.
 Signing convention for Reports or Certificates:

 A chartered accountant shall not delegate to any person who is not a partner, or
fellow director, the power to sign audit, review or other assurance reports or
certificates that are required, in terms of any law or regulation, to be signed by the,
chartered accountant responsible for the engagement. In specific cases where
emergencies of sufficient gravity arise, however, this prohibition may be relaxed,
provided the full circumstances giving rise to the need for delegation are reported
both to the client of the chartered accountant concerned and to the Regulatory Board,
where applicable.
 The individual chartered accountant responsible for the audit, review or other
assurance engagement9 shall, when signing any audit, review or other assurance
report or certificate, reflect the following:
 the individual chartered accountant’s full name
 if not a sole proprietor, the capacity in which they are signing, namely as
the ‘partner’ or ‘director’
 the designation ‘Chartered accountant’ underneath their name
 if not set out on the firm’s letterhead, the name of the chartered
accountant’s firm.

2.2 Threats to Compliance with the Fundamental Principles of the Code of Ethics
Once the fundamental principle included in the code of ethics have been identified, the following circumstances
which pose threats to an auditor’s compliance to the fundamental principles will need to be examined.
Threats are categorised in the code as follows:
A. Self-interest threats:
 A self-interest threat is a threat whereby a financial or other interest influences the behaviour or
judgement of a chartered accountant or auditor which results in him acting in the best interest of himself
rather than his client. For example:
 A chartered accountant holds shares in a client that he is auditing – Objectivity is threatened
 If an audit or accounting firm’s survival is dependent on fees from a single client – Objectivity is
threatened
 An audit team member becomes an employee if the client once the audit has been completed -
Objectivity is threatened
 The client is pressurising the audit firm to provide them with a reduced fee - Objectivity, professional
competence and due care is threatened as the team will be forced to “cut corners” in order to save
on fees
 Information of a financial nature is obtained from the board of directors by the engagement client
which can be used for his own financial gain – Confidentiality, objectivity, professional behaviour
and integrity is threatened
B. Self-review threats
 “Threats that a chartered accountant will not appropriately evaluate the results of a previous service
performed by the chartered accountant or by another individual in his firm, on which the chartered
accountant will rely as part of a current service”.
 For example:
 A financial accountant who was employed by an audit client took his resignation and was hired by
the audit firm which conducts the audits for his previous employer. He was subsequently placed on
the audit team for an audit that is being currently conducted at his previous employment - Objectivity,
due car and professional competence are threatened.
 A frim who designed and implemented the internal control system for a client is also hired to perform
an audit at the company - Objectivity and professional competence and due care is threatened as
the team will make the assumption that the clients internal controls are effectively working due the
fact that they had designed the controls.

C. Advocacy threats
 “Threats may arise when a chartered accountant promotes a client’s position to a point that his
subsequent objectivity may be compromised for example: A chartered accountant values a client’s
shares and then leads the negotiations on the sale of the client’s company”.
D. Familiarity threats
 Threats which can arise from a relationship of a personal nature that the accountant has with others.
 For example:
 The acceptance of gifts or special treatment from an audit client – Objectivity is threatened as
the professional relationship which should exist between the auditor and the client is threatened.
E. Intimidation threats
 When an accountant is threatened physically or pressurised into acting in a manner which impacts
their objectivity.
 For example:
 The chartered accountant of a business is neglects to disclose fraud that is being committed by
his head of department as he is afraid that he might also be dismissed – Integrity, professional
behaviour and objectivity is threatened
 “An audit firm is being threatened with dismissal from the engagement (objectivity). Pressure to
accept an inappropriate decision on an accounting matter, is exerted by the client’s financial
director on a young, inexperienced audit manager- Objectivity and integrity are threatened”
Note: All threats do not neatly and perfectly fit into the above categories, however, they should still be
addressed and dealt with.
Think Point
Why is it imperative for an auditor to address threats to the principles of the

code of ethics?
2.3 Safeguards Against Threats to the Principles of the Code of Ethics

All significant threats require safeguards to be implemented which will assist in the elimination or reduction of the
threat to an acceptable level. There is no ‘set and stone’ formula for evaluating the significance of a threat. The
decision will be based on the professional judgements of the chartered accountant which should consider the

interest of the public and it should be a decision which any other reasonable third party would make after taking
the relevant information into account.
2.3.1 Categories of safeguards:

A. Safeguards created by the profession, legislation or regulation:
 The companies act prevents an audit firm from being responsible for an audit for a period
exceeding 5 years as this enhances the independence and objectivity of the audit by
preventing the threat of familiarity.
 Entry into the profession should be limited to individuals who possess the correct education,
training and experience requirements.
 There should be implementation of corporate governance regulations such as the existence
of an audit committee.
 Standards of professionalism should be evaluated before accepting an engagement.
 IRBA’s or SAICA’s procedures and processes for disciplinary action should be implemented.
 The chartered accountants work should be reviewed by an external service provider to ensure
quality control.
B. Safeguards in the work environment

 Leadership from a firm which places emphasis on the significance of complying with
fundamental principles.
 Implementation of procedures and policies which enable the monitoring of quality control on
the engagements being conducted.
 Evidence of threats that have been identified, evaluated and responded to should be
documented
 Policies and procedures which regulate the relationship between the audit firm and the
engagement client should be designed and implemented.
 Mechanisms of a disciplinary nature should be designed to assist in dealing with individuals
who transgress the fundamental principles.
 Conducting independent reviews on work conducted by the engagement team.
 Rotation of personnel should exist.
 Sound procedures which ensure the protection of employees from an intimidation threats that
could come from management.

Activity
a. Why should an audit firm not be responsible for conducting an audit for a client
for a period exceeding 5 years?
b. According to the code of professional conduct, threats are categorised into the
following categories: self-interest threats, self-review threats, advocacy threats,
familiarity threats and intimidation threats. Provide an explanation of each of the
different types of threats with at least 1 example to support each explanation.
Revision Questions
1. For each of the examples listed below, indicate the fundamental principle that has
been threatened, the type of threat and provide possible safeguards against these
threats.
A. Thembi Walter is an audit partner in ABC audit firm. Thembi owns a shareholding
of 19 % in a company which is a client of the audit firm.
B. Masey Fox is the audit manager for XYZ audit firm and one of his clients has
offered him employment at the company which will include a much higher
compensation.
C. Aisha Muzuva an auditor realised that she could make an extensive amount of
money if she advises her husband to invest and purchase shares in the company
which she is conducting an audit at, however, he must purchase the shares before
the financial statements are published.
D. The financial director of Kippers Ltd has made an offer to the audit team to take
them on a weekend trip to a safari with all expenses paid for, which will become
an event that occurs on a yearly basis should all audit deadlines be met annually.
E. The financial director of GeminiTech (Pty) Ltd has a very hostile, authoritarian
and dismissive attitude towards the audit function and the entire audit team.
Solution:

Example Threat Fundamental principle that Safeguards

has been threatened
A. Thembi walter is an Self-interest Objectivity, integrity and The audit firm should design
audit partner in ABC professional behaviour – and implement a policy which
audit firm. Thembi Thembi can overlook audit indicates that employees must
owns a shareholding findings that discover not be allowed to hold shares in
of 19 % in a company discrepancies or an engagement clients
which is a client of the inconsistencies as she will company.
audit firm want to protect her
investment. Follow up and disciplinary
procedures should be
developed for employees who
fail to abide by this policy.
B. Masey Fox is the Self-interest Objectivity, integrity and Masey should be removed from
audit manager for professional behaviour – the audit engagement team or
XYZ audit firm and Masey can overlook audit the work performed by Masey
one of his clients has findings that discover should be reviewed by an
offered him discrepancies or accountant who is independent
employment at the inconsistencies as she will try from the engagement.
company which will to prevent jeopardising the
include a much higher job offer that was made to
compensation. her.
C. Aisha Muzuva an Self-interest Integrity, confidentiality, The company’s audit
auditor realised that objectivity and professional committee should be
she could make an behaviour – The Inside familiarised with the situation
extensive amount of Trader Act will be and they should implement
money if she advises contravened by Aisha as she safeguards.
her husband to invest will be acting with dishonesty
and purchase shares and making use of There should be continuous
in the company which confidential company education available to
she is conducting an information for her personal employees with regard to
audit at, however, he gain. Her objectivity will also ethical issues and compliance
must purchase the be comprised as she will not with legislation. This breach
shares before the be acting in the best interest emanates in an immediate
financial statements of the company, should her
are published.

husband own shares in the dismissal and a report to

company. authorities should be made.
D. The financial director Familiarity Objectivity, professional The audit firm should
of Kippers Ltd has competence and due care – implement a policy which
made an offer to the the professional relationship states that accepting gifts and
audit team to take which should exist between hospitality of a material nature
them on a weekend the auditor and the should be prohibited.
trip to a safari with all engagement client will be Any transgressors should be
expenses paid for, influenced by this trip. The dealt with appropriately.
which will become an financial director may expect
event that occurs on a payback for his efforts in
yearly basis should all terms of the audit team doing
audit deadlines be him certain favours when
met annually conducting audits. The
indication of possible future
trips being made should
deadlines be met will
compromise the audit team’s
abilities as they may
‘overlook’ errors to ensure
that all deadlines are met.
E. The financial director Intimidation Objectivity, professional The individuals which form part
of GeminiTech (Pty) competence and due care is of the engagement team
Ltd has a very hostile, threatened – The audit should be experienced and
authoritarian and team’s professional strong minded to ensure that
dismissive attitude judgement may be they are not easily intimidated
towards the audit compromised as they can be by the financial director and
function and the bullied into disregarding any they should be able to stand
entire audit team. problems that they discover their ground.
out due to fearing the The audit firm should perform
financial director. quality procedures and decide
if they would want to continue a
professional relationship with
the client. with

The situation can be discussed

with the clients audit committee
and the governance structure.
Activity Solutions
a. To enhance the independence and objectivity of the audit by preventing the threat
of familiarity among the auditor and the employees of the entity.
b.
Threat Explanation Situations which may create a threat

category
* APP has a close business relationship with

Self- The threat that a financial
an audit client.
interest or other interest will
* APP has the possibility of future
threat inappropriately influence
employment with an audit client in a
a professional
lucrative senior position.
accountant’s judgement
* AB holds a material number of shares in
or behaviour.
his employer.
* AB is offered an expensive gift by his

employer’s main supplier.
* APP has been requested to give an

Self-review The threat that a
opinion on a set of financial statements
threat professional accountant
prepared by individuals in his firm.
will not evaluate the
* APP has been requested to evaluate the
results of a previous
efficiency of a computerized internal
judgement made or an
control system designed and implemented
activity performed by the
by the APP for a non-audit client.
accountant or another
* AB instructed by his employer to review a
individual in the
tender document which he was
professional accountant’s
instrumental in preparing.
firm or employer.
* AB is required to provide a written report
for SARS justifying a decision he himself

recommended with regard to a tax policy

adopted by the company.
* APP acts for an audit client in resolving

Advocacy The threat that a
disputes with third parties.
* APP acts as a negotiator for the sale of a
will promote a client’s or
client’s business.
employing organizations
* AB has the opportunity to select
position to the point that
accounting policies which cast his
the professional
employer in a better financial light, but
accountant’s objectivity is
which are not necessarily the most
compromised.
appropriate. (This compromises his
objectivity).
* AB defends the actions of his employer at
a hearing into price fixing to an irrational
extent.
* APP’s daughter-in-law is the key member
Familiarity The threat that due to a
of the audit client’s financial reporting
threat long or close relationship
team.
with a client or employing
* APP has conducted the audit of the same
organization, a
client for fifteen consecutive years.
professional accountant
* AB is requested to determine a bonus to
will be too sympathetic to
be paid to a colleague who is a long term
their interests or too
friend of the AB’s family.
accepting of their work.
* AB being responsible for the financial
reporting of his employer when a close
family member makes important decisions
about disclosures to be made in the
financial statements.
* It is suggested to the APP that it would be

Intimidation The threat that a
in the APP’s best interests to ignore what
the APP perceives to be a reportable
will be deterred from
irregularity.
acting objectively by
actual or perceived

pressures including * An audit client’s senior employees adopt

attempts to exercise an aggressive attitude towards the APP’s
undue influence over the team.
accountant. * The AB is informed that he will be demoted
if he does not withdraw an allegation that
he has made against a senior manager for
involvement in tender fraud.
* The financial director of the employer has
suggested that the AB interpret the
company’s management bonus regulations
in a way which provides the largest
bonuses, or face a negative personal
performance appraisal.
(Growar and Jackson 2019: 50)
2.4 Summary
The principles in the code of ethics will assist chartered accountants and auditors to evaluate their actions and
events which may impact their ability to act in a professional manner. The principles in the code will govern the
behaviour of the accountant and auditor and it will ensure that they act in the best interest of the engagement
client.

Unit
3: Corporate Governance and
King IV

3.2 Background, Fundamental  Demonstrate an understanding of the fundamental concepts

Concepts, Application and of Corporate Governance and explain how these concepts
Disclosure of Corporate Governance apply to companies and entities in South Africa
in SA
3.3 The King IV Code of Corporate  Understand and apply the principles of the King IV Code on
Governance Corporate Governance
Prescribed Textbook


3.1 Introduction
Corporate governance is defined as “the exercise of ethical and effective leadership by the governing body
towards the achievement of governance outcomes that include ethical culture, good performance, effective
control and legitimacy”. It is important to note that ‘good corporate governance’ is not just linked with companies
that are of a large nature but can be applied to any entity as good corporate governance forms part of an intergral
system in when running a business. Coproate governance can differ across all enterprises of a different nature
and it is not necessarily a “one size fits all” situation.
3.2 Background, Fundamental Concepts, Application and Disclosure of Corporate Governance in SA

Corporate governance is defined as the framework of rules and practices by a company’s board of directors to
ensure accountability, fairness and transparency in the company’s interactions with its shareholders, creditors,
customers and other stakeholders. Management practices should always be legitimate, objective, transparent
and honourable. Acceptable principles of corporate governance are focussed mainly on the following practices:
 Shareholders should be treated equally. Their best interests should be a priority for management.
 All stakeholders of the company have legal rights and they should be treated accordingly.
 The board of directors should comprise individuals who have the necessary skills, competence and
commitment to fulfil their duties and responsibilities. The board should consist of executive and non-
executive directors.
 Ethical and responsible decision-making is a prerequisite for risk management and avoidance of lawsuits.
 Conduct should at all times be transparent to provide shareholders with a level of accountability. All
investors should have access to unambiguous and factual information.
In an attempt to promote good corporate governance among South African companies, the King Commission
drew up a summary of the best international practices in corporate governance. The First King Report on
Corporate Governance was published in 1994 in response to the increasing concern over corporate failures and
the perceived need for a formal code of corporate governance. It sought to assist companies and their directors
by providing a comprehensive set of principles and guidelines to codify, clarify and (in some circumstances)
expand upon the common law principles of corporate governance.
The Second King Report ("King II") was finalized in March 2002 and it reviewed and expanded on the first report.
The Third King Code and Report on Corporate Governance was released on 1 September 2009 ("King III"), and
became effective on 1 March 2010. It was prompted by a number of developments that had occurred since the
release of King II, including the publication of the new Companies Act 71 of 2008 ("new Companies Act"). King
IV was published on 1 November 2016 and is effective for all financial years commencing on or after 1 April 2017.
King IV moved from rules based approach to a more principle and outcomes based approach. King IV distilled
the 72 principles previously embodied in King III down to 17 principles. Recommended practices support the 17

principles. It is assumed that if these recommended practices are implemented the related principle will be
achieved. King IV has also moved from an “apply or explain’ to an “apply and explain” basis. King III required
an explanation if any principle was not applied. King IV assumes the application of all principles and companies
must explain how they have implemented each principle. King IV also provides additional guidance to different
categories of organisations such as small and medium entities, non-profit organisations, public sector
organisations and entities, municipalities and pension funds. This is to ensure a wider implementation of King IV
across all sectors.
3.3 The King IV Code of Corporate Governance

3.3.1 Definition of corporate governance
King IV for the first time has included a definition of corporate governance as follows:
- the exercise of ethical and effective leadership by the governing body towards achievement of the
following governance outcomes:
 Ethical culture
 Good performance
 Effective control
 Legitimacy
3.3.2 Objectives of King IV
King IV’s objectives are to:
 Promote corporate governance as integral to running an organisation and delivering

governance outcomes such as an ethical culture, good performance, effective control and
legitimacy
 Broaden the acceptance of the King IV by making it accessible and fit for implementation across
a variety of sectors and organisational types
 Reinforce corporate governance as a holistic and interrelated set of arrangements to be
understood and implemented in an integrated manner
 Encourage transparent and meaningful reporting to stakeholders
 Present corporate governance as concerned with not only structure and process, but also with
an ethical consciousness and conduct
(King IV,2016)

Think Point
Discuss the governance outcomes in detail and think of examples for each
outcome.
3.3.3 Legal status of King IV

The legal status of King IV, as with its predecessors, is that of a set of voluntary principles and leading
practices. Corporate governance could apply on a statutory basis as rules, as a voluntary code of
principles and practices, or as a combination of the two. In South Africa a hybrid system has developed,
as over time, some practices of good governance have been legislated in parallel with the voluntary
King codes of governance. If there is a conflict between legislation and King IV, the law prevails. (King
IV,2016).
King IV defines 17 principles to attain the four governance outcomes. The principles are supported with
recommended practices that explain what needs to be implemented to achieve each principle.
King IV refers to governing bodies in assigning responsibilities and these are defined as “the structure
that has primary accountability for the governance and performance of the organisation. Depending on
context, it includes, among others, the board of directors of a company, the board of a retirement fund,
the accounting authority of a state-owned entity and a municipal council. Members of governing body
(also referred to as those charged with governance duties) are those who are duly appointed to serve
on the governing body and/or its committee.”
3.3.4 Principles and recommended practices in the KING IV report

1. Leadership
Principle 1: The governing body should lead ethically and effectively
The recommended practices that the governing body should perform, are summarised as:
 Cultivate and exhibit collectively and individually, characteristics of integrity, competence,
responsibility, accountability, fairness and transparency;
 Offer leadership that results in achievement of strategy and outcomes over time; and
 Disclose how they are being held to account for their leadership.

