Vous êtes sur la page 1sur 70

ADVANCED AUDIT AND ASSURANCE

STUDY GUIDE

3.1

Module 3

Understanding the entity, assessing risk and responding to risks

Contents
Preview
Introduction Objectives Teaching materials

3.3

Overview of standards covering risk assessment and response to assessed risks Planning an audit of nancial statements Audit materiality
Materiality concepts Application of materiality concepts Performance materiality

3.4 3.5 3.8

Financial statement assertions Identifying and assessing the risks of material misstatement through understanding the entity and its environment
Perform risk assessment procedures Discuss the susceptibility of the entitys nancial statements to material misstatement Understand specied aspects of the entity and its environment, including internal control Controls in an IT environment Assess the risks of material misstatement Identify signicant risks

3.12 3.15

Strategic analysis Techniques used in strategic analysis

SWOT analysis PEST analysis Porters ve forces model for industry analysis Value chain analysis Simple comparisons Reasonableness tests Ratio analysis

3.33 3.36

Analytical procedures

3.43

Responding to assessed risks


Key principles Tests of control Substantive procedures

3.52

Evaluation of misstatements identied during the audit Review References

3.55 3.57 3.57

Suggested answers

ADVANCED AUDIT AND ASSURANCE

STUDY GUIDE

3.3

Preview
Introduction
In this module we introduce the concept of a business risk and how it: impacts on the auditors knowledge and understanding of the client; and relates to the risk of material misstatement. Obtaining an understanding of the business assists the auditor in: assessing risks and identifying problems; planning and performing the audit both effectively and efciently; and evaluating audit evidence This module provides an overview of some techniques for obtaining an understanding of the entity and its environment, including analytical procedures. As a number of the large audit rms have adopted a strategic systems audit approach based on risk analysis, this approach is discussed in this module. Strategic analysis is an important part of risk analysis. Emphasis is placed on the following techniques used in strategic analysis to identify business risks: SWOT analysis; PEST analysis; Porters ve forces; and value chain analysis While the management literature employs these types of analysis to identify investing and operating opportunities, auditors consider threats to the auditees business as a source of audit risk. After discussing the planning of an audit and audit materiality, substantial emphasis is placed in this module on ISA 315 Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and Its Environment and ISA 330 The Auditors Responses to Assessed Risks. As internal control is a means of mitigating business risk, we examine the components of internal control using the framework set out in ISA 315. We then consider these internal controls in an IT environment. An important topic is audit assertions. Following ISA 330, this module discusses the auditors response to assessed risks. There are two major classes of audit procedures: tests of control and substantive tests. The purpose of tests of controls is to support an assessed level of control risk (or the risk of material misstatement) as determined by the evaluation of internal controls. Substantive tests of transactions and balances involve substantively verifying the associated dollar values. The auditor will outline in the audit plan the most efcient and effective combination of audit procedures to achieve a desired level of audit risk. Finally, issues related to the evaluation of misstatements identied during an audit are discussed.

3.4

STUDY GUIDE

ADVANCED AUDIT AND ASSURANCE

Objectives
After completing this module, you should be able to: explain the importance of audit planning; explain what a material misstatement is; identify and describe the key audit assertions; explain the aspects of the entity and its environment that the auditor needs to have an understanding of; explain what is meant by a business risk and how it impacts on the audit; outline the strategic systems approach to auditing and the importance of strategic analysis; apply the following techniques for carrying out strategic analysis: SWOT analysis; PEST analysis; Porters ve forces; and value chain analysis describe the types of analytical procedures of the audit process; describe the types of control that may exist in an IT environment; dene internal control and outline the elements of an internal control system; identify the various ways the auditor can respond to assessed risks; explain the concepts of test of controls and the meaning of the term substantive test; explain the different types of substantive tests; and evaluate misstatements identied during an audit.

Teaching materials
Relevant standards ISA 300 Planning an Audit of Financial Statements ISA 315 Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and Its Environment ISA 320 Materiality in Planning and Performing an Audit ISA 330 The Auditors Responses to Assessed Risks ISA 450 Evaluation of Misstatements Identied during the Audit AASB 1031 Materiality Learning tasks Learning tasks are available in My Online Learning for this module. Please check My Online Learning at least once a week, as more learning tasks may be added during the semester.

Overview of standards covering risk assessment and response to assessed risks


In this module we start with ISA 300 Planning an Audit of Financial Statements. The major focus of this module is ISA 315 Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and Its Environment. The remainder of the module covers materiality (ISA 320), responses to audit risks (ISA 330) and evaluation of misstatements identied (ISA 450). More detailed coverage of the procedures is given in Module 4, which looks at the 500 series of the ASAs.

ADVANCED AUDIT AND ASSURANCE

STUDY GUIDE

3.5

Planning an audit of nancial statements


ISA 300 Planning an Audit of Financial Statements, paragraph 4, states that the auditor is to plan the audit so that it will be performed in an effective manner. This involves developing an overall audit strategy (ISA 300.7) and developing an audit plan (ISA 300.9) in order to reduce audit risk to an acceptably low level. The reason for planning is to ensure appropriate attention is given to important areas of the audit, to identify potential problems on a timely basis, to organise and manage the engagement properly, assisting in the selection of team members, facilitating their supervision and assisting in the coordination of work done (ISA 300.2). The nature and extent of planning activities will vary with: the size and complexity of the entity (i.e. greater complexity may result in more planning); the auditors previous experience with the entity (e.g. on a new audit one would expect planning to be more extensive); and changes in circumstances that occur during the audit engagement (e.g. if the entity increases the level of management bonuses and their correlation with protability levels, the auditor needs to consider this in the audit plan); this situation increases the incentive for fraud and auditors must adjust their gathering of evidence accordingly. You should note the continual and iterative nature of planning. It is not a discrete phase of the audit but a continuous process often beginning shortly after the completion of the previous audit and continuing to the completion of the current audit. As new information becomes available, the audit plan is updated on an iterative basis. For example, the auditor may initially assess that the entity has effective internal controls and the audit plan prescribes tests of controls to be carried out with reduced substantive tests. However, weaknesses in the internal control system found when carrying out tests of controls will result in the audit plan being changed (e.g. increased substantive testing). Less reliance may also be placed on analytical procedures if the weaknesses in internal control affect the data on which the analytical procedures are being executed. As another example, the auditor may nd during substantive testing that controls are not working during a particular time of the year. Consequently the audit plan will need to be revised if these controls were previously relied on. While we note above the iterative nature of an audit plan, you should understand that certain audit planning activities and procedures need to be coordinated early in the audit process, for example: conducting preliminary analytical procedures as part of risk assessment; obtaining an understanding of the legal and regulatory framework applicable to the entity; determining materiality levels; and considering the need to involve experts and specialists prior to identifying and assessing risks (e.g. in the mining industry an auditor may need to consult a geologist prior to assessing risks related to inventory and non-current assets). ISA 300.6 requires the auditor to perform the following activities at the beginning of audit engagements:
I

Perform procedures regarding the continuance of the client relationship and the specic audit engagement Evaluate compliance with relevant ethical requirements relating to the audit engagement, including independence Establish an understanding of the terms of the engagement (ISA 300.6).

3.6

STUDY GUIDE

ADVANCED AUDIT AND ASSURANCE

The aims of these procedures are to ensure:


I

The auditor maintains the necessary independence and ability to perform the engagement. There are no issues with management integrity that may affect the auditors willingness to continue the engagement. There is no misunderstanding with the client as to the terms of the engagement (ISA 300.A6).

The auditor is required to establish the overall strategy for the audit (ISA 300.7). The overall audit strategy sets the scope, timing and direction of an audit. In particular, the establishment of the audit strategy must involve the following (ISA 300.9 and A8A11): Identify the characteristics of the engagement that dene its scope, such as the nancial reporting framework used, industry-specic reporting requirements and the locations of the components of the entity. Ascertain the reporting objectives of the engagement to plan the timing of the audit and the nature of the communications requiredsuch as deadlines for interim and nal reportingand key dates for expected communications with management and those charged with governance. Consider the factors that are signicant in directing the focus of the engagement teams efforts, such as determination of appropriate materiality levels, preliminary identication of areas where there may be higher risks of material misstatement, preliminary identication of material components and account balances, evaluation of whether the auditor may plan to obtain evidence regarding the effectiveness of internal control, and identication of recent signicant entity-specic, industry, nancial reporting or other relevant developments. Consider the results of preliminary engagement activities (e.g. client continuance activities, compliance with relevant ethical requirements, and establishing an understanding of the term of engagement). Ascertain the nature, timing and extent of resources needed (e.g. staff needs, experts). The appendix of ISA 300 lists examples of matters the auditor may consider in establishing the overall audit strategy. The appendix is divided into four sections: 1 Characteristics of the engagement. 2 Reporting objectives, timing of the audit and nature of communications. 3 Signicant factors, preliminary engagement activities and knowledge gained on other engagements. 4 Nature, timing and extent of resources. Read the appendix of ISA 300 now to gain an understanding of the above four points. The auditor is required to develop an audit plan (ISA 300.9). The audit strategy guides the development of this more detailed audit plan. The audit plan documents the auditors initial assessment of the evidence necessary to form an opinion, and the method of obtaining this evidence. Although audit planning is the rst stage in the audit process, the audit plan must be a dynamic document if it is to reect the impact of information gathered during the course of the audit. For example, a weakness identied in the internal controls may necessitate increased substantive audit procedures for the accounts involved. This will require a modication of the audit plan.

ADVANCED AUDIT AND ASSURANCE

STUDY GUIDE

3.7

The audit plan needs to include a description of (ISA 300.9):


I

the nature, timing and extent of planned risk assessment procedures sufcient to assess the risks of material misstatement, as determined under ISA 315 the nature, timing and extent of planned further audit procedures at the assertion level under ISA 330 The plan for further audit procedures reects the auditors decision whether to test the operating effectiveness of controls, and the nature, timing and extent of planned substantive procedures other audit procedures required to be carried out for the engagement in order to comply with ISAs.

While the actual content of the audit plan will vary, it will generally include an outline of the general audit approach to be followed without going into specic detail about the exact audit procedures that will be used. In this sense, the audit plan acts as an overview of the audit, indicating: the major objectives of the audit; the constraints within which the audit must be performed; materiality and risk considerations; and an estimate of the resources required to carry out the audit.

Question 3.1
The auditor of LRS Ltd has completed the audit strategy and audit plan and is presently carrying out substantive procedures. The auditor discovers some errors that suggest that the original audit plan may have incorrectly assumed that the controls over inventory were strong. Is it too late to change the audit plan?
An important part of planning relates to direction, supervision and review. Specically, ISA 300.11 requires the auditor to plan the nature, timing and extent of direction and supervision of engagement team members and review of their work, wherein: nature refers to type of direction and supervision (e.g. very detailed step-by-step; or a more global approach concentrating on key issues); timing refers to whenwhile direction and supervision are likely to be ongoing, review can take place at different times (e.g. real time review as the work is done or at the end of the audit); and extent refers to how much. Review can be done face-to-face where the reviewer asks questions of the preparer verbally, or by looking at the working papers (manual or electronic) in the absence of the preparer and preparing written review notes to be answered/cleared. Various factors including the size and complexity of the entity, the area of the audit (e.g. inventory, nancial instruments), the risks of material misstatement, and the capabilities and competence of personnel performing the work (e.g. prior industry audit experience) all have an impact. For example, if the work related to inventory and the preparer was an audit manager with extensive manufacturing experience, the level of direction, supervision and review would be less than if the preparer was an assistant whose previous audit experience was with banks and insurance companies. Where there is an increase in the assessed risk of material misstatement for the area of audit risk, you would expect increases in the extent and timeliness of direction and supervision of engagement team members and a more detailed review of their work.

3.8

STUDY GUIDE

ADVANCED AUDIT AND ASSURANCE

The auditor is required to document the overall audit strategy and the audit plan, including any signicant changes made during the audit engagement (ISA 300.12). To gain a better understanding of the above documentation you should now refer to ISA 300.A16.A19. One other issue relates to the communications regarding audit planning with those charged with governance and management. ISA 300.A3 states that an auditor may discuss elements of planning with an entitys management. These discussions may include overall audit strategy and timing of the audit. While the auditor often needs to have these discussions with management to facilitate the conduct of the audit, it is important that the auditor not compromise the effectiveness of the audit. For example, the auditor should not compromise the effectiveness of the audit by making the audit too predictable (ISA 300.A3). Case Study 3.1 provides an illustration of issues for consideration in planning for an audit. Complete the case study now.

Case Study 3.1: LM Ltd


You are planning the audit of LM Ltd, a soft drink manufacturer with bottling plants throughout the world. Each country has its own bottling plant together with an accounting and administrative centre. Each country prepares nancial data monthly and submits it to head ofce in Sydney. The nancial data from each country has been shown to be very accurate in previous audits. You are planning the June 20X9 audit and it is now April 20X9. Your tasks For each of the following facts, state what would be the impact on your overall audit plan for 20X9: 1 As a result of budget cuts and reduced employee numbers in some countries, management has expressed some concern about recent nancial data it has been receiving. 2 The cost of labour has been increasing quickly in some countries with the result that proposals are being put forward to rationalise the number of plants across the world. 3 The US bottling plant has entered into a two-year contract with a local sugar supplier to maintain a supply of quality sugar at predetermined prices. 4 A new low-carb soft drink accounts for over 20 per cent of total revenues. At a recent sporting event in the United Kingdom, there were large numbers of customers taken to hospital after having an allergic reaction to the drink. This has been traced to a new ingredient used worldwide and the product has been temporarily taken off the market.
Audit materiality and audit assertions are two key issues in auditing which are discussed below.

Audit materiality
In this section materiality is discussed through the Australian accounting standard AASB 1031 Materiality. The Preface of AASB 1031 states that the international Framework for the Preparation and Presentation of Financial Statements has limited guidance on materiality in comparison to AASB 1031 Materiality (AASB 2004, p. 4).

ADVANCED AUDIT AND ASSURANCE

STUDY GUIDE

3.9

Materiality concepts
The concept of materiality is of fundamental importance to both preparers and auditors. However, there are no universally agreed-upon numeric guidelines or specic criteria for determining whether a given fact is material. Further, materiality judgments are signicantly inuenced by surrounding facts and circumstances. In general terms, audit materiality may be dened as the highest level of misstatement that, in the auditors judgment, will be tolerated by the user of the nancial statements. If the decision-maker would reach a different decision, were that person aware of the fact in question, then the fact is material. However, this general denition does little to reduce the degree of judgment required. Nevertheless, audit materiality is directly related to the concept of materiality in nancial statements as covered by AASB 1031 Materiality. The concept of materiality set out in AASB 1031 is concerned with the point at which errors or distortions in nancial statements will alter users decisions. Review AASB 1031 before proceeding. AASB 1031 outlines the following guidelines on materiality: an amount which is equal to or greater than 10 per cent of the appropriate base amount may be presumed to be material unless there is evidence or convincing argument to the contrary; and an amount which is equal to or less than 5 per cent of the appropriate base amount may be presumed not to be material unless there is evidence, or convincing argument, to the contrary (AASB 1031.15). The appropriate base amounts for income statement items suggested in AASB 1031 are the more appropriate of the: (i) prot or loss and the appropriate income or expense amount for the current reporting period; and

(ii) average prot or loss and the average of the appropriate income or expense amounts for a number of reporting periods (including the current reporting period) (AASB 1031.13). For balance sheet items, the appropriate base amount suggested in AASB 1031.13 is the more appropriate of the recorded amount of equity and the appropriate asset or liability class total. For audit planning purposes, some audit rms use a rule-of-thumb approach to determine planning materiality. Common rules of thumb for establishing a planning materiality gure are as follows: 510 per cent of prot; 0.51 per cent of revenue; and 0.51 per cent of assets. While some auditors use one of the above bases of calculation, others use a blend of these, making several calculations on a variety of bases and then taking the average of them. Others use a sliding scale, such as a declining percentage of total assets.

