Postgraduate Diploma

in Risk Management

AUDITING FOR RISK

Module Guide

Copyright © 2020
MANAGEMENT COLLEGE OF SOUTHERN AFRICA
All rights reserved; no part of this book may be reproduced in any form or by any means, including photocopying machines, without
the written permission of the publisher. Please report all errors and omissions to the following email address:
[email protected]
 Auditing for Risk

Postgraduate Diploma
in Risk Management
AUDITING FOR RISK

Preface............................................................................................................................................................... 2

Unit 1: Introduction to Auditing ........................................................................................................................... 9

Unit 2: The Code of Professional Conduct ....................................................................................................... 25

Unit 3: Corporate Governance – KING IV Code ............................................................................................... 43

Unit 4: General Principles of Auditing............................................................................................................... 58

Unit 5: The Important Elements of the Internal Process ................................................................................... 80

Unit 6: Revenue and Receipts Cycle................................................................................................................ 95

Unit 7: Acquisitions and Payment Cycle ......................................................................................................... 109

Unit 8: Inventory and Production Cycle .......................................................................................................... 124

Unit 9: Human Resources Cycle .................................................................................................................... 135

Unit 10: Computer Auditing ............................................................................................................................ 147

References..................................................................................................................................................... 175

i
Auditing for Risk

List of Contents
List of Tables

Table 1.1 Elements of assurance angegement ............................................................................................................ 16

Table 1.2 Comparison of professional accounting bodies ............................................................................................ 19

Table 1.3 The Public Interest Score:............................................................................................................................. 21

Table 1.4 Sufficient Appropriate Evidence .................................................................................................................... 65

Table 1.5: Nature, Extent, and Timing of Evidence ...................................................................................................... 65

Table 1.7 Internal controls and tests of control ........................................................................................................... 127

List of Figures and Illustrations

Figure 1.1 Buying a car online VS What is auditing (Griffiths, 2016) ........................................................................... 12

Figure 1.2 Buying a car online VS What is auditing ...................................................................................................... 13

Figure 1.3: Categories of controls ................................................................................................................................ 61

Figure 1.4: The audit process ....................................................................................................................................... 82

Figure 1.5 Assertions .................................................................................................................................................... 85

Figure 1.6 Revenue and Receipts Flowchart ............................................................................................................. 101

Figure 1.7: Acquisition and payment flow chart .......................................................................................................... 113

Figure 1.8 Inventory production flow chart .................................................................................................................. 126

Figure 1.9 Human resources flow chart ...................................................................................................................... 137

1 MANCOSA – Postgraduate Diploma in Risk Management

 Auditing for Risk

Preface
A. Welcome

Dear Student
It is a great pleasure to welcome you to Auditing for Risk (AFR8). To make sure that you share our passion about this
area of study, we encourage you to read this overview thoroughly. Refer to it as often as you need to since it will certainly
make studying this module a lot easier. The intention of this module is to develop both your confidence and proficiency in
this module.

The field of Auditing for Risk is extremely dynamic and challenging. The learning content, activities and self- study
questions contained in this guide will therefore provide you with opportunities to explore the latest developments in this
field and help you to discover the field of Auditing as it is practiced today.

This is a distance-learning module. Since you do not have a tutor standing next to you while you study, you need to apply
self-discipline. You will have the opportunity to collaborate with each other via social media tools. Your study skills will
include self-direction and responsibility. However, you will gain a lot from the experience! These study skills will contribute
to your life skills, which will help you to succeed in all areas of life.

We hope you enjoy the module.

B. Module Overview

The module is a 15 credit module at NQF level 8

This module is concerned with the external and internal audit of various entities, and the ethics of business managers and
auditors. The aim of the course is to develop a knowledge and understanding of auditing, including the legal framework,
the standard setting process and business environment in which auditing is conducted. The students will gain knowledge
and understanding of the process of carrying out assurance engagements and the value of auditing for validating financial
accounts and improving control over businesses. Also, an appreciation of the relationship of ethical standards in business
with establishing and verifying control is developed.

This course provides the fundamental knowledge needed to become effective in performing risk-based audits.
Fundamental concepts such as the audit framework, standards and regulation, ethics, risk assessment, substantive audit,
audit evidence and audit review and finalisation are provided to help you understand the application to the audit
engagement.

During this course, you will participate in interactive activities and real-life scenarios. Be prepared to walk away with best
practices and key takeaways you can apply to your organization and its audit function. In addition, you will learn the value
this approach brings to your organization. This course is designed for audit practitioners who want to learn the principles
and concepts of audit, fraud, risk and risk management, as well the tools and techniques used to perform a risk-based
audits.

MANCOSA – Postgraduate Diploma in Risk Management 2

Auditing for Risk

C. Exit Level Outcomes and Associated Assessment Criteria of the Programme

Exit Level Outcomes (ELOs) Associated Assessment Criteria (AACs)

Understand the evolution and importance of Evolution and importance of establishing a risk
establishing a risk management culture management culture is understood to assist in
controlling and managing risk

Display an understanding of the risk management Growth in an organisation is promoted by assessing

framework and risk specific modelling as a means of risks using risk models and through the implementation
assessing risk so as to promote and grow the of a risk management framework
organisation

Employ integrated knowledge to solve complex risk Integrated knowledge is employed to assist in solving
management problems in an organisation and pose and providing solutions for risk management problems
viable solutions that an organisation is faced with

Identify and mitigate risk relating to an individual Risk relating to an individual project and an
project or organisation as a whole organisation are identified and mitigated in order to
reduce the likelihood and impact of the risk in the future

Understand the role of management and leadership Role of management and leadership is understood to
in organisational success establish the manner in which it contributes to an
organisations success

Demonstrate an understanding of varying risks Understanding of the various risks that exist within
within the different corporate levels of an different corporate levels of an organisation are
organisation demonstrated to encourage the risk control processes

Possess the ability to identify and manage the Ability to identify and manage fraud in an organisation
various types of fraud that is prevalent within an is processed to assist in preventing any future
organisational context fraudulent activities from occurring

Demonstrate an appreciation and understanding of Appreciation of ethics, compliance and accountability is

ethics, compliance and accountability demonstrated to promote a healthy organisational
environment

Apply the concepts of risk mapping and risk Concepts of risk mapping and modelling are applied to
modelling to process information for decision- enable management to make an informed decision with
making regard to the risk process.

3 MANCOSA – Postgraduate Diploma in Risk Management

 Auditing for Risk

D. Learning Outcomes and Associated Assessment Criteria of the Module Guide

LEARNING OUTCOMES OF THE MODULE ASSOCIATED ASSESSMENT CRITERIA OF THE MODULE

Understand the relevance and importance of Relevance and importance of forensic auditing is
forensic auditing to risk management in theory understood to evaluate the theory of risk management in
and industry association to the appropriate industry
Distinction is made between the different types of fraud
Distinguish between the various types of fraud
that exist in an organisation to assist in developing the
found in an organisation
appropriate fraud assessment criteria

Ability to detect and correct the various types of fraud in

Demonstrate the ability to detect and correct
an organisation is demonstrated in order to mitigate fraud
the various types of fraud within an organisation
that could impact on an organisations operations
negatively

Duties and responsibilities of an auditor are recognised in

Recognise the duties, responsibilities and
order to apply the relevant fraud and risk management
applicability of an auditor to fraud auditing and
principles and reduce risks to an acceptable level
risk management

Importance of managing risk is understood to handle fraud

Understand the importance of being able to
and prevent negative synergies that can affect an
handle fraud and prevent any negative synergy
organisations operation
that can arise

MANCOSA – Postgraduate Diploma in Risk Management 4

Auditing for Risk

E. Notional Learning Hours

Learning

Types of learning activities time

Lectures/Workshops (face to face) 25

Tutorials/Practicals (smaller groups) 5

Syndicate groups -

Practical workplace experience (experiential learning/work-based learning etc.) -

Independent self-study of standard texts and references (study guides, books, journal 30
articles)

Independent self-study of specially prepared materials (case studies, multi-media, etc.) -

Assessment: 40

Actual Tests, Examinations and/or Continuous Assessments

Preparation for Tests and Examinations

Assignments- preparation and/or presentations

Online: Teaching and Learning Strategy -

Other: -

TOTAL 100

F. Acronyms
AFS Annual Financial Statements

CAATs Computer Assisted Audit Techniques

CPC Code of Professional Conduct

EFT Internet Fund Transfer

GAAP Generally Accepted Accounting Practice

GRN Goods Received Notes

IFRS International Financial Reporting Standard

IESBA International Ethics Standards Board for Accountants

INC. Incorporated

5 MANCOSA – Postgraduate Diploma in Risk Management

 Auditing for Risk

IoDSA Institute of Directors of Southern Africa

ISA International Standard on Auditing

ISO Internal Sales Order

IRBA Independent Regulatory Board of Auditors

ISRE International Standards on Review Engagements

Ltd Limited

PC Personal Computer

PI Public Interest

Pty Proprietary

SME Small Medium Enterprise

G. How to Use this Module

This Module Guide was compiled to help you work through your units and textbook for this module, by breaking
your studies into manageable parts. The Module Guide gives you extra theory and explanations where necessary, and so
enables you to get the most from your module.

The purpose of the Module Guide is to allow you the opportunity to integrate the theoretical concepts from the prescribed
textbook and recommended readings. We suggest that you briefly skim read through the entire guide to get an overview
of its contents.
At the beginning of each Unit, you will find a list of Learning Outcomes and Assessment Standards. This outlines the main
points that you should understand when you have completed the Unit/s. Do not attempt to read and study everything at
once. Each study session should be 90 minutes without a break

This module should be studied using the recommended textbook/s and the relevant sections of this Module Guide. You
must read about the topic that you intend to study in the appropriate section before you start reading the textbook in detail.
Ensure that you make your own notes as you work through both the textbook and this module. In the event that you do
not have the prescribed textbook, you must make use of any other source that deals with the sections in this module. If
you want to do further reading, and want to obtain publications that were used as source documents when we wrote this
guide, you should look at the reference list and the bibliography at the end of the Module Guide. In addition, at the end of
each Unit there is a link to the PowerPoint presentation and other useful reading.

H. Study Material
The study material for this module includes tutorial letters, programme handbook, this Module Guide, prescribed textbook
which is supplemented by recommended readings. The Module Guide is written based on a prescribed textbook which is
supplemented by recommended readings.

MANCOSA – Postgraduate Diploma in Risk Management 6

Auditing for Risk

I. Prescribed and Recommended Textbook/Readings

There is at least one prescribed and recommended textbooks/readings allocated for the module.
The prescribed and recommended readings/textbooks presents a tremendous amount of material in a simple, easy-to-
learn format. You should read ahead during your course. Make a point of it to re-read the learning content in your module
textbook. This will increase your retention of important concepts and skills. You may wish to read more widely than just
the Module Guide and the prescribed and recommended textbooks/readings, the Bibliography and Reference list provides
you with additional reading.

The prescribed and recommended textbooks/readings for this module is:

Auditing Notes for South African students 10th Edition – Jackson and Stent, LexisNexis Publishers, 2016.

Singleton, T. W. & Singleton, A. J. (2010). Fraud Auditing and Forensic Accounting. 4th Edition. Wiley & Sons
Publishing.
Bologna, G, T. & Lindquist, R, T. (1995). Fraud Auditing and Forensic Accounting: new Tools and Techniques.
Wiley & Sons
Auditing Fundamentals in a South African context (Second edition), 2018
Dutta, S, K. (2013). Statistical Techniques for Forensic Accounting: Understanding the Theory and Application of
data analysis. Pearson.
Hopwood, W., Young, G. & Leiner, J. (2012). Forensic Accounting and Fraud Examination. 2nd Edition. McGraw-
Hill.
Albrecht, W, S., Albrecht, C, O., Albrecht, C, C. & Zimbelman, M, F, (2016). Fraud Examination. 5th Edition. Cengage
Learning

J Special Features
In the Module Guide, you will find the following icons together with a description. These are designed to help you study. It
is imperative that you work through them as they also provide guidelines for examination purposes.

Special Feature Icon Explanation

LEARNING The Learning Outcomes indicate what aspects of the particular Unit you
OUTCOMES have to master and demonstrate that you have mastered them.

ASSOCIATED The Associated Assessment Criteria is the evaluation of student

ASSESSMENT understanding with respect to agreed-upon outcomes. The Criteria set the
CRITERIA standard for the successful demonstration of the understanding of a concept
or skill.

7 MANCOSA – Postgraduate Diploma in Risk Management

 Auditing for Risk

THINK POINT A think point asks you to stop and think about an issue. Sometimes you are
asked to apply a concept to your own experience or to think of an example.

ACTIVITY You may come across activities that ask you to carry out specific tasks. In
most cases, there are no right or wrong answers to these activities. The aim
of the activities is to give you an opportunity to apply what you have learned.

READINGS At this point, you should read the reference supplied. If you are unable to
acquire the suggested readings, then you are welcome to consult any
current source that deals with the subject. This constitutes research.

PRACTICAL Real examples or cases will be discussed to enhance understanding of this

APPLICATION Module Guide.
OR EXAMPLES

SELF-TEST You may come across self-test questions at the end of each Unit that will
QUESTIONS test your knowledge. You should refer to the module for the answers or your
textbook(s).

REVISION You may come across self-assessment questions that test your
QUESTIONS understanding of what you have learned so far. These may be attempted
with the aid of your textbooks, journal articles and Module Guide.

CASE STUDY Case studies are included in different sections in this module guide. This
activity provides students with the opportunity to apply theory to practice.

MANCOSA – Postgraduate Diploma in Risk Management 8

 Auditing for Risk

Unit
1: Introduction to Auditing

9 MANCOSA – Postgraduate Diploma in Risk Management

 Auditing for Risk

Unit Learning Outcomes and Associated Assessment Criteria

LEARNING OUTCOMES OF THIS UNIT: ASSOCIATED ASSESSMENT CRITERIA OF THIS UNIT:

Explain what is auditing Illustrations and activities are provided to assist the
student in understanding and explaining the concept
of auditing.

Explain the different components in financial audit Tables and activity is provided to help understand the
components of a financial audit

Explain the aims and objectives of the auditing Case study is provided to assist in understanding the
profession as a whole aims and objectives of the auditing profession

Discuss various corporate scandals collapses, as Activity and case study is provided to assist in the
a result of poor/insufficient audit practices discussion of corporate scandals and inefficient audit
practices.

Summary
The Unit is an introduction to Auditing. It will introduce important aspects of auditing theory, terms and concepts in
auditing. These will be further expanded on in sebsequent Units.

Prescribed / Recommended Readings

Singleton, T. W. & Singleton, A. J. (2010). Fraud Auditing and Forensic

Accounting. 4th Edition. Wiley & Sons Publishing.
Bologna, G, T. & Lindquist, R, T. (1995). Fraud Auditing and Forensic
Accounting: new Tools and Techniques. Wiley & Sons
Dutta, S, K. (2013). Statistical Techniques for Forensic Accounting:
Understanding the Theory and Application of data analysis. Pearson.
Hopwood, W., Young, G. & Leiner, J. (2012). Forensic Accounting and Fraud
Examination. 2nd Edition. McGraw-Hill.
Albrecht, W, S., Albrecht, C, O., Albrecht, C, C. & Zimbelman, M, F, (2016).
Fraud Examination. 5th Edition. Cengage Learning

MANCOSA – Postgraduate Diploma in Risk Management 10

Auditing for Risk

1.1 Introduction to Auditing

Theory and philosophy of auditing
Without a doubt we all have some idea about what an auditor is and what an auditor does, but these ideas are usually
based on what we see in the media, and are often vague or clouded with misconceptions! We hear or read that the
“auditors are investigating the matter”, or that the Auditor General “tabled his report in parliament”. On television, for
example, the national lottery shows or Miss South Africa pageant, we are told that “the auditors are standing by to verify
the results” and we occasionally read in the newspaper that an “environmental audit” has been carried out for a large
industrial company. Auditors seem to be involved in numerous different activities and there seem to be numerous different
kinds of “auditor”. But, do we really know what an Auditor is?

We start of by taking an example that has nothing to do with what an auditor does on daily basis. Let’s assume you want
to buy a car, and instead of going to a dealership, you decide to go online website to search for your dream car. This will
be very convenient, however it comes with a few risks which will be of concern to you as a buyer i.e. are the sellers going
to be honest and reliable to you? You might not see the car yourself in person, also you might not be an expert or
knowledgeable about the good state of the car. In order to make your decision, you will have a list of criteria i.e. you will
only buy a red car, it must be a 2018 model, it must be at a certain price range, with certain accessories and in a certain
condition. The problem is, there will be numerous cars that will meet your criteria online. The burning question will be; can
you rely on the information you are looking at? But you will feel a lot better if there was a third party who will look at the
car for you and tell you if it meets your criteria and if the information furnished can somehow be relied on. You will in
essence be looking for some kind of reasonable assurance from that third party as before you part with your money, you
want to make sure that what the seller is saying is reliable and if the information furnished can be relied on. However, be
careful that the third party is actually telling you that “yes” the car is red, 2018 model, within your price range, with your
intended accessories and the condition you require.

The third party is not telling you if you should be buying a red car, 2018 model, at that price, with those accessories and
in that condition. It is not their job to tell you what kind of a car to buy. The question that remains is…” Why would you
trust a third party?” …” Why would you rely on what they say?” It is the fact that they are independent. Furthermore, the
more independent they are means they have nothing to gain or lose by you choosing or not choosing to buy this car.
Lastly, they knowledge about cars is very important to you.

11 MANCOSA – Postgraduate Diploma in Risk Management

 Auditing for Risk

1Figure 1.1 Buying a car online VS What is auditing

(Griffiths, 2016)

The above example is very simple, but it introduced us to a couple of cencepts (in bold). We know that the information
needs to reliable, because the concern is you will be making a decision. We spoke about placing trust on third parties
as they are independent and the fact that they give us reasonable assurance on the information given as they are well
knowleadgable.

Now if we look at this example in auditing terms, it wouldn’t be a car that you buying online, but it would be a set of Annual
Financial Statements (AFS) that you are looking at. Also you not looking to buy a car, but you looking to invest in a
company or offer a loan to a company. You will be making your decision based on their AFS. The rest is the same, you
need to know if you can rely on the information in the AFS, that the directors are actually telling you what is the truth and
what you want to hear. The third party would be auditors, who will be independent of what the directors say in the AFS.
Auditors will be giving you assurance on the reliability of those AFS. Why trust the auditors? Because you expect them to
be independednt and have the knowlegeable to asses those AFS. Again, you do not expect them to give you advice on if
you invest or offer a loan to the company, as they are job is to tell you that these AFS are reliable!

MANCOSA – Postgraduate Diploma in Risk Management 12

Auditing for Risk

2
Figure 1.2 Buying a car online VS What is auditing
(Griffiths, 2016)

What is an auditor?
A person who gives reasonable assurance by comparing what is with what should be (a standard) and expressing an
opinion/conclusion (Jackson & Stent, 2016).

1.1.1. Types of auditors (Jackson & Stent, 2016)

a. registered (external) auditors – auditors who express an independent opinion on whether the annual financial
statements of a company, fairly present the financial position and results of the company’s operations. The
external auditor is not an employee of the company.

b. internal auditors – auditors who perform independent assignments on behalf of the board of directors of the
company. These assignments are varied but usually relate to the evaluation of the efficiency, economy and
effectiveness of the company’s internal control systems and business activities and to the evaluation of whether
the company has identified and is responding to the business risks faced by the company.

c. government auditors – government auditors perform a role similar to that of the internal auditor – but within
government departments. They will evaluate and investigate the financial affairs of government departments,
reporting their findings to senior government.

d. forensic auditors – forensic auditors concentrate on investigating and gathering evidence where there has been
alleged financial mismanagement, theft or fraud. Forensic audits may be carried out in any government or
business entity, but it should be obvious to you that the forensic auditor needs to be independent of the entity
under investigation.

13 MANCOSA – Postgraduate Diploma in Risk Management

 Auditing for Risk

e. special purpose auditors – these are auditors who specialise in a particular field such as environmental
auditors, who audit compliance with environmental regulations, and VAT auditors who work for the South African
Revenue Services and who audit vendors’ VAT returns.

Note: This study guide deals primarily with registered auditors, the external audit of financial statements and the
assurance (opinion) given for this common engagement.

1.1.2. Why is there a need for auditors?

a. The split between ownership and management
The need for modern day auditors, both external and internal, arose out of the natural development of owner-
managed businesses into entities which were owned by people who did not manage the business.

b. Confidence in financial information

In order to maintain the confidence of those who invest in business, whether they are members of the general
public or investment companies, assurance is required that the financial information produced by business
organisations is reliable and credible. It is the auditor of the financial information who provides this assurance
(credibility).

c. Accountability
The dominant reason for this is that the world at large requires accountability. Directors must be held accountable
for the way in which they run their businesses, the government must be held accountable for the way it spends
taxpayers’ money, and companies whose activities affect the environment must be held accountable for the way
in which they adhere to environmental regulation and legislation.
In a nutshell, auditors add credibility to financial information.

1.1.3. Auditing Postulates

To postulte is defined by the webster online dictionary as:
to assume or claim as true, existent, or necessary (Von Wielligh & Prinsloo, 2014).
Mautz and sharaf dodumented the auditing postulates in the philosophy of auditing ,which was published by the american
accounting association in 1961. These postulates provide the outline for the theory of auditing. They also form the basis
of the IFAC International Code of Ethics for Professional Accountants, which was adopted (with a few modifications) by
the South African Institute of Chartered Accountants and in part by the IndependeT Regulatory Board for Auditors in South
Africa (these are discussed in Unit 2 of this study guide. The postulates (‘assumed truths’) can be summarised as follows:
Truth and fairness
o Financial statements and financial data are verifiable.
o This postulates refers to the fact that it is possible to verify the client’s financial statements. This is
necessary to make it possible to perform an audit, as the auditor verifies whether the financial statements
are true and fair or not .

MANCOSA – Postgraduate Diploma in Risk Management 14

Auditing for Risk

The financial statements and other information submitted for verification are free from collusive and other
irregularities.
o When starting the audit, the auditor can assume that management has taken the necessary steps to
ensure that there has been no deliberate attempt to misstate the financial statements.
Constistent application of generally accepted accounting principles results in the fair presentation of financial position
and the results of operations .
o This assumes that if the client applies one of the financial accounting frameworks (e.g ifrs), fair financial
presentation will occur.
In the absence of clear evidence is found to the contrary, what has held true in the past for the enterprise under
examination will hold true in the future.
o If no evidence is found to the contrary, the auditor assumes that the intergrity of the management of the
company will stay the same in the future years.
Independence
o There is no conflict of interest between the auditors and the managent of the the management of the
interprise under audit.
o This assumes that the management of the company and the auditor of the company share the same
goal, namely that the financial statements provide a fair presentation.
The professional status of the independent auditor imposes commensurate proffessional obligations.
o The professional status of the auditor brings the responsibility of professional behavior, professional
competence and due care, objectivity, confidentiality and integrity. This also assume that he or she has
the knowledge and capabilities to perform the audit.
When examining financial data for the purpose of expresssing an independent opinion thereon ,the auditors act
exclusively in the capacity of auditor.
o In order for the audit opinion to be reliable, the the auditor needs to be, and be seen to be, objective.
The focus of the auditor should be express an opinion on the financial statements and not on other
services he or she can provide to the audit client.

1.2. Financial statement audit engagement – Assurance engagements

We have mentioned thtote word “assurance” on several occasions when discussiing what an auditor is. In terms of the
International Framework for Assurance Engagements, an assurance engagement is one in which the professional
accountant “expresses a conclusion designed to enhance the degree of confidence of the intended users, other
than the responsible party, about the outcome of the evaluation or measurement of a subject matter against the
criteria”. Perhaps the easiest way to understand this rather tedious definition, is to break it down into its elements and
relate it to the audit or review of a set of financial statements.

15 MANCOSA – Postgraduate Diploma in Risk Management

 Auditing for Risk

1Table 1.1 Elements of assurance angegement

Element Example - audit Example - review
* three party relationship
professional accountant registered auditor registered auditor
responsible party directors responsible for AFS directors
intended user shareholders shareholders
* a subject matter * financial position, results of * financial position,
operations etc. results of operations etc.
* suitable criteria * International Financial International Financial
Reporting Standards Reporting Standards for
SMEs
* sufficient appropriate * the evidence the practitioner The evidence the reviewer needs to
evidence needs to be in a position to express a conclusion on whether
form an opinion as to anything has come to his attention
whether the financial statements are which causes him to believe the
free of financial statements are not prepared
material misstatement and in accordance with IFRS for SMEs.
are “presented fairly” in
terms of IFRS
* a written assurance report * the audit opinion report on The review conclusion
fair presentation (limited assurance)
(reasonable assurance)
(Jackson & Stent, 2016)

1.2.1. Types of engagements

a) The audit engagement: In assurance engagement, the auditor gathers sufficient appropriate evidence to form
an opinion on whether the directors, who are responsible for the financial statements, have applied IFRS
appropriately in presenting the financial position, financial performance, changes in equity, cash flows and
disclosure notes/ (subject matter). The opinion formed is then reported by the auditor to the shareholders in the
audit report (Jackson & Stent, 2016).
It is important to note that
for the auditor to form an opinion on fair presentation he must have suitable criteria in terms of which to
judge fair presentation. The auditor cannot just say that fair presentation has been achieved, fairness
can only be judged in terms of a benchmark or standard and this is where the accounting framework
comes in. The most common frameworks are IFRS and IFRS for SMEs.
the auditor must perform the audit in the prescribed manner. How he goes about this is laid down in the
International Standards on Auditing (ISAs) with which the auditor must comply in all aspects of the audit
i.e. planning, risk assessment, gathering evidence and reporting.
the audit engagement provides reasonable assurance.

MANCOSA – Postgraduate Diploma in Risk Management 16

Auditing for Risk

b) The review engagement: In a review engagement the reviewer (who will very often be a registered auditor)
gathers sufficient appropriate evidence to form a conclusion on whether anything has come to his attention
which causes him to believe that the financial statements prepared by the directors are not prepared in
accordance with IFRS for SMEs (or IFRS).
Again it is important to note that
the reviewer forms his conclusion in terms of defined criteria, in this case IFRS for SMEs. (Could also
be IFRS.)
the reviewer must perform the review in the prescribed manner. How he goes about it is laid down in
ISRE 2400 – International Standards on Review Engagements. Although some of the concepts or
procedures in the ISAs are relevant, the ISAs are auditing standards and are not applicable to a review
engagement.
the review engagement provides only limited assurance.

c) Non-assurance engagements: These include taxation services and a wide range of advisory services relating
to accounting, business performance, corporate finance, etc. These services can be classified as non-assurance
engagements.

Non-assurance engagements are engagements which do not meet the definition of an assurance engagement,
or do not contain the elements of assurance engagements. For example, in an advisory engagement the
practitioner does not normally report to a third party, or the client may not require any assurance, or there may
be no suitable criteria (benchmarks or framework) against which the subject matter of the engagement can be
reliably measured.

1.2.2. Types of assurances

a) Reasonable assurance: ISA 200 – Overall Objectives of the Independent Auditor, defines reasonable assurance
as a “high but not absolute” level of assurance. Reasonable assurance can only be given when the practitioner
has gathered sufficient appropriate evidence to satisfy himself that the risk that he expresses an inappropriate
opinion on the subject matter is acceptably low. In the context of an audit of financial statements this means that
the auditor carries out comprehensive procedures to gather evidence so that he can express an opinion, that the
financial statements are fairly presented (not materially misstated) in a positive form. The nature and extent of
the audit procedures he conducts, must satisfy the auditor that the risk that he will express an opinion that the
financial statements are fairly presented when in fact they are not, is low (Jackson & Stent, 2016).
reasonable assurance – audit – positive expression. A reasonable level of assurance is conveyed by
the use of the phrase in our opinion the financial statements present fairly …….

b) Limited assurance: Limited assurance is a level of assurance which is lower than reasonable assurance but
which is still "meaningful" to users (ISRE 2400). It has also been described as moderate assurance. Limited
assurance is given when the practitioner has gathered enough evidence to satisfy himself that the risk that he
expresses an inappropriate conclusion on the subject matter is greater than for a reasonable assurance
engagement, but still at an acceptably low level for the particular engagement (Jackson & Stent, 2016).

17 MANCOSA – Postgraduate Diploma in Risk Management

 Auditing for Risk

Because limited assurance is required for a review engagement the nature and extent of procedures conducted
by the reviewer will be far less comprehensive than for an audit, but the reviewer must still be satisfied that he
has gathered sufficient, appropriate evidenced to support his conclusion.
limited assurance – review – negative expression
A limited level of assurance is conveyed by not using the phrase "In our opinion ……"and replacing it
with “Nothing came to our attention which causes us to believe that these financial statements do not
present fairly…."

c) Absolute assurance: Having read the above discussion you may be wondering why the auditor cannot certify
or confirm that the financial statements are 100% correct. Why is the auditor restricted to providing reasonable
assurance? By carrying out more procedures couldn’t he actually confirm that the financial statements are
correct? Essentially the reason that the auditor cannot certify (provide absolute assurance) is that an audit has
inherent limitations which prevent the auditor from certifying or confirming the 100% correctness of a set of
financial statements. ISA 200 provides the basis for the following explanation of the inherent limitations of an
audit (Jackson & Stent, 2016).

1.2.3 Limitations of an audit

What are the limitations of auditing? As we know that audit is the independent examination of financial information of any
entity, whether profit oriented or not, and irrespective of its size, or legal form, when such an examination is conducted
with a view to expressing an opinion thereon. There are many advantages of auditing but there is also several limitations
of auditing (Jackson & Stent, 2016). These follow:
a) The nature of financial reporting - In the preparation of financial statements, management must apply
judgement in applying the relevant reporting framework, and financial statements contain many account
balances which are subjective.
b) The nature of audit procedures - There is always the possibility that management may not provide complete
information that is relevant to the preparation of the financial statements, and accordingly the auditor cannot be
certain that all relevant information has been received.
c) Audit evidence is usually persuasive rather than conclusive - an auditor is “persuaded” that an event or
transaction took place by the presence of documents or information provided by management, rather than by
actually witnessing the event.
d) The use of testing - due to financial and time constraints, therefore it is necessary to “test” check i.e. perform
procedures on only a sample of transactions and balances.
e) The inherent limitations of accounting and internal control systems - The auditor is obliged to place reliance
on the systems which the client has put in place to provide financial information; these systems have inherent
limitations which may result in the failure to detect errors or fraud.
f) Timeliness of financial reporting and the balance between benefit and cost - To be of any value the audit
opinion must be reported within a reasonable time after the financial year-end, and the benefit derived from the
audit must exceed the cost. To meet these practical requirements will generally lead to some compromise in the
audit, but it is compromise which users understand and accept.

MANCOSA – Postgraduate Diploma in Risk Management 18

Auditing for Risk

g) Other matters that affect the inherent limitations of an audit - There are frequently aspects of the audit or
assertions in the financial statements which are inherently difficult for the auditor to gather sufficient appropriate
evidence and which compound the limitations of the audit.

1.3 The Auditing profession in South Africa

1.3.1 Accounting bodies in South Africa
Professional accounting bodies have the statutory right to set admission criteria, rules of conduct and continued
education requirements that must be met before a person is deemed qualified (Jackson & Stent, 2016).
The professional accounting bodies so licenced include:
Southern African Institute for Business Accountants (SAIBA)
South African Institute of Chartered Accountants (SAICA)
South African Institute of Professional Accountants (SAIPA)
Chartered Institute of Management Accountants (CIMA)
Association of Chartered Certified Accountants (ACCA)
Institute of Accounting and Commerce (IAC)
South African Institute of Government Auditors (SAIGA)
Institute of Chartered Secretaries of South Africa (ICSA)

As government has given regulatory responsibility to these organisations, they in effect act as Self-Regulating
Organisations (SRO). Professional self-regulation under law is differentiated from other forms of self-regulation by the
fact that it is compulsory and is enforced through law under the authority of the state. As SROs the bodies are required
to set admission criteria, CPD requirements, discipline members, be financially viable and commit to the development of
the profession.

The following table provides a comparison of the professional accounting bodies:

2Table 1.2 Comparison of professional accounting bodies
Members Represent

SAICA 32 000 CFOs, FDs, CA, auditors

SAIPA 8 000 General accountants, SME practitioner

CIMA 1 500 Management accountants

IAC 800 General accountants, SME practitioner

ACCA 500 CFOs, FDs, CA, auditors

ICB 3 000 (mostly students) Bookkeepers and entry level accountants

(Von Wielligh & Prinsloo, 2014)

19 MANCOSA – Postgraduate Diploma in Risk Management

 Auditing for Risk

1.3.2 The public interest score

The Companies Act No. 71 of 2008 (New Companies Act) commenced on 1 May 2011, and introduced the concept of
the public interest score of a company. This is an important new development, as it will be crucial in determining the
financial reporting standards that the company must adopt (these provisions apply equally to close corporations). The
public interest score of a company will also determine whether the company is required to appoint a social and ethics
committee.
Under this system, a company is allocated points according to the number of its employees, its annual turnover, its
stakeholders and the level of third party liabilities at the end of the financial year.
The Public Interest Score is calculated thus:
1 point for each employee or the average number of employees throughout the year.
1 point per million rand of third party liability. This is the money owed in terms of loans, debentures, and other
financing.
1 point for each million rand of turnover during the financial year. If the turnover is half a million rand, score ½ point.
1 point for every individual who, at the end of the year, is known to have a direct or indirect beneficial interest in the
company. This will include shareholders, beneficiaries of a trust where a trust is a shareholder and other
stakeholders.

Companies scoring 350 points or more are required to have an audit.

Any company, whatever its points score, that holds funds of R5 million or more for a client in a fiduciary capacity, at any
time during the year, is also required to have an audit.

A company with a public interest score of between 100 and 349 points (both inclusive), must have its annual financial
statements audited only if they were internally compiled. In terms of the Regulations, annual financial statements are
“internally compiled” unless they are prepared by an independent accounting professional on the basis of financial records
provided by the company in question, and in accordance with relevant financial reporting standards.

MANCOSA – Postgraduate Diploma in Risk Management 20

Auditing for Risk

Companies scoring less than 100 points are required to have an independent review conducted by anyone who qualifies
as an accounting officer, unless circumstances indicate otherwise.

3Table 1.3 The Public Interest Score:

Public Interest Score in Points Company Close Corporations and owner

managed companies

Less than 100 Review No assurance engagement

required
100 to 349 Audit – if AFS are internally Audit – if AFS are internally
compiled compiled
Review – if AFS are externally No assurance if AFS are externally
compiled compiled
350 and above Audit – regardless of who Audit – regardless of who
compiled the AFS compiled the AFS
(Jackson & Stent, 2016)

1.4 Corporate Scandals

2017 was The Year of Corporate Scandals in South Africa. The five biggest ones were:
Steinhoff
KPMG
McKinsey
Bank currency rigging
Naspers

1.4.1 Steinhoff
Firstly, profits were inflated. The main source of inflated profits was from what he was led to believe was an external buying
group, which payed additional rebates to operating entities, which recorded a profit. “The buying group appears to be non-
existent and funded by loans from Steinhoff,” he said. These contributions flowed into all divisions, with the bulk being in
Europe.

Secondly, there were transactions where assets were acquired at inflated values.
Thirdly, there were a number of transactions where La Grange thought the parties Steinhoff was dealing with were valid
third parties, but in fact they were related to or influenced by Jooste (Von Wielligh & Prinsloo, 2014).

1.4.2 KPMG
KPMG’s South African branch came under fire and suffered a severe reputational hit after becoming caught up in a
growing corruption scandal surrounding one of the country’s most powerful families, the Guptas.

21 MANCOSA – Postgraduate Diploma in Risk Management

 Auditing for Risk

KPMG was accused of facilitating the Gupta family in tax evasion and corruption. While the firm denied any wrongdoing,
it admitted to missing several “red flags” in relation to the family’s accounts. At least eight senior KPMG South Africa
officials resigned in the wake of the scandal, including CEO Trevor Hoole.

The Gupta family, once called South Africa’s “shadow government” by former General Secretary of the Congress of South
African Trade Unions Zwelinzima Vavi, is a very wealthy and politically influential family with close ties to South African
president Jacob Zuma. It was alleged that the family exerts undue influence over government policies and dictates high
level governmental appointments in exchange for commercial opportunities.

The family’s empire ranges across multiple sectors, including technology and mining. No strangers to scandal, a campaign
for a Gupta family company brought down PR company Bell Pottinger earlier this year, following accusations of a racially
divisive campaign (Von Wielligh & Prinsloo, 2014).

KPMG audited Gupta companies for 15 years, finally terminating the relationship in 2016 amid growing concerns about
the family’s links to Zuma. In a statement KPMG said: “KPMG South Africa regrets that its association with the Guptas
and their business entities went on for far too long.”

1.4.3 McKinsey
South Africa’s political opposition Democratic Alliance says McKinsey steered funds to Trillian in order to secure an inflated
contract with Eskom that could have totalled 9.4 billion rand ($705 million) over four years, a draft McKinsey-Trillian
partnership document, seen by Reuters, showed.

McKinsey ended up earning around 1 billion rand and Trillian 564 million rand for a “Turnaround Plan” carried out at Eskom
between January and July 2016.