2. Organisational ethics
Principle 2: The governing body should govern the ethics of the organisation in a way that supports the
establishment of an ethical culture
The recommended practices that the governing body should perform are summarised as:
 Set the direction for ethics in the organisation;
 Approve codes of conduct and ethics policies as well as ensure that they include all stakeholders
and key ethical risks;
 Ensure that there are ways for stakeholders to be made familiar with the codes of conduct and
ethics policies;
 Delegate implementation of codes of conduct and ethics policies to management and provide
ongoing oversight of this management, including results in such matters as recruitment, employee
remuneration, supplier selection, breach management, whistleblowing and independent
assessments; and
 Disclose how ethics are being managed, focus areas, monitoring measures and how ethical
outcomes are addressed.
3. Responsible corporate citizenship

Principle 3: The governing body should ensure that the organisation is and is seen to be a responsible
corporate citizen.
 Set the direction for good corporate citizenship, including compliance with the Constitution, laws,
standards and own policies and procedures, as well as congruence with the organisation’s purpose,
strategy and conduct;
 Oversee and monitor (using agreed performance indicators and targets) the organisations status
as a good corporate citizen in such areas as the workplace, economic behaviours and results,
societal and environmental impacts; and
 Disclose how corporate citizenship is managed, current and future focus areas, monitoring
measures and how corporate citizenship outcomes are addressed.
4. Strategy and performance

Principle 4: The governing body should appreciate that the organisation’s core purpose, its risks and
opportunities, strategy, business model, performance and sustainable development are all inseparable
elements of the value creation process.
 Steer and set the direction, purpose and strategy of the organisation;

 Delegate to management the formulation and thereafter approval of strategy with due reference to
timelines, risks and opportunities, resources and relationships, legitimate expectations of
stakeholders, changes in the six capitals and the inter-connectedness and interdependencies of all
these factors;
 Approve managements policies and operational plans, including key performance measures and
targets
 Delegate the implementation of policy and plans to management;
 Oversee implementation of the strategy and plans by management against the agreed performance
measures and targets;
 Oversee that there is ongoing assessment and response to any negative consequences for the
economy, society and environment by the company using its 6 capitals; and
 Be alert to the organisation’s general viability, reliance and effect on its capitals, solvency and
liquidity and its going concern status.
5. Reporting
Principle 5: The governing body should ensure that reports issued by the organisation enable
stakeholders to make informed assessments of the organisation’s performance, and its short, medium
and long-term prospects.
 Set the direction, approach and conduct for the organisation’s reporting;
 Approve the reporting frameworks to be used;
 Oversee that the various reports are compliant with legal reporting requirements and meet the
reasonable and legitimate needs of material stakeholders;
 Ensure that an annual integrated report is issued (either as a stand-alone report or as part of
another report);
 Approve the bases for determining materiality for the purposes of including in reports;
 Ensure the integrity of external reports; and
 Oversee publication and access by stakeholders of the King Code™ disclosure requirements,
integrated reports, financial statements and other external reports on its website or other
appropriate platform/media.

6. Primary roles and responsibilities of the governing body

Principle 6: The governing body should serve as the focal point and custodian of corporate governance
in the organisation
 Exercise its leadership role; have a charter; approve a protocol for it, its committees and members to get
professional advice; approve a protocol for non-executive members to get documentation and meetings
with management;
 Disclose the number of its meetings and attendance thereof,
 Discharge its responsibilities in relation to its charter.
7. Composition of the governing body

Principle 7: The governing body should comprise the appropriate balance of knowledge, skills, diversity
and independence for it to discharge its governance role and responsibilities objectively and
effectively.
Composition of the governing body

 Direct and approve the processes for attaining an appropriate composition;
 Consider an appropriate size for itself, with reference to the optimal mix of knowledge, skills, experience,
diversity, independence (i.e. executive, nonexecutive and independent non-executive members),
sufficiency in numbers for its committees, quorum requirements, regulatory requirements and diversity
targets;
 Comprise of a majority of non-executive members, most of whom should be independent
 Appoint as a minimum the CEO and one other executive to the governing body;
 Promote diversity in its membership (age, culture, race, gender and fields of expertise) and set targets for
race and gender representation in its composition;
 Arrange for periodic and staggered rotation of its membership; and
 Establish a succession plan for its membership
Nomination, Election and Appointment of members to the governing body

 Approve nominations as a whole and ensure that the process for nomination, election and appointment is
formal and transparent;
 Consider the collective attributes and diversity needed, as well as whether the candidate is ‘fit and proper’
prior to potential member nomination;

 Consider the past performance of a member prior to nomination for re-election, and for potential
nonexecutive directors request information of other commitments and whether he/she has sufficient
time;
 Investigate and verify potential member’s backgrounds and qualifications;
 Disclose potential candidates profile and commitments, as well as governing body’s endorsement, with
annual general meeting notices; and
 After election of an incoming member, issue a letter of appointment, provide induction and for
inexperienced members a mentor and training. Obtain ongoing professional development.
Independence and conflicts

 Obtain annually (or whenever there is significant change) from each member a declaration of all
interests and related parties;
 Obtain declarations from each member prior to any meeting of the governing body or its committees,
any conflict of interest and proactively manage them;
 Categorise non-executive members as independent if when judged by a reasonable and informed
third-party they would conclude that there are no factors which could cause undue influence or biased
decision-making;
 Assess independence of a member with reference to the person being:
 a provider of funding or capital (or an employee, officer or a representative of the same);
 a share incentive scheme participant;
 an owner of securities material to the member;
 employed as an executive in prior 3 years (or is related party to such executive);
 the auditor (or key audit team member) in past 3 years;
 an advisor; governing body member or executive of a significant customer or supplier;
 governing body member or executive of a related party organisation;
 entitled to remuneration that is linked to the organisation’s performance.
 Assess a member for independence every year after 9 years of serving as a member, and allow
continuance as an independent member if the same would be judged by a reasonable and informed
third party
 Disclose satisfaction with:
 composition of mix of governing body;
 gender and race targets and progress made;
 categorization of each director (including more information on directors serving longer than nine
years);
 member’s qualifications, experience, age, period of service, other governing body and positions held
and
 reasons for departing members

Chair of the governing body

 Elect an independent member as chair and a lead independent non-executive member;
 Document the role, responsibilities and term of the chair and lead independent non-executive member;
 Not allow the CEO to be the chair, nor allow (until after 3 years) a retired CEO to become the chair;
 Determine with the chair the number of other outside professional appointments that he/she can hold;
 Generally:
 Not allow the chair to be a member of the audit committee, chair of the remuneration committee or chair
of social and ethics committee;
 Allow the chair to be a member of the remuneration committee and social and ethics committee; Allow
the chair to be a member and/or the chair of the risk committee; Be a member of nominations committee
and may also be its chair.
 Ensure succession planning for the chair; and
 Disclose whether the chair is considered independent and the appointment of a lead non-executive and
the respective role and responsibilities of the latter.
8. Committees of the governing body

Principle 8: The governing body should ensure that its arrangements for delegation within its own
structures promote independent judgement, and assist with balance of power and the effective
discharge of its duties.
General
 Determine delegation to individual members, groups of members, standing or ad-hoc committees;
 Assume all the responsibilities itself if no delegations are made;
 Provide and approve formal terms of reference to committees, and record in writing details of delegation
to a member or group of members;
 Ensure that composition, roles and responsibilities of committees are complimentary, not
fragmented or duplicated and that there is no undue reliance or dominance by any individual
member;
 Ensure that each committee has a minimum of three members and sufficient capability and
capacity to function effectively;
 Allow any member to attend any committee meeting as an observer, and allow management to
attend by standing or ad-hoc invitation;
 Apply its mind to the information and results provided to it by its committees as delegation to a
committee does not discharge the governing body of its accountability; and

 Disclose for every committee its role and responsibilities, composition (with member’s
qualifications and experience), advisors and attendees, areas of focus, number of and
attendance at meetings, whether it is satisfied that it has fulfilled its responsibilities.
Audit Committee
 Must in terms of law establish an audit committee for certain organisations (and should consider
establishing one for those that issue audited financial statements) that has as its role to provide
independent oversight of the assurance functions and on the integrity of the annual financial
statements and other external reports;
 May delegate (in addition to any statutory duties where applicable) other governance responsibilities
such as approval of annual financial statements and risk governance (whilst ensuring sufficient time
for the latter) but remains accountable;
 Ensure that the audit committee oversees risks that may affect the integrity of external reports
 Ensure that the audit committee as a whole has the necessary financial literacy, skills and
experience, and that all members are independent non-executive members of the governing body;
 Appoint an independent non-executive chair;
 Ensure that the audit committee meets annually with external and internal auditors without
management;
 Disclose (in addition to statutory disclosure requirements) all the above general matters relating to
committee’s plus;
 a statement on the independence and specific particulars thereof for the external auditor;
 significant annual financial statement matters and how addressed;
 views on quality of external audit,
 effectiveness of the chief audit executive and internal audit;
 effectiveness of the design and implementation of internal financial controls
 effectiveness of the CFO and finance function and
 on combined assurance and the effectiveness thereof

Committee responsible for nominations of members of the governing body

 Consider allocating oversight of nomination, election and appointment process of members, succession
planning and performance evaluations to a dedicated committee or another appropriate committee;
 Ensure that nominations committee are all nonexecutive members of the governing body with the majority
members being independent; and
 Disclose the role and responsibilities, composition (with member’s qualifications and experience), advisors
and attendees, areas of focus, number of and attendance at meetings, whether it is satisfied that the
nomination committee has fulfilled its responsibilities.
Committee responsible for risk governance

 Consider allocating oversight of risk governance to a dedicated committee or another appropriate
committee;
 Consider one or more members to have joint membership if the audit and risk committees are separate;
 Ensure that the risk committee has executive and non-executive members of the governing body with a
majority being non-executive; and
 Disclose the role and responsibilities, composition (with member’s qualifications and experience),
advisors and attendees, areas of focus, number of and attendance at meetings, whether it is satisfied
that the risk committee has fulfilled its responsibilities.
Committee responsible for remuneration

 Consider allocating oversight of remuneration governance to a dedicated committee or another
appropriate committee;
 Ensure that the remuneration committee has nonexecutive members of the governing body with a
majority being independent non-executive members and the chair being an independent non-executive
member; and
that the remuneration committee has fulfilled its responsibilities.
Social and ethics committee

 Must in terms of law establish a social and ethics committee for certain organisations, and should
consider establishing one where not law, to have oversight of and report on organisational ethics,
corporate citizenship, sustainable development and stakeholder relationships or add this to another
appropriate committee;
 Ensure that the social and ethics responsibilities include any statutory duties plus any other it may be
delegated by the governing body;

 Ensure that the social and ethics committee has executive and non-executive members with a majority
being non-executive members of the governing body; and
that the social and ethics committee has fulfilled its responsibilities.
9. Evaluation of the performance of the governing body

Principle 9: The governing body should ensure that the evaluation of its own performance and that of its
committees, its chair and its individual members, support continued improvement in its performance and
effectiveness.
 Assume responsibility for performance evaluations of itself, its committees, its chair and individual
members;
 Appoint a lead independent director if there is not one to lead the evaluation of the chair;
 Ensure that every two years and externally facilitated performance evaluation (or one not in
accordance with the approved methodology of the governing body) is conducted on itself, its
committees, its chair and individual members; and every alternate year reflect on the performance
of itself, its committee, its chair and its members as a whole; and
 Disclose a description of the performance evaluations, scope, formality, whether or not externally
facilitated, an overview of results and remedial actions, whether it is satisfied that it is improving its
performance and effectiveness.
10. Appointment and delegation to management

Principle 10: The governing body should ensure that the appointment of and, delegation to, management
contribute to role clarity and the effective exercise of authority and responsibilities.
CEO appointment and role

 Appoint the CEO, who should be responsible to lead strategy implementation, report to the
governing body and agree membership of other governing bodies; and
 Satisfy itself on CEO succession planning.
Delegation
 Reserve certain powers and matters to itself and set those powers and matters to be delegated
to management via the CEO;

 Approve a delegation of authority framework, including specific authority to appoint ex-officio

executive members and management;
 Oversee that key management functions are led by a competent and appropriately authorized
individual and are adequately resourced;
 Satisfy itself on succession planning for executive management and key positions; and
 Disclose whether it is satisfied with the delegation of authority framework.
Professional corporate governance services to the governing body

 Ensure that it has access to professional and independent guidance on legal and corporate
governance matters and for the functioning of it and its committees;
 Unless mandatory, consider appointing a company secretary/other appropriate professional;
 Approve the corporate governance services (and ensure this function has authority), appointment of
company secretary/ other professional, contract, remuneration and necessary qualities;
 Remove the company secretary/other professional
 Ensure the company secretary/other professional has access to and reports to the governing body
via the chair for statutory matters and governing body matters and to an appropriate executive on
other matters;
 Evaluate annually the performance and independence of the company secretary/other professional;
and
 Disclose the access to professional corporate governance services and the view on effectiveness
thereof.
11. Risk governance

Principle 11: The governing body should govern risk in a way that supports the organisation in setting
and achieving its strategic objectives
 Set the approach for risk governance, including opportunities and risks when developing strategy and
the potential positive and negative effects of the same risk on the achievement of objectives;
 Treat risk as integral part of decision-making and adherence to duties, approve risk policy, evaluate
and agree the risks it is prepared to take (i.e. risk appetite and risk tolerance levels)
 Delegate to management risk management implementation;
 Oversee the risk management (including assessment of risks and opportunities in relation to the triple
context and use of 6 capitals, achievement of objectives, dependency on resources as well as the risk
responses, business continuity and culture of the organization);
 Consider receiving periodic, independent assurance on the effectiveness of risk management; and

 Disclose nature and extent of risks and opportunities; overview of the risk management system; areas
of focus; key risks, unexpected risks, risks taken outside tolerance levels; and actions to monitor and
address risk management.
Think Point
Which individuals in an organisation are responsible for risk management

processes?
12. Technology and information governance

Principle 12: The governing body should govern technology and information in a way that
supports the organisation setting and achieving its strategic objectives.
The governing body should:

 Set the approach and approve the policy for technology and information governance (including
adoption of appropriate frameworks and standards);
 Delegate to management effective technology and information implementation;
 Oversee results of managements implementation (including integration, business resilience,
monitoring for responsiveness to cyber security and social media risks, third-party and outsourced
service provider risks, value delivered from technology investments and projects, disposal of
obsolete technology and information, ethical and responsible use and compliance with laws);
 Oversee management of information (including use, information architecture, protection of privacy
and security);
 Oversee management of technology (including technology architecture, sourcing risks,
developments and disruptions);
 Consider receiving periodic, independent assurance on the effectiveness of the technology and
information, including outsourcing; and
 Disclose overview of governance and management; areas of current and future focus; significant
changes, acquisitions, incident management; monitoring and response thereto.
13. Compliance governance

Principle 13: The governing body should govern compliance with applicable laws and adopted,
non-binding rules, codes and standards in a way that supports the organisation being ethical
and a good corporate citizen.