3.10

STUDY GUIDE

ADVANCED AUDIT AND ASSURANCE

The choice of rule of thumb depends on value judgments about relevance, stability and predictability. Prot may be the most relevant base for a company with publicly traded securities. However, because prot can uctuate signicantly from year to year, it may lack stability. It is not relevant to some entities such as not-for-prot organisations. In practice, size-related bases such as total assets or total revenue are preferred because of their relative stability. Use of a rule of thumb as a decision aid in general planning is not universal in auditing practice. However, materiality has to be reduced to an explicit dollar amount as a practical necessity in conducting the audit. As different approaches to calculating materiality can result in substantially different amounts, the auditors judgment in the circumstances is critical. The amount considered material does not remain xed after its initial calculation. The auditor may revise this judgment based on the results of audit tests and new information as the audit progresses and the auditors approach in evaluation at the completion of the audit may be considerably different. This means the amount estimated for planning materiality should not be confused with the amount used in the evaluation of the materiality of individual misstatements. The auditors use of materiality in evaluation will be inuenced by qualitative considerations, additional information, and the nature of the decisions to be made. Qualitative considerations, for example, may include the nature of the transaction (such as related-party transactions or possible illegal acts). While, in general, materiality is concerned with the highest level of misstatement that can be tolerated and hence the nancial statements still fairly presented, equal regard should be given to a number of other factors: The nature of the item in question should be considered. An item could be material because of its nature. For example, in Australia for listed companies, a Corporations Act 2001 (Cwlth) disclosure item has to be disclosed (e.g. audit fees), irrespective of whether it is material in dollar amount. Where nancial limits are prescribed, like the borrowing limits set down in trust deeds, regard should be given to the effect of identied errors of such limits even though the errors would not otherwise be material. The breach of such limits can have signicant consequence to companies and could even lead to a questioning of the going concern basis. The materiality of an item in relation to the nancial statements taken as a whole affects the auditors judgment as to what is sufcient appropriate audit evidence, in accordance with ISA 500 Audit Evidence. Those gures that are most material require more evidence, both in quantity and quality. We have seen that audit risk is present to a greater or lesser extent in every audit and that absolute certainty in auditing is rarely attainable. The auditor is concerned that the audit examination will provide reasonable assurance that the nancial statements is not misstated to a degree of materiality which, had it been identied, would have resulted in a modied audit opinion. The auditor should therefore plan the audit to minimise the risk of failure to detect errors that, in aggregate, exceed an acceptable degree of materiality. Obviously, the lower the degree of materiality deemed acceptable, the more audit work will have to be performed and the higher the cost to the entity.

ADVANCED AUDIT AND ASSURANCE

STUDY GUIDE

3.11

The decision as to what constitutes an acceptable degree of materiality will vary depending on the circumstances of each engagement. The auditor must, in the nal analysis, decide on an acceptable level of materiality using individual professional judgment. However, some guidelines are provided in ISA 320 Materiality in Planning and Performing an Audit.

Application of materiality concepts


Materiality issues are covered in ISA 320 and ISA 450. ISA 320 covers the auditors responsibility to apply the concept of materiality in planning and performing an audit of nancial statements. ISA 450 (discussed later in this module) covers how materiality is applied in evaluating the effect of identied misstatements on the audit (ISA 320.1). The concept of materiality is applied in the following situations: audit planning; performing the audit; evaluating the effect of identied misstatements on the audit and of unrecorded misstatements, if any, on the nancial statements; and in forming the opinion in the auditors report (ISA 320.5). Some key actions for the auditor related to audit materiality are: when establishing audit strategy, determining materiality for the nancial statements as a whole and in some circumstances (see ISA 320.10) materiality levels for particular classes of transactions, account balances and disclosures; determining performance materiality (as dened in ISA 320.9) for the purposes of assessing the risk of material misstatement and determining the nature, timing and extent of further audit procedures (ISA 320.11); revising materiality levels when the auditor becomes aware of information during the audit that would have changed their initial materiality estimates (ISA 320.12) and to consider whether to revise performance materiality and the nature, extent and timing of audit procedures (ISA 320.3). Determining the levels of materiality requires the exercise of professional judgments. These are judgments related to what is an appropriate benchmark and the percentage to be applied to the chosen benchmark (e.g. 5% of prot before tax, 1% of revenues, x% of total assets). Examples of potential benchmarks are provided in ISA 320.A4 and factors that have an impact on the appropriate benchmark are given in ISA 320.A10.

Performance materiality
There is a distinction between materiality and performance materiality (as noted above). Performance materiality takes into account that planning the audit solely to detect individual material misstatements overlooks the following: the aggregate of individually immaterial misstatements may cause the nancial statements to be materially misstated; and consideration of the possibility of undetected misstatements. For example, if we consider the materiality of the nancial statements as a whole, performance materiality means the amount: set by the auditor at less than materiality for the nancial statements as a whole to reduce to an appropriately low level the probability that the aggregate of uncorrected or undetected misstatements exceeds materiality (ISA 320.9). This concept is further explained in ISA 320.A12.

3.12

STUDY GUIDE

ADVANCED AUDIT AND ASSURANCE

Financial statement assertions


Financial statement assertions are representations, explicit or otherwise, that are embodied in the nancial statements, as used by the auditor to consider the different types of potential misstatements that may occur (ISA 315.4). Given the importance of the term assertion for understanding ISA 315 we introduce the concept here. Assertions used by the auditor are classied under three categories: (i) class of transactions and events for the period under audit (e.g. revenue and expenses); (ii) account balances at the period end (e.g. assets, liabilities); and (iii) presentation and disclosure (e.g. income statement, balance sheet, notes). ISA 315.A111 sets out the following assertions: (a) Assertions about classes of transactions and events for the period under audit: (i) Occurrencetransactions and events that have been recorded have occurred and pertain to the entity.

(ii) Completenessall transactions and events that should have been recorded have been recorded. (iii) Accuracyamounts and other data relating to recorded transactions and events have been recorded appropriately. (iv) Cutofftransactions and events have been recorded in the correct accounting period. (v) Classicationtransactions and events have been recorded in the proper accounts. (b) Assertions about account balances at the period end: (i) Existenceassets, liabilities, and equity interests exist.

(ii) Rights and obligationsthe entity holds or controls the rights to assets, and liabilities are the obligations of the entity. (iii) Completenessall assets, liabilities and equity interests that should have been recorded have been recorded. (iv) Valuation and allocationassets, liabilities, and equity interests are included in the nancial statements at appropriate amounts and any resulting valuation or allocation adjustments are appropriately recorded. (c) Assertions about presentation and disclosure: (i) Occurrence and rights and obligationsdisclosed events, transactions, and other matters have occurred and pertain to the entity.

(ii) Completenessall disclosures that should have been included in the nancial statements have been included. (iii) Classication and understandabilitynancial information is appropriately presented and described, and disclosures are clearly expressed. (iv) Accuracy and valuationnancial and other information are disclosed fairly and at appropriate amounts. By way of example, we consider the assertions about asset and liability account balances at period end. As auditors are particularly interested in overstatement of assets, assertions related to existence and valuation are particularly important.

ADVANCED AUDIT AND ASSURANCE

STUDY GUIDE

3.13

In establishing occurrence, the auditor is concerned with obtaining evidence that a transaction or event which relates to the entity during the relevant period took place. Occurrence is similar to existence (see below) except that it relates to transactions and events (transactions and events occur) rather than balance sheet items (which exist). For example, we are interested in the occurrence of sales (i.e. Did the sale actually occur?). In establishing completeness, which relates to both classes of transactions and events for the period under audit and account balances at the period end, the auditor is concerned with obtaining evidence that all amounts that should be included are included. This objective requires evidence that there are no unrecorded assets, liabilities, transactions or other events, or undisclosed items. This is generally one of the hardest assertions to test forlooking for things that are not included but should be. In testing for omitted assets, liabilities, transactions or events, the auditor must generally rely on the study and evaluation of accounting controls (such as a sequence check of pre-numbered documents) and substantive procedures of transactions (such as a search of transactions in the next accounting period that relate to the accounting period under audit). Completeness is particularly important for liabilities and expenses as understatement of these items results in prots being overstated. In establishing the accuracy assertion, the auditor is concerned that the details of the transactions under review are completely correct. It is surprising how easily small errors of detail can arise and how signicant the impact of the mistakes can be. Consider the calculation of sales revenue by multiplying sales price by quantity sold. If the decimal point is left out of the sales price, it is possible that sales revenue may be inated by a factor of 100. Accuracy is also considered with valuation under the heading of assertions about presentation and disclosure. Here, the auditor is concerned with the accuracy of the details of the item being presented. In establishing the cutoff assertion, the auditor is concerned that the details of the transaction under review are recorded in the correct period. It is essential that in this test the auditor ensures that double counting does not occur. For example, if a sale occurs before year end, the auditor should ensure that it is not only recorded correctly in that period but that the related inventory is removed from the year-end physical count if it has not yet been transferred from the warehouse. The auditor needs to consider potential management incentives to put revenues or expenses in the wrong period. In establishing the classication assertion, the auditor is concerned that the correct account is used in recording a transaction. This is not always a simple matter. Consider, for example, the decision relating to whether certain types of overhead costs should be capitalised or expensed. The classication assertion is also considered under the presentation and disclosure grouping where it is included with understandability. In establishing the understandability assertion under the presentation and disclosure grouping, the auditor is concerned that the disclosures are clearly expressed. In establishing existence, the auditor is concerned with obtaining evidence that an asset or a liability exists at a given date (generally at the end of the nancial period). Generally, observation is the primary audit procedure for substantiating the existence of physical assets such as inventory and xed assets (i.e. Do they exist at year end?). For other nancial balances, such as cash at bank and accounts receivable, external conrmation is a primary procedure. Such procedures are designed to detect errors that cause balances to be overstated.

3.14

STUDY GUIDE

ADVANCED AUDIT AND ASSURANCE

In establishing rights and obligations, the auditor is concerned with obtaining evidence that recorded assets are future economic benets controlled by the entity, and that liabilities are the future sacrices of economic benets that an entity is presently obliged to make as a result of past transactions or other past events. The auditor needs to obtain evidence that the accounting recognition is appropriate. The rights and obligations objective usually involves procedures to provide evidence that assets in the clients possession that have been sold or pledged are not reported as assets. For example, accounts receivable may be sold, that is the receivables are factored out, but the client may continue to make collections. The audit procedures used to obtain evidence of rights and obligations may also include examining land tax assessments, rate notices, title deeds, correspondence and minutes of meetings of the board of directors, and making inquiries of the clients management. In establishing the appropriate valuation and allocation of assets and liabilities, the auditor is concerned that the carrying value of balances is in conformity with generally accepted accounting principles. Satisfying this objective may require the exercise of audit judgment in evaluating the reliability of estimates and the appropriateness of accounting methods. For example, some assets, such as inventory, are required to be stated at the lower of cost and net realisable value, and many allocations, such as depreciation or the allowance for doubtful debts, can be made with a variety of measurement methods. The auditor needs to obtain evidence that supports each of the assertions for every material component of the nancial statements. A component of the nancial statements may be an account balance (or group of account balances) or a class of transactions. The categories of assertions provide a framework for developing specic audit objectives for each material account balance or class of transaction. The auditors assessment of risk is used to determine those assertions that require greater audit attention. A useful way of thinking about the class of assertions about presentation and disclosure is that they primarily relate to the presentations and disclosures contained in the notes to the accounts. In establishing the occurrence and rights and obligations about presentation and disclosure, the auditor is concerned that all disclosed events and transactions have occurred and pertain to the entity. In establishing the completeness of presentation and disclosure, the auditor is concerned that all disclosures that should have been included in the nancial statements have in fact been included. In establishing the classication and understandability of presentation and disclosure, the auditor is concerned that all nancial information is appropriately presented and described, and disclosures are clearly expressed. In establishing the accuracy and valuation around presentation and disclosure, the auditor is concerned that nancial and other information is disclosed fairly and at appropriate amounts.

Case Study 3.2: Beta Ltd


The auditor of Beta Ltd carried out audit procedures for sales and inventory and detected the following misstatements: 1 Some inventory items were out on consignment and were not counted during the physical inventory. 2 During the physical count, the clients employees mistakenly counted some items twice. 3 The basis of inventory valuation was not included in the draft nancial statements. 4 Included in the inventory counts were some items that were held on consignment. 5 Some inventory items were listed at cost, but the realisable value was lower. 6 It was recognised that some sales were being recorded before they were shipped. 7 The sales price recorded for sales transactions was different to that agreed with the customer. It was found to be taken from an outdated version of the sales price le. Your task For each misstatement, identify the broad category of nancial statement assertion involved.

ADVANCED AUDIT AND ASSURANCE

STUDY GUIDE

3.15

Question 3.2
Your initial audit plan for sales transactions placed substantial reliance on the system of internal control and the use of analytical procedures rather than substantive tests of detail. Your testing of the internal control system for sales has found a signicant number of instances where customers credit ratings have not been checked. The sales manager states that these changes have been the result of difculties in maintaining past sales levels. 1 Identify the balance sheet account and the relevant assertion most at risk given the above information. 2 Discuss how your initial planned strategy would change given the additional information in regard to the results of testing of controls.

Identifying and assessing the risks of material misstatement through understanding the entity and its environment
ISA 315 Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and Its Environment establishes mandatory requirements and provides application and explanatory material to the auditor on obtaining an understanding of the entity and its environment, including its internal control, and on assessing the risks of material misstatement in the nancial statements.

Perform risk assessment procedures


ISA 315 requires the auditor to perform risk assessment procedures to provide a basis for the identication and assessment of risks of material misstatement (both error and fraud) at the nancial statement and at the assertion level. In carrying out these risk assessment procedures the auditor obtains an understanding of the entity and its environment, including the entitys internal control. This understanding provides the frame of reference for planning and exercising professional judgment throughout the audit, for example, when: assessing risks of material misstatements; determining the level of materiality; considering the appropriateness of accounting policy choices and disclosures; identifying areas where special audit consideration may be necessary; developing expectations for use when performing analytical procedures; responding to the assessed risks of material misstatements including obtaining sufcient appropriate audit evidence; and evaluating the sufciency and appropriateness of audit evidence. (ISA 315.A1) You should note the continual references to the importance of audit judgments. This idea was introduced in Module 1 and you should note the range of judgments made by auditors. The following risk assessment procedures are mandated: Inquiries of management and others within the entityOthers include: those charged with governance; internal audit personnel; employees involved in initiating, processing or recording complex or unusual transactions; in-house legal counsel; marketing or sales personnel. The types of inquiries are discussed in ISA 315.A6. Analytical proceduresEvaluations of nancial information made by a study of plausible relationships among both nancial and non-nancial data. Analytical procedures include comparisons of the entitys nancial information with prior period information, budgeted information and similar industry information.

3.16

STUDY GUIDE

ADVANCED AUDIT AND ASSURANCE

They also include a consideration of the relationship, such as between elements of nancial information where one would expect a predictable pattern (e.g. gross margin to sales) and between nancial and non-nancial information (e.g. payroll costs and employee numbers). Given the importance of analytical procedures to a number of areas of the audit we discuss these procedures in a separate section later in this module. Observation and inspectionObservation and inspection may support the enquiries discussed above and provide information about the entity and its environment. ISA 315.A11 suggests that such audit procedures include observation and inspection of: the entitys operations; documents; reports prepared by management and those charged with governance; and the entitys premises and plant facilities.

Question 3.3
Provide examples of each of the above four procedures related to observation and inspection.

Question 3.4
How is risk assessment impacted if the engagement partner has performed other engagements for the entity?

Discuss the susceptibility of the entitys nancial statements to material misstatement


ISA 315 also requires the engagement team to discuss the susceptibility of the entitys nancial statements to material misstatement both at the nancial statement and assertion level. ISA 315.10 requires that the members of the engagement team shall discuss the susceptibility of the entitys nancial statements to material misstatement. The material misstatement may result from fraud or error. The aim of the discussion is to gain a better understanding of potential fraud or errors, and how they could be perpetrated. Further, it gives the more experienced members of the audit team the opportunity to provide insights and for team members to exchange information about business risks, including how the nancial statements may be susceptible to material misstatement (including fraud, as per ISA 240 as discussed in Module 2). Two key components of the above discussion are professional judgment and professional scepticism. Professional judgment is required in order to decide who to include in the discussion, how and when the discussion occurs and its extent. In Module 2, the importance of professional scepticism in planning and performing an audit was noted. The above discussion among team members should emphasise professional scepticism, which includes being alert to information that may indicate a material misstatement and the rigorous follow-up of these indications.

Question 3.5
Provide at least three examples of professional judgment by the auditor responsible for organising this discussion among the engagement team.

ADVANCED AUDIT AND ASSURANCE

STUDY GUIDE

3.17

In Module 2, the importance of the consultation process during audit engagements was emphasised as part of the quality control process. The discussion among the engagement team about the susceptibility of the entitys nancial statements to material misstatement raises some specic consultation issues as: it allows the team members to exchange information about business risks and about how and where the nancial statements might be susceptible to misstatement due to error or fraudthe where refers to where in the nancial statements and the how refers to how the error or fraud occurred (e.g. How could management manipulate the sales gure?); and engagement team members obtain new information throughout the audit that may affect the assessment of risks of material misstatement and it is important that they share this information with other team members. You should now refer to ISA 315.A14 for further details on this discussion among engagement team members.