McKinsey says it has put aside its fee and will repay it if the contract with Eskom is found to be illegal.

McKinsey says it stopped working with Trillian after the company failed due diligence in March 2016. McKinsey said on
Tuesday it now regrets ever working alongside the Gupta-firm.

The size of the contract - $120 million for six months of advice - has also been heavily-criticized (Von Wielligh & Prinsloo,
2014).

1.4.4 Bank currency rigging

It has emerged that as many as 17 banks – including large international and South African banks – were involved in rigging
the rand. The country’s Competition Commission had revealed that global multinationals as well as South African-
headquartered banks had been involved in price fixing and market allocation in the trading of foreign currency pairs – for
at least a decade.

MANCOSA – Postgraduate Diploma in Risk Management 22

Auditing for Risk

The news came at a bad time for South Africa’s commercial banks, as they had been at loggerheads with the ANC elite
for refusing to do business with politically connected Oakbay. President Jacob Zuma had taken direct swipes at some of
these banks and would like to see the way opened for Oakbay to access commercial banking facilities. Oakbay was
controlled by Zuma’s friends, the Gupta brothers – accused of benefiting at the expense of taxpayers in a dossier on state
capture. The collusion and currency manipulation has been going on for a long time, suggesting that these practices were
entrenched and that therefore they cannot be blamed on rogue traders (Von Wielligh & Prinsloo, 2014).

1.4.5 Naspers
Naspers was being probed by a US law firm over whether Africa’s biggest company by market value was involved in
unlawful business practices related to a contract with South Africa’s politically connected Gupta family.

Pomerantz was investigating claims on behalf of investors after Naspers’s TV unit MultiChoice started its own probe into
the contract with ANN7, a 24-hour news channel formerly owned by the Guptas. Reports in South African media have
alleged that MultiChoice had a corrupt relationship with ANN7, which the family sold earlier this year.

“The investigation concerns whether Naspers and certain of its officers and/or directors have engaged in securities fraud
or other unlawful business practices,” Pomerantz said in a statement on Tuesday (Von Wielligh & Prinsloo, 2014).

1.5 Summary
This Unit introduced the theory, terms and concepts in auditing. It forms the basis of what will be exapnded on in the
subsequent Units.

Activity
You may come across activities that ask you to carry out specific tasks. In most cases,
there are no right or wrong answers to these activities. The aim of the activities is to
give you an opportunity to apply what you have learned.

The following are some of the key terms used in describing an external audit:
1. Independence
2. Public interest score
3. Inquiry
4. Sufficient appropriate audit evidence
5. International Standards on Auditing (ISAs)
6. Opinion
7. Reasonable assurance

You are required to:

Combine the above terms, plus any others you deem suitable to provide a clear description of the external audit function
for a company. (8 Marks)

23 MANCOSA – Postgraduate Diploma in Risk Management

 Auditing for Risk

1.6 Answers to Activity

An external audit is the term given to the examination of the private company’s financial statements by a registered auditor,
with the intention of expressing an opinion on the fair presentation of the financial statements. The audit opinion is not a
certification of the correctness of the financial statements, but it does provide the user of the financial statements with
reasonable assurance that fair presentation has been achieved. In the case of a private company the requirement for an
external audit will (usually) arise because its public interest score is 350 points or more; or its public interest score is from
100 to 349 and the company compiles its AFS internally. As the objective of the audit function is to add credibility to the
financial statements, the independence of the auditor is essential. If the auditor is not independent, his opinion will be of
little value to users.

To be in a position to express an opinion, the auditor must gather sufficient appropriate evidence on which to base his
opinion. There are a number of audit procedures which can be adopted to gather evidence amongst which are inquiry,
observation, inspection. To ensure that the audit is carried out to an acceptable standard, the auditor must comply with
the requirements of the International Standards on Auditing.

Case Study
Case Studies will give you an opportunity to apply theory to practice.

Case study 1.1

You are chatting with a close friend of yours, Andile Ndabezitha an engineer, after a game of tennis one evening and he
tells that he is purchasing a majority (75%) holding in a private company. In addition, he tells you he will be the managing
director but will retain the services of the two existing directors, neither whom are shareholders. There are four other
shareholders).

He also informs you that the company has, besides himself, 27 employees and that the expected turnover for the year is
R36 million and that the only liabilities which the company has are current creditors of just less than R1 million and long
term loans of R4.8 million. Andile has just been told by his lawyer, who is responsible for the formalities related to the
purchase of the company, that at the next annual general meeting of the company, an auditor will have to be appointed.
Andile is concerned about this and, knowing that you are in the auditing profession, he asks you the following questions:
1. Must the company have an auditor and if so, is it external r internal auditor the company must have?
(10 Marks)
2. Even if we aren’t required to appoint an auditor, can we still appoint one? Could I appoint you as the auditor?
(4 Marks)
3. Whose responsibility would it be to appoint the auditor and must there be an agreement amongst the directors as to
who the auditor should be? (2 Marks)
4. What benefit would there be from an audit for the company and for me, bearing in mind that I am the majority
shareholder and managing director? (6 Marks)

MANCOSA – Postgraduate Diploma in Risk Management 24

Auditing for Risk

Unit
2: The Code of Professional
Conduct

25 MANCOSA – Postgraduate Diploma in Risk Management

 Auditing for Risk

Unit Learning Outcomes and Associated Assessment Criteria

LEARNING OUTCOMES OF THIS UNIT: ASSOCIATED ASSESSMENT CRITERIA OF THIS UNIT:

Explain the steps in the Code of Professional Prescribed reading and activity is provided to assist
Conduct in explaining the steps of the professional code of
conduct that should be followed by an auditor.

Use the guidance of the Code of Professional Examples and activity are provided to assist in
Code to various scenarios understanding how the code of professional conduct
is applied to various ethical scenarios

Summary
The Unit looks at the guidelines of the Code of Professional Conduct of auditors and seeks to give guidance on how they
should conduct themselves in various scenarios that they face in the profession.

Prescribed / Recommended Reading

Singleton, T. W. & Singleton, A. J. (2010). Fraud Auditing and Forensic

Accounting. 4th Edition. Wiley & Sons Publishing.
Bologna, G, T. & Lindquist, R, T. (1995). Fraud Auditing and Forensic
Accounting: new Tools and Techniques. Wiley & Sons
Dutta, S, K. (2013). Statistical Techniques for Forensic Accounting:
Understanding the Theory and Application of data analysis. Pearson.
Hopwood, W., Young, G. & Leiner, J. (2012). Forensic Accounting and Fraud
Examination. 2nd Edition. McGraw-Hill.
Albrecht, W, S., Albrecht, C, O., Albrecht, C, C. & Zimbelman, M, F, (2016).
Fraud Examination. 5th Edition. Cengage Learning

MANCOSA – Postgraduate Diploma in Risk Management 26

Auditing for Risk

2.1 The Code of Professional Conduct

2.1.1 Introduction
The Board of the South African Institute of Chartered Accountants (“SAICA”) has adopted the International Ethics
Standards Board for Accountants’ (“IESBA”) Code of Ethics for Professional Accountants as amended in 2017, in its
entirety but have however included additional guidance in Part A to assist in the local application of certain requirements
applicable to all Chartered Accountants.

This Unit contains the Code of Professional Conduct (“Code”) of SAICA.

The Code is applicable to all SAICA members and associates and trainee accountants. A contravention of, or failure to
comply with any requirements of the Code, may be regarded as an offence in terms of section 34.10 of the SAICA By-
laws and as such may be investigated and if appropriate the member/associate/traineemay be found guilty and may be
liable for penalties as described in the By-laws.

The Code also conforms to the Independent Regulatory Board for Auditors (IRBA) Code of Professional Conduct for
Registered Auditors (Von Wielligh & Prinsloo, 2014).

This Code is based on:

Parts A (Sections 100 to 150) – General application of the Code
Parts B (Sections 200 to 291) – Chartered accountants in public practice
Parts C (Sections 300 to 350) – Chatered accountants in business
This Unit will focus on Parts A & B oF the Code of Professional Accountants of the International Ethics Standards Board
of Accountants (the “IESBA Code”) published by the International Federation of Accountancts (IFAC) in 2017 and is used
with the permission of IFAC.
To the extent that the Code contains provisions not contained in the IESBA Code of Ethics for Professional Accountants,
insertions in the Code are italisised and underlined.

Application:
In Part B, reference to audit services shall be applicable only to Chartered Accountants who are registered with the
Independent Regulatory Board for Auditors as Registered Auditors.
Reference to the term Chartered Accountant throughout the Code shall also refer to associate/trainee accountant to the
extent that the context applies.

2.2 The SAICA Code of Professional Conduct (Section A & B)

2.2.1 Part A – General Application of the Code
Introduction and Fundamentals Principles (Von Wielligh & Prinsloo, 2014)
A distinguishing mark of the accountancy profession is its acceptance of the responsibility to act in the public interest.
Therefore, a chartered accountant’s responsibility is not exclusively to satisfy the needs of an individual client or employer.
In acting in the public interest, a chartered accountant shall observe and comply with this Code. If a chartered accountant
is prohibited from complying with certain parts of this Code by law or regulation, the chartered accountant shall comply
with all other parts of this Code.

27 MANCOSA – Postgraduate Diploma in Risk Management

 Auditing for Risk

This Code contains three parts. Part A establishes the fundamental principles of professional ethics for chartered
accountants and provides a conceptual framework that chartered accountants shall apply to:
(a) Identify threats to compliance with the fundamental principles;
(b) Evaluate the significance of the threats identified; and
(c) Apply safeguards, when necessary, to eliminate the threats or reduce them to an acceptable level.

Safeguards are necessary when the chartered accountant determines that the threats are not at a level at which a
reasonable and informed third party would be likely to conclude, weighing all the specific facts and circumstances available
to the chartered accountant at that time, that compliance with the fundamental principles is not compromised.

A chartered accountant shall use professional judgment in applying this conceptual framework.

Part B and C describe how the conceptual framework applies in certain situations.

They provide examples of safeguards that may be appropriate to address threats to compliance with the fundamental
principles.

They also describe situations where safeguards are not available to address the threats, and consequently, the
circumstance or relationship creating the threats shall be avoided. Part B applies to chartered accountants in public
practice.

Part C applies to chartered accountants in business. Chartered Accountants in public practice may also find Part C relevant
to their particular circumstances.

Fundamental Principles
A chartered accountant shall comply with the following fundamental principles:
(a) Integrity – to be straightforward and honest in all professional and business relationships.
(b) Objectivity – to not allow bias, conflict of interest or undue influence of others to override professional or business
judgments.
(c) Professional Competence and Due Care – to maintain professional knowledge and skill at the level required to
ensure that a client receives competent professional services based on current developments in practice,
legislation and techniques and act diligently and in accordance with applicable technical and professional
standards.
(d) Confidentiality – to respect the confidentiality of information acquired as a result of professional and business
relationships and, therefore, not disclose any such information to third parties without proper and specific
authority, unless there is a legal or professional right or duty to disclose, nor use the information for the personal
advantage of the chartered accountant or third parties.
(e) Professional Behaviour – to comply with relevant laws and regulations and avoid any conduct that discredits the
accountancy profession.

MANCOSA – Postgraduate Diploma in Risk Management 28

Auditing for Risk

Each of these fundamental principles is discussed in more detail in Sections 110 – 150 below.

SECTION 110
Integrity
The principle of integrity imposes an obligation on all chartered accountants to be straightforward and honest in all
professional and business relationships. Integrity implies fair dealing and truthfulness.
A chartered accountant shall not knowingly be associated with reports, returns, communications or other information where
the chartered accountant believes that the information:
(a) Contains a materially false or misleading statement;
(b) Contains statements or information furnished recklessly; or
(c) Omits or obscures information required to be included where such omission or obscurity would be misleading.
When a chartered accountant becomes aware that the chartered accountant has been associated with such information,
the chartered accountant shall take steps to be disassociated from that information.

SECTION 120
Objectivity
The principle of objectivity imposes an obligation on all chartered accountants not to compromise their professional or
business judgment because of bias, conflict of interest or the undue influence of others.
A chartered accountant may be exposed to situations that may impair objectivity. It is impracticable to define and prescribe
all such situations.

A chartered accountant shall not perform a professional service if a circumstance or relationship biases or unduly
influences the chartered accountant’s professional judgment with respect to that service.

SECTION 130
Professional Competence and Due Care
The principle of professional competence and due care imposes the following obligations on all chartered accountants:
(a) To maintain professional knowledge and skill at the level required to ensure that clients receive competent
professional service; and
(b) To act diligently in accordance with applicable technical and professional standards when providing professional
services.

Competent professional service requires the exercise of sound judgment in applying professional knowledge and skill in
the performance of such service. Professional competence maybe divided into two separate phases:
(a) Attainment of professional competence; and
(b) Maintenance of professional competence.
The maintenance of professional competence requires a continuing awareness and an understanding of relevant technical,
professional and business developments.

29 MANCOSA – Postgraduate Diploma in Risk Management

 Auditing for Risk

Continuing professional development enables a chartered accountant to develop and maintain the capabilities to perform
competently within the professional environment.

Diligence encompasses the responsibility to act in accordance with the requirements of an assignment, carefully,
thoroughly and on a timely basis.

A chartered accountant shall take reasonable steps to ensure that those working under the chartered accountant’s
authority in a professional capacity have appropriate training and supervision.

Where appropriate, a chartered accountant shall make clients, employers or other users of the chartered accountant’s
professional services aware of the limitations inherent in the services

A chartered accountant shall not undertake or continue with any engagement which the chartered accountant is not
competent to perform, unless the chartered accountant obtains advice and assistance which enables the chartered
accountant to carry out the engagement satisfactorily.

SECTION 140
Confidentiality
The principle of confidentiality imposes an obligation on all chartered accountants to refrain from:
(a) Disclosing outside the firm confidential information acquired as a result of professional and business relationships
without proper and specific authority or unless there is a legal or professional right or duty to disclose; and
(b) Using confidential information acquired as a result of professional and business relationships to their personal
advantage or the advantage of third parties.

A chartered accountant shall maintain confidentiality, including in a social environment, being alert to the possibility of
inadvertent disclosure, particularly to a close business associate or a close or immediate family member.

A chartered accountant shall maintain confidentiality of information disclosed by a prospective client or employer.

A chartered accountant shall maintain confidentiality of information within the firm or employing organisation.
A chartered accountant shall take reasonable steps to ensure that staff under the chartered accountant’s control and
persons from whom advice and assistance is obtained respect the chartered accountant’s duty of confidentiality.

The need to comply with the principle of confidentiality continues even after the end of relationships between a chartered
accountant and a client. When a chartered accountant acquires a new client, the chartered accountant is entitled to use
prior experience.

The chartered accountant shall not, however, use or disclose any confidential information either acquired or received as
a result of a professional or business relationship.

MANCOSA – Postgraduate Diploma in Risk Management 30

Auditing for Risk

As a fundamental principle, confidentiality serves the public interest because it facilitates the free flow of information from
the chartered accountant’s client or employing organization to the chartered accountant. Nevertheless, the following are
circumstances where chartered accountants are or may be required to disclose confidential information or when such
disclosure may be appropriate:
(a) Disclosure is permitted by law and is authorized by the client or the employer;
(b) Disclosure is required by law, for example:
(i) Production of documents or other provision of evidence in the course of legal proceedings; or
(ii) Disclosure to the appropriate public authorities of infringements of the law that come to light; and
(c) There is a professional duty or right to disclose, when not prohibited by law:
(i) To comply with the quality review of a member body or professional body;
(ii) To respond to an inquiry or investigation by a member body or regulatory body;
(iii) To protect the professional interests of a chartered accountant in legal proceedings; or
(iv) To comply with technical and professional standards, including ethical requirements.

In deciding whether to disclose confidential information, relevant factors to consider include:

Whether the interests of all parties, including third parties whose interests may be affected, could be harmed
if the client consents to the disclosure of information by the chartered accountant;
Whether all the relevant information is known and substantiated, to the extent it is practicable. When the
situation involves unsubstantiated facts, incomplete information or unsubstantiated conclusions, professional
judgment shall be used in determining the type of disclosure to be made, if any;
The type of communication that is expected and to whom it is addressed; and
Whether the parties to whom the communication is addressed are appropriate recipients.

SECTION 150
Professional Behaviour
The principle of professional behavior imposes an obligation on all chartered accountants to comply with relevant laws
and regulations and avoid any conduct that the chartered accountant knows or should know may discredit the profession.
This includes conduct that a reasonable and informed third party, weighing all the specific facts and circumstances
available to the chartered accountant at that time, would be likely to conclude adversely affects the good reputation of the
profession.
In marketing and promoting themselves and their work, chartered accountants shall not bring the profession into disrepute.
Chartered accountants shall be honest and truthful and not:
(a) Make exaggerated claims for the services they are able to offer, the qualifications they possess, or experience they
have gained; or
(b) Make disparaging references or unsubstantiated comparisons to the work of others.

31 MANCOSA – Postgraduate Diploma in Risk Management

 Auditing for Risk

2.2.2 Part B – Chartedred accounts in public practice

SECTION 200
Introduction
This Part of the Code describe show the conceptual framework contained in Part A applies in certain situations to chartered
accountants in public practice, hereinafter referred to as “chartered accountant”. This Part does not describe all of the
circumstances and relationships that could be encountered by a chartered accountant that create or may create threats
to compliance with the fundamental principles. Therefore, the chartered accountant is encouraged to be alert for such
circumstances and relationships.
A chartered accountant shall not knowingly engage in any business, occupation, or activity that impairs or might impair
integrity, objectivity or the good reputation of the profession and as a result would be incompatible with the fundamental
principles.

Threats and Safeguards

Compliance with the fundamental principles may potentially be threatened by a broad range of circumstances and
relationships. The nature and significance of the threats may differ depending on whether they arise in relation to the
provision of services to an audit client and whether the audit client is a public interest entity, to an assurance client that is
not an audit client, or to a non-assurance client.
Threats fall into one or more of the following categories:
(a) Self-interest;
(b) Self-review;
(c) Advocacy;
(d) Familiarity; and
(e) Intimidation.

These threats are discussed further in Part A of this Code.

Examples of circumstances that create self-interest threats for a chartered accountant include:
A member of the assurance team having a direct financial interest in the assurance client.
A firm having undue dependence on total fees from a client.
A member of the assurance team having a significant close business relationship with an assurance client.
A firm being concerned about the possibility of losing a significant client.
A member of the audit team entering into employment negotiations with the audit client.
A firm entering into a contingent fee arrangement relating to an assurance engagement.
A chartered accountant discovering a significant error when evaluating the results of a previous professional
service performed by a member of the chartered accountant’s firm.

Examples of circumstances that create self-review threats for a chartered accountant include:
A firm issuing an assurance report on the effectiveness of the operation of financial systems after designing or
implementing the systems.
A firm having prepared the original data used to generate records that are the subject matter of the assurance
engagement.

MANCOSA – Postgraduate Diploma in Risk Management 32

Auditing for Risk

A member of the assurance team being, or having recently been, a director or officer of the client.
A member of the assurance team being, or having recently been, employed by the client in a position to exert
significant influence over the subject matter of the engagement.
The firm performing a service for an assurance client that directly affects the subject matter information of the
assurance engagement.

Examples of circumstances that create advocacy threats for a chartered accountant include:
The firm promoting shares in an audit client.
A chartered accountant acting as an advocate on behalf of an audit client in litigation or disputes with third
parties.

Examples of circumstances that create familiarity threats for a chartered accountant include:
A member of the engagement team having a close or immediate family member who is a director or officer of the
client.
A member of the engagement team having a close or immediate family member who is an employee of the client
who is in a position to exert significant influence over the subject matter of the engagement.
A director or officer of the client or an employee in a position to exert significant influence over the subject matter
of the engagement having recently served as the engagement partner.
A chartered accountant accepting gifts or preferential treatment from a client, unless the value is trivial or
inconsequential.
Senior personnel having a long association with the assurance client.

Examples of circumstances that create intimidation threats for a chartered accountant include:
A firm being threatened with dismissal from a client engagement.
An audit client indicating that it will not award a planned non-assurance contract to the firm if the firm continues
to disagree with the client’s accounting treatment for a particular transaction.
A firm being threatened with litigation by the client.
A firm being pressured to reduce inappropriately the extent of work performed in order to reduce fees.
A chartered accountant feeling pressured to agree with the judgment of a client employee because the employee
has more expertise on the matter in question.
A chartered accountant being informed by a partner of the firm that a planned promotion will not occur unless the
chartered accountant agrees with an audit client’s inappropriate accounting treatment.
Safeguards that may eliminate or reduce threats to an acceptable level fall into two broad categories:
(a) Safeguards created by the profession, legislation or regulation; and
(b) Safeguards in the work environment.
Examples of safeguards created by the profession, legislation or regulation are described in Part A of this Code.

33 MANCOSA – Postgraduate Diploma in Risk Management

 Auditing for Risk

SECTION 210
Professional Appointment
Client Acceptance and Continuance
Before accepting a new client relationship, a chartered accountant in public practice shall determine whether acceptance
would create any threats to compliance with the fundamental principles. Potential threats to integrity or professional
behavior may be created from, for example, issues associated with the client (its owners, management or activities) that,
if known, could threaten compliance with the fundamental principles. These include, for example, client involvement in
illegal activities (such as money laundering), dishonesty, questionable financial reporting practices or other unethical
behavior.

A chartered accountant in public practice shall evaluate the significance of any threats and apply safeguards when
necessary to eliminate them or reduce them to an acceptable level.
Examples of such safeguards include:
• Obtaining knowledge and understanding of the client, its owners, managers and those responsible for its
governance and business activities; or
• Securing the client’s commitment to address the questionable issues, for example, through improving corporate
governance practices or internal controls.

SECTION 220
Conflicts of Interest
A chartered accountant may be faced with a conflict of interest when performing a professional service. A conflict of interest
creates a threat to objectivity and may create threats to the other fundamental principles. Such threats may be created
when:
The chartered accountant provides a professional service related to a particular matter for two or more clients
whose interests with respect to that matter are in conflict; or
The interests of the chartered accountant with respect to a particular matter and the interests of the client for
whom the chartered accountant provides a professional service related to that matter are in conflict.

A chartered accountant shall not allow a conflict of interest to compromise professional or business judgment.
When the professional service is an assurance service, compliance with the fundamental principle of objectivity also
requires being independent of assurance clients in accordance with Sections 290 or 291 as appropriate.

MANCOSA – Postgraduate Diploma in Risk Management 34

Auditing for Risk

Examples of situations in which conflicts of interest may arise include:

Providing a transaction advisory service to a client seeking to acquire an audit client of the firm, where the firm
has obtained confidential information during the course of the audit that may be relevant to the transaction.
Advising two clients at the same time who are competing to acquire the same company where the advice might
be relevant to the parties’ competitive positions.
Providing services to both a vendor and a purchaser in relation to the same transaction.
Preparing valuations of assets for two parties who are in an adversarial position with respect to the assets.
Representing two clients regarding the same matter who are in a legal dispute with each other, such as during
divorce proceedings or the dissolution of a partnership.
Providing an assurance report for a licensor on royalties due under a license agreement when at the same time
advising the licensee of the correctness of the amounts payable.
Advising a client to invest in a business in which, for example, the spouse of the chartered accountant in public
practice has a financial interest.
Providing strategic advice to a client on its competitive position while having a joint venture or similar interest with
a major competitor of the client.
Advising a client on the acquisition of a business which the firm is also interested in acquiring.

SECTION 225
Responding to non-Compliance with laws and regulations
Purpose
A chartered accountant in public practice may encounter or be made aware of non-compliance or suspected non-
compliance with laws and regulations in the course of providing a professional service to a client. The purpose of this
section is to set out the chartered accountant’s responsibilities when encountering such non-compliance or suspected
non-compliance, and guide the chartered accountant in assessing the implications of the matter and the possible courses
of action when responding to it. This section applies regardless of the nature of the client, including whether or not it is a
public interest entity.

Non-compliance with laws and regulations (“non-compliance”) comprises acts of omission or commission, intentional or
unintentional, committed by a client, or by those charged with governance, by management or by other individuals working
for or under the direction of a client which are contrary to the prevailing laws or regulations.

In some jurisdictions, there are legal or regulatory provisions governing how chartered accountant should address non-
compliance or suspected non-compliance which may differ from or go beyond this section. When encountering such non-
compliance or suspected non-compliance, the chartered accountant has a responsibility to obtain an understanding of
those provisions and comply with them, including any requirement to report the matter to an appropriate authority and any
prohibition on alerting the client prior to making any disclosure, for example, pursuant to anti-money laundering legislation.

35 MANCOSA – Postgraduate Diploma in Risk Management

 Auditing for Risk

SECTION 230
Second Opinions
Situations where a chartered accountant is asked to provide a second opinion on the application of accounting, auditing,
reporting or other standards or principles to specific circumstances or transactions by or on behalf of a company or an
entity that is not an existing client may give rise to threats to compliance with the fundamental principles. For example,
there may be a threat to professional competence and due care in circumstances where the second opinion is not based
on the same set of facts that were made available to the existing accountant or is based on inadequate evidence. The
existence and significance of any threat will depend on the circumstances of the request and all the other available facts
and assumptions relevant to the expression of a professional judgment.

When asked to provide such an opinion, a chartered accountant shall evaluate the significance of any threats and apply
safeguards when necessary to eliminate them or reduce them to an acceptable level. Examples of such safeguards include
seeking client permission to contact the existing accountant describing the limitations surrounding any opinion in
communications with the client and providing the existing auditor with a copy of the opinion.

If the company or entity seeking the opinion will not permit communication with the existing accountant, a chartered
accountant shall determine whether, taking all the circumstances into account, it is appropriate to provide the opinion
sought.

SECTION 240
Fees and Other Types of Remuneration
When entering into negotiations regarding professional services, a chartered accountant may quote whatever fee is
deemed appropriate. The fact that one chartered accountant may quote a fee lower than another is not in itself unethical.
Nevertheless, there may be threats to compliance with the fundamental principles arising from the level of fees quoted.
For example, a self-interest threat to professional competence and due care is created if the fee quoted is so low that it
may be difficult to perform the engagement in accordance with applicable technical and professional standards for that
price.
The existence and significance of any threats created will depend on factors such as the level of fee quoted and the
services to which it applies. The significance of any threat shall be evaluated and safeguards applied when necessary to
eliminate the threat or reduce it to an acceptable level. Examples of such safeguards include:
Making the client aware of the terms of the engagement and, in particular, the basis on which fees are charged
and which services are covered by the quoted fee; or
Assigning appropriate time and qualified staff to the task.

Contingent fees are widely used for certain types of non-assurance engagements.They may, however, create threats to
compliance with the fundamental principles in certain circumstances. They may create a self-interest threat to objectivity.
The existence and significance of such threats will depend on factors including:
The nature of the engagement.
The range of possible fee amounts.

MANCOSA – Postgraduate Diploma in Risk Management 36

Auditing for Risk

The basis for determining the fee.

Whether the outcome or result of the transaction is to be reviewed by an independent third party.

SECTION 250
Marketing Professional Services
When a chartered accountant solicits new work through advertising or other forms of marketing, there may be a threat to
compliance with the fundamental principles. For example, a self-interest threat to compliance with the principle of
professional behaviour is created if services, achievements, or products are marketed in a way that is inconsistent with
that principle.

A chartered accountant shall not bring the profession into disrepute when marketing professional services. The chartered
accountant shall be honest and truthful and shall not:
(a) Make exaggerated claims for services offered, qualifications possessed, or experience gained; or
(b) Make disparaging references or unsubstantiated comparisons to the work of another.

If the chartered accountant is in doubt about whether a proposed form of advertising or marketing is appropriate, the
chartered accountant shall consider consulting with the Regulatory Board or relevant professional body.

SECTION 260
Gifts and Hospitality
A chartered accountant, or an immediate or close family member, may be offered gifts and hospitality from a client. Such
an offer may create threats to compliance with the fundamental principles. For example, a self-interest or familiarity threat
to objectivity may be created if a gift from a client is accepted; an intimidation threat to objectivity may result from the
possibility of such offers being made public.

The existence and significance of any threat will depend on the nature, value, and intent of the offer. Where gifts or
hospitality are offered that a reasonable and informed third party, weighing all the specific facts and circumstances, would
consider trivial and inconsequential, a chartered accountant may conclude that the offer is made in the normal course of
business without the specific intent to influence decision making or to obtain information. In such cases, the chartered
accountant may generally conclude that any threat to compliance with the fundamental principles is at an acceptable level.

A chartered accountant shall evaluate the significance of any threats and apply safeguards when necessary to eliminate
the threats or reduce them to an acceptable level. When the threats cannot be eliminated or reduced to an acceptable
level through the application of safeguards, a chartered accountant shall not accept such an offer.

SECTION 270
Custody of Client Assets
A chartered accountant shall not assume custody of client monies or other assets unless permitted to do so by law and, if
so, in compliance with any additional legal duties imposed on a chartered accountant holding such assets.

37 MANCOSA – Postgraduate Diploma in Risk Management

 Auditing for Risk

The holding of client assets creates threats to compliance with the fundamental principles. For example, there is a self-
interest threat to professional behaviour and may be a self-interest threat to objectivity arising from holding client assets.
A chartered accountant entrusted with money (or other assets) belonging to others shall therefore:
(a) Keep such assets separately from personal or firm assets;
(b) Use such assets only for the purpose for which they are intended;
(c) At all times be ready to account for those assets and any income, dividends, or gains generated, to any persons entitled
to such accounting; and
(d) Comply with all relevant laws and regulations relevant to the holding of and accounting for such assets.

SECTION 280
Objectivity—All Services
A chartered accountant shall determine when providing any professional service whether there are threats to compliance
with the fundamental principle of objectivity resulting from having interests in, or relationships with, a client or its directors,
officers or employees. For example, a familiarity threat to objectivity may be created from a family or close personal or
business relationship.
A chartered accountant who provides an assurance service shall be independent of the assurance client. Independence
of mind and in appearance is necessary to enable the chartered accountant to express a conclusion, and be seen to
express a conclusion, without bias, conflict of interest, or undue influence of others. Sections 290 and 291 provide specific
guidance on independence requirements for chartered accountants when performing assurance engagements.

The existence of threats to objectivity when providing any professional service will depend upon the particular
circumstances of the engagement and the nature of the work that the chartered accountant is performing.

A chartered accountant shall evaluate the significance of any threats and apply safeguards when necessary to eliminate
them or reduce them to an acceptable level. Examples of such safeguards include:
Withdrawing from the engagement team.
Supervisory procedures.
Terminating the financial or business relationship giving rise to the threat.
Discussing the issue with higher levels of management within the firm.
Discussing the issue with those charged with governance of the client.

If safeguards cannot eliminate or reduce the threat to an acceptable level, the chartered accountant shall decline or
terminate the relevant engagement.

MANCOSA – Postgraduate Diploma in Risk Management 38

Auditing for Risk

2.3 Summary
This Unit introduced the fundumental principles of independence, threaths as faced by auditors on daily basis and
possible safegurds in order to comply with the Code of Professional Conduct.

Activity
You may come across activities that ask you to carry out specific tasks. In most cases, there are
no right or wrong answers to these activities. The aim of the activities is to give you an
opportunity to apply what you have learned.

Andile Ndabezitha Incorporated (AN Inc.), a small firm of registered auditors with a single office in Durban, is the auditor
of the 2018 financial statements of FinBond Limited (FB Ltd). FB Ltd was incorporated in 2002, the company develops
small shopping centres in medium-sized towns. Until four years ago, it has been relatively small, operating on in and
around the Durban area. They then appointed a new Managing Director, Miss Rose Thangavalu, under whose leadership
the company expanded its operations to other provinces, thereby attracting in excess of R250 million in new investments
from non-institutional investors. FB Ltd is now AN Inc.’s largest client by far.

Mr Andile Ndabezitha has been the engagement partner on FB Ltd audit since the incorporation of the company. Since
the appointment of Miss Thangavalu as Managing Director, Mr Ndabezitha has increasingly became uncomfortable with
the developments at the company. First, Mr Ndabezitha has found Miss Thangavalu to be abrupt, unco-operative and
sometimes aggressive. Secondly, Mr Ndabezitha has experienced problems dealing with FB Ltd’s new computerised
accounting system, as he is not comfortable with computer-assisted audit techniques (CAATs). In his response to these
problems, Mr Ndabezitha has decided delegate all other responsibilities for the audit of FB Ltd to Mr Sandile Gumede,
who is in a third year of his traineeship.

Mr Gumede was placed in charge of the fieldwork for the current year’s audit of FB Ltd. Being a rather timid person, he is
also struggling to deal with the difficult Miss Thangavalu, as well as other managers at FB Ltd. Sandile, then plugged up
the courage to tell Mr Ndabezitha of his woes at FB Ltd, however, through Sandile’s surprise, Mr Ndabezitha said, “Sandile,
stop moaning. You are a third year trainee accountant now, this is your client and you must learn to handle senior
management”

You are required to:

Discuss any concerns exhibited in the scenario, With reference to the SAICA Code of Professional Conduct
(16 Marks)

39 MANCOSA – Postgraduate Diploma in Risk Management

 Auditing for Risk

(a) With reference to the SAICA Code of Professional Conduct, discuss any concerns exhibited in the
scenario.
1. There is a self-interest threat to professional competence and due care owing to increase in the size of the
client entity and its larger geographical spread.
a) AN Inc., is described as a small firm; and
b) There is an increased public interest with FB Ltd.
Safeguard(s):
a) Obtain assistance from other audit firm; and
b) Appoint additional staff to deal with the increased workload.
2. There is a self-interest threat to independence owing to FB Ltd being AN Inc.’s largest client.
a) There is a potential intimidation threat to independence.
Safeguard(s):
AN Inc. should try to actively increase the firm’s client base

3. There is a familiarity threat to independence, as Mr Ndabezitha has been the engagement partner for a
long period of time.
Safeguard(s):
a) Mr Ndabezitha would need to be replaced as the engagement partner.
b) The threat is significant.

4. There is intimidation threat to independence and professional behaviour as the engagement partner and the
staff leading the fieldwork find the Managing Director a difficult person to deal with.
a) The threat is significant, as even the engagement partner has experience the difficulty of the MD.
Safeguard(s):
a) Mr Ndabezitha needs to assign another senior engagement partner to the audit of FB Ltd.
b) He may also discuss their concerns with those charged with governance of FB Ltd.

5. There is a further self-interest threat to professional competence and due care owing to the client entity
having implemented a new computer system.
The threat is significant because;
a) AN Inc. is not comfortable using CAATs
b) AN Inc. is described as a small entity; and
c) There is increase public interest in the client
Safeguard(s):
c) Assign partner with adequate skills to the audit of FB Ltd.
d) Seek outside assistance (especially with CAATs)

MANCOSA – Postgraduate Diploma in Risk Management 40

Auditing for Risk

2.4 Answers to Activities

Case study 2.1

Case Study
Case Studies will give you an opportunity to apply theory to practice.

You have recently joined an established medium-sized firm of auditors as a trainee accountant. Because of your
impressive knowledge of the SAICA Code of Professional Conduct (information obtained during your interview), Samantha
King, the senior partner has asked you to assist fellow trainee accountants evaluate the following unrelated matters relating
to professional conduct. These matters are used as examples in the in-house training programme for trainee accountants.

Matter 1 – Andrew Waterhouse

Andrew Waterhouse was a trainee on the audit of French Cars Ltd, a large distributor of Renault vehicles. Andrew
Waterhouse recently joined PFY Inc. (an audit firm). French Cars Ltd recently ran a competition as part of a marketing
and social responsibility campaign. For R5, a member of the public could obtain a ticket to the competition. The competition
required entrants to estimate how many inflated mini-footballs could be packed into a Renault Kadjar (vehicle type). Very
few if any, correct estimates were expected as the vehicle has numerous storage compartments where the mini-footballs
could be placed. The first correct or closest entry drawn, would receive R10 000 in cash and four tickets to the upcoming
Justin Bieber concert.

Whilst physically inspecting new vehicles in the showroom, Andrew Waterhouse overheard the marketing manager
dictating a letter about the competition to his secretary. At the end of the afternoon when the marketing manager and
secretary had left, Andrew Waterhouse suspecting that the answer to the question might be in the letter, entered the
secretary’s office, went through a file marked “confidential” which was in her top drawer, and found the “correct estimate”.
He immediately phoned his girlfriend, Mandy Fowler, told her to buy four tickets to the competition in her name, one with
the correct answer which he gave her, and three with an incorrect answer.

When the competition draw was made, his girlfriend was declared as the winner. On Andrew Waterhouse’s insistence,
she sold the Justin Bieber concert tickets she had won, and with the R10 000 the two paid for a holiday in Cape Town.

Matter 2: Gary Moloi

While performing certain tax services for Siyabonga Msomi, a client of Duma & Dube Inc., Gary Moloi (a partner in Duma
& Dube Inc.) had advised Siyabonga Msomi to consult Strini Pillay, an investment broker, about retirement planning. In
response to a question from Siyabonga Msomi as to the commission that Paul McKay would receive from Strini Pillay,
Garry Moloi had indignantly denied that he received any reward for referring clients to Strini Pillay. George Benson, a
newly appointed partner at the firm has since learned that Strini Pillay pays Duma & Dube Inc. a 5% commission on all
investments placed with him as a result of referrals by Duma & Dube Inc. staff and partners.