 Direct the governance of compliance to laws, adopted non-binding rules, codes and
standards;
 Approve policy that directs compliance;
 Delegate to management the responsibility for implementing compliance management;
 Oversee compliance management so that it is understood, relates holistically and is
responsive to changes and developments following continuous monitoring of the
regulatory environment; and
 Disclose an overview of compliance management; areas of current and future focus;
actions to monitor and address compliance management; material or repeated sanctions,
fines and penalties on the organization, its officers and/ or members; environment
regulator inspections and incidents of noncompliance and the consequences.
14. Remuneration governance

Principle 14: The governing body should ensure that the organisation remunerates fairly,
responsibly and transparently so as to promote the achievement of strategic objectives and
positive outcomes in the short, medium and long term.
Remuneration policy
 Set the direction and approach for remuneration of the organization and approve
remuneration policy that aspires to fairness, responsibility and transparency;
 Design the remuneration policy to attract and retain human capital, promote achievement
of strategic objectives, positive outcomes, an ethical culture and responsible corporate
citizenship;
 In the remuneration policy, address organization-wide remuneration and that of executive
management such that it is fair and responsible, use appropriate measures and outline
voting by shareholders;
 In the remuneration policy set out all elements of remuneration; and
 Oversee implementation of the policy so as to ensure achievement of the policy objectives.
Remuneration report
Disclose the remuneration report in three parts;
I. background statement;
II. main policy provisions; and
III. an implementation report of all remuneration to members and executive management.

I. Background statement
In the remuneration background statement, provide information on:
 context and decision-making factors;
 results of voting on the policy and implementation report and responses thereto;
 current and future focus areas;
 key decisions and changes; and
 use of remuneration consultants and if the remuneration committee was satisfied with
their independence and objectivity, and if they were satisfied as to whether the policy
achieved its objectives.
II. Overview of remuneration policy

In the remuneration policy, disclose:
 an overview of the main policy provisions;
 remuneration principles and elements for executive management and at a high level for
the organization, executive termination arrangements;
 the framework and performance measures including an illustration thereof;
 how the policy addresses fairness between executive pay and employee pay?
 benchmarks;
 basis for non-executive member fees and
 an electronic link to the policy for public access.
III. Implementation report

In the implementation report disclose the remuneration if each executive member
including vested and unvested award details, performance measures, targets and
achievement thereto, termination payments and a statement on compliance to or deviation
from the remuneration policy.
Voting on remuneration
For companies:
 comply with the Companies Act provisions relating to shareholder special resolution
approval every two years for non-executive members;
 table annually the remuneration policy and implementation report at the AGM, and record
voting results;
 take measures to address dissenting votes where they are 25% or more against the policy
and/or the implementation report; and

 disclose in the background statement, actions taken to engage with and address concerns
in the event of 25% or more dissenting vote.
15. Assurance
Principle 15: The governing body should ensure that assurance services and functions enable
an effective control environment, and that these support the integrity of information for internal
decision-making and of the organisation’s external reports
I. Combined Assurance
 Direct assurance services and functions and delegate to the audit committee oversight to
ensure an effective internal control environment, integrity of information for management
decision making and external reporting;
 Ensure a combined assurance model is applied that covers the significant risks and
material matters through a combination of the organisation’s line functions, risk and
compliance functions, internal auditors, fraud examiners, safety assessors, actuaries,
external auditors, other assurance providers and regulatory inspectors; and
 With its committees, assess output of the combined assurance and form their own opinion
on integrity of information and reports and effectiveness of the control environment.
II. Assurance of external reports

 Direct how assurance of external reports should be done taking account of legal
requirements as well as whether assurance is provided over the underlying data or the
process of preparing and reporting or both, suitability of the assurance, specifications for
evaluating the contents of the report;
 Satisfy itself as to the effectiveness of the combined assurance approach as a basis for
making its statements on the integrity of external reports; and
 Disclose in external reports the type of assurance applied including nature, scope and
extent of assurance on the report, and a statement on the integrity of the report and basis
for the statement.
III. Internal audit

 Direct internal audit and delegate oversight to the audit committee;
 Approve an internal audit charter and ensure internal audit has sufficient and adequate
skills, including supplementary specialists;
 If there is a CAE and internal audit function, ensure that it is independent of management;

 Approve the appointment, contract and remuneration of the CAE whilst ensuring that he/
she is suitably capable;
 Ensure the CAE has access to the audit committee chair, but that the CAE is not a member
of the executive;
 Ensure that if internal audit is outsourced that there is clarity on who is the CAE;
 Ensure that the CAE reports to the chair of the audit committee on internal audit duties
and on other matters to a designated executive;
 Be responsible for removal of the CAE;
 Monitor that internal audit follows a risk-based plan, reviews the risk profile regularly and
adapts the plan accordingly;
 Ensure internal audit makes an annual statement on the effectiveness of the governance,
risk management and controls;
 Ensure that the internal audit is externally and independently reviewed every 5 years; and
 Confirm annually with the CAE that the internal audit function conforms to a code of ethics.
16. Stakeholders
Principle 16: In the execution of its governance roles and responsibilities, the governing body
should adopt a stakeholder–inclusive approach that balances the needs, interests and
expectations of material stakeholders in the best interests of the organisation over time
I. Stakeholders relationships
 Direct the stakeholder approach and approve policies to this effect;
 Delegate to management effective stakeholder relationship management;
 Oversee the management of stakeholder relationships including methodology for
identification, material stakeholders, management of stakeholder risk, formal mechanisms
for engagement and communication, and measurement of quality of stakeholder
engagement; and
 Disclose an overview of stakeholder management, current and future focus areas and
actions taken to monitor and address stakeholder engagement effectiveness.
II. Shareholder relationships

 In the case of a company that has shareholders, oversee that there is encouragement of
proactive shareholder engagements;

 In the case of a company, ensure that all directors are available at the AGM, that the
external audit partner is at the AGM and that the minutes of the AGM of listed companies
are made publically available; and
 In the case of a company, ensure equal treatment of all shareholders and that minority
interests are protected.
III. Relationships within a group of companies

 In the case of a holding company, direct the group relationships and power and approve
a group governance framework that does not contain any conflicts;
 In the case of a holding company, include the subsidiary company board are included in
developing the group governance framework and ensure that there is recognition of the
subsidiary as a separate person to whom the subsidiary board owes fiduciary duties;
 In the case of a holding company, ensure that the group governance framework includes,
role of the holding company; where appropriate delegation of certain matters of a
subsidiary to the holding company; extent of adoption of holding company policies by the
subsidiary; prior engagement with the subsidiary company before appointing directors,
arrangements to reduce risk of a director who has a cross-holding misusing information
between companies;
 In the case of a holding company ensure that the agreed governance framework is
implemented across the group;
 In the case of a holding company, disclose the group governance arrangement; and
 In the case of a subsidiary company, disclose the responsibilities delegated to holding
company committees and extent of holding company policies adopted.
17. Responsibilities of institutional investors

Principle 17: The governing body of an institutional investor organisation should ensure that
responsible investment is practiced by the organisation to promote the good governance and
the creation of value by the companies in which it invests”
The recommended practices that the governing body should perform, are summarised as
follows:
In the case of an institutional investor:
 direct how responsible investing will take place, approve policy for responsible
investing;
 delegate to management and/or outsource manager the implementation for
responsible investing policy;

 oversee that the formal outsourcing mandate incorporates the responsible investment
policy;
 ensure accountability for complying with the formal mandate; and
 disclose the responsible investment code adopted and its application thereof.
Revision Question
Question 1
The audit committee play an imperative role in the decision making process of an entity,
regarding the performance of audits, discuss matters which should be disclosed to the
audit committee.
Solution 1
 a statement on the independence and specific particulars thereof for the external
auditor;
 significant annual financial statement matters and how addressed;
 views on quality of external audit,
 effectiveness of the chief audit executive and internal audit;
 effectiveness of the design and implementation of internal financial controls
 effectiveness of the CFO and finance function and
 on combined assurance and the effectiveness thereof
Question 2
“Corporate governance is the system of rules, practices and processes by which a firm
is directed and controlled. Corporate governance essentially involves balancing the
interests of a company's many stakeholders, such as shareholders, management,
customers, suppliers, financiers, government and the community”. With the above
definition in mind, discuss the objectives of the KING IV report on corporate governance.
 Promote corporate governance as integral to running an organisation and

delivering governance outcomes such as an ethical culture, good performance,
effective control and legitimacy.
 Broaden the acceptance of the King IV by making it accessible and fit for
implementation across a variety of sectors and organisational types.

 Reinforce corporate governance as a holistic and interrelated set of

arrangements to be understood and implemented in an integrated manner.
Encourage transparent and meaningful reporting to stakeholders.
Present corporate governance as concerned with not only structure and process,
but also with an ethical consciousness and conduct.
3.4 Summary
The King IV report assumes the application of all principles and companies must explain how they have
implemented each principle. This report on corporate governance serves as a major guideline for the way in
which company’s practice business.

Unit
4: General Principles of Auditing

4.2 Internal controls  Illustrate an understanding of the internal controls that are
implemented in a business and examine their purpose
4.3 Audit Evidence  Demonstrate the importance of audit evidence provided by the
auditor which is linked to the financial statement assertions
4.4 Auditors Toolbox
4.5 Audit Sampling  Examine the various forms of evidence that an auditor can
gather when conducting an audit
Prescribed Textbook



4.1 Introduction
In this chapter we will discuss the general principles of auditing and how the auditor utilises these principles when
conducting an audit for an engagement client. The controls, evidence and auditor collects, the toolbox they use
when collecting evidence and the various sampling methods that are utilised by the auditor are discussed.
4.2 Internal Controls

Prior to the discussion of internal controls in an audit context, we need to gain an understanding of the concept
of internal controls and what it entails. “Internal controls are the mechanisms, rules, and procedures implemented
by a company to ensure the integrity of financial and accounting information, promote accountability and prevent
fraud”. Internal controls need to be understood from a business perspective for auditors. Management has the
responsibility of running the day-to-day activities of an entity. Business objectives are set in place, risks that could
prevent management from achieving those objectives are identified and suitable policies are implemented to
address these risks.
Risks associated with the following matters are addressed:
 The assets of an entity need to be safeguarded from any theft or damage;

 Prevention of fraud;
 Compliance with laws and regulations applicable to the entity;
 Production of financial information that is reliable and satisfies the financial reporting requirements of an
entity; and
 Effective and efficient operation of the business.
4.2.1 Internal Controls – What we know.

A. Internal controls are a process – systems and policies and procedures are designed and
implemented to assist a business in address certain risks which exist.
B. It is effected by people – internal controls do not only entail policies and procedures, it requires
the involvement of people at various levels in the organisation to perform a certain task.
C. Management does not have the sole responsibility for internal controls – the responsibility for
internal controls is shared between management, the board of directors and employees.
D. Internal controls are not static in nature – internal controls are implemented as a response to
the risks that come with operating a business, therefore, as the risks change the responses to these
risk will need to change.

E. Internal controls are not fool proof – internal controls can only provide a reasonable assurance
that any of the risks which can prevent an entity from achieving their objectives will be addressed
as internal controls have limitations (discussed below).
F. A single internal control will not be able to address a single risk – all existing internal control
policies and procedures will be required to function is conjunction with each another as the ability
to control a risk is achieved most effectively by combining these actions and policies.
4.2.2 Limitations of Internal Controls

It is not always probable to identify possible risks until certain events occur. Management therefore
designs an internal control system which, in theory, maybe very effective. However, the limitations listed
below may prevent an entity from practically achieving its objectives:
A. Managements interpretation that the cost of implementing internal control procedures outweighs
the benefits that can be expected.
B. Internal controls are generally directed at transactions that are routine in nature and transactions,
which are non-routine are ignored.
C. Carelessness, false judgements and the factor of human error.
D. Internal controls can be circumvented as a manager can possibly be in collusion with an employee
of the entity or a party that is external to the organisation.
E. The person responsible for exercising internal controls could exploit their position by overriding
controls as and when they see fit.
F. Internal controls can become inadequate due to changing circumstances and conditions which
could negatively impact on compliance with certain procedures.
Activity 1
Jabu Thulani is a junior auditor for AXY Pty (Ltd). He is currently experiencing
struggles with understating the internal control process and why internal
controls cannot be created for each possible risk that the entity could be faced
with. You are required to provide Jabu with the possible limitations that could
prevent the entity from achieving its objectives.

4.2.3 Definition of internal controls

“Internal control can be defined as the process designed, implemented and maintained by those charged
with governance, management and other personnel to provide reasonable assurance about the
achievement of an entity’s objectives with regard to the reliability of the entity’s financial reporting, the
effectiveness and efficiency of its operations and its compliance with applicable laws and regulations”.
4.2.4 Components of internal controls
1. The control environment

 The control environment of an entity is regarded as the consciousness of an entity.
 The control environment is inclusive of:

 The attitudes and functions of management and governance
 Awareness, attitudes and actions of individuals who are in charge of the governance and management
of the internal controls for an entity.
 The control environment is responsible for setting the and atmosphere of an entity in which employees
can perform their duties.
 An effective control environment is one which includes competent employees who have an
understanding of their duties and who have a degree of commitment to “do things the right way” as
these employees will have the ability to be committed to the policies and procedures of an entity in a
manner which is constructive, ethical and appropriate.
 The basis of the control environment is one of technical competence and ethical commitment and is
inclusive of the following:
 In order for controls to be effective, employees at all different levels in an entity will need to perform
with integrity and have resilient ethical characteristics.
 Every employee should be competent and committed to performing their tasks with competency.
 The participation of the board of directors and commitment to their ethical behaviour is imperative.
 Managements philosophy and operating style is a major factor of the control environment as they will
be responsible for setting an example which will emphasize and highlight the importance of having an
internal control process.
 The structure of the organisation should be effective in recognising areas that are important in terms
of the appropriate reporting lines to figures of authority.
 The assignment of authority and responsibility is imperative as individuals should have full awareness
with regard to the manner in which they exercise their authority and the extent of their authority.

 Human resources policies and practices possibly plays the most integral role in the control
environment of an entity as a company which lacks in sound policies governing its employees will have
a substandard control environment.
2. The risk assessment process of an entity

 The risk assessment process of an entity determines the manner in which an entity handles the risks
that they are faced with and how this risk in addressed. It is important to note that the objectives of an
entity will need to be thoroughly defined before the risks are identified, assessed and responded to.
 The risk assessment process is comprised of the following steps:
 The business risks that are relevant to financial reporting objective are identified;
 The likelihood and how frequently the risk can occur are assessed;
 The potential impact that the risk will have is estimated; and
 Actions that can be taken in relation to the risk is addressed.
 Risks can be described as follows:
 Operational risks – these risks threaten the achievement of effective and efficient operations in an
entities functions and departments. E.g.: Risk of inventory being stolen, risk of unauthorised persons
having access to confidential company information, the risk of payments being made for
unauthorised expenses, etc.
 Financial reporting risks – these risks affect a company’s ability to achieve the objective of
implementing a sound accounting system which will record and process transactions that have
actually occurred, have been authorised are accurate and complete. E.g.: Risk of wages being paid
to employees that are fake and do not exist, risk that journal entries and transactions that are not
authorised have been processed, risk of incorrectly calculating discounts and VAT payments, etc.
 Compliance risk – these risks impact the entities ability to comply with laws and regulations that are
applicable to them. E.g.: environmental laws, tax laws, labour laws, etc.
Subsequent to the definition of objectives and identification and assessment of risk the entity can then respond
to these risk. The response of management can entail:
 Implementing an information system and relevant business process
 Designing and implementing control activities which can assist in the reduction or elimination of
particular risks.
3. The information system and its relevant business process

 The information system will need to describe and provide the machines, documents, ledgers and
procedures which will manage the entity’s transactions through the system.

