Audit 2 Slides


CHAPTER NINE: Assessing the risk of material misstatement

Risk assessment procedures:


• Inquiries of management and others within the entity
• Analytical procedures
• Observation and inspection
• Discussion among engagement team members
• Other risk assessment procedures
Identification of significant risks
A significant risk represents an identified and assessed risk of material
misstatement that, in the auditor’s professional judgment, requires
special audit consideration. Some matters to take into account here
include:
A- Nonroutine transactions
B- Matters that require significant judgment
C- Fraud risk
The audit risk model

The audit function includes some risk or uncertainty. A popular method of dealing
with risk is called the audit risk model, which can be summarised as:

AAR = IR × CR × PDR
Where AAR stands for acceptable audit risk, IR for inherent risk, CR for control risk,
and PDR for planned detection risk.
• Audit risk is the risk that an unqualified audit opinion is issued on the
financial statements, while in fact they contain material
misstatements.
• Acceptable audit risk is the risk the auditor is willing to accept that
the financial statements may be materially misstated after the audit is
completed and an unqualified opinion has been issued. The smaller
the AAR is, the less willing the auditor is to accept the risk of material
misstatements. This risk level is set by the auditor after considering
certain factors.
• Inherent risk is the risk that the financial statements may include
material misstatements due to the nature of the company or the
account(s) involved. The auditor cannot affect inherent risk, but he
assesses it due to its effect on the planning and conducting of the
audit. The higher the IR is, the more risky the audit is.
• Control risk is the risk that the financial statements may include
material misstatements that will not be prevented or detected by the
client's internal control system on a timely basis. The auditor cannot
directly affect control risk, but he assesses it due to its effect on the
planning and conducting of the audit. The higher the CR is, the more
risky the audit is.
• Planned detection risk is the risk that the financial statements may include
material misstatements that will not be detected by the auditor's own
procedures (such as evidence collection and testing). This risk is related to the
other three in the audit risk model, and is calculated using the equation after
determining the other three. It is directly related to the amount of audit
procedures to be performed (such as evidence collection and testing): the
lower the PDR is, the more audit procedures have to be performed,
and vice versa.
Assessing Acceptable Audit Risk

Engagement risk is the risk that the auditor or audit firm will suffer harm after the
audit is finished, even though the audit report was correct. If the client fails to
achieve its objectives or becomes bankrupt, the audit firm is likely to get into
trouble even if the audit was of high quality. For example, it may face numerous
lawsuits, loss of reputation, and loss of clients. There is a relation between
acceptable audit risk and the negative consequences that are likely to affect the
audit firm in case of such trouble. Therefore, to assess AAR, the following issues
are taken into consideration:
1- The degree to which external users rely on the statements: AAR is generally
lowered if external users place heavy reliance on the financial statements and
the audit. External users are significantly more likely to file lawsuits or cause
other damage to the audit firm's reputation than internal users, who may
themselves be a main reason for the collapse of the client. The following factors
are likely to indicate the degree to which financial statements are relied on by
external users:
A- Size: In general, the larger the client's size, the more widely its financial statements are used by
external parties.
B- Distribution of ownership: The financial statements of publicly held companies (especially when
there are many small shareholders) are generally more widely used by external parties than those
of closely held companies, such as those with a small number of large investors, those with family
ownership, or partnerships.
C- Nature and amount of liabilities: The larger the client's liabilities are, the more likely its financial
statements will be used by external creditors, such as banks, bondholders, and trade creditors.
2- The likelihood that a client will have financial difficulties after the audit
report is issued: When a client goes bankrupt or has significant financial
problems after the audit is completed, the audit firm is likely to face more
challenges to the quality of its audit (such as lawsuits). This will likely cause
AAR to be set at a lower level if the likelihood of the client's financial
difficulties is higher. Some indicators of a client's financial difficulties include
poor liquidity, continuing losses, financing growth only by debt, taking high
risks, and poor competence of management.
3- The auditor's evaluation of management's integrity: If the auditor considers
that the client's management lacks integrity, and still accepts the
engagement, he is likely to set the AAR at a significantly low level.

 
Assessing Inherent Risk

• The following factors may affect the auditor's assessment of inherent risk:
1- Nature of the client's business: The more risky the nature of the client's business
is, the higher is IR.
2- Results of previous audits: An auditor may discover some misstatements in
previous audits of the client that are likely to recur in future audits because they
are systematic and the client cannot stop them or has done nothing to stop them.
The more these types of misstatements exist, the higher is IR.
3- Initial versus repeat engagements: Having audited the client's
financial statements for several years, the audit firm gains knowledge
and experience about the likelihood of occurrence of some
misstatements. Therefore, new clients have a higher IR compared to
old ones.
4- Related parties: IR is higher when there are more related parties and
more transactions with them, because these are generally more likely
to include misstatements due to the nature of the relationship among
the related parties.
5- Nonroutine transactions: Transactions that are unusual for a client
are more likely to be incorrectly recorded than routine transactions
because the client often lacks experience recording them. In addition,
nonroutine transactions may be questionable and may contain some
type of fraud concealment. Therefore, the more numerous and the larger
nonroutine transactions are, the higher is IR.
6- Judgment required to correctly record account balances and
transactions: The more the financial reporting of the client includes
personal judgements and estimates (such as allowances or fair
valuation), the higher is IR due to the possible intentional and
unintentional material misstatements.
7- Makeup of the population: The makeup of the population for some
accounts or transactions may affect IR. For example, IR is higher for
accounts receivable if a larger percentage of them (in number or
amount) are overdue.
8- Factors related to fraudulent financial reporting and
misappropriation of assets: The presence of fraud risk factors
increases the IR. (It also affects CR)

 
Chapter Eleven: Internal Controls and COSO Framework

Chapter Twelve: Assessing Control Risk and Testing Controls


Internal control has the following objectives:
• Reliability of the financial reporting process and outcomes.
• Efficiency (in terms of cost and revenue) and effectiveness (in terms of
achieving intended goals) of operations.
• Ensuring compliance with laws and regulations.
• Internal control only provides reasonable (not absolute) assurance
about the fairness of financial statements. Reasons include:
1-The cost-benefit relation: In general, the cost of implementing an
internal control system should not exceed the expected benefit from
it. This means that some errors may still occur since the benefit of
preventing them may be less than the cost of implementing the
improved system.
2- The human factor: Internal control systems are operated by humans.
If humans do not understand the system or act carelessly, the
system will not operate effectively.
3- Collusion: The system may separate several jobs to reduce the
chance of error or fraud. If employees collude to beat the system,
they might succeed.
COSO components of internal control
The COSO framework is one of the most highly regarded frameworks used
worldwide to discuss effective internal control systems. It has five
components:
• Control environment
• Risk assessment
• Control activities
• Information and communication
• Monitoring
Control environment
The control environment consists of the actions, policies, and procedures that
reflect the overall attitudes of top management, directors, and owners of an
entity about internal control and its importance to the entity. It has several
subcomponents:
1- Integrity and ethical values: Such as management’s actions to remove or reduce
incentives and temptations that might prompt personnel to engage in dishonest,
illegal, or unethical acts. It also includes communicating entity values and
behavioral standards to employees through policy statements, codes of conduct,
and by example.
2- Commitment to competence: Management's consideration of the
competence levels for specific jobs and how those levels translate into
requisite skills and knowledge.
3- Board of directors and audit committee participation: The more
effective this is, the better is the internal control environment.
4- Management philosophy and operating style: Such as the risk
appetite, performance targets, bureaucracy, etc., and their effects
on internal control.
5- Organizational structure: Controls should be implemented taking into
account the entity’s lines of responsibility and authority.
6- Human resource policies and practices: In areas of hiring, training,
promoting, compensating, dealing with personal problems, etc.
Risk assessment
Risk assessment for financial reporting is management’s identification
and analysis of risks relevant to the preparation of financial
statements in conformity with accounting standards. It is important to
evaluate the significance of the risk and its likelihood of occurrence,
and decide the actions needed to address the risks.
Control activities
• Control activities are policies and procedures that help ensure that
necessary actions are taken to address risks facing the achievement of
the entity’s objectives. They generally fall into five categories:
• Adequate separation of duties: Such as separation of the duties of custody of
assets and accounting, authorization of actions and custody of related assets,
operational responsibility and record-keeping responsibility, and information
technology duties and user departments.
• Proper authorization of transactions and activities: whether it is general
authorization or specific authorization for individual actions.
• Adequate documents and records: including prenumbering similar
documents consecutively, preparing documents as quickly as possible when
transactions take place, designing documents for multiple use, and
constructing documents in a manner that encourages correct preparation.
• Physical control over assets and records, such as using safes, emergency
alarms, and password access.
• Independent checks on performance: This is important in order for the
other four categories mentioned above to perform well and not be forgotten
or neglected. An internal auditing department is part of this function, as may
be forcing employees to take vacations during which they are replaced by others.
Information and communication
• This includes maintaining an information and communication system
to initiate, record, process, and report the entity’s transactions and to
maintain accountability for the related assets. Your accounting
information systems course is likely to give you deeper information
on this issue.
Monitoring
• Monitoring activities deal with ongoing or periodic assessment of the
quality of internal control by management to determine that controls
are operating as intended and that they are modified as appropriate
for changes in conditions. Several sources of information are used
here, including studies of existing internal controls, internal auditor
reports, exception reporting on control activities, reports by
regulators, feedback from operating personnel, and complaints from
customers.
• See Table 11-1 (p. 384) for a summary of COSO components of
internal control.
IT Controls and auditing
• Currently, a very large number of businesses of different sizes rely on IT to record
and process transactions. Various types of IT functions, including the internet,
exist. IT integration into accounting systems has led to:
• Computer controls replacing manual controls, with a lower possibility of
random errors and the ability to handle a very large number of transactions
quickly and cost-effectively.
• Higher quality information is available at a larger quantity and speed.
Assessing risks of information technology

• IT may be better for internal control of companies, but it has its own
problems and risks which the company and its auditors must be
aware of. These include:
1-Reliance on the functioning capabilities of hardware and software:
If the hardware or software were limited in their features or not well
maintained or carried viruses, their functioning may be impaired.
2-Systematic versus random errors: While the errors that occur in
manual systems tend to be random, errors occurring in IT systems
tend to be systematic. For example, if there was an error in designing
an IT system, this is likely to lead to errors in all transactions
processed through this system.
3- Unauthorized access: In addition to physically unauthorized access
by people having access to the IT machines, there is the risk of
unauthorized access through misusing passwords or hacking.
4- Loss of data: A simple “delete” process may lead to a loss of a large
amount of data stored electronically.
5- Invisibility of audit evidence: This occurs through computer
functions reducing or eliminating, or at least hiding, the evidence the
auditor can use, leading to significantly less evidence to test
(especially documents and records).
6- Reduced human involvement: This implies that many individuals
who deal with the system may never have the access to the results of
their work, and therefore cannot verify the accuracy of it.
7- Lack of traditional authorization: This is because in IT systems there are fewer
procedures like authorised signatures and seals. In this case, the entity should be
careful with IT authorisation of transactions.
8- Reduced separation of duties: IT environments often lead to reduced separation
of duties through combining many functions that were traditionally separated in
one centralized IT function. If an individual has large access to many functions on
the system, he/she might act dishonestly.
9- Need for IT experience: IT environments need special knowledge
that not every employee possesses. If employees dealing with IT are
not qualified, this may lead to high IT risks.
 
General internal controls

• General controls apply to all aspects of the IT function, including IT
administration, separation of IT duties, systems development, physical and online
security over access to hardware, software, and related data, backup and
contingency planning in the event of unexpected emergencies, and hardware
controls. Because general controls often apply on an entity-wide basis, auditors
evaluate general controls for the company as a whole.
Main general controls include:
A- Administration of the IT function: This includes the board of directors' and
senior management's attitude about IT and the perceived importance of it in
the organisation from their point of view. Important topics here include
oversight, resource allocation, and involvement in key IT decisions. The
management may establish special committees reporting to them regarding
important IT issues. The chief of IT reports to the senior management and the
board of directors.
B- Separation of IT duties: Main responsibilities to be separated in an IT
environment include IT management, systems development, operations, and
data control. In general, those who perform programming, operating, and data
controlling should be different people.
C- Systems development: This includes purchasing or developing in-house software
to meet the organization's needs, and testing all software to ensure that the new
software is compatible with existing hardware and software and determine
whether the hardware and software can handle the needed volume of
transactions.
D- Physical and online security: IT systems need physical security measures such
as keys, cameras, security personnel, and controlled cooling and humidity
conditions to protect the machines. The systems also need online security
measures, such as firewalls and encryption programs, to reduce the likelihood of
unauthorised use and misuse.
E- Backup and contingency planning: This means having plans to deal with
issues such as power failures, fire, water damage, or even theft of machines,
all of which can lead to a big loss of data.
F- Hardware controls: These controls are built into the computer equipment by
the computer manufacturers to detect and report equipment failures.
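
The separation of IT duties in item B can be checked mechanically during an access review. The sketch below is an added example, not part of the original slides; the role names, user names, and the role-to-duty mapping are constructed assumptions, and only the three duties that "should be different people" come from the text.

```python
from itertools import combinations

# Pairs of IT duties that should not sit with one person, per item B above:
# programming (systems development), operating, and data control.
INCOMPATIBLE = {
    frozenset(pair)
    for pair in combinations(("systems_development", "operations", "data_control"), 2)
}

# Constructed sample data (hypothetical roles and users).
ROLE_DUTIES = {
    "developer": {"systems_development"},
    "batch_operator": {"operations"},
    "data_control_clerk": {"data_control"},
    "release_manager": {"systems_development", "operations"},  # role combines two duties
    "it_manager": {"it_management"},
}
USER_ROLES = {
    "alice": ["developer"],
    "bob": ["batch_operator", "data_control_clerk"],
    "carol": ["release_manager"],
    "dave": ["it_manager", "developer"],
    "erin": ["contractor_admin"],  # role missing from the mapping
}


def sod_conflicts(user_roles, role_duties, incompatible=INCOMPATIBLE):
    """Return {user: [(kind, detail, roles), ...]} for users needing follow-up."""
    findings = {}
    for user, roles in user_roles.items():
        hits = []
        granted = {}  # duty -> set of roles that grant it to this user
        for role in roles:
            if role not in role_duties:
                # A role nobody has mapped to duties cannot be reviewed at all.
                hits.append(("unmapped_role", role, [role]))
                continue
            for duty in role_duties[role]:
                granted.setdefault(duty, set()).add(role)
        # Compare every pair of duties the user effectively holds.
        for a, b in combinations(sorted(granted), 2):
            if frozenset((a, b)) in incompatible:
                hits.append(("conflict", f"{a} + {b}", sorted(granted[a] | granted[b])))
        if hits:
            findings[user] = hits
    return findings


if __name__ == "__main__":
    for user, hits in sod_conflicts(USER_ROLES, ROLE_DUTIES).items():
        for kind, detail, roles in hits:
            print(f"{user}: {kind}: {detail} (via {', '.join(roles)})")
```

The review works on effective duties rather than role names, so it catches both a user who accumulates two separate roles and a single role that was designed with incompatible duties.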
 
Application internal controls
 

• Application controls apply to processing transactions, such as controls
over the processing of sales or cash receipts. Auditors must evaluate
application controls for every class of transactions or account in which
the auditor plans to reduce assessed control risk, because IT controls
will be different across classes of transactions and accounts.
Application controls are likely to be effective only when general
controls are effective. Application controls can be classified into:
A- Input controls: These controls are designed to ensure that the information
entered into the computer is authorised, accurate, and complete. These are
important as a wrong entry would normally lead to a wrong output. Examples of
input controls include management's authorisation of transactions, adequate
preparation of input source documents, competent personnel, adequately
designed input screens with pull-down menu lists and computer-performed
validation tests, and on-line based input controls for e-commerce transactions
with external parties.
B- Processing controls: These controls are designed to prevent and
detect errors while transaction data are processed. They include tests
for validation, sequence, arithmetic accuracy, data reasonableness,
and completeness.
C- Output controls: These controls focus on detecting errors after processing is
completed, rather than on preventing errors. The most important issue here is
the reasonableness of the results. Controls that may apply here include
reconciling computer-generated totals to manual control totals, comparing the
number of units processed to the number of units submitted for processing,
comparing some transaction output to its input source documents, and verifying
dates and times of processing to identify any out-of-sequence processing.
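
The processing and output controls in items B and C can be expressed as checks over one processed batch. The following is an added example, not part of the original slides; the record layout, the amount limit, and the sample batch are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from decimal import Decimal


@dataclass(frozen=True)
class Txn:
    doc_no: int             # prenumbered source document number
    amount: Decimal
    processed_at: datetime  # when the system processed the record


def txn(doc_no, amount, hour, minute):
    """Build a constructed sample record on a fixed, arbitrary date."""
    return Txn(doc_no, Decimal(amount), datetime(2024, 1, 15, hour, minute))


def check_batch(txns, control_count, control_total, amount_limit):
    """Return a list of (control, detail) exceptions for one processed batch."""
    exceptions = []

    # Completeness: units processed vs. units submitted for processing.
    if len(txns) != control_count:
        exceptions.append(("record_count", f"processed {len(txns)}, submitted {control_count}"))

    # Output control: computer-generated total vs. manual control total.
    total = sum((t.amount for t in txns), Decimal("0"))
    if total != control_total:
        exceptions.append(("control_total", f"computed {total}, control {control_total}"))

    # Sequence test on prenumbered documents: duplicates, then gaps.
    seen = set()
    for t in txns:
        if t.doc_no in seen:
            exceptions.append(("duplicate_doc", str(t.doc_no)))
        seen.add(t.doc_no)
    if seen:
        for missing in sorted(set(range(min(seen), max(seen) + 1)) - seen):
            exceptions.append(("missing_doc", str(missing)))

    # Data reasonableness: amount must be positive and within the limit.
    for t in txns:
        if t.amount <= 0 or t.amount > amount_limit:
            exceptions.append(("unreasonable_amount", f"doc {t.doc_no}: {t.amount}"))

    # Dates and times of processing: a later document processed earlier
    # than its predecessor indicates out-of-sequence processing.
    ordered = sorted(txns, key=lambda t: t.doc_no)
    for prev, cur in zip(ordered, ordered[1:]):
        if cur.processed_at < prev.processed_at:
            exceptions.append(
                ("out_of_sequence", f"doc {cur.doc_no} processed before doc {prev.doc_no}")
            )
    return exceptions


# Constructed batch: documents 1001-1005 were submitted (manual total 2815.75).
# Document 1003 was dropped, 1004 was entered twice, and 1005 was keyed as
# 98000.00 instead of 980.00 and carries an earlier timestamp than 1004.
SAMPLE_BATCH = [
    txn(1001, "250.00", 9, 0),
    txn(1002, "1200.50", 9, 5),
    txn(1004, "75.25", 9, 20),
    txn(1004, "75.25", 9, 21),
    txn(1005, "98000.00", 9, 10),
]
CONTROL_COUNT = 5
CONTROL_TOTAL = Decimal("2815.75")
AMOUNT_LIMIT = Decimal("50000.00")

if __name__ == "__main__":
    for control, detail in check_batch(SAMPLE_BATCH, CONTROL_COUNT, CONTROL_TOTAL, AMOUNT_LIMIT):
        print(f"{control}: {detail}")
```

In the sample batch the record count agrees with the number submitted even though one document is missing and another is duplicated, which is why the count is run alongside the control total and the sequence test rather than instead of them.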
Obtaining and documenting understanding of internal control
• An auditor starts by obtaining and documenting understanding of
internal control design and operation. He then assesses control risk,
designs, performs, and evaluates tests of controls, and finally decides
on planned detection risk and substantive tests of details.
• There are three types of methods used to obtain and document the
auditor’s understanding of the design of internal control. These are:
• Narrative: This is a written description of a client’s internal controls. It includes the origin
of every document and record in the system, all processing that takes place, the
disposition of every document and record in the system, and an indication of the
controls relevant to the assessment of control risk.
• Flowchart: This is a diagram of the client’s documents and their sequential
flow in the organization. It also includes the origin of every document and
record in the system, all processing that takes place, the disposition of
every document and record in the system, and an indication of the controls
relevant to the assessment of control risk.
• Questionnaire: This asks a series of questions about the controls in each
audit area as means of identifying internal control deficiencies.
It may be appropriate to use more than one of the above methods
together to get a clearer idea about the internal control system and
its actual application at the client.
In addition to understanding the internal control system, the auditor
has to evaluate the system’s implementation. Some methods used
here are:
• Update and evaluate the auditor’s previous experience with the
entity.
• Make inquiries of client personnel.
• Examine documents and records.
• Observe entity activities and operations.
• Perform walkthroughs of the accounting system.
Assessing control risk
• Having documented the client’s internal controls and formed an initial view
of them, the auditor’s next step is to assess control risk. This is done in several
steps:
1- Assess whether the financial statements are auditable
This includes assessing whether there are any very significant issues that may make
the financial statements in general not auditable, such as very poor management
integrity, or very poor internal controls. In such cases, the auditor may consider
withdrawing from the audit. If not, the auditor proceeds to the next step.
2- Determine assessed control risk supported by the understanding obtained,
assuming the controls are being followed
• After obtaining an understanding of the client’s internal control and initially
evaluating it, the auditor makes a preliminary assessment of control risk based
on what he currently already knows, which includes what the client claims to
be there. This assessment is a measure of the auditor’s expectation that
internal controls will prevent material misstatements from occurring or detect
and correct them if they have occurred. This preliminary assessment is made
for the specific related audit objective.
3- Use of a control risk matrix to assess control risk
A control risk matrix is a method often employed by auditors to assess control risk
by tying audit objectives to internal controls. The steps in doing so include:
• a- Identifying audit objectives for classes of transactions, account balances,
and presentation and disclosure to which the control risk assessment applies.
• b- Identifying existing controls aimed at satisfying the audit objectives. The
auditor determines what controls should exist in order to achieve the audit
objectives.
• c- Associating controls with related audit objectives
• d- Identifying and evaluating control deficiencies (in the design or operation of
the controls), significant deficiencies (one or more control deficiencies exist and
the issue merits attention by those responsible for oversight of the company’s
financial reporting), and material weaknesses (one or more significant
deficiencies make it reasonably possible that internal control will not prevent or
detect material financial statement misstatements on a timely basis).
• Control deficiencies, significant deficiencies, and material weaknesses are
assessed on two dimensions: likelihood of occurrence and significance of outcome.
• Control deficiencies, significant deficiencies, and material weaknesses are
identified by (1) identifying existing controls, then (2) identifying the absence of
key controls, then (3) considering the possibility of compensating controls, then
(4) deciding whether there is a significant deficiency or material weakness, then
(5) determining potential misstatements that could result from a deficiency or a
weakness.
• e- Associating significant deficiencies and material weaknesses with related audit
objectives.
• f- Assessing control risk for each related audit objective.

After the previous steps are undertaken, the auditor now makes a subjective
assessment of control risk for each audit objective. This may be in the form of
(high – moderate – low) or percentage or numerical levels. This assessment may
be amended as a result of the tests of controls and substantive tests of details.
• Communications to those charged with governance and management letters:
• Auditing standards require the auditor to report some control issues to those
charged with governance (such as the client’s board of directors and audit
committee). Those charged with governance can then intervene and address
the control problems, and therefore help both the client and the auditor.
Auditors may (but are not required to) report recommendations on less
significant internal control issues to the client as a value-added service.
In summary, the steps for performing a preliminary assessment of control risk
are as follows:
1- Identify what controls should exist in the situation
2- Identify what controls exist in the situation
3- Identify the absence of key controls
4- Consider the possibility of compensating controls
5- Decide whether there are significant deficiencies or material weaknesses
6- Determine potential misstatements in the financial statements that can result
from these significant deficiencies and material weaknesses.
This is repeated for each audit objective.
Tests of controls
• If the auditor decides to consider relying on the internal controls of
the client (the assessed control risk is low or medium), he has to test
the controls in order to justify the previously made assessment of
control risk. If the results of the tests of controls support the
previous assessment of control risk, then they can be used to reduce
the evidence collected through substantive testing. If not, the previous
assessment of control risk is to be reconsidered.
The operational effectiveness of internal controls can be tested using
the following four procedures:
• Making inquiries of appropriate client personnel.
• Examining documents, records, and reports.
• Observing control-related activities.
• Reperforming client procedures.
• The extent of use of these tests of control procedures depends on the
desired level of control risk to be depended on by the auditor. The
lower the level of control risk the auditor wants to use, the more
extensive the tests of controls procedures will be.
After performing tests of controls and determining a final assessment
of control risk, this assessment is aligned to audit objectives and
integrated into the determination of planned detection risk, and
therefore the types of audit evidence to be collected and evaluated
and the types of substantive tests of details to be performed.
Chapter Ten: Assessing and Responding to Fraud Risks

Types of fraud

• Fraudulent financial reporting is an intentional misstatement or omission of amounts or
disclosures with the intent to deceive users. Most fraud includes an attempt to overstate income,
but there is also fraud that intends to understate income, if this leads to lower income tax or
creates earnings reserves. Some forms of fraud include earnings management, involving deliberate
actions taken by management to meet earnings objectives. A form of that is income smoothing,
where revenues and expenses are shifted between periods to reduce fluctuations in earnings.
• Misappropriation of assets involves theft of the entity's assets. While this usually involves
internal parties, such as employees and members of the executive management and the board of
directors, it may sometimes involve external parties, such as customers (e.g. shoplifting) or
suppliers (e.g. cheating in products).
Conditions for fraud

• According to the fraud triangle principle, three conditions must be present in order for fraud to
occur. These are:
• Incentives / Pressures: Management or other employees have incentives or pressures to commit
fraud.
• Opportunities: Circumstances provide opportunities for management or employees to commit
fraud.
• Attitudes / Rationalization: An attitude, character, or set of ethical values exists that allows
management or employees to commit a dishonest act, or they are in an environment that
imposes sufficient pressure that causes them to rationalize committing a dishonest act.
See pages 340 and 342 and the appendixes of ISA 240 for examples
of risk factors concerning the above three conditions, in the cases of
fraudulent financial reporting or misappropriation of assets.
• In the case of fraudulent financial reporting, incentives and pressures
include a decline in the company's prospects, such as low profitability
or low ability to repay debt, and a willingness to meet budgets or
analysts' forecasts or conditions of debt covenants. Another
important factor here is the willingness of managers to earn higher
bonuses through manipulating financial statements.
• As for opportunities, risk factors include the existence of significant judgements
and estimates in accounting, weakness of accounting information systems and
internal control, and high turnover of accounting and information technology
employees.
 
• As for attitudes and rationalization, risk factors include a managerial disregard of
the financial reporting process, desire to meet overly optimistic forecasts, and
lack of ethics.
• In the case of misappropriation of assets, incentives and pressures include
financial pressures on employees, or their dissatisfaction with the company they
work at. Opportunities include weakness of internal controls, such as easy access
to cash or inventory or other valuable assets, and lack of adequate separation of
duties or lack of keeping adequate records and documents. Attitudes and
rationalization include management's attitudes towards ethics (if managers cheat
then lower-level employees may consider this acceptable).
 
Assessing the risk of fraud

• An auditor should approach fraud with professional scepticism,
neither assuming that management is dishonest nor that it is unquestionably
honest. This includes approaching the audit with a questioning mind throughout
the audit to identify fraud risks and critically evaluate audit evidence. If auditors
come across a possibility of material misstatements due to fraud, they must
thoroughly probe the issues, acquire additional evidence and perform additional
tests, and consult with other team members.
Sources of information to assess fraud risks

1- Communication among the audit team: Discussions among the members of the
audit team may reveal some issues related to fraud, such as the opportunities of
its occurrence due to poor controls, or the existence of some suspicious
observations by some members. Sometimes, lower-level auditors (who do most
of the daily work) may not be aware of the risk of something that the higher-level
auditors may, due to experience, perceive as important.
2- Inquiries of management: Sometimes management may be aware of,
or suspect, the existence of fraud in the company, and tell the
auditor about that and about its plans to deal with it. The auditor is
required to ask the client's management about their knowledge of
any fraud in the entity and what they have done in response to this
issue.
3- Risk factors: The auditor has to evaluate risk factors in order to
consider whether there are significant possibilities of fraud in the
company, whether through fraudulent financial reporting or through
misappropriation of assets. The existence of one or more risk factors
does not definitely mean that there is fraud, but the auditor has to
give more attention to the issue.
4- Analytical procedures: Analysis using analytical procedures may
show that there are differences between the reported figures and the
auditor's expectations. In this case, this issue may be the result of a
hidden fraud.
5- Other information: This information may be obtained through other
risk assessment activities or from other sources, such as the
reputation of management on integrity and honesty. Another source
is receiving tips from employees or other people about the possible
existence of fraud or suspicious activities in the client.
 
After assessing fraud risks, auditors have to document their discussions
and findings in their working papers. In evaluating fraud risk factors,
auditors have to consider whether the fraud risk may be reduced
through better corporate governance oversight, including
management's fulfilment of their responsibilities towards fraud, and
the oversight of the audit committee.
 
Responding to the risk of fraud

After identification of risks of material misstatements due to fraud, auditors should
discuss the findings with management and see whether management has
applied controls to deal with the risks. Having discussed that, auditors' responses
to fraud risks include:
1- Changing the overall conduct of the audit: such as including fraud specialists
and adding unpredictability to audit procedures to counter fraudsters' possible
familiarity with the traditional procedures.
2- Designing and performing audit procedures to address fraud risks.
3- Designing and performing procedures to address management
override of controls: such as examining journal entries and other
adjustments for evidence of possible misstatements due to fraud,
reviewing accounting estimates for biases, and evaluating the
business rationale for significant unusual transactions.
Responsibilities when fraud is suspected

• If fraud is suspected, the auditor gathers additional information to determine whether fraud
actually exists. A popular method here is additional inquiries of management and other parties.
Inquiries may be informational (to obtain new information) or assessment (to corroborate or
contradict prior information) or interrogative (to determine whether individuals are deceptive –
this method requires sufficient experience by auditors). After that, auditors evaluate the
responses to inquiry, and may perform follow-up inquiries and interviews. In interviews, auditors
should pay close attention to verbal and nonverbal cues used by interviewees that may indicate
possible deception. (See tables 10-6 and 10-7 on page 361 for examples).
• Other practices in response to suspected fraud include
using audit software analysis [such as Computer-Aided Audit
Techniques (CAATs)] and the use of expanded substantive testing.
Specific fraud risk areas

Revenue and accounts receivable fraud risks

• Revenue is usually the largest item in the income statement, and it
therefore directly affects reported income, and is also easy to
manipulate because of the ambiguity of the application of the
revenue recognition principle, especially regarding the timing of the
recognition.
Main types of revenue manipulation regarding fraudulent financial
reporting include:
A- Fictitious revenues (the creation of fake revenues that do not exist)
B- Premature revenue recognition (recognizing revenue in periods
before the periods it should be recognized in)
C- Manipulation of adjustments to revenues (such as not recording
sales returns and allowances, or manipulating the bad debt expense).
 
• Main types of revenue manipulation regarding misappropriation of assets
include:
A- Failure to record a sale (stealing the inventory or the cash receipts and not
recording the transaction in the books).
B- Theft of cash receipts after a sale is recorded: (This may be committed through
recording a sale return or allowance, writing-off the customer's account as bad
debt, and closing the customer's account through opening another one and
repeating this practice).
Purchases and accounts payable fraud risks

• This usually includes the understatement of accounts payable or
purchases and costs of goods sold to make the financial statements
look better. Some methods used here for fraudulent financial
reporting include:
A- Not recording accounts payable until subsequent periods.
B- Recording fictitious reductions to accounts payable.
As for misappropriation of assets, some methods used here include:
A- Issuing payments to fictitious vendors and stealing the amounts.
B- Stealing payments to real vendors.
Fraud risks in fixed assets

• These risks include the subjectivity of valuing fixed assets (including
revaluation and impairment) and the wrong capitalisation or
expensing of assets and expenses. Also, some fixed assets may be
subject to theft, such as computers.
Fraud risks in payroll accounts

Some methods used in payroll fraud include:
A- Overstating inventory by increasing direct labour and indirect labour costs in it.
B- Overstating the costs of assets by wrongly capitalising labour used to construct
them.
C- Manipulating fringe benefits, such as retirement benefits.
D- Creation of fictitious employees and stealing their salaries.
E- Overstating individuals' working hours to steal some money as additional wages.
 
• Auditors must be aware of the above mentioned examples, and the
warning signs of their existence. Some methods used here are careful
analytical procedures and careful examination of document
discrepancies and weaknesses in internal control systems.
CHAPTER THIRTEEN: Audit Strategy and Audit Program
Types of tests

• In developing an overall audit plan, auditors use five types of tests to determine
whether financial statements are fairly stated. Auditors use risk assessment
procedures to assess the risk of material misstatements. The other four types of
tests represent further audit procedures performed in response to the risk
identified. Each audit procedure falls into one, and sometimes more than one, of
these five categories. The five types of audit tests are:
• Risk assessment procedures: The auditor is required to obtain an understanding
of the entity and its environment, including its internal control, to assess the risk
of material misstatement in the client's financial statements. The other four
audit tests (discussed below) are performed in response to the auditor's
assessment of the risk of material misstatements. According to the audit firm's
approach to risk assessment, several different types and quantities of risks may
be assessed (although there are minimum requirements). This selection of risks,
and its results, significantly affects the mix of other tests performed in the audit
program.
• Tests of controls: The auditor's understanding of internal controls is used to
assess control risk for each transaction-related audit objective (the assessment
may be different for each objective). If the preliminary control risk assessment is,
for example, low or medium, and the auditor wants to rely on internal controls to
reduce substantive audit procedures, he has to perform tests of controls. Tests of
controls are performed to obtain sufficient appropriate evidence to support the
preliminary assessment of control risk. Tests of controls may include making
inquiries of appropriate client personnel, examining documents and records and
reports, observing control-related activities, and reperforming client procedures.
• Tests of control can be either manual or automated. They are also used to
determine whether the controls are effective (by testing a sample of the
controls). The amount of additional evidence required for tests of controls
depends on the extent of evidence obtained in gaining the understanding of
internal control, and the planned reduction in control risk. Tests of controls may
be performed separately, but it may be cost-effective to do them at the same
time as doing substantive tests of transactions, especially if the same procedure
is applied for both types of tests.
• Substantive tests of transactions: Substantive tests are procedures designed
to test for monetary misstatements that directly affect the correctness of
financial statement balances. These tests are substantive tests of transactions,
substantive tests of details of balances, and substantive analytical procedures.
• Substantive tests of transactions are used to determine whether all six
transaction-related audit objectives (occurrence, completeness, accuracy, posting
and summarization, classification, timing) have been satisfied for each class of
transactions.
• Substantive tests of details of balances: These tests focus on the ending general
ledger balances for both balance sheet and income statement accounts. Typical
types of such tests include confirming payable and receivable accounts and
physical examination of tangible assets. These tests are performed to satisfy all
balance-related audit objectives (existence, completeness, accuracy,
classification, cutoff, detail tie-in, realizable value, rights and obligations) for
each significant account.
• Substantive analytical procedures: Analytical procedures involve comparisons of
recorded amounts to expectations developed by the auditor. They are required by
audit standards during the stages of planning and completing the audit, but they
can also be used as a substantive auditing procedure in order to provide
substantive evidence and indicate possible misstatements in the financial
statements. If auditors believe that analytical procedures indicate a reasonable
possibility of misstatement, they may perform additional analytical procedures or
decide to modify tests of details.
• However, if the results of analytical procedures make the auditor conclude
that the client's ending balances in certain accounts appear reasonable,
certain tests of details of balances may be eliminated or sample sizes
reduced. The extent to which an auditor may be willing to rely on analytical
procedures in support of account balances depends on several factors,
including the precision of the expectation developed by the auditor,
materiality, the risk of material misstatement, and the effectiveness of the
client's internal control.
Selecting which types of tests to perform

• Typically, auditors use all five types of tests when performing an audit of the
financial statements, but certain types may be emphasised, depending on the
circumstances. Several factors influence the auditor's choice of the types of tests
to select, including the availability of the different types of evidence, the relative
costs of each type of evidence, the effectiveness of internal controls, inherent
risks, fraud risks, and business risks.
• Availability of types of evidence for further audit procedures
• See Table 13-2, page 454. 

 
• We can see from the table that six out of eight possible types of
evidence are available for testing balances, four for testing
transactions, four for testing controls, and only two for analytical
procedures. Certain types of evidence, including physical examination
and confirmation, can only be used to test a balance, while inquiries
of the client can be used in all types of tests.
• Relative costs of audit procedures
Audit procedures are different in costs. The rule is that auditors have to fulfil their
responsibilities according to laws and regulations and auditing standards. This
includes collecting sufficient appropriate evidence. There are general
requirements for the use of certain types of audit procedures, but after that the
extent of use of each type is a matter of personal judgement. The audit firm is a
profit-seeking entity, and therefore would like to fulfil its legal and professional
responsibilities at the lowest possible cost. This influences the mix of audit
procedures it uses.
In general, the audit procedures are classified below, according to their
relative costs, with the least costly first:
• Analytical procedures
• Risk assessment procedures (including obtaining an understanding of
the entity)
• Tests of controls
• Substantive tests of transactions
• Substantive tests of details of balances
• It is clear that the least expensive type is analytical procedures, which may
include making only a few comparisons per case or using a software program,
while the most expensive is substantive tests of details of balances, which may
involve many complications in the account components, and the need to use expensive
confirmation and physical examination. Tests of controls are more expensive than
risk assessment procedures due to the need for more extensive testing
procedures in the former.
CHAPTER 24: Completing the Audit

• In this chapter, some procedures done at the end of the audit, but before the issuance of the
audit report are discussed.

Review for contingent liabilities and commitments

• A contingent liability is a potential future obligation to an outside party for an unknown amount
resulting from activities that have already taken place. Three conditions are required for a
contingent liability to exist:
1- There is a potential future payment to an outside party or the impairment of an asset that
resulted from an existing condition.
2- There is uncertainty about the amount of the future payment or impairment.
3- The outcome will be resolved by some future event or events.
• If the likelihood of occurrence of the future outcome is probable and the amount can be
reasonably estimated, financial statement accounts are adjusted (a debit to a loss/expense and a
credit to a liability).
• If the likelihood of occurrence of the future outcome is probable and the amount cannot be
reasonably estimated, note disclosure is necessary.
• If the likelihood of occurrence of the future outcome is reasonably possible, note disclosure is
necessary.
• If the likelihood of occurrence of the future outcome is remote, no disclosure is necessary.
• Certain contingent liabilities include, for example:
• Pending litigation.
• Income tax disputes
• Product warranties
• Guarantees of obligations of other parties.
• Main objectives in verifying contingent liabilities are:
• Evaluating the accounting treatment of known contingent liabilities.
• Identifying (to the extent practical) any contingent liabilities not already identified by the client.

• Examples of commitments include agreements to purchase raw materials or lease assets at a
certain price or sell merchandise at a fixed price, or bonus plans or pension plans. These are
characterised by the existence of an agreement to commit the client to a set of fixed conditions in
the future. Commitments generally need to be disclosed in notes.
 
• To find unidentified contingencies/commitments or evaluate known
contingencies/commitments, the following procedures can be performed (for
example):
• Inquiry of management about contingencies and commitments.
• Reviewing income tax reports.
• Reviewing minutes of meetings of shareholders, directors, and management.
• Reviewing documents
• Obtaining letters from attorneys.
• The last procedure (letters from attorneys) is a major audit procedure
used to evaluate litigation. See page 812 for an example of an inquiry
of an attorney on legal matters. The refusal of an attorney to
cooperate with the auditor may probably lead to a modification of the
audit report.
Review for subsequent events

• The auditor must review transactions and events that occurred after the balance
sheet date to determine whether any of these transactions or events affects the
fair presentation and disclosure of the current period statements. Normally, this
responsibility extends up to the date of the auditor's report, which corresponds
to the completion of the important auditing procedures.
• Subsequent events are of two types:
1- Those that have a direct effect on the financial statements and require adjustments. This
generally means events that make issues that were unclear (probably estimated) at year-end
clearer, such as a settlement of litigation or a sale of an impaired asset. In these cases, an
adjustment to the financial statements of the previous year is required.
2- Those that do not have a direct effect on the financial statements but for which disclosure is
required. These are significant events that do not affect the balances at the year-end but are
sufficiently material to require a disclosure mentioning their existence. These include a major loss
of uninsured buildings caused by fire, or the occurrence of a merger or acquisition.

Subsequent events are tested both as procedures normally integrated as part of the verification of
year-end account balances, and procedures performed specifically for the purpose of discovering
events or transactions that must be recognized as subsequent events. The first procedures are
done along with other audit tests (see cutoff and valuation objectives), while the second may
include procedures such as:
• Reviewing records prepared subsequent to the balance sheet date.
• Reviewing internal statements prepared subsequent to the balance sheet date.
• Examining minutes issued subsequent to the balance sheet date.
• Corresponding with attorneys.
• Inquiring of management.
• Obtaining a letter of representation.
Perform final analytical procedures

• Auditors are required to perform analytical procedures during the
completion of the audit. This is useful as a final review for material misstatements
or financial problems not noted during other testing and to help the auditor take
a final objective look at the financial statements. This procedure at this stage is
usually performed by a partner who usually has more knowledge than other
auditors in the team, and may therefore discover issues they did not discover. The
partner reads the financial statements and notes considering:
• The adequacy of evidence gathered about unusual or unexpected
account balances or relationships identified during planning or while
conducting the audit.
• Unusual or unexpected account balances or relationships that were
not previously identified.
• The results of this analytical procedure may indicate that additional
audit evidence and tests are necessary.
Evaluate going concern assumption

• Although evaluating going concern can occur at different stages of an audit, it
may be desirable to perform an evaluation after all evidence has been
accumulated and tested and any required adjustments to the financial
statements are made. If a substantial doubt over going concern exists, the auditor
should evaluate management’s plans to avoid bankruptcy and the feasibility of
achieving these plans. After that, the auditor makes a decision on adding a
paragraph in the report to mention the going concern doubt.
Obtain management representation letter

• The auditor is required to obtain a letter from the client’s management
documenting management’s most important oral representations made during the
audit. Refusal to give this letter may lead to qualification or disclaimer of opinion.
The main reasons for this letter:
• To impress upon management its responsibility for the assertions in the financial
statements.
• To remind management of potential misstatements or omissions in the financial
statements.
• To document the responses from management to inquiries about various
aspects of the audit.
Issues in this letter may include, for example:
• Management’s acknowledgement of its responsibility for the fair presentation of
the financial statements
• Management’s belief that the financial statements are presented fairly and in
conformity with required accounting standards.
• Completeness of the documents required by the auditor.
• Information concerning fraud
• Information about subsequent events.
Considering other information

• This includes other information in the annual report apart from the
financial statements and their related note disclosures. If the auditor
finds information that contradicts the financial statements, and
the client refuses to make amendments, the auditor may consider
adding a paragraph to emphasise that in the audit report (or qualify
the opinion if the error was in the financial statements or their notes).

After doing all that, the auditor evaluates the final results and issues
the report. He also communicates with the audit committee on:
• fraud and illegal acts
• internal control deficiencies
• other communication
This is to:
• communicate auditor responsibilities in the audit of financial statements
• provide an overview of the scope and timing of the audit
• provide those charged with governance with significant findings arising during the audit
• obtain from those charged with governance information relevant to the audit.

Also, the auditor writes to the client about his recommendations about any part of the client’s
business.