Understand specied aspects of the entity and its environment, including internal control
An understanding of specied aspects of the entity and its environment, including the internal control components, is required.

The entity and its environment


Under ISA 315.11 the understanding of the entity and its environment includes the following aspects:
I

Industry, regulatory and other external factors, including the applicable nancial reporting framework (discussed in ISA 315.A17-A22). Nature of the entity: operations, ownership, governance structures, types of investments, organisation structure and nancing arrangements (discussed in ISA 315.A23-A27). The entitys selection and application of accounting policies (discussed in ISA 315.A28). Objectives and strategies and the related business risks that may result in risks of material misstatement (discussed in ISA 315.A29-A35). Measurement and review of the entitys nancial performance (discussed in ISA 315.A36-A41).

The auditor is required to obtain an understanding of the entitys objectives and strategies, and those related business risks that may result in risks of material misstatement (ISA 315.11d). Given that an entity conducts its business in the context of industry, regulatory and other internal and external factors, management in responding to these factors needs to dene its objectives (which are the overall plans for the entity) and strategies (which are the operational approaches by which management intends to achieve its objectives). Business risks are risk[s] resulting from signicant conditions, events, circumstances, actions or inactions that could adversely affect an entitys ability to achieve its objectives and execute its strategies, or from the setting of inappropriate objectives and strategies (ISA 315.4).

Question 3.6
What is the relationship between business risk and the risk of material misstatement?

3.18

STUDY GUIDE

ADVANCED AUDIT AND ASSURANCE

Appendix 2 of ISA 315 provides a detailed list of conditions and events that may indicate risks of material misstatement. You should now read Appendix 2 of ISA 315 Conditions and Events That May Indicate Risks of Material Misstatement to gain an understanding of the conditions and events that may indicate a risk of material misstatement. Later in this module we discuss in detail the various techniques used in understanding a clients business. In addition, a strategic systems approach to auditing, which places substantial emphasis on understanding business risks, is discussed.

Question 3.7
Your client is a manufacturer of golf equipment accessories including golf bags, golf buggies and various attachments (e.g. water bottle holders, score card holders). The year 20X9 has been particularly protable with the introduction of a golf bag with wheels attached that has proven particularly popular with travellers. Suggest some potential business risks faced by the client.

Question 3.8
How might an understanding of the internal and external environment of the audit client facilitate the identication, assessment and evaluation of the risk of nancial statement misstatement due to fraudulent activity or the misappropriation of assets?

Internal controls
ISA 315.12 requires that the auditor shall obtain an understanding of internal control relevant to the audit. This understanding of internal control is used by the auditor to identify types of potential misstatements and factors that affect the risks of material misstatement, and in designing the nature, timing and extent of audit procedures (ISA 315.A42). Internal control consists of the following ve components (ISA 315.A51): 1 control environment; 2 the entitys risk assessment process; 3 information system; 4 control activities; and 5 monitoring of controls. The requirements for each of these ve components are covered in ISA 315.14 to .24 with the relevant application and explanatory material in ISA 315.A69 to .A104. You should read these sections now. In the above paragraphs there are certain requirements outlining what an auditor must have an understanding of. These are: the control environment, including organisational structure, managements philosophy and operating style (ISA 315.14); whether the entity has a process for: identifying business risks relevant to nancial reporting objectives; estimating the signicance of the risks; assessing the likelihood of their occurrence; deciding the actions to address these risks (ISA 315.15)various different actions are required by the auditor depending on whether the entity has established such a process (ISA 315.16.17);

ADVANCED AUDIT AND ASSURANCE

STUDY GUIDE

3.19

an understanding of the information systemincluding the related business processesrelated to nancial reporting (ISA 315.18.19); an understanding of control activities relevant to the audit which are the ones the auditor judges to be necessary to understand in order to assess the risks of material misstatement at the assertion level, and design further audit procedures responsive to those assessed risks (ISA 315.20)further elaboration of risks arising from IT are referred to in ISA 315.A95.A97; an understanding of the major activities that the entity uses to monitor internal control over nancial reporting (ISA 315.22); where internal audit exists, an understanding of the nature of internal audit responsibilities, reporting structure and activities performed (ISA 315.23); and an understanding of the sources of information used in the entitys monitoring activities (ISA 315.24). Appendix 1 of ISA 315 further explains the components of internal controls as they relate to a nancial statement audit. The ve components of internal control are discussed below.

Control environment
The control environment sets the tone of an organisation. It includes the governance and management functions as well as the attitudes, awareness and actions of management (and those charged with governance) concerning an entitys internal control and its importance within the entity (ISA 315.A69). The auditor considers the following in evaluating the design of the entitys control environment: Communication and enforcement of integrity and ethical values (e.g. existence and implementation of codes of conduct and other policies regarding acceptable business practice, conicts of interest, or expected standards of ethical and moral behaviour). Commitment to competence (e.g. job descriptions or other means of dening tasks that comprise particular jobs; staff selection procedures). Participation by those charged with governance (e.g. the independence of the board from management, such that necessary, even difcult and probing, questions are raised). Managements philosophy and operating style (e.g. nature of business risks accepted; attitudes and actions toward nancial reporting, including the aggressiveness of the choice of accounting policies). Organisational structure (e.g. appropriateness of the entitys organisational structure, and its ability to provide the necessary information ow to inform managers). Assignment of authority and responsibility (e.g. assignment of responsibility and delegation of authority throughout the organisation). Human resource policies and practices (e.g. the extent to which policies and procedures for hiring, training, promoting and compensating employees are in place) (ISA 315.A70).

The entitys risk assessment process


In evaluating the entitys risk assessment process it is important to consider the adequacy of the mechanism for identifying risks arising from both external and internal sources and the thoroughness of the risk analysis process including estimating the signicance of the risks, the likelihood of them occurring and determining needed action (ISA 315.15.17). Techniques such as SWOT analysis and Porters ve forces (discussed later in this module) are very useful for identifying risks.

3.20

STUDY GUIDE

ADVANCED AUDIT AND ASSURANCE

Information system
This includes: the information system relevant to nancial reporting objectives, including the accounting system (see ISA 315.A81); journal entries (see ISA 315.A82); and related business processes (see ISA 315.A84). You should refer to ISA 315.A81.A84 for further discussions on the above items.

Control activities
Control activities are the policies and procedures that help ensure management directives are carried out (ISA 315.A88). They include: Authorisation (e.g. level of management with authority to authorise expenses to a particular level). Performance reviews (e.g. actual performance versus budgets, forecasts, prior periods and competitors; major initiatives are tracked to measure the extent to which targets are being reached). Information processing (e.g. controls performed to check accuracy, completeness and authorisation of transactions; a customers order is only accepted after reference to an approved customer le and credit limit). Physical controls (e.g. equipment, inventories, cash and other assets are secured physically such as in a secure location). Segregation of duties (e.g. duties are divided among different people to reduce the risk of error; responsibilities for authorising transactions, recording transactions and handling the related asset are segregated). You should refer to ISA 315.A89 to .A91 for a discussion of which control activities are relevant to the auditor.

Monitoring of control
Monitoring assesses the quality of a systems performance over time. It involves assessing the design and operation of the controls on a timely basis. Necessary corrective action may need to be taken for changes in conditions. Monitoring is used to ensure that the internal controls continue to operate effectively (ISA 315.A98). Examples of ongoing monitoring activities include regular management supervisory activities, communication from external parties which corroborate internally generated information (e.g. a client paying an invoice indicates the invoice is likely to be correct) and comparison of records with physical assets (e.g. inventory stocktake).

Question 3.9
Discuss the main factors that may result in an internal control system failing.
The use of IT has the potential to affect the way that control activities are implemented (ISA 315.A95). The next section discusses the controls in an IT environment.

Controls in an IT environment
The auditor is required to obtain an understanding of the entitys response to risks arising from IT (ISA 315.21). Think about your organisation or any other organisation with which you are familiar. Consider whether the IT environment affects the audit of your organisation. If so, which aspects of auditing have been affected by IT in your organisation (or in any other)? Keep these in mind while reading the following sections.

ADVANCED AUDIT AND ASSURANCE

STUDY GUIDE

3.21

Impact of an IT environment on internal control and control procedures


The IT environment inuences the internal control and the procedures adopted by an entity. The reasons are discussed in the following eight factors: 1 There is a breakdown of the traditional division of duties between personnel and departments and a concentration of the recording, processing and control functions within the IT department. This concentration of functions has resulted in a greater reliance being placed on programmed controls (which encompass the general authorisation of transactions) by users to ensure the reliability of IT outputs. The human scrutiny and checking inherent in manual systems disappears. This loss of human involvement, coupled with the lack of visible evidence in IT, may reduce the potential to detect errors, and increase the potential for individuals to gain unauthorised access to information and assets or alter information to the detriment of the entity. The concentration of system expertise and control within the IT department, coupled with the concentration of computer resources in one of a few locations within the entity, may increase the potential risk of fraud or error and make detection difcult. The partial or complete loss of traditional audit trails, as well as the temporary nature of such audit trails in IT and the absence of source documents and visible output, will have a direct bearing on the auditors assessment of the risks of material misstatements. Access to computer programs and data les by multiple users via online terminals increases the potential for unauthorised access to, and alteration of, data and programs in the absence of appropriate controls. IT ensures that all transactions entered are subject to the same processing procedures, thus increasing the reliability of the system through the reduction of random errors. Poor programming, however, may result in the occurrence of systematic errors, the effect of which can be greater than random errors if not discovered. IT may be designed to permit the single transaction update of multiple or database computer les as well as the automatic initiation and execution of transactions. A risk is that an error in one data item can potentially affect a number of different applications across the entity. Data les and programs may be stored on portable or xed-storage media. These media are vulnerable to theft, loss and intentional or accidental destruction.

Types of controls
Controls over IT systems are effective when they maintain the integrity of information and the security of the data such as systems process, and include effective general IT controls and application controls (ISA 315.A95). General controls refer to the overall controls an entity has over its entire IT environment. These controls affect all applications processed by the IT department. The purpose of general IT controls is to establish a framework of overall control of the IT activities and to provide a reasonable level of assurance that the overall objectives of internal control are achieved. Application controls refer to controls that are specic to individual accounting applicationsthat is, they relate to, and are unique to, particular accounting systems (e.g. debtors, creditors, payroll and inventory). The purpose of IT application controls is to establish specic control procedures over the accounting applications in order to provide reasonable assurance that transactions are authorised and recorded and are processed completely, accurately and on a timely basis.

3.22

STUDY GUIDE

ADVANCED AUDIT AND ASSURANCE

Table 3.1 details the basic categories of general controls and application controls.

Table 3.1 General and application control categories


General: Controls applying to all parts of the IT environment Organisational and management controls Computer operation controls System software controls Data entry and program controls The integrity of the system output and nancial statement representations depends on the effectiveness of general controls. Because of the pervasive impact of general controls, signicant weaknesses in general controls may affect the reliability of application controls due to the potential risk of undetected fraud or error in processing transactions. Application: Controls applying to a class of transactions, such as accounts receivable or accounts payable Input controls Output controls

Systems development and program maintenance controls Processing controls

General controls
Organisational and management controls
Organisational and management controls are designed to establish the: organisational structure of IT activities; policies and procedures necessary to ensure the performance of duties; and segregation of incompatible functions. Two factors need to be considered. The IT department should be: 1 independent of the functions of initiating or authorising transactions and maintaining custody of assetsit should not change or correct data that originated outside the department; and 2 segregated and separated from other user departmentsthere should be clearly dened lines of authority and responsibility between IT personnel. Within the IT department the following functions should be segregated: systems analyst (program development); applications programmer (program maintenance); operators (program operations); data control and le library function; quality control over development of new systems and maintenance of existing systems; control group (supervises and reviews inputs, processing and distribution of outputs); data security (maintains integrity of software access controls); and database administrator. In an IT environment, it is important to separate the systems development, systems maintenance, database administration and operating functions. In the case of small IT installations (e.g. in a small business environment), it may not be possible to achieve a satisfactory segregation of duties. If any degree of segregation can be achieved, however, it should be between programming and operations. Adequate supervision may compensate for a lack of segregation of duties.

ADVANCED AUDIT AND ASSURANCE

STUDY GUIDE

3.23

Systems development and program maintenance controls


Systems development and program maintenance controls are designed to establish control over: program changes; the conversion, testing, implementation and documentation of new or revised systems, and access to system documentation; the authorisation and approval of new or revised IT systems; and adherence to a formal development process that ensures system design standards, programming standards and documentation standards are met. A steering committee of senior management may be established to formulate a strategic plan for the organisation and appraise and approve the development of a system through its life cycle. A systems development methodology should be established to monitor and control the development process. This methodology should include clearly dened phases, each with a measurable end product, appropriate review and control points for the overall evaluation of the system, and be exible enough to accommodate different kinds of projects and management reporting procedures. There should be dened responsibilities for all participants, user department representation and participation, and proper documentation standards. Program changes are of particular interest to the auditor, as data may be lost or altered when a new program is introduced. The objectives of program change controls are to ensure that all changes to programs are properly approved and authorised, and that all authorised changes are completed, tested and correctly implemented. Users should participate in authorising, testing and approving the implementation of program changes.

Computer operation controls


Computer operation controls are designed to ensure the proper operation of systems by operators. More specically, they are designed to ensure that IT systems are used for authorised purposes only, that access to computer operations is restricted to authorised personnel and that errors are detected during processing. There should be clearly dened procedures for activities such as: daily operations; problem handling; backup and recovery; and activity logging, which could include maintenance of a diary of all operator activity (i.e. recording major events during the shift). Operator activity should be appropriately restricted and/or monitored (e.g. through access control software), responsibilities for operational duties should be clearly dened, all operating tasks should be scheduled, and operator logs should be reviewed and compared to schedules. Only authorised work should be scheduled and run. Physical access should be controlled, for example, by the use of security keys and identication cards. Computer access should be controlled by the use of passwords.

System software controls


System software relates to operating systems that are designed to translate program languages into machine-readable form, allocate computer resources to users and applications, and manage job scheduling and multiprocessing. The operating system should protect itself from users, and users from each other and themselves as well as other inuences (e.g. environmental factors).

3.24

STUDY GUIDE

ADVANCED AUDIT AND ASSURANCE

Examples of system software controls include restricting access to system software and related documentation to authorised personnel through the control of access privileges and passwords. System software changes should be controlled by a formal system of authorisation, approval, testing, implementation and documentation. Monitoring keystrokes, events and modications to system software through the use of software logs would help to provide an audit trail.

Data entry and program controls


Data entry and program controls are concerned with the authorisation of transactions entered into the system (inputs should be received on a timely basis and reviewed to ensure they are from an authorised source) and restricting access to: data and programs to only authorised personnel; terminals and other computer hardware to only authorised individuals, computer operators and supervisors; les and library; and documentation. Access may be controlled by physical or electronic means. Physical access controls could include: use of security guards; automated key cards; manual key locks; use of ngerprint, palm print or voice print access devices; terminal locks; and dedicated terminals (such as read-only or restricted-access terminals). The user ID governs what les, programs and utilities a given user may access and their authority to perform specic activities, such as reading, modifying, adding or deleting data. Passwords are effective only if combined with procedures to reduce the likelihood of discovery or use by unauthorised persons.

Other general IT controls


To maintain continuity of operations, management should ensure that the entity has adequate backup and recovery procedures, physical safeguards against loss or destruction, and contingency plans. Backup and recovery procedures Adequate procedures should be in place to enable restoration of the availability and integrity of applications and data in the event of a system or application failure. A disaster recovery plan should clearly document the actions to be taken before, during and after a disaster. Examples of backup and recovery procedures include: copies of application data, production libraries, system software and other relevant les, to be made at appropriate intervals consistent with the criticality of recovery; well-dened, documented and tested procedures for performing recovery, including establishment of a disaster recovery team; offsite storage arrangements for copies of critical system and data resources, full system copies, documentation of procedures for recovery, security authorities, and IT manuals; and an automated transaction logging and recovery capability.

ADVANCED AUDIT AND ASSURANCE

STUDY GUIDE

3.25

Physical safeguards The proper construction of the computer centre can reduce the risk of damage from security or environmental hazards. Appropriate measures for protecting the physical environment would include: strong walls, ceilings and oors in rooms without windows and with restricted access if at all possible; re-detection and suppression equipment; and alarms for detection of problems concerning air-conditioning, water, power, humidity and temperature. Contingency plans The continuity of computer and related business functions should be protected against unscheduled interruptions by adequate contingency plans, which include provision for complete loss of central site computer facilities. These contingency plans require, among other things: development of user fall-back procedures for critical systems (for use when unavailability is prolonged); formal written agreements for the provision of alternative and/or replacement computer facilities; and a documented disaster recovery plan that is regularly reviewed and tested, and securely stored, and details of recovery procedures for hardware, the computer environment, the communications network, critical applications and necessary resources. Case Study 3.3 deals with the identication and the purpose of controls adopted by Acme Ltd which is planning to computerise its payroll system. Read the case study and complete the tasks.