 This will include:

 The initiation of a transaction;
 The recording of a transaction;
 The processing of a transaction; and
 The posting of a transaction to relevant journals and ledgers.
 The above activities can occur in a manual environment or a computerised environment
Books and documents and document design

 It is imperative for the actions that are described above to be supported by the correct journals,
ledgers, records and documentation which is specific to each of the different transactions that take
place.
 Examples consist of sales that are supported by a customer order and an internal sale order (ISO)
form, a picking slip which will be used to pick the goods in the warehouse a dispatch or delivery note
and the invoice used to charge a customer.
 An entity should have a sales journal, debtor’s ledger and a general journal in which transactions are
recorded.
 It is imperative that these documents are designed in the proper manner as this will assist in ensuring
that transactions are complete and accurate.
 Documents should be pre-printed, pre-numbered and there should be multiple copies of each
document so that transactions are simple to trace.
4. Control activities
I. Types of control activities

Approval and authorisation
 The authorisation of a transaction entails more than just the signing of documentation. The
existence of supporting documentation must be ensured and all documentation must be thoroughly
checked to verify that transactions are valid.
Segregation of duties
 Segregation of duties is an imperative control as it plays an important role in the reduction of risks
that can emanate from actions that are illegal, inappropriate and made in error. The idea of
segregation of duties is to ensure that the procedures which are conducted in respect of
transactions must be correctly divided among various employees and the individual who is takes
custody of assets should not be the same person that is responsible for the records relating to

those assets. The greatest downfall of segregation of duties is the collusion which can occur
between employees, as discussed previously.
Isolation of responsibilities
 For internal control systems to be effectively employed, the individuals who are involved must
have full awareness of the responsibilities that are given to them, this ensures that individuals
are accountable for their specific performances. The tasks that are performed by employees must
be acknowledged by the signing of documentation which will enable the isolation of the employee
who were responsible for a specific control activity. This prevents an employee from transferring
the responsibility of a certain task onto another employee.
Access / Custody
 This control activity will be inclusive of policies and procedures that provide protection for a
company’s assets as an entity is in possession of assets and confidential information and
documentation that will need to safeguarded from any threats.
 Access/custody controls are designed with the purpose of:
 Preventing the deterioration of non-physical book assets for example: ensuring that debtors
are not late with their payments.
 Preventing use of assets that are unauthorised as well as the theft of assets (physical and
non-physical).
Comparison and reconciliation

 “A reconciliation is a comparison of two different sets of recorded information or of recorded
information and a physical asset”. There is various reconciliation process which can occur but
the main objective of conducting reconciliations is to ensure that differences re identified,
investigated and resolved.
Performance reviews
 Reviewing performances is a control activity which provides the entity with a basis for the
identification of problems. The reviewer who conducts a review will investigate for
inconsistencies and the reasonableness of the data that is under review. Conditions which
are unexpected or unusual in nature will immediately be followed up on. This control activity
is generally conducted by persons who are in a managerial position.
II. Preventative, detective and corrective control activities

Preventative controls – these are controls which are implemented to assist in the prevention and
minimisation of the occurrence of errors or illegal activities. The proactive procedures are designed

specifically to prevent a loss from occurring. Types of preventative controls are inclusive of segregation
of duties, physical control over assets and authorisation of transactions.
Detective controls - as previously discussed, internal controls cannot guarantee the prevention of all
threats or errors that an entity may face, however, errors that slip through the prevention control stage
will be dealt with in the detective control stages. These controls are designed and implemented to identify
the errors or thefts which could not be prevented. Types of detective controls are inclusive of
reconciliations and reviews and segregation of duties.
Corrective controls – corrective controls are designed and implemented to assist in providing
resolutions for the errors that have been detected by the detective controls.
5. Monitoring of controls
 This is the final element in the internal control process and entails the involvement of assessing the
performance and effectiveness of internal controls over a period of time.
 The reason management implements internal controls are to ensure that the objectives set by them are
achieved and the monitoring process will indicate to management how well their internal controls are
performing. Monitoring can be successfully achieved by management by conducting ongoing self-
assessments, the presence of supervisory employees such as head of departments as well as internal
audit and risk committees.
 “The important point about monitoring the internal control system is that if it is not carried out, neither
the board nor management will know whether the entities financial reporting is effective, operations are
being effectively and efficiently conducted and the entity is complying with applicable laws and
regulations”.
4.3 Audit Evidence

Evidence obtained during an audit play a fundamental role in the audit function as it states that “the objective of
the auditor is to design and perform audit procedures in such a way as to enable the auditor to obtain sufficient,
appropriate evidence to be able to draw reasonable conclusions on which to base the auditor’s opinion”.
4.3.1 Sufficient and appropriate evidence

1. Sufficient evidence
Sufficient audit evidence is relating to the quantity of the evidence that the auditor gathers during an
audit as the auditor will need to support any opinions that he makes based on this evidence. It is
important to note that auditors are not required to examine and evaluate every transaction, as this may

be impossible in a large entity, but they are however required to perform audit procedures on a sample
of transactions from the population. The quantity of evidence that is required cannot be easily and
precisely calculated and it is a subjective decision which requires a high degree of professional
judgement from the auditor. The quantity of the audit evidence that is required is greatly dependent on
the extent of testing that is required in the audit which will be highlighted in the audit plan.
The sufficiency of evidence can however be complicated by “the fact that evidence about an assertion
is not gathered by performing a single procedure, but by performing a number of procedures each of
which contribute some evidence. Evidence is cumulative in nature. For example, evidence relating to
the existence of debtors can be gathered by performing a debtors circularisation and by testing
subsequent receipts from debtors”.
2.. Appropriate evidence

Appropriate evidence relates to the quality of the evidence that is obtained in the audit. The quality of
evidence can be broken into reliable evidence in terms of the source and nature of the evidence and
relevant evidence in terms of the assertion that the auditor is auditing.
 Reliability – some evidence may hold more reliability than other evidence, the hierarchy of reliable
evidence is expressed as follows:
 The most reliable source of evidence is developed by an auditor. E.g.: the auditor
conducts an inspection of inventory to obtain evidence that it actually exists.
 Evidence that is provided to the auditor directly by a third party is reasonably reliable –
the third party must be a person who is independent of the entity being audited and a
reputable and competent source. E.g.: information that is obtained from the client’s
attorney.
 Evidence that is provided by a third party but has passed through the client is less
reliable. This is due to the client having access to the information and possibly tampering
with it. E.g.: bank statement that has not been directly sent to the auditor.
 Evidence generated by the computer of the client becomes more reliable when the client
has effective internal controls implemented.
 Evidence that the client directly provides to the auditor is the least reliable as it is not
independent.

 Written evidence is more reliable than evidence obtained orally as oral evidence can be
easily manipulated and evidence obtained from original copies of documents is more
reliable photocopies.
 Relevance – the relevance of audit evidence refers to how relevant the evidence obtain is in
relation to the assertion being audited.
Activity 2
The statements that follow are with regard to evidence that is sufficient and
appropriate. As a future auditor, you are required to indicate if you agree with
each statement and provide reasons for your decisions.
1. An auditor can only properly measure the appropriateness and sufficiency
of audit evidence that will be used when expressing opinions are by
utilising statistical sampling method only when they are gathering
evidence.
2. The conduction of an audit in prior years for an entity will not have any
influence when the auditor is determining if the evidence gathered is
sufficient and appropriate for the current audit.
3. The level of professional scepticism that the auditor possesses is a factor

that that has an influence on the appropriateness and sufficiency of audit
evidence.
4. When the auditor is making a decision on whether or not sufficient and

appropriate evidence has been obtained they will first need to make
considerations regarding the sufficiency of the evidence gathered.

4.3.2 Nature, extent and timing of audit evidence

The nature, timing and extent of the evidence that is collected by an order plays an important factor in
the deciding on the type and manner of evidence that needs to be collected.
Table 4.1.: Nature, Extent, and Timing of Evidence
(Jackson and Stent, 2019)
Definition Example
Which audit procedure to use? An audit Confirm the accounts receivable balance with
Nature procedure is a detailed instruction for the the customer or check accounts receivable
collection of particular audit evidence. collections after year end
Accounts receivable balanced over a threshold

a) Sample size such as R50, 000 may be labelled as one with
Extent
b) Which items to select from the population? “high-value” that will be tested. Other non-high-
value items will be selected from a population
At year end or interim phase. For example, an

Timing When to perform the particular audit inventory count observation at November 31 or
procedure and NOT how long it takes to do? July 31?
Think Point
Can you think of alternative examples which could explain the nature, extent
and timing of the audit evidence that is provided by the auditor?
4.3.3 Financial statement assertions

1 Assertions about classes of transactions and events and related disclosures

Table 4.2:
Assertions Explanation
Occurrence Transactions about events that have been recorded or disclosed, have occurred, and
such transactions and events pertain to the entity.
Completeness All transactions and events that should have been recorded have been recorded, and
all related disclosures which should have been included in the financial statements,
have been included.
Accuracy Amounts and other data relating to recorded transactions and events have been
recorded appropriately, and related disclosures have been appropriately measured and
described.
Cut-off Transactions and events have been recorded in the correct accounting period.
Classification Transactions and events have been recorded in the proper accounts.
Presentation Transactions and events are appropriately aggregated or disaggregated and clearly
described, and related disclosures are relevant and understandable in the context of
the requirements of the applicable financial reporting framework.
2 Assertions about account balances, and related disclosures, at the period end
Table 4.3
Assertions Explanation
Existence Assets, liabilities and equity interests exist.
Rights and obligations The entity holds or controls the rights to assets, and liabilities are the obligations
of the entity.
Completeness All assets, liabilities and equity interests that should have been recorded, and
all related disclosures that should have been included in the financial
statements, have been included.
Accuracy, valuation and Assets, liabilities and equity interests have been included in the financial
allocation statements at appropriate amounts and any resulting valuation or allocation
adjustments have been appropriately recorded, and related disclosures have
been appropriately measured and described.
Classification Assets, liabilities and equity interests have been recorded in the proper
accounts.

Presentation Assets, liabilities and equity interests are appropriately aggregated or

disaggregated and clearly described, and related disclosures are relevant and
understandable in the context of the requirements of the applicable financial
reporting framework.
Table 4.2 and 4.3: Financial statement assertions

3. Financial statement assertions – examples
Example 1 - When the auditor gathers evidence about sales transactions, he will be seeking evidence to
support the following assertions
Occurrence All sales included are genuine sales (not fictitious) of the entity (a genuine sale of the
company’s goods/services has occurred)
Completeness All sales which were made, have been included in the total of sales made for the
year
Accuracy All sales have been recorded appropriately : this implies prices are correct and that
the correct discount and VAT rates have been used and correctly calculated
Cut-off All sales recorded, occurred in the accounting period being audited
Classification All sales have been posted to (recorded in) the proper account. This implies that a
credit sale has been posted to the correct debtor’s account and that VAT has also
been correctly posted.
Presentation The sales transactions have been presented in terms of the disclosure requirements
of the relevant financial reporting standard.
“The auditor will also ensure that related disclosures pertaining to “sales” are complete, accurate, relevant and
understandable. The assertions which do not apply to sales are existence, (accuracy) valuation and allocation
and rights and obligation. Why is this? It is because these three assertions apply to balances in the statement
of financial position which are carried forward to the following period, and not to transactions. To explain it slightly
differently, the auditor does not try to establish that a sale existed at reporting date, he seeks evidence that the
sale which is included in total sales, actually occurred; furthermore, the auditor does not seek to value the sale
at year end, he seeks to establish that the amount of the sale was correctly recorded at the time it was made
during the year”

Example 2 - When the auditor gathers evidence about plant and equipment he will be seeking evidence
to support the following assertions:
Table 4.4: Financial statement assertions
Existence All plant and equipment included in the balance, existed at reporting date
Completeness All plant and equipment owned by the company, is included in the balance reflected
in the financial statements
Accuracy, valuation The plant and equipment has been reflected in the statement of financial position at
and allocation appropriate amounts; and that reasonable adjustments have been made for
depreciation, impairment and/or obsolescence.
Rights The company has (holds or controls) the right of ownership to the plant and
equipment reflected in the statement of financial position (any encumbrances on that
ownership must be disclosed
Presentation Plant and equipment has been appropriately aggregated/disaggregated and clearly
described, e.g. plant and equipment has been presented in the statement of financial
position aggregated with land and buildings as a separate line item under non-current
assets as property, plant and equipment and has been disaggregated in the property,
plant and equipment disclosure notes into plant and machinery, fixtures and fittings
and tools and equipment.

Activity 3
Consider the following statements with regard to financial statement

assertions and indicate if each statement is true or false. Provide suitable
explanations for your answers.
1. Carefully inspecting documents for the registration of a motor vehicle

can provide the auditor with evidence that the vehicle actually exists.
2. A sample of physical inventory items that are selected from the
inventory records of an entity which are verified by counting the stock
on hand can provide evidence that the inventory is complete.
3. The inspection of the account for repairs and maintenance for

specific items that maybe be a purchase of plant and equipment can
provide the auditor with evidence that the plant and equipment
account is complete and as well as the verification of the correct
classification for transactions relating to repairs and maintenance.
4. Inspecting lease documentation and agreements to help in

determining if all risks and rewards have been transferred over to the
client can provide evidence that relates to the valuation of the leased
asset.
5. Observation of the receiving clerk when he/she is counting the goods

that the company supplier delivers can provide evidence that the
purchases are arcuate.
6. Re-performance of calculations such as depreciation for PPE

provides the auditor with evidence that relates to the valuation of the
asset.
7. The conduction of a positive debtors circularisation provides the

auditor with evidence regarding the valuation of the accounts
receivables account.

4.4 Auditors Toolbox

The auditor can carry out analytical procedures to assess risk as well as when performing substantive procedures
which provide evidence that supports the assertions of the financial statements. Analytical procedures, however,
do not test the effectiveness of internal controls.
4.4.1 Internal controls are tested by using the following procedures:
Table 4.5: Financial statement assertions

Inspection Involves examining records or documents, whether internal or external, in paper
form, electronic form or other medium, e.g. inspecting a purchase order for an
authorizing signature or a physical examination of an asset, e.g. inspecting a piece
of equipment for evidence of its existence and condition.
Observation Consists of looking at a process or procedure being performed by others, or of

observing the performance of control activities, e.g. observing an inventory count
performed by the client’s employees
External confirmation Involves obtaining a direct written response from a third party to a request/query from
the auditor to that third party in paper form or by electronic or other medium, e.g. the
auditor requests a client’s debtors to confirm the amounts owed to the client at
reporting date.
Recalculation Consists of checking manually or electronically, the mathematical accuracy of

documents or records.
Re-performance Involves the auditor’s independent execution of procedures or controls that were
originally performed as part of the entity’s internal control.
Analytical procedures Involves evaluating financial information through analysis of plausible relationships
among both financial and non-financial information.
Inquiry Consists of seeking information, both financial and non-financial from knowledgeable
persons within the entity or outside the entity.
4.4.2 Vouching and verifying

 Vouching – relates to the verification of balances and verifying – relates to balances. Vouching and
verifying is a collection of substantive procedures.
 E.g.: To vouch a sales transaction the auditor will conduct an inspection of documentation, may
make enquiries relating discounts and may verify the mathematical precision of the invoice by

recalculation. To authenticate the debtors, balance the auditor can acquire confirmation in writing
from each debtors and can enquire as to what steps were used to calculate the allowance for bad
debts and thereafter perform a debtors’ age analysis.
4.5 Audit Sampling

It is nearly impossible for an auditor to conduct an examination of all samples that are in a population as
populations are often very large. Auditing every item in a population would be a waste of resources and time.
“ISA 530 – Audit Sampling requires that when designing audit procedures, the auditor should determine
appropriate means for selecting items for testing so as to gather sufficient, appropriate audit evidence to be able
to draw reasonable conclusions on which to base the auditor’s opinion. The statement deals with the auditor’s
use of statistical and non-statistical sampling when designing and selecting the audit sample, performing tests of
controls and tests of detail, and evaluating the results from the sample”.
4.5.1 Test of controls and sampling

Once the auditor has an understanding of how the internal control and accounting systems operate,
they will have the ability to identify the features that will indicate how well a control procedure is
performing. Once the auditor identifies the indicators the control can then be tested by performing an
extraction of a sample of items from the population. E.g.: Verifying that the credit controller has signed
and approved customers’ orders – the auditor will obtain a sample of orders and inspect that the credit
controller has authorised each order.
4.5.2 Substantive procedures and sampling

The concern of substantive procedures deals with balances and amounts of transactions and the auditor
use sampling to collect evidence regarding assertions that are relevant to balances an amounts. E.g.: a
debtor’s sample can be reviewed to obtain verification that the debtor actually exists.
4.5.3 Statistical sampling versus non-statistical sampling

Deciding on the type of sampling method to be used when selecting samples is based on the
professional judgement of the auditor.
Steps that the auditor can follow when choosing a sample:

 Step 1 – Determine the objective of the procedure to be performed
 Step 2 – Determine the type of procedure that will be performed
 Step 3 – Confirm that the population is appropriate and complete in relation to the audit
 Step 4 – Define the units of the population
 Step 5 – Determine the size of the sample that the audit will need to test

 Step 6 – Selection of the sample: the sample can be selected using the following methods:
 Random – Every unit in the population will have an opportunity of being selected.
 Systematic – A starting point is chosen and then for example every 20th unit in the
population is selected.
 Haphazard – the auditor is responsible for stimulating randomisation. This method is not
accepted for statistical sampling.
 Block – A block of items that have numerical consecutiveness are chosen.
 Monetary unit sampling – the sampling unit will be every rand that is in the population.
The selection of larger amounts is inevitable in this method.
 Step 7 – Performing the audit procedures
 Step 8 – Analysing the nature and cause of any misstatements or deviations that may exist
 Step 9 – The results are projected over the entire population
 Step 10 – Evaluate the results
Revision Question
Question 1
The evidence that is gathered by an auditor plays a crucial role in the results of the audit
and the recommendations that are provided to management. There are two attributes
with regard to evidence that an auditor will need to meet before concluding the audit.
What are these attributes and why are they important?
Solution 1
Sufficient evidence:
Sufficient audit evidence is relating to the quantity of the evidence that the
auditor gathers during an audit as the auditor will need to support any opinions
that he makes based on this evidence. It is important to note that auditors are
not required to examine and evaluate every transaction, as this may be
impossible in a large entity, but they are however required to perform audit
procedures on a sample of transactions from the population. The quantity of
evidence that is required cannot be easily and precisely calculated and it is a
subjective decision which requires a high degree of professional judgement
from the auditor. The quantity of the audit evidence that is required is greatly
dependent on the extent of testing that is required in the audit which will be
highlighted in the audit plan.