41 MANCOSA – Postgraduate Diploma in Risk Management

 Auditing for Risk

Matter 3: Clear Images (Pty) Ltd

At a partners meeting Paul McKay (a partner in the audit firm PFY Inc.) informed the other partners that he had been
approached by the financial director of Clear Images (Pty) Ltd to provide a second opinion on some financial information
which it was submitting to the bank. Clear Images (Pty) Ltd is not a client of PFY Inc. and the first opinion had been
provided by its auditors. Paul McKay told the meeting that he had talked the matter through with the financial director of
Clear Images (Pty) Ltd and provided an opinion acceptable to the financial director. He also told the meeting that he had
not charged a fee for this service, as he was “working on the financial director to recommend to the shareholders that PFY
Inc. take over the audit of Clear Images (Pty) Ltd”. Clear Images (Pty) Ltd.’s public interest score requires that the company
have its annual financial statements externally audited

Matter 4: Phahla & Brown

A firm of auditors, Phahla & Brown is considering an advertising campaign to promote a range of services the entity offers.
As part of the planned advertising campaign, the company aims to include a catchy slogan to be included in company
letterheads and documentation. Upon engaging a well-known marketing specialist, the company came up with and is
considering the following two slogans:
Slogan 1 - Phahla & Brown – “Bigger and better audits – simply no competition”
Slogan 2 – Phahla & Brown – “For low audit fees - trusted by SARS”

You are required to:

Discuss each of the above unrelated matters (1 – 4) in terms of the SAICA Code of Professional Conduct. Your answer
must be in point form.
Matter 1 (5 Marks)
Matter 2 (5 Marks)
Matter 3 (7 Marks)
Matter 4 (4 Marks)

MANCOSA – Postgraduate Diploma in Risk Management 42

Auditing for Risk

Unit
3: Corporate Governance –
KING IV Code

43 MANCOSA – Postgraduate Diploma in Risk Management

 Auditing for Risk

Unit Learning Outcomes and Associated Assessment Criteria

LEARNING OUTCOMES OF THIS UNIT: ASSOCIATED ASSESSMENT CRITERIA OF THIS UNIT:

Explain corporate governance Illustrations and activity are provided to assist in

understanding and explaining the concept of
corporate governance

Can apply KING IV Code and Report of Prescribed reading and activity are provided to help
Governance understand how the King IV report on corporate
governance is applied in practice

Can apply all the necessary principles (1 to 17) of Case study and activity are provided to help apply
KING IV the necessary principles of corporate governance to
an entity

Summary
The Unit looks at the history of corporate governance. Where it started and how it has evolved over decades. It also
focuses on the South African KING IV Code.

Prescribed / Recommended Reading

Singleton, T. W. & Singleton, A. J. (2010). Fraud Auditing and Forensic

Accounting. 4th Edition. Wiley & Sons Publishing.
Bologna, G, T. & Lindquist, R, T. (1995). Fraud Auditing and Forensic
Accounting: new Tools and Techniques. Wiley & Sons
Dutta, S, K. (2013). Statistical Techniques for Forensic Accounting:
Understanding the Theory and Application of data analysis. Pearson.
Hopwood, W., Young, G. & Leiner, J. (2012). Forensic Accounting and Fraud
Examination. 2nd Edition. McGraw-Hill.
Albrecht, W, S., Albrecht, C, O., Albrecht, C, C. & Zimbelman, M, F, (2016).
Fraud Examination. 5th Edition. Cengage Learning

MANCOSA – Postgraduate Diploma in Risk Management 44

Auditing for Risk

3.1 Section 1: Introduction to corporate governance

Corporate governance is the mechanisms, processes and relations by which corporations are controlled and directed.
Governance structures and principles identify the distribution of rights and responsibilities among different participants in
the corporation (such as the board of directors, managers, shareholders, creditors, auditors, regulators, and other
stakeholders) and includes the rules and procedures for making decisions in corporate affairs. Corporate governance
includes the processes through which corporations' objectives are set and pursued in the context of the social, regulatory
and market environment. Governance mechanisms include monitoring the actions, policies, practices, and decisions of
corporations, their agents, and affected stakeholders. Corporate governance practices are affected by attempts to align
the interests of stakeholders. Interest in the corporate governance practices of modern corporations, particularly in relation
to accountability, increased following the high-profile collapses of a number of large corporations during 2001–2002, most
of which involved accounting fraud; and then again after the recent financial crisis in 2008 (Jackson & Stent, 2016).

Corporate scandals of various forms have maintained public and political interest in the regulation of corporate
governance. In the U.S., these include Enron and MCI Inc. (formerly WorldCom). Their demise led to the enactment of the
Sarbanes-Oxley Act in 2002, a U.S. federal law intended to restore public confidence in corporate governance.
Comparable failures in Australia (HIH, One.Tel) are associated with the eventual passage of the CLERP 9 reforms.[5]
Similar corporate failures in other countries stimulated increased regulatory interest (e.g., Parmalat in Italy).

Since 2001, corporate governance has received rehabilitated global importance, due to a plethora of corporate collapses.
Enron and WorldCom in the US and Saambou Bank and Fidentia in South Africa are examples of noticeable corporate
collapses. These corporations were accused because of their fraudulent accounting practices, weak regulations and a
general lack of business ethics (Marx, 2008). This era also became a wake-up call for many in emerged economies or
countries because, preceding these high profile collapses and insolvencies, numerous critics had only blamed emerging
countries for lack of disclosure, transparency and poor corporate governance practice.

The requirement for robust corporate governance is demonstrated by the numerous corporate governance standards and
reforms which were advanced at both international and of late national levels, such as: the Sarbanes-Oxley Act in the
U.S.A., Corporate Law Economic Reform Program Act 2004 [CLERP 9] in Australia, Combined Code in the U.K., the
Organization for Economic Co-operation and Development [OECD] Code and King I to IV. The urgency of corporate
governance gained thrust as a result of the on-going global economic recession and it is now a first order issue in most of
the economies where firms are often run by controlling shareholders (Albuquerue & Wang, 2008). More corporations in
an increasing number of countries, are progressively attempting to adopt better corporate governance practices (Garay &
González, 2008).

3.1.1 Corporate Governance in South Africa

The Governance Framework in South Africa was developed in July 1993 when Mervyn E. King (retired Supreme Court
judge of South Africa) was asked to chair a committee on corporate governance, by the Institute of Directors in Southern
Africa (IoDSA). His view on this was to educate the newly democratic South African public on the working of a free
economy. The committee released its first report in 1994, King I, King II in 2002, King III in 2009 and recently King IV in
2016 which are all aimed at promoting the highest standards of corporate governance in South Africa. Ethical and effective

45 MANCOSA – Postgraduate Diploma in Risk Management

 Auditing for Risk

leadership were the core foundation of King I, II and III. King IV is also not any different as its fundamental focus areas
are:
Ethical Leadership
The role of the organization and Society
Company Citizenship
Sustainable Development
Stakeholder Inclusivity
Integrated Thinking and Integrated Reporting

Evidently, good leadership, which is supported by the principles of good corporate governance, is similarly most valuable
in all types of organisations, not to only those in the private sector. Similarly, the principles of good governance are equally
essential, and equally applicable in both private and public organisations.

3.2 KING IV Code and Report of Governance

3.2.1 Why the need for King IV™?
King IV™ builds on King III™. It has been revised to bring it up to date with international governance codes and best
practice; to align it to shifts in the approach to capitalism (towards inclusive, integrated thinking across the six capitals)
and to take account of specific corporate governance developments in relation to effective governing bodies, increased
compliance requirements, new governance structures (e.g. Social and Ethics Committee), emerging risks and
opportunities from new technologies and new reporting and disclosure requirements e.g. Integrated Reporting.

3.2.2 What is the applicability of King IV™?

King IV™ is structured as a Report that includes a Code, with additional, separate sector supplements for SME’s, NPO’s,
State-Owned Entities, Municipalities and Retirement Funds. The King Code™ contains both principles and recommended
practices aimed at achieving governance outcomes.

Whilst King IV™ is voluntary (unless prescribed by law or a stock exchange Listings Requirement) it is envisaged that it
will be applicable to all organisations irrespective of their form or manner of incorporation. The King Code™ principles of
good governance are presumed to apply, whilst the practices should be applied on a ‘proportionality’ basis depending on
the nature, size and complexity of the organization.

3.2.3 When is the effective date of King IV™?

King IV™ was released on 1 November 2016. It is effective for financial years commencing from 1 April 2017.

3.2.4 What is the link between King I to King IV™

The link in King I, II and III is implicit; King IV pursues to make it more explicit. Particularly because the King Committee
was requested by many organisations outside of the private sector to draft King IV in such a way that it is more easily
applicable to all organisations: private and public, small and large, for-profit and not-for-profit. King IV has progressed from

MANCOSA – Postgraduate Diploma in Risk Management 46

Auditing for Risk

“apply or explain” to “apply and explain”, but condensed the 75 principles in King III to only 17 basic principles in King IV,
one of which applies to institutional investors only. Any organisation can apply sixteen (16) of these basic principles, and
all are mandated to substantiate a claim that good governance is being accomplished (“apply and explain”). This vital
explanation allows stakeholders to make cognisant decision as to whether or not the entity is accomplishing the four good
governance outcomes as required by King IV. Explanation also helps to encourage entities to see corporate governance
as an act that will produce good outcomes only if it is advanced mindfully, with due reflection of the entities’ environment,
rather than as an act of tedious compliance.

3.2.5 How is King IV™ structured?

Contains both principles and recommended practices aimed at achieving governance outcomes as follows
17 Principles and
214 Practices

3.3 Section 2: Principles 1 to 17

Principle No 1
The governing body should lead ethically and effectively
RECOMMENDED PRACTICES:
Cultivate and exhibit collectively and individually, characteristics of integrity, competence,
responsibility, accountability, fairness and transparency
Offer leadership that results in achievement of strategy and outcomes over time
Disclose how they are being held to account for their leadership

Principle No 2
Govern the ethics of the organisation in a way that supports the establishment of an ethical culture
RECOMMENDED PRACTICES:
Set the direction for ethics
Approve codes of conduct and ethics policies
Stakeholders made familiar with the codes of conduct and ethics policies
Delegate implementation of codes of conduct and ethics policies to management and provide ongoing
oversight of this management
Disclose how ethics are being managed

Principle No 3
Ensure that the organisation is and is seen to be a responsible corporate citizen
RECOMMENDED PRACTICES:
Set the direction for good corporate citizenship
Constitution, laws, standards and own policies and procedures
Oversee and monitor (using agreed performance indicators and targets)
Disclose how corporate citizenship is managed.

47 MANCOSA – Postgraduate Diploma in Risk Management

 Auditing for Risk

Principle No 4
Appreciate of the organisation’s core purpose
RECOMMENDED PRACTICES:
Steer and set the direction, purpose and strategy of the organization
Delegate to management the formulation and thereafter approval of strategy with six capitals
Approve managements policies and operational plans
Delegate the implementation of policy and plans to management

Principle No 5
Reports issued enable stakeholders to make informed assessments
RECOMMENDED PRACTICES:
Set the direction, approach and conduct for the organisation’s reporting
Approve the reporting frameworks to be used
Oversee that the various reports are compliant with legal reporting requirements
Ensure that an annual integrated report is issued
Approve the bases for determining materiality for the purposes of including in reports
Ensure the integrity of external reports
Oversee publication and access by stakeholders either from website or other appropriate platform/media

Principle No 6
Serve as the focal point and custodian of the corporate governance
RECOMMENDED PRACTICES:
Exercise its leadership role
Have an approved charter
Charter must specify number of meetings
Disclose the number of its meetings and attendance thereof, whether it is satisfied that

Principle No 7
Governing body
RECOMMENDED PRACTICES:
1. Composition of the governing body
Direct and approve an appropriate composition
Consider an appropriate size for itself
Comprise of a majority of non-executive members, most of whom should be independent
Appoint as a minimum the CEO and one other executive
Promote diversity in its membership
Periodic and staggered rotation of its membership
Establish a succession plan for its membership

MANCOSA – Postgraduate Diploma in Risk Management 48

Auditing for Risk

Principle No 8
Committees of the Board
The recommended practices that the governing body should perform, are summarised as:
General
Determine delegation to individual members, groups of members, standing or ad-hoc committees
Assume all the responsibilities itself if no delegations are made
Provide and approve formal terms of reference to committees, and record in writing details of delegation to a
member or group of members
Ensure that composition, roles and responsibilities of committees are complimentary, not fragmented or
duplicated and that there is no undue reliance or dominance by any individual member
Ensure that each committee has a minimum of three members and sufficient capability and capacity to function
effectively
Allow any member to attend any committee meeting as an observer, and allow management to attend by
standing or ad-hoc invitation
Apply its mind to the information and results provided to it by its committees as delegation to a committee does
not discharge the governing body of its accountability
Disclose for every committee its role and responsibilities, composition (with members qualifications and
experience), advisors and attendees, areas of focus, number of and attendance at meetings, whether it is
satisfied that it has fulfilled its responsibilities.

Principle No 9
Evaluation of performance
RECOMMENDED PRACTICES:
Assume responsibility for performance evaluations of itself, its committees, its chair and individual members
Appoint a lead independent director – for chair
Ensure that every two years an externally facilitated performance evaluation
Disclose the results and plans for performance evaluations

Principle No 10
Appointment & delegation
RECOMMENDED PRACTICES:
CEO appointment and role
Lead strategy implementation and reporting
Agree membership of other governing bodies
CEO cant be Chair of Governing body or member of these REMCO, AUDITCO & NOMCO
CEO be evaluated at least once a year
Gov body must have a CEO succession plan

49 MANCOSA – Postgraduate Diploma in Risk Management

 Auditing for Risk

RECOMMENDED PRACTICES:
Appointment and Delegation
Reserve certain powers and matters and not delegate everything
Delegate to management via the CEO
Approve a delegation of authority framework and policy
Oversee that key management functions are led by a competent and appropriately individual
Satisfy itself on succession planning for executive management and key positions
Disclose compliance with delegation of authority framework
Access to professional and independent guidance on legal and corporate governance matters.
Consider appointing a company secretary/ other appropriate professional (NB: Sec 86-89 of Companies Act)
Approve the corporate governance services
Remove the company secretary/other professional
Ensure the company secretary/other professional has access to and reports to the governing body
Evaluate annually the performance and independence of the company secretary/other professional
Disclose the access to professional corporate governance services and the view on effectiveness thereof.

Principle No 11
Risk Governance
RECOMMENDED PRACTICES:
Set the approach for risk governance
Treat risk as integral part of decision making and adherence to duties
Delegate to management risk management implementation
Oversee the risk management
Consider receiving periodic and independent assurance on risk
Disclose nature and extent of risks and opportunities

Principle No 12
Technology & Information Governance
RECOMMENDED PRACTICES:
Set the approach and approve the policy for technology and information
Delegate to management effective technology and information implementation.
Oversee results of managements implementation
Oversee management of information (including use, information architecture, protection of privacy and security)
Oversee management of technology
Consider receiving periodic, independent assurance on the effectiveness of the technology and information,
including outsourcing
Disclose overview of governance and management

MANCOSA – Postgraduate Diploma in Risk Management 50

Auditing for Risk

Principle No 13
Compliance Governance
RECOMMENDED PRACTICES:
Direct the governance of compliance to laws, adopted non-binding rules, codes and standards
Approve policy that directs compliance
Delegate to management the responsibility for implementation
Oversee compliance management
Disclose an overview of compliance management

Principle No 14
Remuneration Governance
RECOMMENDED PRACTICES:
Remuneration policy
Set the direction and approach for remuneration
Design the remuneration policy to attract and retain human capital
In the remuneration policy, address organization-wide remuneration
In the remuneration policy set out all elements of remuneration
Oversee implementation of the policy
Disclose the remuneration report in three parts;- background statement, overview of the policy and an
implementation report

Remuneration report
Background statement
Provide information on context and decision-making factors,
Results of voting on the policy and implementation report and responses
Overview of remuneration policy
Disclose an overview of the main policy provisions
Implementation report
Disclose the remuneration of each executive member including vested and unvested award details

Voting on remuneration
Fees for non exec must tabled to shareholders via a special resolution two years preceding payment.
Table annually the remuneration policy and implementation report at the AGM
If dissenting votes are 25% and above against policy or implementation report REMCO must take action
Disclose in the background statement, actions taken to engage with and address concerns in the event of 25%
or more dissenting vote.

51 MANCOSA – Postgraduate Diploma in Risk Management

 Auditing for Risk

Principle No 15
Assurance
RECOMMENDED PRACTICES:

Combined Assurance
Direct assurance services and functions and delegate to the audit committee.
Ensure a combined assurance model is applied that covers the significant risks and material matters
Assess output of the combined assurance and form their own opinion on integrity of information and reports.
Assurance of External Reports
Direct how assurance of external reports should be done taking account of legal requirements.
Assess the effectiveness of the combined assurance approach
Disclose in external reports the type of assurance applied

Internal Audit
Direct internal audit and delegate oversight to the audit committee
Approve an internal audit charter and ensure internal audit has sufficient and adequate skills
If there is a CAE and internal audit function, ensure that it is independent of management
Approve the appointment, contract and remuneration of the CAE
Ensure the CAE has access to the audit committee chair, but that the CAE is not a member of the executive
Ensure that if internal audit is outsourced that there is clarity on who is the CAE
Ensure that the CAE reports to the chair of the audit committee on internal audit duties and on other matters to
a designated executive
Be responsible for removal of the CAE
Monitor that internal audit follows a risk-based plan
Ensure internal audit makes an annual statement on the effectiveness of the governance, risk management
and controls
Ensure that the internal audit is externally and independently reviewed every 5 years
Confirm annually with the CAE that the internal audit function conforms to a code of ethics

Principle No 16
Stakeholders
RECOMMENDED PRACTICES:

Stakeholders relationships
Direct the stakeholder approach and approve policies
Delegate to management effective stakeholder relationship management
Oversee the management of stakeholder relationships
Disclose an overview of stakeholder management

MANCOSA – Postgraduate Diploma in Risk Management 52

Auditing for Risk

Shareholder relationships
Proactive shareholder engagements
Ensure that all directors are available at the AGM, that the external audit partner is at the AGM and that there
are minutes of the AGM

Principle No 17
Responsibilities of Institutional Investors
RECOMMENDED PRACTICES:
Direct how responsible investing will take place
Implement a responsible investing policy
Ensure accountability for complying
Disclose the responsible investment code adopted and its application thereof

3.4 Summary
This Unit introduced the theory around corporate governance, King IV and the related principles of King IV.

Activity

You may come across activities that ask you to carry out specific tasks. In most cases,
there are no right or wrong answers to these activities. The aim of the activities is to
give you an opportunity to apply what you have learned.

You are an audit trainee at Cebo Thembi Zamahlanga Auditors (‘CTZ’) and part of the external audit team of Sporty Electric
Trendsetters (Pty) Ltd (‘SET’). CTZ was appointed as auditor of SET in September 2014. Phakamile Shandu CA (SA) [PK]
is the senior audit manager of the SET audit. PK informs the team that the management of SET has requested that the
audit for the financial year ended 30 September 2018 (‘FY2018’) be completed as soon as possible after the year-end, as
the company’s bankers urgently require the financial statements in order to assess an application for finance received
from SET.
SET is a rapidly growing company in the information technology (IT) sector and a manufacturer of wearable connected
devices for sport, fitness and wellness. The company was formed ten years ago by five friends who met at university. The
company has recently been growing rapidly through mergers and acquisition of competitors in the sector that SET
operates. The company operates from leased premises in the new Midlands Mall, which house the manufacturing
operations, the warehouse and the administrative offices.

SET has since incorporation been funded by the shareholders from savings and personal borrowings, but as a result of
the rapid growth of its operations, the shareholders urgently need capital to fund its operations and to stimulate future
growth. SET has exhausted all its overdraft facilities, and the bank has indicated that additional facilities will only be
considered if the company receives a clean audit report. SET is as the end of this current credit limit after borrowing a total
of R 62.6 million from all external lenders including banks and individual creditors.

53 MANCOSA – Postgraduate Diploma in Risk Management

 Auditing for Risk

You are required to:

In preparation for her meeting with the directors of SET about listing requirements, PK has asked you to prepare notes
that she can utilise during the meeting when discussing the requirements of The King IV Report on Corporate Governance
for South Africa 2016. She requires these notes to focus particularly on:
i) Composition of the governing body
ii) Establishment of Audit committee.

Hint: Mark are only awarded for indicating the requirements of KING IV. (12 Marks)

3.5 Answers to Activity

1. The purpose of the GB is to direct and approve the processes for attaining an appropriate composition
Consider an appropriate size for itself, with reference to the optimal mix of
knowledge, skills, experience, diversity, independence (i.e. executive, nonexecutive and independent non-
2.
executive members), sufficiency in numbers for its committees, quorum requirements, regulatory requirements
and diversity targets
Comprise of a majority of non-executive members, most of whom should be
3.
independent
4. Appoint as a minimum the CEO and one other executive to the governing body
Promote diversity in its membership (age, culture, race, gender and fields of
5.
expertise) and set targets for race and gender representation in its composition
6. Arrange for periodic and staggered rotation of its membership
7 Establish a succession plan for its membership
(ii) Establishment of Audit committee
Must in terms of KING establish an audit committee for SET (and should consider establishing one for those
8. that issue audited financial statements) that has as its role to provide independent oversight of the assurance
functions and on the integrity of the annual financial statements and other external reports
GB may delegate (in addition to any statutory duties where applicable) other governance responsibilities such
9. as approval of annual financial statements and risk governance (whilst ensuring sufficient time for the latter)
but remains accountable
10. the audit committee oversees risks that may affect the integrity of external reports
The audit committee as a whole has to have the necessary financial literacy, skills and experience, and that
11.
all members are independent non-executive members of the governing body
12. AC must have an independent non-executive chair
13. the audit committee meets annually with external and internal auditors without management
AC must disclose all the above general matters relating to AC plus a statement on the independence and
14. specific particulars thereof for the external auditor; significant annual financial statement matters and how
addressed; views on quality of external audit, effectiveness of the chief audit executive and internal audit;

MANCOSA – Postgraduate Diploma in Risk Management 54

Auditing for Risk

effectiveness of the design and implementation of internal financial controls….; effectiveness of the CFO and
finance function and on combined assurance and the effectiveness thereof

Case Study

Case Studies will give you an opportunity to apply theory to practice.

Case study 3.1

You are an audit trainee at Sasha’s Auditors Inc. (SSAS) a medium sized audit firm. Early in 2016, you were assigned
to the audit of Baldavoo Nutrition Ltd (BNL) a dominant player in the high performance nutrition and supplement
market in South Africa. The year-end is 31 December 2016. Miss Ayesha Raboteng is the senior audit manager and
Miss Phakamile Mhlongo is the audit engagement partner on BNL. BNL became a client of SSAS for the first time in
early 2016.
In relation to the audit, you receive the following from Miss Raboteng:
1. Electronic working paper 1200 – Understanding the entity and its environment.
2. Extracts from the minutes of the board meeting on the 3 January 2017

Miss Raboteng added that you would be auditing the research expense account. This research expense account
on the income statement has increased dramatically this year to an amount of R 5, 235, 234.45 with a 27% increase.
As a result, it is material (very important) to the audit. This is a very risky account balance as there are significant
accounting judgements that are made in determination of this value and management has an incentive to understate
this balance.

1. ELECTRONIC WORKING PAPER 1200 - UNDERSTANDING THE ENTITY AND ITS ENVIRONMENT

Client: Prepared by:

Baldavoo Nutrition Ltd
Graham Van Rensburg Date: 21
December 2016
Year ended: Reviewed by:
31 December 2016
Ayesha Raboteng Date: 14
January 2017

55 MANCOSA – Postgraduate Diploma in Risk Management

 Auditing for Risk

1.1. Background information.

BNL is a South African incorporated company, which is listed on the Johannesburg Stock Exchange. BNL specialises
in the manufacture of nutritional supplements, which are sold to South African customers. BNL is a leader in
research and development in its industry; it generates new products every quarter without fail. It does this by limiting
the costly pharmaceutical tests that other competitors put their new products through. Rather products are sold which
then brings in money for these pharmaceutical tests. The directors are of the belief that doing business requires
risk-taking and untested products is just another risk. Eventually the products are tested.

BNL is the only South African nutritional supplement country that has won numerous international awards for its
ground breaking and innovative products four years in a row. BNL’s vision is to dominate the international market by
2020.

BNL operates in a highly regulated industry. The directors admit that the nutritional supplement industry has too many
regulations much of these regulations mirror the pharmaceutical industry. None of the directors have a detailed
knowledge of the laws and regulations of the nutritional supplement industry or the pharmaceutical industry.

1.2. Company leadership.

Members of the board of directors.
Mr Marc Williams (chief executive officer and chairperson of the board)

Mr Michael Wiseman (company secretary)

Mr Peter Wood (chief financial officer)

Mr Kendal Franks (human resources consultant)

Dr Bradley Hilda (lead non-executive director and deputy chairperson of the board)

Mr James Biscuits (independent non-executive)

Audit committee members

Mr Umar Mohammed Karim (chairperson)

Mr James Biscuits
Mr Biscuits was appointed to the audit committee by Mr Williams, after he indicated that he wanted to go back to
university and has registered for a B Com Acc at the University of Kwa-Zulu Natal (UKZN). He as aspirations of
becoming a CA (SA). Mr Williams thought that by working with Mr Karim, he would gain valuable financial and
technical experience.

MANCOSA – Postgraduate Diploma in Risk Management 56

Auditing for Risk

2. EXTRACT FROM THE MINUTES OF THE BOARD MEETING ON THE 3 JANUARY 2017

Dr Hilda congratulated Mr Williams who married his youngest daughter on the weekend. He also conveyed the
apologies of Mr Franks, his stepson. The reason submitted for Mr Franks’ absence was that he was busy at the board
meeting of Eskom. Mr Franks was recently appointed to the Eskom board, following his four awarding winning books
on renewable energy in China.

Mr Wiseman suggested that the company considers appointing a remuneration committee. He added that he was
being paid very little considering that he is both a director and the company secretary.

Mr Williams seconded the proposal by Mr Wiseman. Mr Williams also volunteered to be chair of the remuneration
committee. Other directors agreed that Mr. Williams could act as the remuneration committee.

Mr Wood congratulated Mr Biscuit on registering for his degree. He indicated that he wants to register for a PhD at
UKZN too. In addition, he stated that his research in to plant life cycles would continue from his master’s degree in
agriculture.

Mr Wood expressed deep concern about the IT equipment that was being utilised in the company. He stated that
the aggressive research has led to a deterioration of all IT equipment. He estimates that the company would need to
replace all IT equipment in the next two weeks.

Mr Williams said that IT is a luxury and the company should know how to function without it. He added that when
he created this company there were no computers and he would like it to stay that way.

Activity

You are required to:

Prepare a memorandum to Miss Phakamile Mhlongo in which you describe any non- compliance and
potential non-compliance by BNL with the King Code IV, Report on Corporate Governance for South
Africa 2016. (22 Marks)

57 MANCOSA – Postgraduate Diploma in Risk Management

 Auditing for Risk

Unit
4: General Principles of Auditing

MANCOSA – Postgraduate Diploma in Risk Management 58

Auditing for Risk

Unit Learning Outcomes and Associated Assessment Criteria

LEARNING OUTCOMES OF THIS UNIT: ASSOCIATED ASSESSMENT CRITERIA OF THIS UNIT:

Identify what internal controls are Illustrations and activities are provided to help identify
internal controls

Explain the necessity of Audit evidence Relevant activity and tables are provided to assist in
the explanation of audit evidence

Can utilise various audit tools to various audit Case study and activities are provided to help utilise
scenarios. the various audit tools available in applicable
scenarios

Summary
The Unit looks at the internal control employed by entities. What the auditor does when gatherings evidence to form and
opinion. Lastly, the mechanisms that are employed by auditors to gather such evidence.

Prescribed / Recommended Reading

Singleton, T. W. & Singleton, A. J. (2010). Fraud Auditing and Forensic Accounting.

4th Edition. Wiley & Sons Publishing.

Bologna, G, T. & Lindquist, R, T. (1995). Fraud Auditing and Forensic Accounting:

new Tools and Techniques. Wiley & Sons

Dutta, S, K. (2013). Statistical Techniques for Forensic Accounting: Understanding

the Theory and Application of data analysis. Pearson.

Hopwood, W., Young, G. & Leiner, J. (2012). Forensic Accounting and Fraud
Examination. 2nd Edition. McGraw-Hill.

Albrecht, W, S., Albrecht, C, O., Albrecht, C, C. & Zimbelman, M, F, (2016). Fraud

Examination. 5th Edition. Cengage Learning

59 MANCOSA – Postgraduate Diploma in Risk Management

 Auditing for Risk

4.1 Internal control

The Turnbull Report, first published in 1999, defined internal control and its scope as follows:
‘The policies, processes, tasks, behaviours and other aspects of an organisation that taken together:
Facilitate effective operation by enabling it to respond in an appropriate manner to significant business, operational,
financial, compliance and other risks to achieve its objectives. This includes safeguarding of assets and ensuring that
liabilities are identified and managed (Von Wielligh & Prinsloo, 2014).

Ensure the quality of internal and external reporting, which in turn requires the maintenance of proper records and
processes that generate a flow of timely, relevant and reliable information from both internal and external sources.

Ensure compliance with applicable laws and regulations and also with internal policies.’
Turnbull’s explanation focuses on the positive role that internal control has to play in an organisation. Facilitating efficient
operations implies improvement, and, properly applied, internal control processes add value to an organisation by
considering outcomes against original plans and then proposing ways in which they might be addressed.

At the same time, Turnbull also conceded that there is no such thing as a perfect internal control system, as all
organisations operate in a dynamic environment: just as some risks recede into insignificance, new risks will emerge,
some of which will be difficult or impossible to anticipate. The purpose of any control system should therefore be to provide
reasonable assurance that the organisation can meet its objectives.

4.1.1 Responsibilities for internal control

In many smaller, unincorporated businesses such as sole traders and unlimited partnerships, the responsibility for internal
controls often lies with the owners themselves. In most cases, the owners are fully engaged in the business itself, and if
employees are engaged, it is usually within the capability of the owners to remain fully aware of transactions and the
overall state of the business (Von Wielligh & Prinsloo, 2014).

As organisations grow, the need for internal controls increases, as the degree of specialisation increases and it becomes
impossible to remain fully aware of what is going on in every part of the business.

In a limited company, the board of directors is responsible for ensuring that appropriate internal controls are in place.
Their accountability is to the shareholders, as the director act as their agents. In turn, the directors may consider it prudent
to establish a dedicated internal control function. The point at which this decision is taken will depend on the extent to
which the benefits of function will outweigh the costs.
The directors must pay due attention to the control environment. If internal controls are to be effective, it is necessary to
create an appropriate culture and embed a commitment to robust controls throughout the organisation.

4.1.2 Generic control categories

Controls and be categorised in many different ways. Figure 1 described five categories that are often used.

MANCOSA – Postgraduate Diploma in Risk Management 60

Auditing for Risk

Figure
3Figure 1.3: Categories of controls
(Von Wielligh & Prinsloo, 2014)

Internal controls can be:

Mandatory or voluntary: Mandatory controls are those which must be applied, irrespective of circumstances. These are
widely used to prevent breached of laws or policy, as well as to minimise risks relating to health and safety. Voluntary
controls are applied according to the judgement of the organisation and its managers.

Discretionary or non-discretionary: Managers may be permitted discretion according to their interpretation or judgement
of risks in given circumstances. Non-discretionary controls must be applied.

Manual or automated: Manual controls are applied by the individual employee whereas automated controls are
programmed into the systems of the organisation. Some systems combine the two: for example, when deciding on whether
a customer should be permitted days on hand for payment, there could be automated ‘accept’ above a specified credit
rating or ‘decline’ or below a specified credit rating, and an intermediate range in which a manager may be able to override
the automated system.

General controls or application controls: This classification of controls applies specifically to information systems.
General controls help to ensure the reliability of data generated by systems, helping to ascertain whether systems operate
as intended and output is reliable. Application controls are automated and designed to ensure the complete and accurate
recording of data from input to output.

61 MANCOSA – Postgraduate Diploma in Risk Management

 Auditing for Risk

4.1.3 Common control procedures

Physical controls: These controls include restrictions on access to buildings, specified office or factory areas or
equipment, such as turnstiles at the entrance to the premises, swipe cards and passwords. They also include physical
restraints, such as fixing non-current assets to prevent removal.

Authorisation and approval limits: Many employees must adhere to authorisation limits, and these will usually be
specified in the terms of employment. For example, a junior manager may be permitted to book business flights up to the
value of $500, but for tickets costing more than this, the purchase may have to be approved by someone more senior.

Segregation of duties: To minimise the risk of errors and fraud, duties associated with cash handling are often
segregated. For example, in the post room of a company that received cash by post, the employee recording the cash will
be a different person to the one who opens the post. Segregation is also relevant to other functions. At executive level, it
is now best practice to segregate the roles of chairman and chief executive officer, and as an independent assurance
function, internal audit should be totally segregated from the finance department, with a reporting line direct to the board
of directors or the audit committee.

Management controls: These controls are operated by managers themselves. An example is variance analysis, through
which a manager may be required as part of their job to consider differences between planned outcomes and actual
performance. Performance management of subordinates is also an integral part of many managerial positions. Further
down the chain of command, supervision controls are exercised in respect of day-to-day transactions. Organisation
controls operate according to the configuration of the organisation chart and line/staff responsibilities.

Arithmetic and accounting controls: These controls are in place to ensure accurate recording and processing of
transactions. Procedures here include reconciliations and trial balances.

Human resources controls: Controls are implemented for all aspects of human resources management. Examples
include qualifications verification, references and criminal record checks on recruits, checks on staff who have to be
attested for competence and training effectiveness.
Internal check: Internal check is a system through which the accounting procedures of an organisation are so laid out
that the accounts procedures are not under the absolute and independent control of any person. The work of one employee
is complementary of that of another, enabling a continuous audit of the business to be made.
The essential elements of an internal check are:
checks are implemented on day-to-day transactions
checks operate continuously as a part of the system
the work of each person is complementary to the work of another.

By allocating duties in this way, no one person has exclusive control over any transaction.

MANCOSA – Postgraduate Diploma in Risk Management 62

Auditing for Risk

4.1.4 Limitation of internal controls

A system of controls does not provide absolute assurance that the control objectives of an organization will be met. Instead,
there are several inherent limitations in any system that reduce the level of assurance. These inherent limitations are as
follows (Von Wielligh & Prinsloo, 2014):
Collusion. Two or more people who are intended by a system of control to keep watch over each other could
instead collude to circumvent the system.
Human error. A person involved in a control system could simply make a mistake, perhaps forgetting to use a
control step. Or, the person does not understand how a control system is to be used, or does not understand the
instructions associated with the system.
Management override. Someone on the management team who has the authority to do so could override any
aspect of a control system for his personal advantage.
Missing segregation of duties. A control system might have been designed with an insufficient segregation of
duties, so that one person can interfere with its proper operation.

Consequently, it must be accepted that no system of internal controls is perfect. There is always a way in which it can fail
or be circumvented.

4.2 Audit evidence

Audit evidence is evidence obtained by auditors during a financial audit and recorded in the audit working papers.
Auditors need audit evidence to see if a company has the correct information considering their financial transactions
so an auditor can confirm their financial statements.
In the audit engagement acceptance or reappointment stage, audit evidence is the information that the auditor
considers for the appointment. For example, change in the entity control environment, inherent risk and nature of the
entity business, and scope of audit work.
In the audit planning stage, audit evidence is the information that the auditor must consider for the most effective and
efficient audit approach. For example, reliability of internal control procedures, and analytical review systems.
In the control testing stage, audit evidence is the information that the auditor is to consider for the mix of audit test of
control and audit substantive tests.
In the substantive testing stage, audit evidence is the information that the auditor needs to support the appropriation
of financial statement assertions. For examples, existence, rights and obligations, occurrence, completeness,
valuation, measurement, presentation and disclosure of a particular transaction or account balance.
In the conclusion and opinion formulation stage, audit evidence is information that the auditor is to consider whether
the financial statements as a whole present with completeness, validity, accuracy and consistency with the auditor's
understanding of the entity.

63 MANCOSA – Postgraduate Diploma in Risk Management

 Auditing for Risk

Audit evidence generally refers to the information collected for reviewing the financial transactions of a company in addition
to its internal control practices and other essential factors required for the certification of financial statements. The type
and amount of the considered auditing evidence varies significantly on the basis of the type of organization being audited
in addition to the required scope of the audit. The audit evidence are important to be collected by an auditor during the
process of his auditing work (Von Wielligh & Prinsloo, 2014).

The main objective of any audit is to find out the compliance of a company’s financial statements with the GAAP applicable
to the jurisdiction of the entity. The publicly traded companies are usually required to present fully audited financial
statements to shareholders at regular intervals.

4.2.1 Methods of obtaining Audit Evidence (Jackson & Stent, 2016)

Audit evidence is one of the basic principles that govern an audit. There are various methods that can be adopted to
obtain audit evidence. The most common ones include:
Inspection
This is the most efficient method of obtaining audit evidence. Inspection refers to checking all the documents, records,
and physical assets. The reliability of these documents and records depends upon the nature and effectiveness of
internal control.