Case Study 3.3: Acme Ltd


Acme Ltd is planning to computerise its entire accounting system. All computer hardware will be purchased from a national vendor. All software will be written by members of the organisations IT staff. The computerisation of the accounting function will take place in phases, with the payroll function being completed rst. The computerised payroll system will function in the following sequence: An employees immediate supervisor will review and approve time cards. The time cards will be sent to the payroll department where they will be reviewed for completeness and obvious errors. The time cards will then be batched by the payroll department and sent for data processing. Data-processing operations will convert data from time cards to a transaction le by a key-to-disk operation. The transaction le will then be input to the payroll application. Hardcopy output will include: cheques; a payroll journal; payroll summary; and error listings. Your tasks For the development and operation of this IT system, for each of the listed general control categories (organisational, system development, operations, and data entry and program): 1 list the specic control(s) required; 2 state the purpose that each control serves; and 3 identify the techniques that would be used to assess each control.
Source: Adapted from the CIA exam of Institute of Internal Auditors, USA.

3.26

STUDY GUIDE

ADVANCED AUDIT AND ASSURANCE

Application controls
The purpose of application controls is to provide reasonable assurance that transactions are appropriately authorised and recorded, and are processed accurately, completely and in a timely manner, and that incorrect transactions are rejected, corrected and resubmitted. Application controls include controls over: input; processing and computer les; and output. Prior to relying on the general and application controls, the auditor should conduct a preliminary evaluation of the controls to determine whether they are effective and efcient. Weakness in the general controls may preclude reliance on application controls.

Input controls
Input controls are designed to provide reasonable assurance that transactions are authorised, and accurately and completely converted into machine-readable form, that is, not: lost; added to; duplicated; or improperly changed; and that incorrect transactions are rejected, corrected and resubmitted. Proper authorisation Proper authorisation can be achieved through the following procedures: Duties are segregated. Access controls, data entry and program controls are used. These include input validation checks such as eld tests, reasonableness tests, limit tests, validity tests, completeness tests and sequence tests. Transactions are authorised. Transactions should be prepared in accordance with managements general or specic authorisation. Authorisation may be evidenced by afxing a signature or stamp onto source documents. (If the documents are electronic, a digital signature and time stamp can be attached.) Transactions are approved. Individual transactions should be approved either by a responsible supervisor or through the use of special forms, access to which is restricted to those designated to initiate transactions (e.g. the use of batch control sheets or batch transmittal forms to provide evidence of batch approval). Accurate conversion Accurate conversion requires the following: Adequate document design (standardisation). This is a very important input control that aids in safeguarding assets and in contributing to the accuracy of output information. Forms should be pre-printed and standardised to reduce and monitor errors. Unchanged information can be pre-printed as formatted forms which are more readable, and all documents should be pre-numbered and sequentially accounted for. Adequate training and supervision. Data entry manuals (written procedures). These deal with data conversion and the correction of errors. Appropriate chart of accounts. Using one of these to code data can greatly reduce transcription and transposition errors.

ADVANCED AUDIT AND ASSURANCE

STUDY GUIDE

3.27

Completeness of data The following controls are designed to ensure the completeness of data: Turnaround documents are documents produced by the computer system that are later resubmitted into the system. This minimises errors in data preparation when the output that has already been veried becomes input. Most bills, including domestic power and telephone bills, are turnaround documents. Control totals are effective in ensuring that all data are accurate and complete: that data have not been lost, suppressed, duplicated, added or otherwise improperly changed. One control total is manually computed while another is accumulated by the computer and the two are compared. Control totals deal with value elds (e.g. total cash receipts, sales, accounts payable). These include the following: Record counts. Transactions or records entered are counted before and after entry and processing then reconciled. Batch totals. An information eld is totalled, usually in dollar amounts, for all records of a batch. Batch totals scan similar items and verify totals after each processing step. Hash totals. Non-nancial elds are totalled for control purposes only (e.g. all sales invoice numbers in a batch). Check digits. These are redundant digits inserted in account numbers (e.g. part number, le number) and veried for correctness by a key-entry device prior to processing or by a computer edit run during processing (e.g. a sufx digit related algorithmically to the preceding digits of the number). A check digit permits the detection of data coding errors by ensuring the integrity of codes. Error correction and data resubmission The following controls relate to error correction and data resubmission: Responsibility for error correction should be assigned to a group, such as the control group, or to a specic individual such as an internal auditor. Error log. An error log should be maintained for all data rejected during processing. As they are entered in the log, the errors should be fully accounted for, and then checked off as they are corrected and re-entered into the system. Review and approval of corrections should be done by an independent ofcial who should approve the re-entry of corrected items. Prompt re-entry of corrections into the system. A well-dened procedure should be established for promptly re-entering corrections as input into the system.

Processing controls
Processing controls are designed to ensure the accuracy and reliability of data processingthat is, that all authorised transactions are properly processed; that no authorised transactions are omitted, duplicated or improperly changed; and that no unauthorised transactions are added. Processing errors should be identied, corrected and resubmitted on a timely basis. Reliable processing ensures that data processed are: accurate; complete; reasonable; and correct in all material respects.

3.28

STUDY GUIDE

ADVANCED AUDIT AND ASSURANCE

Completeness and accuracy of data The following controls relate to completeness and accuracy of data: Control totalsensure the accuracy and completeness of data. Run to run controlsuse batch control totals to monitor each processing step; at each processing checkpoint, errors are recorded in an error le and the batch control totals adjusted. The batch totals are recalculated and compared to the original totals to determine the accuracy and completeness of batch processing. Field size testtests the number of characters in a eld to ensure that the eld size is as specied. If a eld should have ve characters and the test indicates there are only three, an error condition is indicated. Field sign testensures that the arithmetic sign is correct (e.g. some items should always be positive or negative). If the opposite sign is present an error condition is indicated. Transaction codesare veried at each processing step to ensure the right application process is being applied. Check-digit test (see under Input controls). Valid character testensures that a data eld only contains certain valid characters; that is, that characters are of the appropriate type for that eld (e.g. alphabetic only, numerical or alphanumeric). Sequence testveries that the elds in sequential items are in the proper alphanumeric sequence (e.g. pre-numbered purchase orders in sequence). Validity testtests ID numbers or transaction codes for validity by comparing these with known authorised or correct IDs and codes. Cross-footing testchecks the arithmetical accuracy by totalling rows and columns and comparing the sums are in agreement, then the totals of each row and column are most likely correct. Zero-balancing test(closely related to the cross-footing test) checks, for example, that the sum of net wages plus deductions minus gross wages equals zero. Audit trailautomatic transactions may be logged or uniquely identied by the use of tags. Completeness testensures that all mandatory data elds are complete. If a mandatory data eld is blank, an error condition is indicated. Rounding testensures that rounding errors are properly controlled through the use of a balancing equation to prevent an out-of-balance situation. Per cent error testensures that if the number of errors in a particular batch of input data exceeds a predetermined standard, an error condition is indicated. Maintaining accuracy during processing The following controls relate to the maintenance of accuracy during processing: Control totals (see Completeness of data under Input controls above). Console messagesare indicated on console input/output devices such as video display units (VDUs) or printers. Console messages attempt to reduce the possibility of operator errors, such as loading incorrect les or incorrect batches of data. Many programs are interactive and should prompt operators to take action. Error logerrors detected during processing are generated to an error log, usually kept on magnetic tape. At the conclusion of processing, the errors are investigated, and the data are corrected and re-entered into the system. Limit test (see Reasonableness of data below). Reasonableness test (see Reasonableness of data below).

ADVANCED AUDIT AND ASSURANCE

STUDY GUIDE

3.29

Reasonableness of data The following controls relate to the reasonableness of data: Limit testensures that an item in a data eld is not greater or less than a predetermined limit (e.g. hours worked per week should not exceed 70 hours). Range testis related to a limit test. A limit test species a lower or upper limit whereas a range test species both limits (e.g. employees should work between 30 and 60 hours per week). Reasonableness (logic) testdetermines whether various data items are normal or reasonable. It ensures that illogical combinations of inputs are rejected by checking the logical relationship between items (e.g. Do net payroll deductions exceed 30 per cent of gross pay?). Updating correct les The following controls relate to updating correct the les: Proper training and supervision. File run and control instructions aid in ensuring that correct les are processed, updated and properly controlled and should specify the following for each le: le name and number; updating cycle; and retention cycle for data. Internal labels consist of a header label and a trailer label. A header label is the rst record in a le and indicates le contents, identication number and le destruction data. This label ensures that the correct les are mounted and updated and that les are not inadvertently destroyed. A trailer label is the last record in a le and contains record counts, other control totals, and an end-ofle code. The trailer label separates one le from another and thus ensures that the entire le is processed and that les are not commingled. Internal labels are automatically checked for correctness by the computer. External labels are written on the side of tape reels or disks, or on the containers of tape les or disk les. This label identies le contents, le identication number and le retention data. An external label assists in locating les, in preventing their early destruction, and in returning them to their proper location in the le library. An unlabelled le is assumed to be a scratch le, that is, available for reuse.

Output controls
Output controls are designed to ensure that the results of processing are reliable, distributed to authorised personnel only, and are not lost, corrupted or their condentiality compromised. Output control may be exercised where the control group (or clerk) or users reconcile output control totals with input and processing control totals. Output may be compared to details on source documents. The review of output by control groups and users is important in determining the overall reasonableness of processing results. The review may be done by visual scanning, or manual or electronic editing. User departments should scan output for exceptions or unusual items and should anticipate reports at designated times. System output should be tested at proper times by the control group to ensure that it has been distributed only to authorised user departments. The supervision of output and the shredding of waste or discarded reports are essential to prevent the loss of condentiality and misdirection of output.

3.30

STUDY GUIDE

ADVANCED AUDIT AND ASSURANCE

Learning task: Controls in an IT environment


This learning task provides an overview of the controls in an IT environment. There are also activities to reinforce your understanding. Go to My Online Learning to complete it.
Case Study 3.4 requires you to discuss the controls in an IT environment. Read the background information presented below and then complete the task.

Case Study 3.4: CWC


China Wide Consortium (CWC) has recently converted its phone sales ordering service to an e-commerce system wherein customers can place their orders and get them processed over the internet. Under this new system, online customer purchases are initiated when customers access CWCs home page, click on the Customer order icon, order the goods on the relevant template and then click on the Submit icon. Clicking on the Submit icon transfers the customers order to CWCs central processing facility. This then responds to customers, via an email message, informing them that the order has been received and the goods will be delivered within a specied time frame. This process also initiates the electronic credit card transfer of monies from the customer bank account into CWCs bank account. The customer banking details are obtained when customers sign up for the online sales and delivery service. Before CWC began providing this online sales-order service, the general manager (Angie Fung) hired Jing Wu, an old school friend who had recently been made redundant, to take care of the computer side of things. CWC also hired Melissa, a recent computer studies graduate, to help supervise data entry and local area network (LAN) operations. All sales orders are processed using the CWC computer system. The system is in a separate ofce space next to the accounts department above the cafeteria. In this ofce, 20 personal computers are linked via a LAN. Because customer demand is constant, 18 computer operators work three shifts, accepting sales orders around the clock. In an attempt to maintain the computer operators enthusiasm, Jing allows the operators to bring in their own computer games to play during times when orders are light on. The staff appreciate this gesture and as a consequence respect Jing and her endeavours to keep their work interesting even though they work in very poor physical conditions. In particular, temperature variations are always extremetoo cold in winter and too hot in summer. In an attempt to make conditions more pleasant in the summer months, Jing allows staff to open windows to let a breeze ow through the ofce. Jing set up CWCs home page and wrote the programs for processing customer orders. Additionally, she prepares just-in-time orders from suppliers, updates and controls inventory records, transfers credit card receipts to CWCs bank account and reconciles credit card deposits with individual customer sales accounts. Jing also helps Melissa maintain the LAN. Because Jing was asked to set up the computer system in such a short time frame, most of the details of the system are in Jings head, and the documentation, where it does exist, is sketchy and difcult to interpret. On the advice of Jing, Angie copies monthly backup les and keeps these in her ofce until they are replaced with the following months backup les. Since the online system is relatively new, Jing is working 12 hours a day, seven days a week to keep the system functioning smoothly. Angie is so impressed with Jings work ethic that she has asked Jing if she can prepare and complete the companys bank reconciliation. Jing agrees to do this for an increased salary of $10 000 per annum as it will help pay off her $450 000 mortgage in a shorter time span. Your task Explain any control concerns you may have in relation to the above facts.

ADVANCED AUDIT AND ASSURANCE

STUDY GUIDE

3.31

Assess the risks of material misstatement


ISA 315.25 requires the auditor to assess the risks of material misstatements, both at the nancial statement level and assertion level for transactions, account balances and disclosures to provide a basis for designing and performing further audit procedures. ISA 315.26 sets out the steps required by the auditor in identifying and assessing the risk of material misstatement, which are to: identify risks throughout the process of obtaining an understanding of the entity and its environment; assess the identied risks; relate the identied risks to what can go wrong at the assertion level; and consider the likelihood and magnitude of the potential misstatement. Note that earlier in this module assertions were discussed, and you should again refer to ISA 315.A111 if you need further revision on the types of assertions. Consider that the following two risks were identied by the auditor: 1 A risk that the allowance for doubtful debts is understated. Through the information obtained by the auditor and his/her industry knowledge, the auditor becomes aware that the entity does not know that a large debtor may not be in a position to pay the amount they owe. This is an example of a potential material misstatement due to error. 2 A risk that ctitious sales have been included in sales revenue. It has come to the auditors attention that the documentation related to certain sales close to year-end may have been falsied by management to increase prots to the level needed to meet analyst expectations and receive related incentive bonuses. Having identied the rst risk, the auditor would need to assess whether it relates more pervasively to the nancial statements as a whole. This error is unlikely to affect assertions besides valuation of accounts receivable and completeness of doubtful debts expense. The auditor then needs to consider the likelihood of misstatement and whether the magnitude is such that it will be a material misstatement. The likelihood of multiple misstatements is relatively low given that this error is due to a specic internal factor. The second identied risk will affect the assertion of occurrence of sales and existence of accounts receivable. There is also some likelihood of it relating to the nancial statements as a whole given that management fraud may exist for other nancial statement amounts. There is also, given the incentives, the possibility of multiple misstatementsthat is, the auditor has seen some documents that appear to be falsied and would likely look closely at documentation for other sales transactions.

Question 3.10
Consider each of the following items and describe how it affects the auditors assessment at the nancial statement level and/or assertion level for transactions, account balances and disclosures: 1 Management has a poor reputation in the business community over the integrity of recent decisions. 2 Repairs and maintenance accounts were misstated in previous audits. 3 Management lacks experience. 4 The entity is facing a cash ow problem. 5 The inventory consists of a range of expensive jewellery.

3.32

STUDY GUIDE

ADVANCED AUDIT AND ASSURANCE

6 Taxation calculations are extremely complex. 7 The entity is a computer manufacturer. 8 There are signicant related party transactions. 9 Managements rewards are heavily dependent on nancial results. 10 Provisions are a material liability. 11 The company has built a number of ofce blocks which it retains as investments. 12 The entity has a range of transactions that are not part of normal processes. 13 The entity has just opened a major retail outlet in the United States.

Identify signicant risks


The auditor is required as part of the risk assessment to determine if any of the risks identied are a signicant risk (ISA 315.27). First, it is necessary to consider what is a signicant risk. This is a matter for the auditors professional judgement. Some of the matters to be considered in exercising this professional judgment are described in ISA 315.28. They include whether the risk is a risk of fraud, whether related to recent signicant economic, accounting or other developments, complexity of transaction, extent of related parties, degree of subjectivity or unusual transactions. Further, signicant risks often relate to signicant non-routine transactions and judgment matters. Non-routine transactions refer to transactions that are unusual because of their size or nature and therefore occur infrequently. An example would be a one-off event such as notice of a signicant lawsuit. The importance of the above discussion is that if the auditor has determined that a signicant risk exists, the auditor shall obtain an understanding of the entitys controls, including control activities, relevant to that risk (ISA 315.29). To identify business risks it is important to gain an understanding of the systematic properties of the clients operating environment including the nature and effectiveness of the interactions between the external environment and the clients internal business processes. Bell et al. (1997) provide the following framework for the auditor to develop a comprehensive understanding of the clients position within its value chain, and its ability to create and sustain a competitive advantage within its environment: Understand the clients strategic advantage: What is the clients plan for creating value? What are its niches and what are its advantages that make it better suited than its competitors to occupy these niches? Understand the risks that threaten attainment of the clients business objectives: What might prevent the client from creating targeted value? What forces are challenging its competitive advantages? How effective are its risk management, strategic management and information management processes? Understand the key processes and related competencies needed to realise strategic advantage: What competencies and process advantages must the client possess to create targeted value? What are the business risks threatening attainment of its process objectives? Are its process objectives properly aligned with its strategic objectives? How effective are process controls at controlling process risks? Measure and benchmark process performance: Is there evidence that the expected value is actually being created? That is, how well are the processes actually performing, in terms of strategic goals, compared to the competition? How much abovenormal prot is earned as a result of the realised strategic advantage and related process efciencies?