Appropriate evidence:
Appropriate evidence relates to the quality of the evidence that is obtained in
the audit. The quality of evidence can be broken into reliable evidence in terms
of the source and nature of the evidence and relevant evidence in terms of the
assertion that the auditor is auditing.
Activity 1 – Solution
A. Managements interpretation that the cost of implementing internal control

procedures outweighs the benefits that can be expected.
B. Internal controls are generally directed at transactions that are routine in

nature and transactions which are non-routine are ignored.
C. Carelessness, false judgements and the factor of human error
D. Internal controls can be circumvented as a manager can possibly be in

collusion with an employee of the entity or a party that is external to the
organisation
E. The person responsible for exercising internal controls could exploit their
position by overriding controls as and when they see fit
F. Internal controls can become inadequate due to changing circumstances

and conditions which could negatively impact on compliance with certain
procedures
Activity 2 - Solution
1. Disagree. 1.1 Whether sufficient appropriate evidence has been gathered

is a matter of professional judgement.
1.2 Audit evidence cannot be gathered exclusively by using

statistical sampling. Evidence is gathered in numerous
different ways, e.g. observation, enquiry, etc., and evidence
relating to numerous account headings and disclosures
cannot be (and is not) obtained by sampling.

1.3 In addition, statistical sampling is itself not an exact science

and professional judgement is applied extensively in setting
the sample parameters.
2. Disagree. 2.1 Performing the audit of the same company for consecutive
years provides the audit team with more experience of that
particular client’s strengths and weaknesses and thus
improves the team’s professional judgement.
2.2 With better judgement and greater knowledge and

understanding of the client, the entire audit is likely to be of
a higher quality. Answering the questions as to whether the
evidence gathered is enough (sufficient) and whether it is
relevant and reliable (appropriate) will become easier for the
auditor as he is better informed, e.g. past experience
corroborates current thinking.
3. Agree. 3.1 Professional scepticism requires that the auditor remain

unconvinced of the truth of a fact until suitable evidence to
support the fact is provided.
3.2 The more sceptical the auditor is, the more he will need to
be convinced that he has gathered sufficient evidence, and
that the evidence which has been gathered is reliable
(source and nature).
6. Disagree. 6.1 The sufficiency and appropriateness of evidence are not

considered individually – they are dependent on each other.
6.2 The requirement is for the auditor to obtain enough

relevant and reliable evidence.
6.3 There is no point in obtaining lots of evidence which is from
an unreliable source and/or which is not relevant to the
assertion for which the evidence is being gathered.

6.4 A quality audit requires quality evidence and quality

evidence is judged in terms of its nature and source.
Activity 3 - Solution
1. False. Although the vehicle is registered it may not exist; it could have been
written off, stolen etc. Physical inspection provides proof of existence.
2. False. This provides evidence that the inventory included in the inventory
account exists, but it does not prove that inventory in the warehouse is included
in the account balance. For completeness the sample must be selected from
the warehouse and compared to the records.
3. True. This procedure provides some evidence as to whether all plant and
equipment purchased has been included in the recorded plant and equipment
accounts. It also provides evidence that repairs and maintenance transactions
have not been misclassified.
4. False. This procedure provides evidence relevant to the rights assertion, i.e.
the client has the right to capitalize the lease as a finance lease and raise the
asset. It provides no evidence of the value at which it should be capitalized.
5. False. This procedure is a test of controls which provides evidence that this
internal control procedure took place (although only at the time the auditors
observed it taking place). It tells the auditor nothing about the amount at which
the purchase was recorded in the books.
6. True. This procedure provides evidence that the depreciation has been
accurately calculated (plant and equipment is presented net of depreciation),
and is therefore relevant to the accuracy, valuation and allocation assertion.

7. False. This procedure primarily provides evidence as to the existence of the

debtor. Positive confirmation by a debtor does not confirm that the debtor will
actually pay. (Where a debtor provides an indication that the balance is
incorrect, the auditor is given some evidence that the amount at which the debt
is recorded may be incorrect.)
4.6 Summary
In this unit students are able to Illustrate an understanding of the internal controls that are implemented in a
business and examine their purpose, demonstrate the importance of audit evidence provided by the auditor which
is linked to the financial statement assertions and examine the various forms of evidence that an auditor can
gather when conducting an audit.

Unit
5: Overview of the Audit Process

CONTENT LIST LEARNING OUTCOMES
5.1 Introduction to the Audit Process  Demonstrate an understanding of the audit process and its
different stages
5.2 Preliminary Engagement Activities
 Provide an explanation of the preliminary activities that take place
5.3 Planning Activities prior to the performance of an audit
5.4 Responding to Risk  Examine and explain the various types of risk responses that
could be provided by an auditor
5.5 Evaluating, Concluding and  Demonstrate an understanding of the evaluation, conclusion and
Reporting on an Audit reporting of a completed audit
Prescribed Textbook


5.1 Introduction to the Audit Process

In the previous units we learnt about auditing and its various components. We will now look at the steps which
are necessary for an audit to embark on in order to perform an audit. The purpose and objective of an auditor is
to form opinions on whether the operations of an entity are effective and efficient and if financial statements are
reliable and do not contain any material misstatements. Once an audit is accepted by an auditor they will need
to gather evidence that is sufficient and reliable which will support any opinions that are made by the auditor.
The audit process is a logical and systematic process which is planned and implemented in accordance to the
audit standards.
The audit process consists of the stages:

 The Preliminary Stage
 The Planning Stage
 Responding to assessed risk stage
 Concluding stage
It is important to note that the stages of the audit process are interdependent on each other and do not stand
alone.
Think Point
What are the audit standards the auditor will need to comply with when planning
and implementing the stages of the audit process?
5.2 Preliminary Engagement Activities

The preliminary stage of the audit process is inclusive of activities that need to occur prior to an audit engagement
being accept by the audit firm and includes:
A. Evaluating if the pre-conditions that are needed for the audit exist
 There are two requirements which should be fulfilled prior to the acceptance of an engagement
which is to establish if the pre-conditions of the audit exist and ensuring that there is a mutual
understanding which is present between management, the auditor and individuals who are in
charge of governance of the audit engagement.
 If the above two requirements are not met, then it will not be necessary for the auditor to proceed
further in the engagement.

 The pre-conditions for an audit are that:

 The correct financial reporting framework is applied to the financial statements of the entity that
the auditor will audit. E.g.: IFRS.
 The auditor will need to obtain confirmation from management to state that they acknowledge
and understand their responsibilities, which are:
 To prepare and present financial statements that are fair and in accordance to IFRS.
 To design and implement the appropriate internal controls which will assist in
preparing statements that are free from material misstatements.
 To allow the auditor access to any information which will be relevant when preparing
financial statements.
B. Establishing procedures that will assist in determining if the audit firm wants to establish a new
relationship with a client or continue the relationship with the existing client
 It is important to remember that an audit firm is also a business and the firm will not want to conduct
business with a client for the following reasons:
 The client maybe lacking in ethics and integrity;
 The client is involved with illegal operations such as pornography or pollution of the
environment;
 The client has a bad reputation regarding its relationship with previous auditors;
 The client has a reputation for not paying audit fees; and
 The audit firm does not have the required resources or competencies to conduct services
for the client.
C. Complying with standards

 The quality control when financial statements are being audited requires satisfaction from the
engagement partner with regard to the procedures that are followed when accepting or continuing
relationships or engagements and the conclusions which are established are appropriate.
 The engagement partner must:

 Place consideration on the integrity of the management, individuals in charge of governance
and the owners of the client. The following should be evaluated:
 The business reputation of the above persons;
 The business practices of the client such as being involved in illegal activities;
 The attitudes of the above persons;
 The ability of the client to pay their audit fees;
 If the possibility of the client placing any limitations on the audit exists; and
 Managements attitude to corporate governance standards.

 Evaluate and determine if the firm has the competencies to perform the engagement. The
following should be assessed:
 Does the audit firm possess auditors who are schooled in the client’s type of business
activities with experience in reporting requirements?
 Does the audit firm have technical skills and competencies that are in-house or do they
have relationships with experts who possess the required skills?
 Does the audit firm have the resources which are necessary to conduct the audit?
 Does the audit firm have necessary personal who can perform quality control reviews?
 Does the audit firm possess sufficient combined resource to meet deadlines on reporting
the engagement?
 Determining if the firm has the ability to comply with the ethical requirements. The following
will need to be evaluated:
 Are there any probable or potential conflicts of interest which could exist between the firm
and the client?
 Is there existence of threats to independence, the engagement partner and audit team and
if so, can safeguards be implementing to adequately deal with these threats?
 Are there any other possible events that could result in a contravention of the Code of
Professional Conduct by an auditor in the team?
D. Procedures that are used to gather information for the “preliminary engagement”
 It is obvious that the process of gathering information for a client whom already exists will be far
simpler than that for a new client and information will be available readily.
 The following procedures should be able to provide information that is sufficient to make a decision
regarding clients:
 Communicating with previous auditors
 Having discussions with directors, senior financial personnel and audit committees of the client
 Inquire with firm’s bankers and legal counsel
 Background searches of relevant databases
 Reviewing documents that are given by the client
 Enquiring and analysing the statues employees and the firm in relation to potential clients

E. Establishing the terms of the engagement

 This process involves the finalisation of the terms of the engagement in an engagement letter which
will reflect the pre-conditions of the audit. Various important engagement aspects are allocated in
the letter and it is imperative that the client completely understands these terms.
 The following items, among others, should be included in the engagement letter:
 Audit objectives should be clear and concise
 Audit scope should be detailed and included the exact statements on which the auditor will
need to express opinions.
 The responsibilities of the auditor during the audit process should be clearly defined
 The responsibility of management during the audit process should be clearly defined
 An indication of the expected reports that the auditor will need to issue as well as its form and
content
 Arrangements can be made for other parties that maybe involved in the audit such as internal
auditors, etc.
 The fee that the audit firm will charge the client.
Activity 1
Azola is a junior auditor for Gemini Ltd. She was tasked with the process of
conducting the preliminary engagement activities for the client. She requires
your assistance in this process as she is unexperienced with regard to the
above mentioned task. Azola needs to determine if the pre-existing conditions
for the audit actually exits. Can you provide her with the conditions that she
will need to evaluate to make a decision?
5.3 Planning Activities

This is the stage where the development of an audit strategy, supported by an appropriate audit plan takes place.
This stage also requires that the engagement partner and other important key players of the audit team be
involved in planning the audit as their experience and insight will enhance the efficiency and effectiveness of the
planning process. Planning should not be seen as an independent stage or step in auditing, because just like the
other stages of audit process, it is not static. Also, in some cases, planning in the audit process could be a
continuous activity throughout an audit.
The importance of planning cannot be over-highlighted:

 Assists in ensuring that the needed attention is given to the areas of the audit which are significant;
 Problems that could potentially occur are identified and resolutions are implemented timeously;

 Competent audit staff and other required parties are assembled;

 The assignment of tasks is appropriately conducted which ensure that the audit is efficient and effective
and all deadlines are met; and
 Quality control standards can be met by setting up appropriate procedures for directing, supervising and
reviewing.
When planning in an audit process, the following components should be considered:
A. The overall audit strategy

 Determines the scope, timing and direction of the audit as well provides guidance for developing the
audit plan.
 Characteristics of the engagement which defines its scope – determines the expected audit coverage
 Matters affecting the reporting objectives, timing of the audit and the nature of communications –
reporting timetables for the client and the complexity and size of the client.
 Matters that determine the engagement team’s focus, effort and direction – materiality levels are
established, impact of risk of material misstatements on financial statement levels, etc.
B. The audit plan

 The audit plan consists of a greater amount of details as compared to the audit strategy. The audit plan
should contain:
 A detailed description of the nature, timing and extent of the risk assessment procedures that are
planned and if they are sufficient to assess the risks of material misstatements.
 A detailed description of the nature, timing and extent of audit procedures at the assertion level
 Any other required audit procedure
C. Materiality
 An audit is aimed towards the identification of the risk of material misstatement and prior to the
development of the audit strategy and plan the auditor will need to give consideration to what can be
considered “material” when conducting the audit.
D. Planning and conducting risk assessment procedures

 Risk are addressed and assessed at two different levels in an organisation – financial statement level
and assertion level.

E. Planning further audit procedures based on the risk

 If the risk is assessed and the auditor needs to develop any further audit procedures, a plan which
contains the nature, timing and extent of these procedures which will test controls and substantive
procedures.
Illustration of items to consider when making decision regarding the nature, time and extent of further
audit processes
CHARACTERISTICS MATTERS TO CONSIDER
Nature of tests – what tests will be  The suitability of a particular procedure to provide the piece
conducted? of evidence required:
 Re-performance, inspection, inquiry, observation
 Recalculation, analytical procedures, external
confirmation
 The need to perform tests of detail (e.g. significant risks)
 The possibility of performing analytical procedures
exclusively (for certain aspects of the audit)
 The hierarchy of evidence – how can the most relevant and
reliable evidence be gathered?
 Statistically based or non-statically based sampling
 The use of other parties
 experts, other (component) auditors, internal
auditors
 The use of computer assisted audit techniques system or
data orientated CAATs
 Special client requests e.g. the client has asked you to
perform special cash counts
 Do the tests selected, address the risk adequately?

Timing of test – when will tests be  The need for and desirability of:
conducted  interim audits
 early verification of year end balances
combined with “roll forward tests”, e.g. debtors
circularisation carried out two months prior to
year-end, supplemented by tests of controls,
tests of detail and analytical procedures * for
the subsequent period of two months up to
reporting date
 Preparatory work on 3rd party confirmations and supporting
schedules
 Non-negotiable dates set by client
 inventory count
 reporting deadlines
 availability of key personnel audit
 committee meetings
 Availability of information, e.g. fixed asset schedules for
audit, including final information for analytical procedures
 Timeous preparation where other parties will be used, e.g.
auditor cannot contact an expert the week before the year-
end end inventory count to assist in the valuation of say,
work-in-progress
 Special client requests e.g. the client may request that you
visit each branch to attend inventory cycle counts at least
once a year

Extent of tests – how much testing is to be  Level of assessed risk

done?  Prior year experience
 The planning and performance materiality limits which have
been set – as the level of misstatement which believes the
auditor would influence a user reduces, so the extent of
testing increases
 What sample size s are required to achieve meaningful
results (particularly when non statistically based sampling is
used)
 Possible reduction of testing when internal audit is used
 3rd parties to understand “how much” they should do *
special client requests e.g. positively confirm all debtors *
the extent of testing deemed necessary should not be
restricted by deadline
5.4 Responding to Risks

5.4.1 Overall response at a financial statement level
The auditor will be responsible for the design and implementation of possible responses to risk at the
financial statement level as well as risks at the assertion level.
 Overall responses
 Overall responses are not considered procedures but they are actions that the auditor can use
to deal with risks at a financial statement level.
 “For example, if the auditor is concerned with management’s integrity, the overall response
may be to meet with the audit team to emphasise the need to maintain a high level of
professional scepticism, and to assign experienced and strong willed staff to the audit.
Obviously it does not end there. The potential effect of management’s lack of integrity on the
assertions at account balance/class of transaction/disclosure level will need to be evaluated,
and the appropriate procedures implemented (nature, timing and extent). For example, the
auditor’s concern may be that management will manipulate the financial statements by
overstating the value of inventory on hand at year-end and by including fictitious sales. The
auditor would respond by conducting extensive procedures on the existence, rights and
valuation of inventory and the occurrence of sales/existence of debtors”.

