INTRODUCTION TO AUDITING
Module Guide
Copyright © 2021
MANCOSA
All rights reserved; no part of this book may be reproduced in any form or by any means, including photocopying machines,
without the written permission of the publisher. Please report all errors and omissions to the following email address:
modulefeedback@mancosa.co.za
Bachelor of Commerce
in Accounting
Preface
A. Welcome
Dear Student
It is a great pleasure to welcome you to Introduction to Auditing (ITA6). To make sure that you share our
passion about this area of study, we encourage you to read this overview thoroughly. Refer to it as often as you
need to, since it will certainly make studying this module a lot easier. The intention of this module is to develop
both your confidence and proficiency in this module.
The field of Auditing is extremely dynamic and challenging. The learning content, activities and self-study
questions contained in this guide will therefore provide you with opportunities to explore the latest developments
in this field and help you to discover the field of Auditing as it is practiced today.
This is a distance-learning module. Since you do not have a tutor standing next to you while you study, you need
to apply self-discipline. You will have the opportunity to collaborate with each other via social media tools. Your
study skills will include self-direction and responsibility. However, you will gain a lot from the experience! These
study skills will contribute to your life skills, which will help you to succeed in all areas of life.
MANCOSA does not own or purport to own, unless explicitly stated otherwise, any intellectual property rights in or
to multimedia used or provided in this module guide. Such multimedia is copyrighted by the respective creators
thereto and used by MANCOSA for educational purposes only. Should you wish to use copyrighted material from
this guide for purposes of your own that extend beyond fair dealing/use, you must obtain permission from the
copyright owner.
B. Module Overview
In this section, include the following:
The module is a 15 Credit module at National Qualification Framework (NQF) level 6.
Course overview
The broad areas covered by this module include:
An Introduction to Auditing
Professional Conduct
Corporate Governance and King IV
General Principles of Auditing
Overview of Audit Process
Elements of the Audit Process
Auditing Using IT
Display the necessary knowledge and skills, attitudes and applied competence to enable them to demonstrate administrative proficiency | Fundamental and specialist knowledge is applied in an organisational context to identify and analyse appropriate policies to achieve administrative efficiency. Appropriate processes are selected and implemented to resolve administrative deficiencies
Apply skills of rational judgment and planning | Method and procedure in rational judgement and planning is understood, selected and applied to resolve problems or to introduce change within practice
Analyse and solve operational problems | Operational problems are identified, analysed and evaluated to critically address complex problems within an organisation by applying evidence based solutions and theory–driven arguments
Display skills for the recording and processing of financial information within an accounting framework | Accessing, processing and managing information are explained to develop appropriate processes of recording within an accounting framework
Display ethical behaviour in a corporate management context | Ethics and professional practice is considered and applied in corporate management context to justify the decisions and actions taken

Define the nature and objective of an audit | The nature and objectives of an audit are fully defined and examined to establish the purpose of conducting audits
Describe the qualities, duties and responsibilities of an auditor | An auditor’s duties, responsibilities and qualities are deduced and described to determine the purpose and function of auditors
Analyse relevant legislation and auditing standards governing the professional conduct of auditors | An auditor’s duties, responsibilities and qualities are deduced and described to determine the purpose and function of auditors
Assess the role and responsibilities of auditors in contributing towards effective corporate governance in accordance with King IV | The auditor’s role and responsibilities are assessed to determine their contributions towards effective corporate governance and King IV
Demonstrate an understanding of the general principles of auditing and provide explanations of the audit process and elements of an audit | The audit process and its elements are explained to be able to conduct an effective audit
Illustrate and explain the basics of using IT auditing | The basics of IT auditing is explained to understand how IT is utilised to help conduct an audit
Types of learning activities | Learning time
Syndicate groups | 0
Independent self-study of standard texts and references (study guides, books, journal articles) | 60
Other: Online | 5
TOTAL | 100
G. Acronyms
AFS Annual Financial Statements
INC. Incorporated
Ltd Limited
PC Personal Computer
PI Public Interest
Pty Proprietary
The purpose of the Module Guide is to allow you the opportunity to integrate the theoretical concepts from the
prescribed textbook and recommended readings. We suggest that you briefly skim read through the entire guide
to get an overview of its contents. At the beginning of each Unit, you will find a list of Learning Outcomes and
Associated Assessment Criteria. This outlines the main points that you should understand when you have
completed the Unit/s. Do not attempt to read and study everything at once. Each study session should be 90
minutes without a break.
This module should be studied using the prescribed and recommended textbooks/readings and the relevant
sections of this Module Guide. You must read about the topic that you intend to study in the appropriate section
before you start reading the textbook in detail. Ensure that you make your own notes as you work through both
the textbook and this module. In the event that you do not have the prescribed and recommended
textbooks/readings, you must make use of any other source that deals with the sections in this module. If you
want to do further reading, and want to obtain publications that were used as source documents when we wrote
this guide, you should look at the reference list and the bibliography at the end of the Module Guide. In addition,
at the end of each Unit there may be a link to the PowerPoint presentation and other useful reading.
I. Study Material
The study material for this module includes tutorial letters, programme handbook, this Module Guide, a list of
prescribed and recommended textbooks/readings which may be supplemented by additional readings.
In addition to the prescribed textbook, the following should be considered for recommended books/readings:
Coetzee, P., du Bruyn, R., Fourie, H. and Plant K. (2019). Internal Auditing an Introduction. 6th Edition. Lexis
Nexis.
Coetzee, P., du Bruyn, R., Fourie, H. and Plant K. (2019). Performing Internal Audit Engagements. 6th
Edition. Lexis Nexis.
K. Special Features
In the Module Guide, you will find the following icons together with a description. These are designed to help you
study. It is imperative that you work through them as they also provide guidelines for examination purposes.
LEARNING OUTCOMES | The Learning Outcomes indicate aspects of the particular Unit you have to master.
THINK POINT | A Think Point asks you to stop and think about an issue. Sometimes you are asked to apply a concept to your own experience or to think of an example.
ACTIVITY | You may come across Activities that ask you to carry out specific tasks. In most cases, there are no right or wrong answers to these activities. The purpose of the activities is to give you an opportunity to apply what you have learned.
READINGS | At this point, you should read the references supplied. If you are unable to acquire the suggested readings, then you are welcome to consult any current source that deals with the subject.
OR EXAMPLES
KNOWLEDGE CHECK QUESTIONS | You may come across Knowledge Check Questions at the end of each Unit in the form of Knowledge Check Questions (KCQ’s) that will test your knowledge. You should refer to the Module Guide or your textbook(s) for the answers.
REVISION QUESTIONS | You may come across Revision Questions that test your understanding of what you have learned so far. These may be attempted with the aid of your textbooks, journal articles and Module Guide.
CASE STUDY | This activity provides students with the opportunity to apply theory to practice.
Unit 1: An Introduction to Auditing
1.2 What is the Function of an Auditor? | Explain what auditing is and the function of an auditor in an entity
1.3 Various Types of Auditors | Explain the difference between the various types of auditors that exist in the auditing profession
1.4 Why are Auditors Necessary? | Demonstrate an understanding of the importance of the auditors and why they are necessary
Prescribed Textbook
Recommended textbooks:
Coetzee, P., du Bruyn, R., Fourie, H. and Plant K. (2019). Internal
Auditing an Introduction. 6th Edition. Lexis Nexis.
Coetzee, P., du Bruyn, R., Fourie, H. and Plant K. (2019).
Performing Internal Audit Engagements. 6th Edition. Lexis Nexis.
1.1 Introduction
The word auditing has a Latin origin which means “a hearing”, and the concept has existed for more than 2000
years. A majority of individuals possess a basic idea of the concept of auditing and the duties of an auditor;
however, this knowledge is generally based on what individuals witness in the media and often consists of
misconceptions when compared to the actual duties and functions of an auditor. Auditors are typically seen to
participate in numerous activities and are often seen as boring professionals. Despite the mocking portrayal of
auditors, the general acceptance among society is that auditing is a serious business and auditors play an
important role in the corporate world.
Consider the following example which will provide insight into the duties and functions of an auditor:
Heavenly Glitter (Pty) Ltd requests a loan from Rights Resource Bank. The bank indicates to Heavenly Glitter
(Pty) Ltd that, prior to making any consideration on providing them with a loan, the bank will require a copy of the
financial statements for the company, which will then need to be audited. The bank is indicating to the company
that they will require reasonable assurance of the financial information of Heavenly Glitter (Pty) Ltd from an
independent source, which will also provide proof that their financial statements are fairly presented and free from
any material misstatements. This is the stage when an auditor is required, as the reasonability of the assurance
provided and the checks on the materiality of the financial statements will be provided by an auditor. The auditor
will assist in increasing the credibility of Heavenly Glitter (Pty) Ltd, and the bank will in turn be increasingly
comfortable in placing reliance on the information that the company has provided when formulating a decision
on granting them a loan. If the auditor provides assurance that the financial information is fair and reliable, then
the bank will be confident that the risk of them suffering a loss, by Heavenly Glitter (Pty) Ltd not paying their
interest or the capital amount back, is relatively low. Had Rights Resource Bank not insisted on reviewing financial
statements that had been audited, Heavenly Glitter (Pty) Ltd could have manipulated the company’s financial
information to make them seem reliable.
Think Point
What other examples can you provide to explain the function of an auditor?
Below is a list of the various types of auditors and each of their functions:
1.4.2 Accountability
The profession of auditing has seen a major bloom over the years and its growth has given rise to
various audit functions such as internal audits, government audits, forensic audits and environmental
audits, which have become major independent forces in their own functions. Investors globally have a
natural longing for accountability: directors of a company should take accountability for the manner in
which their businesses are run, the government must take accountability for the way taxpayers’ money
is spent, and companies that partake in activities which have a direct impact on the government must
take accountability for adhering to regulations and legislation. Due to this, a wider need has been created
for the auditing profession to provide services which independently assess and evaluate whether directors
and governments meet their responsibilities. The demand for sound corporate governance
(a set of principles, rules and processes by which a company is controlled and directed) by the world
has increased, and auditors play a crucial role in ensuring this governance.
Think Point
Sufficient appropriate evidence | The evidence the practitioner needs to be in a position to form an opinion as to whether the financial statements are free of material misstatement and are presented fairly in terms of IFRS. | The evidence the reviewer needs to express a conclusion on whether anything has come to his attention which causes him to believe the financial statements are not prepared in accordance with IFRS for SMEs.
Written assurance report | The audit opinion report on fair presentation (reasonable assurance) | The review conclusion (limited assurance)
and performance of the entity. The opinions that are made by the auditor are then reported to the
shareholders and stakeholders of an entity through the audit report.
Reasonable Assurance
Reasonable assurance is defined as a “high but not absolute” assurance level and it can be presented
only when the auditor has gathered evidence which is sufficient and appropriate to comfortably satisfy
him that the risks on which he presents an opinion are acceptably low. In terms of financial statement
audits, the auditor will be required to perform procedures and gather evidence that enables him to state
that financial statements are presented fairly and there are no evident material misstatements.
Reasonable assurance is given by the auditor by making use of the phrase “In our opinion the financial
statements present fairly….”
Limited Assurance
Limited assurance is considered as an assurance which is at a lower level than that of reasonable
assurance; it is, however, meaningful to the users of financial statements. In a limited assurance
engagement, the auditor’s collection of evidence is relatively less than that collected in a reasonable
assurance engagement, but it remains sufficient for the auditor to form a conclusion on the audit.
Limited assurance is achieved when the auditor performs tests that are fewer and uses sample sizes that
are smaller in comparison to those used for reasonable assurance.
Absolute Assurance
Having read the above discussion, you may be wondering why the auditor cannot certify or confirm that
the financial statements are 100% correct. Why is the auditor restricted to providing reasonable
assurance? By carrying out more procedures couldn’t he actually confirm that the financial statements
are correct? Essentially the reason that the auditor cannot certify (provide absolute assurance) is that
an audit has inherent limitations which prevent the auditor from certifying or confirming the 100%
correctness of a set of financial statements. ISA 200 provides the basis for the following explanation of
the inherent limitations of an audit
1. The skills and services which are offered by an accounting practitioner should be of a high specialisation
and quality and they require:
Intellectual abilities of a particular nature
A formal education and proficiency of a special body of knowledge
Proficiency in application of intellectual abilities and specialised knowledge which can be obtained
by a practical training process.
Activity
Think Point
What are the main differences between internal and external auditors and how
do they rely on each other for information when conducting an audit?
2. The evaluation of services that professionals deliver to the public cannot be performed effortlessly.
Regulatory mechanisms are implemented to ensure that the public and the profession are protected from
any incompetence or unethical behaviours. The regulatory mechanisms are inclusive of:
Laws that exist to prevent and restrict any unqualified persons from practicing in that profession
An organisation which is dedicated to ensuring the advancement of a profession and is devoted to
improving the services that those professionals render
An environment which is free from competition that is uninhibited to ensure services are carried out
in a dignified manner
A code of conduct that is actively supported, which can be used by the public to make judgements
on an accounting practitioner’s professional stature
3. The profession and members of the profession will be required to demonstrate ethical and intellectual
commitments as this will lead to transcending aspirations for financial gains.
4. The last mechanism, which can be considered as the most important aspect, is the ethical principles
that the members of an auditing profession will need to obey. This will be discussed in UNIT 2 but
includes the following principles:
Objectivity
Integrity
Professional competence and due care
Confidentiality
Professional behaviour
Think Point
In this unit, the dominant bodies that we will deal with in South Africa are the South African
Institute of Chartered Accountants (SAICA) and the Independent Regulatory Board for Auditors (IRBA), as
they play roles which can be overlapped and interlinked.
Revision Questions
2. As discussed in this unit, there are various different types of auditors which exist.
You are required to discuss the one common characteristic which is shared
among these auditors.
Solution:
The different types of auditors share one characteristic in common, which is
independence, as any audit conducted without a degree of independence from
the entity being audited will make the results and assurance provided by the
auditor ‘worthless’.
Solution:
The responsibility of the IRBA is to take care of the interest of professional
auditors. Affairs such as registration, training, accreditation with
professional bodies, education and the prescribed ethical and competent
standards are dealt with by the IRBA.
The IRBA is responsible for the protection of the public when dealing with
registered auditors and to partake in disciplinary measures against
members who are in transgression of the rules.
Activity – Solution
An auditor should possess skills that are of a high quality as all stakeholders and users
of financial information place reliance on the opinions given by audits when making
financial decisions regarding an entity.
1.7 Summary
The role of an auditor is imperative in the strengthening of the credibility of financial information that is presented
to the public and the stakeholders of a company. This role is performed when auditors give an expression of their
opinions on whether or not the financial information which is presented in the financial statements of an entity is
fair and reliable. The confidence that stakeholders place on the opinion of an auditor can only be preserved if the
public accepts that auditors are professional practitioners that are clearly distinguishable from the general public
and that each individual auditor and the profession is in adherence with a strict set of codes and ethical values.
“Financial information is the lifeblood of the economy and it is vital in the interests of society (the public at large)
that such information be fair and credible”.
Unit 2: Code of Ethics for Auditors
2.1 Introduction to the Fundamental Principles of the Code of Ethics | Explain the fundamental principles of the code of ethics and apply the code to various ethical scenarios
2.2 Threats to Compliance with the Fundamental Principles of the Code of Ethics | Demonstrate knowledge of the possible threats that could impact an auditor’s compliance with the code of ethics
2.3 Safeguards Against Threats to the Principles of the Code of Ethics | Provide explanations of safeguards that could be implemented to prevent threats against the principles of the code of ethics
Prescribed Textbook
Recommended textbooks:
Coetzee, P., du Bruyn, R., Fourie, H. and Plant K. (2019). Internal
Auditing an Introduction. 6th Edition. Lexis Nexis.
Coetzee, P., du Bruyn, R., Fourie, H. and Plant K. (2019). Performing
Internal Audit Engagements. 6th Edition. Lexis Nexis.
A. Integrity
The principle of integrity imposes an obligation on all chartered accountants to be
straightforward and honest in all professional and business relationships.
A chartered accountant shall not knowingly be associated with reports, returns, communications
or other information where the chartered accountant believes that the information:
Contains a materially false or misleading statement
Contains statements or information furnished recklessly
Omits or obscures information required to be included where such omission or obscurity
would be misleading.
If the chartered accountant becomes aware that there has been association with such
information, they must take steps to be disassociated from that information.
B. Objectivity
The principle of objectivity imposes an obligation on all chartered accountants not to compromise
their professional or business judgment because of bias, conflict of interest or the undue influence
of others.
C. Professional Competence and Due Care
Competent professional service requires the exercise of sound judgment in applying professional
knowledge and skill in the performance of such service. Professional competence may be divided
into two separate phases:
Attainment of professional competence
Maintenance of professional competence
A chartered accountant shall take reasonable steps to ensure that those working under the
chartered accountant’s authority in a professional capacity have appropriate training and
supervision.
Where appropriate, a chartered accountant shall make clients, employers or other users of the
chartered accountant’s professional services aware of the limitations inherent in the services.
A chartered accountant shall not undertake or continue with any engagement which the chartered
accountant is not competent to perform, unless the chartered accountant obtains advice and
assistance which enables the chartered accountant to carry out the engagement satisfactorily.
D. Confidentiality
The principle of confidentiality imposes an obligation on all chartered accountants to refrain from:
Disclosing outside the firm confidential information acquired as a result of professional
and business relationships without proper and specific authority or unless there is a
legal or professional right or duty to disclose
Using confidential information acquired as a result of professional and business
relationships to their personal advantage or the advantage of third parties.
A chartered accountant shall maintain confidentiality of information within the firm or employing
organisation.
A chartered accountant shall take reasonable steps to ensure that staff under the chartered
accountant’s control and persons from whom advice and assistance is obtained respect the
chartered accountant’s duty of confidentiality.
The need to comply with the principle of confidentiality continues even after the end of
relationships between a chartered accountant and a client. When a chartered accountant
acquires a new client, the chartered accountant is entitled to use prior experience. The chartered
accountant shall not, however, use or disclose any confidential information either acquired or
received as a result of a professional or business relationship.
As a fundamental principle, confidentiality serves the public interest because it facilitates the free
flow of information from the chartered accountant’s client or employing organization to the
chartered accountant.
E. Professional Behaviour
The principle of professional behaviour imposes an obligation on all chartered accountants to
comply with relevant laws and regulations and avoid any conduct that the chartered accountant
knows or should know may discredit the profession. This includes conduct that a reasonable and
informed third party, weighing all the specific facts and circumstances available to the chartered
accountant at that time, would be likely to conclude adversely affects the good reputation of the
profession.
In marketing and promoting themselves and their work, chartered accountants shall not bring the
profession into disrepute. Chartered accountants shall be honest and truthful and not:
Make exaggerated claims for the services they are able to offer, the qualifications they
possess, or experience they have gained
Make disparaging references or unsubstantiated comparisons to the work of others.
Multiple firms:
An individual chartered accountant is permitted to be a member of more than one registered
firm and some other type of professional firm providing professional services. It is also
permissible to practice under different firm names for different offices, provided this does not
mislead.
Individual chartered accountants who are members of registered audit firms as well as being
members of other accounting or consulting firms that provide professional services and have
individual members who are not chartered accountants, must ensure there is a clear distinction
between the different firms and the members thereof, and that they do not unwittingly
contravene section 41(2) of the Act, or cause it to be contravened by the members of those
other accounting or consulting firms who are not individual chartered accountants.
2.2 Threats to Compliance with the Fundamental Principles of the Code of Ethics
Once the fundamental principles included in the code of ethics have been identified, the following circumstances
which pose threats to an auditor’s compliance with the fundamental principles will need to be examined.
A. Self-interest threats:
A self-interest threat is a threat whereby a financial or other interest influences the behaviour or
judgement of a chartered accountant or auditor which results in him acting in the best interest of himself
rather than his client. For example:
A chartered accountant holds shares in a client that he is auditing – Objectivity is threatened
If an audit or accounting firm’s survival is dependent on fees from a single client – Objectivity is
threatened
An audit team member becomes an employee of the client once the audit has been completed –
Objectivity is threatened
The client is pressurising the audit firm to provide them with a reduced fee – Objectivity, professional
competence and due care are threatened as the team will be forced to “cut corners” in order to save
on fees
Information of a financial nature is obtained from the board of directors by the engagement client
which can be used for his own financial gain – Confidentiality, objectivity, professional behaviour
and integrity are threatened
B. Self-review threats
“Threats that a chartered accountant will not appropriately evaluate the results of a previous service
performed by the chartered accountant or by another individual in his firm, on which the chartered
accountant will rely as part of a current service”.
For example:
A financial accountant who was employed by an audit client resigned and was hired by
the audit firm which conducts the audits for his previous employer. He was subsequently placed on
the audit team for an audit that is currently being conducted at his previous employer – Objectivity,
due care and professional competence are threatened.
A firm who designed and implemented the internal control system for a client is also hired to perform
an audit at the company – Objectivity and professional competence and due care are threatened as
the team will make the assumption that the client’s internal controls are effectively working due to the
fact that they had designed the controls.
C. Advocacy threats
“Threats may arise when a chartered accountant promotes a client’s position to a point that his
subsequent objectivity may be compromised for example: A chartered accountant values a client’s
shares and then leads the negotiations on the sale of the client’s company”.
D. Familiarity threats
Threats which can arise from a relationship of a personal nature that the accountant has with others.
For example:
The acceptance of gifts or special treatment from an audit client – Objectivity is threatened as
the professional relationship which should exist between the auditor and the client is threatened.
E. Intimidation threats
When an accountant is threatened physically or pressurised into acting in a manner which impacts
their objectivity.
For example:
The chartered accountant of a business neglects to disclose fraud that is being committed by
his head of department as he is afraid that he might also be dismissed – Integrity, professional
behaviour and objectivity are threatened
“An audit firm is being threatened with dismissal from the engagement (objectivity). Pressure to
accept an inappropriate decision on an accounting matter, is exerted by the client’s financial
director on a young, inexperienced audit manager- Objectivity and integrity are threatened”
Note: All threats do not neatly and perfectly fit into the above categories, however, they should still be
addressed and dealt with.
Think Point
interest of the public and it should be a decision which any other reasonable third party would make after taking
the relevant information into account.
Activity
a. Why should an audit firm not be responsible for conducting an audit for a client
for a period exceeding 5 years?
b. According to the code of professional conduct, threats are categorised into the
following categories: self-interest threats, self-review threats, advocacy threats,
familiarity threats and intimidation threats. Provide an explanation of each of the
different types of threats with at least 1 example to support each explanation.
Revision Questions
1. For each of the examples listed below, indicate the fundamental principle that has
been threatened, the type of threat and provide possible safeguards against these
threats.
A. Thembi Walter is an audit partner in ABC audit firm. Thembi owns a shareholding
of 19% in a company which is a client of the audit firm.
B. Masey Fox is the audit manager for XYZ audit firm and one of his clients has
offered him employment at the company which will include a much higher
compensation.
C. Aisha Muzuva, an auditor, realised that she could make an extensive amount of
money if she advises her husband to invest and purchase shares in the company
which she is conducting an audit at; however, he must purchase the shares before
the financial statements are published.
D. The financial director of Kippers Ltd has made an offer to the audit team to take
them on a weekend trip to a safari with all expenses paid for, which will become
an event that occurs on a yearly basis should all audit deadlines be met annually.
E. The financial director of GeminiTech (Pty) Ltd has a very hostile, authoritarian
and dismissive attitude towards the audit function and the entire audit team.
Solution:
B. Masey Fox is the audit manager for XYZ audit firm and one of his clients has offered him
employment at the company which will include a much higher compensation.
Type of threat: Self-interest
Fundamental principles threatened: Objectivity, integrity and professional behaviour – Masey can
overlook audit findings that reveal discrepancies or inconsistencies as he will try to prevent
jeopardising the job offer that was made to him.
Safeguards: Masey should be removed from the audit engagement team or the work performed by Masey
should be reviewed by an accountant who is independent from the engagement.
C. Aisha Muzuva, an auditor, realised that she could make an extensive amount of money if she advises
her husband to invest and purchase shares in the company which she is conducting an audit at,
however, he must purchase the shares before the financial statements are published.
Type of threat: Self-interest
Fundamental principles threatened: Integrity, confidentiality, objectivity and professional
behaviour – The Inside Trader Act will be contravened by Aisha as she will be acting with dishonesty
and making use of confidential company information for her personal gain. Her objectivity will also
be compromised as she will not be acting in the best interest of the company, should her
Safeguards: The company’s audit committee should be familiarised with the situation and they should
implement safeguards. There should be continuous education available to employees with regard to
ethical issues and compliance with legislation. This breach emanates in an immediate
D. The financial director of Kippers Ltd has made an offer to the audit team to take them on a
weekend trip to a safari with all expenses paid for, which will become an event that occurs on a
yearly basis should all audit deadlines be met annually.
Type of threat: Familiarity
Fundamental principles threatened: Objectivity, professional competence and due care – the
professional relationship which should exist between the auditor and the engagement client will be
influenced by this trip. The financial director may expect payback for his efforts in terms of the
audit team doing him certain favours when conducting audits. The indication of possible future trips
being made should deadlines be met will compromise the audit team’s abilities as they may ‘overlook’
errors to ensure that all deadlines are met.
Safeguards: The audit firm should implement a policy which states that accepting gifts and
hospitality of a material nature should be prohibited. Any transgressors should be dealt with
appropriately.
E. The financial director of GeminiTech (Pty) Ltd has a very hostile, authoritarian and dismissive
attitude towards the audit function and the entire audit team.
Type of threat: Intimidation
Fundamental principles threatened: Objectivity, professional competence and due care are
threatened – The audit team’s professional judgement may be compromised as they can be bullied into
disregarding any problems that they discover due to fearing the financial director.
Safeguards: The individuals who form part of the engagement team should be experienced and
strong-minded to ensure that they are not easily intimidated by the financial director and they
should be able to stand their ground. The audit firm should perform quality procedures and decide if
they would want to continue a professional relationship with the client.
Activity Solutions
a. To enhance the independence and objectivity of the audit by preventing the threat
of familiarity among the auditor and the employees of the entity.
b.
2.4 Summary
The principles in the code of ethics will assist chartered accountants and auditors to evaluate their actions and
events which may impact their ability to act in a professional manner. The principles in the code will govern the
behaviour of the accountant and auditor and it will ensure that they act in the best interest of the engagement
client.
Unit 3: Corporate Governance and King IV
3.3 The King IV Code of Corporate Governance: Understand and apply the principles of the King IV Code on
Corporate Governance
Prescribed Textbook
Recommended textbooks:
Coetzee, P., du Bruyn, R., Fourie, H. and Plant K. (2019). Internal
Auditing an Introduction. 6th Edition. Lexis Nexis.
Coetzee, P., du Bruyn, R., Fourie, H. and Plant K. (2019). Performing
Internal Audit Engagements. 6th Edition. Lexis Nexis.
3.1 Introduction
Corporate governance is defined as “the exercise of ethical and effective leadership by the governing body
towards the achievement of governance outcomes that include ethical culture, good performance, effective
control and legitimacy”. It is important to note that ‘good corporate governance’ is not just linked with large
companies but can be applied to any entity, as good corporate governance forms part of an integral
system when running a business. Corporate governance can differ across enterprises of different natures
and it is not necessarily a “one size fits all” situation.
In an attempt to promote good corporate governance among South African companies, the King Commission
drew up a summary of the best international practices in corporate governance. The First King Report on
Corporate Governance was published in 1994 in response to the increasing concern over corporate failures and
the perceived need for a formal code of corporate governance. It sought to assist companies and their directors
by providing a comprehensive set of principles and guidelines to codify, clarify and (in some circumstances)
expand upon the common law principles of corporate governance.
The Second King Report ("King II") was finalized in March 2002 and it reviewed and expanded on the first report.
The Third King Code and Report on Corporate Governance was released on 1 September 2009 ("King III"), and
became effective on 1 March 2010. It was prompted by a number of developments that had occurred since the
release of King II, including the publication of the new Companies Act 71 of 2008 ("new Companies Act"). King
IV was published on 1 November 2016 and is effective for all financial years commencing on or after 1 April 2017.
King IV moved from a rules-based approach to a more principle- and outcomes-based approach. King IV distilled
the 72 principles previously embodied in King III down to 17 principles. Recommended practices support the 17
principles. It is assumed that if these recommended practices are implemented the related principle will be
achieved. King IV has also moved from an “apply or explain” to an “apply and explain” basis. King III required
an explanation if any principle was not applied. King IV assumes the application of all principles and companies
must explain how they have implemented each principle. King IV also provides additional guidance to different
categories of organisations such as small and medium entities, non-profit organisations, public sector
organisations and entities, municipalities and pension funds. This is to ensure a wider implementation of King IV
across all sectors.
King IV for the first time has included a definition of corporate governance as follows:
- the exercise of ethical and effective leadership by the governing body towards achievement of the
following governance outcomes:
Ethical culture
Good performance
Effective control
Legitimacy
Think Point
Discuss the governance outcomes in detail and think of examples for each
outcome.
King IV defines 17 principles to attain the four governance outcomes. The principles are supported with
recommended practices that explain what needs to be implemented to achieve each principle.
King IV refers to governing bodies in assigning responsibilities and these are defined as “the structure
that has primary accountability for the governance and performance of the organisation. Depending on
context, it includes, among others, the board of directors of a company, the board of a retirement fund,
the accounting authority of a state-owned entity and a municipal council. Members of governing body
(also referred to as those charged with governance duties) are those who are duly appointed to serve
on the governing body and/or its committee.”
2. Organisational ethics
Principle 2: The governing body should govern the ethics of the organisation in a way that supports the
establishment of an ethical culture
The recommended practices that the governing body should perform are summarised as:
Set the direction for ethics in the organisation;
Approve codes of conduct and ethics policies as well as ensure that they include all stakeholders
and key ethical risks;
Ensure that there are ways for stakeholders to be made familiar with the codes of conduct and
ethics policies;
Delegate implementation of codes of conduct and ethics policies to management and provide
ongoing oversight of this management, including results in such matters as recruitment, employee
remuneration, supplier selection, breach management, whistleblowing and independent
assessments; and
Disclose how ethics are being managed, focus areas, monitoring measures and how ethical
outcomes are addressed.
The recommended practices that the governing body should perform, are summarised as:
Set the direction for good corporate citizenship, including compliance with the Constitution, laws,
standards and own policies and procedures, as well as congruence with the organisation’s purpose,
strategy and conduct;
Oversee and monitor (using agreed performance indicators and targets) the organisation’s status
as a good corporate citizen in such areas as the workplace, economic behaviours and results,
societal and environmental impacts; and
Disclose how corporate citizenship is managed, current and future focus areas, monitoring
measures and how corporate citizenship outcomes are addressed.
The recommended practices that the governing body should perform, are summarised as:
Steer and set the direction, purpose and strategy of the organisation;
Delegate to management the formulation and thereafter approval of strategy with due reference to
timelines, risks and opportunities, resources and relationships, legitimate expectations of
stakeholders, changes in the six capitals and the inter-connectedness and interdependencies of all
these factors;
Approve management’s policies and operational plans, including key performance measures and
targets;
Delegate the implementation of policy and plans to management;
Oversee implementation of the strategy and plans by management against the agreed performance
measures and targets;
Oversee that there is ongoing assessment and response to any negative consequences for the
economy, society and environment by the company using its 6 capitals; and
Be alert to the organisation’s general viability, reliance and effect on its capitals, solvency and
liquidity and its going concern status.
5. Reporting
Principle 5: The governing body should ensure that reports issued by the organisation enable
stakeholders to make informed assessments of the organisation’s performance, and its short, medium
and long-term prospects.
The recommended practices that the governing body should perform, are summarised as:
Set the direction, approach and conduct for the organisation’s reporting;
Approve the reporting frameworks to be used;
Oversee that the various reports are compliant with legal reporting requirements and meet the
reasonable and legitimate needs of material stakeholders;
Ensure that an annual integrated report is issued (either as a stand-alone report or as part of
another report);
Approve the bases for determining materiality for the purposes of including in reports;
Ensure the integrity of external reports; and
Oversee publication and access by stakeholders of the King Code™ disclosure requirements,
integrated reports, financial statements and other external reports on its website or other
appropriate platform/media.
The recommended practices that the governing body should perform, are summarised as:
Exercise its leadership role; have a charter; approve a protocol for it, its committees and members to get
professional advice; approve a protocol for non-executive members to get documentation and meetings
with management;
Disclose the number of its meetings and attendance thereof; and
Discharge its responsibilities in relation to its charter.
The recommended practices that the governing body should perform, are summarised as:
Consider the past performance of a member prior to nomination for re-election, and for potential
non-executive directors request information of other commitments and whether he/she has sufficient
time;
Investigate and verify potential members’ backgrounds and qualifications;
Disclose potential candidates’ profile and commitments, as well as governing body’s endorsement, with
annual general meeting notices; and
After election of an incoming member, issue a letter of appointment, provide induction and for
inexperienced members a mentor and training. Obtain ongoing professional development.
Assess a member for independence every year after 9 years of serving as a member, and allow
continuance as an independent member if the same would be judged by a reasonable and informed
third party;
Disclose satisfaction with:
composition of mix of governing body;
gender and race targets and progress made;
categorization of each director (including more information on directors serving longer than nine
years);
members’ qualifications, experience, age, period of service, other governing body and positions held;
and
reasons for departing members
The recommended practices that the governing body should perform, are summarised as:
General
Determine delegation to individual members, groups of members, standing or ad-hoc committees;
Assume all the responsibilities itself if no delegations are made;
Provide and approve formal terms of reference to committees, and record in writing details of delegation
to a member or group of members;
Ensure that composition, roles and responsibilities of committees are complementary, not
fragmented or duplicated and that there is no undue reliance or dominance by any individual
member;
Ensure that each committee has a minimum of three members and sufficient capability and
capacity to function effectively;
Allow any member to attend any committee meeting as an observer, and allow management to
attend by standing or ad-hoc invitation;
Apply its mind to the information and results provided to it by its committees as delegation to a
committee does not discharge the governing body of its accountability; and
Disclose for every committee its role and responsibilities, composition (with members’
qualifications and experience), advisors and attendees, areas of focus, number of and
attendance at meetings, whether it is satisfied that it has fulfilled its responsibilities.
Audit Committee
Must in terms of law establish an audit committee for certain organisations (and should consider
establishing one for those that issue audited financial statements) that has as its role to provide
independent oversight of the assurance functions and on the integrity of the annual financial
statements and other external reports;
May delegate (in addition to any statutory duties where applicable) other governance responsibilities
such as approval of annual financial statements and risk governance (whilst ensuring sufficient time
for the latter) but remains accountable;
Ensure that the audit committee oversees risks that may affect the integrity of external reports;
Ensure that the audit committee as a whole has the necessary financial literacy, skills and
experience, and that all members are independent non-executive members of the governing body;
Appoint an independent non-executive chair;
Ensure that the audit committee meets annually with external and internal auditors without
management;
Disclose (in addition to statutory disclosure requirements) all the above general matters relating to
committees, plus:
a statement on the independence and specific particulars thereof for the external auditor;
significant annual financial statement matters and how addressed;
views on quality of external audit;
effectiveness of the chief audit executive and internal audit;
effectiveness of the design and implementation of internal financial controls;
effectiveness of the CFO and finance function; and
on combined assurance and the effectiveness thereof.
Ensure that the social and ethics committee has executive and non-executive members with a majority
being non-executive members of the governing body; and
Disclose the role and responsibilities, composition (with members’ qualifications and experience),
advisors and attendees, areas of focus, number of and attendance at meetings, whether it is satisfied
that the social and ethics committee has fulfilled its responsibilities.
The recommended practices that the governing body should perform, are summarised as:
Assume responsibility for performance evaluations of itself, its committees, its chair and individual
members;
Appoint a lead independent director if there is not one to lead the evaluation of the chair;
Ensure that every two years an externally facilitated performance evaluation (or one not in
accordance with the approved methodology of the governing body) is conducted on itself, its
committees, its chair and individual members; and every alternate year reflect on the performance
of itself, its committee, its chair and its members as a whole; and
Disclose a description of the performance evaluations, scope, formality, whether or not externally
facilitated, an overview of results and remedial actions, whether it is satisfied that it is improving its
performance and effectiveness.
The recommended practices that the governing body should perform, are summarised as:
Delegation
Reserve certain powers and matters to itself and set those powers and matters to be delegated
to management via the CEO;
The recommended practices that the governing body should perform, are summarised as:
Set the approach for risk governance, including opportunities and risks when developing strategy and
the potential positive and negative effects of the same risk on the achievement of objectives;
Treat risk as an integral part of decision-making and adherence to duties, approve risk policy, evaluate
and agree the risks it is prepared to take (i.e. risk appetite and risk tolerance levels);
Delegate to management risk management implementation;
Oversee the risk management (including assessment of risks and opportunities in relation to the triple
context and use of 6 capitals, achievement of objectives, dependency on resources as well as the risk
responses, business continuity and culture of the organization);
Consider receiving periodic, independent assurance on the effectiveness of risk management; and
Disclose nature and extent of risks and opportunities; overview of the risk management system; areas
of focus; key risks, unexpected risks, risks taken outside tolerance levels; and actions to monitor and
address risk management.
Think Point
The recommended practices that the governing body should perform, are summarised as:
Direct the governance of compliance to laws, adopted non-binding rules, codes and
standards;
Approve policy that directs compliance;
Delegate to management the responsibility for implementing compliance management;
Oversee compliance management so that it is understood, relates holistically and is
responsive to changes and developments following continuous monitoring of the
regulatory environment; and
Disclose an overview of compliance management; areas of current and future focus;
actions to monitor and address compliance management; material or repeated sanctions,
fines and penalties on the organization, its officers and/or members; environment
regulator inspections and incidents of noncompliance and the consequences.
The recommended practices that the governing body should perform, are summarised as:
Remuneration policy
Set the direction and approach for remuneration of the organization and approve
remuneration policy that aspires to fairness, responsibility and transparency;
Design the remuneration policy to attract and retain human capital, promote achievement
of strategic objectives, positive outcomes, an ethical culture and responsible corporate
citizenship;
In the remuneration policy, address organization-wide remuneration and that of executive
management such that it is fair and responsible, use appropriate measures and outline
voting by shareholders;
In the remuneration policy set out all elements of remuneration; and
Oversee implementation of the policy so as to ensure achievement of the policy objectives.
Remuneration report
Disclose the remuneration report in three parts;
I. background statement;
II. main policy provisions; and
III. an implementation report of all remuneration to members and executive management.
I. Background statement
In the remuneration background statement, provide information on:
context and decision-making factors;
results of voting on the policy and implementation report and responses thereto;
current and future focus areas;
key decisions and changes; and
use of remuneration consultants and if the remuneration committee was satisfied with
their independence and objectivity, and if they were satisfied as to whether the policy
achieved its objectives.
Voting on remuneration
For companies:
comply with the Companies Act provisions relating to shareholder special resolution
approval every two years for non-executive members;
table annually the remuneration policy and implementation report at the AGM, and record
voting results;
take measures to address dissenting votes where they are 25% or more against the policy
and/or the implementation report; and
disclose in the background statement, actions taken to engage with and address concerns
in the event of 25% or more dissenting vote.
15. Assurance
Principle 15: The governing body should ensure that assurance services and functions enable
an effective control environment, and that these support the integrity of information for internal
decision-making and of the organisation’s external reports
The recommended practices that the governing body should perform, are summarised as:
I. Combined Assurance
Direct assurance services and functions and delegate to the audit committee oversight to
ensure an effective internal control environment, integrity of information for management
decision making and external reporting;
Ensure a combined assurance model is applied that covers the significant risks and
material matters through a combination of the organisation’s line functions, risk and
compliance functions, internal auditors, fraud examiners, safety assessors, actuaries,
external auditors, other assurance providers and regulatory inspectors; and
With its committees, assess output of the combined assurance and form their own opinion
on integrity of information and reports and effectiveness of the control environment.
Approve the appointment, contract and remuneration of the CAE whilst ensuring that
he/she is suitably capable;
Ensure the CAE has access to the audit committee chair, but that the CAE is not a member
of the executive;
Ensure that if internal audit is outsourced that there is clarity on who is the CAE;
Ensure that the CAE reports to the chair of the audit committee on internal audit duties
and on other matters to a designated executive;
Be responsible for removal of the CAE;
Monitor that internal audit follows a risk-based plan, reviews the risk profile regularly and
adapts the plan accordingly;
Ensure internal audit makes an annual statement on the effectiveness of the governance,
risk management and controls;
Ensure that the internal audit is externally and independently reviewed every 5 years; and
Confirm annually with the CAE that the internal audit function conforms to a code of ethics.
16. Stakeholders
Principle 16: In the execution of its governance roles and responsibilities, the governing body
should adopt a stakeholder–inclusive approach that balances the needs, interests and
expectations of material stakeholders in the best interests of the organisation over time
The recommended practices that the governing body should perform, are summarised as:
I. Stakeholders relationships
Direct the stakeholder approach and approve policies to this effect;
Delegate to management effective stakeholder relationship management;
Oversee the management of stakeholder relationships including methodology for
identification, material stakeholders, management of stakeholder risk, formal mechanisms
for engagement and communication, and measurement of quality of stakeholder
engagement; and
Disclose an overview of stakeholder management, current and future focus areas and
actions taken to monitor and address stakeholder engagement effectiveness.
In the case of a company, ensure that all directors are available at the AGM, that the
external audit partner is at the AGM and that the minutes of the AGM of listed companies
are made publicly available; and
In the case of a company, ensure equal treatment of all shareholders and that minority
interests are protected.
oversee that the formal outsourcing mandate incorporates the responsible investment
policy;
ensure accountability for complying with the formal mandate; and
disclose the responsible investment code adopted and its application thereof.
Revision Question
Question 1
The audit committee plays an imperative role in the decision-making process of an entity
regarding the performance of audits. Discuss matters which should be disclosed to the
audit committee.
Solution 1
a statement on the independence and specific particulars thereof for the external
auditor;
significant annual financial statement matters and how addressed;
views on quality of external audit;
effectiveness of the chief audit executive and internal audit;
effectiveness of the design and implementation of internal financial controls;
effectiveness of the CFO and finance function; and
on combined assurance and the effectiveness thereof.
Question 2
“Corporate governance is the system of rules, practices and processes by which a firm
is directed and controlled. Corporate governance essentially involves balancing the
interests of a company's many stakeholders, such as shareholders, management,
customers, suppliers, financiers, government and the community”. With the above
definition in mind, discuss the objectives of the KING IV report on corporate governance.
3.4 Summary
The King IV report assumes the application of all principles and companies must explain how they have
implemented each principle. This report on corporate governance serves as a major guideline for the way in
which companies practise business.
Unit 4: General Principles of Auditing
4.2 Internal controls: Illustrate an understanding of the internal controls that are
implemented in a business and examine their purpose
4.3 Audit Evidence: Demonstrate the importance of audit evidence provided by the
auditor which is linked to the financial statement assertions
4.4 Auditors Toolbox
4.5 Audit Sampling Examine the various forms of evidence that an auditor can
gather when conducting an audit
Prescribed Textbook
Recommended textbooks:
Coetzee, P., du Bruyn, R., Fourie, H. and Plant K. (2019). Internal
Auditing an Introduction. 6th Edition. Lexis Nexis.
4.1 Introduction
In this chapter we will discuss the general principles of auditing and how the auditor utilises these principles when
conducting an audit for an engagement client. The controls, the evidence an auditor collects, the toolbox they use
when collecting evidence and the various sampling methods that are utilised by the auditor are discussed.
B. It is effected by people – internal controls do not only entail policies and procedures, it requires
the involvement of people at various levels in the organisation to perform a certain task.
C. Management does not have the sole responsibility for internal controls – the responsibility for
internal controls is shared between management, the board of directors and employees.
D. Internal controls are not static in nature – internal controls are implemented as a response to
the risks that come with operating a business, therefore, as the risks change the responses to these
risks will need to change.
E. Internal controls are not fool proof – internal controls can only provide a reasonable assurance
that any of the risks which can prevent an entity from achieving their objectives will be addressed
as internal controls have limitations (discussed below).
F. A single internal control will not be able to address a single risk – all existing internal control
policies and procedures will be required to function in conjunction with one another as the ability
to control a risk is achieved most effectively by combining these actions and policies.
A. Management’s interpretation that the cost of implementing internal control procedures outweighs
the benefits that can be expected.
B. Internal controls are generally directed at transactions that are routine in nature, and transactions
which are non-routine are ignored.
D. Internal controls can be circumvented as a manager can possibly be in collusion with an employee
of the entity or a party that is external to the organisation.
E. The person responsible for exercising internal controls could exploit their position by overriding
controls as and when they see fit.
F. Internal controls can become inadequate due to changing circumstances and conditions which
could negatively impact on compliance with certain procedures.
Activity 1
Jabu Thulani is a junior auditor for AXY Pty (Ltd). He is currently experiencing
struggles with understanding the internal control process and why internal
controls cannot be created for each possible risk that the entity could be faced
with. You are required to provide Jabu with the possible limitations that could
prevent the entity from achieving its objectives.
The control environment is responsible for setting the tone and atmosphere of an entity in which employees
can perform their duties.
An effective control environment is one which includes competent employees who have an
understanding of their duties and who have a degree of commitment to “do things the right way” as
these employees will have the ability to be committed to the policies and procedures of an entity in a
manner which is constructive, ethical and appropriate.
The basis of the control environment is one of technical competence and ethical commitment and is
inclusive of the following:
In order for controls to be effective, employees at all different levels in an entity will need to perform
with integrity and have resilient ethical characteristics.
Every employee should be competent and committed to performing their tasks with competency.
The participation of the board of directors and commitment to their ethical behaviour is imperative.
Management’s philosophy and operating style is a major factor of the control environment as they will
be responsible for setting an example which will emphasize and highlight the importance of having an
internal control process.
The structure of the organisation should be effective in recognising areas that are important in terms
of the appropriate reporting lines to figures of authority.
The assignment of authority and responsibility is imperative as individuals should have full awareness
with regard to the manner in which they exercise their authority and the extent of their authority.
Human resources policies and practices possibly play the most integral role in the control
environment of an entity as a company which lacks in sound policies governing its employees will have
a substandard control environment.
Operational risks – these risks threaten the achievement of effective and efficient operations in an
entity’s functions and departments. E.g.: Risk of inventory being stolen, risk of unauthorised persons
having access to confidential company information, the risk of payments being made for
unauthorised expenses, etc.
Financial reporting risks – these risks affect a company’s ability to achieve the objective of
implementing a sound accounting system which will record and process transactions that have
actually occurred, have been authorised, and are accurate and complete. E.g.: Risk of wages being paid
to employees that are fake and do not exist, risk that journal entries and transactions that are not
authorised have been processed, risk of incorrectly calculating discounts and VAT payments, etc.
Compliance risk – these risks impact the entities ability to comply with laws and regulations that are
applicable to them. E.g.: environmental laws, tax laws, labour laws, etc.
Subsequent to the definition of objectives and identification and assessment of risk the entity can then respond
to these risk. The response of management can entail:
Implementing an information system and relevant business process
Designing and implementing control activities which can assist in the reduction or elimination of
particular risks.
4. Control activities
Segregation of duties
Segregation of duties is an imperative control as it plays an important role in the reduction of risks
that can emanate from actions that are illegal, inappropriate or made in error. The idea of
segregation of duties is to ensure that the procedures which are conducted in respect of
transactions are correctly divided among various employees, and that the individual who takes
custody of assets is not the same person that is responsible for the records relating to
those assets. The greatest downfall of segregation of duties is the collusion which can occur
between employees, as discussed previously.
Isolation of responsibilities
For internal control systems to be effectively employed, the individuals who are involved must
have full awareness of the responsibilities that are given to them; this ensures that individuals
are accountable for their specific performances. The tasks that are performed by employees must
be acknowledged by the signing of documentation, which will enable the isolation of the employee
who was responsible for a specific control activity. This prevents an employee from transferring
the responsibility of a certain task onto another employee.
Access / Custody
This control activity will be inclusive of policies and procedures that provide protection for a
company’s assets, as an entity is in possession of assets and confidential information and
documentation that will need to be safeguarded from any threats.
Access/custody controls are designed with the purpose of:
Preventing the deterioration of non-physical book assets for example: ensuring that debtors
are not late with their payments.
Preventing use of assets that are unauthorised as well as the theft of assets (physical and
non-physical).
Performance reviews
Reviewing performances is a control activity which provides the entity with a basis for the
identification of problems. The reviewer who conducts a review will investigate for
inconsistencies and the reasonableness of the data that is under review. Conditions which
are unexpected or unusual in nature will immediately be followed up on. This control activity
is generally conducted by persons who are in a managerial position.
specifically to prevent a loss from occurring. Types of preventative controls are inclusive of segregation
of duties, physical control over assets and authorisation of transactions.
Detective controls - as previously discussed, internal controls cannot guarantee the prevention of all
threats or errors that an entity may face, however, errors that slip through the prevention control stage
will be dealt with in the detective control stages. These controls are designed and implemented to identify
the errors or thefts which could not be prevented. Types of detective controls are inclusive of
reconciliations and reviews and segregation of duties.
Corrective controls – corrective controls are designed and implemented to assist in providing
resolutions for the errors that have been detected by the detective controls.
5. Monitoring of controls
This is the final element in the internal control process and entails assessing the
performance and effectiveness of internal controls over a period of time.
The reason management implements internal controls is to ensure that the objectives set by them are
achieved, and the monitoring process will indicate to management how well their internal controls are
performing. Monitoring can be successfully achieved by management by conducting ongoing self-
assessments, the presence of supervisory employees such as heads of departments as well as internal
audit and risk committees.
“The important point about monitoring the internal control system is that if it is not carried out, neither
the board nor management will know whether the entity's financial reporting is effective, operations are
being effectively and efficiently conducted and the entity is complying with applicable laws and
regulations”.
be impossible in a large entity, but they are however required to perform audit procedures on a sample
of transactions from the population. The quantity of evidence that is required cannot be easily and
precisely calculated and it is a subjective decision which requires a high degree of professional
judgement from the auditor. The quantity of the audit evidence that is required is greatly dependent on
the extent of testing that is required in the audit which will be highlighted in the audit plan.
The sufficiency of evidence can however be complicated by “the fact that evidence about an assertion
is not gathered by performing a single procedure, but by performing a number of procedures each of
which contribute some evidence. Evidence is cumulative in nature. For example, evidence relating to
the existence of debtors can be gathered by performing a debtors circularisation and by testing
subsequent receipts from debtors”.
Reliability – some evidence may hold more reliability than other evidence, the hierarchy of reliable
evidence is expressed as follows:
The most reliable source of evidence is developed by an auditor. E.g.: the auditor
conducts an inspection of inventory to obtain evidence that it actually exists.
Evidence that is provided to the auditor directly by a third party is reasonably reliable –
the third party must be a person who is independent of the entity being audited and a
reputable and competent source. E.g.: information that is obtained from the client’s
attorney.
Evidence that is provided by a third party but has passed through the client is less
reliable. This is due to the client having access to the information and possibly tampering
with it. E.g.: bank statement that has not been directly sent to the auditor.
Evidence generated by the computer of the client becomes more reliable when the client
has effective internal controls implemented.
Evidence that the client directly provides to the auditor is the least reliable as it is not
independent.
Written evidence is more reliable than evidence obtained orally as oral evidence can be
easily manipulated, and evidence obtained from original copies of documents is more
reliable than photocopies.
Relevance – the relevance of audit evidence refers to how relevant the evidence obtained is in
relation to the assertion being audited.
Activity 2
The statements that follow are with regard to evidence that is sufficient and
appropriate. As a future auditor, you are required to indicate if you agree with
each statement and provide reasons for your decisions.
1. An auditor can only properly measure the appropriateness and sufficiency
of the audit evidence that will be used when expressing an opinion by
utilising statistical sampling methods when gathering
evidence.
2. Having conducted an audit of an entity in prior years will not have any
influence when the auditor is determining if the evidence gathered is
sufficient and appropriate for the current audit.
Nature
Definition: Which audit procedure to use? An audit procedure is a detailed instruction for the collection of particular audit evidence.
Example: Confirm the accounts receivable balance with the customer or check accounts receivable collections after year end.
Think Point
Can you think of alternative examples which could explain the nature, extent
and timing of the audit evidence that is provided by the auditor?
Table 4.2:
Assertion – Explanation
Occurrence – Transactions and events that have been recorded or disclosed, have occurred, and such transactions and events pertain to the entity.
Completeness – All transactions and events that should have been recorded have been recorded, and all related disclosures which should have been included in the financial statements, have been included.
Accuracy – Amounts and other data relating to recorded transactions and events have been recorded appropriately, and related disclosures have been appropriately measured and described.
Cut-off – Transactions and events have been recorded in the correct accounting period.
Classification – Transactions and events have been recorded in the proper accounts.
Presentation – Transactions and events are appropriately aggregated or disaggregated and clearly described, and related disclosures are relevant and understandable in the context of the requirements of the applicable financial reporting framework.
2 Assertions about account balances, and related disclosures, at the period end
Table 4.3:
Assertion – Explanation
Rights and obligations – The entity holds or controls the rights to assets, and liabilities are the obligations of the entity.
Completeness – All assets, liabilities and equity interests that should have been recorded, and all related disclosures that should have been included in the financial statements, have been included.
Accuracy, valuation and allocation – Assets, liabilities and equity interests have been included in the financial statements at appropriate amounts and any resulting valuation or allocation adjustments have been appropriately recorded, and related disclosures have been appropriately measured and described.
Classification – Assets, liabilities and equity interests have been recorded in the proper accounts.
Example 1 - When the auditor gathers evidence about sales transactions, he will be seeking evidence to
support the following assertions
Occurrence – All sales included are genuine sales (not fictitious) of the entity (a genuine sale of the company’s goods/services has occurred).
Completeness – All sales which were made, have been included in the total of sales made for the year.
Accuracy – All sales have been recorded appropriately: this implies prices are correct and that the correct discount and VAT rates have been used and correctly calculated.
Cut-off – All sales recorded, occurred in the accounting period being audited.
Classification – All sales have been posted to (recorded in) the proper account. This implies that a credit sale has been posted to the correct debtor’s account and that VAT has also been correctly posted.
Presentation – The sales transactions have been presented in terms of the disclosure requirements of the relevant financial reporting standard.
“The auditor will also ensure that related disclosures pertaining to “sales” are complete, accurate, relevant and
understandable. The assertions which do not apply to sales are existence, (accuracy) valuation and allocation
and rights and obligation. Why is this? It is because these three assertions apply to balances in the statement
of financial position which are carried forward to the following period, and not to transactions. To explain it slightly
differently, the auditor does not try to establish that a sale existed at reporting date, he seeks evidence that the
sale which is included in total sales, actually occurred; furthermore, the auditor does not seek to value the sale
at year end, he seeks to establish that the amount of the sale was correctly recorded at the time it was made
during the year”
Example 2 - When the auditor gathers evidence about plant and equipment he will be seeking evidence
to support the following assertions:
Existence – All plant and equipment included in the balance, existed at reporting date.
Completeness – All plant and equipment owned by the company, is included in the balance reflected in the financial statements.
Accuracy, valuation and allocation – The plant and equipment has been reflected in the statement of financial position at appropriate amounts; and that reasonable adjustments have been made for depreciation, impairment and/or obsolescence.
Rights – The company has (holds or controls) the right of ownership to the plant and equipment reflected in the statement of financial position (any encumbrances on that ownership must be disclosed).
Presentation – Plant and equipment has been appropriately aggregated/disaggregated and clearly described, e.g. plant and equipment has been presented in the statement of financial position aggregated with land and buildings as a separate line item under non-current assets as property, plant and equipment and has been disaggregated in the property, plant and equipment disclosure notes into plant and machinery, fixtures and fittings and tools and equipment.
Activity 3
External confirmation – Involves obtaining a direct written response from a third party to a request/query from the auditor to that third party in paper form or by electronic or other medium, e.g. the auditor requests a client’s debtors to confirm the amounts owed to the client at reporting date.
Re-performance – Involves the auditor’s independent execution of procedures or controls that were originally performed as part of the entity’s internal control.
Analytical procedures – Involves evaluating financial information through analysis of plausible relationships among both financial and non-financial information.
Inquiry – Consists of seeking information, both financial and non-financial, from knowledgeable persons within the entity or outside the entity.
(Jackson and Stent, 2019)
E.g.: To vouch a sales transaction the auditor will conduct an inspection of documentation, may
make enquiries relating to discounts and may verify the mathematical precision of the invoice by
recalculation. To authenticate the debtors' balance, the auditor can acquire confirmation in writing
from each debtor and can enquire as to what steps were used to calculate the allowance for bad
debts and thereafter perform a debtors’ age analysis.
“ISA 530 – Audit Sampling requires that when designing audit procedures, the auditor should determine
appropriate means for selecting items for testing so as to gather sufficient, appropriate audit evidence to be able
to draw reasonable conclusions on which to base the auditor’s opinion. The statement deals with the auditor’s
use of statistical and non-statistical sampling when designing and selecting the audit sample, performing tests of
controls and tests of detail, and evaluating the results from the sample”.
Step 6 – Selection of the sample: the sample can be selected using the following methods:
Random – Every unit in the population will have an opportunity of being selected.
Systematic – A starting point is chosen and then for example every 20th unit in the
population is selected.
Haphazard – the auditor is responsible for simulating randomisation. This method is not
accepted for statistical sampling.
Block – A block of items that have numerical consecutiveness are chosen.
Monetary unit sampling – the sampling unit will be every rand that is in the population.
The selection of larger amounts is inevitable in this method.
Step 7 – Performing the audit procedures
Step 8 – Analysing the nature and cause of any misstatements or deviations that may exist
Step 9 – The results are projected over the entire population
Step 10 – Evaluate the results
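The selection methods listed in Step 6 and the projection in Step 9 can be seen side by side in the following added example, which is not part of the module guide. The invoice population, the amounts, the misstatements found and the simple ratio projection are all constructed assumptions; haphazard selection is left out because it depends on the auditor's own judgement.

```python
import random
from bisect import bisect_left
from itertools import accumulate

# Constructed population of sales invoices: (invoice number, value in rand).
AMOUNTS = [120, 4500, 80, 950, 15000, 300, 60, 2200, 75, 640,
           8800, 150, 45, 1300, 500, 90, 27000, 410, 35, 700]
POPULATION = [(f"INV-{i:03d}", amt) for i, amt in enumerate(AMOUNTS, start=1)]


def random_sample(population, size, seed):
    """Random: every unit has an opportunity of being selected.
    The seed is recorded so the selection can be reproduced later."""
    return random.Random(seed).sample(population, size)


def systematic_sample(population, interval, start):
    """Systematic: begin at index `start`, then take every `interval`-th unit."""
    if interval < 1 or not 0 <= start < interval:
        raise ValueError("need interval >= 1 and 0 <= start < interval")
    return population[start::interval]


def block_sample(population, start, size):
    """Block: a run of numerically consecutive items."""
    return population[start:start + size]


def monetary_unit_sample(population, interval, start):
    """Monetary unit sampling: the sampling unit is each rand, not each invoice.
    Every `interval`-th rand is picked, beginning at rand number `start`, and
    the invoice that contains the picked rand is selected for testing."""
    if interval < 1 or not 1 <= start <= interval:
        raise ValueError("need interval >= 1 and 1 <= start <= interval")
    if any(amount < 0 for _, amount in population):
        # Credit notes have no positive rands to pick; test them separately.
        raise ValueError("negative amounts cannot be sampled by monetary unit")
    cumulative = list(accumulate(amount for _, amount in population))
    selected = []
    for rand_no in range(start, cumulative[-1] + 1, interval):
        # First invoice whose running total reaches the picked rand.
        item = population[bisect_left(cumulative, rand_no)]
        if item not in selected:
            selected.append(item)
    return selected


def project_misstatement(sample, misstatements, population):
    """Step 9 as a simple ratio projection (an assumption of this example):
    the misstatement rate per rand tested is applied to the whole population."""
    sample_value = sum(amount for _, amount in sample)
    found = sum(misstatements.get(ref, 0) for ref, _ in sample)
    population_value = sum(amount for _, amount in population)
    return found / sample_value * population_value


if __name__ == "__main__":
    mus = monetary_unit_sample(POPULATION, interval=10000, start=5000)
    print("random    :", [r for r, _ in random_sample(POPULATION, 4, seed=2021)])
    print("systematic:", [r for r, _ in systematic_sample(POPULATION, 5, 2)])
    print("block     :", [r for r, _ in block_sample(POPULATION, 5, 4)])
    print("monetary  :", [r for r, _ in mus])
    # Constructed overstatements found when the selected invoices were tested.
    errors = {"INV-004": 50, "INV-011": 440}
    print("projected :", round(project_misstatement(mus, errors, POPULATION), 2))
```

Invoices larger than the sampling interval (INV-005 and INV-017 here) are always picked by monetary unit sampling, which is why the selection of larger amounts is inevitable with that method.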
Revision Question
Question 1
The evidence that is gathered by an auditor plays a crucial role in the results of the audit
and the recommendations that are provided to management. There are two attributes
with regard to evidence that an auditor will need to meet before concluding the audit.
What are these attributes and why are they important?
Solution 1
Sufficient evidence:
Sufficient audit evidence relates to the quantity of the evidence that the
auditor gathers during an audit, as the auditor will need to support any opinions
that he makes based on this evidence. It is important to note that auditors are
not required to examine and evaluate every transaction, as this may be
impossible in a large entity, but they are however required to perform audit
procedures on a sample of transactions from the population. The quantity of
evidence that is required cannot be easily and precisely calculated and it is a
subjective decision which requires a high degree of professional judgement
from the auditor. The quantity of the audit evidence that is required is greatly
dependent on the extent of testing that is required in the audit which will be
highlighted in the audit plan.
Appropriate evidence:
Appropriate evidence relates to the quality of the evidence that is obtained in
the audit. The quality of evidence can be broken into reliable evidence in terms
of the source and nature of the evidence and relevant evidence in terms of the
assertion that the auditor is auditing.
Activity 1 – Solution
E. The person responsible for exercising internal controls could exploit their
position by overriding controls as and when they see fit
Activity 2 - Solution
2. Disagree. 2.1 Performing the audit of the same company for consecutive
years provides the audit team with more experience of that
particular client’s strengths and weaknesses and thus
improves the team’s professional judgement.
3.2 The more sceptical the auditor is, the more he will need to
be convinced that he has gathered sufficient evidence, and
that the evidence which has been gathered is reliable
(source and nature).
Activity 3 - Solution
1. False. Although the vehicle is registered it may not exist; it could have been
written off, stolen etc. Physical inspection provides proof of existence.
2. False. This provides evidence that the inventory included in the inventory
account exists, but it does not prove that inventory in the warehouse is included
in the account balance. For completeness the sample must be selected from
the warehouse and compared to the records.
3. True. This procedure provides some evidence as to whether all plant and
equipment purchased has been included in the recorded plant and equipment
accounts. It also provides evidence that repairs and maintenance transactions
have not been misclassified.
4. False. This procedure provides evidence relevant to the rights assertion, i.e.
the client has the right to capitalize the lease as a finance lease and raise the
asset. It provides no evidence of the value at which it should be capitalized.
5. False. This procedure is a test of controls which provides evidence that this
internal control procedure took place (although only at the time the auditors
observed it taking place). It tells the auditor nothing about the amount at which
the purchase was recorded in the books.
6. True. This procedure provides evidence that the depreciation has been
accurately calculated (plant and equipment is presented net of depreciation),
and is therefore relevant to the accuracy, valuation and allocation assertion.
4.6 Summary
In this unit students are able to illustrate an understanding of the internal controls that are implemented in a
business and examine their purpose, demonstrate the importance of audit evidence provided by the auditor which
is linked to the financial statement assertions, and examine the various forms of evidence that an auditor can
gather when conducting an audit.
Unit 5: Overview of the Audit Process
5.1 Introduction to the Audit Process – Demonstrate an understanding of the audit process and its different stages
5.2 Preliminary Engagement Activities; 5.3 Planning Activities – Provide an explanation of the preliminary activities that take place prior to the performance of an audit
5.4 Responding to Risk – Examine and explain the various types of risk responses that could be provided by an auditor
5.5 Evaluating, Concluding and Reporting on an Audit – Demonstrate an understanding of the evaluation, conclusion and reporting of a completed audit
Prescribed Textbook
Recommended textbooks:
Coetzee, P., du Bruyn, R., Fourie, H. and Plant K. (2019). Internal
Auditing an Introduction. 6th Edition. Lexis Nexis.
Coetzee, P., du Bruyn, R., Fourie, H. and Plant K. (2019). Performing
Internal Audit Engagements. 6th Edition. Lexis Nexis.
It is important to note that the stages of the audit process are interdependent and do not stand
alone.
Think Point
What are the audit standards the auditor will need to comply with when planning
and implementing the stages of the audit process?
A. Evaluating if the pre-conditions that are needed for the audit exist
There are two requirements which should be fulfilled prior to the acceptance of an engagement,
which are to establish if the pre-conditions of the audit exist and to ensure that there is a mutual
understanding between management, the auditor and the individuals who are in
charge of governance of the audit engagement.
If the above two requirements are not met, then it will not be necessary for the auditor to proceed
further in the engagement.
B. Establishing procedures that will assist in determining if the audit firm wants to establish a new
relationship with a client or continue the relationship with the existing client
It is important to remember that an audit firm is also a business and the firm will not want to conduct
business with a client for the following reasons:
The client may be lacking in ethics and integrity;
The client is involved with illegal operations such as pornography or pollution of the
environment;
The client has a bad reputation regarding its relationship with previous auditors;
The client has a reputation for not paying audit fees; and
The audit firm does not have the required resources or competencies to conduct services
for the client.
Evaluate and determine if the firm has the competencies to perform the engagement. The
following should be assessed:
Does the audit firm possess auditors who are schooled in the client’s type of business
activities with experience in reporting requirements?
Does the audit firm have technical skills and competencies that are in-house or do they
have relationships with experts who possess the required skills?
Does the audit firm have the resources which are necessary to conduct the audit?
Does the audit firm have the necessary personnel who can perform quality control reviews?
Does the audit firm possess sufficient combined resources to meet deadlines on reporting
the engagement?
Determining if the firm has the ability to comply with the ethical requirements. The following
will need to be evaluated:
Are there any probable or potential conflicts of interest which could exist between the firm
and the client?
Do threats to the independence of the engagement partner and audit team exist and,
if so, can safeguards be implemented to adequately deal with these threats?
Are there any other possible events that could result in a contravention of the Code of
Professional Conduct by an auditor in the team?
D. Procedures that are used to gather information for the “preliminary engagement”
It is obvious that the process of gathering information for a client who already exists will be far
simpler than that for a new client, and information will be readily available.
The following procedures should be able to provide information that is sufficient to make a decision
regarding clients:
Communicating with previous auditors
Having discussions with directors, senior financial personnel and audit committees of the client
Inquire with firm’s bankers and legal counsel
Background searches of relevant databases
Reviewing documents that are given by the client
Enquiring into and analysing the status of employees and the firm in relation to potential clients
Activity 1
Azola is a junior auditor for Gemini Ltd. She was tasked with the process of
conducting the preliminary engagement activities for the client. She requires
your assistance in this process as she is inexperienced with regard to the
above mentioned task. Azola needs to determine if the pre-existing conditions
for the audit actually exist. Can you provide her with the conditions that she
will need to evaluate to make a decision?
C. Materiality
An audit is aimed towards the identification of the risk of material misstatement and prior to the
development of the audit strategy and plan the auditor will need to give consideration to what can be
considered “material” when conducting the audit.
Illustration of items to consider when making decisions regarding the nature, timing and extent of further
audit processes
Nature of tests – what tests will be conducted?
The suitability of a particular procedure to provide the piece of evidence required:
    Re-performance, inspection, inquiry, observation
    Recalculation, analytical procedures, external confirmation
The need to perform tests of detail (e.g. significant risks)
The possibility of performing analytical procedures exclusively (for certain aspects of the audit)
The hierarchy of evidence – how can the most relevant and reliable evidence be gathered?
Statistically based or non-statistically based sampling
The use of other parties:
    experts, other (component) auditors, internal auditors
The use of computer assisted audit techniques: system or data orientated CAATs
Special client requests, e.g. the client has asked you to perform special cash counts
Do the tests selected address the risk adequately?
Timing of tests – when will tests be conducted?
The need for and desirability of:
    interim audits
    early verification of year end balances combined with “roll forward tests”, e.g. debtors circularisation carried out two months prior to year-end, supplemented by tests of controls, tests of detail and analytical procedures for the subsequent period of two months up to reporting date
Preparatory work on 3rd party confirmations and supporting schedules
Non-negotiable dates set by client:
    inventory count
    reporting deadlines
    availability of key personnel
    audit committee meetings
Availability of information, e.g. fixed asset schedules for audit, including final information for analytical procedures
Timeous preparation where other parties will be used, e.g. auditor cannot contact an expert the week before the year-end inventory count to assist in the valuation of, say, work-in-progress
Special client requests, e.g. the client may request that you visit each branch to attend inventory cycle counts at least once a year
Overall responses
Overall responses are not considered procedures but they are actions that the auditor can use
to deal with risks at a financial statement level.
“For example, if the auditor is concerned with management’s integrity, the overall response
may be to meet with the audit team to emphasise the need to maintain a high level of
professional scepticism, and to assign experienced and strong willed staff to the audit.
Obviously it does not end there. The potential effect of management’s lack of integrity on the
assertions at account balance/class of transaction/disclosure level will need to be evaluated,
and the appropriate procedures implemented (nature, timing and extent). For example, the
auditor’s concern may be that management will manipulate the financial statements by
overstating the value of inventory on hand at year-end and by including fictitious sales. The
auditor would respond by conducting extensive procedures on the existence, rights and
valuation of inventory and the occurrence of sales/existence of debtors”.
5.4.2 Audit procedures to respond to risks of material misstatement at the assertion level
These audit procedures play an imperative role in any audit as they are performed to enable the auditor
to respond to the risks of material misstatements that relate to assertions. It is important to remember
what assertions are – representations that can be applied to accounts, transactions of different classes
and disclosures underlined in the financial statements.
For example:
The valuing of inventory, plant and equipment
Debtors' existence
The completeness of sale transactions
Presenting and disclosing contingent liabilities
In order to accurately respond to risks and to reduce the risk of material misstatements passing through
the system undetected the auditor will be required to respond to the risks by obtaining the accurate
nature, timing and extent of the substantive tests and test of controls. This means that the auditor will
be conducting additional audit procedures which will assist in reducing the risk to a level that is
acceptable.
At this stage in the audit the auditor will utilise the key tools in their toolbox, which are:
Inspection:
The auditor will conduct an examination of records, tangible assets or documents
E.g.: The auditor can inspect the directors' meeting minutes to obtain evidence that major
transactions were approved
E.g.: The client's physical assets can be inspected to ensure that they are not damaged
Observation:
Entails physically looking at a process or a procedure that the employees of an entity are
performing
E.g.: An auditor can observe inventory counts that are being conducted at an entity
E.g.: An auditor can observe that the receiving clerk is physically counting and checking
products that suppliers deliver to the organisation
Inquiry:
The auditor obtains information from persons who have necessary knowledge either
internally or external to the entity
Inquiries can be in the form of written documents addressed to a 3rd party or formal
inquiries that are made to internal staff
E.g.: The sales clerk could be asked what steps they follow when receiving a customer’s
order
External confirmation:
External confirmation is when the auditor obtains direct responses to a written enquiry that
was made to obtain confirmation that the information available in the accounting records is
correct
E.g.: The auditor can directly communicate with debtors to confirm the amounts that they
owe to the organisation
Recalculation:
Recalculations are performed to ensure that documents or records are mathematically
correct and accurate
E.g.: Recalculating discounts and VAT to ensure that they are correct
Analytical procedures:
These procedures involve the analysis of ratios and trends that are significant to the entity
E.g.: Performing a comparison of the acid test ratio for the current year to the previous
years and investigating the reasons for any differences
Re-performance
The auditor will conduct an independent execution of controls or procedures which were
performed in the organisation's internal control
E.g.: Re-performance of the year end bank reconciliations
It is important to note that when implementing the above procedures, the auditor's focus is on obtaining information
which is sufficient, relevant, appropriate and reliable and can assist in the reduction of the risk of material
misstatements to a level that is acceptable by the entity.
The auditor will also be required to conduct substantive procedures that relate to the closing process of financial
statements. The auditor will need to:
Perform a reconciliation of and agree financial statements with the accounting records.
Perform an examination of journal entries and other adjustments which are material and are made
when financial statements are prepared.
Think Point
Think of other examples where the auditor could implement the audit tools listed
above. In which situation can each of the above tools be used?
5.5.2 Misstatements that are not corrected that have been identified during the audit and results in an
individual or aggregate material misstatement of financial information:
ISA 450:
Evaluation of misstatements identified during the audit, a misstatement is a difference
between the reported amount, classification, presentation or disclosure of a financial
statement item and the amount, classification, presentation or disclosure that is required
for that item in terms of the applicable accounting framework e.g. IFRS.
Simplistically expressed, a misstatement is a difference in what has been reported (by the
directors) in the financial statements, and what should have been reported in terms of the
reporting framework e.g. a particular lease has been reported as a finance lease when in
fact it does not meet the criteria for classification as a finance lease, or inventory has been
valued and reported at replacement cost and not at the lower of cost or net realisable
value, or a material contingent liability has not been disclosed.
Misstatements may arise out of fraud or error.
The auditor must document all misstatements in the work papers (audit documentation)
and must indicate whether they have been corrected.
The auditor must also conclude on whether uncorrected misstatements are material,
individually or in aggregate.
An important distinction will need to be made between misstatements which have been
specifically identified and about which there is no doubt (factual misstatements), e.g.
the total cost of certain inventory items has been incorrectly calculated, and those which,
in the auditor's judgment, are likely to exist (judgemental misstatements).
It is important to distinguish between the different types of misstatement because the type
of misstatement will affect how the auditor will react:
Factual misstatement – the auditor is on solid ground when requesting the client
to make adjustments to the financial statements and, if the adjustments are not
made, when modifying the audit report (qualifying the audit opinion).
Projected misstatement – the auditor may be in for an even harder time when
requesting amendments or qualifying the audit report. Projecting misstatement
over a population based on a sample can be a very subjective matter. If a proper
statistical sampling method has been properly applied it is less subjective, but
there is still plenty of subjectivity in setting the parameters for the sampling plan.
The auditor will need to accept a measure of compromise and think carefully
about modifying the audit report.
The materiality of the audit difference plays a very important role in this evaluation. If an
audit difference is regarded as not material (leaving the misstatement uncorrected will not
influence a user’s decision), the auditor will not insist on adjustment being made but will
still bring it to the attention of the client who, of course, may choose to correct it.
5.5.3 The financial statements have been prepared in all material respects and according to applicable
financial reporting standards. The auditor will need to evaluate if:
Significant accounting policies are adequately disclosed in the financial statements;
There is consistency with regard to the accounting policies that are selected and applied
in terms of the reporting standards and framework that is appropriate for the nature of the
entity;
Management makes reasonable accounting estimates;
Financial information that is presented in the statements is reliable, relevant, comparable
and understandable;
Adequate disclosures are provided in the financial statements to assist users in
understanding the impact that the material transactions have on the financial
position/performance and cash flows of the company;
The financial statements make use of the appropriate terminology;
Statutory regulations and requirements are complied with; and
The financial statements are presented fairly.
5.5.4 All material events that occur after the reporting date – should these events require there to be an
adjustment or disclosure to the financial information that the auditor is reporting on, they should be
identified and dealt with in an appropriate manner.
Revision Question
Question 1
The evidence that is gathered by an auditor plays a crucial role in the results of the audit
and the recommendations that are provided to management. When gathering evidence
with regard to financial misstatements, the auditor is presented with 3 various types of
misstatements that could occur at financial statement and assertion level. Discuss these
misstatements.
Solution 1
“Factual misstatement – the auditor is on solid ground when requesting the client
to make adjustments to the financial statements and, if the adjustments are not
made, when modifying the audit report (qualifying the audit opinion).
facts. The auditor cannot state categorically that the directors are wrong, and as a
result, the auditor may have to accept a measure of compromise when requesting
adjustment and will have to think very carefully about whether and how to modify the
report.
Projected misstatement – the auditor may be in for an even harder time when
requesting amendments or qualifying the audit report. Projecting misstatement over
a population based on a sample can be a very subjective matter. If a proper
statistical sampling method has been properly applied it is less subjective, but there
is still plenty of subjectivity in setting the parameters for the sampling plan. The
auditor will need to accept a measure of compromise and think carefully about
modifying the audit report.”
Activity – Solution
5.6 Summary
For an audit activity to be successful there must be a constructive working relationship between the auditor and
their client. In order to establish this working relationship, auditors must present to their client a well-thought-out
plan to implement the audit. The audit process explained in this chapter presents the necessary steps in achieving
a constructive audit. It should be noted that these steps are sequential but in some cases not necessarily
implemented sequentially, especially in cases where the client has been previously audited by another firm that
has provided (upon request) some fundamental information to the present auditor.
Unit 6: Elements of the Audit Process
6.2 Understanding Audit Risk: Explain and understand the elements of audit risk
6.3 Understanding an Entity and its Environment: Demonstrate an understanding of the environment that an entity operates in
6.5 The Responsibility of an Auditor in Relation to Fraud in Financial Statements: Demonstrate an understanding of and explain the responsibility that an auditor has with regard to fraud in financial statements
Prescribed Textbook
Recommended textbooks:
Coetzee, P., du Bruyn, R., Fourie, H. and Plant K. (2019). Internal
Auditing an Introduction. 6th Edition. Lexis Nexis.
Coetzee, P., du Bruyn, R., Fourie, H. and Plant K. (2019). Performing
Internal Audit Engagements. 6th Edition. Lexis Nexis.
6.1 Introduction
Prior to gaining an understanding of the elements that are included in the audit process it is important to remember
the role and expectations of an auditor – which is to reasonably assure that the financial statements of a company
are presented fairly and they are free from errors and material misstatements. It is also important to note that the
users of these financial statements place reliance on the functions that are performed by the auditor. The risk of
the auditor “getting it wrong” or giving opinions that are not 100% accurate will always be present and this is
referred to as audit risk.
“ISA 200 – Overall objectives of the independent auditor and the conduct of an audit in accordance with the
International Standards on Auditing, which defines audit risk as the risk that the auditor will express an
inappropriate opinion when the financial statements are materially misstated. In simpler terms, it is the risk that
the auditor will give an unqualified opinion when in fact a qualified, adverse, or disclaimer of opinion should have
been given” – this standard gives a thorough explanation of audit risk.
The auditor may not be in possession of the legal powers to peruse certain types of evidence
as he is not responsible for investigating wrongdoings.
Due to the fact that the majority of audit procedures are conducted on a sample of the population
and not the entire population, the risk that material misstatements may go undetected is
inevitable.
Time constraints:
If an auditor has no limitations regarding the time he has to conduct an audit the risks could be
reduced significantly.
It is important to note however, that information becomes less valuable over time and it is
imperative for an audit to be completed in a reasonable time period after the end of the financial
year.
The time constraints that exist should not be utilised as an excuse when conducting audits as
this can be addressed and solved by having a proper audit plan in place, therefore time
constraints are a limiting factor of an audit.
Cost/benefit:
The cost factor is related to the time factor as it could become too costly for the auditor to
address every bit of information and to exhaustively pursue all matters, especially if the
evidence found does not result in the production of real benefits relevant to the audit.
The audit process that exists today has been developed by the auditing profession to give
assurance that, in the performance of the audit, these risks will be kept to a level
which can be accepted. The process of the audit is directed by the ISA, which ensures that there is
compliance with the standards that ensure the risk is kept at an acceptable level.
Inherent risk:
According to Jackson and Stent (2019: 7/5) “Inherent risk is the susceptibility of an assertion
about a class of transaction, account balance or disclosure, to a misstatement that could be
material, either individually or when aggregated with other misstatements, before consideration
of any related controls”.
E.g.: Transactions that require calculations which are complex such as lease agreements are
inherently more likely to have errors and have misstatements as compared to transactions that
are simpler such as purchasing goods.
Inherent risk could also be classified as a “built-in risk” that a certain class of transaction,
account balance or disclosure may have.
E.g.: The valuation assertion of jewellery at a jewellery shop has more of an inherent risk than
the valuation assertion of tennis balls at a sporting shop.
Control risk:
“The risk that a misstatement that could occur in an assertion about a class of transaction,
account balance or disclosure that could be material, individually or when aggregated with
other misstatements, will not be prevented or detected and corrected on a timely basis, by the
entity’s internal controls”.
Control risk means that if an entity has a control system which is weak and ineffective, the system
will not work, which will result in the possibility of the occurrence of misstatements that the
auditor is unaware of.
Control risks evaluate how effectively internal controls are designed and operate in order to
assist an organisation in accomplishing the objectives that are set by management, however,
due to the limitations that exist on internal controls, it is impossible for a client to have a system
that is perfect and a minimal amount of control risk will always exist.
“ISA 315 - no matter how effective, internal control can provide an entity with only reasonable
assurance about achieving the entity’s financial reporting objectives”
Limitations that are inherent to the internal controls of an entity can be described as follows:
Management's assumption that the benefit of a control is not greater than its cost,
hence controls can be sacrificed as they might be expensive to implement.
Controls are swayed towards transactions which are routine rather than those which are
non-routine.
There is a potential of human error such as mistakes made in judgement and carelessness
Collusion of employees or management could circumvent internal controls.
Persons who are responsible for internal controls could abuse their responsibilities.
A change in conditions that impact compliance with internal controls is possible making
the procedures inadequate.
Identifying the weaknesses that are present in the internal control system of a client
is not sufficient on its own. Auditors should also conduct an evaluation of the effect the weakness will have
on any assertions in the financial statements.
Detection risk
“The risk that the procedures performed by the auditor to reduce audit risk to an acceptably low
level will not detect a misstatement that exists and that could be material, individually or when
aggregated with other misstatements”.
The nature, timing and extent of the procedures that auditors put in place in response to risks of
material misstatements and the reduction of risks to an acceptable level is impacted by detection
risks.
Detection risks impact the effectiveness of the application of audit procedures and may occur
when the auditor:
Makes a selection of an inappropriate audit procedure
Applies an appropriate procedure inappropriately
Misinterprets the results of a test
Think Point
Think of examples of inherent, control and detection risks that an entity could
face.
Relationship between audit risk, inherent risk, control risk, detection risk and material
misstatements:
The risk of material misstatement is made up of inherent risk and control risk – “e.g.: the
risk of material misstatement will be highest where there is a high level of inherent risk relating
to the assertion and controls are weak. If controls are very strong (i.e. low control risk) and there
is low inherent risk relating to the assertion, then the risk of material misstatement relating to
that assertion will be low”.
Audit risk is a function of the risk of material misstatement and detection risk – e.g.: if
there is a high risk of material misstatement and the auditor does not respond with effective
selection and application of audit procedures, the risk of expressing an inappropriate audit
opinion (audit risk) will be very high. In other words, to keep audit risk to an acceptable level,
the auditor must ensure that detection risk is kept to a low level by sound planning, proper
assignment of personnel to the audit team, proper supervision, etc.”.
It is imperative for the auditor to have an understanding of the environment in which a client operates
in order for them to identify and assess the risk of material misstatements properly.
The process of understanding an entity is not a once-off, stand-alone activity, and the more
audits that are performed at a client the greater the understanding that can be obtained. This process
is static and there are no set-in-stone procedures which can be followed.
According to ISA 315 (Revised) – “Identifying and assessing the risks of material misstatement
through understanding the entity and its environment, an understanding of the entity establishes a
frame of reference within which the auditor plans the audit and exercises professional judgement,
for example when:
Assessing risks of material misstatement of the financial statements
Determining materiality;
Considering the appropriateness of the selection and application of accounting policies and the
adequacy of disclosures;
Identifying areas where special audit consideration may be necessary e.g. the audit of related
party transactions;
Developing expectations for use when performing analytical procedures;
Responding to the assessed risk of material misstatement, including performing further audit
procedures, to obtain sufficient, appropriate evidence; and
Evaluating the sufficiency and appropriateness of audit evidence obtained”.
6.3.2 Conditions and events which could indicate risks of material misstatements
The following are examples of possible conditions and events that could indicate to the
auditor that there are material misstatements in the financial statements that are being audited (NB: this list
indicates a possibility of misstatements and is not exhaustive):
The operations of the company have exposure to markets that are volatile such as trading in futures;
The company has going concern and liquidity problems and they have difficulties in obtaining
finance;
Significant changes occurring in the company like mergers and retrenchment of employees
The company has business arrangements that are complex;
The company lacks in proper reporting and accounting skills;
There are changes which are made to key personnel such as directors;
Internal control deficiencies;
Management and employees being presented with opportunities that encourage them to engage in
fraudulent reporting such as under paying employees;
Any changes that are made to the company’s IT environment;
An increase in transactions that are non-routine or systematic at the end of the year;
Introducing new accounting pronouncements to the company which are relevant such as IFRS 15;
Obscuring or omitting significant information when making disclosures to the auditor; and
Pending litigation and contingent liabilities such as financial guarantees.
Think Point
What are the other factors that could indicate to the auditor that material
misstatements exist in an entity?
Once the above step is completed the auditor will have a basis on which responses to risk can be
designed and implemented.
Useful information about a client is available from various sources but the most common are:
Client acceptance or continuance procedures – when the client accepts the engagement a
good amount of information will be gathered about the client already.
Previous experience with the entity – a store of information will be available already if audits
have been conducted by the firm for the client previously.
Inquiries of management and others – this step will provide the most information with regard to
the entity.
Observation – observing processes and procedures provides information about the client’s
operations which will be useful.
Inspection – inspection and enquiry of documents such as the business plan, internal control
manuals, management’s reports etc. will provide valuable information.
Analytical procedures – at this stage, analytical procedures indicate if the firm’s financial
performance is as the auditor expected and include ratio and trend analysis and
comparing the current year’s information to previous years.
Transaction complexity – complex transactions will have significant risks attached to them
Risks involving significant transactions with related parties.
The degree of subjectivity in measuring financial information related to the risks – the greater
the subjectivity the more significant the risk will be.
If the risk has the involvement of transactions that are significant and not part of the usual
course of business or are unusual because of their nature or size.
Activity 1
2. At which level does the auditor assess the risk of a material misstatement?
The two international standards for auditing which address materiality are:
“ISA 320 – Materiality in planning and performing an audit - as its title suggests, is concerned with
materiality at the planning and performing stage of the audit, i.e. setting materiality levels to assist in the
planning and performance of the audit.
Misstatements, including omissions, are considered to be material if they, individually or in
aggregate could reasonably be expected to influence the economic decisions of users taken
on the basis of the financial statements.
Judgements about materiality are made in the light of surrounding circumstances and are
affected by the size or nature of a misstatement, or a combination of both.
Judgements about matters that are material to users of the financial statements are based on
a consideration of the common financial information needs of users not specific individual
users”.
“ISA 450 - Evaluation of misstatements identified during the audit - is concerned with materiality as
part of evaluating the effect of misstatements identified on the audit, and of uncorrected misstatements
on the financial statements for the purposes of forming an opinion on fair presentation”
The difficulty faced by the auditor is that they must make a decision on what users will consider
as material, and these judgements will be based on the consideration of the financial information needs
of users.
When making a decision regarding materiality the auditor can assume the following:
Users have a reasonable knowledge of business and economic activities and accounting and a
willingness to study the information in the financial statements with reasonable diligence
Users understand that financial statements are prepared, presented and audited to levels of
materiality (i.e. users know financial statements are not 100% correct).
Users recognize the uncertainty in the measurement of amounts based on the use of estimates,
judgements and the consideration of future events; and
Users make reasonable economic decisions on the basis of the information in the financial
statements
Materiality is relative – The relativity of materiality differs based on the users and the audit clients,
as what may be material to one user can be immaterial to another.
Activity 2
Revision Question
Question 1
What are the requirements of the auditor when dealing with fraud?
Solution 1
Maintain an attitude of professional scepticism.
Facilitate the discussion of a client’s susceptibility to material misstatement due
to fraud, amongst the audit team.
Conduct risk assessment procedures and related activities.
Question 2
Risk assessment procedures are conducted by the auditor to assist in gathering
information regarding the client so that they can identify and assess risks of material
misstatements at the financial statement and assertion level. A junior auditor has
requested assistance regarding the sources which an auditor can use to obtain useful
information when making risk assessments.
Solution 2
Client acceptance or continuance procedures – when the client accepts the
engagement a good amount of information will be gathered about the client already.
Inquiries of management and others – this step will provide the most information
with regard to the entity
Activity 1 – Solution
1. Significant risks are risks which, in the opinion of the auditor, require
special audit consideration, examples:
the company has numerous transactions with related parties
the risk involves potential fraudulent activity, e.g. foreign exchange
contraventions
the company has a going concern problem
there are a multitude of complex transactions which seem unnecessary.
Examples:
an analysis of the company’s overall performance, profitability, liquidity
compared say, to industry norms or prior years
an analysis of inventory by branch, location, product value
(to assist in planning inventory count attendance).
Activity – Solution
When making a decision regarding materiality the auditor can assume the
following:
Users have a reasonable knowledge of business and economic activities
and accounting and a willingness to study the information in the financial
statements with reasonable diligence.
Users understand that financial statements are prepared, presented and
audited to levels of materiality (i.e. users know financial statements are not
100% correct).
Users recognize the uncertainty in the measurement of amounts based on
the use of estimates, judgements and the consideration of future events;
and
Users make reasonable economic decisions on the basis of the
information in the financial statements.
6.6 Summary
In this unit the students will gain an understanding of the elements of audit risk, the environment that an entity
operates in, the concept of materiality when evaluating risks and the responsibility that an auditor has with regard
to fraud in financial statements.
Unit 7: Auditing Using IT
7.3 General Controls and Application Controls: Demonstrate an understanding of general and application controls used in IT auditing
Prescribed Textbook
Recommended textbooks:
Coetzee, P., du Bruyn, R., Fourie, H. and Plant K. (2019). Internal
Auditing an Introduction. 6th Edition. Lexis Nexis.
Coetzee, P., du Bruyn, R., Fourie, H. and Plant K. (2019).
Performing Internal Audit Engagements. 6th Edition. Lexis Nexis.
7.1 Introduction
Auditors from all walks of life will have exposure to the computerised financial reporting system that an audit client
makes use of. The majority of the entities at which audits are performed will make use of IT to capture, process and
record financial transactions. For an auditor, it is important to know that the computer environment of a client will
have a direct impact on the audit strategy and plan.
A. Systems and Application Audit: This is an audit of the controls designed and implemented into
systems and applications to ensure the integrity of the data they process. This audit also checks that
systems and applications are effective, efficient and adequately controlled to ensure a reliable, timely
and secure input, process and output at all levels of the systems and applications.
B. Compliance Audit: This is the type of audit done to provide management with tools for the internal
review of compliance in their various operational units.
C. Security Audit: Security audit is performed in order to provide comprehensive and cost-effective
vulnerability assessments. This audit is expected to provide a detailed report on the weaknesses found,
and the threats that could be exploited by these weaknesses. It should also suggest preventive
measures and remedies that can help reduce or eliminate vulnerabilities and threats.
Another criterion that has been used in the classification of Information Technology Audit is the controls that exist
within the organization or within the Information Technology environment. Controls include the functions and
attitude, actions and awareness of those responsible for the management and governance of an organization’s
internal controls. Installing controls is necessary to provide security. Hence, individuals responsible for IT audit
must consider if controls are in place in the organization. Controls also set the tone for an organization by influencing
the consciousness of its people and providing discipline and structure.
Using controls, Information Technology Audit has been categorized into two broad types, and they are:
General Control Review Audit
Application Control Review Audit
Think Point
Information technology general control should be addressed as part of an internal audit and internal
control developmental process. Without an efficient and effective general control reliance on Information
Technology systems may not be possible because a weakness in the general control could affect
numerous applications. General control concepts can be applied regardless of the industry, size and
complexity of the computer or information system environment. Also, the existence of a satisfactory
general control is a requirement for reliance on application control. Therefore, general controls should
be evaluated before application controls are tested.
A. Control environment
The evaluation of control environment within the information technology structure and activity is part of
the overall information technology audit exercise. The control environment of an organization depends
entirely on the tone and control consciousness set by management. In a smaller organization for
example, management and the employees will be working closely together so employees will frequently
be exposed to how management behaves and conducts themselves. The advantage of this is that
management can have a strong influence on the employees they work directly with and can play a more
direct role in control activities. The control environment in information technology has some important
aspects to it, and these aspects include:
Communication and enforcement of integrity and ethical values
Commitment to competence
Participation by those charged with governance
Information Technology management’s philosophy and operating style
Organizational structure and assignment of authority and responsibility
If proper systems development and implementation are put in place, the above-mentioned risks could be avoided.
System developments could be of the following types:
In-house development
Purchased package/ Packaged software
C. Access Control
The consequences of an unauthorized access to a system can be disastrous for an organization. For
example, uncontrolled physical access to hardware could result in theft of, or damage to information
systems and the data which it stores. The unauthorized access could lead to the destruction and
disruption of data. Rather than having to implement a cure for the theft and destruction of information
systems and data respectively, it is far better for an organization to prevent these negative
consequences by implementing strict access control policies and procedures. Access control represents
policies and procedures designed to restrict access to devices, data and programs. It consists of user
authorization and user authentication. User authorization consists of access rules to determine the
computer resources each user may access while user authentication tries to identify a user through
unique login identification, biometric data, access card or password. However, access control or
restriction should take into consideration the fact that authorized employees must have access to the
organization’s computer resources in order to perform their duties efficiently and effectively. Access
control procedures are designed to prevent or detect:
Unauthorized access to devices, programs and data;
The use of programs by unauthorized persons;
Entry of unauthorized transactions; and
Unauthorized changes to data files.
Access to all aspects of the organizational system which include the following must be
controlled:
Hardware
Software
Datafiles/database
Communication channel
Computer applications
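The access control objectives listed above can be tested against a system's audit trail. The following Python sketch is an added example, not part of the module guide: it applies default-deny access rules (user authorization) together with the authentication outcome to each logged event and sorts the exceptions into the four categories named above. The roles, user ids, resources, actions and audit-trail lines are all constructed for illustration.

```python
from dataclasses import dataclass

# Hypothetical access rules (user authorization): role -> resource -> permitted
# actions. Anything not listed here is denied by default.
ACCESS_RULES = {
    "creditors_clerk": {"creditors_app": {"run", "post_invoice"}},
    "creditors_supervisor": {
        "creditors_app": {"run", "post_invoice", "approve_payment"},
        "supplier_masterfile": {"read", "amend"},
    },
    "it_operator": {"server_room": {"enter"}},
}

# Hypothetical user register: user id -> role. Ids not listed are unknown users.
USERS = {"u101": "creditors_clerk", "u102": "creditors_supervisor", "u201": "it_operator"}

TRANSACTION_ACTIONS = {"post_invoice", "approve_payment"}  # entry of transactions
CHANGE_ACTIONS = {"amend", "delete"}                       # changes to data files


@dataclass(frozen=True)
class Event:
    user: str
    authenticated: bool  # outcome of user authentication (password, card, biometric)
    resource: str
    action: str


def is_authorized(user, resource, action):
    """User authorization: does an access rule grant this user the action?"""
    role = USERS.get(user)
    if role is None:
        return False
    return action in ACCESS_RULES.get(role, {}).get(resource, set())


def classify(event):
    """Return the exception category for an event, or None if it is permitted."""
    if event.authenticated and is_authorized(event.user, event.resource, event.action):
        return None
    if event.action in TRANSACTION_ACTIONS:
        return "entry of unauthorized transaction"
    if event.action in CHANGE_ACTIONS:
        return "unauthorized change to data files"
    if event.action == "run":
        return "use of program by unauthorized person"
    return "unauthorized access to devices, programs or data"


def review_trail(events):
    """Return (line number, user, category) for every exception in the trail."""
    findings = []
    for line_no, event in enumerate(events):
        category = classify(event)
        if category is not None:
            findings.append((line_no, event.user, category))
    return findings


# Constructed audit trail for the example.
AUDIT_TRAIL = [
    Event("u101", True, "creditors_app", "post_invoice"),     # permitted
    Event("u101", True, "creditors_app", "approve_payment"),  # clerk approving payment
    Event("u101", True, "supplier_masterfile", "amend"),      # clerk amending master file
    Event("u201", True, "creditors_app", "run"),              # operator running the app
    Event("u999", False, "server_room", "enter"),             # unknown, unauthenticated
    Event("u102", False, "supplier_masterfile", "amend"),     # right role, failed login
    Event("u102", True, "supplier_masterfile", "amend"),      # permitted
]

if __name__ == "__main__":
    for finding in review_trail(AUDIT_TRAIL):
        print(finding)
```

The sixth event shows why authorization and authentication are checked together: the access rule would allow the change, but the user was never identified, so the change is still reported.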
E. Continuity Control
Continuity controls are aimed at protecting computer resources and facilities from all forms
of disasters, e.g. natural disasters, man-made disasters etc., as well as from acts of disruption and
destruction, attack or abuse by unauthorized individuals. One of their main objectives is to
implement controls designed to ensure the continuity of processes by preventing system interruptions or
limiting them to a minimum. It has been found that poor controls result in down time and disruption to normal
processes. Some of the components and factors to be considered when planning continuity controls in an
information technology environment include:
Risk assessment
Physical security
Disaster recovery
The stages through which a transaction flows in the system can be described as input, processing
and output. Controls must also be implemented over master files. A master file is a file used to store
standing information. It is very important in producing reliable information and must be strictly controlled.
The best controls over master files are application controls, and they are sometimes referred to as master
file maintenance controls. Application controls are dealt with under the following headings:
A. Input controls
B. Processing controls
C. Master file maintenance controls
D. Output controls
E. Integrity controls
F. Management trail controls
A. Input controls: These are controls that are used mainly to evaluate and check the integrity of data
entered into an application or data entered to update the master files. It checks whether the data is
entered directly by a staff member or remotely by a business partner, or through a web-enabled
application interface.
C. Master file maintenance controls: These are controls that are designed to protect the integrity of
master file information and to ensure that only valid changes to master files are processed, and that
changes are processed completely and accurately by the computer.
D. Output controls: These controls address what is done with data and also compare output results
with the intended result. They are also controls designed to ensure the completeness and accuracy
of output and to control distribution of output to authorized users.
E. Integrity controls: These are controls that monitor data in process and in storage to ensure that
they remain consistent and correct.
F. Management trail controls: The management trail is also referred to as the audit trail, and it
means processing history controls. It enables management to identify the transactions and events
they record, by tracing and tracking transactions from their source to their output and also by
tracking and tracing in reverse. These controls are used to monitor the effectiveness of other controls
and to identify errors as close as possible to their sources.
7.4 CAATS
In information technology, tests of controls and substantive tests can be performed using audit software that can
access the client’s computerized system at high speed. Such software is referred to as computer-assisted audit
software, tools or techniques. Computer-assisted audit techniques (CAATs) are the process whereby computers are
used to assist in carrying out an audit; the term refers to an auditor’s use of the computer to
assist in the performance of audit procedures and the acquisition of audit evidence. In most large and
medium-sized organizations today, there are few processes that are not driven by computers. Performing an
audit without using information technology is therefore hardly an option, because most of the information required
to do an audit is on the computer system. Wherever and whenever it is economical and efficient, the speed, power and
versatility of the computer should be harnessed to assist with the audit. CAAT tools can be developed to:
Access and extract information from the auditee’s database
Tabulate, check and perform calculations on data
Perform sampling, statistical processing and analysis
Provide reports to meet particular audit needs
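The four capabilities listed above can be seen together in a small worked example. This is an added illustration, not part of the module guide: it uses Python's built-in sqlite3 module on a constructed sales ledger, and the table layout, function names and sample invoices are assumptions made for the example.

```python
import random
import sqlite3

# Constructed ledger (cents): invoice_no, customer, qty, unit_price, total
SAMPLE_INVOICES = [
    (1001, "C01", 10, 2500, 25000),
    (1002, "C02", 3, 12000, 36000),
    (1003, "C01", 5, 4000, 21000),   # total differs from qty * unit_price
    (1005, "C03", 1, 99900, 99900),  # 1004 is missing from the sequence
    (1005, "C03", 1, 99900, 99900),  # duplicate invoice number
    (1006, "C04", 7, 1500, 10500),
]

def load_ledger(rows):
    """Extract: copy auditee records into the auditor's own working database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE invoices (invoice_no, customer, qty, unit_price, total)")
    db.executemany("INSERT INTO invoices VALUES (?, ?, ?, ?, ?)", rows)
    return db

def column(db, query):
    """Run a query and return its first column as a list."""
    return [row[0] for row in db.execute(query)]

def recalculation_exceptions(db):
    """Check calculations: invoices whose total is not qty * unit_price."""
    return column(db, "SELECT DISTINCT invoice_no FROM invoices "
                      "WHERE total <> qty * unit_price ORDER BY invoice_no")

def duplicate_numbers(db):
    """Validity: invoice numbers recorded more than once."""
    return column(db, "SELECT invoice_no FROM invoices GROUP BY invoice_no "
                      "HAVING COUNT(*) > 1 ORDER BY invoice_no")

def sequence_gaps(db):
    """Completeness: numbers missing between the lowest and highest invoice."""
    seen = set(column(db, "SELECT invoice_no FROM invoices"))
    return [n for n in range(min(seen), max(seen) + 1) if n not in seen]

def audit_sample(db, size, seed):
    """Sampling: seeded random selection, so the selection can be reproduced."""
    numbers = column(db, "SELECT DISTINCT invoice_no FROM invoices ORDER BY 1")
    return sorted(random.Random(seed).sample(numbers, min(size, len(numbers))))

def exception_report(rows, sample_size=3, seed=2021):
    """Report: all findings in one structure for the audit file."""
    db = load_ledger(rows)
    return {"recalculation": recalculation_exceptions(db),
            "duplicates": duplicate_numbers(db), "gaps": sequence_gaps(db),
            "sample": audit_sample(db, sample_size, seed)}
```

Calling `exception_report(SAMPLE_INVOICES)` flags invoice 1003 for recalculation, 1005 as a duplicate and 1004 as a gap, and returns the same three-invoice sample every time the same seed is used.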
The auditor decides when and how to use CAATs when considering the audit plan (that is, the nature, timing
and extent) and the audit strategy (that is, scope, timing and direction) that are important to reduce audit risk
to an acceptable level. The decision usually results in the auditor taking one of the following approaches:
A. Auditing around the computer
B. Auditing through the computer
C. Auditing with the computer.
D. Combination Approach
D. Combination Approach: It should be noted that the most effective approach for the auditor is to
combine the above approaches, as there would be no restrictions when performing the audit.
Disadvantages of CAATs
CAATs require a reasonable degree of skill to use
Initial setup cost can be high
Think Point
Revision Question
Question 1
What are the different types of controls that are useful to an auditor when conducting an
audit in an IT environment?
Solution 1
General controls
Encompass the framework of the overall controls in the information technology
environment and provide a reasonable level of assurance that the
overall objectives of internal controls are achieved. They combine the controls
over the development, implementation, operation and maintenance of
information technology environments. One of the main objectives of general
controls is to ensure the maintenance of the integrity of data and programs and
the effective and efficient running of computer systems and information
technology.
Application controls
Application controls in an information technology environment are controls that
are relevant to specific tasks within the system. They are both manual and
computerized controls within the area of the business that ensure that
data is processed accurately, completely and in a timely manner. They can be
7.5 Summary
Auditing information technology, information systems, computer systems and their inherent components,
processes and activities is among the highest priorities of most organizations in the modern
global market. Organizations are implementing the two major types of control (general and application) in their
business processes to enhance their audit activities and improve their operational performance. In addition,
advances in information technology have made information technology, computer systems and information
systems vital tools in the audit process. Hence, auditors and organizations are adopting computer-assisted
audit techniques and tools to perform and manage their audit activities.
Information technology audit and computer-assisted audit techniques (CAATs) have now become integral
to organizations in achieving their objectives, and to auditors in achieving their audit objectives.