ADVANCED AUDIT AND ASSURANCE

STUDY GUIDE

3.33

Document the understanding of the clients ability to create value and generate future cash ows using a client business model, process analyses, key performance indicators and a business risk prole: Create a comprehensive business knowledge decision frame to serve as a strategic-systems lens through which professional judgments about management assertions can be made. Use the comprehensive business knowledge decision frame to develop expectations about key assertions embodied in the overall nancial statements. Compare reported nancial results to expectations and design additional audit test work to address any gaps between expectations and reported results (Bell et al. 1997, pp. 312). With knowledge of the way an organisation creates value and the sustainability of its competitive advantage the auditor is in a much better position to make professional judgments about: the risks faced by the entity and the entitys responses; appropriate recording of transactions; the appropriateness of assumptions underlying accounting estimates; the valuation of assets; the clients ability to continue as a going concern; and the likelihood of management fraud. To illustrate the relationship between business risks and risk of material misstatement, consider the following valuation assertion example. Assume a client whose strategic objectives rely heavily on maintaining harmonious relations with an alliance partner responsible for distributing its products. The auditor would monitor relations with the supplier, because any breakdown in relations would increase business risks. For example, such disputes could affect the valuation of accounts receivable from the alliance partner and the appropriateness of recognising alliance-related revenues. Risk of material misstatement could also be affected with respect to equipment asset valuation, if previously anticipated revenues related to the alliance were no longer expected. Another key SSA principle is anticipating how other organisations actions and business risks can impact on the auditees business risks and hence risk of material misstatement (Bell et al. 2002). The importance of understanding strategy is outlined in ISA 315.11 which requires an understanding of the entitys objectives and strategies, and those related business risks that may result in material misstatement (ISA 315.11d). We will now consider the gathering and use of knowledge about the clients strategies and business processes for the purpose of understanding the entity and its environment.

Strategic analysis
As part of strategic analysis of the client, the auditor obtains information about the: broad environment in which the client operates; industry within which the organisation operates; markets in which it operates; organisations products and services; external forces that impact on it; nature of suppliers, customers and alliance partners; clients strategy to achieve its sustainable comparative advantages; business risks that threaten the success of the strategy; and organisations response to these risks.

3.34

STUDY GUIDE

ADVANCED AUDIT AND ASSURANCE

At the conclusion of the strategic analysis the auditor should have a good understanding of where the organisation is situated in its environment and its strategic direction by taking into account such factors as the: broad economic environment and industry condition; organisations position and role within each industry segment; existing threats to its current position; total productive capacity for the organisation and its competitors in each market segment; organisations competitive advantages and whether they are sustainable; and managements specic strategies. After completing this strategic analysis it is important for the auditor to consider: the implication of the organisations strategy and business risks for underlying accounting choices and nancial statement assertions; whether accounting estimates and valuations are consistent with the signicant business risks; and how the business risks impact on additional work at the business process or transaction levels. Consider the following potential impacts of strategic analysis on the audit process: Expectations: Knowledge of specic business risks affects what an auditor will expect to see in the nancial statements. For example, increased competition from lower priced competitors should result in the auditor expecting to see lower margins and/or lower turnover. The better the auditor understands the clients strategy, the more likely they will know how the client will react to price cutting and the likely impacts. Going concern: Some threats have the potential to seriously affect prots and may indicate that the organisation is not viable given its present strategies and markets. Going concern issues may need to be addressed. Audit risks: Some threats provide a direct indication that a nancial statement assertion is incorrect. For example, loss of brand reputation can negatively inuence sales, resulting in inventory valuation issues and, potentially, equipment valuation issues due to impairment resulting from the lost sales. Control environment: Some threats put pressure on management related to holding their jobs and receiving potential bonuses, with the potential for inappropriate responses (Knechel 2007). Table 3.2 below, outlines a series of business risks and the potential audit implications that result from these risks.

ADVANCED AUDIT AND ASSURANCE

STUDY GUIDE

3.35

Table 3.2 Risk assessment: Strategic risks and potential audit implications

** PLEASE REFER TO THE PRINTED STUDY GUIDE FOR THIS TABLE **

Source: Adapted from Knechel, Salterio & Ballou (2007), Auditing: Assurance and Risk, Figure 5-9, Thomson South-Western, Mason, Ohio, pp. 1701.

3.36

STUDY GUIDE

ADVANCED AUDIT AND ASSURANCE

Case Study 3.5 provides you with an opportunity to look at the sources of risks and threats and their potential implications for the audit. Complete the case study now.

Case Study 3.5: ProGolf Ltd


Your client is an Australian distributor of US-manufactured golf equipment. Their golf clubs are at the top end of the market. At present they have 30 per cent of the Australian market, are used by two of the top 10 golfers in the world, and 18 per cent of the top 100 golf professionals. Over the last 10 years these golf clubs have always accounted for over 20 per cent of world sales of golf equipment. Your tasks For each of the business risks/threats listed below identify: a the source of the threat; and b the potential audit implication. 1 The Australian economy is entering a recession. 2 The Professional Golf Association is putting restrictions on the size and weight of golf clubs. Some of the present designs will be banned in two years under the new regulations. 3 Tennis racquet manufacturers are also using the new graphite composition resulting in a potential shortage of the raw material. 4 One of their top 10 professional golfers who uses the equipment is suffering a form slump. He is thinking of changing equipment to arrest the form slump. 5 Large retail golf outlets are developing in all large capital cities and signicantly impacting on the local pro shop at golf courses. 6 Golf ball manufacturers are developing balls that respond to more standard clubs. 7 There are new rules lengthening hit off interval times imposed by insurance companies. 8 There have been complaints that one of the new revolutionary clubs causes the ball to go dramatically to the left causing a greater percentage of balls to go on roads and into houses.

Techniques used in strategic analysis


The auditor is required to develop an understanding of the clients business strategies and identify the external forces that threaten the success of these strategies. Using this knowledge, the auditor identies the key competencies and related business processes that drive the organisations implementation of its strategy and its interactions with its environment. Techniques used in strategic analysis to identify business risks are: SWOT analysis; PEST analysis; Porters ve forces; and value chain analysis.

SWOT analysis
We have noted the importance of examining both the organisations external environment and its internal capabilities. One useful technique for combining these factors is to use SWOT (Strengths, Weaknesses, Opportunities and Threats) analysis. SWOT analysis is used to determine whether the organisations strategies are producing a good t between an organisations resource capability (in terms of resource strengths and weaknesses) and its external environment (including opportunities in the market and threats to market share and protability).

ADVANCED AUDIT AND ASSURANCE

STUDY GUIDE

3.37

Strengths refer to characteristics, expertise, assets etc. that provide a competitive advantage (e.g. technological know-how, natural resources, strong management, good location, valuable brands, superior products, strong alliances). A weakness is a condition that puts it at a competitive disadvantage (e.g. lack of technological know-how, poor location). Firms have a range of market opportunities and they need to appraise the prot potential of the opportunities most likely to be successful. Organisations face threats from the environment to their protability and competitiveness. These include: changing tastes; new technologies; greater competition; unfavourable demographic shifts; and adverse exchange rate changes. Table 3.3 provides a list of the major issues to consider in a SWOT analysis. Just making lists of the strengths, weaknesses, opportunities and threats is not sufcient. It is important to determine what we learn from the four lists about the organisations situation and what actions are required to be undertaken in response.

Table 3.3 SWOT analysisWhat to look for in sizing up a companys strengths, weaknesses, opportunities and threats

** PLEASE REFER TO THE PRINTED STUDY GUIDE FOR THIS TABLE **

3.38

STUDY GUIDE

ADVANCED AUDIT AND ASSURANCE

** PLEASE REFER TO THE PRINTED STUDY GUIDE FOR THIS TABLE **

Source: Adapted from A. Thompson & A. J. Strickland III (2001), Strategic Management: Concepts and Cases, Table 4.1, 12th edn, McGraw-Hill Higher Education, p. 95.

Identifying strengths and threats and their potential impact on the audit are important steps in a SWOT analysis. Complete Case Study 3.6 now.

Case Study 3.6: Cosmic Electronics Ltd


Cosmic Electronics Ltd is a high technology electronic components manufacturer located in Hong Kong. It has established a strong brand name based on its reputation for reliability and value for money. However, one of its competitors has just produced a low-cost high-quality substitute for its leading selling component. Your task Using a SWOT analysis, identify one strength and one threat for Cosmic Electronics Ltd. Indicate the impact of each on the audit.

PEST analysis
For many years organisations have carried out a PEST (political, economic, social and technological) analysis as a way of understanding their external environment. Table 3.4 provides examples of environmental factors that are affecting the organisation. However, as the use of the PEST framework can lead to an under-emphasis on environmental and legal issues, the use of PESTEL (political, economic, social, technological, environmental, legal) analysis is used by some organisations as a framework for asking questions about important forces existing in the macro-environment.

ADVANCED AUDIT AND ASSURANCE

STUDY GUIDE

3.39

Table 3.4 Macro-environmental InuencesPEST analysis


1 What environmental factors are affecting the organisation? 2 Which of these are the most important at the present time? In the next few years? Political Government outsourcing Government policy Social welfare policies Taxation laws, GST Economic factors Business cycles Disposable income and savings rates Ination rates Interest rates Money supply Unemployment levels Technological Government and industry focus on technological effort Government and industry spending on research and development New discoveries/development Obsolescence rates for equipment Speed of technology transfer

Social factors Attitudes to work and leisure balance Education levels Income distribution trends Lifestyle changes Mobility of the labour force Population demographics, ageing Workforce diverts

Table 3.4 can be converted to a PESTEL framework by adding an environmental category (e.g. energy consumption, environmental issues, waste disposal) and a legal category (e.g. employment laws, health and safety issues, industry deregulation, product safety). In carrying out a PEST/PESTEL analysis, it is important to consider which environmental factors are affecting the organisation at the present and which factors are going to be most important over the next few years. It should also be noted that some factors will be especially important for some organisations but not others. For example, environmental protection laws are critical for mining and chemical companies; interest rates for banks; life-style changes for sports goods manufacturers; rates of obsolescence for computer manufacturers; safety for an airline. Interest rate changes are more important for organisations with high debt/equity levels than those with low debt/equity levels; foreign trade regulations are important to importers/exporters. Case Study 3.7 focuses on a PESTEL analysis, a useful framework for asking questions about important forces existing in the macro-environment. Complete the case study now.

Case Study 3.7: Airline industry


Your task Carry out a PESTEL analysis for the airline industry.

3.40

STUDY GUIDE

ADVANCED AUDIT AND ASSURANCE

Porters ve forces model for industry analysis


Porter (1985) developed a technique for analysing ve forces which affect industry protability. Known as the ve forces model, it is superior analytically to the conventional idea of considering only the organisations competitive position. The ve forces are the: 1 threat of new entrants to the industry; 2 power of suppliers to the industry; 3 power of buyers from the industry; 4 power of substitutes for the industrys products and services; and 5 intensity of industry rivalry between competitors. This has been the dominant tool used in business strategy for conducting industry analysis for many years. While not every factor will be important in any particular industry, the lists cover not only well-known economic factors, but also many factors which reect the competitive behaviour, psychological make-up and values of the organisations in the industry. Some of these forces are discussed below.

Threat of new entrants


The protability of the existing industry may be eroded because new rms will enter the market and compete for prots. The number and probability of new entrants is often determined through consideration of entry barriers. Entry barriers make it difcult for a potential competitor to enter an industry. Typical entry barriers include: Economies of scale: New entrants with little market share will not enjoy the cost advantages of these established competitors. Product differentiation: Well-established brand names and trade marks make it difcult for a new entrant to establish brand awareness and thereby capture sales. Capital requirements: Some industries require high capital investment to be able to deliver a product or service. Access to distribution channels: New entrants may have difculty distributing their goods and services through established distribution channels as those have already been locked in by existing competitors. Government policy: Government can restrict new entrants through licensing restrictions (such as in radio and TV broadcasting) and through policies (e.g. limiting foreign investment).

Power of suppliers
Suppliers provide products or services to the industry. They include labour and capital suppliers. If a supplier is particularly important to the industry, it will have bargaining power and this will work to reduce the protability of the industry.

ADVANCED AUDIT AND ASSURANCE

STUDY GUIDE

3.41

Suppliers can affect the returns to any competitors within an industry through their ability to raise prices and determine quality. Circumstances that increase a suppliers power include: The supplier industry is dominated by a few companies but sells to many customers. Its product or service is unique and the switching costs are high. Substitutes are not readily available. A purchasing industry only buys a small percentage of the suppliers output and is therefore relatively unimportant to the supplier.

Power of buyers
Buyers are the customers of the industry. If buyers are particularly important to the industry, they will have power over the industry, thus tending to reduce the protability of the industry. The bargaining power of buyers is essentially the mirror image of the bargaining power of suppliers. Circumstances that increase a buyers power include: A buyer purchases a large proportion of the sellers product or service. A buyer has the potential to backward integrate, which means the ability to make or supply the suppliers product or service themselves. There are many alternative suppliers because the product is standard. There are few costs of changing suppliers (switching costs).

Power of substitutes
Substitutes are other products or services which can be used instead of the products or services of the particular industry. For instance, for the local stockbroking industry, direct investment in property or consulting nancial planners are substitutes. The more substitutes the buyers have for the industrys products or services, the higher the buyer bargaining power. A substitute can be dened as a direct substitute, such as Pepsi for Coke, or a substitute which fulls the same need for the buyer. For example, an email would be a substitute for a letter.

Intensity of industry rivalry


Intensity of industry rivalry is the degree of competitiveness that is found between existing industry competitors. The way the existing rms compete with each other will also determine the level of returns available to any one competitor. An action by one rm may generate a reaction from other competitors. For example, in the airline industry, attempts to offer discount fares are readily met. For each of the ve forces, an assessment can be made whether its power is high, average or low. After doing this for all ve forces, one can then draw a conclusion about the current industry protability. If all ve forces are rated high, industry protability should be very low. Conversely, if all forces are rated low, industry protability should be very high. However, at this point the key causes of the level of industry protability and business risks associated with the entitys activities would have been identied.

3.42

STUDY GUIDE

ADVANCED AUDIT AND ASSURANCE

Case Study 3.8: Timber oors


Your client is FB Ltd, a manufacturer of timber ooring. Over 90 per cent of its production is supplied to one customer LR Ltd (a larger retailer of home furnishings). There are many alternative suppliers and LR Ltd often mentions the possibility of switching to another supplier. Your task 1 For which of Porters ve forces would the power be classied as high? 2 What impact does this have on identifying risks faced by FB Ltd?

Value chain analysis


A value chain is usually considered as the series of activities or processes within and around an organisation which creates a product or service that is valued by customers. Figure 3.1 shows primary and support activities that form the value chain within an organisation.

Figure 3.1 The value chain within an organisation


Firm infrastructure Human resource management

Ma

Technology development Procurement

rgin
Ma

Inbound logistics

Operations

Outbound logistics

Marketing and sales

rgi n

Services

Source: Porter, M. E. (1985), Competitive Advantage: Creating and Sustaining Superior Performance, The Free Press, New York, p. 37. Reprinted and adapted with the permission of the Free Press, a Division of Simon & Schuster Inc. Copyright 1985 by Michael E. Porter.

Primary activities are directly concerned with the creation or delivery of a product or service: Inbound activities: Receiving, storing and distribution of materialsincludes material handling and inventory control. Operations: Converting inputs into the nal product or serviceincludes machinery, packaging, assembly and testing. Outbound logistics: Collecting, storing and distributing the product to customers includes warehousing, material handling and transport in the case of products. Marketing and sales: Activities making customers aware of the product/service and able to purchase themincludes advertising, selection of distribution channels, selling. Service: Activities to enhance or maintain the value of a product or service includes installation, repairs, training. Primary activities cannot be successfully undertaken without the benet of support activities.