 Overall responses may be summarized as follows

 Emphasis of professional scepticism
 Assignment of more experienced staff with distinct skills or making use of specialists or
experts
 Provision of more supervision
 Incorporating elements of randomness into the audit procedures utilised in other words to
surprise the clients with procedures they will not expect
 Executing changes to the nature, timing and extent of the audit procedures that have been
conducted previously.
5.4.2 Audit procedures to respond to risks of material misstatement at the assertion level
These audit procedures play an imperative role in any audit as they are performed to enable the auditor
to respond to the risks of material misstatements that relate to assertions. It is important to remember
what assertions are – representations that can be applied to accounts, transactions of different classes
and disclosures underlined in the financial statements.
For example:
 The valuing of inventory, plant and equipment ‘
 Debtors existence
 The completeness of sale transactions
 Presenting and disclosing contingent liabilities
In order to accurately respond to risks and to reduce the risk of material misstatements passing through
the system undetected the auditor will be required to respond to the risks by obtaining the accurate
nature, timing and extent of the substantive tests and test of controls. This means that the auditor will
be conducting additional audit procedures which will assist in reducing the risk to a level that is
acceptable.
At this stage in the audit the auditor will utilise the key tools in their toolbox, which are:
 Inspection:
 The auditor will conduct an examination of records, tangible assets or documents
 E.g.: The audit can inspect the director meeting minutes to obtain evidence that major
transactions were approved
 E.g.: Clients physical assets can be inspected to ensure that they are not damaged

 Observation:
 Entails physically looking at a process or a procedure that the employees of an entity are
performing
 E.g.: An auditor can observe inventory counts that are being conducted at an entity
 E.g.: An auditor can observe that the receiving clerk is physically counting and checking
products that suppliers deliver to the organisation
 Inquiry:
 The auditor obtains information from persons who have necessary knowledge either
internally or external to the entity
 Inquiries can be in the form of written documents addressed to a 3rd party or formal
inquiries that are made to internal staff
 E.g.: The sales clerk could be asked what steps do they follow when receiving a customer’s
order
 External confirmation:
 External confirmation is when the auditor obtains direct responses to a written enquiry that
was made to obtain a confirmation that the information available in accounting records are
correct
 E.g.: The auditor can directly communicate with debtors to confirm the amounts that they
owe to the organisation
 Recalculation:
 Recalculations are performed to ensure that documents or records are mathematically
correct and accurate
 E.g.: Recalculating discounts and VAT to ensure that they are correct
 Analytical procedures:
 These procedures involve the analysis of ratios and trends that are significant to the entity
 E.g.: Performing a comparison of the acid test ratio for the current year to the previous
years and investigating the reasons for any differences
 Re-performance
 The auditor will conduct and independent execution of controls or procedures which were
performed in the organisations internal control
 E.g.: Re-performance of the year end bank reconciliations

It is important to note that when implementing the above procedures, the auditors focus is on obtaining information
which is sufficient, relevant, appropriate and reliable and can assist in the reduction of the risk of material
misstatements to a level that is acceptable by the entity.
The auditor will also be required to conduct substantive procedures that relate to the closing process of financial
statements. The auditor will need to:
 Perform a reconciliation of and agree financial statements with the accounting records.
 Perform an examination of journal entries and other adjustments which are material and are made
when financial statements are prepared.
Think Point
Think of other examples where the auditor could implement the audit tools listed
above. In which situation can each of the above tools used?
5.5 Evaluating, Concluding and Reporting on an Audit

“IAS - 700 - forming an opinion and reporting on financial statements, states that the auditor should form an
opinion on the financial statements based on an evaluation of the conclusions drawn from the audit evidence
obtained. This is carried out in this stage of the audit process.
The evaluation is set out to determine the following:

5.5.1 Whether the evidence that is obtained is appropriate and sufficient enough to reduce the risk to
a level which is acceptable:
 ISA330 – The auditor’s responses to assessed risks, requires that the auditor conclude on whether
sufficient, appropriate audit evidence has been obtained to reduce audit risk to an acceptably low
level. The auditor is required to consider all evidence, not just that which corroborates the
assertions. If evidence contradicts say, the existence assertion relating to debtors (i.e. the evidence
suggests there may be fictitious debtors included in the balance) the auditor must consider this
evidence and respond by seeking further evidence. If the auditor is unable to obtain sufficient
appropriate audit evidence, a qualified opinion or a disclaimer of opinion will have to be issued.
Bear in mind that audit risk is the risk that the auditor expresses an inappropriate audit opinion when
the financial statements are materially misstated, e.g. the auditor’s opinion is that the financial
statements “present” fairly when in fact they are materially misstated.

5.5.2 Misstatements that are not corrected that have been identified during the audit and results in an
individual or aggregate material misstatement of financial information:
 ISA 450:
 Evaluation of misstatements identified during the audit, a misstatement is a difference
between the reported amount, classification, presentation or disclosure of a financial
statement item and the amount, classification, presentation or disclosure that is required
for that item in terms of the applicable accounting framework e.g. IFRS.
 Simplistically expressed, a misstatement is a difference in what has been reported (by the
directors) in the financial statements, and what should have been reported in terms of the
reporting framework e.g. a particular lease has been reported as a finance lease when in
fact it does not meet the criteria for classification as a finance lease, or inventory has been
valued and reported at replacement cost and not at the lower of cost or net releasable
value, or a material contingent liability has not been disclosed.
 Misstatements may arise out of fraud or error.
 The auditor must document all misstatements in the work papers (audit documentation)
and must indicate whether they have been corrected.
 The auditor must also conclude on whether uncorrected misstatements are material,
individually or in aggregate.
 Misstatements that are clearly trivial may be ignored.
 An important distinction will need to be made between misstatements which have been
specifically identified and those for which there is no doubts (factual misstatements) e.g.
the total cost of certain inventory items has been incorrectly calculated, and those which,
in the auditor's judgment, are likely to exist (judgemental misstatements)
 E.g.: Where estimation is involved such as allowances for inventory obsolescence.

Judgemental misstatements are differences which arise between management’s
accounting estimates and what the auditor considers a reasonable estimate to be, e.g.
management may consider that an inventory obsolescence allowance of R600 000 is
appropriate but the auditor thinks that a reasonable allowance would be R800 000. The
judgmental misstatement would be R200 000. Similarly, a judgemental misstatement will
arise where the auditor thinks that the selection or application of a particular accounting
policy by management is unreasonable or inappropriate. This only applies where the

accounting policy and its application are open to interpretation. Judgemental

misstatements include differences arising from the judgements of management in respect
of presentation and disclosure.
 The third type of misstatement is termed projected misstatement. A projected

misstatement is the auditor’s best estimate of the amount of misstatement in a population
based on the projection of the misstatement found in a sample taken from that population.
 It is important to distinguish between the different types of misstatement because the type
of misstatement will affect how the auditor will react:
 Factual misstatement – the auditor is on solid ground when requesting the client
to make adjustments to the financial statements and, if the adjustments are not
made, when modifying the audit report (qualifying the audit opinion).
 Judgemental misstatement – the auditor is on far less solid ground. The

misstatement has only arisen because there is an element of interpretation in the
facts. The auditor cannot state categorically that the directors are wrong, and as
a result, the auditor may have to accept a measure of compromise when
requesting adjustment and will have to think very carefully about whether and
how to modify the report.
 Projected misstatement – the auditor may be in for an even harder time when
requesting amendments or qualifying the audit report. Projecting misstatement
over a population based on a sample can be a very subjective matter. If a proper
statistical sampling method has been properly applied it is less subjective, but
there is still plenty of subjectivity in setting the parameters for the sampling plan.
The auditor will need to accept a measure of compromise and think carefully
about modifying the audit report.
 The materiality of the audit difference plays a very imperative role in this evaluation. If an
audit difference is regarded as not material (leaving the misstatement uncorrected will not
influence a user’s decision), the auditor will not insist on adjustment being made but will
still bring it to the attention of the client who, of course, may choose to correct it.

5.5.3 The financial statements have been prepared in all material respects and according to applicable
financial reporting standards. The auditor will need to evaluate if:
 Significant accounting policies are adequately disclosed in the financial statements;
 There is consistency with regard to the accounting policies that are selected and applied
in terms of the reporting standards and framework that is appropriate for nature of the
entity;
 Management makes reasonable accounting estimates;
 Financial information that is presented in the statements are reliable, relevant, comparable
and understandable;
 Adequate disclosures are provided in the financial statements to assist users in
understanding the impact that the material transactions have on the financial
position/performance and cash flows of the company;
 The financial statements make use of the appropriate terminology;
 Statutory regulations and requirements are complied with; and
 The financial statements are presented fairly.
5.5.4 All material events that occur after the reporting date – should these events require there to be an
adjustment or disclosure to the financial information that the auditor in reporting on, they should be
identified and dealt with in an appropriate manner.
Revision Question
Question 1
The evidence that is gathered by an auditor plays a crucial role in the results of the audit
and the recommendations that are provided to management. When gathering evidence
with regard to financial misstatements, the auditor is presented with 3 various types of
misstatements that could occur at financial statement and assertion level. Discuss these
misstatements.
Solution 1
 “Factual misstatement – the auditor is on solid ground when requesting the client
to make adjustments to the financial statements and, if the adjustments are not
made, when modifying the audit report (qualifying the audit opinion).
 Judgemental misstatement – the auditor is on far less solid ground. The

misstatement has only arisen because there is an element of interpretation in the

facts. The auditor cannot state categorically that the directors are wrong, and as a
result, the auditor may have to accept a measure of compromise when requesting
adjustment and will have to think very carefully about whether and how to modify the
report.
 Projected misstatement – the auditor may be in for an even harder time when
requesting amendments or qualifying the audit report. Projecting misstatement over
a population based on a sample can be a very subjective matter. If a proper
statistical sampling method has been properly applied it is less subjective, but there
is still plenty of subjectivity in setting the parameters for the sampling plan. The
auditor will need to accept a measure of compromise and think carefully about
modifying the audit report.”
 The pre-conditions for an audit are that:

 The correct financial reporting framework is applied to the financial statements
of the entity that the auditor will audit. E.g.: IFRS
 The auditor will need to obtain confirmation from management to state that they
acknowledge and understand their responsibilities, which are:
 To prepare and present financial statements that are fair and in
accordance to IFRS.
 To design and implement the appropriate internal controls which will
assist in preparing statements that are free from material
misstatements.
 To allow the auditor access to any information which will be relevant
when preparing financial statements.
5.6 Summary
For an audit activity to be successful there must be a constructive working relationship between the auditor and
their client. In order to establish these working relationship auditors must present to their client a well thought of
plan to implement the audit. The audit process explained in this chapter presents the necessary steps in achieving
a constructive audit. It should be noted that these steps are sequential but in some cases not necessarily
implemented sequentially, especially in cases where the client has been previously audited by another firm that
has provided (upon request) some fundamental information to the present auditor.

Unit
6: Elements of the Audit Process

6.2 Understanding Audit Risk  Explain and understand the elements of audit risk
6.3 Understanding an Entity and its  Demonstrate an understanding of the environment that an
Environment entity operates in
6.4 The Concept of Materiality  Provide an explanation of the concept of materiality
6.5 The Responsibility of an Auditor in  Demonstrate an understanding of and explain the responsibility
Relation to Fraud in Financial that an auditor has with regard to fraud in financial statements
Statements
Prescribed Textbook


6.1 Introduction
Prior to gaining an understanding of the elements that are included in the audit process it is important to remember
the role and expectations of an auditor – which is to reasonably assure that the financial statements of a company
are presented fairly and they are free from errors and material misstatements. It is also important to note that the
users of these financial statements place reliance on the functions that are performed by the auditor. The risk of
the auditor “getting it wrong” or giving opinions that are not 100% accurate will always be present and this is
referred to as audit risk.
“ISA 200 – Overall objectives of the independent auditor and the conduct of an audit in accordance with the
International Standards on Auditing, which defines audit risk as the risk that the auditor will express an
inappropriate opinion when the financial statements are materially misstated. In simpler terms, it is the risk that
the auditor will give an unqualified opinion when in fact a qualified, adverse, or disclaimer of opinion should have
been given” – this standard gives a thorough explanation of audit risk.
6.2 Understanding Audit Risk

6.2.1 The inherent limitations of an audit
A question which has validity that is often asked is: “if the auditor does his job properly, won’t he eliminate
the risk of expressing an appropriate opinion, or in other words reduce audit risk to zero?” However, due
to the inherent limitations that exist in an audit, the risk that is involved in an audit can never be
completely eliminated.
These inherent limitations are summarised below:
 The nature of financial reporting:

 The opinions formed by the auditor on the financial statements are purely based on the
judgment and subjective decisions and assessments made by the auditor.
 The nature of the audit procedures:

 The possibility of management and employees of the entity not providing the auditor with
information that is complete in relation to financial statements is existent. The procedures
performed by the auditor with regard to the completeness of information cannot be 100%
accurate as the auditor will never have absolute confirmation that all information which are in
the company records have been presented to him.
 Fraud, collusion by employees and falsifying documentation can be sophistically and expertly
concealed which will result in the conventional audit procedures being unable to and ineffective
in the detection of these misstatements.

 The auditor may not be in possession of the legal powers to peruse certain types of evidence
as he is not responsible for investigating wrong doings.
 Due to the fact that majority of audit procedures are conducted on a sample of the population
and not the entire population the risk that material misstatements may go undetected is
inevitable.
 Time constraints:
 If an auditor has no limitations regarding the time he has to conduct an audit the risks could be
reduced significantly.
 It is important to note however, that information becomes less valuable over time and it is
imperative for an audit to be completed in a reasonable time period after the end of the financial
year.
 The time constraints that exist should not be utilised as an excuse when conducting audits as
this can be addressed and solved by have a proper audit plan in place, therefore time
constraints are a limiting factor of an audit.
 Cost/benefit:
 The cost factor is related to the time factor as it could become too costly for the auditor to
address every bit of information and to exhaustively pursue all matters, especially if the
evidence found does not result in the production of real benefits relevant to the audit.
6.2.2 Link between audit risk and the audit process

There are various stages which work in combination with each other that an auditor will have to go through
to have the ability to be in a position which they can present reports on the fairness of financial statements.
The audit process which exist today has went through such development by the profession of auditing
which has resulted in the assurance that in the performance of the audit this risks will be kept to a level
which can be accepted. The process of the audit is directed by the ISA which ensures that there is
compliance with the standards that ensure the risk is kept at an acceptable level.
1. The components of audit risk

Audit risk is better understood when the components of the risks are understood. There are 3 audit risk
components which exist and are summarised as follows:
 Inherent risk:
 According to Jackson and Stent (2019: 7/5) “Inherent risk is the susceptibility of an assertion
about a class of transaction, account balance or disclosure, to a misstatement that could be
material, either individually or when aggregated with other misstatements, before consideration
of any related controls”.

 E.g.: Transactions that require calculations which are complex such as lease agreements are
inherently more likely to have errors and have misstatements as compared to transactions that
are simpler such as purchasing goods.
 Inherent risk could also be classified as the a “built in risk” that a certain class of transaction,
balance of account or disclose may have.
 E.g.: The valuation assertion of jewellery at a jewellery shop has more of an inherent risk than
the valuation assertion of tennis balls at a sporting shop.
 Control risk:
 “The risk that a misstatement that could occur in an assertion about a class of transaction,
account balance or disclosure that could be material, individually or when aggregated with
other misstatements, will not be prevented or detected and corrected on a timely basis, by the
entity’s internal controls”.
 Control risk means that if an entity has control system which is weak and ineffective the system
will not work which will result in the possibility of the occurrence of misstatements that the
auditor is unaware of.
 Control risks evaluate how effectively internal controls are designed and operate in order to
assist an organisation in accomplishing the objectives that are set by management, however,
due to the limitations that exist on internal controls, it is impossible for a client to have a system
that is perfect and a minimal amount of control risk will always exist.
 “IAS 315 - no matter how effective, internal control can provide an entity with only reasonable
assurance about achieving the entity’s financial reporting objectives”
 Limitations that are inherent to the internal controls of an entity can be described as follows:
 Managements assumption of the benefit of the control not being greater than the cost
hence controls can be sacrificed as they might be expense to implement.
 Controls are swayed towards transactions which are routine rather than those which are
non-routine.
 There is a potential of human error such as mistakes made in judgement and carelessness
 Collusion of employees or management could circumvent internal controls.
 Persons who are responsible for internal controls could abuse their responsibilities.
 A change in conditions that impact compliance with internal controls is possible making
the procedures inadequate.