Observation
Another important method of obtaining audit evidence is observation. This method involves the auditor to look at a
process of procedure being executed by others. This method can be exemplified by the auditors’ presence at the clients’
physical stock count.

Inquiry and confirmation

The two aspects of this method include searching about the info from a knowledgeable person inside or outside the
company, and responding to any inquiry to substantiate information in the accounting records. These responses might
provide the auditor with info which is not previously possessed by him or even with corroborative evidence.

Computation
This method of obtaining evidence involves the examination of arithmetical accuracy of source documents and
accounting records. The method might also involve performing individual calculations.

Analytical review
This method involves conducting a study of important ratios and trends and examining unusual fluctuations and items.

4.2.2 Sufficient appropriate evidence

Remember that an auditor is not an absolute guarantor. In fact, in the auditor’s report, the auditor will use phrases such
as “reasonable assurance” or “audit evidence we have obtained is sufficient and appropriate to provide a basis of our audit
opinion.” Hence, normally an auditor will rely more on audit evidence that is persuasive rather than on evidence that is
100% conclusive. The sufficiency of evidence relates to the quantity, and the appropriateness of evidence relates to the
quality of the evidence.

MANCOSA – Postgraduate Diploma in Risk Management 64

Auditing for Risk

4Table 1.4 Sufficient Appropriate Evidence

Sufficient (Quantity) Appropriate (Quality)

How much evidence is enough? Relates to relevance and reliability

Judgment is involved and factors impacting the sample size

Relevance – The audit evidence assists the auditor in
include the auditor’s expectation of errors, and the
achieving the management assertion
effectiveness of client’s internal controls

Reliability – Depends on the nature (documentary,

Larger sample size means more audit work and higher costs visual, oral) and source (auditor, third party, and client)
of the audit evidence

(Jackson & Stent, 2016)

4.2.3 Nature, extent and timing of evidence
Recall that the auditor’s role is to obtain sufficient appropriate audit evidence to be able to draw reasonable conclusions
on which to base their audit opinion. The auditor needs to obtain evidence to support each assertion that management is
proposing.

What exactly constitutes evidence? Audit Evidence refers to the source documents and accounting records (i.e.,
ledgers, journals) that support the financial statements and all other information that is pertinent to the audit. In deciding
how to collect this evidence, an auditor must plan three important factors: the nature, extent, and timing of the audit
evidence.
5Table 1.5: Nature, Extent, and Timing of Evidence

Definition Example

Which audit procedure to use? An audit Confirm the accounts receivable balance with the
Nature procedure is a detailed instruction for the customer or check accounts receivable collections
collection of particular audit evidence. after year end

An accounts receivable balanced over a threshold

a) Sample size such as R10, 000 may be labelled as one with “high-
Extent
b) Which items to select from the population? value” that will be tested. Other non-high-value
items will be selected from a population

At year end or interim phase. For example, an

When to perform the particular audit
Timing inventory count observation at December 31 or
procedure and NOT how long it takes to do?
October 31?
(Jackson & Stent, 2016)

65 MANCOSA – Postgraduate Diploma in Risk Management

 Auditing for Risk

4.3 The auditor’s toolbox

4.3.1 Auditing technique
Auditing technique is defined as any technique used by auditors to determine deviations from actual accounting and
controls established by a business or organization as well as uncovering problems in established processes and controls.
Auditing techniques can be used to aid organizations by uncovering errors in business practices and providing a means
of correction. Some businesses have used irregular accounting methods to hide certain monetary transactions and non-
compliant behaviour which has been uncovered by the use of varied auditing techniques. Other businesses have found
new ways to save money and streamline business practices through various auditing techniques which have found waste
in certain processes.

Auditing techniques can be used to uncover these issues in order to ensure ethical business practices and to minimize
waste or possible oversights within an organization. The applied techniques can determine if any income is hidden or
improperly categorized or reported; transactions are being completed between the organization and regulated or prohibited
persons, groups, or countries; uncovering of environmental waste discrepancies; finding of data inconsistencies; or any
other business practice that can be considered as a process error, oversight, or violation of ethics, regulations, and laws.
In the past, the ISAs listed some techniques as being controls testing techniques, and others as substantive testing
techniques. This distinction is no longer made in the ISAs, but I think it could help you:
o Controls testing techniques (listed in order from the weakest to the strongest technique):
Inquiry (about the design of a control, or compliance by staff).
Observation (of the control activity being performed).
Inspection (of documents, generally for a signature indicating that a control activity was performed).
Reperformance (of a control activity).

o Substantive testing techniques:

Inquiry.
External confirmation (typically used for bank and receivables).
Reperformance.
Recalculation.
Inspection (of a document or a tangible asset).
Analytical procedures.
Analytical procedures can be used as a testing technique (see below for more on this), but it can also be
used for other purposes.

The testing techniques do not produce equally "strong" evidence. You must understand why this is the case.

MANCOSA – Postgraduate Diploma in Risk Management 66

Auditing for Risk

4.3.2 Stages of an audit

The following are the stages of a typical audit:
Phase I Plan and Design an Audit Approach
o Accept Client and Perform Initial Planning.
o Understand the Client’s Business and Industry.
What should auditors understand?
The relevant industry, regulatory, and other external factors including the applicable financial reporting
framework
The nature of the entity
The entity's selection and application of accounting policies
The entity's objectives and strategies, and the related business risks that may result in material misstatement
of the financial statements
The measurement and review of the entity's financial performance
Internal control relevant to the audit
o Assess Client’s Business Risk
o Set Materiality and Assess Accepted Audit Risk (AAR) and Inherent Risk (IR).
o Understand Internal Control and Assess Control Risk (CR).
o Develop Overall Audit Plan and Audit Program

Phase II Perform Test of Controls and Substantive Test of Transactions

o Test of Control: if the auditor plan to reduce the determined control risk, then the auditor should perform the test of
control, to assess the operating effectiveness of internal controls (e.g. authorisation of transactions, account
reconciliations, segregation of duties) including IT General Controls. If internal controls are assessed as effective,
this will reduce (but not entirely eliminate) the amount of 'substantive' work the auditor needs to do (see below).

o Substantive test of transactions: evaluate the client’s recording of transactions by verifying the monetary amounts of
transactions, a process called substantive tests of transactions. For example, the auditor might use computer
software to compare the unit selling price on duplicate sales invoices with an electronic file of approved prices as a
test of the accuracy objective for sales transactions. Like the test of control in the preceding paragraph, this test
satisfies the accuracy transaction-related audit objective for sales. For the sake of efficiency, auditors often perform
tests of controls and substantive tests of transactions at the same time.

o Assess Likelihood of Misstatement in Financial Statement.

Notes:
o At this stage, if the auditor accepts the CR that has been set at the phase I and does not want to reduce the controls
risk, then the auditor may not perform test of control. If so, then the auditor performs substantive test of transactions.
o This test determines the amount of work to be performed i.e. substantive testing or test of details.

67 MANCOSA – Postgraduate Diploma in Risk Management

 Auditing for Risk

Phase III Perform Analytical Procedures and Tests of Details of Balances

o where internal controls are strong, auditors typically rely more on Substantive Analytical Procedures (the
comparison of sets of financial information, and financial with non-financial information, to see if the numbers 'make
sense' and that unexpected movements can be explained)
o where internal controls are weak, auditors typically rely more on Substantive Tests of Detail of Balance (selecting a
sample of items from the major account balances, and finding hard evidence (e.g. invoices, bank statements) for those
items)

Notes:
o Some audits involve a 'hard close' or 'fast close' whereby certain substantive procedures can be performed before
year-end. For example, if the year-end is 31 December, the hard close may provide the auditors with figures as at 30
November. The auditors would audit income/expense movements between 1 January and 30 November, so that after
year end, it is only necessary for them to audit the December income/expense movements and 31 December balance
sheet. In some countries and accountancy firms these are known as 'rollforward' procedures.

Phase IV Complete the Audit and Issue an Audit Report

After the auditor has completed all procedures for each audit objective and for each financial statement account and
related disclosures, it is necessary to combine the information obtained to reach an overall conclusion as to whether the
financial statements are fairly presented. This highly subjective process relies heavily on the auditor’s professional
judgment. When the audit is completed, the auditor must issue an audit report to accompany the client’s published financial
statements.

4.3.3 Audit Sampling

Audit sampling is the application of an audit procedure to less than 100 percent of the items within an account balance or
class of transactions for the purpose of evaluating some characteristic of the balance or class. This section provides
guidance for planning, performing, and evaluating audit samples.

The auditor often is aware of account balances and transactions that may be more likely to contain misstatements. He
considers this knowledge in planning his procedures, including audit sampling. The auditor usually will have no special
knowledge about other account balances and transactions that, in his judgment, will need to be tested to fulfil his audit
objectives. Audit sampling is especially useful in these cases.

There are two general approaches to audit sampling: nonstatistical and statistical. Both approaches require that the auditor
use professional judgment in planning, performing, and evaluating a sample and in relating the evidential matter produced
by the sample to other evidential matter when forming a conclusion about the related account balance or class of
transactions. Either approach to audit sampling can provide sufficient evidential matter when applied properly. This section
applies to both nonstatistical and statistical sampling.

MANCOSA – Postgraduate Diploma in Risk Management 68

Auditing for Risk

The sufficiency of evidential matter is related to the design and size of an audit sample, among other factors. The size of
a sample necessary to provide sufficient evidential matter depends on both the objectives and the efficiency of the sample.
For a given objective, the efficiency of the sample relates to its design; one sample is more efficient than another if it can
achieve the same objectives with a smaller sample size. In general, careful design can produce more efficient samples.

In a strict sense, the sample evaluation relates only to the likelihood that existing monetary misstatements or deviations
from prescribed controls are proportionately included in the sample, not to the auditor's treatment of such items. Thus, the
choice of nonstatistical or statistical sampling does not directly affect the auditor's decisions about the auditing procedures
to be applied, the appropriateness of the evidential matter obtained with respect to individual items in the sample, or the
actions that might be taken in light of the nature and cause of particular misstatements.

Note: Audit Evidence, discusses the appropriateness of audit evidence, and Evaluating Audit Results, discusses the
auditor's responsibilities for evaluating the sufficiency and appropriateness of audit evidence.

Uncertainty and Audit Sampling

Some degree of uncertainty is implicit in the concept of "a reasonable basis for an opinion" referred to in the third standard
of field work. The justification for accepting some uncertainty arises from the relationship between such factors as the cost
and time required to examine all of the data and the adverse consequences of possible erroneous decisions based on the
conclusions resulting from examining only a sample of the data. If these factors do not justify the acceptance of some
uncertainty, the only alternative is to examine all of the data. Since this is seldom the case, the basic concept of sampling
is well established in auditing practice.

Audit risk includes both uncertainties due to sampling and uncertainties due to factors other than sampling. These aspects
of audit risk are sampling risk and nonsampling risk, respectively.

Note: Audit Risk, describes audit risk and its components in a financial statement audit – the risk of material misstatement
(consisting of inherent risk and control risk) and detection risk.

Sampling risk arises from the possibility that, when a test of controls or a substantive test is restricted to a sample, the
auditor's conclusions may be different from the conclusions he would reach if the test were applied in the same way to all
items in the account balance or class of transactions. That is, a particular sample may contain proportionately more or
less monetary misstatements or deviations from prescribed controls than exist in the balance or class as a whole. For a
sample of a specific design, sampling risk varies inversely with sample size: the smaller the sample size, the greater the
sampling risk.

Nonsampling risk includes all the aspects of audit risk that are not due to sampling. An auditor may apply a procedure to
all transactions or balances and still fail to detect a material misstatement. Nonsampling risk includes the possibility of
selecting audit procedures that are not appropriate to achieve the specific objective. For example, confirming recorded

69 MANCOSA – Postgraduate Diploma in Risk Management

 Auditing for Risk

receivables cannot be relied on to reveal unrecorded receivables. Nonsampling risk also arises because the auditor may
fail to recognize misstatements included in documents that he examines, which would make that procedure ineffective
even if he were to examine all items. Nonsampling risk can be reduced to a negligible level through such factors as
adequate planning and supervision and proper conduct of a firm's audit practice

Sampling Risk

The auditor should apply professional judgment in assessing sampling risk. In performing substantive tests of details the
auditor is concerned with two aspects of sampling risk:
The risk of incorrect acceptance is the risk that the sample supports the conclusion that the recorded account
balance is not materially misstated when it is materially misstated.
The risk of incorrect rejection is the risk that the sample supports the conclusion that the recorded account
balance is materially misstated when it is not materially misstated.

The auditor is also concerned with two aspects of sampling risk in performing tests of controls when sampling is used:
The risk of assessing control risk too low is the risk that the assessed level of control risk based on the sample is
less than the true operating effectiveness of the control.
The risk of assessing control risk too high is the risk that the assessed level of control risk based on the sample
is greater than the true operating effectiveness of the control.

The risk of incorrect rejection and the risk of assessing control risk too high relate to the efficiency of the audit. For example,
if the auditor's evaluation of an audit sample leads him to the initial erroneous conclusion that a balance is materially
misstated when it is not, the application of additional audit procedures and consideration of other audit evidence would
ordinarily lead the auditor to the correct conclusion. Similarly, if the auditor's evaluation of a sample leads him to
unnecessarily assess control risk too high for an assertion, he would ordinarily increase the scope of substantive tests to
compensate for the perceived ineffectiveness of the controls. Although the audit may be less efficient in these
circumstances, the audit is, nevertheless, effective.
The risk of incorrect acceptance and the risk of assessing control risk too low relate to the effectiveness of an audit in
detecting an existing material misstatement. These risks are discussed in the following paragraphs.

Sampling in Substantive Tests of Details

Planning involves developing a strategy for conducting an audit of financial statements.
When planning a particular sample for a substantive test of details, the auditor should consider
The relationship of the sample to the relevant audit objective.
Tolerable misstatement.
The auditor's allowable risk of incorrect acceptance.
Characteristics of the population, that is, the items comprising the account balance or class of transactions of
interest.

MANCOSA – Postgraduate Diploma in Risk Management 70

Auditing for Risk

When planning a particular sample, the auditor should consider the specific audit objective to be achieved and should
determine that the audit procedure, or combination of procedures, to be applied will achieve that objective. The auditor
should determine that the population from which he draws the sample is appropriate for the specific audit objective. For
example, an auditor would not be able to detect understatements of an account due to omitted items by sampling the
recorded items. An appropriate sampling plan for detecting such understatements would involve selecting from a source
in which the omitted items are included. To illustrate, subsequent cash disbursements might be sampled to test recorded
accounts payable for understatement because of omitted purchases, or shipping documents might be sampled for
understatement of sales due to shipments made but not recorded as sales.

Evaluation in monetary terms of the results of a sample for a substantive test of details contributes directly to the auditor's
purpose, since such an evaluation can be related to his or her judgment of the monetary amount of misstatements that
would be material. When planning a sample for a substantive test of details, the auditor should consider how much
monetary misstatement in the related account balance or class of transactions may exist, in combination with other
misstatements, without causing the financial statements to be materially misstated. This maximum monetary misstatement
for the account balance or class of transactions is called tolerable misstatement.

Consideration of Materiality in Planning and Performing an Audit, describe the auditor's responsibilities for determining
tolerable misstatement at the account or disclosure level. When the population to be sampled constitutes a portion of an
account balance or transaction class, the auditor should determine tolerable misstatement for the population to be sampled
for purposes of designing the sampling plan. Tolerable misstatement for the population to be sampled ordinarily should be
less than tolerable misstatement for the account balance or transaction class to allow for the possibility that misstatement
in the portion of the account or transaction class not subject to audit sampling, individually or in combination with other
misstatements, would cause the financial statements to be materially misstated.

The second standard of field work states, "A sufficient understanding of the internal control structure is to be obtained to
plan the audit and to determine the nature, timing, and extent of tests to be performed." After assessing and considering
the levels of inherent and control risks, the auditor performs substantive tests to restrict detection risk to an acceptable
level. As the assessed levels of inherent risk, control risk, and detection risk for other substantive procedures directed
toward the same specific audit objective decreases, the auditor's allowable risk of incorrect acceptance for the substantive
tests of details increases and, thus, the smaller the required sample size for the substantive tests of details. For example,
if inherent and control risks are assessed at the maximum, and no other substantive tests directed toward the same specific
audit objectives are performed, the auditor should allow for a low risk of incorrect acceptance for the substantive tests of
details. Thus, the auditor would select a larger sample size for the tests of details than if he allowed a higher risk of incorrect
acceptance.

The sufficiency of tests of details for a particular account balance or class of transactions is related to the individual
importance of the items examined as well as to the potential for material misstatement. When planning a sample for a
substantive test of details, the auditor uses his judgment to determine which items, if any, in an account balance or class
of transactions should be individually examined and which items, if any, should be subject to sampling. The auditor should

71 MANCOSA – Postgraduate Diploma in Risk Management

 Auditing for Risk

examine those items for which, in his judgment, acceptance of some sampling risk is not justified. For example, these may
include items for which potential misstatements could individually equal or exceed the tolerable misstatement. Any items
that the auditor has decided to examine 100 percent are not part of the items subject to sampling. Other items that, in the
auditor's judgment, need to be tested to fulfil the audit objective but need not be examined 100 percent, would be subject
to sampling.

The auditor may be able to reduce the required sample size by separating items subject to sampling into relatively
homogeneous groups on the basis of some characteristic related to the specific audit objective. For example, common
bases for such groupings are the recorded or book value of the items, the nature of controls related to processing the
items, and special considerations associated with certain items. An appropriate number of items is then selected from
each group.

To determine the number of items to be selected in a sample for a particular substantive test of details, the auditor should
take into account tolerable misstatement for the population; the allowable risk of incorrect acceptance (based on the
assessments of inherent risk, control risk, and the detection risk related to the substantive analytical procedures or other
relevant substantive tests); and the characteristics of the population, including the expected size and frequency of
misstatements.

Table 1 of the Appendix describes the effects of the factors discussed in the preceding paragraph on sample sizes in a
statistical or non-statistical sampling approach. When circumstances are similar, the effect on sample size of those factors
should be similar regardless of whether a statistical or non-statistical approach is used. Thus, when a non-statistical
sampling approach is applied properly, the resulting sample size ordinarily will be comparable to, or larger than, the sample
size resulting from an efficient and effectively designed statistical sample.

Sample Selection
Sample items should be selected in such a way that the sample can be expected to be representative of the population.
Therefore, all items in the population should have an opportunity to be selected. For example, haphazard and random-
based selection of items represents two means of obtaining such samples.

Performance and Evaluation

Auditing procedures that are appropriate to the particular audit objective should be applied to each sample item. In some
circumstances the auditor may not be able to apply the planned audit procedures to selected sample items because, for
example, supporting documentation may be missing. The auditor's treatment of unexamined items will depend on their
effect on his evaluation of the sample. If the auditor's evaluation of the sample results would not be altered by considering
those unexamined items to be misstated, it is not necessary to examine the items. However, if considering those
unexamined items to be misstated would lead to a conclusion that the balance or class contains material misstatement,
the auditor should consider alternative procedures that would provide him with sufficient evidence to form a conclusion.
The auditor also should evaluate whether the reasons for his or her inability to examine the items have (a) implications in
relation to his or her risk assessments (including the assessment of fraud risk), (b) implications regarding the integrity of
management or employees, and (c) possible effects on other aspects of the audit.

MANCOSA – Postgraduate Diploma in Risk Management 72

Auditing for Risk

The auditor should project the misstatement results of the sample to the items from which the sample was selected. There
are several acceptable ways to project misstatements from a sample. For example, an auditor may have selected a sample
of every twentieth item (50 items) from a population containing one thousand items. If he discovered overstatements of
R3,000 in that sample, the auditor could project a R60,000 overstatement by dividing the amount of misstatement in the
sample by the fraction of total items from the population included in the sample. The auditor should add that projection to
the misstatements discovered in any items examined 100 percent. This total projected misstatement should be compared
with the tolerable misstatement for the account balance or class of transactions, and appropriate consideration should be
given to sampling risk. If the total projected misstatement is less than tolerable misstatement for the account balance or
class of transactions, the auditor should consider the risk that such a result might be obtained even though the true
monetary misstatement for the population exceeds tolerable misstatement. For example, if the tolerable misstatement in
an account balance of R1 million is R50,000 and the total projected misstatement based on an appropriate sample (see
paragraph .23) is R10,000, he may be reasonably assured that there is an acceptably low sampling risk that the true
monetary misstatement for the population exceeds tolerable misstatement. On the other hand, if the total projected
misstatement is close to the tolerable misstatement, the auditor may conclude that there is an unacceptably high risk that
the actual misstatements in the population exceed the tolerable misstatement. An auditor uses professional judgment in
making such evaluations.

In addition to the evaluation of the frequency and amounts of monetary misstatements, consideration should be given to
the qualitative aspects of the misstatements. These include (a) the nature and cause of misstatements, such as whether
they are differences in principle or in application, are errors or are caused by fraud, or are due to misunderstanding of
instructions or to carelessness, and (b) the possible relationship of the misstatements to other phases of the audit. The
discovery of fraud ordinarily requires a broader consideration of possible implications than does the discovery of an error.

If the sample results suggest that the auditor's planning assumptions were incorrect, he should take appropriate action.
For example, if monetary misstatements are discovered in a substantive test of details in amounts or frequency that is
greater than is consistent with the assessed levels of inherent and control risk, the auditor should alter his risk
assessments. The auditor should also consider whether to modify the other audit tests that were designed based upon
the inherent and control risk assessments. For example, a large number of misstatements discovered in confirmation of
receivables may indicate the need to reconsider the control risk assessment related to the assertions that impacted the
design of substantive tests of sales or cash receipts.

The auditor should relate the evaluation of the sample to other relevant audit evidence when forming a conclusion about
the related account balance or class of transactions.

Projected misstatement results for all audit sampling applications and all known misstatements from non-sampling
applications should be considered in the aggregate along with other relevant audit evidence when the auditor evaluates
whether the financial statements taken as a whole may be materially misstated.

73 MANCOSA – Postgraduate Diploma in Risk Management

 Auditing for Risk

4.3.4 Sampling in Tests of Controls

Planning Samples
When planning a particular audit sample for a test of controls, the auditor should consider
The relationship of the sample to the objective of the test of controls.
The maximum rate of deviations from prescribed controls that would support his planned assessed level of control
risk.
The auditor's allowable risk of assessing control risk too low.
Characteristics of the population, that is, the items comprising the account balance or class of transactions of
interest.

For many tests of controls, sampling does not apply. Procedures performed to obtain an understanding of internal control
sufficient to plan an audit do not involve sampling. Sampling generally is not applicable to tests of controls that depend
primarily on appropriate segregation of duties or that otherwise provide no documentary evidence of performance. In
addition, sampling may not apply to tests of certain documented controls. Sampling may not apply to tests directed toward
obtaining evidence about the design or operation of the control environment or the accounting system. For example,
inquiry or observation of explanation of variances from budgets when the auditor does not desire to estimate the rate of
deviation from the prescribed control.

When designing samples for tests of controls the auditor ordinarily should plan to evaluate operating effectiveness in terms
of deviations from prescribed controls, as to either the rate of such deviations or the monetary amount of the related
transactions. In this context, pertinent controls are ones that, had they not been included in the design of internal control
would have adversely affected the auditor's planned assessed level of control risk. The auditor's overall assessment of
control risk for a particular assertion involves combining judgments about the prescribed controls, the deviations from
prescribed controls, and the degree of assurance provided by the sample and other tests of controls.

The auditor should determine the maximum rate of deviations from the prescribed control that he would be willing to accept
without altering his planned assessed level of control risk. This is the tolerable rate. In determining the tolerable rate, the
auditor should consider (a) the planned assessed level of control risk, and (b) the degree of assurance desired by the
evidential matter in the sample. For example, if the auditor plans to assess control risk at a low level, and he desires a
high degree of assurance from the evidential matter provided by the sample for tests of controls (i.e., not perform other
tests of controls for the assertion), he might decide that a tolerable rate of 5 percent or possibly less would be reasonable.
If the auditor either plans to assess control risk at a higher level, or he desires assurance from other tests of controls along
with that provided by the sample (such as inquiries of appropriate entity personnel or observation of the application of the
policy or procedure), the auditor might decide that a tolerable rate of 10 percent or more is reasonable.

In assessing the tolerable rate of deviations, the auditor should consider that, while deviations from pertinent controls
increase the risk of material misstatements in the accounting records, such deviations do not necessarily result in
misstatements. For example, a recorded disbursement that does not show evidence of required approval may

MANCOSA – Postgraduate Diploma in Risk Management 74

Auditing for Risk

nevertheless be a transaction that is properly authorized and recorded. Deviations would result in misstatements in the
accounting records only if the deviations and the misstatements occurred on the same transactions. Deviations from
pertinent controls at a given rate ordinarily would be expected to result in misstatements at a lower rate.

In some situations, the risk of material misstatement for an assertion may be related to a combination of controls. If a
combination of two or more controls is necessary to affect the risk of material misstatement for an assertion, those controls
should be regarded as a single procedure, and deviations from any controls in combination should be evaluated on that
basis.
Samples taken to test the operating effectiveness of controls are intended to provide a basis for the auditor to conclude
whether the controls are being applied as prescribed. When the degree of assurance desired by the evidential matter in
the sample is high, the auditor should allow for a low level of sampling risk (that is, the risk of assessing control risk too
low).

To determine the number of items to be selected for a particular sample for a test of controls, the auditor should consider
the tolerable rate of deviation from the controls being tested, the likely rate of deviations, and the allowable risk of assessing
control risk too low. When circumstances are similar, the effect on sample size of those factors should be similar regardless
of whether a statistical or non-statistical approach is used. Thus, when a non-statistical sampling approach is applied
properly, the resulting sample size ordinarily will be comparable to, or larger than, the sample size resulting from an efficient
and effectively designed statistical sample.

Sample Selection
Sample items should be selected in such a way that the sample can be expected to be representative of the population.
Therefore, all items in the population should have an opportunity to be selected. Random-based selection of items
represents one means of obtaining such samples. Ideally, the auditor should use a selection method that has the potential
for selecting items from the entire period under audit. The Auditor's Responses to the Risks of Material Misstatement,
describe the auditor's responsibilities for performing procedures between the interim date of testing and period end.

Performance and Evaluation

Auditing procedures that are appropriate to achieve the objective of the test of controls should be applied to each sample
item. If the auditor is not able to apply the planned audit procedures or appropriate alternative procedures to selected
items, he should consider the reasons for this limitation, and he should ordinarily consider those selected items to be
deviations from the prescribed policy or procedure for the purpose of evaluating the sample.

The deviation rate in the sample is the auditor's best estimate of the deviation rate in the population from which it was
selected. If the estimated deviation rate is less than the tolerable rate for the population, the auditor should consider the
risk that such a result might be obtained even though the true deviation rate for the population exceeds the tolerable rate
for the population. For example, if the tolerable rate for a population is 5 percent and no deviations are found in a sample
of 60 items, the auditor may conclude that there is an acceptably low sampling risk that the true deviation rate in the
population exceeds the tolerable rate of 5 percent. On the other hand, if the sample includes, for example, two or more

75 MANCOSA – Postgraduate Diploma in Risk Management

 Auditing for Risk

deviations, the auditor may conclude that there is an unacceptably high sampling risk that the rate of deviations in the
population exceeds the tolerable rate of 5 percent. An auditor applies professional judgment in making such an evaluation.

In addition to the evaluation of the frequency of deviations from pertinent procedures, consideration should be given to the
qualitative aspects of the deviations. These include (a) the nature and cause of the deviations, such as whether they are
errors or irregularities or are due to misunderstanding of instructions or to carelessness, and (b) the possible relationship
of the deviations to other phases of the audit. The discovery of an irregularity ordinarily requires a broader consideration
of possible implications than does the discovery of an error.

If the auditor concludes that the sample results do not support the planned assessed level of control risk for an assertion,
he should re-evaluate the nature, timing, and extent of substantive procedures based on a revised consideration of the
assessed level of control risk for the relevant financial statement assertions.

Selecting a Sampling Approach

As discussed in paragraph .03, either a non-statistical or statistical approach to audit sampling, when properly applied,
can provide sufficient evidential matter.

Statistical sampling helps the auditor (a) to design an efficient sample, (b) to measure the sufficiency of the evidential
matter obtained, and (c) to evaluate the sample results. By using statistical theory, the auditor can quantify sampling risk
to assist himself in limiting it to a level he considers acceptable. However, statistical sampling involves additional costs of
training auditors, designing individual samples to meet the statistical requirements, and selecting the items to be examined.
Because either non-statistical or statistical sampling can provide sufficient evidential matter, the auditor chooses between
them after considering their relative cost and effectiveness in the circumstances.

Audit sampling is the use of an audit procedure on a selection of the items within an account balance or class of
transactions. The sampling method used should yield an equal probability that each unit in the sample could be selected.
The intent behind doing so is to evaluate some aspect of the information. Audit sampling is needed when population sizes
are large, since examining the entire population would be highly inefficient. There are multiple ways to engage in audit
sampling, including the following:
Block sampling. A consecutive series of items are selected for review. Though this approach may be efficient,
there is a risk that a block of items will not reflect the characteristics of the entire population.
Haphazard sampling. There is no structured approach to how items are selected. However, the person doing the
selections will probably skew the selections (even if inadvertently), so the selections are not truly random.
Personal judgment. The auditor uses her own judgment to select items, perhaps favouring items that have larger
monetary values or which appear to have a higher level of risk associated with them.
Random sampling. A random number generator is used to make selections. This approach is the most
theoretically correct, but can require more time to make selections.

MANCOSA – Postgraduate Diploma in Risk Management 76

Auditing for Risk

Stratified sampling. The auditor splits the population into different sections (such as high value and low value)
and then selects from each section.
Systematic sampling. Selections are taken from the population at fixed intervals, such as every 20th item. This
tends to be a relatively efficient sampling technique.

4.5 Summary
This Unit introduced the notion of internal controls with an entity, audit eveidence that is needed by auditors to express
an opinion and the tools used by auditors in collecting such evidence.

You are required to:

Activity
You may come across activities that ask you to carry out specific tasks. In most cases,
there are no right or wrong answers to these activities. The aim of the activities is to
give you an opportunity to apply what you have learned.

An auditor’s audit opinion and report are based on audit evidence that the auditor collected during the “obtaining audit
evidence” phase of the audit process, and which is contained in the auditor’s working papers (audit documentation).

Describe the requirements for audit evidence. (8 Marks)

77 MANCOSA – Postgraduate Diploma in Risk Management

 Auditing for Risk

Answers to Activity

1. The audit evidence needs to be:

a) Sufficient (in quantity); and
b) Appropriate (in quality).

2. The sufficiency and appropriateness of audit evidence are interrelated.

3. The quantity of audit evidence required is affected by the auditor’s assessment of risk of material misstatement
(the higher the assessed risks, the more audit evidence is likely to be required.

4. The quantity of audit evidence required is affected by the quality of evidence (the higher the quality, the less audit
evidence may be required)

5. When determining the quality (appropriateness) of audit evidence, the relevance (1) and reliability (1) of such
evidence is taken into account.

6. The relevance of the audit evidence refers to the logical connection to, or bearing upon, the purpose of the audit
procedure and, where appropriate, the assertion under consideration.

7. The reliability of audit evidence is influenced by the source, the nature of the evidence, external evidence and
evidence developed by the auditors.
Available
Maximum

MANCOSA – Postgraduate Diploma in Risk Management 78

Auditing for Risk

Case Study

Case Studies will give you an opportunity to apply theory to practice.

Case study 4.1

E-buy sells retail products online via its website and mobile application called E-mobile. There are 25 categories of
products, ranging from electronics, lifestyle, media and computer games to fashion items. E-buy owns all the products it
sells to its customers. E-buy outsources the delivery of purchased products to Fast Delivery (Pty) Ltd (‘Fast Delivery’), a
company that specialises in the delivery of e-commerce retailers’ sale products. E-buy has one warehouse in
Johannesburg and another in Cape Town.

E-buy makes use of an enterprise resource planning (ERP) programme called SmartCount. SmartCount was specifically
tailored to the needs of the business so as to provide seamless and direct access to both E-buy warehouses by Fast
Delivery via a wide area network (WAN). SmartCount is hosted on a server situated at E-buy’s head office in
Johannesburg. E-buy makes use of firewalls to prevent unauthorised access to the SmartCount system, the WAN
connection and its server. The firewalls are updated regularly by E-buy’s IT department.

It is E-buy’s policy that all employee profiles and passwords should comply with E-buy’s data protection policy. These
profiles determine their access levels and authorisation limits. The policy includes password composition, password validity
timeframes, password automatic system changes and secrecy of passwords.

The process that customers follow is exactly the same for purchases of E-buy products via the E-buy website and E-
mobile. Market research has shown that most customers prefer using E-mobile. E-buy only accepts payment by credit
card.

You are required to:

Describe, with reference to the information provided under the headings: background, registering a profile, shopping,
checkout and payment, the tests of controls you would perform to test the occurrence of E-buy’s sales for FY2017.
(15 Marks)

79 MANCOSA – Postgraduate Diploma in Risk Management

 Auditing for Risk

Unit
5: The Important Elements
of the Internal Process

MANCOSA – Postgraduate Diploma in Risk Management 80

Auditing for Risk

Unit Learning Outcomes and Associated Assessment Criteria

LEARNING OUTCOMES OF THIS UNIT: ASSOCIATED ASSESSMENT CRITERIA OF THIS UNIT:

Detail all step of the audit process Illustrations and activities are provided to help
understand the steps of the audit process

Use preliminary engagement activities to Case study and examples are provided to assist in
accept or continue a client utilising preliminary engagements activities when
deciding on whether an audit should be accepted or
not

Describe what are audit assertions and what Examples and activities are provided to help
are they used for describe the different audit assertions which can be
used when conducting an audit

Understanding audit risk Case study is provided to understand audit risk

Understand the concept of materiality and its Activities and case study are provided to understand
uses the concept of materiality

Summary
The Unit explores the various stages of an audit process. The various aspects are being considered by auditors when they
accept or continue a relationship with a client. The role that is played by audit risk on an entire audit and lastly, how auditors
utilise materiality in audit scenarios.

Prescribed / Recommended Reading

Singleton, T. W. & Singleton, A. J. (2010). Fraud Auditing and Forensic Accounting. 4th
Edition. Wiley & Sons Publishing.
Bologna, G, T. & Lindquist, R, T. (1995). Fraud Auditing and Forensic Accounting: new
Tools and Techniques. Wiley & Sons
Dutta, S, K. (2013). Statistical Techniques for Forensic Accounting: Understanding the
Theory and Application of data analysis. Pearson.
Hopwood, W., Young, G. & Leiner, J. (2012). Forensic Accounting and Fraud Examination.
2nd Edition. McGraw-Hill.
Albrecht, W, S., Albrecht, C, O., Albrecht, C, C. & Zimbelman, M, F, (2016). Fraud
Examination. 5th Edition. Cengage Learning

81 MANCOSA – Postgraduate Diploma in Risk Management

 Auditing for Risk

5.1. Overview of the audit process

Although every audit project is unique, the audit process is similar for most engagements and normally consists of four
stages: Planning (sometimes called Survey or Preliminary Review), Fieldwork, Audit Report, and Follow-up Review. Client
involvement is critical at each stage of the audit process. As in any special project, an audit results in a certain amount of
time being diverted from your department's usual routine. One of the key objectives is to minimize this time and avoid
disrupting ongoing activities. The following figure depicts the process:

4Figure 1.4: The audit process

(Von Wielligh & Prinsloo, 2014)

MANCOSA – Postgraduate Diploma in Risk Management 82

Auditing for Risk

5.1.1 THE ROLE OF THE INTERNATIONAL STANDARDS ON AUDITING (ISAs) IN THE AUDIT PROCESS
South Africa has adopted the IFAC auditing standards (ISAs). The standards provide guidance on how the audit process
is to be conducted. The statements in which the standards are documented, do not contain detailed lists of procedures.
They stipulate an objective and provide explanatory comment on how the standard should be achieved. There are
standards which are directly applicable to each stage of the audit, for example (this list is by no means exhaustive):

Preliminary stage ISA 210 – Agreeing the terms of audit engagements

ISA 220 – Quality control for an audit of financial statements
Planning stage ISA 300 – Planning an audit of financial statements
ISA 315 (Revised) – Identifying and assessing the risks of material
misstatement through understanding the entity and its environment
ISA 320 – Materiality in planning and performing an audit
Responding to risk stage ISA 330 – The auditor’s responses to assessed risks
ISA 500 – Audit Evidence
ISA 530 – Audit Sampling
Concluding stage ISA 450 – Evaluation of misstatements identified during the audit
ISA 700 – Forming an opinion and reporting on financial statements
ISA 705 – Modifications to the opinion in the independent auditor’s report

5.2. Preliminary engagement activities

5.2.1 ISA 210 – Agreeing the terms of the audit
Planning an audit involves establishing the overall audit strategy for the engagement and developing an audit plan.
Adequate planning benefits the audit of financial statements in several ways, including the following:
Helping the auditor to devote appropriate attention to important areas of the audit.
Helping the auditor identify and resolve potential problems on a timely basis.
Helping the auditor properly organize and manage the audit engagement so that it is performed in an effective
and efficient manner.
Assisting in the selection of engagement team members with appropriate levels of capabilities and competence
to respond to anticipated risks, and the proper assignment of work to them.
Facilitating the direction and supervision of engagement team members and the review of their work.
Assisting, where applicable, in coordination of work done by auditors of components and experts.