ADVANCED AUDIT AND ASSURANCE

STUDY GUIDE

3.43

Support activities are those that improve the effectiveness and efciency of the primary activities: Firm infrastructure: Planning, nance, accounting, quality control, information management aimed to support the entire value chain. Human resource management: Activities involved with recruiting, training, staff development, rewarding. Technology development: Improving products and processes used in production (e.g. research and development, product design, process development). Procurement: Activities/processes for acquiring inputs needed to produce the organisations products/services. Case Study 3.9 focuses on the audit implications of a breakdown in an organisations value chain. Complete the case study now.

Case Study 3.9: Creamy Ltd


Creamy Ltd has produced a very popular fruit-based ice cream. However, due to problems with its distribution system, its ability to deliver on time has declined. This has resulted in a signicant drop in its customer satisfaction index. Your task Explain the audit implications of the breakdown in Creamy Ltds value chain.

Question 3.11
For each of the primary activities of the value chain, suggest possible audit problems that may arise: inbound logistics; operations; outbound logistics; marketing and sales; and service.

Analytical procedures
An important technique for understanding the client and the industry is analytical procedures. Analytical procedures refers to the investigation and analysis of uctuations and relationships to determine whether there are inconsistencies with other relevant information or deviations from predicted amounts. Analytical procedures include: comparisons with prior periods, anticipated results (e.g. budgets and forecasts) and industry comparisons; consideration of relationships between elements of nancial information that would be expected to follow a predictable pattern; and relationships between nancial information and relevant non-nancial information. Certain elements of nancial accounting would be expected to conform to predictable patterns, for example: gross margin and sales; sales commission and sales; accounts receivable and sales; and internal expense to borrowings.

3.44

STUDY GUIDE

ADVANCED AUDIT AND ASSURANCE

For other costs such as advertising, training, and repairs and maintenance, the amount spent is more likely to be discretionary and the relationship of these amounts to sales is less predictable. There are also likely to be relationships between nancial information and non-nancial information, for example: payroll and staff numbers; motor vehicle costs and number of vehicles; and workers compensation insurance and staff numbers. Analytical procedures can be used for the following purposes: Planning the nature, extent and timing of other audit procedures. This will include obtaining a better understanding of the client and the industry, highlighting changes in protability trends and usual/unexpected relationships (ISA 315.A7.A8). Overall, the aim is to direct attention to areas with the highest potential for material misstatement. As a substantive procedure when their use can be more effective or efcient than tests of details for the specic nancial statement assertion. As a nal overall review at the completion of the audit. This is to give an indication of the reasonableness of the nancial statements taken as a whole. In this module we are most concerned with the audit planning aspects. In Module 4, analytical procedures, as part of substantive testing, are considered. Analytical procedures can be either evaluative or predictive. Evaluative techniques use past information to help the auditor to: understand the client and the industry; identify and assess potential risk; assess the extent of other audit tests; and corroborate other conclusions and ascertain the overall reasonableness of the nancial information. Predictive analytical procedure techniques are used to estimate activity levels or account balances based on trends or relationships. Generally, at the planning stage of the audit, evaluative techniques such as simple comparisons, ratio analysis, common-size statements and trend statements are used. Simple reasonableness tests can also be useful. Various techniques may be used in performing analytical procedures at the planning stage. The choice of techniques is a matter of professional judgment. The discussion below on simple comparisons, reasonableness tests and ratio analysis is based on Trotman (1990).

Simple comparisons
Simple comparisons generally involve comparison of a current year income statement (and balance sheet items) to an appropriate norm or standardfor example, actual results for prior periods, actual results for similar operating locations within the entity, budgets for the current year and actual results for the current or previous periods for other companies in the industry. Comparisons to prior periodsPercentage or dollar changes from prior periods can be an indicator of changes in circumstances, particular trends or errors. While unexpected deviations or uctuations may not necessarily indicate an error, the auditor should follow up to understand why these uctuations have occurred. The comparisons with prior periods normally should extend over a number of years. Where changes in either the economic environment or the organisations business have occurred, there is a need to adjust (even if only an approximation) the historical information prior to making the comparisons. Based on other work conducted by the auditor (e.g. strategic

ADVANCED AUDIT AND ASSURANCE

STUDY GUIDE

3.45

analysis) auditors should have expectations about particular balances. For example, new protable contracts were signed earlier in the year and have been in operation for six months, therefore, the auditor may expect that sales gures are expected to be approximately X per cent greater than the previous year. Alternatively, there has been a sale of certain equipment with the expectation that depreciation expenses will decrease. Comparisons between locationsComparing nancial information between similar operating locations can be very effective in the planning stage of the audit in order to identify potential errors and the areas where audit work should be most concentrated. However, in making these comparisons (e.g. retail stores) differences between locations need to be considered. For example, the location of a retail store may allow it to have larger mark-ups than average. Comparisons to budgetsThe current years gures can be compared to the entitys budget to determine now the actual gures for the period compare with earlier expectations of management and to consider the audit implications of major variances. The auditor needs to determine the nature and past accuracy of the entitys budgeting system. For example, little, if any, reliance can be placed on these comparisons if the budgeting system historically has been inadequate due to such factors as poor preparation or frequent large variances. In addition, where management places considerable emphasis on the need to achieve budget, there is the possibility of manipulation of recorded results in order to achieve budget. Comparisons to industry guresComparison of nancial statement amounts and relationships for an entity or segments of that entity to industry gures can improve the auditors understanding of an entitys business and industry, indicate nancial strengths or weaknesses and highlight areas requiring audit attention. In particular, the highlighting of abnormal trends compared to industry may be informative. Comparisons to industry averages can be difcult in many circumstances due to the unique characteristics of the organisation and/or its diversied nature. However, the understanding of signicant variances from industry averages can be useful for the auditor, particularly in the planning stages.

Reasonableness tests
Generally, reasonableness tests are simple calculations using relevant nancial and operating data in order to develop an estimate of an amount. Many revenue and expense items can be reasonably estimated from one or a few other items. Examples include: income for hotels can be estimated from average room charges and occupancy rates; gross margin as a percentage of sales; professional service fees can be related to number of staff, average charge-out rates and average chargeable time; investment income can be related to average amounts invested and average interest rates; payroll expense can be related to the average number of employees and average pay rates; commission expense can be estimated from sales and commission rates; interest expense can be related to the average amount owing and average interest rates; and depreciation expense can be estimated by reference to asset balances, additions and deletions, and depreciation rates.

3.46

STUDY GUIDE

ADVANCED AUDIT AND ASSURANCE

Ratio analysis
For interpretation purposes, ratios need to be compared to some benchmark. This benchmark can be the same ratio computed in prior periods and/or ratios of other comparable organisations. Ratio analysis can be an effective method of increasing an auditors understanding of an entitys business. By identifying trends and unusual uctuations it is a useful technique for identifying areas that require particular attention. Auditors should consider changes in a group of related ratios rather than concentrating on single ratios. For example, an organisations quick ratio may appear satisfactory until it is viewed in the light of a declining net prot margin, a negative cash ow or a decrease in debtors turnover. Ratios can be classied into the following categories: protability; activity; liquidity; and nancing.

Protability ratios
Protability ratios generally provide an indication of an organisations protability and changes in protability. They include: Gross margin = Gross prot Sales Net operating prot Sales Each individual item of expense Sales Sales Total assets Operating prot before tax Total assets Net prot after tax Ordinary shareholders funds

Net prot

Operating expenses

Asset turnover

Return on total assets

Return on shareholders equity

The gross margin ratio is one ratio that is commonly used by auditors. For many rms this ratio will have a relatively stable and predictable pattern. Fluctuations may indicate changes in the nature of the business (e.g. competition, pricing policies, manufacturing efciencies, sales-mix changes) or nancial statement errors. The net prot ratios indicate trends in protability and the effectiveness with which the organisations resources are being used. Ratios of expenses to sales may provide reasons for changes in protability as well as possible nancial statement errors. For example, a large increase in the ratio of repairs and maintenance to sales may indicate that a capital item has been charged to the repairs and maintenance account.

ADVANCED AUDIT AND ASSURANCE

STUDY GUIDE

3.47

Activity ratios
Activity ratios provide an indication of an entitys efciency in using available resources. Examples include: Inventory turnover = Cost of goods sold Closing inventory Closing inventory 365 Cost of goods sold Credit sales Closing debtors Closing debtors 365 Credit sales Closing accounts payable 365 Credit purchases

Days sales in inventory

Debtors turnover

Average collection period in days

Average payment period in days

The inventory turnover ratio can be compared over time and with the industry average. If the ratio is substantially below those of past years or the industry averages, it can indicate obsolete and slow-moving stock. Generally, a high ratio is preferable as it indicates an efcient inventory management. However, it can also indicate problems such as unrecorded inventory. The ratio varies signicantly between industries and for some industries it will vary seasonally. Ratios may also vary within industries because of different methods of accounting for inventory (e.g. FIFO, weighted average). The debtors turnover ratio is an indication of an entitys credit control policy. The higher this ratio, the better the performance. A decrease in this ratio compared to prior years or industry average may indicate deciencies in the entitys credit and collection policies, possible uncollectability of some accounts, possible ctitious sales or incorrect cut-off or an increase in the credit period granted in order to increase sales. Fluctuations in these ratios may indicate changes in liquidity or cash management procedures.

Liquidity ratios
Liquidity ratios provide an indication of an organisations ability to meet current obligations as they fall due. Unusual or unexpected trends may also indicate over- or understatement of current assets and current liabilities. The ratios need to be reviewed with regard to the organisations current and projected cash ow. Liquidity ratios include: Current ratio = Current assets Current liabilities Cash + Marketable securities + Accounts receivable Current liabilities

Quick asset ratio

The quick asset ratio is a more conservative indication of liquidity than the current ratio. The comparative importance of these ratios depends on such factors as the inventory turnover ratio, the debtors turnover ratio and the predictability of future cash ows. For example, the larger the inventory turnover ratio the less relevant the current ratio; the less predictable the cash ow, the higher these ratios need to be in order to be acceptable.

3.48

STUDY GUIDE

ADVANCED AUDIT AND ASSURANCE

Financing ratios
Gearing ratios consider long-term nancial strength of an entity. They may indicate, for example, that there is an over-reliance on debt nance. Examples of gearing ratios include: Debt/Equity ratio = Total liabilities Shareholders equity Long-term liabilities Shareholders equity Total liability Total assets EBIT Interest expense

or

Debt/Assets ratio Number of times interest earned

= =

The rst two ratios indicate the gearing level. The third one considers the ability of the entity to meet its interest commitments as they fall due. Changes in these ratios may indicate business risk and the auditor needs to consider related audit risk.

Question 3.12
Whilst performing your preliminary analytical procedures (i.e. analytical procedures performed at the audit planning stage), you note that over the last few months there has been a substantial increase in goods returned as a percentage of total sales. What impact would this have on your audit?
Below are additional comments regarding analytical procedures. Many of these methods can be used both at the planning stage and as a substantive test (to be covered in Module 4). Reasonableness relationships such as interest to borrowings, fuel expenses to vehicles used and kilometres travelled can be useful calculations. However, care should be taken as the relationship gets more complex. For example, the relationship between interest expense and borrowings gets more complicated when different borrowings have different interest rates and new borrowings are taken out/repaid during the year. Similarly, a reasonableness test on the revenue for a large city hotel will depend on the number of rooms, occupancy rate and percentage of clients in various rate categories (e.g. government rate, range of corporate rates). Many ratios can be calculated in a number of different ways. For example, for return on asset (ROA) you could use earnings before income tax allowance (EBITA), earnings before income tax (EBIT), net prot before tax or net prot after tax. If you are unsure about the interpretation of any of the ratios you should consult any introductory nancial accounting textbook. Further information on textbooks is in the Segment Outline. In interpreting the set of ratios discussed above, it is important to consider the relationships between ratios. One way of doing this is to consider a DuPont analysis. The name is used because in the 1920s, DuPont in the United States was the rst company to formally integrate the linking of these ratios into its organisational control system. The DuPont analysis shows that return on equity (ROE) can be explained by two ratios, namely return on assets (ROA) and leverage. ROA can be explained by prot margin and total assets turnover.

ADVANCED AUDIT AND ASSURANCE

STUDY GUIDE

3.49

The relationship between the ROE ratio and its two components can be seen below (here operating prot after tax has been used in both ROE and ROA): ROE Operating prot after tax Shareholders equity = ROA Operating prot after tax Total assets Leverage Total assets Shareholders equity

The relationship between ROA and its two components is as follows:

ROA Operating prot after tax Total assets

Prot margin Operating prot after tax Sales

Total assets turnover Sales Total assets

An example of a trend analysis is as follows: 20X5 Sales Trend Statement Percentages using 20X5 as the base year $400 000 20X6 $480 000 20X7 $580 000 20X8 $640 000 20X9 $800 000

100%

120%

145%

160%

200%

Case Study 3.10: QRS Ltd


Assume you are the audit manager responsible for the audit of QRS Ltd, a wine producer. You have obtained the following nancial information from the client. QRS Ltd Balance Sheet Unaudited 30 June 20X9 $000 Current assets Cash Receivables Inventories Total current assets Non-current assets Property, plant and equipment Receivables Total non-current assets Total assets Current liabilities Bank borrowingsSecured Payables Provisions Total current liabilities 5 162 4 500 7 348 17 010 48 826 9 000 57 826 74 836 Audited 30 June 20X8 $000 4 480 4 000 4 294 12 774 50 134 9 000 59 134 71 908

14 748 10 000 1 928 26 676

18 000 10 092 1 830 29 922

3.50

STUDY GUIDE

ADVANCED AUDIT AND ASSURANCE

Non-current liabilities Interest-bearing liabilities Provisions Total non-current liabilities Total liabilities Net assets Shareholders equity Share capital Retained prot Total shareholders equity Prot and loss account Revenue Gross prot Operating expenses Net prot before tax Taxation Net prot after tax Retained prots at the beginning of the year Retained prots at the end of the period

32 000 1 314 33 314 59 990 14 846

28 000 1 240 29 240 59 162 12 746

10 000 4 846 14 846

10 000 2 746 12 746

21 228 5 808 2 808 3 000 900 2 100 2 746 4 846

19 393 3 733 2 137 1 596 479 1 117 1 629 2 746

Additional information: This is your rst year on the audit but QRS has been a client of your rm for over ve years. Sales have been gradually increasing due to the popularity in overseas markets of Australian wine. Exports now account for 40 per cent of sales. Overseas customers are invoiced in the importers currency. QRS has a new CEO who has a reputation for improving protability and share prices. He has considerable stock options and has announced he intends to retire in two years. The company uses a standard cost system for wine; raw materials are valued at cost. The company has recently updated its earnings expectations due to cheaper grapes resulting from an excess of the grape variety it uses. The company has received substantial criticism from some analysts for underperforming over the last few years. Discussion with management last year indicated that it intended to reduce its debt substantially during the current year. Some retailers have passed on customer concerns about the quality of some of the red wine and the percentage of bottles that were off. Staff at the winery have suggested that this may be due to the ageing equipment. Management has noted that they are not willing to move to new technology involving screw tops for the wine because of the capital investment outlay. The non-current receivable relates to an amount in dispute with the tax ofce. The company believes the amount was incorrectly assessed and has legal advice to support this. The amount was paid to avoid interest accumulating. Your tasks 1 Calculate the following ratios for 20X9 and 20X8: a Gross margin. b Net prot. c Asset turnover. d Return on total assets. e Current ratio. f Quick asset ratio. g Inventory turnover. h Debtors turnover.

ADVANCED AUDIT AND ASSURANCE

STUDY GUIDE

3.51

i j k

Debt to equity. Days in inventory. Days in debtor.