 The process of identifying weaknesses that are present in the internal control system of a client
is insufficient. Auditors should also conduct an evaluation of the effect the weakness will have
on any assertions in the financial statements.
 Detection risk
 “The risk that the procedures performed by the auditor to reduce audit risk to an acceptably low
level will not detect a misstatement that exists and that could be material, individually or when
aggregated with other misstatements”.
 The nature, timing and extent of the procedures that auditors put in place in response to risks of
material misstatements and the reduction of risks to an acceptable level is impacted by detection
risks.
 Detection risks impact the effectiveness of the application of audit procedures and may occur
when the auditor:
 Makes a selection of an inappropriate audit procedure
 Applies an appropriate procedure inappropriately
 The results of a test are misinterpreted
 Detection risk can be reduced by complying with the following standards:

 Sound planning;
 Assignment of proper personnel to the team conducting the engagement;
 Applying professional scepticism at an appropriate level; and
 The audit work performed is supervised and properly reviewed.
Think Point
Think of examples of inherent, control and detection risks that an entity could
face.

 Relationship between audit risk, inherent risk, control risk, detection risk and material
misstatements:
 The risk of material misstatement is made up of inherent risk and control risk – “eg: the
risk of material misstatement will be highest where there is a high level of inherent risk relating
to the assertion and controls are weak. If controls are very strong (i.e. low control risk) and there
is low inherent risk relating to the assertion, then the risk of material misstatement relating to
that assertion will be low”.
 Audit risk is a function of the risk of material misstatement and detection risk – e.g.: if
there is a high risk of material misstatement and the auditor does not respond with effective
selection and application of audit procedures, the risk of expressing an inappropriate audit
opinion (audit risk) will be very high. In other words, to keep audit risk to an acceptable level,
the auditor must ensure that detection risk is kept to a low level by sound planning, proper
assignment of personnel to the audit team, proper supervision, etc.”.
6.3 Understanding an Entity and its Environment

6.3.1 Introduction
 It is imperative for the auditor to have an understanding of the environment in which a client operates
in order for them to identify and assess the risk of material misstatements properly
 The process of understanding an entity is not a once off and stand-alone activity and the more
audits that are performed at a client the greater of an understanding can be obtained. This process
is static and there is no set and stone procedures which can be followed
 According to ISA 315 (Revised) – “Identifying and assessing the risks of material misstatement
through understanding the entity and its environment, an understanding of the entity establishes a
frame of reference within which the auditor plans the audit and exercises professional judgement,
for example when:
 Assessing risks of material misstatement of the financial statements
 Determining materiality;
 Considering the appropriateness of the selection and application of accounting policies and the
adequacy of disclosures;
 Identifying areas where special audit consideration may be necessary e.g. the audit of related
party transactions;
 Developing expectations for use when performing analytical procedures;

 Responding to the assessed risk of material misstatement, including performing further audit
procedures, to obtain sufficient, appropriate evidence; and
 Evaluating the sufficiency and appropriateness of audit evidence obtained”.
6.3.2 Conditions and events which could indicate risks of material misstatements
The following examples are a provision of possible conditions and events that could indicate to the
auditor that there are mistrial misstatements in financial statements that are being audited (NB: this list
indicates a possibility of misstatements is not exhaustive):
 The operations of the company have exposure to markets that are volatile such as trading in futures;
 The company has going concern and liquidity problems and they have difficulties in obtaining
finance;
 Significant changes occurring in the company like mergers and retrenchment of employees
 The company has business arrangements that are complex;
 The company lacks in proper reporting and accounting skills;
 There are changes which are made to key personnel such as directors;
 Internal control deficiencies;
 Management and employees being presented with opportunities that encourage them to engage in
fraudulent reporting such as under paying employees;
 Any changes that are made to the company’s’ IT environment;
 An increase in transactions that are non-routine or systematic at the end of the year;
 Introducing new accounting pronouncements to the company which are relevant such as IFRS 15;
 Obscuring or omitting significant information when making disclosures to the auditor; and
 Pending litigation and contingent liabilities such as financial guarantees.
Think Point
What are the other factors that could indicate to the auditor that material
misstatements exist in an entity?

6.3.3 Risk assessment procedures and related activities

 Risk assessment procedures are conducted by the auditor to assist in gathering information
regarding the client so that they can identify and assess risks of material misstatements at the
financial statement and assertion level.
 Once the above step is completed the auditor will have a basis on which responses to risk can be
designed and implemented.
 Useful information about a client is available from various sources but the most common are:
 Clients acceptance of continuance procedures – when the client accepts the engagement a
good amount of information will be gathered about the client already.
 Previous experience with the entity – a store of information will be available already if audits
have been conducted by the firm for the client previously.
 Inquiries of management and others – this step will provide the most information with regard to
the entity.
 Observation – observing processes and procedures provides information about the client’s
operations which will be useful.
 Inspection – inspection and enquiry of documents such as the business plan, internal control
manuals, managements reports etc. will provide valuable information.
 Analytical procedures – at this stage, analytical procedures indicate if the firm’s financial
performance is as the auditor expected and includes analysis of ratio and trend analysis and
comparing the current years’ information to previous years.
6.3.4 Significant risks

 It is important for an auditor to assess and identify the significance of the risk as it will help determine
the nature, extent and timing of any further audit procedures that need to be carried out by the
auditor.
 When the auditor assesses if the risk is significant or not the following must be considered:
 If it is a risk of fraud – this is a significant risk
 If the risk has a relation to economic or accounting developments that are significant – if new
conditions could give rise to risks of material misstatement than it will be a significant risk.

 Transaction complexity – complex transactions will have significant risks attached to them
 Risks involving significant transactions with related parties.
 The degree of subjectivity in measuring financial information related to the risks – the greater
the subjectivity the more significant the risk will be.
 If the risk has the involvement of transactions that are significant and not part of the usual
course of business or are unusual because of their nature or size.
Activity 1
1. Provide 3 examples of significant risks.
2. At which level does the auditor assess the risk of a material misstatement?
3. The audit procedures are used by the auditor to obtain an understanding of

the entity they are operating in are referred to as “risk assessment procedure”.
Identify 3 different categories of risk assessment procedures with appropriate
examples.
6.4 The Concept of Materiality

6.4.1 Introduction
The concept of materiality is fundamental when conducting an audit. An auditor makes an opinionated expression
on the fair representation of financial statements with regard to all things material. Statements made in an audit
report is based on the opinion of the auditor that the financial statements are not inclusive of any material
misstatements. The users of financial statements understand that financial statements cannot be 100 percent
accurate and they may contain errors or uncertainties, however, this must be accepted by these users and when
the misstatement becomes unacceptable it then converts to material misstatements and will have an impact on
the decision of the users.
The two international standards for auditing which address materiality are:
 “ISA 320 – Materiality in planning and performing an audit - as its title suggests, is concerned with
materiality at the planning and performing stage of the audit, i.e. setting materiality levels to assist in the
planning and performance of the audit.
 Misstatements, including omissions, are considered to be material if they, individually or in
aggregate could reasonably be expected to influence the economic decisions of users taken
on the basis of the financial statements.

 Judgements about materiality are made in the light of surrounding circumstances and are
affected by the size or nature of a misstatement, or a combination of both.
 Judgements about matters that are material to users of the financial statements are based on
a consideration of the common financial information needs of users not specific individual
users”.
 “ISA 450 - Evaluation of misstatements identified during the audit - is concerned with materiality as
part of evaluating the effect of misstatements identified on the audit, and of uncorrected misstatements
on the financial statements for the purposes of forming an opinion on fair presentation”
 The difficulties that are faced by the auditor is that they must make a decision on what users will consider
as material and these judgements will be based on the consideration of the financial information needs
of users.
 When making a decision regarding materiality the auditor can assume the following:
 Users have a reasonable knowledge of business and economic activities and accounting and a
willingness to study the information in the financial statements with reasonable diligence
 Users understand that financial statements are prepared, presented and audited to levels of
materiality (i.e. users know financial statements are not 100% correct).
 Users recognize the uncertainty in the measurement of amounts based on the use of estimates,
judgements and the consideration of future events and that
 Users make reasonable economic decisions on the basis of the information in the financial
statements
6.4.2 The nature of materiality

 Materiality is subjective – Professional judgement of auditors play a major role in deciding on a
materiality level and different auditors will have different ideas of what is accepted as material.
 Materiality is relative – The relativity of materiality differs based on the users and the audit clients
as what maybe material to one user can be immaterial to another.
 Materiality can be qualitative and quantitative

Activity 2
Thabulani is a junior auditor for AXY Pty (Ltd). He is currently experiencing

struggles with understanding the concept of determining what will be
considered material in an audit. He has asked you for assistance in explaining
the assumptions that an auditor can make when setting a level of materiality
in an audit.
6.5 The Responsibility of an Auditor to Fraud in Financial Statements

ISA 240 indicates what the requirement of the auditor is when it comes to fraud:
 Maintain an attitude of professional scepticism
 Facilitate the discussion of a client’s susceptibility to material misstatement due to fraud, amongst the
audit team
 Conduct risk assessment procedures and related activities
Revision Question
Question 1
What are the requirements of the auditor when dealing with fraud?
Solution 1
 Maintain an attitude of professional scepticism.
 Facilitate the discussion of a client’s susceptibility to material misstatement due
to fraud, amongst the audit team.
 Conduct risk assessment procedures and related activities.
Question 2
Risk assessment procedures are conducted by the auditor to assist in gathering
information regarding the client so that they can identify and assess risks of material
misstatements at the financial statement and assertion level. A junior auditor has
requested assistance regarding the sources in which an auditor can use to obtain useful
information when making risk assessments.
Solution 2
 Clients acceptance of continuance procedures – when the client accepts the
engagement a good amount of information will be gathered about the client already.

 Previous experience with the entity – a store of information will be available

already if audits have been conducted by the firm for the client previously
 Inquiries of management and others – this step will provide the most information
with regard to the entity
 Observation – observing processes and procedures provides information about

the client’s operations which will be useful
 Inspection – inspection and enquiry of documents such as the business plan,

internal control manuals, management’s reports etc. will provide valuable
information.
 Analytical procedures – at this stage, analytical procedures indicate if the firm’s

financial performance is as the auditor expected and includes analysis of ratio and
trend analysis and comparing the current years’ information to previous years.
Activity 1 – Solution
1. Significant risks are risks which, in the opinion of the auditor, require\
special audit
consideration, examples:
 the company has numerous transactions with related parties
 the risk involves potential fraudulent activity, e.g. foreign exchange
 contraventions
 the company has a going concern problem
 there are a multitude of complex transactions which seem unnecessary.
2. At the financial statement level and at the assertion level.
3.1 Inquiries of management and others within the entity

Examples:
 inquiries of internal audit as to the design and effectiveness of the
internal control system or breakdowns thereof during the year.
 inquiries of the company’s sales manager in respect of the
company’s market share, declines in sales.
3.2 Analytical procedures

Examples:
 an analysis of the company’s overall performance, profitability, liquidity
compared say, to industry norms or prior years
 an analysis of inventory by branch, location, product value
(to assist in planning inventory count attendance).
3.3 Observation and inspection

Examples:
 observing the company’s manufacturing process
 inspecting systems flowcharts, minutes, loan agreements.
 When making a decision regarding materiality the auditor can assume the
following:
 Users have a reasonable knowledge of business and economic activities
and accounting and a willingness to study the information in the financial
statements with reasonable diligence.
 Users understand that financial statements are prepared, presented and
audited to levels of materiality (i.e. users know financial statements are not
100% correct).
 Users recognize the uncertainty in the measurement of amounts based on
the use of estimates, judgements and the consideration of future events
and that
 Users make reasonable economic decisions on the basis of the
information in the financial statements.
6.6 Summary
In this unit the students will gain an understanding of the elements of audit risk, the environment that an entity
operates in, the concept of materiality when evaluating risks and the responsibility that an auditor has with regard
to fraud in financial statements.

Unit
7: Auditing Using IT

7.2 Computer Auditing  Understand the concept of auditing with a computer
7.3 General Controls and Application  Demonstrate an understanding of general and application
Controls controls used in IT auditing
7.4 CAAT  Display an understanding of computer aided audit software
Prescribed Textbook

 Coetzee, P., du Bruyn, R., Fourie, H. and Plant K. (2019).
Performing Internal Audit Engagements. 6th Edition. Lexis Nexis.

7.1 Introduction
Auditors from all walks of life will have exposure to the computerised financial reporting system that an audit client
makes use of. Majority of the entities that audits are performed at will make use of IT to capture, process and
record financial transactions. For an auditor, it is important to know that the computer environment of a client will
have a direct impact on the audit strategy and plan.
7.2 Computer Auditing

Information Technology audit is also usually used to examine and evaluate organization systems internal control
design, efficiency and effectiveness. This usually includes but not limited to development processes, security
protocols, information systems usage etc. IT audit examines the environment of automated information systems
and how people use those systems. This is usually done by examining and evaluating system input, processes
and output, backups and recovery plans. Different authorities have created different criteria to distinguish the
various types of IT audit. Some of these criteria include the approach to carrying out an IT audit, the functions of
information technology within an organization and the controls used within an organization and within the
information technology environment. Using these criteria, below are some of the types of IT audits that are
available:
A. Systems and Application Audit: This is an audit of the controls designed and implemented into
systems and applications to ensure the integrity of the data they process. This audit also checks that
systems and applications are effective, efficient and adequately controlled to ensure a reliable, timely
and secure input, process and output at all levels of the systems and applications.
B. Compliance Audit: This is the type of audit done to provide management with tools for the internal
review of compliance in their various operational units.
C. Security Audit: Security audit is performed in order to provide comprehensive and cost-effective
vulnerability assessments. This audit is expected to provide a detailed report on the weaknesses found,
and the threats that could be exploited by these weaknesses. It should also suggest preventive
measures and remedies that can help reduce or eliminate vulnerabilities and threats.
Other criterion that has been used in the classification of Information Technology Audit is the controls that exist
within the organization or within the Information Technology environment. Controls include the functions and
attitude, actions and awareness of those responsible for the management and governance of an organization’s
internal controls. Installing controls are necessary to provide security. Hence, individuals responsible for IT audit
must consider if controls are in place in the organization. Controls also set tone for an organization by influencing
the consciousness of its people and providing discipline and structure.

Using controls, Information Technology Audit has been categorized into two broad types, and they are:
 General Control Review Audit
 Application Control Review Audit
Think Point
What other types of IT audits can auditors use when conducting an

audit for an entity?
7.3 General Controls and Application Controls

General controls in an information technology environment are those controls that establish an overall framework
of control for computer activities. They are also sometimes referred to as computer environment control. They try
to gain an overall access of the controls present in the environment surrounding the information technology. They
comprise of all the policies and procedures (could be manual or computerized), that govern the environment
within which an organization’s computer systems and information technology are developed, maintained and
operated, and within which the application controls operate. The systems development standards operated by
an organization are also included in the general control. General controls are controls that should be in place
before any processing of transactions begins and they usually span across all applications. Before conducting
an audit, auditors are required to obtain an understanding of the organization and its environment, and this will
include obtaining an understanding of the general control at the organization (client environment). General
controls in an information technology environment may include:
 Control over data centre and network operations
 Logical access controls over infrastructure
 Program change management controls
 System software accusation
 Access and Security
 Application systems acquisition, development and maintenance
7.3.1 General Controls

1. Objectives and Importance of General Controls
General controls encompass the framework of the overall controls in information technology
environment and provides a reasonable level of assurance that ensures that the overall objectives of
internal controls are achieved. They combine the controls over the development, implementation,
operation and maintenance of the information technology environments. One of the main objectives of
general control is to ensure the maintenance of the integrity of data and programs and the effective and
efficient running of computer systems and information technology.