5.2.2 Preliminary Engagement Activities

The auditor shall undertake the following activities at the beginning of the current audit engagement:
(a) Performing procedures required by ISA 220 regarding the continuance of the client relationship and the specific audit
engagement;
(b) Evaluating compliance with relevant ethical requirements, including independence, in accordance with ISA 220;2 and
(c) Establishing an understanding of the terms of the engagement, as required by ISA 210.3

83 MANCOSA – Postgraduate Diploma in Risk Management

 Auditing for Risk

5.2.3 1.2.1.2 Planning Activities

The auditor shall establish an overall audit strategy that sets the scope, timing and direction of the audit, and that guides
the development of the audit plan.
In establishing the overall audit strategy, the auditor shall:
(a) Identify the characteristics of the engagement that define its scope;
(b) Ascertain the reporting objectives of the engagement to plan the timing of the audit and the nature of the
communications required;
(c) Consider the factors that, in the auditor’s professional judgment, are significant in directing the engagement team’s
efforts;
(d) Consider the results of preliminary engagement activities and, where applicable, whether knowledge gained on other
engagements performed by the engagement partner for the entity is relevant; and
(e) Ascertain the nature, timing and extent of resources necessary to perform the engagement.

9. The auditor shall develop an audit plan that shall include a description of:
(a) The nature, timing and extent of planned risk assessment procedures
(b) The nature, timing and extent of planned further audit procedures at the assertion level
(c) Other planned audit procedures that are required to be carried out so that the engagement complies with ISAs.
10. The auditor shall update and change the overall audit strategy and the audit plan as necessary during the course of
the audit.
11. The auditor shall plan the nature, timing and extent of direction and supervision of engagement team members and
the review of their work.

5.3. Audit assertions

In preparing financial statements, management is making implicit or explicit claims (i.e. assertions) regarding the
recognition, measurement and presentation of assets, liabilities, equity, income, expenses and disclosures in accordance
with the applicable financial reporting framework (e.g. IFRS).
For example, if a balance sheet of an entity shows buildings with carrying amount of R10 million, the auditor shall assume
that the management has claimed that:
The buildings recognized in the balance sheet exist at the period end;
The entity owns or controls those buildings;
The buildings are valued accurately in accordance with the measurement basis;
All buildings owned and controlled by the entity are included within the carrying amount of R10 million.

MANCOSA – Postgraduate Diploma in Risk Management 84

Auditing for Risk

Types & Examples

Assertions may be classified into the following types:

Assertions relating to classes of transactions

Assertions Explanation Examples: Salaries & Wages Cost

Salaries & wages expense has been incurred during the period in
Transactions recognized in the
respect of the personnel employed by the entity. Salaries and
Occurrence financial statements have occurred
wages expense does not include the payroll cost of any
and relate to the entity.
unauthorized personnel.

All transactions that were supposed

to be recorded have been Salaries and wages cost in respect of all personnel have been
Completeness
recognized in the financial fully accounted for.
statements.

Transactions have been recorded Salaries and wages cost has been calculated accurately. Any
Accuracy accurately at their appropriate adjustments such as tax deduction at source have been correctly
amounts. reconciled and accounted for.

Salaries and wages cost recognized during the period relates to

Transactions have been recognized the current accounting period. Any accrued and prepaid
Cut-off
in the correct accounting periods. expenses have been accounted for correctly in the financial
statements.

Salaries and wages cost has been fairly allocated between:

Transactions have been classified -Operating expenses incurred in production activities;
Classification and presented fairly in the financial -General and administrative expenses; and
statements. -Cost of personnel relating to any self-constructed assets other
than inventory.

5Figure 1.5 Assertions

(Jackson & Stent, 2016)

85 MANCOSA – Postgraduate Diploma in Risk Management

 Auditing for Risk

Assertions relating to assets, liabilities and equity balances at the period end

Assertions Explanation Examples: Inventory balance

Assets, liabilities and equity

Existence Inventory recognized in the balance sheet exists at the period end.
balances exist at the period end.

All assets, liabilities and equity

All inventory units that should have been recorded have been
balances that were supposed to
recognized in the financial statements. Any inventory held by a
Completeness be recorded have been
third party on behalf of the audit entity has been included in the
recognized in the financial
inventory balance.
statements.

Entity has the right to ownership

Audit entity owns or controls the inventory recognized in the
or use of the recognized assets,
Rights & financial statements. Any inventory held by the audit entity on
and the liabilities recognized in
Obligations account of another entity has not been recognized as part of
the financial statements represent
inventory of the audit entity.
the obligations of the entity.

Inventory has been recognized at the lower of cost and net

realizable value in accordance with IAS 2 Inventories. Any costs
Assets, liabilities and equity that could not be reasonably allocated to the cost of production
Valuation balances have been valued (e.g. general and administrative costs) and any abnormal wastage
appropriately. has been excluded from the cost of inventory. An acceptable
valuation basis has been used to value inventory cost at the period
end (e.g. FIFO, AVCO, etc.)

(Jackson & Stent, 2016)

MANCOSA – Postgraduate Diploma in Risk Management 86

Auditing for Risk

Assertions relating to presentation and disclosures

Assertions Explanation Examples: Related Party Disclosures

Transactions and events disclosed in the Transactions with related parties disclosed in the
Occurrence financial statements have occurred and notes of financial statements have occurred during
relate to the entity. the period and relate to the audit entity.

All transactions, balances, events and other

All related parties, related party transactions and
matters that should have been disclosed
Completeness balances that should have been disclosed have
have been disclosed in the financial
been disclosed in the notes of financial statements.
statements.

The nature of related party transactions, balances

Disclosed events, transactions, balances
and events has been clearly disclosed in the notes
and other financial matters have been
of financial statements. Users of the financial
Classification & classified appropriately and presented
statements can clearly determine the financial
Understandability clearly in a manner that promotes the
statement captions affected by the related party
understandability of information contained in
transactions and balances and can easily ascertain
the financial statements.
their financial effect.

Transactions, events, balances and other Related party transactions, balances and events
Accuracy &
financial matters have been disclosed have been disclosed accurately at their appropriate
Valuation
accurately at their appropriate amounts. amounts.
(Jackson & Stent, 2016)

5.4. Understanding audit risk

Audit risk is the risk that the auditor will express an inappropriate audit opinion on financial statements that contain material
misstatements. From audit risk stems a concept called “acceptable level of audit risk.” The acceptable level of audit risk is
what the auditor determines is acceptable for the specific company being audited. The key point is that the auditor, not the
entity being audited, chooses what is an acceptable level of risk. The lower the level of acceptable audit risk, the higher
the desired level of assurance/certainty, and vice versa.

5.4.1 Explanation
Audit risk is the risk that an auditor issues an incorrect opinion on the financial statements. Examples of inappropriate
audit opinions include the following:
Issuing an unqualified audit report where a qualification is reasonably justified;
Issuing a qualified audit opinion where no qualification is necessary;
Failing to emphasize a significant matter in the audit report;
Providing an opinion on financial statements where no such opinion may be reasonably given due to a significant
limitation of scope in the performance of the audit.

87 MANCOSA – Postgraduate Diploma in Risk Management

 Auditing for Risk

5.4.2 Model
Audit Risk = Inherent Risk x Control Risk x Detection Risk
Audit risk may be considered as the product of the various risks which may be encountered in the performance of the
audit. In order to keep the overall audit risk of engagements below acceptable limit, the auditor must assess the level of
risk pertaining to each component of audit risk.

5.4.3 Components
Explanation of the 3 elements of audit risk is as follows:

a) Inherent Risk
Inherent Risk is the risk of a material misstatement in the financial statements arising due to error or omission as a result
of factors other than the failure of controls (factors that may cause a misstatement due to absence or lapse of controls are
considered separately in the assessment of control risk).

Inherent risk is generally considered to be higher where a high degree of judgment and estimation is involved or where
transactions of the entity are highly complex.

For example, the inherent risk in the audit of a newly formed financial institution which has a significant trade and exposure
in complex derivative instruments may be considered to be significantly higher as compared to the audit of a well-
established manufacturing concern operating in a relatively stable competitive environment.

b) Control Risk
Control Risk is the risk of a material misstatement in the financial statements arising due to absence or failure in the
operation of relevant controls of the entity.

Organizations must have adequate internal controls in place to prevent and detect instances of fraud and error. Control
risk is considered to be high where the audit entity does not have adequate internal controls to prevent and detect instances
of fraud and error in the financial statements.

Assessment of control risk may be higher for example in case of a small sized entity in which segregation of duties is not
well defined and the financial statements are prepared by individuals who do not have the necessary technical knowledge
of accounting and finance.

c) Detection Risk
Detection Risk is the risk that the auditors fail to detect a material misstatement in the financial statements.
An auditor must apply audit procedures to detect material misstatements in the financial statements whether due to fraud
or error. Misapplication or omission of critical audit procedures may result in a material misstatement remaining undetected
by the auditor. Some detection risk is always present due to the inherent limitations of the audit such as the use of sampling
for the selection of transactions.
Detection risk can be reduced by auditors by increasing the number of sampled transactions for detailed testing.

MANCOSA – Postgraduate Diploma in Risk Management 88

Auditing for Risk

5.4.4 Application
Audit risk model is used by the auditors to manage the overall risk of an audit engagement.
Auditors proceed by examining the inherent and control risks pertaining to an audit engagement while gaining an
understanding of the entity and its environment.

Detection risk forms the residual risk after taking into consideration the inherent and control risks pertaining to the audit
engagement and the overall audit risk that the auditor is willing to accept.

Where the auditor's assessment of inherent and control risk is high, the detection risk is set at a lower level to keep the
audit risk at an acceptable level. Lower detection risk may be achieved by increasing the sample size for audit testing.
Conversely, where the auditor believes the inherent and control risks of an engagement to be low, detection risk is allowed
to be set at a relatively higher level.

5.5. The concept of materiality

Financial reporting frameworks often discuss the concept of materiality in the context of the preparation and presentation
of financial statements. Although financial reporting frameworks may discuss materiality in different terms, they generally
explain that:
Misstatements, including omissions, are considered to be material if they, individually or in the aggregate, could
reasonably be expected to influence the economic decisions of users taken on the basis of the financial
statements;
Judgments about materiality are made in light of surrounding circumstances, and are affected by the size or
nature of a misstatement, or a combination of both; and
Judgments about matters that are material to users of the financial statements are based on a consideration of
the common financial information needs of users as a group. The possible effect of misstatements on specific
individual users, whose needs may vary widely, is not considered.

Such a discussion, if present in the applicable financial reporting framework, provides a frame of reference to the auditor
in determining materiality for the audit. If the applicable financial reporting framework does not include a discussion of the
concept of materiality, the characteristics referred to in paragraph 2 provide the auditor with such a frame of reference
(Jackson & Stent, 2016).
The auditor’s determination of materiality is a matter of professional judgment, and is affected by the auditor’s perception
of the financial information needs of users of the financial statements. In this context, it is reasonable for the auditor to
assume that users:
(a) Have a reasonable knowledge of business and economic activities and accounting and a willingness to study the
information in the financial statements with reasonable diligence;
(b) Understand that financial statements are prepared, presented and audited to levels of materiality;
(c) Recognize the uncertainties inherent in the measurement of amounts based on the use of estimates, judgment
and the consideration of future events; and
(d) Make reasonable economic decisions on the basis of the information in the financial statements.

89 MANCOSA – Postgraduate Diploma in Risk Management

 Auditing for Risk

5. The concept of materiality is applied by the auditor both in planning and performing the audit, and in evaluating the
effect of identified misstatements on the audit and of uncorrected misstatements, if any, on the financial statements and
in forming the opinion in the auditor’s report.

6. In planning the audit, the auditor makes judgments about the size of misstatements that will be considered material.
These judgments provide a basis for:
(a) Determining the nature, timing and extent of risk assessment procedures;
(b) Identifying and assessing the risks of material misstatement; and
(c) Determining the nature, timing and extent of further audit procedures.

The materiality determined when planning the audit does not necessarily establish an amount below which uncorrected
misstatements, individually or in the aggregate, will always be evaluated as immaterial. The circumstances related to some
misstatements may cause the auditor to evaluate them as material even if they are below materiality. Although it is not
practicable to design audit procedures to detect misstatements that could be material solely because of their nature, the
auditor considers not only the size but also the nature of uncorrected misstatements, and the particular circumstances of
their occurrence, when evaluating their effect on the financial statements.

5.5.1 The nature of materiality

a) Materiality is subjective
Ten auditors would probably come up with ten different decisions when setting a materiality level (i.e. the level of
acceptable misstatement) at the planning stage, at the performance stage or deciding on whether a particular matter is
material to fair presentation at the evaluating stage. It is not a defined concept, and professional judgement will play a
large part in the decision. For example, if accounts receivable is reflected in the annual financial statements at R500 000,
would an overstatement of R5 000 be material? R10 000? R20 000? R50 000? There is no definite answer. Of course the
auditor does not decide on a materiality level by just choosing a nice round figure. Other factors will also have to be
considered, for example, the size of the accounts receivable balance in relation to the current assets and total assets, as
well as the profit or loss which has been made for the period.

b) Materiality is relative
What is “material” will vary from user to user and from audit client to audit client. What is regarded as material for the
financial statements of a medium sized company, may be totally insignificant to an international conglomerate, and a
matter which is material to a private investor may be insignificant to a “unit trust” investor.

Because materiality is relative, it is necessary to establish bases against which it can be measured, e.g. a misstatement
of R50 000 is material relative to net income of R500 000 but not material relative to net income of R5 000 000. We cannot
say that R1 000 000 is material just because it is a large amount (to us!) because in the case of a large company it is
simply not material. If a listed company’s net profit is misstated by R1 000 000, users decisions are unlikely to be
influenced.

MANCOSA – Postgraduate Diploma in Risk Management 90

Auditing for Risk

c) Materiality can be both quantitative and qualitative in nature

An amount which is quantitatively material will be one which exceeds the amount which the auditor determines is material,
i.e. the amount of misstatement which could influence the decisions of a user. For example, an overstatement in inventory
of R100 000 may exceed the pre-set materiality level of R80 000. If this is the basis on which materiality is determined, it
follows that an overstatement of R79 999 would not be material.

A matter which is qualitatively material will be one which is regarded as material when judged against a factor other than
an amount. For example, important disclosure may be omitted from the financial statements. If this omission would
influence a user, it becomes qualitatively material. Disclosure is not the only qualitative factor to be considered.

Both the quantitative and qualitative aspects of materiality should be considered by the auditor as a matter may be material
in respect of one and not the other. For example, assume that the amount of misstatement the auditor can accept in the
accounts receivable balance is R100 000. If the auditor discovers say, R90 000 of error in the balance arising from genuine
mistakes, e.g. receipts from debtors inadvertently not accounted for or credit notes not passed, even if the errors were not
corrected, the auditor would accept that the errors were quantitatively immaterial. If, however, the auditor identified
misstatement of R90 000 arising from the deliberate inclusion of fictitious debtors in the account balance, the auditor would
regard this as qualitatively material and would not accept it, despite the amount being below the R100 000 limit.

Another example might be that the auditor discovers an amount of R75 000 included in the accounts receivable balance,
which is actually a loan to a director. Loans to a director attract disclosure requirements and if these have not been met
(which is likely in this situation), the misstatement of accounts receivable would be qualitatively material, although not
quantitatively material.

5.6 Summary
This Unit introduced the overview of the audit process (included are various within an audit), assertions and materiality
as in important benchmark in an audit.

Activity
You may come across activities that ask you to carry out specific tasks. In most cases, there
are no right or wrong answers to these activities. The aim of the activities is to give you an
opportunity to apply what you have learned.

Pumla and Trevor (P&T) is a firm of registered auditors with offices in Durban, Pietermaritzburg and Richards Bay. In
October 2017, P&T applied for a tender to be the statutory auditors of Sabrina Limited (SAB) for 2018 financial year. The
previous auditors resigned due to being under resourced. It is probable that P&T will be awarded this tender.

Sabrina, a company listed on Johannesburg Stock Exchange (JSE) complies with KING IV Principles. The company
supplies paper that is manufactured at their plant in Johannesburg and has distribution outlets to ten major cities in South
Africa. Sabrina’s clientele comprises, amongst others, universities and corporate organisations. The Chief Executive

91 MANCOSA – Postgraduate Diploma in Risk Management

 Auditing for Risk

Officer of the company is a qualified chartered accountant who is highly regarded in the industry. Since his appointment
twelve (12) years ago, Sabrina has been reporting favourable results, and has regularly awarded its shareholders a
handsome dividend.

P&T has allocated eight (8) audit team members, including the partner in charge, who has a 7.5% shareholding in Sabrina,
to the audit for the year ended 30 June 2018.

You are required to:

Discuss the factors that P&T should consider prior to accepting the statutory audit engagement of Sabrina Limited for the
year ended 30 June 2018. (12 Marks)

MANCOSA – Postgraduate Diploma in Risk Management 92

Auditing for Risk

Answers to Activity
1. Sabrina Limited – the industry
P&T will not have a problem associating itself with the industry that Sabrina Limited operates in as it is not in
dubious industry.
2. The integrity of Sabrina’s management
The CEO of Sabrina Limited appears to have integrity, as he is a qualified charted accountant, who is highly
regarded in the industry.
3. Communication with previous auditors
P&T needs to contact previous auditor in order to identify whether or not there is any reason why the engagement
of Sabrina Limited should not be accepted.
It is unlikely that there is any reason of concern, as the previous auditor resigned as a result of not having adequate
staff with which to service the company.
4. Sabrina’s ability to pay audit fees
Sabrina appears to be in a position to pay the audit fee, as the company has been paying its shareholders
handsome dividends for the past twelve years.
5. S&Ps ethical requirement
a) The partner in charge of the audit engagement of Sabrina has a 7.5% shareholding in the company.
b) This may create a self-interest threat to objectivity.
c) The threat is regarded as significant.
d) The safeguard that could be applied is this regards is to let the partner dispose of the shareholding, or not
let him/her be involved in the statutory audit of Sabrina Limited.
6. P&Ts skills, competence and resources
P&T needs to consider if it has adequate skills, competence and resources to service Sabrina Limited by taking into
account that:
a) The previous auditors resigned as a result of staff shortages.
b) Sabrina Limited has a manufacturing plant located in Johannesburg and distribution outlets in ten major cities
in South Africa.
7. Terms of Engagement
The client does not appear to be unethical or lack integrity as they comply with the principles of KING IV.
Due to management’s integrity and attitude, it is deduced that Sabrina Limited will be willing to agree to the terms of
the engagement.
8. Conclusion - P&T can accept the audit engagement of Sabrina Limited, as long as the threats to independence are
addressed as suggested in point 5 (above).

93 MANCOSA – Postgraduate Diploma in Risk Management

 Auditing for Risk

Case Study

Case Studies will give you an opportunity to apply theory to practice.

Case study 5.1

You are a manager at Max Audits Incorporated, a medium sized audit firm with offices in Durban, Johannesburg and Cape
Town. Max Audits Incorporated is currently considering whether to accept the appointment as external auditor of Eyadini
Limited for Eyadini’s financial year ending 31 January 2018. This is as a result of Mr Bongz, the chief executive officer
(CEO) of Eyadini Limited, asking Zakes Bantwini in January 2018 to have Max Audits Incorporated tender for the position
of external auditor. Zakes Bantwini is a trainee accountant at Max Audits Incorporated and the nephew of Mr Bongz. Mr
Bongz also requested that Max Audits Incorporated should perform some secretarial and taxation services for Eyadini
Limited.

Eyadini is an entity manufacturing chutney and was formed in the early 1980s. The company had a turbulent period during
the first decade of operation, but profitability has increased steadily. Currently, the entity is highly profitable. Eyadini owns
approximately 35% of the chutney product market of South Africa and faces only one noteworthy competitor, Mr
Mashamplan Proprietary Limited. Eyadini Limited’s manufacturing plant is in Durban, and its head office is in
Johannesburg.

The entity imports all product ingredients from various countries around the world in order to ensure high quality of its final
product. Management has always promoted a strong internal control environment, and therefore, all import transactions
are hedged. Management also strives to fully comply with the requirements of King IV, and communicates ethical codes
to all levels of employees at Eyadini Limited. The deadline for completion of the financial statements is strictly adhered to
in accordance with the Companies Act.

Most of Max Audits Incorporated’s clients’ year-ends are between the end of December and the end of February each
year, and its clients’ type of industries range vastly, from retail to manufacturing to investments. The previous auditors of
Eyadini resigned due to a staff shortage, but are willing to meet Max Audits Incorporated, with Eyadini Limited’s permission,
in order to provide Max Audits Incorporated with relevant information and prior year working papers.

You are required to:

Discuss whether Max Audits Incorporated should accept the audit engagement of Eyadini Limited for its 31 January 2018
year-end.
Hint: Use “preliminary engagement activities” to make a decision. (15 Marks)

MANCOSA – Postgraduate Diploma in Risk Management 94

 Auditing for Risk

Unit
6: Revenue and Receipts Cycle

95 MANCOSA – Postgraduate Diploma in Risk Management

 Auditing for Risk

Unit Learning Outcomes and Associated Assessment Criteria

LEARNING OUTCOMES OF THIS UNIT: ASSOCIATED ASSESSMENT CRITERIA OF THIS UNIT:

Describe all steps in the revenue and receipts Prescribed reading and activity is provided to assist in
cycle understanding the steps of the revenue and receipts
cycle

Demonstrate an understanding of controls in this Examples and activity is provided to assist in

cycle understanding the steps of the revenue and receipts
cycle

Demonstrate an understanding of cash versus Activity is provided to help understand the cash
credit sales system versus credit sales system

Demonstrate and understanding of Controls Illustration and activities are provided to help
(manual and computerised understand computerised and manual internal
controls

Demonstrate a clear knowledge of risk related Activity is provided to help provide knowledge of the
with the cycle risks related to the revenue and receipts cycle

Demonstrate a clear knowledge of fraud related Prescribed reading and activity is provided to help
with the cycle provide knowledge of the risks related fraud with the
cycle

MANCOSA – Postgraduate Diploma in Risk Management 96

Auditing for Risk

Summary
The Unit explores the various controls of the revenue and receipts cycle. Weaknesses, together with having to make
proper recommendation for smooth operation with the cycle.

Prescribed / Recommended Reading

Singleton, T. W. & Singleton, A. J. (2010). Fraud Auditing and Forensic

Accounting. 4th Edition. Wiley & Sons Publishing.

Bologna, G, T. & Lindquist, R, T. (1995). Fraud Auditing and Forensic

Accounting: new Tools and Techniques. Wiley & Sons

Dutta, S, K. (2013). Statistical Techniques for Forensic Accounting:

Understanding the Theory and Application of data analysis. Pearson.

Hopwood, W., Young, G. & Leiner, J. (2012). Forensic Accounting and Fraud
Examination. 2nd Edition. McGraw-Hill.

Albrecht, W, S., Albrecht, C, O., Albrecht, C, C. & Zimbelman, M, F, (2016).

Fraud Examination. 5th Edition. Cengage Learning

97 MANCOSA – Postgraduate Diploma in Risk Management

 Auditing for Risk

6.1. Introduction to the revenue and recipts cycle

A revenue and collections cycle represents the business activities associated with providing goods to customers and
collecting their payments. The revenue cycle processes should emphasize quick turnover of customer payment to ensure
a strong cash flow, but managers should also separate duties to deter any chance of internal fraud and theft in revenue
cycle. The following is what the cycle is all about:

1. Sales Orders
Customer orders are captured by a sales department. The customer may other telephonically or submit sales order. Either
way, the sales department should check the customer's credit before approving the order. If the customer has outstanding
debt with the company, they may demand immediate payment for any future goods. The sales department should also
ensure that adequate inventory is available before processing and submitting the order.

2. Dispatch
Once the sales order is complete, the company warehouse employees are responsible for dispatching the order. The
dispatch department should mark items as complete after they dispatch to reduce the possibility of duplication. Even at
small companies, it's critical that the employee that dispatches the order is not the same person that generates the invoice.
Having control over record-keeping and physical custody of the asset is a poor internal control that could lead to employee
theft.

3. Billing
If the company extended the customer a line of credit, they'll generate a sales invoice after the goods ship. The invoice
will indicate the amount to be paid, where to send the payment and the payment due date. Companies can generate
invoices using an open-item method or a balance-forward method. A balance-forward invoice is typically sent on a monthly
basis. Under the open-item invoice, a separate invoice is sent for each order. The open-item method is more conducive
to quick payment but can also become confusing for customers that purchase frequently.

4. Cash Collections
Companies need to carefully design their cash collection procedures to avoid the possibility of theft. If payments are sent
directly to the company, at least two employees should be present when opening the mail. An accounts receivable
employee should keep a log of all cash and checks received and prepare a deposit slip. Cash and checks should be stored
in a secure, locked area until the cash is deposited. At the end of the month, an accounting manager should reconcile the
bank account in order to ensure the accuracy of all deposits.

6.2. Revenue recognition

The revenue recognition principle states that, under the accrual basis of accounting, you should only record revenue when
an entity has substantially completed a revenue generation process; thus, you record revenue when it has been earned.
For example, a snow plowing service completes the plowing of a company's parking lot for its standard fee of R100. It can

MANCOSA – Postgraduate Diploma in Risk Management 98

Auditing for Risk

recognize the revenue immediately upon completion of the plowing, even if it does not expect payment from the customer
for several weeks.

A variation on the example is when the same snow plowing service is paid R1,000 in advance to plow a customer's parking
lot over a four-month period. In this case, the service should recognize an increment of the advance payment in each of
the four months covered by the agreement, to reflect the pace at which it is earning the payment.

If there is doubt in regard to whether payment will be received from a customer, then the seller should recognize an
allowance for doubtful accounts in the amount by which it is expected that the customer will renege on its payment. If there
is substantial doubt that any payment will be received, then the company should not recognize any revenue until a payment
is received.

Also under the accrual basis of accounting, if an entity receives payment in advance from a customer, then the entity
records this payment as a liability, not as revenue. Only after it has completed all work under the arrangement with the
customer can it recognize the payment as revenue.

Under the cash basis of accounting, you should record revenue when a cash payment has been received. For example,
using the same scenario as just noted, the snow plowing service will not recognize revenue until it has received payment
from its customer, even though this may be a number of weeks after the plowing service completes all work.

Similar Terms
The revenue recognition principle is also known as the revenue recognition concept.

6.3. Cash versus credit sales system

Transactions are the building blocks of our accounts. Any transactions that occur within our business should be present
in our accounting records.

There are many different types of transactions to keep track of such as sales, purchases, and even more. A regular point
of confusion that we come across when we talk to small businesses about their accounts is the difference between cash
and credit transactions. So, what is the difference?
The only difference between cash and credit transactions is the timing of the payment. A cash transaction is a transaction
where payment is settled immediately. On the other hand, payment for a credit transaction is settled at a later date.

Try not to think about cash and credit transactions in terms of how they were paid, but rather, when they were paid. For
example, you may buy some groceries at your local shop and pay for them in cash there and then, that’s a cash transaction.
However, what if you paid by card rather than cash? That can also be classified as a cash transaction because you paid
immediately.

99 MANCOSA – Postgraduate Diploma in Risk Management

 Auditing for Risk

On the other hand, credit transactions are paid at a later date than when the exchange of goods or services took place
and almost all of time an invoice for the transaction is issued. The time period before payment can vary depending on the
types of businesses or even the industry in which the transaction is taking place. Once again, when payment is finally
settled for the invoice, it may be done with cash or card, or any other payment method but it is still a credit transaction.

6.4. Control Activities in Revenue and Receipts Cycle

6.4.1. Main credit sale function
Initiating and credit control function – credit application
Ordering
Picking
Dispatch function - Delevery note
Invoiceing function – Credit invoice and monthly statements
Sales and accounts receivables recording function
Aloowances – Discounts / returns/ credit losses
Bad debts / Credit losses

Table 1.6 What documents are we dealing with?

Statement of profit and loss and other Statement of Financial position
comprehensive income
Credit sales Accounts receivables
Cash sales Inventory
Sales returns Bank
Discount allowed VAT
Credit losses Allowances for credit losses

MANCOSA – Postgraduate Diploma in Risk Management 100

Auditing for Risk

6Figure 1.6 Revenue and Receipts Flowchart

(Von Wielligh & Prinsloo, 2014)

6.4.2. Internal controls

Must establish a credit control department.
Every customer wishing credit facilities must complete an application form.
Give Personal details & trade references and earnings etc.
Credit department should investigate application and Check that details supplied are not fictitious
Check customers credit status
Assess the customer’s liquidity
That the credit limits approved are in terms of the company’s criteria
Approve /establish credit limit for customer

101 MANCOSA – Postgraduate Diploma in Risk Management

 Auditing for Risk

Establish payment arrangements/agreement and discounts allowed etc.

Once Approved, Details should be added to Master file on computer and application filed by credit department.
Any changes in the details or credit limit of customer must be authorized by a senior credit controller.
May issue identification cards to customers, to be produced when ordering in person.
The manner, identification and authorised person of customer’s orders must be noted.

6.4.3. Ordering
For selected credit sales transactions, investigate the signatures for approval.
Must be authorised customer.
Test adherence to credit limits of selected customers by ascertaining that outstanding balances are within their
limits.
Ascertain and observe that customers are identified before orders are approved.
Sequentially number sales order
Make sure strict control is exercised to ensure that all orders are accounted for.
Separation of duties between granting credit and sales function

6.4.4. Authorisation
Inquire and inspect the credit application of customers.
Inspect credit references before order is processed
Signed internal sales order
Credit limit set and approved by management
Terms of payment – discount allowed

6.4.5. Warehousing
Picker initial picking slip for each item picked
Spot checks by supervisor
Second person to check goods picked to slip
Delivery noted based on picking slip

6.4.6. Dispatch
Enquire and observe that no order is executed unless credit approval is obtained
Check signature of dispatch clerk on delivery noted
Dispatch clerk should prepare delivery list, agreeing quantity and address to delivery note
Delivery staff should supervise loading and sign
There should be one exit at dispatch
The gate-keeper should check that goods leaving the warehouse are same to those on delivery note
Delivery staff to retain 2 copies of delivery note
Observe if the is separation of duties between sales. Dispatch and recording.

MANCOSA – Postgraduate Diploma in Risk Management 102

Auditing for Risk

6.4.7. Invoicing
Invoice clerk to maintain a copy of internal sales order (ISO)
Signed delivery note to be matched to ISO and maintained by invoice clerk
Frequently investigate ISO that are not addressed
Check prices per ISO to authorised price list
Prepare numerically sequenced invoice and agree to ISO and delivery note
Second person to check details per invoice and sign

6.4.8. Recording
Invoices must be recording in the sales journal in numerical sequence
Cancelled invoices, must be clearly marked “cancelled”
Total of all invoices must agree to total in sales journal
Control total must be calculated
An independent person to check journal entries, invoice entry and customer name on invoice.
Posting from sales journal to debtor’s ledger must be checked
Reconciliation of individual debtors to debtors control in the general ledger

6.4.9. Receipts of cash

Posts to be opened by 2 people
Remittance diary – to record amounts received
Cash summary sheet and cash register – tally rolls
Pre-numbered receipts issued to customers
Receipts must be banked daily
Remittance advices – credit customer payments
EFTs from customers must be followed and recorded
Photo copies of direct deposit slips in bank
Deposit slip not created by person opening the mail
Bank receipts daily and stamped deposit slips made by entity
Remittance register and receipts issued to be reconciled with the bank deposit slip by an independent
supervisory person to bank

6.4.10. Recording of receipts of cash

Accounting records – cash receipts journal must be updated daily
Receipt numbers must be in sequence
Cancelled receipts must be marked and all accounted for in receipt book
Test postings to debtor’s ledge and control accounts
Cash receipts journal to be reconciled with bank statements

103 MANCOSA – Postgraduate Diploma in Risk Management

 Auditing for Risk

Queries from debtors – repayments to be followed by an independent person

Reconcile debtor’s ledger to debtors control regularly by an independent employee

6.4.11. Sales returns

All goods to be received by goods returned department
All returns must be checked for damage, counted and signed
Returned into stock and accounted for
Make out Goods returned Voucher (GRN), signed by customer and one copy retained
Credit note are made by accounting department
Must be cross referenced to original invoice
Supervisor must approve credit that is valid
Credit note to be recorded sequentially in the credit allowance journal
Credit allowance journal to be scrutinised on regular basis by supervisor
Inspect large and unusual amounts

6.4.12. Credit losses

Credit application controls must be in place
Monthly statements sent to debtors
Age analysis must be performed and follow up on long standing debtors
Credit manager must follow up on discrepancies
Long outstanding debtors must be handed over for legal collection
If not recovered, the amount must be recommended for write off
Each journal entry for write off should be authorized
The person approving it should not be involved in the receipts of cash
The senior person should sign the approval request

6.4.13. Stationery controls

A stationery register should be kept indicating the number of books and consecutive numbered invoices there
in received from the printers
All unused books should be kept under strict control of a senior official
Books in use should be signed for
The completely used books should be returned and indicated as such in the stationery register, and locked
away by the senior official
Only one (1) book should be in used at any given time
All cancelled invoices must be attached to the appropriate numbered copies in the book

MANCOSA – Postgraduate Diploma in Risk Management 104

Auditing for Risk

6.4.14. Credit management

Monthly statement sent to debtors
Follow up debtors exceeding credit terms (long outstanding)
Credit manager to follow up if no success
Hand over to attorneys for collection
If no luck, write off debtors with proper authorisation from financial manager

6.4.15. Cash sales – Internal controls

Cash register/tills should be placed near the exit of the business
Cash registers should display the amount of sale or print a till slip so that the customer can check the amount
charged
Cash registers should keep cumulative cash register totals
Individual sales and total sales can be printed into a tally roll
Only the authorised official may have a cash register key that permits access to the cash registers total
When taking the daily cash register reading the authorised official should reset the accumulative mechanism to
zero
The authorised official should lock each cash register after the reading has taken place
Each cashier should be responsible for a specific cash register, and not operate others
Each cash register should have a cash float
The authorized official and cashier should sign a cash float register for the receipt and return of the cash
register
The cashier drawers of cash registers should have locking facilities
They should be unlocked each day by the authorised supervisor in the presence of the cashier

6.5. Risks with the cycle

Understatement of sales (to reduce tax)
Overstatement of sales (to increase profits
Cash settlements (Cash may be stolen)
Returns of inventory (reverse sale) stolen
Credit settled (if the debtor cannot pay – write back sale)

6.6. Fraud with the cycle

There are a number of ways in which management can manipulate account balances and totals in this cycle
creating fictitious sales (occurrence) and the corresponding fictitious debtor (existence) – this increases profits
and current assets, and improves related ratios

105 MANCOSA – Postgraduate Diploma in Risk Management

 Auditing for Risk

understating sales (completeness) and the corresponding debtors (completeness) – the object here may be to
reduce taxation or present a less favourable picture of the company so as to reduce the “value” of the company
for say, negotiating a management buyout
understating the bad debt allowance (accuracy, valuation and allocation) – normally part of a trend of manipulating
allowances and provisions to improve profits, assets and related ratios
manipulating the recognition of revenue from sales (occurrence or completeness) – rather than create a “fictitious”
sale, the company may indulge in activities such as pre-invoicing (raising a sale at year end which is only going
to be made or which the company expects will be made in the next financial year, or by recording “lay-by” or
“appro sales” as sales). Management may also decide not to record sales which have actually been made
(completeness), depending on their motives.

6.7 Summary
This Unit introduced the the audit of the revenue and reciepts cycle, the internal controls withn the cycle and risks within
the cycle.

Activity
You may come across activities that ask you to carry out specific tasks. In most cases, there
are no right or wrong answers to these activities. The aim of the activities is to give you an
opportunity to apply what you have learned.

You are the internal auditor employed by South Peninsula Cleaning Services (Pty) Ltd (SP Cleaning), a provider of cleaning
services to office blocks in an around the South Peninsula area. The business has been in existence for the last five years
and has grown ten-fold over that period of time. The administrative function was performed and took place from the home
of the owner ad now Chief Executive Officer, Mrs Radcliff. When the business started up, Mrs Radcliff could perform the
administrative function because she only had one client. Today, Mrs Radcliff employs the following employees to perform
the administrative function of the business:
• Mrs Bray – Administrative Clerk;
• Mr Adams – Sales and Marketing Manager;
• Ms Britton – Operational Staff Co-ordinator; and
• Mr Jikijela – Financial Manager.

At the previous financial year-end, the external auditors were concerned about the revenue and receivable process and
requested SP Cleaning to map the process for their review for the following year’s statutory audit (i.e. the current audit).

All new and existing business is handled by Mr Adams. In his position as Sales and Marketing Manager, he is authorised
to enter into contractual agreements with customers to provide cleaning services to them. Customers can only make use
of SP Cleaning if they have a signed contractual agreement with the company.