2 Identify key risk factors that will have an impact on the audit.

Case Study 3.11: MNO Ltd


Shown below are common-size statements for MNO Ltd prepared in a time series format over four years and a cross-sectional form with two competitors. Your task Outline any trends the auditor would need to pay additional attention during the audit. MNO Ltd30 June 20X9 20X9 % Percentage common-size balance sheet Assets Cash Receivables Inventories Other current assets Property, plant and equipment 20X8 % 20X7 % 20X6 %

8.7 19.3 24.8 4.1 43.1 100.0

8.4 19.0 21.7 3.9 47.0 100.0

8.0 18.8 23.5 3.6 46.1 100.0

8.0 18.6 20.2 3.7 49.5 100.0

Liabilities and shareholders funds Payables Other current liabilities Non-current liabilities Deferred income tax Shareholders equity

15.2 8.9 33.0 4.0 38.9 100.0

13.9 9.1 34.5 4.0 38.5 100.0

19.7 9.5 31.0 3.8 36.0 100.0

20.3 9.6 30.7 3.7 35.7 100.0

Percentage common-size income statement Revenue Net sales Returns

97.2 2.8 100.0

98.6 1.4 100.0

98.1 1.9 100.0

98.2 1.8 100.0

Expenses Cost of goods sold Selling, administrative and general expenses Interest expense Depreciation Income tax Prot after tax

52.9 11.7 5.5 10.6 10.5 8.8 100.0

53.8 12.3 5.4 10.9 10.3 7.3 100.0

54.3 11.2 4.7 11.0 9.9 8.9 100.0

54.6 11.2 4.4 10.9 9.8 9.1 100.0

3.52

STUDY GUIDE

ADVANCED AUDIT AND ASSURANCE

MNO Ltd30 June 20X9 MNO Ltd % Percentage common-size balance sheet Assets Cash Receivables Inventories Other current assets Property, plant and equipment Liabilities and shareholders funds Payables Other current liabilities Non-current liabilities Deferred income tax Shareholders equity Competitor 1 Competitor 2 % %

8.7 19.3 24.8 4.1 43.1 100.0 15.2 8.9 33.0 4.0 38.9 100.0

6.5 15.7 23.5 4.9 49.4 100.0 21.2 10.9 35.4 7.4 25.1 100.0

9.8 11.3 23.1 3.5 52.3 100.0 13.3 15.4 36.6 2.2 32.5 100.0

Percentage common-size income statement Revenue Net sales Returns Expenses Cost of goods sold Selling, administrative and general expenses Interest expense Depreciation Income tax Prot after tax

97.2 2.8 100.0 52.9 11.7 5.5 10.6 10.5 8.8 100.0

98.4 1.6 100.0 49.5 11.6 3.9 11.1 11.3 12.6 100.0

98.1 1.9 100.0 48.3 10.6 4.1 10.9 12.6 13.5 100.0

Responding to assessed risks


Key principles
ISA 330 The Auditors Responses to Assessed Risks outlines in detail the nature, timing and extent of evidence-gathering procedures that the auditor can undertake to respond to assessed risks. ISA 330.5 requires the auditor to design and implement overall responses to address the assessed risks of material misstatements at the nancial statement level. ISA 330.6 further requires the auditor to design and perform further audit procedures whose nature, timing and extent are based on and responsive to the assessed risks of material misstatement at the assertion level. Examples of overall responses to address the assessed risk of material misstatement at the nancial statement level are discussed in ISA 330.A1. You should read this now.

ADVANCED AUDIT AND ASSURANCE

STUDY GUIDE

3.53

ISA 330.A4 provides guidance concerning the nature, timing and extent of further audit procedures and identies the circumstances where tests of controls and/or substantive procedures are required. ISA 330.A5 states that: the nature of an audit procedure refers to its purpose (that is, tests of controls or substantive procedure) and its type (that is, inspection, observation, inquiry, conrmation, recalculation, reperformance, or analytical procedure). According to ISA 330.A6, timing refers to when [audit procedures] are performed, or the period or date to which the audit evidence applies. ISA 330.A7 indicates that the extent of audit procedures refers to the quantity of a specic audit procedure to be performed, for example, a sample size or the number of observations of a control activity. Various factors are considered when determining the extent of audit procedures, including: the judgment of the auditor after considering materiality; the assessed risk; and the degree of assurance the auditor plans to obtain. Audit procedures will normally increase as the risk of material misstatement increases, but this would be effective only if the increased procedures are relevant to the specic risk. Therefore, there is a relationship between the nature and the extent of audit procedures. It is important for the auditor to consider the nature of the evidence and the potential for the evidence to be manipulated. If the evidence is subject to management control (e.g. internal documentation), varying the nature of the evidence (e.g. external reports) may be more important than collecting more of the same type of evidence.

Tests of control
Once an understanding of the internal control that is sufcient for audit planning is obtained, the auditor must assess the control risk or the risk of material misstatement occurring. If the auditor assesses that control risk is less than high, it means he/she plans to rely to some extent on key controls in the control system. He/she needs evidence to support reliance on these controls; the tests to gather this evidence are called tests of control. If control risk is assessed as high, then no reliance is to be placed on these controls, there will be no testing of the controls, and more substantive testing will need to be undertaken. Some audits require the auditor to undertake tests of control. Where the auditor has determined that it is not possible or practicable to reduce risk of material misstatement at the assertion level to an acceptably low level with audit evidence obtained only from substantive procedures, the auditor shall perform tests of controls for operating effectiveness. Thus, for these key controls, it is not possible to evaluate control risk as high by default, and it would be necessary to undertake tests of controls. Further, where the auditor plans to rely on controls that have not changed since they were last tested, ISA 330.A37 requires that the auditor test the operating effectiveness of such controls at least every third audit. However, if the auditor plans to rely on controls that have changed since they were last tested, the auditor needs to test the operating effectiveness of such controls in the current audit (ISA 330.A36). You should review ISA 330.8.17 and the related explanatory paragraphs (ISA 330.A20.A41) to ensure that you are aware of the concepts contained in this key standard with regards to tests of controls.

3.54

STUDY GUIDE

ADVANCED AUDIT AND ASSURANCE

Substantive procedures
Substantive procedures are aimed at detecting material misstatement (at the assertion level) in the dollar value of the information contained in the accounting records or in the nancial statements. Thus, the risk of material misstatement is reduced by the auditor undertaking tests of controls and substantive procedures. If the auditor can gain condence that the controls in place will help reduce material misstatement, the auditor is able to reduce the level of substantive testing. Substantive procedures consist of two categories: substantive analytical procedures and tests of details (ISA 330.4). A more detailed discussion of actual procedures is included in Module 4. Analytical procedures are used to compare account balances and transactions with other nancial and non-nancial information in order to identify unusual uctuations or values. A common example is ratio analysis. These techniques are used to indicate areas of potential error that may require further audit investigation, and to assist the auditor in assessing the extent of tests of transactions and balances. Tests of details are tests of transactions and balances designed to obtain direct evidence to support the account balances shown in the nancial statements. Commonly, this will involve drawing conclusions from a sample of the transactions or account balances and projecting these results to the entire population. Irrespective of the assessed risks of material misstatement, the auditor [is required to] design and perform substantive, procedures for each material class of transactions, account balance and disclosure (ISA 330.18). If under ISA 315 it has been determined that the assessed risk of material misstatement at the assertion level is a signicant risk (e.g. signicant risk of material overstatement of sales) the auditor needs to perform substantive procedures that are specically responsive to that risk (ISA 330.21). These substantive tests related to signicant risks should be test of details only and/or in combination with analytical procedures. It is important to consider the nature, timing and extent of substantive tests. The nature of the tests refers to the use of substantive analytical procedures or test of details. The former are generally more applicable to large volumes of transactions that tend to be predictable over time whereas test of details are ordinarily more appropriate in obtaining evidence regarding certain assertions (e.g. existence and valuation) about account balances. Timing refers to when the evidence is collected. The auditor may perform substantive procedures at year end or at an interim date. In the latter situation, the auditor must perform further substantive procedures or substantive procedures combined with tests of controls to cover the remaining period to year end (ISA 330.22). For example, a debtors circularisation may be carried a month before year end and the additional evidence collected for the last month of the year related to that month. Such factors as the control environment and the assessed risk of a material misstatement affect whether substantive procedures are performed at year end. For example, if control procedures are weak and the risk of material misstatement is high, it is less likely that audit procedures would be performed at an interim date. The extent of substantive testing ordinarily increases when the risk of material misstatement is greater.

ADVANCED AUDIT AND ASSURANCE

STUDY GUIDE

3.55

Based on the audit procedures performed, the auditor is required to evaluate the sufciency and appropriateness of audit evidence obtained (ISA 330.25). However: If the auditor has not obtained sufcient appropriate audit evidence as to a material nancial statement assertion, the auditor shall attempt to obtain further audit evidence. If the auditor is unable to obtain sufcient appropriate audit evidence, the auditor shall express a qualied opinion or disclaim an opinion on the nancial statements (ISA 330.27). The auditors reporting determination is discussed further in Module 5. You should review ISA 330.18.23 to ensure that you are aware of the concepts contained in this key standard with regards to substantive procedures.

Question 3.13
Consider the following audit procedures: i ii examine large invoices for the two days prior to year end to determine if sales are recorded in the correct period; compare inventory turnover across products using monthly data for the last two years;

iii select a sample of trade debtors to be conrmed and follow up on non-replies; iv attend the annual inventory stocktake and ensure all procedures are complied with; v review any changes to the staff involved in authorising xed asset purchases and disposals;

vi for a sample of xed assets, determine if the depreciation rates used are consistent with the approved depreciation policy of the client; vii check arithmetic on a sample of sales invoices; and viii check authorisation signatures on a sample of travel reimbursements. 1 2 Which of the above procedures are tests of controls? For the procedures that are substantive tests, state the key nancial statement assertion being tested.

Evaluation of misstatements identied during the audit


Previously in this module, we considered ISA 320 which dealt with the auditors responsibility to apply the concept of materiality in planning and performing the audit. Here, ISA 450 Evaluation of Misstatements Identied during the Audit is considered. It deals with the auditors responsibility to evaluate the effect of identied misstatements (see ISA 450.4 for a description) and uncorrected misstatements (misstatements that the auditor has accumulated and that have not been corrected) (ISA 450.4). Misstatements can result from the following: inaccuracies in gathering and processing of data; omission of an amount or disclosure; incorrect accounting estimates; and judgments of management concerning accounting estimates (ISA 450.A1).

3.56

STUDY GUIDE

ADVANCED AUDIT AND ASSURANCE

The auditor is required to accumulate misstatements identied during the audit, except where these are clearly trivial (ISA 450.5). Clearly trivial does not mean the same as not material (ISA 450.A2), that is, it will normally be a much smaller number (e.g. to classify $12 000 as an expense when it should be capitalised is likely to be clearly trivial if the companys net prot is $120 million). When evaluating the effect of the misstatements the auditor should consider the nature of the misstatement (e.g. factual, judgmental or projected misstatementssee ISA 450.A3). Factual items are likely to be more clear-cut than judgmental or projected items (e.g. management may be able to provide sound reasons for the differences in judgments between management and the auditor). Depending on the level of the misstatements and the circumstances of their occurrence there may be a need to revise the overall audit strategy and audit plan (ISA 450.6) as discussed earlier in ISA 300. For example, if many of the misstatements identied during the audit occurred in a particular month yet the original audit plan placed no particular emphasis on this month, a revised audit plan may be necessary. Auditors are required to communicate to management all misstatements accumulated and request management to correct those misstatements (ISA 450.8). If management refuses to correct some of the misstatements, the auditor needs to obtain an understanding of the reasons and take that into account in forming an opinion (ISA 450.9). Note that management may refuse to correct some misstatements because they genuinely believe they have made the correct judgments. This is much more likely to be the case where there are differences arising from the judgments of management concerning estimates compared to the auditors judgments. It may also relate to what is the appropriate accounting policy or treatment in areas where accounting standards are vague. These differences between auditors and management often lead to prolonged negotiations where additional evidence is collected by both sides and the accounting rms may draw on the expertise of the technical experts within their rms. The auditor also needs to consider uncorrected misstatements that are considered material, either individually or in aggregate. ISA 450.11 requires the auditor to: consider the size and nature of these misstatements; and consider the effect of uncorrected misstatements related to prior periods or the relevant classes of transactions, account balances or disclosures and the nancial statements as a whole. The auditor is required to communicate with those charged with governance uncorrected misstatements and the effect they may have on the auditors report (ISA 450.12). ISA 450.12 is a recent change to the auditing standards and is likely to put the auditor in a much stronger position in any disagreements with management over recording of misstatements. You should now refer to ISA 450.A11 to .A23 for more details on evaluating the effect of uncorrected misstatements.

ADVANCED AUDIT AND ASSURANCE

STUDY GUIDE

3.57

Review
This module considered the importance of business risk for the auditor. We considered the auditors role in understanding entities and their environments and assessing the risk of material statement. As audit rms have moved to a much greater emphasis on risk analysis, we outlined the steps in a strategic systems audit and outlined a variety of techniques for conducting strategic analyses in order to better understand these risks. Also analytical procedures were discussed as they play an important role in understanding business risk and the audit implications. Internal control is one way that management can mitigate business risks, and the auditing standards require the auditor to understand the entity and its environment, including internal control. Controls in an IT environment were also discussed. Having assessed the risks of material misstatement the auditor needs to develop procedures in response to the assessed risks.

References
Australian Accounting Standards Board (2004) AASB 1031 Materiality AASB, Melbourne. <http://www.aasb.com.au/Pronouncements/Old/Current-standards.aspx> (accessed November 2009). Bell, T. B., Marrs, F., Solomon, I. & Thomas, H. (1997) Auditing Organizations through a Strategic-Systems Lens The KPMG Business Measurement Process <http://www.business.uiuc.edu/kpmg-uiuccases/monograph.pdf> (accessed November 2010). Bell, T. B., Peecher, M. & Solomon, I. (2002) The strategic-systems approach to auditing In Cases in Strategic-Systems Auditing, edited by T. Bell and I. Solomon KPMG, Montvale, New Jersey, pp. 134. <http://www.business.uiuc.edu/kpmg-uiuccases/casebook.pdf> (accessed November 2010). International Federation of Accountants (IFAC) (2009) Handbook of International Standards on Auditing and Quality Control IFAC, New York. Knechel, Salterio, S. & Ballou, B. (2007) Auditing: Assurance and Risk 3rd edn, Cengage, Melbourne. Porter, M. (1980) Competitive Strategy The Free Press, New York.

3.58

STUDY GUIDE

ADVANCED AUDIT AND ASSURANCE

Porter, M. (1985) Competitive Advantage: Creating and Sustaining Superior Performance The Free Press, New York. Thompson, A. & Strickland III, A. J. (2001) Strategic Management: Concepts and Cases 12th edn, McGraw-Hill Higher Education, Columbus, Ohio. Trotman, K. T. (1990) Analytical Review Audit Monograph No. 1 Australian Accounting Research Foundation, June, Melbourne. Trotman, K. T. & Gibbins, M. (2009) Accounting: An Integrated Approach Thomson Learning, Melbourne.

ADVANCED AUDIT AND ASSURANCE

SUGGESTED ANSWERS

3.1

Module 3

Suggested answers

Question 3.1
The audit plan would need to be revised. ISA 300.10 states that the auditor shall update and change the overall audit strategy and the audit plan as necessary during the course of the audit (see also ISA 300.A13). Given there were incorrect assumptions in developing the original plan, it would need to be revised.

Question 3.2
1 Accounts receivablevaluation. Without appropriate credit checks there is a high likelihood of debtors not paying. Less reliance would be placed on tests of controls and more substantive testing would be required. The substantive testing would be more tests of details as analytical procedures is less reliable when internal control weaknesses exist (this will be discussed more in Module 4).

Question 3.3
Observation of production processes; sales processes at stores; stocktake procedures; operation of internal controls such as gatekeeping; employee time recording. Inspection of documents (e.g. business plans, strategy documents, records such as xed assets registers, internal control manuals). Reports prepared by management (e.g. monthly reports, balanced scorecard, variance analysis, capital investment analysis); reports prepared by those charged with governance (e.g. board minutes). Visits to the entitys premises (e.g. factory, retail outlet).

3.2

SUGGESTED ANSWERS

ADVANCED AUDIT AND ASSURANCE

Question 3.4
This is covered by ISA 315.8 and .9. ISA 315.8 refers specically to the situation where the auditor has performed other engagements for the entity (e.g. previous year audit, review or other assurance engagement) and the need to consider whether information obtained is relevant to identifying risks of material misstatement. If the auditor decides to use information obtained in previous audits, it is necessary to consider whether changes have occurred that affect the relevance of that information (ISA 315.9).

Question 3.5
The members of the engagement team to be included when the meeting occurs. The extent of the discussion (affected by roles, experience and information needs of the team). The role to be taken by the partner (e.g. lead the discussion, or be part of a round table discussion). Does the meeting need to be face-to-face, by telephone or computer link? Preparation expected prior to the meeting. Will it be more of a brainstorming session or a presentation by a senior staff member with follow-up discussion?

Question 3.6
Some of the key points are: business risk is broader than the risk of material misstatement (ISA 315.A30); an understanding of business risk increases the likelihood of identifying risks of material misstatement; and most business risks eventually have nancial consequences but these effects may not be immediate and they may not result in material misstatement.