Information technology general control should be addressed as part of an internal audit and internal
control developmental process. Without an efficient and effective general control reliance on Information
Technology systems may not be possible because a weakness in the general control could affect
numerous applications. General control concepts can be applied regardless of the industry, size and
complexity of the computer or information system environment. Also, the existence of a satisfactory
general control is a requirement for reliance on application control. Therefore, general controls should
be evaluated before application controls are tested.
2. Categories of General Control
General controls can be categorized into the following:

A. Control Environment
B. System Development and Implementation Controls
C. Access Controls
D. System Software and Operating Controls
E. Continuity controls
A. Control environment
The evaluation of control environment within the information technology structure and activity is part of
the overall information technology audit exercise. The control environment of an organization depends
entirely on the tone and control consciousness set by management. In a smaller organization for
example, management and the employees will be working closely together so employees will frequently
be exposed to how management behaves and conducts themselves. The advantage of this is that
management can have a strong influence on the employees they work directly with and can play a more
direct role in control activities. The control environment in an information technology has some important
aspects to it, and these aspects include:
 Communication and enforcement of integrity and ethical values
 Commitment to competence
 Participation by those charged with governance
 Information Technology management’s philosophy and operating style
 Organizational structure and assignment of authority and responsibility

B. Systems Development and Implementation Control

Systems development is necessary because the present business world is changing and these changes
are causing the need for a quicker and better system to handle information. System development refers
to the development of the significant changes relating to computer systems of an entity. Changes in the
organization’s information system may arise because of the changes in the organizations business
activities, growth and a need to maintain a competitive advantage or just to simply improve its all-round
performance by having better information usage. One good example of system development is when an
organization wants to computerize a previously manual payroll system. In this case, the computerized
system will have to be designed and developed to meet the functionalities of the manual system, and even
perform better. Unless the activities of designing the system are carefully controlled, the following might
occur:
 The cost of development may get out of control;
 The designed system may not meet user requirements;
 Programs in the system may be erroneous;
 Financial reporting requirements may not be incorporated into the system;
 The new system may not incorporate enough controls to ensure integrity of the data;
 Systems that are expertly designed may become fruitless if no one knows how to operate it;
and
 Information transferal from old to new systems may contain errors and data may be invalid and
incomplete.
If proper systems development and implementation are put in place, the above-mentioned risks could be avoided.
System developments could be of the following types:
 In-house development
 Purchased package/ Packaged software
C. Access Control
The consequences of an unauthorized access to a system can be disastrous for an organization. For
example, uncontrolled physical access to hardware could result in theft of, or damage to information
systems and the data which it stores. The unauthorized access could lead to the destruction and
disruption of data. Rather than having to implement cure for the theft and destruction of information
systems and data respectively, it is far better for an organization to prevent these negative
consequences by implementing strict access control policies and procedures. Access control represents
policies and procedures designed to restrict access to devices, data and programs. It consists of user
authorization and user authentication. User authorization consists of access rules to determine the
computer resources each user may access while user authentication tries to identify a user through
unique login identification, biometric data, access card or password. However, access control or

restriction should take into consideration the fact that authorized employees must have access to the
organization’s computer resources in order to perform their duties efficiently and effectively. Access
control procedures are designed to prevent or detect:
 Unauthorized access to devices, programs and data;
 The use of programs by unauthorized persons;
 Entry of unauthorized transactions; and
 Unauthorized changes to data files.
 Access to all aspects of the organizational system which include the following must be
controlled:
 Hardware
 Software
 Datafiles/database
 Communication channel
 Computer applications
 A proper and adequate access control will include the following:

 Security Policy
 Datafile security control
 Physical access control
 Login access control
 Other access control e.g. data communication, firewalls etc.
D. System Software and Operating Controls

System software control and operating controls are used to control the use of hardware as well as the use
of applications and end-user software, and also the other resources of the organizational system. They
incorporate the functions performed by operating systems as well as operating systems users. One of its
main objectives is to implement controls over programs so as to ensure that they are installed or developed
and maintained in an authorized, efficient and effective manner, and also, that access to system software
is limited. The evaluation of system software and operating controls is very much the domain of the computer
audit specialist that possesses a good technical knowledge. This is because it requires the implementation
of controls designed to control the proper operation of system and to ensure that programmed procedure is
applied correctly and consistently during the processing of data.

E. Continuity Control
Continuity controls are aimed at protecting and preventing computer resources and facilities from all forms
of disasters e.g. natural disasters, man-made disasters etc., and as well as from acts of disruption and
destruction, attack or abuse by an unauthorized individual or people. One of its main objectives is to
implement controls designed to ensure the continuity of processes by preventing system interruptions or
limiting it to the minimum. It has been found that poor controls result in down time and disruption to normal
processes. Some of the components and factors to be considered when planning a continuity control in an
information technology environment include:
 Risk assessment
 Physical security
 Disaster recovery
7.3.2 Application Controls

Applications are set of programmes and procedures designed to satisfy all the users associated with a
specific task. Application controls in an information technology environment are controls that are relevant
to specific tasks within the system. They are both manual and computerized controls that are within the
area of the business that ensures that data is processed accurately, completely and in a timely manner.
They can be preventive or detective in nature and are designed to ensure the integrity of information. In
an ideal situation, each organizational application needs specific controls to prevent, detect and correct
user and operator errors.
The stages through which a transaction flows through the system can be described as input, processing
and output. Controls must also be implemented over master files. A master file is a file used to store
standing information. It is very important in producing reliable information and must be strictly controlled.
Best controls over the master files are application controls and they are sometimes referred to as master
file maintenance controls. Application controls are dealt with under the following headings:
A. Input controls
B. Processing controls
C. Master file maintenance controls
D. Output controls
E. Integrity controls
F. Management trail controls
A. Input controls: These are controls that are used mainly to evaluate and check the integrity of data
entered into an application or data entered to update the master files. It checks whether the data is
entered directly by a staff member or remotely by a business partner, or through a web-enabled
application interface.

B. Processing controls: These controls provide an automated means of ensuring processing is

complete, accurate and authorized. It is also in place to implement controls designed to ensure that
only valid data is processed and that data is processed completely and accurately by the computer.
C. Master file maintenance controls: These are controls that are designed to protect the integrity of
master file information and to ensure that only valid changes to mater files are processed, and that
changes are processed completely and accurately by the computer.
D. Output controls: These controls address what is done with data and also compares output results
with the intended result. They are also controls designed to ensure the completeness and accuracy
of output and to control distribution of output to authorized users.
E. Integrity controls: These are controls that monitor data in process and in storage to ensure that
they remain consistent and correct.
F. Management Trail controls: Management trail is also referred to as Audit trail controls and it
means processing history controls. It enables management to identify the transactions and events
they record, by tracing and tracking transactions from their source to their output and also by doing
a reverse tracking and tracing. These controls are used to monitor the effectiveness of other controls
and to identify errors as close as possible to their sources.
1. Objectives of Application Controls

The objectives of this control are generally regarded as being centred around the occurrence,
authorization, accuracy and completeness of data and information processed by and stored on the
computer. The objectives of application controls are to (but not limited to this):
 Ensure all data is accurate, complete, authorized and correct
 Ensure all data is processed as intended
 Ensure all data stored is accurate and complete
 Ensure all output is accurate and complete
 Ensure records are maintained to track the process of data from input to storage and to the eventual
output
 Ensure access to data is limited based on business need
 Ensure incompatible duties within an application are systematically prevented

7.4 CAATS
In Information technology, tests of controls and substantive test can be performed using audit software that can
access the client’s computerized system at a high speed, such software is referred to as Computer Assisted Audit
software, tools or techniques. Computer assisted audit techniques implies the process whereby computers are
used to assist in performing or carrying out an audit. Therefore, it refers to an auditor’s use of the computer to
assist in the performance of audit procedures and the acquisition of audit evidence. In most large and medium-
sized organizations of today, there are few processes that are not driven by computers, therefore performing
audit without using information technology is hardly an option because most of the information required to do an
audit is on the computer system. Wherever and whenever it is economical and efficient, the speed, power and
versatility of computer should be harnessed to assist with audit. CAAT tools can be developed to:
 Access and extract information from auditee database
 Tabulate, check and perform calculations on data
 Perform sampling, statistical processing and analysis
 Provide reports to meet particular audit needs
7.4.1 Testing CAATs

The auditor should obtain reasonable assurance of the integrity, reliability, usefulness, and security of
CAATs through appropriate planning, design, testing, processing and review of documentation. This
should be done before reliance is placed upon CAAT. The nature, timing and extent of testing are
dependent on the commercial availability and stability of CAAT.
7.4.2 Fitting CAATs into the Auditing Process
The auditor decides when and how to use CAATs when considering the audit plan (that is, the nature, timing
and extent) and the audit strategy (that is, scope, timing and direction) that are important to reduce audit risk
to an acceptable level. The decision made usually results in the auditor taking approaches which includes;
A. Auditing around the computer
B. Auditing through the computer
C. Auditing with the computer.
D. Combination Approach
A. Auditing around the computer

 Is an approach that treats the computer system and programs as a box and places reliance on the
review and comparison of the input and the output documents. The concept behind this approach
is that if the source documents are valid, accurate and complete, and the output which is produced
by the computer system as a result of processing this source documents is correct, then we can
assume that all the processing functions performing precisely.

 Advantages of auditing around the computer:

 No risk of client’s data being corrupted by an auditor
 The auditor will need to have minimal IT knowledge
 The IT function of the client is not disrupted
 Associated costs with IT auditing are minimal
 Disadvantages of auditing around the computer:
 Computers can be helpful for large data volumes
 Errors and controls within the system can be ignored
 The most valuable tool in auditing is not utilised which is the computer
B. Auditing through the computer –

 Revolves around testing of computer systems and the controls which are built into the system. This
is achieved by sending transactions through the computer, the auditor then tests if the controls are
working as expected. Hence, auditing through the computer is also referred to as a test of controls
approach.
 Advantages of auditing through the computer:

 The computer can be used in an effective and efficient manner when auditing a sophisticated
system that is responsible for processing large volumes of data and places reliance on
computerised controls.
 Disadvantages of auditing through the computer:

 The auditor will need to have an extensive knowledge of computers and IT
 Audit costs could be unusually high as investments in technology and expertise will need
to be made
 The client’s data could become corrupt and the auditor will need to adopt strict
precautionary activities
 The level of client co-operation is of a high level would could impact the independence of
the audit
C. Auditing with the computer

 Involves using the computer to assist in the performance of audit procedures and using the
computer to produce electronic or automated reports.
 Advantages of auditing with the computer:

 The computer is used for its speed and versatility which makes the audit highly economical and
efficient

 Disadvantages of auditing around the computer:

 Hardware/software license fees
 Training needed by the audit team on how to utilise the software
 Audit team could adopt the tendency of auditing without actually paying attention to their work
D. Combination Approach
 It should be noted that the most effective approach for the auditor to utilise will be to combine
the above approaches as there would be no restrictions when performing the audit.
7.4.3 Factors That Influence the Decision to Use CAATs

In modern auditing, the use of CAATs is becoming prevalent, but this does not mean CAATs are always
an appropriate tool for every audit. The following factors should be considered when a decision is made
to use CAAT’s or not:
 Complexity of the client’s system

 Volume of transactions/output
 Data stored in electronic form
 Availability of skills in the audit team
 Potential loss of independence
 Client’s attitude
 Cost
 Compatibility of system hardware and software
7.4.4 The advantages and disadvantages of using CAAT’s

 Advantages of CAATs
 CAATs assist in achieving audit efficiency by saving time
 It assists in achieving a reduction in audit cost
 It helps in improving audit quality
 It helps develop a sound knowledge of information technology, information systems and
computers
 It helps deal with large volume of data
 It helps achieve improved client service.
 Disadvantages of CAATs
 CAATs requires a reasonable degree of skill to use
 Initial setup cost can be high

 Adaption often needed from machine to machine

 Impracticability of manual test i.e., lack of hard copy evidence which may be impracticable for
auditors to perform tests manually.
7.4.5 Uses of CAATs

 Substantive testing of details of transactions and balances
 Sorting and file re-organization
 Selecting and analysing samples from a large volume of transactions
 Producing reports for effective decision making
Think Point
In what other manner could an auditor make use of CAAT’s?
Revision Question
Question 1
What are the different types of controls that are useful to an auditor when conducting an
audit in an IT environment?
Solution 1
General controls
Encompass the framework of the overall controls in information technology
environment and provides a reasonable level of assurance that ensures that the
overall objectives of internal controls are achieved. They combine the controls
over the development, implementation, operation and maintenance of the
information technology environments. One of the main objectives of general
control is to ensure the maintenance of the integrity of data and programs and
the effective and efficient running of computer systems and information
technology.
Applications controls
Application controls in an information technology environment are controls that
are relevant to specific tasks within the system. They are both manual and
computerized controls that are within the area of the business that ensures that
data is processed accurately, completely and in a timely manner. They can be

preventive or detective in nature and are designed to ensure the integrity of

information. In an ideal situation, each organizational application needs specific
controls to prevent, detect and correct user and operator error
7.5 Summary
Auditing information technology, information systems, computer systems and their inherent components,
processes and activities within an organization is among the highest priorities of most organizations in the modern
global market. Organizations are implementing the two major controls (general and application) in their business
processes so as to enhance their audit activities and improve their operational performance. In addition, the
advancement in information technology has made information technology, computer systems and information
systems a very vital and important tool in audit process. Hence, auditors and organizations are adopting computer
assisted audit techniques and tools in performing their audit activities and managing their audit activities.
Information Technology Audit and Computer Assisted Audit Techniques (CAATs) have now become integral parts
of an organization in order to achieve its objectives, and to auditors in achieving their audit objectives.

References List
 Auditing Notes for South African students 10th Edition – Jackson and Stent, LexisNexis Publishers,
2019.
 Coetzee, P., du Bruyn, R., Fourie, H. and Plant K. (2019). Internal Auditing an Introduction. 6th Edition.
Lexis Nexis.
 Coetzee, P., du Bruyn, R., Fourie, H. and Plant K. (2019). Performing Internal Audit Engagements. 6 th
Edition. Lexis Nexis.
 Grower, H.R. and Jackson, R.D.C. (2019). Graded Questions on Auditing. Lexis Nexis.


Auditing

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Auditing

Uploaded by

Copyright:

Available Formats

Bachelor of Commerce

List of Contents ....................................................................................................................................................... 1

Unit 1: An Introduction To Auditing ....................................................................................................................... 11

Unit 2: Code Of Ethics For Auditors ...................................................................................................................... 24

Unit 3: Corporate Governance And King Iv ........................................................................................................... 40

Unit 4: General Principles Of Auditing................................................................................................................... 62

Unit 5: Overview Of The Audit Process ................................................................................................................. 85

Unit 6: Elements Of The Audit Process ............................................................................................................... 102

Unit 7: Auditing Using It....................................................................................................................................... 116

References List ................................................................................................................................................... 130

Table 4.1.: Nature, Extent, and Timing of Evidence........................................................................................73

Table 4.4: Financial statement assertions ......................................................................................................76

Table 4.5: Financial statement assertions ......................................................................................................78

1 MANCOSA – Bachelor of Commerce: Accounting

We hope you enjoy the module.

MANCOSA – Bachelor of Commerce: Accounting 2

C. Exit Level Outcomes and Associated Assessment Criteria of the Programme

Exit Level Outcomes (ELOs) Associated Assessment Criteria (AACs)

 Complex administrative problems are identified,

 Context and systems in general management are

3 MANCOSA – Bachelor of Commerce: Accounting

 Evidence – based solutions and theory driven

 Ethics and professional practice is considered and

 Recognise and appreciate changes  Knowledge of organisational contexts and their

 to remain current in this regard

 Key change management principles are applied in

 Make appropriate use of information  Accessing, processing and managing information

 Information technology applied to independently

 Appropriate information technology is utilised to record,

 Method and procedure in solving operational problems

MANCOSA – Bachelor of Commerce: Accounting 4

 Key concepts, principles, knowledge, skills and

 Prescribed ethical codes of conduct, values and

 Develop the functional competence of a  Scope of knowledge with respect to management

 Management decisions are discussed to apply ethical

D. Learning Outcomes and Associated Assessment Criteria of the Module

LEARNING OUTCOMES OF THE MODULE ASSOCIATED ASSESSMENT CRITERIA OF THE MODULE

5 MANCOSA – Bachelor of Commerce: Accounting

E. Learning Outcomes of the Units

F. Notional Learning Hours

Notional Learning Hour Table for the Programme

Lectures/Workshops (face to face, limited or technologically mediated) 10

Tutorials: individual groups of 30 or less 5

Practical workplace experience (experiential learning/work-based learning etc.) 0

Independent self-study of specially prepared materials (case studies, multi-media, etc.) 20

MANCOSA – Bachelor of Commerce: Accounting 6

CAATs Computer Assisted Audit Techniques

CPC Code of Professional Conduct

EFT Internet Fund Transfer

GAAP Generally Accepted Accounting Practice

GRN Goods Received Notes

IFRS International Financial Reporting Standard

IESBA International Ethics Standards Board for Accountants

IoDSA Institute of Directors of Southern Africa

ISA International Standard on Auditing

ISO Internal Sales Order

IRBA Independent Regulatory Board of Auditors

ISRE International Standards on Review Engagements

SME Small Medium Enterprise

H. How to Use this Module

7 MANCOSA – Bachelor of Commerce: Accounting

J. Prescribed and Recommended Textbook/Readings

The prescribed and recommended textbooks/readings for this module is:

MANCOSA – Bachelor of Commerce: Accounting 8