On the first working day of each month, Mrs Bray creates a manual sales order based on the agreement between the
customers and SP Cleaning for cleaning services. The sales order is authorised by Mr Adams after he inspects the

MANCOSA – Postgraduate Diploma in Risk Management 106

Auditing for Risk

agreements to confirm the number of working days. The original sales order is kept in a book and the carbon copy is sent
to Ms Britton so that she can co-ordinate the cleaning staff for the month ahead.

Upon receipt of the sales order, Ms Britton plans the roster for the cleaning staff. The SP Cleaning model is based on two
shifts – a morning and a day shift. As only office blocks are serviced, the business model is designed to provide cleaning
services in the administrative offices before the customer’s staff arrive for work, as well as after the customer’s staff leave
work.

Ms Britton visits the office block locations on a regular basis to make sure that supervisors and cleaning staff are doing
their work and also to handle queries from customers. All customer queries are logged in a query book used by Ms Britton
to assess cleaning staff performance and also in cases where disputes arise with the Department of Labour.

At the end of each month, all cleaning staff and supervisors complete their monthly time sheets and this is reviewed by
Ms Britton. She then uses this information to complete a service delivery form. The service delivery form reflects the
following:
• sales order number;
• month of service;
• cleaning staff and supervisor on duty for the specific office block; and
• amount of hours worked by each staff member based on the authorised time sheets.
The service delivery form is reviewed and signed off by Mrs Radcliff who is responsible for all senior staff, including Ms
Britton. The service delivery form is then sent to Mrs Bray for processing.
At month end, Mrs Bray creates the sales invoices to customers based on the following documents:
• Original sales order in the order book.
• Service delivery form sent to her from Mrs Radcliff.

The sales invoice is made out in duplicate in an invoice book. The carbon copy sales invoice is kept in the invoice book
and the original sales invoice is sent to the customer for payment.

The general customer payment terms are one calendar month from statement date. The debtor’s statement is created and
sent out with the original sales invoice on the last of every month.

There are no unpaid invoices from the previous months as all customers comply with their contractual agreement with SP
Cleaning. There is only a current balance on the debtor’s age analysis as a result of this.
Note: All documents are pre-printed and pre-numbered.

You are required to:

Identify the key internal control weaknesses that are prevalent at South Peninsula Cleaning Services (Pty) Ltd. For each
weakness(es) identified, explain the consequence(s) and make recommendation(s) for improvement.
(16 Marks)

107 MANCOSA – Postgraduate Diploma in Risk Management

 Auditing for Risk

Answers to Activity
Weakness(es) in key internal Consequence(s) Recommendation(s)
controls
Credit management of customers Contractual agreements can be Before contractual agreements are entered
has not taken place. entered into with customers who by Mr Adams, Mrs Bray and Mr Jikijela
are unable to pay their debt. should assess the customer’s credit
worthiness.
The service delivery form is not Client does not accept delivery After Mrs Radcliff reviews the service delivery
signed by the customer. of services rendered to them. form, the customer should also sign off the
form as evidence of accepting that all
services have taken place.
Only one service delivery form is If the service delivery form is There should be multiple service delivery
completed. misplaced, there would be no forms completed for the following individuals
evidence of customer who should each have a copy:
acceptance of work completed. Ms Britton
Customer
Mrs Bray (sales and finance departments)
(2 max)
Sales invoice not approved. This could result in inaccurate Sales invoices must be approved by Mr
sales invoices being created and Jikijela.
sent to customers.
None of the documents are The sequence of events should Mrs Bray needs to perform a sequence test
sequence checked. be checked so that retrospective on the documents received before creating a
activities don’t take place. sales invoice.

Case Study

Case Studies will give you an opportunity to apply theory to practice.

Case study 6.1

Using the case study as per activity above.
You are required to:
Identify ten (10) internal controls in the revenue and receivables process of South Peninsula Cleaning Services (Pty) Ltd,
as outlined in the scenario, for the following activities: (10 Marks)
1. receiving and processing customer orders
2. granting of credit to customers
3. delivering the service

MANCOSA – Postgraduate Diploma in Risk Management 108

 Auditing for Risk

Unit
7: Acquisitions and Payment Cycle

109 MANCOSA – Postgraduate Diploma in Risk Management

 Auditing for Risk

Unit Learning Outcomes and Associated Assessment Criteria

LEARNING OUTCOMES OF THIS UNIT: ASSOCIATED ASSESSMENT CRITERIA OF THIS UNIT:

Understand the steps in the acquisition and Prescribed reading and activity is provided to assist in
payment cycle understanding the steps of the acquisition and payment
cycle

Correctly analyse if expenses and liabilities have Activity is provided to help analyse if expenses and
been recognised adequately liabilities have been correctly recognised

Apply proper audit procedures for cash and credit Illustration and activities are provided to assist in the
purchases application of audit procedures for cash and credit
purchases

Apply proper audit procedures in manual and Activity is provided to help in the application of manual
computerised control environment and computerised control procedures in the purchases
and payments cycle

Apply proper audit procedures to reduce risks to an Case study and activities are provided to assist in the
acceptable level application of audit procedures which can reduce risk
to a level that is acceptable

Summary
The Unit explores the various controls of the acquisition and payment cycle. Weaknesses, together with having to make
proper recommendation for smooth operation with the cycle.

Prescribed / Recommended Reading

Singleton, T. W. & Singleton, A. J. (2010). Fraud Auditing and Forensic

Accounting. 4th Edition. Wiley & Sons Publishing.

Bologna, G, T. & Lindquist, R, T. (1995). Fraud Auditing and Forensic Accounting:

new Tools and Techniques. Wiley & Sons

Dutta, S, K. (2013). Statistical Techniques for Forensic Accounting: Understanding

the Theory and Application of data analysis. Pearson.

Hopwood, W., Young, G. & Leiner, J. (2012). Forensic Accounting and Fraud
Examination. 2nd Edition. McGraw-Hill.

Albrecht, W, S., Albrecht, C, O., Albrecht, C, C. & Zimbelman, M, F, (2016). Fraud

Examination. 5th Edition. Cengage Learning

MANCOSA – Postgraduate Diploma in Risk Management 110

Auditing for Risk

7.1 Introduction to the revenue and recipts cycle

The Acquisition and Payment Cycle (also referred to as the PPP Cycle for Purchases, Payables, and Payments) is mainly
comprised of two classes of transactions. The first class is the acquisition class. The typical journal entry for this class of
transactions is a debit to inventory or an expense and a credit to accounts payable. The classification assertion is highly
important in this scenario because there are many possible debits that can fulfil the journal entry.

The second class of transactions in the acquisition and payment cycle is the cash disbursements class. The typical journal
entry for this class is simply a debit to accounts payable and a credit to cash. All in all, this cycle is mainly about incurring
payables and paying off those payables with cash (Jackson & Stent, 2016).

7.2 Expenses and liability recognition

7.2.1 Expenses
Expense recognition is the act of converting an asset into an expense. This is done when the utility of an asset has been
consumed. Expense recognition can arise on a delayed basis, when expenditures are made for assets that are not
immediately consumed. Examples of this type of expense recognition are:
When the period covered by a prepaid rent payment is complete.
When the advertising activities associated with a prepaid ad payment have been completed.
When the period covered by a prepaid general liability insurance policy is complete.

Expense recognition can also take place as soon as an expenditure is made. Such recognition may arise because the
underlying utility of an acquired item was consumed within the same reporting period as the expenditure. This recognition
may also arise because the cost of the acquired item falls below the capitalization limit of a business, so that the
expenditure is always recorded as an expense as soon as it is incurred. Examples of this type of expense recognition are:
The purchase of office supplies
The incurrence of a liability associated with legal services already provided
The incurrence of a liability for utilities already consumed
The purchase of a laptop computer for which the cost is less than the corporate capitalization limit

Ideally, expense recognition should occur at the same time as the recognition of any revenue with which an expenditure
is associated (the matching principle). For example, the expense recognition for the cost of goods sold associated with
the sale of a product should be in the same period in which the sale was recognized.

When expense recognition occurs, the amount of the expense appears in the income statement, reducing the amount of
profit that would otherwise be recorded. For a longer-term asset, this means that an asset is being eliminated from the
balance sheet and moved to the income statement. For a shorter-term asset (such as office supplies) the asset is not
present long enough to appear on the balance sheet - it is simply recorded at once in the income statement.

111 MANCOSA – Postgraduate Diploma in Risk Management

 Auditing for Risk

The timing of expense recognition is one of the more common forms of financial statement fraud, since the managers of
a company may have an incentive to delay expense recognition in order to bolster the reported results of a reporting
period. This situation most commonly arises when the compensation of managers is closely tied to the reported results of
an organization.

Expense recognition can be delayed under the cash basis of accounting, where recognition occurs when an invoice is
paid, not when it is received (Jackson & Stent, 2016).

7.2.2 Liabilities
Apart from satisfying the definition of liability, the framework has also advised the following recognition criteria to be met
before a liability could be shown on the face of a financial statement:
The outflow of resources embodying economic benefits (such as cash) from the entity is probable.
The cost / value of the obligation can be measured reliably.

With regard to the first test, it is logical to recognize a liability only if it is likely that the entity will be required to settle it. The
second test ensures that only liabilities that can be objectively measured are recognized in the financial statements.

If an obligation meets the definition of a liability but fails to meet the recognition criteria, it is classified as a contingent
liability. Contingent liability is not presented as a liability in the statement of financial position but is instead disclosed in
the notes to the financial statements.

7.3 Cash versus credit purchases

Purchase is the cost of buying inventory during a period for the purpose of sale in the ordinary course of the business. It
is therefore a kind of expense and is hence included in the income statement within the cost of goods sold. Purchases
may include buying of raw materials in the case of a manufacturing concern or finished goods in the case of a retail
business.

However, in accounting, we have to differentiate between purchases as explained above and other purchases such as
those involving the procurement of a fixed assets (e.g. factory machine or building). Such purchases are capitalized in the
statement of financial position of the entity (i.e. recognized as assets of the entity) rather than being expensed in the
income statement.
As purchase results in increase in the expense and decrease in assets of the entity, expense must be debited while assets
must be credited. A purchase also results in increase in inventory, however the accounting for inventory is kept separate
from accounting for purchase as will be further discussed in the inventory accounting section.

A purchase may be made on Cash or on Credit.

MANCOSA – Postgraduate Diploma in Risk Management 112

Auditing for Risk

7.3.1 Cash Purchase

When a cash purchase is made, the following double entry is recorded:
Debit Purchases (Income Statement)
Credit Cash
Purchase is debited to account for the increase in expense.
Cash is credited to account for the decrease in cash of the entity.
7.3.2 Credit Purchase
In case of a credit purchase, the following double entry is recorded:
Debit Purchases (Income Statement)
Credit Payable
The double entry is same as in the case of a cash purchase, except that the credit entry is made in the payable ledger
rather than the cash ledger.
When the payable is paid his dues, the payable balance will be reduced to nil. The following double entry is recorded:
Debit Payable
Credit Cash

7.3.3 Recognition of Purchases

It may be confusing to identify the point when a purchase occurs. Do we recognize purchase when the goods are
dispatched by the supplier, when we receive the goods, or when we pay supplier in respect of those goods? In case of
purchase of goods, purchase is generally said to occur when the seller transfers the risks and rewards pertaining to the
asset sold to the buyer. This generally happens when buyer has received the asset. The payment to supplier is not relevant
to when purchase is recognized since expenses are recorded under the accruals basis (Jackson & Stent, 2016).

7.4 Controls (manuals and computerised)

7Figure 1.7: Acquisition and payment flow chart

(Von Wielligh & Prinsloo, 2014)

113 MANCOSA – Postgraduate Diploma in Risk Management

 Auditing for Risk

7.4.1 Internal controls

The authority to purchase should be vested only in certain specified employees or purchasing department
Orders should only be numbered consecutively and control should be exercised so that all orders are duly accounted
for
A stationary register should be kept and control over the issue of unused order books and goods received books

Separation of duties between personnel responsible for:

Ordering of goods
Inspection and storage of goods received
Checking invoices against orders, delivery notes and goods received
A record of goods received should be maintained
Invoices should be checked against appropriate delivery notes, goods received notes and orders. They should
be stamped that they are checked by the person responsible before transaction is entered in the journals
Proper record must be kept of invoices in dispute and of goods returned to suppliers. Debit notes must be issued.

7.4.2 Ordering
Order clerk only place order on receipt of authorised purchase requisition
Order matched to purchase requisition
Order authorised before sent (accurate and suitable)
Order placed from an approved supplier list
Order and requisition must be renumbered and sequentially filed

MANCOSA – Postgraduate Diploma in Risk Management 114

Auditing for Risk

7.4.3 Receiving of goods

Receiving are must be physically secured and access controlled
Goods off loaded in the presence of receiving clerk
Match quantity and type of goods to order
Inspect conditions of goods
Draw up goods received note, indicating only goods accepted
Sign deliver note and ensure delivery staff sign

7.4.4 Payment preparation

Creditors statement reconciled to supporting documentation
Creditors ledger reconciled to creditors statement
Creditors clerk identify creditors to be paid to comply with credit terms
Pre-numbered cheque requisition including details of cheque requested
Cheque requisition and supporting invoices given to cheque signatories for authorisation

7.4.5 Internal controls of cheques

If pre‐printed signed cheques are used, cheques must be in possession of authorized senior person and locked
away.
A register of unused and used cheques should be kept.
All cheques cancelled should be clearly marked “cancelled.”
All paid cheques must be filed numerically
Cheques should be crossed, preferably “not Transferable”
No changes or alterations on cheque forms allowed.
Never make out bearer or order cheques
Person signing cheques should always ensure cheque is crossed
Drawn cheques must be presented together with statements duly checked and stamped as such together with
a remittance advice to the person signing the cheques.
Person signing should ensure that:
• amounts agree as shown on remittance advice and
• that cheques are made put to the correct supplier
Supporting documentation – statements and remittance advice should be stamped “PAID”.
Large amounts on cheques should require two signatures of 2 senior officials
A separate bank account may be used for creditor’s payments and payroll.
Where computer equipment is used for generating and signing of cheques, the cheques should still be signed
electronically or otherwise by authorised signatory.

115 MANCOSA – Postgraduate Diploma in Risk Management

 Auditing for Risk

7.4.6 Actual payment

Two signatories for cheque payment
Signatories should agree details on cheque to requisition and supporting documentation
Cheques completed in ink with no gaps
Cheques issued in numbered order
Signed cheque to independent person to be mailed

7.4.7 Cheque payments

If printed signed cheques are used, cheques must be in possession of authorised senior person and locked
away
A register of unused and used cheque should be kept
All cancelled cheques should be clearly marked “cancelled”
All paid cheques must be filed numerically
Cheques should be crossed, preferably “Not Transferable”
No changes or alterations on cheque forms allowed
Never make out bearer or order cheques
Person signing cheques should always ensure cheque is crossed
Drawn cheques must be presented together with statements duly checked and stamped as such together with
a remittance advice to the person signing the cheque
Person signing should ensure that:
a. Amounts agree as shown on remittance advice and
b. That cheques are made to the correct supplier
Supporting documentation – statements and remittance advice should be stamped “PAID”
Large amounts on cheques should require two (2) signatories of 2 senior officials
A separate bank account may be used for creditors payments and payroll
Where computer equipment is used for generating and signing cheques, the cheques should still be signed
electronically

7.4.8 Credit purchase payments – By cheque

The clerk should first check that all invoices are accompanied by an order form, goods received note and delivery
note and duly signed & checked for receipt and amounts.
The invoices should be recorded in the Purchases Journal
All cheque requisition forms should be pre‐ numbered together with a reconciled remittance advice
Drawn cheques must be presented together with statements duly checked and stamped as such who prepared and
checked remittance, who prepared payment and who signed cheque and date of payment together with a
remittance advice to the person signing the cheques
A separate bank account may be used for creditors payments

MANCOSA – Postgraduate Diploma in Risk Management 116

Auditing for Risk

Only one cheque book should be in use.

Register of cheque books should be kept
Use of a rubber stamp can easily cause fictitious payments & not recommended
Must be signed by an official.
All cheques over a certain amount should require two signatures of 2 senior officials
Person signing should ensure that amounts agree as shown on remittance advice and that cheques are made
put to the correct supplier
Supporting documentation – statements and remittance advice should be stamped “PAID”.
Cheques must be made out “Crossed”
Person signing cheques should always ensure cheque is crossed
Never make out bearer or order cheques
All cancelled cheques should be clearly marked
And kept in the cheque book and not destroyed
All paid cheques must be filed numerically
The company should maintain a Purchases Journal and Trade Payables ledger.
Reconciliation of Trade Payable ledger with the Control in General Ledger should be performed regularly.
Remittance advise will also be prepared more accurately.
This will only reflect Inventory that is paid for.
A Purchases journal should be kept and posted to Trade Inventory to indicate all goods received by the company,
irrespective of whether it has been paid for.

7.4.9 Credit purchase payments – By Electric fund transfer (EFT)

An authorized person who prepares the documentation for payment
Entity must register on‐line access with bankers.
Access to internet must only be given to authorised senior persons other than person preparing documentation for
payment.
Access to PC terminal must be authorized by passwords to transfer funds from bank account
Amount of transfers from bank account should be restricted by authorization.
Certain amounts should need at least two signatories
Manual reconciliation of total of cheque payments captured to transaction listing of cheque payments made by
senior staff member.
Regular Bank reconciliations must be performed
Person authorizing EFT payment to review printout of each month for evidence of unusual and unauthorized
payments.
Only senior or authorized staff may add new supplier details on the EFT system Details must be supplied by the
supplier and kept in confidential file.

117 MANCOSA – Postgraduate Diploma in Risk Management

 Auditing for Risk

Monthly reconciliation of statement balances to individual accounts payable balances in the Creditors ledger and to
control account in the general ledger.
Person signing authorization of payment must review all supporting documentation to support payment, includes
reconciliations or remittance advice before authorizing EFT payment.
EFT payment to be made by authorized person other than the person preparing the remittance.
Check up any irregular payments.
Supporting vouchers (invoices & recons) should be marked as “paid” by signatory to prevent resubmission.
Review accounts regularly.
Analytical analysis periodically. ‐ age analysis
Follow up odd or unusual balances, or unfamiliar supplier’s names

7.4.10 Recording
Cheques recorded numerically in Cash Payment Journal (CPJ)
CPJ reviewed regularly by management for missing cheque numbers
Reconciled cash book to bank statement – reviewed by independent staff
Returned cheques filled numerically and reviewed

7.5. Fraud with the cycle

The most common way of manipulating the financial statements in this cycle is the
Understatement of trade creditors (trade payables): this will usually be done to improve the ratios in the working
capital sector of the statement of financial position or to avoid a net liability position. Auditors will conduct
comprehensive completeness testing on creditors where they believe such a risk exists.
A common way of understating creditors is to manipulate “cut-off” at year-end, e.g. accounting after year-end
for a purchase of inventory made prior to year-end, but including the inventory purchased in the inventory on
hand at year-end. This also has the benefit of increasing profits, so all round the financial statements look much
better.
Of course if the director’s objective was to reduce profits they could do so by fraudulently increasing purchases.
Where companies trade with numerous related parties, manipulation of trade payables becomes much easier.

7.6 Summary
This Unit introduced the acqusition and payments cycle, the related controls and risks within the cycle.

Activity

You may come across activities that ask you to carry out specific tasks. In most cases, there
are no right or wrong answers to these activities. The aim of the activities is to give you an
opportunity to apply what you have learned.

MANCOSA – Postgraduate Diploma in Risk Management 118

Auditing for Risk

You are an experienced member of the team on the year-end audit of Giba Supplies (Pty) Ltd, a large retailer of bicycles,
bicycle spares, clothing and accessories. The company operates from a large outlet in Cape Town. Although Giba Supplies
(Pty) Ltd sells numerous items that are manufactured in other countries, it does not import any goods itself and does not
conduct cycle counts. The company does not have computerised inventory and wages systems and does not keep
perpetual inventory records. The salaries system is however computerised. Peter Taylor, the manager of Giba Supplies
(Pty) Ltd is a lawyer by training with virtually no computer knowledge. He is concerned that if the company computerises
the wages and inventory systems and places applications on the company’s network the risk of breaches of confidentiality
and fraud will be much greater.

The company employs full-time salaried employees (who are paid via EFT) and casual employees who are paid weekly
wages using pay-packets that are physically distributed. Wage employees are expected to physically present themselves
at the pay-out, to produce identification and to sign for their pay-packet upon receipt. Wages that are unclaimed at the end
of the week (Friday) are put in a box and sent in the internal mail to the petty cashier in the administration department on
Monday morning. The petty cashier adds the cash to her float and if necessary uses it for petty expenditures. Employees
wishing to claim their wages for a previous week are paid out of petty cash.

Inventory is carefully counted at year-end. The company’s inventory is very well laid out in the shop; there are separate
areas for bicycles, clothing, shoes, helmets and outdoor supplies. All inventory, other than workshop spares is kept in the
shop i.e. there is no other storage area. The company’s annual inventory count takes place as follows:

In the week preceding the year-end inventory count, Laura King, the shop’s very efficient administration manager, compiles
a list of all the different inventory items in the shop (she does not count any items). The list includes a clear description of
the item as well as part/serial numbers where applicable. Having done this, she produces a sequenced, printed “preliminary
inventory sheet” to be used at the inventory count. The year-end inventory count is controlled by Laura King and the count
is performed by sales and administration staff. These staff members are broken into teams of two, and two teams are
allocated to a designated area in the shop, e.g. accessories. Both of the teams (per designated area) are given a printed
preliminary inventory sheet; each team performs an independent count of each item and enters the quantity on their
inventory sheet. As each team completes the count of an inventory item, they attach a sticker to the rack or bin on which
the inventory is kept. The first count team uses red stickers and the second count team yellow stickers. When a designated
area has been counted Laura King compares the inventory sheets from the two teams and if there are any discrepancies
she sends both teams to recount and resolve the error. Detailed instructions are given to the count teams including the
need to identify on the inventory sheet, any damaged items. At the conclusion of the count she works her way through the
shop confirming that all racks, bins etc. have red and a yellow sticker. She enters the quantities from the preliminary
inventory sheets onto the final inventory sheets as well as the cost of each item. She then performs the quantity x cost
calculation for each item and enters the amount in the total cost column. She then adds the amounts in this column to
arrive at the total cost of the inventory.

119 MANCOSA – Postgraduate Diploma in Risk Management

 Auditing for Risk

In terms of sales, the company sells directly from the outlet on cash basis and through sales representatives. The
company’s fifteen sales representatives spend Monday to Thursday of each week on the road calling on the customers,
conducting shows and demonstrations and taking orders. Sales by sales representatives are only made on credit. Each
sales representative carries a sales order book and a catalogue which lists the inventory code, description and price for
every item which the company sells, e.g. Z3456, 20 litre cooler box, R239, 99. To take the order, the sales representative
completes a pre-printed, multi-part order form in triplicate by entering:
Auditing 200 (Main Exam) 2017
Page 3
• The customer name
• Inventory code, quantity and price of each item ordered
• The date
• The sales representative’s identity code

The sales representative does not calculate the total sale or VAT. The customer is then required to sign the order and is
given a copy. The other two copies remain in the order book. Each sales representative generally takes about thirty-five
orders a week.

On Friday mornings, the sales representatives return to the retail outlet. They hand their order books to Rajes Govender,
the sales administration clerk. She removes the second copy of each order and returns the order book to the sales
representatives. She then batches the orders before passing them to Marlen Moodliar for further processing. A picking
slip is generated, Zinhle Hurley then checks the physical goods picked against the picking slip and, if all is in order,
approves the picking slip. The goods and the picking slip are then transferred to the despatch area. Goods are then
delivered to customers.

You are required to:

1. Based on the information provided, indicate whether you are satisfied with the method adopted by Giba Supplies (Pty)
Ltd to conduct the year-end inventory count. Justify your answer. (7 Marks)
2. Discuss the benefits of conducting cycle counts. (2 Marks)

7.7 Answers to Activity

The junior trainee does not have a clear understanding of the assertions.
1. Fair value: * This is not an assertion and by the explanation given by the trainee, he appears to be
muddling the accuracy, valuation and allocation assertion and the completeness
assertion.
* The accuracy, valuation and allocation assertion asserts that the trade creditors (liabilities)
are included in the AFS at appropriate amounts. Creditors do not have a realisable value
as suggested by the trainee.

MANCOSA – Postgraduate Diploma in Risk Management 120

Auditing for Risk

* The completeness assertion asserts that all trade creditors (and any related disclosures)
which should have been included in the AFS have been included. The trainee has
expressed this as “not understated” which perhaps suggests he does have some
understanding.

2. Materiality: * This is not an assertion. It is a “concept” which acknowledges that FS intrinsically contain
a level of “inaccuracy” by virtue of the subjectivity involved in many of the account headings
used in the FS.
3. Rights: * This assertion applies to the assets of a company, and asserts that the entity holds or
controls the rights to the asset. The corresponding assertion for liabilities is obligation
which asserts that trade creditors included in the balance of R5 273 912 are obligations of
the entity (and nobody else).
* The rights assertion has nothing to do with the right of the creditor to be paid.

4. Classification: The trainee is correct in identifying classification as an assertion but his explanation is not
quite correct as he has included parts of the presentation assertion in his explanation.
Classification asserts that trade creditors have been recorded in the proper accounts e.g. not
included with short term loans payable (see 5 below).

5. Presentation: The presentation assertion represents that trade creditors have been appropriately
aggregated (summarised) into the line item “trade and other payables” which has been
appropriately described and presented in the statement of financial position and that related
disclosures (if any, for trade creditors) are relevant and understandable.

6. As can be seen from the above, the assertions relating to the trade creditors account heading are obligation,
completeness and accuracy, valuation and allocation, classification and presentation. The only additional
assertion relating to trade creditors is existence which asserts that at FS date, the trade creditors included in the
balance of R5 273 912 existed (they were not fictitious).

Case Study
Case Studies will give you an opportunity to apply theory to practice.

Case study 7.1

At the beginning of March 2018, the governing body of JV realised that the VJ housing facilities needed to be painted. The
governing body decide that the paint that will be used is Upende. Upende is a product invented in the United States of
America (USA). A number of different companies in the USA manufacture Upende. Upende will have to be imported as
currently no supplier in South Africa can manufacture this specialised paint. As a result, a new purchase process had to

121 MANCOSA – Postgraduate Diploma in Risk Management

 Auditing for Risk

be established for the purchase of Upende. The first year audit clerk that was assigned to complete the acquisitions and
payments audit has requested your assistance on auditing the working paper AP 100 (attached below).

Client: Van Jaarsveld (Pty) Ltd Year-end: 30 June 2018

Prepared by: Albert Pokeyou Date: 05 July 2018

AP 100
Reviewed by:

Acquisition Cycle of VJ for Upende

1. The task of determining the approved suppliers list was given to the purchasing manager. He researched all possible
suppliers and selected Ron Mac Ltd (hereafter RC) as the permanent supplier. He has also agreed a price listing with
RC.
2. The governing body has reviewed the supplier selection and all supporting documents.
3. Each facility manager will determine the amount of Upende required based on the size of the student’s residence. The
facility manager will fill out a requisition form stating the quantity of Upende needed. The branch manager signs the
requisition form as the proof of authorisation, after he confirms the quantities that are requested. The requisition form
is sent to the purchasing department situated at head office via email.
4. Upon receiving the requisition form, the purchasing clerk casts and recalculates the extensions on the requisition form.
He then immediately places an order with RC via telephone. The order is placed according the requisition form. This
step is done first to avoid delays in the shipping of Upende.
5. The purchasing clerk will then fill out a purchase order (PO) stating the quantity of Upende ordered and the price. The
price list obtained from RC is used to determine the total price. He then signs the purchase order as the preparer.
6. The purchase order is pre-printed, sequentially pre-numbered and prepared in triplicate.
7. The purchase order is signed and authorised by the purchase manager before the copies are sent to RC and the
receiving department.
8. A delivery note is attached to the boxes of Upende as its being shipped. The delivery notes state the number of Upende
bottles, the price per bottle and the loading date. The goods are delivered to VJ’s head office premise. There are no
agreed shipping terms yet with RC.
9. Due to the toxic nature of Upende it is shipped is special shock resistant containers. These containers are then stored
under the deck of the ship.
10. The receiving department and the recording department are located at the head office.
11. When the receiving staff receive, the delivery they prepare the goods received note stating the number of goods
received per the delivery note. Two copies are left being attached to the boxes while, another is sent to the recording
department
12. Upon receiving the goods received note, the recording clerk records the goods as being delivered.
13. The head office department ships the goods that were received to the individual housing facility.

MANCOSA – Postgraduate Diploma in Risk Management 122

Auditing for Risk

You are required to:

a) With reference to working paper AP 100, identify the controls that CURRENTLY exist in the acquisition cycle of Van
Jaarsveld (Pty) Ltd. For each control identified, indicate the risk that the control is mitigating.
(12 Marks)

Note to students - Use the following table:

Control present in cycle Risk mitigated

b) With reference to working paper AP 100, identify and describe the weaknesses in the acquisition cycle of Van
Jaarsveld (Pty) Ltd. For each weakness, make a recommendation for how management can rectify the weakness.
(12 Marks)

123 MANCOSA – Postgraduate Diploma in Risk Management

 Auditing for Risk

Unit
8: Inventory and Production Cycle

MANCOSA – Postgraduate Diploma in Risk Management 124

Auditing for Risk

Unit Learning Outcomes and Associated Assessment Criteria

LEARNING OUTCOMES OF THIS UNIT: ASSOCIATED ASSESSMENT CRITERIA OF THIS UNIT:

Understand the valuation and measurements Activity is provided to assist in understanding the
principles of inventory valuation and measurement concept of inventory

Understand the link between inventory and other Illustration and activities are provided to assist in
cycles understanding the link which exist between the
inventory cycle and the purchases and payments
cycle

Understand the stock counts and its uses Case study, tables and activities are provided to help
in understanding the need for stock counts

Summary
The Unit explores the various controls of the inventory and production cycle. Weaknesses, together with having to make
proper recommendation for smooth operation with the cycle.

Prescribed / Recommended Reading

Singleton, T. W. & Singleton, A. J. (2010). Fraud Auditing and Forensic

Accounting. 4th Edition. Wiley & Sons Publishing.

Bologna, G, T. & Lindquist, R, T. (1995). Fraud Auditing and Forensic

Accounting: new Tools and Techniques. Wiley & Sons

Dutta, S, K. (2013). Statistical Techniques for Forensic Accounting:

Understanding the Theory and Application of data analysis. Pearson.

Hopwood, W., Young, G. & Leiner, J. (2012). Forensic Accounting and Fraud
Examination. 2nd Edition. McGraw-Hill.
Albrecht, W, S., Albrecht, C, O., Albrecht, C, C. & Zimbelman, M, F, (2016).
Fraud Examination. 5th Edition. Cengage Learning

125 MANCOSA – Postgraduate Diploma in Risk Management

 Auditing for Risk

8.1. Inventory valuation and mesurement principles

The audit of inventories is usually regarded as one of the high risk areas of the audit:
(a) It is usually crucial to assure about an entity’s profit.
(b) Inventory is generally a major item on counting the working capital in the statement of financial position.
(c) It may be complex and creates significant auditing problems. For example, the inventory is in different locations
and this leads to problems in performing physical controls and physical counting.
(d) It is usually subject to a degree of estimation since inventory valuation is subject to factors such as
obsolescence and the allocation of manufacturing costs to inventory.
(e) The nature of inventory can also be very varied, e.g. jewellery, the costs of developing a computer game, cars,
chemicals, petrol, etc.

8.2. Link between inventory process and other business cycles

8Figure 1.8 Inventory production flow chart

(Von Wielligh & Prinsloo, 2014)

MANCOSA – Postgraduate Diploma in Risk Management 126

Auditing for Risk

8.3. Period versus perpertual inventory system

Internal Controls and Tests of Control for Inventory and Production Cycle
a) Inventories should be stated as lower of cost and NRV. When the inventories’ NRV is lower than the cost, the
company has to write down the value of inventory.
b) The amount to be written down is subject to management’s estimation.
c) The risk of material misstatement of the inventory at assertion level for valuation should be high, for example,
if a company has many inventories piled up and the economy was under recession, making the saleable value
hard to be determined.
d) However, it should be low if a company maintains an appropriate level of inventories and the saleable value
is easy to be determined.

6Table 1.7 Internal controls and tests of control

Assertions Internal Control Procedures Test of control
1. Existence Proper segregation of duties and Observe and evaluate proper
physical safeguards of inventory to segregation of duties and test
prevent fictitious inventory. procedures for transfer and issuing
Use pre-numbered and/or properly inventory.
approved receiving reports and Review authorized production
materials requisitions for inventory schedules and test procedures for
transfers establishing inventory levels and
inventory control.
2. Rights and Recorded inventory is supported by Check recorded inventory against
obligations suppliers’ invoices and goods suppliers invoices and goods
received notes. received notes.
3. Completeness Purchase requisition, purchase order, Check sequential controls over
receiving report and vouchers are pre- purchase requisition, purchase order,
numbered and accounted for receiving report and vouchers.
Procedures to include goods out on Test the control procedures for the
consignment and exclude goods led on consignment goods.
consignment.
4. Cut-off All receiving reports and delivery Check dates of receiving reports and
notes should be processed daily. delivery notes to dates to record the
inventory movements in perpetual
inventory records.
5. Accuracy Review of cost accumulation, standard Examine and test procedures for
costs, and variance reports by person of taking physical inventory,
appropriate level. accumulating costs, and developing
standard cost.

127 MANCOSA – Postgraduate Diploma in Risk Management

 Auditing for Risk

6. Valuation and Inventory management personnel Discuss with management and test
allocation review inventory for obsolete, slow- procedures for identifying obsolete
moving, or excess quantities. and slow-moving items.
Periodic or annual comparison of
goods on hand with perpetual inventory
record.
7. Classification Material requisitions and production Check that the classification of
data used to classify inventory into raw inventory is in compliance with
materials, WIP, and finished goods. accounting standard and company
accounting policies.
8. Presentation Inventory is properly classified, Review inventory items are properly
and disclosure disclosed and presented at fair value. classified, disclosed and presented at
fair value in the financial statements.
(Jackson & Stent, 2016)

8.4. Stock counts

The process by which management count physical goods on hand and compare them to the goods recorded in the
accounting system.
Why?
o May have overstated or understated assets
o Inventory may not exist
o Damaged inventory should be valued less (lower of cost or net realisable value)
o Maybe inventory has not been recorded
Year-end inventory count test for Existence, completeness, valuation and rights

MANCOSA – Postgraduate Diploma in Risk Management 128

Auditing for Risk

8.4.1 Inventory counts

Management perspective Auditors perspective
Planning: Planning:
o Set date, time and location o Enquire as to the date, time and
o Method of counting location
o How many counters o Organise audit staff
Supervision o Obtain written instructions
Prepare warehouse o Enquire as to stock not to be
Draft floor plan – inventory locations counted
Prepare written instructions and document
design
Stationery: Written instructions:
Inventory sheets – documents to be counted Provide this to staff in advance
Printed and numerically numbered Identify team and responsibilities
Number of quantity – write in space for 2 counts Method of counting
Inventory adjustment form to be authorised Goods not included
Sign inventory sheets
Date, time and location

During the count: During the count:

Count staff should be teams of two (1 count, 1 Observe written instructions if adhered to
document) Identify damaged inventory
Count stock 2 times Perform test counts (completeness & existence)
Mark counted (tagged) Inspect if all stock marked after counted
Identify damaged goods Sequence test on count sheets
Controller inspect all counted inventory Confirm inventory not be counted is excluded
Recount if different between 2 counts Inspect count sheets signed
Counters sign sheets

After the count: After the count:

Ensure all inventory is counted Count sheet changes signed off
Adjust records based on count Document count procedures and test counts
Damaged inventory identified
Cut off documentation numbered
GRN matched to invoice

129 MANCOSA – Postgraduate Diploma in Risk Management

 Auditing for Risk

8.4.2 Controls during the count

1. Inventory must be neatly packed and stacked, with similar items together & aisles kept clear
2. Inventory count forms must be pre‐numbered
3. A register must be kept to record all issued and returned pre‐numbered inventory count forms.
4. Persons receiving and returning inventory count forms must sign the register for receipts and Returns.
5. Segregation of duties between counter, writer functions and they must sign count cards
6. Reliable personnel must be used
7. Inventory count must take place according to originally planned.
8. Proper supervision of count must take place.
9. If differences arise during the recounts by counters these must be reported to supervisors and resolved.
10. The supervisors must do test counts and differences must be rectified.
11. There must be no movement of inventory during the count.
12. Slow moving, obsolete and damaged inventory must be identified and recorded as such.
13. All Inventory must be tagged according to the inventory count instructions.
14. The latest invoice/document numbers of purchases and sales must be recorded to control the inventory that will
be included or excluded from the inventory at year‐end.
15. Inventory in transit and inventory held on consignment at other premises must be identified and must be taken
into consideration.