Question 3.7
One of the clear business risks facing the client is increased competition with a likely result of substantial reductions in market share. There appear to be low barriers to entry because costs of adapting production processes are likely to be relatively low for other manufacturers and, as bags with wheels attached are quite common in the luggage industry, it is unlikely to be protected via patent etc. The risk is concerned with market share and margins being affected by competition. This could have an impact on the valuation of inventory and potential impairment of productive assets.

ADVANCED AUDIT AND ASSURANCE

SUGGESTED ANSWERS

3.3

Question 3.8
A knowledge and understanding of the internal and external environment of the audit client may uncover: incentives or pressures; opportunities and attitudes; or rationalisation to engage in fraudulent activity or the misappropriation of assets. For individuals, incentives or pressures may be personal circumstances or unrealistic expectations of management. Incentives or pressures for management are often associated with nancial goals set by the organisation or market expectations. Opportunity usually arises when there is an absence of adequate or effective internal controls. Internal control deciencies are often related to positions held by trusted employees. Rationalisation is the process of neutralising or justifying fraudulent activities or the misappropriation of assets.

Question 3.9
1 Human judgments. The effectiveness of controls can be limited by the judgments made by individuals. Even well-designed controls can break down (e.g. staff misunderstanding, being careless, fatigued). Management override. This refers to the overruling of prescribed policies and procedures by management (e.g. No need for credit clearance for X who is an excellent client). Collusion. Individuals acting in collusion can often circumvent controls (e.g. separation of duties becomes ineffective when collusion occurs). Cost versus benet. Organisations have to consider the costs versus the benets of establishing and monitoring controls. Benets, in particular, can be difcult to measure.

3 4

Question 3.10
1 If management lacks integrity, it is more likely that they might be prepared to produce materially misstated or misleading nancial statements. Accounts that were misstated in previous audits are more likely to contain similar misstatements in the current year. Lack of experience and knowledge may affect preparation of the nancial statements. Further, if poor business decisions are made, this is likely to result in pressure to manipulate the results. If the entity is experiencing cash ow problems and poor liquidity, there may be an incentive to make the nancial position look better. Small, high-value products are more likely to be stolen than bulky, low-value items. Transactions that are subject to difcult calculations or have complex accounting standard requirements, such as tax-effect accounting, are more likely to have errors than simple repetitive transactions.

5 6

3.4

SUGGESTED ANSWERS

ADVANCED AUDIT AND ASSURANCE

Some businesses are inherently risky because the nature of their products may mean that they are subject to the inherent risk of obsolescence due to improvements in technology. The existence of related-party transactions would also increase risk as the transactions are not with an independent party and so may be subject to manipulation. In addition, the required related-party accounting disclosures are quite complex. If there is a management compensation scheme that is tied to earnings or share prices, there is a clear incentive for management to misstate the result so that they can get a bonus. Similarly, if management has substantial shareholdings in the company, they have a vested interest in reporting a good result as it will affect the dividends they receive and the value of their shares. Pressure may also be placed on management by head ofce, major investors or lenders to meet budgets, forecasts or targets. The more judgment involved in determining an account balance, the greater the possibility of an error. Accounting estimates, such as provision for long-service leave or provision for warranty, are more likely to be subject to manipulation than routine factual data. Decisions involving subjective judgments, such as whether to capitalise development expenditure or whether an entity has control of a subsidiary, also have a high inherent risk. Items or events that require using the work of an expert, such as the value of properties, are more susceptible to misstatement as it is difcult for the non-expert to assess the true value. Transactions that are not subject to normal processing are more susceptible to misappropriation or errors. If the entity buys or sells goods in a foreign currency, inherent risk will also increase as there is a risk of incurring foreign-exchange losses due to changing exchange rates. If hedges are taken out for those transactions, the hedging contracts may be complex. The complexity of the recording of the transactions under the relevant accounting standards also increases the chance of an error.

10

11

12

13

Question 3.11
Inbound logistics completeness and valuation of inventory; recognition of liabilities; and timing of expenses. Operations measurement of COGS; and cost allocation issues. Outbound logistics sales cut-off; revenue recognition; and allocation of delivery costs.

ADVANCED AUDIT AND ASSURANCE

SUGGESTED ANSWERS

3.5

Marketing and sales revenue recognition; and collectibility of accounts receivable. Service warranty expenses and liabilities.

Question 3.12
Risks: Valuation of inventorywhat is the remaining value of inventory on hand? Completeness of warranty provisionsmay need rework and replacement. Valuation of accounts receivableunhappy customers are less likely to pay. Valuation of property, plant and equipmentmay raise impairment issues if it has an impact on the generation of cash ows from equipment.

Question 3.13
1 2 Tests of controls: iv; v; vi; viii. Substantive tests: i cut-off; ii valuation and allocation; iii existence; vii accuracy.

Case Study 3.1: LM Ltd


1 The audit plan must allow for additional testing of the monthly data coming to head ofce. The materiality of the areas affected by the poor quality reporting needs to be determined. You would need to consider how far these plans have gone and the implications for the valuation of property, plant and equipment in those countries. Potential employee costs including redundancy payments need to be considered. You would need to review the contract to assess the impact on the audit. Is the entity complying with the contract and are there penalties for non-compliance? Are there exchange rate implications? You would need to consider issues related to contingent liabilities, inventory valuation, collection of debtors, brand name valuation and going concern.

3.6

SUGGESTED ANSWERS

ADVANCED AUDIT AND ASSURANCE

Case Study 3.2: Beta Ltd


1 2 3 4 5 6 7 Assertions about inventory account balances at the period end: Completeness. Assertions about inventory account balances at the period end: Existence. Assertions about presentation and disclosure: Completeness. Assertions about inventory account balances at the period end: Rights and obligations. Assertions about inventory account balances at the period end: Valuation and allocation. Assertions about sales transactions and events: Occurrence. Assertions about sales transactions and events: Accuracy.

Case Study 3.3: Acme Ltd


Control category General controls 1 Organisational Separation of duties between analyst, programmers, operators, library function, and central control group. User participation in system design. Preparation of documentation on system description. Operator manuals and instructions. Control features to monitor data and system changes. Physical measures. File protection. Avoid incompatible functions, prevent manipulation. Observation of operations or review organisational charts. Specic control Purpose of control Technique to assess control

2 System development

Assure that system meets user needs. Provide explanation of system design. Ensure proper and efcient use of IT. Ensure that data are controlled and changes authorised. Limit physical access. Limit access to le data or manipulation.

Review manuals. Review the system documentation.

3 Operations

Review manuals and observe operations. Review organisational functions and procedures. Attempt access. Verify procedures for passwords, locks, badges or guards.

4 Data entry and program

ADVANCED AUDIT AND ASSURANCE

SUGGESTED ANSWERS

3.7

Case Study 3.4: CWC


General control concerns
Segregation of functions
The use of information technology (IT) generally implies that, due to increased processing speed, fewer people will be required to carry out data-processing activities. In CWCs case, there is a concentration of functions and knowledge, which means many conventional controls, based on the segregation of incompatible functions, are no longer possible. In particular, Jing has too much control and a signicant amount of authority over the IT system and individual e-commerce application programs. Jing seems to be performing the role of an IT manager who is also responsible for writing application programs. Jing also seems to be performing the tasks that would normally be carried out by a systems analyst. These functions are incompatible and should be segregated. It represents a serious control problem that can only be corrected by employing more staff. People involved with running IT systems should be organisationally independent of user departments. Jing wrote the application programs that initiate the transfer of credit card receipts to CWCs bank account and reconcile credit card deposits with individual customer sales accounts. When one considers that Jing is also expected to manually prepare and complete CWCs bank reconciliation, a control issue again arises regarding incompatible functions. Jing should not be involved in maintaining the local area network and the website. This represents a serious control issueespecially given Jings other duties.

Location of computers
The location of the computers above the cafeteria could present a signicant security risk should there be a re. Also, the fact that staff need to open windows in summer raises issues regarding unauthorised access to the computers and staff safety.

Backup and recovery concerns


Backup copies should be taken on a regular basis (more frequently than monthly) and stored at a commercial offsite location. Other standard backup protocols should also be introduced.

Staff issues
Jing is working extremely long hours, which could ultimately lead to health and safety concerns. There appears to be a fairly strong argument to employ additional staff to support the work currently done by Jing and Melissa. Angie is relying on the fact that Melissa and, in particular, Jing are honest people who would not take advantage of their positions. Given the size of Jings mortgage this issue becomes all the more signicant.

Environmental conditions
CWC should install central-heating and air-conditioning systems which can reduce the risk of damage to its IT systems from environmental hazards.

3.8

SUGGESTED ANSWERS

ADVANCED AUDIT AND ASSURANCE

Specic control concerns


Dual system
It is of concern that no attempt has been made to protect the reputation of CWC by running together the phone sales-ordering system and the internet sales-ordering system for a period of six to 12 months. This would provide a backup arrangement should any teething problems with the internet sales-ordering system arise.

Documentation
The systems documentation that does exist is poor and difcult to understand. It is essential for Jing to maintain up-to-date documentation of the new system that is complete and accurate. All of the application programs and interface issues seem to be in Jings head, which is of little use to CWC should anything happen to Jing.

Physical security over data and programs


Staff are allowed to play games on their computers at work. Computer viruses probably represent the greatest single threat in a personal computer environment. It is therefore essential that controls be put in place to restrict and scan all input for viruses. The practice of allowing operators to bring in their own computer games to play should cease immediately.

Case Study 3.5: ProGolf Ltd


Source of threat 1 Economy Potential audit implications collectibility of receivables valuation of non-current assets related to impairment; and viability due to potential loss of customers (luxury item). valuation of inventory (prices drop quickly due to loss of potential second-hand market); valuation of equipment (some equipment may become redundant); and viability (depends on ability to adapt in a timely manner). control environment (pressure to cut corners to meet demand); potential impact on wastage rates; and implications for managing and follow-on effects. demand is sensitive to brand image, valuation of brand names; inventory valuation resulting from lower sales; and control environment. impact on margins as new retailers are more powerful, and control environment (pressure on staff to cut costs or increase sales to keep prots up). potential decrease in demand with potential impact on valuation of inventory and equipment; and control environment (pressure to increase sales).

Regulation, technology

Suppliers

Alliances, customers Retailers

Technology competition

ADVANCED AUDIT AND ASSURANCE

SUGGESTED ANSWERS

3.9

Source of threat 7 Suppliers of insurance

Potential audit implications Note: This has been included to show that you really need to know your clients industry to understand the implications for the audit. If you lengthen the time between golfers teeing off, you decrease the number of golfers that can play on a course and therefore potential overall demand. Calculations could be done on the total impact across a city to determine the potential affect on demand.

Legal, customer

increase in warranty costs; inventory valuation; accounts receivable valuation (collectibility more difcult after problems); and potential litigation.

Case Study 3.6: Cosmic Electronics Ltd


A strength of Cosmic Electronics Ltd is its strong brand name based on its reputation for reliability. This indicates that warranty claims and rework are likely to be low. Hence, audit risk in relation to warranty expenses and provisions will be low. A threat to Cosmic Electronics Ltd will be the entry of the low-cost substitute component. This threat is likely to affect sales, creating a downward pressure on prices and introducing the possibility of obsolete inventory. This threat will increase the audit risk associated with the valuation of inventory. As this is Cosmic Electronics Ltds leading selling component, it may ultimately affect the viability of Cosmic Electronics Ltd as a going concern.

Case Study 3.7: Airline industry


Political government stability in routes own; trafc rights and freedom (e.g. what countries can the aircraft land in); route restrictions (e.g. open sky agreements); airport restrictions; taxation on tickets; and terrorist activities. Economic ination, employment, economic growth etc; industry capacity; increased competition in general and on specic routes; world fuel prices; currency trends and uctuations; strength of aircraft suppliers; availability of staff (e.g. pilots); and greater competition.

3.10

SUGGESTED ANSWERS

ADVANCED AUDIT AND ASSURANCE

Sociocultural population demographics; attitude to leisure and work; changes in the propensity to travel; appeal of substitute products (e.g. rail, telephone conferences); rising expectations for plane comfort/services; changes in economic distribution; and employees requiring greater exibility. Technological new types of aircraft; new capabilities of aircraft; electronic tickets; better databases (e.g. frequent yers); upgrading of IT systems; integrated reservation systems with alliance partners; and availability of internet to compare prices. Environmental environment regulation related to noise and pollution emission; airport curfews related to noise level; community around airports; and fuel consumption. Legal safety regulations; foreign ownership regulations; and employment law.

Case Study 3.8: Timber oors


1 2 Power of buyers. Risks include: decreased protability; holding excess inventory; and potential for slow collection of debtors.

From an audit planning perspective this has implications for the valuation of both inventory and accounts receivable; there are potential going concern issues to be considered.

Case Study 3.9: Creamy Ltd


Failure to deliver products on time is likely to cause loss of customer satisfaction and erosion of market share in a competitive market. This is likely to lead to a loss of revenues and prots. From an audit perspective, it may lead to going concern problems. It also has implications for the impairment of non-current assets and collectibility of accounts receivable.

ADVANCED AUDIT AND ASSURANCE

SUGGESTED ANSWERS

3.11

Case Study 3.10: QRS Ltd


1 a Gross margin = Gross prot/Sales 20X9 = 5808 21 228 = 27.4% 20X8 = 3733 19 393 = 19.2% Net prot = Net operating prot after tax/Sales 20X9 = 2100 21 228 = 9.9% 20X8 = 1117 19 393 = 5.8% Asset turnover = Sales/Total assets 20X9 = 21 228 74 836 = 28.4% 20X8 = 19 393 71 908 = 27.0% Return on total assets = Operating prot before tax/Total assets 20X9 = 3000 74 836 = 4% 20X8 = 1596 71 908 = 2.2% Current ratio = current assets/current liabilities 20X9 = 17 010 26 676 = 0.64 20X8 = 12 774 29 922 = 0.43 Quick asset ratio = (cash + receivables)/current liabilities 20X9 = (5162 + 4500) 26 676 = 0.36 20X8 = (4480 + 4000) 29 922 = 0.28 Inventory turnover = COGS/Closing inventory 20X9 = (21 228 5808) 7348 = 2.1 times 20X8 = (19 393 3733) 4294 = 3.6 times Debtors turnover = Credit sales/Closing debtors* 20X9 = 21 228 4500= 4.7 times 20X8 = 19 393 4000 = 4.8 times Debt/Equity ratio = Long-term liabilities/Equity 20X9 = 33 314 14 846 = 2.2 20X8 = 29 240 12 746 = 2.3 Days in inventory = (Closing inventory 365)/COGS 20X9 = (7348 365) / (21 228 5808) = 174 days 20X8 = (4294 365) / (19 393 3733) = 100 days Days in debtors = (Closing debtors* 365)/Sales 20X9 = (4500 365) / 21 228 = 77 days 20X8 = (4000 365) / 19 393 = 75 days

* Note: Excludes non-current receivable which is represented by an amount in dispute with the tax ofce.

Current receivables (valuation and allocation): have increased by over 10 per cent; I slight decrease in debtors turnover; I days in debtors is high at 77 days; I retailers complaining about quality which may impact on collectibility; and I with many customers paying in foreign currencies, accuracy of currency translation is a risk.
I

3.12

SUGGESTED ANSWERS

ADVANCED AUDIT AND ASSURANCE

Non-current receivables (existence): I further evidence would be needed on the collectibility of this amount from the tax ofce. Inventory (valuation and allocation): inventory turnover is considerably slower (3.6 to 2.1 times); and I grape prices have dropped; carrying value of raw materials, work in progress and nished goods (at standard cost) needs to be checked.
I

Earnings management/fraud risk: reputation of CEO for increasing prot; I criticism of analysts; I stock options and impending retirement of CEO in two years; and I gross prot and net prot are growing much quicker than sales.
I

Going concern while there is an improvement in liquidity ratios, they are quite low; I concern about quality of the product; I debt not reduced in line with managements plans; I not moving to new technology because of capital investment outlays; and I decrease in debt/equity ratio.
I

Case Study 3.11: MNO Ltd


There is a trend upwards for both accounts receivable and inventory as a percentage of total assets, and both gures are higher than for competitors. Inventory and debtors turnover rates should be followed up. COGS is higher than for competitors but it is improving for MNO Ltd over the four year period. Interest is a higher percentage than for competitors but non-current liabilities are generally smaller. Depreciation is decreasing and is lower than competitors but so are non-current assets. Prot after tax is considerably lower than competitors (as a percentage of expenses). This should be considered in relation to the information obtained as part of the strategic analysis of MNO Ltd. There has been an increase in returns. The reasons should be ascertained.

Vous aimerez peut-être aussi