8.5 Fraud in this cycle

Inventory presents the directors with an effective opportunity for reporting fraudulently by manipulating the inventory
balance. The inventory balance is used in the calculation of profit and is used in the statement of financial position and
therefore its manipulation can have a pervasive effect, e.g. on profits, important ratios and earnings per share. The
director’s may
include fictitious inventory (existence). This will increase profit and current assets and improve related ratios.
understate the write-downs of inventory for obsolescence, damage etc. (valuation). This will have the same effect as
above.
exclude inventory which should be included and/or overstate inventory write-downs (existence and valuation). This
will have the opposite effect, and will only arise when the directors are attempting to make the company look less
“valuable” than it is, e.g. if they are planning a management buyout. This approach could also be part of an overall
scheme to evade taxation.

There are hundreds of different ways of including fictitious inventory. As all directors know that the auditor will conduct
physical tests on inventory, many inventory frauds require quite intricate planning and a lot of deception to create the
“illusion” of inventory.

MANCOSA – Postgraduate Diploma in Risk Management 130

Auditing for Risk

8.6 Summary
This Unit introduced the inventory and production cycle, internal controls and related risks in this cycle.

Activity
You may come across activities that ask you to carry out specific tasks. In most cases, there are
no right or wrong answers to these activities. The aim of the activities is to give you an
opportunity to apply what you have learned.

You are an experienced member of the team on the year-end audit of Giba Supplies (Pty) Ltd, a large retailer of bicycles,
bicycle spares, clothing and accessories. The company operates from a large outlet in Cape Town. Although Giba Supplies
(Pty) Ltd sells numerous items that are manufactured in other countries, it does not import any goods itself and does not
conduct cycle counts. The company does not have computerised inventory and wages systems and does not keep
perpetual inventory records. The salaries system is however computerised. Peter Taylor, the manager of Giba Supplies
(Pty) Ltd is a lawyer by training with virtually no computer knowledge. He is concerned that if the company computerises
the wages and inventory systems and places applications on the company’s network the risk of breaches of confidentiality
and fraud will be much greater.

The company employs full-time salaried employees (who are paid via EFT) and casual employees who are paid weekly
wages using pay-packets that are physically distributed. Wage employees are expected to physically present themselves
at the pay-out, to produce identification and to sign for their pay-packet upon receipt. Wages that are unclaimed at the end
of the week (Friday) are put in a box and sent in the internal mail to the petty cashier in the administration department on
Monday morning. The petty cashier adds the cash to her float and if necessary uses it for petty expenditures. Employees
wishing to claim their wages for a previous week are paid out of petty cash.

Inventory is carefully counted at year-end. The company’s inventory is very well laid out in the shop; there are separate
areas for bicycles, clothing, shoes, helmets and outdoor supplies. All inventory, other than workshop spares is kept in the
shop i.e. there is no other storage area. The company’s annual inventory count takes place as follows:
In the week preceding the year-end inventory count, Laura King, the shop’s very efficient administration manager, compiles
a list of all the different inventory items in the shop (she does not count any items). The list includes a clear description of
the item as well as part/serial numbers where applicable. Having done this, she produces a sequenced, printed “preliminary
inventory sheet” to be used at the inventory count. The year-end inventory count is controlled by Laura King and the count
is performed by sales and administration staff. These staff members are broken into teams of two, and two teams are
allocated to a designated area in the shop, e.g. accessories. Both of the teams (per designated area) are given a printed
preliminary inventory sheet; each team performs an independent count of each item and enters the quantity on their
inventory sheet. As each team completes the count of an inventory item, they attach a sticker to the rack or bin on which
the inventory is kept. The first count team uses red stickers and the second count team yellow stickers. When a designated
area has been counted Laura King compares the inventory sheets from the two teams and if there are any discrepancies
she sends both teams to recount and resolve the error. Detailed instructions are given to the count teams including the
need to identify on the inventory sheet, any damaged items. At the conclusion of the count she works her way through the

131 MANCOSA – Postgraduate Diploma in Risk Management

 Auditing for Risk

shop confirming that all racks, bins etc. have red and a yellow sticker. She enters the quantities from the preliminary
inventory sheets onto the final inventory sheets as well as the cost of each item. She then performs the quantity x cost
calculation for each item and enters the amount in the total cost column. She then adds the amounts in this column to
arrive at the total cost of the inventory.

In terms of sales, the company sells directly from the outlet on cash basis and through sales representatives. The
company’s fifteen sales representatives spend Monday to Thursday of each week on the road calling on the customers,
conducting shows and demonstrations and taking orders. Sales by sales representatives are only made on credit. Each
sales representative carries a sales order book and a catalogue which lists the inventory code, description and price for
every item which the company sells, e.g. Z3456, 20 litre cooler box, R239, 99. To take the order, the sales representative
completes a pre-printed, multi-part order form in triplicate by entering:
Auditing 200 (Main Exam) 2017
Page 3
• The customer name
• Inventory code, quantity and price of each item ordered
• The date
• The sales representative’s identity code

The sales representative does not calculate the total sale or VAT. The customer is then required to sign the order and is
given a copy. The other two copies remain in the order book. Each sales representative generally takes about thirty-five
orders a week.
On Friday mornings, the sales representatives return to the retail outlet. They hand their order books to Rajes Govender,
the sales administration clerk. She removes the second copy of each order and returns the order book to the sales
representatives. She then batches the orders before passing them to Marlen Moodliar for further processing. A picking
slip is generated, Zinhle Hurley then checks the physical goods picked against the picking slip and, if all is in order,
approves the picking slip. The goods and the picking slip are then transferred to the despatch area. Goods are then
delivered to customers.

You are required to:

1. Based on the information provided, indicate whether you are satisfied with the method adopted by Giba Supplies (Pty)
Ltd to conduct the year-end inventory count. Justify your answer. (7 Marks)
2. Discuss the benefits of conducting cycle counts. (2 Marks)

MANCOSA – Postgraduate Diploma in Risk Management 132

Auditing for Risk

8.7 Answers to Activity

a)
1. Yes, I would have been satisfied with the method adopted to conduct the inventory count.
Justification:
1. The principles/procedures adopted were sound and their application would have resulted in accurate quantities of
inventory being recorded.
1.1 All items were subjected to two independent counts.
1.2 teams included members independent of the inventory function.
1.3 The count was controlled by a “very efficient” senior member of staff.
1.4 Count discrepancies were resolved by the count teams themselves (on instruction from the count controller).
1.5 Count teams were given count instructions, including an instruction to identify damaged goods
1.6 Properly prepared sequenced inventory sheets were used for recording quantities.
1.7 The use of coloured stickers enabled Michelle Rasmussen, the count controller, to check at the conclusion of the count
that all items had been counted.

b)
2. Cycle counts – benefits
• Comparison and reconciliation of physical and theoretical inventory on a regular basis enhances internal control in
the business, creating a stronger control environment
• Discrepancies between actual and theoretical inventory will be timeously identified and can be followed up
• Employees will be less likely to attempt theft if they know that it will be detected quickly
• Preventive measures can be put in place to reduce the possibility of discrepancies between theoretical and actual
inventory recurring.

Case Study

Case Studies will give you an opportunity to apply theory to practice.

Case study 8.1

You are the auditor of Energia Energy (Pty) Ltd (EE). EE is a manufacturer of renewable energy products such as solar
products and heat pumps. Management has asked you to review the system of internal control. While doing walk-through
testing you compiled the following system description:
1. The sales director informs the production manager on a Friday afternoon of which products sold well during the
previous week. Based on this, the production manager allocates responsibilities to the production department.
2. The raw materials used to produce the products are kept in the raw materials warehouse. The raw materials
warehouse has a head storeman and two other storemen working there. Whenever raw materials are needed for
production, the production foreman requests the items with verbal or written authorisation.

133 MANCOSA – Postgraduate Diploma in Risk Management

 Auditing for Risk

3. No perpetual inventory records are kept, but monthly inventory counts are done. You attended one of the inventory
counts and were satisfied with the controls surrounding the inventory count.
4. A re-order level has been set for each product. The head storeman of the raw materials warehouse compares the
inventory count sheets with the re-order levels. If the inventory according to the count is less than the re-order levels,
then a pre-numbered purchase requisition is prepared by one of the storeman and signed by the head storeman and
then sent to the purchases department.

You are required to:

List the shortcomings in the system of internal control and make recommendations to improve the purchase, receipt,
storage and issue of raw materials. (15 Marks)

Note to students - Use the following table:

Weaknesses Recommendations

MANCOSA – Postgraduate Diploma in Risk Management 134

 Auditing for Risk

Unit
9: Human Resources Cycle

135 MANCOSA – Postgraduate Diploma in Risk Management

 Auditing for Risk

Unit Learning Outcomes and Associated Assessment Criteria

LEARNING OUTCOMES OF THIS UNIT: ASSOCIATED ASSESSMENT CRITERIA OF THIS UNIT:

Understand the payroll and personnel cycle Illustrations and activities are provided to assist in
understanding the payroll and personnel cycle

Understand employee benefit expense recognition Activities, case study and illustrations are provided to
principles assist in understanding the principles that are applied in
employee benefit and expense recognition

Understand salaries versus wages Case study and activity is provided to assist in
understanding the difference between salaries and
wages

Summary
The Unit explores the various controls of the human resources cycle. Weaknesses, together with having to make proper
recommendation for smooth operation with the cycle.

Prescribed / Recommended Reading

Singleton, T. W. & Singleton, A. J. (2010). Fraud Auditing and Forensic
Accounting. 4th Edition. Wiley & Sons Publishing.

Bologna, G, T. & Lindquist, R, T. (1995). Fraud Auditing and Forensic

Accounting: new Tools and Techniques. Wiley & Sons

Dutta, S, K. (2013). Statistical Techniques for Forensic Accounting:

Understanding the Theory and Application of data analysis. Pearson.

Hopwood, W., Young, G. & Leiner, J. (2012). Forensic Accounting and Fraud
Examination. 2nd Edition. McGraw-Hill.

Albrecht, W, S., Albrecht, C, O., Albrecht, C, C. & Zimbelman, M, F, (2016).

Fraud Examination. 5th Edition. Cengage Learning

MANCOSA – Postgraduate Diploma in Risk Management 136

Auditing for Risk

9.1 Introduction to payroll and personnel cycle

People may think of audits as being mainly financial in nature, probing companies' financial statements and accounting
records to search for discrepancies, but any department in a business can be audited in some way. The human resources
department is no exception to the rule, although human resources (HR) audits involve a good deal of qualitative analysis
in addition to financial considerations. An introduction to human resource audits can familiarize you with the types of
information analysed in an HR audit.

9Figure 1.9 Human resources flow chart

(Von Wielligh & Prinsloo, 2014)

9.2. Risks in the cycle

Fictitious (dummy) employees included in payroll
Unauthorized changes to gross pay rates by an individual with access to the employee permanent file
Errors in processing of pay‐roll.
Payroll deductions may be incorrect and not authorized, resulting in incorrect returns and wage pay out.
Payroll payments may be made to the incorrect employee. This occurs especially where casual labour is hired.
Unclaimed wages are misappropriated if left unclaimed for long periods.
Incorrect amounts paid to payroll deduction accounts payable

137 MANCOSA – Postgraduate Diploma in Risk Management

 Auditing for Risk

9.2.1 Fraud in the cycle

Wages paid in cash are easy to steal
Internal cocuments – amend information to get paid more
Creat fictitious employees to get double salary/wage or do not process leave

9.3. Documents needed in the cycle

Employee personal form – details of employee
Employee changes form‐ any changes in employment are recorded
Clock card or smart card – identification & recording hours worked
Employee pay slip – Printout of wage calculation Payroll cheque or advice form or cash
Pay‐roll deduction returns – Eg: Medical, workmen’s compensation etc Pay packet‐
Tax certificate – year end IRP 5

9.4. Functions of the cycle

9.4.1. Initiating payroll transactions
Hiring of new employees
Termination of employees
Changes in employment
Data of contract – rates benefits etc

9.4.2. Recording of time worked or service provided

Supervising of Clocking in & out of workers present on day

9.4.3. Preparation and recording of payroll transactions

Capturing of individual hours worked with rates
Calculation of deductions/ allowances according to standard contract tariffs
Calculation of total wage pay‐out
Request & Drawing of cash for total wages
Completing & filling of pay‐roll packet/ envelope by independent person not responsible for pay‐roll preparation
/calculations.

9.4.4. Paying the payroll

Actual pay‐out to employees, by independent person
Employee to show some form of identification
Employees to sign for their wage pay‐out received
Unclaimed wages to be returned to cashier at head office

MANCOSA – Postgraduate Diploma in Risk Management 138

Auditing for Risk

9.5. Control activity in the cycle

All requests should originate from the department making the request
Requests signed by head of department
Changes to contract acted upon after consultation with relevant parties and considered laws
Changes must be autorised
File kept for each employee
o Employment contract
o Perfomance appraisals
o Personal details

9.5.1. Time keeping

Control activity:
Limit and supervise entry and exit points
Clock cards prepared by personnel department in terms of authorised list
Admin clerk to collect clock cards at the end of the week and
o Agree number of cards to list
o Calculate ordinary and overtime
o Complete batch control sheet
Section head authorise overtime and sign batch total as reviewed

9.5.2. General internal controls

Time registers or clock cards must be used
Maintenance of personnel records – wage rates to be checked by independent person
Calculation of wages payable should be checked by an independent person
A payslip is issued to enable an employee to check the amount being paid to him.
Identification of workers before disbursing wages
Disbursement must take place in presence of an authorised official.
Disbursements should be done by persons who have taken no part in preparing the wages
Employees should sign the record as evidence of having received their wages,
The disbursing clerk should mark the appropriate items in the wage record as having been paid.

9.5.3. Internal controls – personnel file

Separation of duties should be implemented.
The HR Department should be responsible for maintaining the personnel files
All relevant information regarding worker to be obtained and kept in file.
Access to factory should be limited to one entrance to control access
The factory foreman should supervise who clocks in & out, in order to control access to the factory

139 MANCOSA – Postgraduate Diploma in Risk Management

 Auditing for Risk

9.5.4. Payroll preparation

On receipt of batch total, check details
Wage clerk prepare
o Payroll
o Recon of difference between prior week and current week wages
Supervisor verify
o Hours and rates against the clock cards and employee list
o Verify deductions
o Reperform calculations
o Sign the payroll
Head of pyaroll review and sign payroll and recon
Cheque for wages for wages given to cheque signatories with payroll

9.5.5. Internal control – preparation of wage sheets

Pay sheets to be prepared by clerk or foreman.
Details of time worked, piece work and rates.
The wage clerk should recalculate the hours worked on the clock cards, compare them with wage sheet and initial
that task was properly performed
Separation of duty between calculation and recording function
Someone, ‐ manager should compare rates with personnel files.
From cards register is drawn up indicating names, rates, hours, deductions and advances.
The next clerk works out the pay due & totals.
Accountant should check wage sheet for accuracy of calculations performed by wage clerk and initial it.
Cashier checks the previous & makes out the cheques, or draw the cash required.
Cheques should not be made out to cash but rather to a person‐the accountant or person responsible for drawing
the cheque
Cheque must only be signed once the wage sheet is completed and satisfied with calculations
Particulars of rates X Hours etc should appear on the wage payout envelope so that employees may check them.
The factory foreman should sign for the money received
Payments made by wage clerk & person identified by foreman or other official.
Duties should be rotated.
Annual leave should be taken at one time so that irregularities can be discovered.
Official should take note of absenties.
Unclaimed wages should not be paid out to fellow employees.
Unclaimed wages should be investigated.
Wages should be signed for.
Wages paid should be signed for by person preparing them.

MANCOSA – Postgraduate Diploma in Risk Management 140

Auditing for Risk

9.5.6. Deductions
Monthly schedule for:
o Posting entries to raise liabilities for deductions
o Making necessary paymenys
o Supervisory checks on activities
Pyroll and return forms presented to signatories for review prior to signing cheques
Monthly review of General Ledger to confirm dedutions are being cleared promply

9.5.7. Payment preparation

Wage packets made by upto 2 wage clerks
On delivery of wage selection, Head should
o Agree number of packets to payroll
o Agree details on payroll to batch control
o Sign payroll
Packets locked away until pay
Payout performed by 2 staff members – foreman and paymaster
Employees present ID to collect pay, sign paroll as accepted and count cash
On conclusion the two employees must agree all unclaimed packets to payroll – unsigned and identify this on payroll
Details of unclaimed entered into unclaimed register
Two must sign payroll as performing all of the above
Unclaimed retained by paymaster in locked safe
On collection of unclaimed employees present ID
Unclained after two weeks banked

141 MANCOSA – Postgraduate Diploma in Risk Management

 Auditing for Risk

9.5.8. Wage payout

Management perspective Auditors perspective
Wage packets made up by 2 wage department members Arrive before payout
Locked up until delivery Agree packets to names,
On delivery of packets to site, section head to agree number Amounts in payroll
of packets to payroll Accopany paymaster to payout
Sign report Employee provide ID
Wage payout by 2 employees Unclaimed wages recorded in register
Employee to present ID, count cash and sign payroll Confirm unclaimed wages is banked
Pay master agree unclaimed to payroll, enter in regard and Select a sample from record agree
sign employee file / deduction list and sgree to
Unclaimed wages locked up payment
ID presented when collecting unclaimed wages Hours split normal and overtime
Bank unclained wages after 2 weeks Ensure deductions are equal to deduction
Wage clerk prepare payroll based on batch table
Supervisor verify: Recalculate net (Gross-Deductions)
o Hours to clock cards Recorded in correct General Ledger for
o Deductions against deductions table month it relates to
o Reperform calculations Payment to SARS – PAYE timeously
o Sign payroll

9.5.9. Internal controls - Wage payout (Occurrence, accuracya nd completeness)

Physical security must exist over cash for disbursement.
Amount due to each employee should be recorded on a payslip.
The factory foreman should sign for the money received
Some one else other than the foreman should be present at a wage payout
The employee must be identified and sign for his/her wage
disbursement should proceed in presence of the authorised official who supervises the distribution of wage
envelopes.
Disbursing clerk should mark off in the wage records all wages that are paid out.
Employees should sign the wage record as evidence of receipt.
Unclaimed wages should be recorded in an unclaimed wages register and signed by the foreman and other person
present at wage payout.
Unclaimed wages should be handed in to the cashier.
Unclaimed wages must be re‐banked after a time period if still unclaimed.

MANCOSA – Postgraduate Diploma in Risk Management 142

Auditing for Risk

9.5.10. Internal controls – Unclaimed wages

Unclaimed wage envelopes should be returned to the cashier
Cashier must record in unclaimed wage register
Cashier should sign the payroll record to acknowledge receipt thereof
wages still unclaimed at close of following week should be deposited in the bank
when unclaimed wages are subsequently paid, proper identification of the employee should be established.
employees should sign unclaimed register to acknowledge receipt.

9.6 Conclusion
This Unit introduced the human resources cycle, internal controls and related risks in the cycle.

Activity
You may come across activities that ask you to carry out specific tasks. In most cases, there are
no right or wrong answers to these activities. The aim of the activities is to give you an
opportunity to apply what you have learned.

You are an experienced member of the team on the year-end audit of Giba Supplies (Pty) Ltd, a large retailer of bicycles,
bicycle spares, clothing and accessories. The company operates from a large outlet in Cape Town. Although Giba Supplies
(Pty) Ltd sells numerous items that are manufactured in other countries, it does not import any goods itself and does not
conduct cycle counts. The company does not have computerised inventory and wages systems and does not keep
perpetual inventory records. The salaries system is however computerised. Peter Taylor, the manager of Giba Supplies
(Pty) Ltd is a lawyer by training with virtually no computer knowledge. He is concerned that if the company computerises
the wages and inventory systems and places applications on the company’s network the risk of breaches of confidentiality
and fraud will be much greater.

The company employs full-time salaried employees (who are paid via EFT) and casual employees who are paid weekly
wages using pay-packets that are physically distributed. Wage employees are expected to physically present themselves
at the pay-outs, to produce identification and to sign for their pay-packet upon receipt. Wages that are unclaimed at the
end of the week (Friday) are put in a box and sent in the internal mail to the petty cashier in the administration department
on Monday morning. The petty cashier adds the cash to her float and if necessary uses it for petty expenditures. Employees
wishing to claim their wages for a previous week are paid out of petty cash.

Inventory is carefully counted at year-end. The company’s inventory is very well laid out in the shop; there are separate
areas for bicycles, clothing, shoes, helmets and outdoor supplies. All inventory, other than workshop spares is kept in the
shop i.e. there is no other storage area. The company’s annual inventory count takes place as follows:
In the week preceding the year-end inventory count, Laura King, the shop’s very efficient administration manager, compiles
a list of all the different inventory items in the shop (she does not count any items). The list includes a clear description of
the item as well as part/serial numbers where applicable. Having done this, she produces a sequenced, printed “preliminary

143 MANCOSA – Postgraduate Diploma in Risk Management

 Auditing for Risk

inventory sheet” to be used at the inventory count. The year-end inventory count is controlled by Laura King and the count
is performed by sales and administration staff. These staff members are broken into teams of two, and two teams are
allocated to a designated area in the shop, e.g. accessories. Both of the teams (per designated area) are given a printed
preliminary inventory sheet; each team performs an independent count of each item and enters the quantity on their
inventory sheet. As each team completes the count of an inventory item, they attach a sticker to the rack or bin on which
the inventory is kept. The first count team uses red stickers and the second count team yellow stickers. When a designated
area has been counted Laura King compares the inventory sheets from the two teams and if there are any discrepancies
she sends both teams to recount and resolve the error. Detailed instructions are given to the count teams including the
need to identify on the inventory sheet, any damaged items. At the conclusion of the count she works her way through the
shop confirming that all racks, bins etc. have red and a yellow sticker. She enters the quantities from the preliminary
inventory sheets onto the final inventory sheets as well as the cost of each item. She then performs the quantity x cost
calculation for each item and enters the amount in the total cost column. She then adds the amounts in this column to
arrive at the total cost of the inventory.

In terms of sales, the company sells directly from the outlet on cash basis and through sales representatives. The
company’s fifteen sales representatives spend Monday to Thursday of each week on the road calling on the customers,
conducting shows and demonstrations and taking orders. Sales by sales representatives are only made on credit. Each
sales representative carries a sales order book and a catalogue which lists the inventory code, description and price for
every item which the company sells, e.g. Z3456, 20 litre cooler box, R239, 99. To take the order, the sales representative
completes a pre-printed, multi-part order form in triplicate by entering:
• The customer name
• Inventory code, quantity and price of each item ordered
• The date
• The sales representative’s identity code
The sales representative does not calculate the total sale or VAT. The customer is then required to sign the order and is
given a copy. The other two copies remain in the order book. Each sales representative generally takes about thirty-five
orders a week.

On Friday mornings, the sales representatives return to the retail outlet. They hand their order books to Rajes Govender,
the sales administration clerk. She removes the second copy of each order and returns the order book to the sales
representatives. She then batches the orders before passing them to Marlen Moodliar for further processing. A picking
slip is generated, Zinhle Hurley then checks the physical goods picked against the picking slip and, if all is in order,
approves the picking slip. The goods and the picking slip are then transferred to the despatch area. Goods are then
delivered to customers.

MANCOSA – Postgraduate Diploma in Risk Management 144

Auditing for Risk

You are required to:

1. State the internal controls which should be instituted by Giba Supplies (Pty) Ltd over unclaimed wages.
(4 marks)

Answers to Activity
Internal controls – Unclaimed wages
• Unclaimed wage envelopes should be returned to the cashier
• Cashier must record in unclaimed wage register
• Cashier should sign the payroll record to acknowledge receipt thereof
• wages still unclaimed at close of following week should be deposited in the bank
• when unclaimed wages are subsequently paid, proper identification of the employee should be established.
• employees should sign unclaimed register to acknowledge receipt.

Case Study
Case Studies will give you an opportunity to apply theory to practice.

Case study 9.1

You have been tasked with auditing the human resources cycle. The hierarchy and organisational structure is as follows:
the production manager is located at the head office (in Westville). Each facility has a manager that controls all the facility
staff and addresses all student complaints (hereafter facility manager). At each facility, there are a number of cleaning and
gardening staff that report to the facility manager. There are 500 staff members employed in total. Wages are paid every
Friday, based on the hours worked during the previous calendar week. Working paper HR 100 details the detailed
procedure of VJ in the human resources cycle (attached below). The following is the reporting hierarchy at VJ in a diagram:

Cleaners
Facility managers
Production manager
(total of 20)
Gardeners

Client: Van Jaarsveld (Pty) Ltd Year-end: 30 June 2018

Prepared by: Nana Joosub Date: 05 July 2018

HR 100
Reviewed by:

Human resources cycle.

145 MANCOSA – Postgraduate Diploma in Risk Management

 Auditing for Risk

1. The facility manager employs new employees, as he/she sees fit.

2. At the start of each working week (on Monday) each facility manager hands a blank clock card to each of his/her
employees.
3. The employees insert their names and employee numbers on the clock cards and then use the cards for that working
week. The clocking device is situated at the entrance of the facility premise.
4. Employees clock in and out at the entrance by inserting the clock cards into the clocking device.
5. The facility manager posts the used clock cards to a wage clerk on Monday mornings. The wage clerks are located
at the head office. Any wage clerk may receive the used clock cards.
6. Once clock cards from all facilities are collected. The clock cards are divided alphabetically amongst four wage clerks.
Each wage clerk is always allocated the same section of the alphabet for which he/she is fully responsible. This
allows the wage clerks to specialise in their capturing; this specialisation makes the capturing faster and helps to
identify inaccuracies.
7. The wage clerks perform the following control procedures on the clock cards:
7.1. Calculate the total number of hours worked per clock card and record this on the relevant clock card.
7.2. Enter the hours worked per individual (by employee number) into the weekly wages file on the computer.
8. After each wage clerk has entered the hours worked into the computer, the computer calculates each workers
gross pay, deductions and net pay by using the wage rates and deductions in accordance with the personnel
information kept on a database.
9. The computer then prints the weekly wages reports. These are kept in the wages department at the head office.
10. One of the wage clerks verbally informs the accountant of the amount needed for the week’s net wages.
11. The accountant then hands over cash notes for the exact amount of the week’s net wages directly to the wage
clerk.
12. The computer prints pay envelops for the workers to be paid, bearing the workers' names and the employee
number. Each wage clerk fills the pay envelopes according to the letters of the alphabet for which he/she is
responsible.
13. After all the pay envelopes are filled, no money should be left over. If a discrepancy occurs, the pay envelopes are
checked and corrected by the wage clerks.
14. The pay envelopes are sealed. On Friday afternoons the pay envelopes are hand delivered to the relevant facility
managers for the weekly pay-out. Each facility manager pays out the wages to the workers working for him.
Unclaimed wages are retained by the facility manager until the employee collects the pay check.

You are required to:

With reference to working paper HR 100, identify and describe the weaknesses in the human resources cycle of Van
Jaarsveld (Pty) Ltd. For each weakness, make a recommendation for how management can rectify the weakness.
(26 Marks)

MANCOSA – Postgraduate Diploma in Risk Management 146

 Auditing for Risk

Unit
10: Computer Auditing

147 MANCOSA – Postgraduate Diploma in Risk Management

 Auditing for Risk

LEARNING OUTCOMES OF THIS UNIT: ASSOCIATED ASSESSMENT CRITERIA OF THIS UNIT:

Understand the components of internal control Activity, case study and prescribe reading are
and information technology provided to assist in understanding the components of
internal controls

Describe what general controls are Prescribes reading and case study is provided to
assist in the description of general controls

Describe what application controls are Activity is provided to assist in the description of
application controls

Make use of Computer Assisted Audit Techniques Case study and activity is provided to assist in
(CAATs) to perform an audit utilising CAAT when performing an audit

Summary
The Unit explores the use of computers in an audit environment. It makes use of these techniques to assist auditors to
audit an information technology intensive environment and make use of information technology techniques.

Prescribed / Recommended Reading

Singleton, T. W. & Singleton, A. J. (2010). Fraud Auditing and Forensic

Accounting. 4th Edition. Wiley & Sons Publishing.

Bologna, G, T. & Lindquist, R, T. (1995). Fraud Auditing and Forensic

Accounting: new Tools and Techniques. Wiley & Sons

Dutta, S, K. (2013). Statistical Techniques for Forensic Accounting:

Understanding the Theory and Application of data analysis. Pearson.

Hopwood, W., Young, G. & Leiner, J. (2012). Forensic Accounting and Fraud
Examination. 2nd Edition. McGraw-Hill.

Albrecht, W, S., Albrecht, C, O., Albrecht, C, C. & Zimbelman, M, F, (2016). Fraud

Examination. 5th Edition. Cengage Learning

MANCOSA – Postgraduate Diploma in Risk Management 148

Auditing for Risk

10.1. Introduction
Computer auditing is a systematic and logical process that follows a risk based approach to determine whether the
information systems of an entity, including its detailed information technology processes, controls and activities, will
achieve its IT objectives and will thereby ultimately enable the organisation to achieve their organisational goals.
Although computer auditing is already a specialist field within auditing, there is a need for even further specialisation in
areas such as computer assisted audit techniques (CAATs), IT governance, risk and information systems control,
information security, information system continuity, disaster recovery, etc.

10.2. The components of internal control and information technology

10.2.1 Types of Computer Information Systems
Batch input – source documents are accumulated for input, processing may take place at regular (predetermined)
or irregular (random) intervals.
On-line input – transactions with immediate validation is permitted but actual update of the master file does not
take place at the time of on-line entry.
Data base system – centrally controlled series of related data or files.
Small computer systems – minicomputer has less storage capacity than a larger computer and operates at slower
processing speed.
Distributed processing systems – two or more computer systems linked together through the user of special
software, e.g. network.
Electronic funds transfer systems (EFTS) – computer-based network that enables payment system transactions.
Electronic business through internet

10.2.2 Nature of Risks and Control Characteristics in CIS Environment

Concentration of function, data and knowledge
(a) concentration of recording, processing and control functions within the CIS department.
(b) data may be concentrated in one department, i.e. CIS department.
(c) financial information may be centralized into one computer program, eliminating many conventional
controls based on adequate segregation of duties.
(d) greater reliance on programmed controls, to ensure the reliability of computer system outputs.
(e) may increase potential risk of fraud or error and make detection difficult.

Control procedures – decrease in human involvement eliminates most of the visual checking performed during processing
in manual systems, but may increase the potential for individuals to gain unauthorized access to information and alter
information to the detriment of the entity concerned.

System integration and generated transactions

(a) computer systems may permit the single transaction update of multiple or data base computer files. An erroneous
entry in such a system may create errors in several financial accounts.
(b) system generated transactions may not be specifically documented.

149 MANCOSA – Postgraduate Diploma in Risk Management

 Auditing for Risk

Accessibility of data and computer programs

(a) unauthorized uses of terminal and transactions.
(b) unauthorized modification of previously entered transactions, alteration of data and programs, etc.
Transient nature or lack of hardcopy evidence
(a) Lack of documentation – i.e. no audit trail, is the name given to the facility to trace individual transactions through a
system from its origin to completion.
(b) Storage of processing procedures or programs rely on both a computer and a program to reveal.
(c) Results of processing may be highly summarized.
(d) On-line computer system may not be designed to provide printed reports.
(e) CIS auditor must frequently become involved in the early stages of systems design.

Vulnerability of data and program storage media – easy to theft, loss or intentional or accidental destruction.

10.2.3 Audit Trails

An audit trail allows auditors to investigate errors that they have discovered in more detail. Ideally the audit trail should
make it possible to trace all the reports and other information terms that have been affected by the error, and to trace the
cause of the error.

Audit around the computer

(a) performed by examining and reconciling the input to the computer with the output from it.
(b) concept means that auditors bypass the computer and treat it as a giant bookkeeping machine.
(c) This technique is used when the audit trail is complete, computer processing operations are straightforward and
system documentation is complete and readily available.

(d) The disadvantages

(i) auditor cannot determine how all transactions will be handed by computer programs
(ii) costly and time consuming to provide printouts for audit purposes where no ready audit trail exists
(iii) not adequate for use in advanced and sophisticated computer system

Audit through the computer

(a) focuses on the computer and its programs directly in the audit. E.g. submits data for processing and analyse
results to determine the processing reliability and accuracy of the computer program.
(b) on-line data entry, system designed with elimination or reduction of printouts and real-time updating.
(c) forced to adopted if there is an inability to locate the source documents or printouts.

MANCOSA – Postgraduate Diploma in Risk Management 150

Auditing for Risk

Auditing with the computer

(a) use the computer and its programs as a tool of the auditor, e.g. putting computers to work footing subsidiary
ledgers on magnetic tape or disk, calculating amounts such as depreciation, comparing the contents of two files
and computing the required ratios for analysis purpose.
(b) Some public accounting firms have developed generalized audit software to perform the tasks.

10.3. General controls

It refers to the environment within which computer applications are developed, maintained and operated, and within
which the application controls operate. The objectives are to ensure the proper development and implementation of
applications, and the integrity of programme and data files, and of computer operations.
It includes
a) organization and management controls – policies and procedures relating to controls over computer processing
functions.
b) system development and program maintenance controls – ensure the effective systems and programmes are
formally developed as authorized.
c) Computer operation controls – used for authorized purposes only; restricted to authorized personnel; ensured
that errors are detected.
d) System software controls over acquisition or development – changes are authorized, approved, tested,
implemented and documented.
e) Program library security controls – unauthorized changes cannot be made; separation of responsibilities between
programme libraries and programme changes; protect of back-up copies of programmes.
f) Data security controls – unauthorized changes cannot be made to data on files or databases.
g) Other general controls – e.g. offsite storage of data; protection against fire, theft, loss, etc.

10.4. Application controls

It refers to controls that are specific to individual accounting applications, and are therefore unique to particular
accounting applications or functions. The purpose is to ensure the completeness and accuracy of the accounting records
and the validity of the entries therein. They consist of a combination of manual and programmed procedures.
It classifies as:
(a) input controls
(i) completeness of input – e.g. record counts, control or batch totals, hash totals.
(ii) accuracy of input – e.g. validity check (customer no. checked to master file);
reasonableness tests; limit checks, etc.
(iii) Validity of input – e.g. authorization limits; clerical review of input transactions.
(b) Processing controls – e.g. input controls as above; control totals; error logs; cross footing tests.
(c) Output controls – e.g. compared with source documents, error logs or exception reports; scrutiny of output before
dispatch.

151 MANCOSA – Postgraduate Diploma in Risk Management

 Auditing for Risk

10.5. Computer Assisted Audit Techniques (CAATs)

10.5.1 Reasons for using CAATs
Loss of audit trails:
(a) when no visible audit trails, e.g. conventional vouching of transactions may not be possible, the transactions
input are stored on a log file with no listing of daily or periodic transactions.
(b) Where the audit trail is not available in the design of a computer system, test data may be used to check the
processes are being performed properly.

CIS controls – program controls may not be possible to review manually. Using test data or re-performing the processes
by programs may be the only method to test the control.
Volume of transactions and output – volume of transaction data is large.

10.5.2 Considerations in the use of CAATs

CAATs may be used during various audit procedures, such as:

(a) detailed testing of transactions and balances – use of audit software to test all or a sample of transactions
in a computer file, for example.
(b) analytical procedures – use of audit software to identify unusual fluctuations or items, for example.
(c) testing of application controls – use of test data to check the functioning of a programmed procedure.
(d) testing of general controls – analyse logs and to review program library access procedures.
10.5.3 Categories of computer-assisted audit techniques
(a) Test data
This technique is used where programmed controls are tested using simulated transactions which are processed
through the client’s computer system. Its primary use is in the testing of application controls.
The results of processing are compared with the predetermined results. Any differences could be the results of control
weaknesses or programming errors.

Advantages of test data techniques include:

(a) Objective evidence is provided of compliance with established policies of the client’s CIS.
(b) It verifies program specifications which include program controls such as edit and validation checks.
(c) User procedures which are supposed to be complied with according to the user manual or other documentation
may be examined.
(d) It increases the auditor’s understanding of the client’s applications system and related procedures.

Disadvantages of test data techniques include:

(a) It test only preconceived situations and may have the same oversights that exist in the documentation of the
application.
(b) It lacks objectivity in that tests are oriented only to documented controls.
(c) The preparation of comprehensive test data necessary to determine the specific areas to be tested may be time
consuming and expensive.

MANCOSA – Postgraduate Diploma in Risk Management 152

Auditing for Risk

(d) It tests the functioning of controls only at a specific point in time, not cover the entire audit period.
(e) The auditor requires detailed knowledge of application program logic routines in order to design a suitable test.
(f) It may become difficult to perform testing in complex computer systems.

Two methods of using test data:

(a) Dead data (i.e. dead testing) – uses copies of the client programs and transaction files and processes the test data
separate from the normal production run.
(i) Advantages – test will not interrupt with client’s system and the results can be interpreted easily.
(ii) Disadvantages – additional computer time is required and it has to be arranged before hand and there is
uncertainty as to whether the actual operational programs are being used for the test.

(b) Live data – at its simplest level the auditors could use real data that has been processed which involves the controls
they want to test. The auditor takes control of client data before it is processed. He then determines how the data
should be processed, enters the data and checks the output. Data which should be rejected by the system is also
entered, if the client has given permission.

(c) Integrated test facility (ITF)

An ITF uses test data input as part of a normal run which is then applied to dummy records set up by the auditor on the
client’s master files.

A dummy entity is created through which data are processed. For example, a fictitious employee, department or customer
is established and the auditor will process transactions against the entity under normal live operating conditions.
Therefore, ITF data are entered with the live data of the client and are processed in the same way.

(d) Generalised audit software programs

They consist of a set of computer programs designed to perform audit functions that would normally be performed
manually. The programs are essentially data manipulation and output programs which are adaptable to various data
formats and computer systems.

The functions include:

(a) Extract data from files based on criteria specified by the auditor.
(b) Perform calculations.
(c) Compare data.
(d) Select and print audit samples.
(e) Summarise data for audit analysis.
(f) Print reports in a format specified by the auditor.

153 MANCOSA – Postgraduate Diploma in Risk Management

 Auditing for Risk

(e) Specialised audit software programs

These are computer programs designed to perform audit tasks in specific circumstances. These programs may be
developed by the auditor, by the entity or by an outside programmer engaged by the auditors.

(f) Utility programs and existing entity programs

These programs are used by the entity to perform common data processing functions such as sort, create and print
computer files.

These computer programs are not designed for audit purposes and therefore may not contain such features as
automatic record counts or control totals.
(g) Embedded audit facilities
This consists of a module of a computer program written by the auditor which is incorporated into the client’s computer
system either temporarily or permanently. This technique allows tests to be made at the time the data is being
processed.

It is real time auditing. It is useful where the audit trail is deficient so that historical audit work is difficult, or where
files are constantly being updated.

(h) Expert systems

They are computer programs that emulate the thought processes of human experts in solving problems or achieving
goals.

They consist of two basic components:

(a) the knowledge base, which contains information, facts and rules necessary for solving problems and deriving
solutions; and
(b) the inference engine, which is a computer program that contains the analytical structure for providing the wanted
advice to users.

10.5.4 The advantages of CAATs to the auditor

In a computer based system, the large volume of transactions is likely to force the auditor to rely on programmed
controls.
The use of CAATs enables auditors to test a much larger number of items quickly and accurately.
It enables auditors to test the accounting system and its records rather than relying on testing printouts of what they
believe to be a copy of those records.
Once set up, CAATs are likely to be a cost effective way of obtaining audit evidence provided that the enterprise
does not regularly change its systems.
Careful planning by auditors should enable the results of their work using CAATs to be compared with results from
the traditional clerical audit work to increase confidence.

MANCOSA – Postgraduate Diploma in Risk Management 154

Auditing for Risk

10.6. Summary
This Unit introduced the theory, terms and concepts in auditing. It forms the basis of what will be exapnded on in the
subsequent Units.

Activity
You may come across activities that ask you to carry out specific tasks. In most cases, there
are no right or wrong answers to these activities. The aim of the activities is to give you an
opportunity to apply what you have learned.

You are the senior in charge of the audit of Kiddies Fashion (Pty) Ltd, a wholesale distributor of children’s clothing.
Computer assisted techniques refer to making use of the computer to assist in the carrying out of the audit. Your firm is
planning to use CAAT’s for their 2019 audits as they realized that it would simply be inadequate to perform an audit without
using CAAT’s. At a meeting with Karen Govender, the manager of the company, you discussed the upcoming audit for the
financial year-end 31 May 2017 and whether she was anticipating any problems with the financial year-end and the
preparation of the annual financial statements. She responded by indicating that: “During the year an employee who had
been in charge of accounts receivable, resigned to join another company that is not in the same sector as Kiddies Fashion
(Pty) Ltd.

Shortly thereafter Kiddies Fashion (Pty) Ltd received a call from Kevin Brown, an enthusiastic young accounting graduate
seeking employment with the company. Kiddies Fashion (Pty) Ltd.’s Human Resource Department asked him (Kevin
Brown) to pop in for a brief chat in the office that afternoon. Considering the urgency to fill the accounts receivable position,
he assumed his duties in this position the following day. The company’s management style is rather casual and it seemed
as if he would fit in well with the company. Kevin Brown was very hard working and dedicated, he was always willing to
assist wherever possible. Within a few months of his appointment he had re-defined his duties and reorganized the
accounts receivable department to the extent that he controlled the receipting and banking of payments from debtors, the
issue and authorization of credit notes, as well as the follow up of slow payers and the write-off of bad debts. The company
appreciated his “hands-on” nature as he was assisting, from time to time with things like data capture and reconciliations.
As the company’s, financial data is processed on small local area networks within each department, he proved most helpful
in sorting out minor problems with the system. Kevin Brown also volunteered to assist the Information Technology (IT)
specialists with the upgrade of the accounting system.

Due to his commitment and enthusiasm, the company noted positive changes, the collection period for debtors had
improved and there were far fewer complaints coming from debtors. However, things weren’t what they appeared to be!
Kevin Brown was stealing from Kiddies Fashion (Pty) Ltd and was smart enough to cover his theft in various ways. The
management of the company was very disappointed and after deliberating on the issue, the company unfortunately had
no option but to dismiss him.

155 MANCOSA – Postgraduate Diploma in Risk Management

 Auditing for Risk

Kevin Brown was very upset about his dismissal and claimed that the company had no evidence to prove that he was
guilty. Shortly after his dismissal, an unfortunate incident occurred, an intruder entered the company’s offices, gained
access to the data files, and got up to all sorts of mischief. Upon investigation, it was determined that only information
relating to debtors was affected. Portions of the accounts receivables’ Masterfile had been deleted as well as a number of
transaction files. These are the only copies that are maintained by the company, as they do not actually backup documents.
In addition to that, a number of lever arch files containing hard copies of invoices, credit notes and debtors’ correspondence
had been removed. Further investigations are still on but the company is convinced that Kevin Brown is responsible for
this crime as had a key to the offices and was very upset about his dismissal, claiming that he was not responsible for any
of the allegations made against him by the company.
Source: Jackson and Stent, 2011. Significantly adapted.

You are required to:

a) Compare general and application controls in the context of a computerized audit environment. (2 marks)
b) Compare the following approaches which could be adopted by the external auditors in a computerised
environment:
1. Auditing through the computer. (2 marks)
2. Auditing with the computer. (2 marks)
c) Identify four security controls that must be put in place in order to protect data stored on computer devices.
(4 Marks)

10.7. Answers to Activity

a) Contrast: General controls and Application controls (2 marks)
GENERAL CONTROLS
• Controls that are effected to protect the entire system from risks.
• Not task-specific
• Should be in place before any processing takes place

APPLICATION CONTROLS
• Apply to the processing of specific computer application
• Task-specific controls (input, processing and output controls)
b) Auditing through the computer is concerned with testing the computer system by essentially passing
test data through the system.

This test data will contain “errors” which should be picked up by the program controls.
Auditing through the computer amounts to a test of controls.
• Auditing with the computer means harnessing the power of the computer to assist with the performance of the audit
e.g. interrogating client’s Masterfile’s using audit software and/or
• produce work papers, schedules, questionnaires etc.

MANCOSA – Postgraduate Diploma in Risk Management 156

Auditing for Risk

c) Security Controls
• Least privilege
• Fail safe
• Defence in depth
• Logging

Case Study

Case Studies will give you an opportunity to apply theory to practice.

Case study 10.1

Using the same case study as per activity above.

You are required to:

Critically evaluate the general controls of Kiddies Fashion (Pty) Ltd which have, or may have, contributed to the situation
in which the company finds itself, based on Karen Govender’s response to you.

NB: The answer should be presented under the general control headings. (16 marks)

157 MANCOSA – Postgraduate Diploma in Risk Management

 Auditing for Risk

Answers to Revision Questions

Case study 1.1

1. 1.1 With regard to whether the company must appoint an external auditor, you will first have to calculate your
company’s public interest score. Without going into too much detail this is the sum of points which are allocated to 4
“characteristics” of your company as follows:
* one point is allocated for the average number of employees (28 points)
* one point for every R1m (or portion thereof) of turnover (36 points)
* one point for every R1m (or portion thereof) of liability to 3rd parties (6 points)
* one point for every individual who has a direct or indirect interest in the shares of the company (5 points)

1.2 If your company’s public interest score is below 100 there is no requirement that your AFS be audited. Your PIS
will be around 70 points. However, with this PIS it will be necessary for your company to appoint a registered auditor (or
a person who qualifies to act as an Accounting Officer of a close corporation) to independently review your financial
statements.

1.3 It is also possible that the company’s Memorandum of Incorporation has a clause which requires that the company
appoint an external auditor but this would be a requirement created by the shareholders. If this clause exists, your
company would have to comply, but as you will own 75% of the shares you could remove this clause if you wanted to.

1.4 As regards an internal auditor, there is no requirement which makes it obligatory for a private company to appoint
one.

1.5 Appointing an internal auditor will not be a substitute for having an independent review and the internal auditor may
not carry out the independent review because he is not independent of the company.

2. 2.1 You are certainly entitled to appoint an auditor and if the company already has one, you may retain the
existing auditor, provided the existing auditor is available for re-appointment.

2.2 Whilst there is nothing in the Companies Act which prevents you from appointing me as your auditor, I would not
be in a position to accept such an appointment.

2.3 For any audit opinion to be worthwhile (reliable) it must be given by someone who is independent of the company
about which the opinion is being expressed.
2.4 As you and I are close friends, I would not be, or be seen to be independent, and would therefore be in breach of
the requirement explained in 2.3 as well as my profession’s Code of Professional Conduct.

MANCOSA – Postgraduate Diploma in Risk Management 158

Auditing for Risk

2.5 If you end up only having to be independently reviewed (not audited) you could appoint the existing auditor to
conduct the review, but for the same reason as above, I could not perform the review. Note, that the review engagement
is, like an audit, an assurance engagement.

3. 3.1 The shareholders would appoint the auditor by general resolution. As the other directors are not
shareholders they have no say in the appointment.
3.2 As you hold 75% of the shares, it will be your decision. The MOI (if this is relevant) may lay down some
additional requirements for appointment of the auditor.

4. Benefits: Overall having your financial statements audited adds to the credibility of your company in its business
dealings.

4.1 For the company

* It is essential that the other shareholders know how the company is performing and audited annual financial
statements are an important mechanism for reporting to them.
* Whoever prepares the company's statements may make errors (or even hide frauds) which the audit may detect.
Thus the auditor's opinion on the fair presentation of the annual financial statements gives management greater
assurance on the validity of the company's results.
* Having the accounting records audited acts as a deterrent to employees attempting to defraud the company.
* The company will also benefit inasmuch as lenders of money e.g. your bank, will be far more inclined to extend credit.
They will almost certainly require audited financial information from you when considering your financial needs.
* The company will benefit from the advice on such matters as systems and tax that the auditor can offer. This kind
of advice becomes a positive by-product of the audit.

4.2 For you

* Even though you are the majority shareholder and managing director it is still possible for your fellow directors or
employees to "pull the wool over your eyes", particularly as, being an engineer, you know little about financial matters.
* The audit will give some assurance that this is not happening as it provides you with an independent “view” of the state
of your company, and you will receive reports on weaknesses in your company’s controls from the auditor.
4.3 A review engagement which is like a “watered down” audit does not provide the same level of independent assurance
that an audit does. This will be explained in the review report given by the registered auditor carrying out the review
so users of your financial statements may not be as confident about them as they would have been with an audited
set of financial statements.

Case study 2.1

Matter : Andrew Waterhouse
1. Confidentiality
In terms of Section 40, a chartered accountant should not disclose or make use of confidential information acquired as a
result of a professional relationship for his or her own personal advantage or the advantage of third parties.

159 MANCOSA – Postgraduate Diploma in Risk Management

 Auditing for Risk

By gaining access to the competition winning number and giving it to his girlfriend so that they could win the
competition, Andrew Waterhouse has breached this fundamental principle. Note: In terms of Sec 40, the chartered
accountant to whom Andrew Waterhouse reports must take reasonable steps to ensure “those he is supervising” respect
confidentiality; very difficult in this case.

2. Integrity
In terms of Section 0, chartered accountants should be straightforward, honest, fair and truthful. Andrew Waterhouse
has breached these requirements.
He has set up a plan to win the money without raising suspicion about his involvement (getting his girlfriend to
purchase the ticket, buying four tickets, not using the tickets to the concert himself). This is devious and dishonest.
He has been through the drawers of a client employee and accessed the information in a file marked “confidential”.

3. Objectivity
In terms of Section 20, a chartered accountant should not compromise his or her objectivity.
Andrew Waterhouse has allowed a self-interest threat to cloud his judgment.

4. Professional behaviour
In terms of Section 50, a chartered accountant should avoid any action which discredits the profession.
It is almost inevitable that the truth will come out and the reputation of the profession will be negatively affected
particularly in the eyes of the client. (5 marks)
Matter 2: Gary Moloi
Gary Moloi has failed to comply with the fundamental principle of integrity. as he has been dishonest (or at least deceptive)
with regard to the commission arrangements with Stini Pillay.

he states (indignantly) that he receives no commission, but in fact he does, by virtue of the fact that he is a partner of
the firm and the firm receives commission. The Code Sec 290 - Independence warns that referral commissions may
pose a threat to the chartered accountants objectivity as the commission, and not the quality of the service or product,
may be the motivating factor (or be seen to be the motivating factor.) The recommended safeguard is that the chartered
accountant inform the client of the referral fee in writing and the details thereof and obtain acknowledgement thereof.
These disclosures should be in advance of the transaction taking place. Gary Moloi has not done this – he has denied
it in fact! This is also a breach of professional behaviour. Deviousness on the part of a chartered accountant brings
discredit to the profession. (5 marks)

Matter 3: Clear Images (Pty) Ltd.

There are several breaches of the Code
1. Second opinion – Sec 230
A second opinion on work carried out by another chartered accountant can be given but Paul McKay clearly did not
consider the threats to his compliance with the fundamental principles or consider any appropriate safeguards.

MANCOSA – Postgraduate Diploma in Risk Management 160

Auditing for Risk

For example, he should have ensured that he would be giving an opinion under the same conditions as the auditors
opinion, i.e. same access, same documents; failing to do this was a threat to his professional competence and due care.

He should have:
obtained a written explanation from Clear Images (Pty) Ltd as to why the second opinion is needed.
Obtained Clear Images (Pty) Ltd.’s permission to contact its auditors and discuss the opinion, the circumstances under
which it was given etc.
Included a second member of PFY Inc. in the engagement to review the opinion (quality control).
In failing to do any of the above (he simply held a discussion with the financial director), Paul McKay has breached the
fundamental principles of professional competence and due care, objectivity and integrity.

2. Independence – Sec 290

The underlying cause of Paul McKay’s action appears to be that he wants to win Clear Images (Pty) Ltd.’s audit. He
has allowed this to override his objectivity (independence) by giving an opinion “acceptable to the financial director”
without doing the necessary work.

3. Fees – Sec 240

Again motivated by winning over the audit Paul McKay has breached the Code which requires that a fee be negotiated
which reflects the value of the work done.

Responsibility to colleagues – Sec 260

Members of the profession should be loyal to their colleagues and promote good relations.
Paul McKay, in not even alerting Clear Images (Pty) Ltd.’s auditors to the fact that he was giving a second opinion,
failed to protect his fellow chartered accountant to the threat that Clear Images (Pty) Ltd may have been intent on
discrediting their auditors opinion by using Paul McKay’s opinion.
He is also trying to take Clear Images (Pty) Ltd away from them (as an audit client) by underhand means.

Marketing professional services – Sec 250

Whilst it is acceptable for a chartered accountant to solicit new work, it must be done in manner which does not threaten
the principle of professional behaviour by bringing discredit to the profession. Paul McKay’s solicitation is underhand and
devious. .

Professional behaviour – Sec 50

The financial director of Clear Images (Pty) Ltd is no doubt fully aware that he is “using Paul McKay to his advantage”,
and is likely to have a poor opinion of Paul McKay’s professionalism whatever his own motives are. Paul McKay’s
actions are a discredit to the profession and a breach of his compliance with the fundamental principle of professional
behaviour.

161 MANCOSA – Postgraduate Diploma in Risk Management

 Auditing for Risk

Matter 4: Phahla & Brown

1. The overriding requirements for advertising by a professional firm are that the advertising reflects a due sense of
responsibility to the profession and to the public.
2. is in good taste; and
Must not reflect adversely on the good reputation of the profession and conforms to the accepted norms of legality,
decency, honesty and truthfulness.

In terms of Section 250 of the Code – Marketing Professional Services, advertising which does not comply with to .3
above could present a threat to the fundamental principle of professional behaviour and integrity.
2. The st slogan may breach the “good taste” requirement
It is extravagant and claims superiority over other audit firms.
Does not convey a professional image.

3. Because slogan compares the firm’s services offered by others it is clearly not in good taste and would be a breach of
the code.

4. Slogan 2 – claims association with SARS.

Case study 3.1

1.
Board of Directors
The chairman of the board Mr. Williams is the CEO CEO = Chair

.2. The chairman of the board is not an Chair not independent

independent non-executive director
.3. Mr Wiseman should not be allowed to be a director Secretary cannot be a
director
.4. Dr Bradley Hilda cannot be the lead as he is not LID is not independent
independent

He is related to the CEO and HR Directors.

The Chairperson in not an independent non- LID must be appointed if

executive director and there is no LID Chairperson is not a INED

.5. None of the directors have knowledge about the Lack of knowledge in breach of
applicable legislation KING IV

The company secretary is not knowledgeable about Secretary must guide the
the legislation and does not advice the directors on board on legal matters
legal matters
The board is not setting the tone with regard to Board must set the tone.
compliance governance.

MANCOSA – Postgraduate Diploma in Risk Management 162

Auditing for Risk

.6. It’s clear that the board does not have the required Board must as a collective have the
skills – CFO studding agriculture and there are no required qualifications
CA(SA) on the board. Very little finance skills.

The majority of the board is not non – Majority of the board must be
executives. non-executives with the majority
of the non- executives being
Mr. James Biscuits is not independent, related to CEO
independent.
and Dr Hilda. Thus there are no independent directors

The board is entirely white and male.

The board must be diverse and
The board is dominated by one family have race and gender
representation.
.7. Mr Wood is registered for a PhD and Mr James Biscuits is The directors cannot hold too
going to University, and on another board, these directors many other directorships and have
have conflicts of interests with regard to time. capacity for the discharge of
responsibilities
Also Mr Franks is writing numerous books that are
unrelated to BNL
.8. Board is risking the lives of customers with untested The board must set the tone as a
products good corporate citizen

Case study 4.1

1. Background

1.1 Firewalls: Attempt to override/pass the firewalls for both the SmartCount system, and the

WAN server connection. This can be done by IT audit experts, test data or reprocessing (how).

1.2 Access: Enquire from management and staff what controls are in place to prevent

unauthorised access to the E-buy server and SmartCount system.

Attempt to access the E-buy server and the SmartCount System by means of test data/reprocessing

1.3 Data protection policy: Read and discuss with management/staff to determine adequacy

thereof (This is to ensure that people cannot access the system to initiate an invalid sale.)

1.4 Inspect the user access profiles/tables to ensure that only authorised users have access on a least privilege basis
to the server and systems.

1.5 Password control: Inspect, a copy of the password policy of E-buy to ensure it is in place

163 MANCOSA – Postgraduate Diploma in Risk Management

 Auditing for Risk

By making use of test data/reprocessing test that the password criteria are being met in accordance with the password
policy,

Use of upper case, lower case, numeric and alpha digits, not too long, short, etc; (control over passwords);
Passwords are changed after a certain period of time.
Create low level security password as see if system rejects it
2.1 By making use of test data/reprocessing, attempt to create a customer profile without
completing all the required fields and confirm that it does not succeed/pass.
2.2 By making use of test data/reprocessing attempt to create a customer profile without accepting the terms and
conditions and confirms that it does not succeed/pass. (alternatively use

CAATS ensure no profiles exist where the customer did not accept T&C)

2.3 Create a fictitious profile to verify whether confirmation is received by customer.

3. Shopping, checkout and payment

3.1 Attempt to finalise a sale transaction by leaving the mandatory address field blank and
confirm that it does not succeed/pass.
3.2 Attempt to finalise a sale transaction by not providing credit card details and confirm that it
does not succeed/pass.
3.3 Attempt to complete the payment details field by using an invalid/expired credit card and

confirm that it does not succeed/pass.

3.4 Using CAATs/reprocessing inspect the sales invoice and dispatch note ledgers/files to ensure
transaction is not processed.
3.5 For approved credit card purchase, using CAATS/inspection agree the payments to the invoice that is
emailed and dispatch note sent to the warehouse manager.

3.6 Select invoices from the sales ledger and follow through to (the direction to test occurrence):

Invoice;
Credit card payment;
Despatch note;
Valid customer profile (registration document/number)
3.7 Verify that a sale that is not matched to a despatch note is reflected on the exception
report.
3.8 Enquire from Stephan of the effective operation on the control for listing and follow up on
unmatched invoices on the exception report.

MANCOSA – Postgraduate Diploma in Risk Management 164

Auditing for Risk

3.9 Inspect the exception report for the electronic signature of Stephan as approval of the report

3.10 Enquire from Stephan who approves the report when he is on leave/absent

3.11 Review the transaction/exception report log for approvals not done by Stephan.

3.11 Attempt to gain access to the approval function without Stephan’s password

3.12 Enquire from the accounting department what the process is when Stephan sends them

exception reports to investigate and correct

3.13 Inspect a sample of exception reports where a customer invoice was issued without an corresponding dispatch note
and verify that an appropriate staff member followed up the

discrepancy and noted the reasons for it.

Case study 5.1

The Client: Management’s Integrity

Eyadini Limited’s management seems to have good integrity:
1. Management promotes a strong internal control environment.
Management strives to comply fully with King IV.
Management communicates ethical codes to all levels of employees.
The Client: Ability to pay the audit fee
2. The entity is very profitable (35% market share & not many competitors) and therefore Eyadini Limited
would most likely be able to pay the audit fee.
The Auditor: Resources
Max Audits Incorporated was only approached during January, and can therefore not perform an interim
audit should it have been necessary.
The time available and number of staff members of Max Audits Incorporated may be restricted during
the time of Eyadini Limited’s year-end due to most of Max Audits Incorporated’s clients having a year-
end of between December and February.
However, Eyadini Limited only needs its financial statements by the end of July (6 months after year
3 end), and therefore Max Audits Incorporated should be able to perform the audit after its “busy period”.
Max Audits Incorporated seems to have sufficient knowledge, skills and experience for Eyadini Limited’s
industry (manufacturing entity) as the firm services a wide portfolio, including manufacturing entities.
Max Audits Incorporated has offices in the cities where Eyadini Limited have its head office and its
manufacturing plant which is conducive to an effective audit.
Therefore, it seems as though Max Audits Incorporated have sufficient resources, expertise and
knowledge to perform the audit.

165 MANCOSA – Postgraduate Diploma in Risk Management

 Auditing for Risk

The Auditor: Previous Auditor

The previous auditor is willing to communicate with Max Audits Incorporated.
4.
The reason for the previous auditor’s resignation gives no indication of concern: They resigned due to
a staff shortage and not as a result of a client-imposed restriction.
The Auditor: Independence
Mr Bongz and Zakes Bantwini are nephews, creating a familiarity threat to independence for Max Audits
Incorporated.

Also, performing secretarial and taxation services to Eyadini Limited will result in a self-review threat to
independence.
5.
Max Audits Incorporated may still accept the engagement, as long as:
o Zakes Bantwini is not on the engagement team.

o The secretarial and taxation services are either not accepted, or performed by another
department within Max Audits Incorporated. (Note: “secretarial services” in this context does
not involve acting as Company Secretary, which will not be allowed).
Terms of Engagement
6. Due to management’s integrity and attitude, it is deduced that Eyadini Limited will be willing to agree to the
terms of the engagement.
Conclusion:
7. Max Audits Incorporated can accept the audit engagement of Eyadini Limited, as long as the threats to
independence are addressed as suggested in point 5 (above).

Case study 6.1

1. Contractual agreements are entered before placing an order.

2. Pre-numbered duplicate manual sales order is created/placed.

3. Sales order is authorised after reviewing the contractual agreement.

Sales order is kept by Mrs Bray as she is both sales and finance, and a copy is sent to Ms Britton who is
4
operations.

5. The roster for cleaning staff is planned according to the authorised sales order.

6. Ms Britton visits locations on a regular basis for monitoring purposes.

7. Time sheets are created by cleaning staff at the end of each month.

8. Time sheets are reviewed and authorised by Ms Britton.

9. Pre-numbered service delivery form is completed by Ms Britton from time sheets.

10. Service delivery form is authorised as evidence of review by Mrs Radcliff.

MANCOSA – Postgraduate Diploma in Risk Management 166

Auditing for Risk

Case study 7.1

(a)
Internal Control Weakness mitigated
Determining the approved suppliers list The ordering staff members from making orders that
are not arm’s length or with a related party.
1. 1
The purchase of poor quality good or poor service.
Missing volume discounts.
Eliminates instability in the costing and budgeting
2. Determining an approved price (list) with RC 1
process.
The facility manager signs the requisition form as Independent review eliminates erroneous orders
3. a proof of authorisation, after he confirms the 1 being placed. There is a confirmation of the stock
quantities that are requested. needed before it is ordered.
Prevents human error and incorrect orders being
The purchasing clerk casts and checks the
4. 1 placed. Checks numerical accuracy. This is a
extensions on the requisition form.
recalculation or re-performance.
The order is placed according the requisition form. When the requisition is used to initiate the order then
this means that the head office does not order items
5 1
that are not actually required. There is truly a need to
for a given item in the company.
The purchasing clerk will then fill out a Purchase
This helps to assign responsibility to the preparer.
order stating the quantity of Upende ordered and
6 1 The order exists so that the steps in the process that
price as the price list obtained from RC. He then
follow have the order as an audit trail
signs the purchase order.
The purchase order is pre-printed, sequentially This minimum entry ensures that there is less chance
pre-numbered of human error.
7 1 This document design also assesses with making the
transaction easier to audit. As there is a trail that is
easy to follow.
The purchase order is signed and authorised by This ensures that only authorised and valid orders are
8 the purchase manager before the copies are sent 1 approved (though the order is already sent to the
to RC and the receiving department. creditor)
Due to the toxic nature of Upende it is shipped is
special shock resistant containers. These This prevent loss or damage of the goods during
9 1
container are then stored under the deck of the shipping.
ship.

167 MANCOSA – Postgraduate Diploma in Risk Management

 Auditing for Risk

The delivery note is attached to the goods. If the goods were ever lost of misplaced someone
would easily identify this by looking at the delivery
10 1
note.
This also prevents delivery to an incorrect location

Case study 8.1

(b)
Weakness Recommendations
1. The recording is done based on the GRN it Delivery note indicates the dates that the risk and
should be done based on the delivery note too rewards have transferred.

The delivery not would have the actual amounts that

were accepted into VJ therefore there is like
1 opportunity for the receiving clerk to take some of the
goods delivered and not record it on the GRN

The delivery note is the document that would detail the

contract (purchase) between your company and the
creditor.
No damage inspection is performed on the The staff receiving the goods should perform damage
2. 1
goods when they are received inspections on the stock
The goods received note is prepared without
Goods should be counted and compared to the
3. any counting or comparison to the physical 1
Delivery Note before the GRN is prepared.
goods
With foreign imports there needs to be strong VJ should have processes and procedures around the
4. 1
controls over foreign tax being paid. payment and recording taxes
The staff member who prepared the requisition
1
in the same staff member that receive the stock A separate staff member should receive the stock and
5 Lack of segregation of duty in this regard giving compare the stock received to the GRN to ensure it is
the opportunity for manipulation of the order and correct.
1
stock
The shortage of Upende is only assessed by VJ needs to have processes and procedures to identify
6 1
the branch manager the stock required or Upende.
The order is placed with the creditor before the
Orders should only be made after completion and
7 order form is completed and before the order is 1
authorisation of the order form.
authorised

MANCOSA – Postgraduate Diploma in Risk Management 168

Auditing for Risk

This is determining liability should anything go wrong

8 Shipping terms need to be agreed on with RC 1
with the shipment.
The controls that were in place for the shipment from
There are no controls around the shipment of
9 1 the US to SA need to be implemented for the
goods from the head office to the brunch
shipments to the branch.

Weaknesses Recommendations
1 No formal production planning takes place 2 A formal production schedule needs to be prepared
(1). The decision on what to manufacture is based on sales and current inventory levels.
made by the sales director based on items
which sold well the previous week. The
current inventory levels are not taken into
account (1).
2 Raw materials can be taken from the 1 Raw materials should only be allowed to leave the
warehouse with verbal authorisation from warehouse when a pre-numbered raw material requisition
the production foreman. has been made out by the production department in
twofold. One copy should stay behind in the production
department and one copy should be sent to the raw
materials warehouse.

The requisition must be pre-numbered and include the

quantity and description of the necessary items. The
production foreman must authorise the requisition.

The warehouse must then make out a pre-numbered

delivery note in twofold with the quantity and description
of the inventory as well as the issue date on the issue
note. The head storeman must approve the issue note.
One copy should stay behind in the warehouse and one
copy should accompany the inventory.

A security guard at the door of the warehouse must

check the physical inventory with the raw-material
requisition and delivery note.
3 No perpetual inventory records are kept 2 Perpetual inventory records should be instituted under
(1). The monthly inventory count does not control of a responsible official other than the storemen.
compensate for the lack of perpetual
The system should include all items including quantities
inventory records (1).
and values.

169 MANCOSA – Postgraduate Diploma in Risk Management

 Auditing for Risk

The totals in the perpetual inventory records should be

agreed with the General Ledger on a regular basis.

The perpetual inventory records should be agreed with

the physical inventory at the end of an inventory count.

Differences between the physical inventory and the

perpetual inventory records should be followed up and
then the perpetual inventory records should be adjusted if
they are incorrect.
4 Inventory is ordered based on re-order 1 Purchase requisitions should be based on the production
levels. Production levels can vary during schedule and quantities on hand as indicated on the
the year and the quantity ordered can thus perpetual inventory records.
be too few or too much for the current
production need.

MANCOSA – Postgraduate Diploma in Risk Management 170

Auditing for Risk

Case study 9.1

Weakness Recommendations

1. The facility manager has incompatible duties New workers should be employed by the production
(segregation of duties): manager after consultation with the facility manager.

a) employs new workers There needs to be strong stationary controls over the
blank clock cards
b) control blank clock cards.
The clock cards need to be prepared by the wage click
c) pay wages out on his/her own.
for each of the current employees. Each clerk should
1 have their name and employee numbers recorded on
the clock cards before it is given to the facility manager.

Wages should be paid out by a separate disbursement

clerk or one of the current wage clerks in the presence
and assistance of the facility manager.

There should be a separately employed wage clerk at

each facility.

Wage clerk should observe workers clocking in and out

Clocking in and out needs to be controlled at the
2. 1 to control that only one clock card is “clocked” by each
entrance
employee

The week’s clock cards are posted to any The facility manager should hand the weeks clock cards
3. 1
unspecified wage clerk to a specific wage clerk

Each wage clerk should only be responsible for certain

specific tasks in the wage system.

No clerk should perform all the tasks in the wages

Each wage clerk is solely responsible for all system from beginning to end.

4. sections of the wage process. This constitutes 1 The following tasks should be performed by different
undesirable segregation of duties. wage clerks:

1. The maintenance of a permanent record for each

working employee (example production manager’s
secretary)

171 MANCOSA – Postgraduate Diploma in Risk Management

 Auditing for Risk

A. All entries in the permanent record should be initialled

by a responsible official of the company.

B. Wage expenses should be reconciled periodically to

predetermined totals. Fluctuations in the wages
expenses should be confirmed and authorised before
payment. (wage manager)

C. Changes in the personnel records must be

authorised by a senior official.

2. The preparation of clock cards and observation of

workers clocking in and out (Wage Clerk one).

3. The calculation of total hours worked recording of

totals in the relevant clock cards and entering this into
the computer (Wage clerk two). Wage clerk four should
check the calculations and compare input to output.

4. Filling of pay envelopes and pay-out to employees

(wage clerk three)

5. Wage clerk two should review filling packets

6. Posting to the general ledger and overall control

should be performed by wage clerk four.

5 The calculation of the total number of hours

An independent wage clerk from the one that is
worked on an individual clock card is not verified
1 performing the calculation should check the calculation
by an independent person for accuracy and
and sign the clock card as proof of review.
validity

Overtime hour should be approved by the relevant

6 Overtime hours are not authorised. 1
foreman by initialling the clock cards

7 The hours worked are entered into the computer An employee other then the on that has entered the
although it is not compared to the computer hours worked into the computer should compare the
output 1 input hours from the supporting documentations to the
wage report. They should be signing as a proof of
review.

MANCOSA – Postgraduate Diploma in Risk Management 172

Auditing for Risk

8 The amount of net wages per the wages report A responsible official should review the weekly wage
is not approved by a responsible official 1 reports for reasonableness and sign it as evidence
thereof

9 The wage clerk verbally informs the accountant The accountant should only prepare and sign a wages
of the amount that is needed for the week’s cash after he has reviewed the approved wages report
wages pay-outs 1
He should sign the wages report as evidence of this
review

10 The wage cash amount is disbursed and handled There should be two people that are involved in
1
by one person. authorising the disbursement of cash amounts

11 Implement strong stationary and custody controls

Poor cash controls 1
around the handling and disbursement of cash.

12 The employees do not acknowledge the receipt Employees should sign a payroll register to confirm that
1
of pay envelopes they have received the amounts paid.

13 Unclaimed wages are not clearly marked as such The facility manager should reconcile the signatures to
to that the accountant can record that they were 1 the unclaimed wages on hand and send a copy of the
unclaimed unclaimed wages to accounting

14 All the unclaimed wages should be sent back to the

The facility manager retains the unclaimed wages 1 wages clerk for safe keeping until the worker comes to
collect.

15 The wages or payroll report is not signed off by The payroll report should be designed in such a way that
the disbursement clerk and the facility manager it requires these two signatures.
at the end of the pay-out
The wage clerk should not accept the payroll report if it
is not signed by the two people responsible. Or at least
it should be reported

1 At the end of each pay-out the disbursement clerk and

the facility manager should count all the unclaimed
wages and agree to the payroll report. Then they should
sign for :

1. The wages that are marked paid have in fact been

distributed.

173 MANCOSA – Postgraduate Diploma in Risk Management

 Auditing for Risk

2. the wages that are unclaimed about in the hands of

the distribution clerk or wage clerk

16 The weeks total wages is not reconciled to the A senior manager should reconcile the wage payable to
predetermined total for the week. the predetermined amount.

There should be an adjustment for increases,

1
absenteeism, new appointment and terminations

This official should place the pay-out on hold until the

discrepancies are resolved

17 Any changes to the permanent records of Production manager should print out all amendments as
employees are not authorised and reviewed by well a complete employee listing all amends should be
the production manager reviewed for invalid ones also they should be reviewed
1 as a whole for accuracy.

The production manager should sign the print outs as

proof of review

18 There seems to be not preventive controls for Logical and access controls on the employee database
invalid amendments to the employee database. 1 in to be installed. Only the production manager should
be allowed to make changes.

19 Senior management does not inspect the pay 1 Management should inspect the pay envelopes as well
envelopes as the pay out procedure on a sample or random
basis.
Management does not attend the pay outs
1

20 Workers don’t identify themselves when they are Workers need to produce their ID or employee card
1
receiving the pay before the money is handed to them

21 There seems to be poor controls over unclaimed There should be an unclaimed wages register
wages 1
And the money must be kept in a safe

Case study 10.1

General control weaknesses
The following weaknesses have, or may have contributed to the problem:
1. Personnel Practices
• The controls implemented by Kiddies Fashion (Pty) Ltd to employ only "honest, competent and trustworthy staff" are
inadequate.

• Kevin Brown was employed on the day he approached the company on the strength of a phone call, a brief visit to the
office, and because he would "fit in" with a casual management style.

MANCOSA – Postgraduate Diploma in Risk Management 174

Auditing for Risk

• Had proper recruitment policies been in place, such as a formal interview, the submission of a CV and a follow up on his
employment history this includes background and criminal checks, his lack of honesty MAY have been revealed.

2. Control Environment - management style

• A "casual management style" does not promote a strong control environment. Had management been more "control
aware", they would not have allowed the weaknesses discussed, to have occurred.

3. Control Environment - segregation of duties

• An important part of establishing a good control environment, is the implementation of sound segregation of duties.

• Management’s lack of control awareness enabled Kevin Brown to break down segregation of duties within his
department, to the extent that he had virtually total control over critical aspects of the receipts cycle.

• His control over banking, credit notes and bad debts, contributed directly to his ability to steal from the company and to
conceal the theft by manipulation of the records.
References

Albuquerue, R., & Wang, N. (2008). Agency conflicts, investment, and asset pricing. The Journal of Finance, 63(1), 1-40.
Garay, U., & González, M. (2008). Corporate governance and firm value: The case of Venezuela. Corporate
Governance: An International Review, 16(3), 194-209.
Griffiths, P. (2016). Risk-based auditing: Routledge.
Jackson, R. D. C., & Stent, W. J. (2016). Auditing notes for South African students: Audit Education.
Marx, B. (2008). An analysis of the development, status and functioning of audit committees at large listed companies in
South Africa. University of Johannesburg.
Von Wielligh, P., & Prinsloo, F. (2014). Auditing fundamentals in a South African context. Cape Town: Oxford University
Press Southern Africa (Pty) Ltd.

175 MANCOSA – Postgraduate Diploma in Risk Management

 Auditing for Risk

MANCOSA – Postgraduate Diploma in Risk Management 176