Understanding Audit: Nature, Scope, Objectives
Uploaded by
technicalprash666Understanding Audit: Nature, Scope, Objectives
Uploaded by
technicalprash666CHAPTER 1
NATURE, OBJECTIVE
AND SCOPE OF AUDIT
LEARNING OUTCOMES
After studying this chapter, you would be able to understand-
♦ Meaning, nature and scope of audit
♦ Objectives of audit
♦ Inherent Limitations of audit
♦ Benefits of audit
♦ Meaning of assurance engagements
♦ Difference between reasonable assurance engagement and
limited assurance engagement
♦ Meaning and basic purpose of engagement and quality control
standards
♦ Practicality of above concepts by studying through examples
and case studies
© The Institute of Chartered Accountants of India
1.2 AUDITING AND ETHICS
CHAPTER OVERVIEW
Meaning
Objective &
SA 200
Scope
AUDIT
Audit with
reference to Need &
Standards Benefits
on Auditing
Inherent Qualities of
Limitations Auditor
Sameer, a young CA aspirant, takes interest in events happening around him.
Business and financial dealings of corporate world interest him very much. He
regularly reads a newspaper publishing mainly business and economic news. He
also keeps track of particularly such news on social media handles.
During last one year or so, he has seen audited financial results of many companies
listed on stock exchanges being published in newspaper. He also visited web sites
of some companies to go through their annual reports. The annual reports also,
inter alia, contained audit reports signed by Chartered Accountants as auditors of
companies.
© The Institute of Chartered Accountants of India
NATURE, OBJECTIVE AND SCOPE OF AUDIT 1.3
He was also eagerly tracking financial results of an IT company. The annual audited
results of the company were declared on one Friday evening. However, shares of
company took a beating on Monday as soon as markets opened. Curiosity led him
to find reason for such an adverse market reaction. He got to know that audited
profits of company were below market expectations and auditors had remarked
adversely on some matters which was not taken kindly by markets.
One of his uncles was expanding business and needed funds to meet business
expansion requirements. Anticipating urgent financial needs, he approached a
bank. Credit officer of bank requested for audited financial statements of past years
of business to consider his loan application.
He was also thinking that companies must be paying taxes on profits shown in their
audited financial statements. A few months back, he was reading a news report
pointing out substantial increase in direct tax collections of government as
highlighted in Union Budget.
Higher taxes paid by companies on basis of audited results may have been a
significant contributing factor of such increase in direct tax collections, he thought
in his mind. He was wondering upon enormous responsibility of auditors in this
regard. He kept on pondering over significant role of auditors in economy and
nation building.
1. INTRODUCTION
What do such real-life situations highlight? Such instances underline importance of
auditing in today’s complex business environment. Be it investors desirous of
investing their money in companies, shareholders anxious to know financial
position of companies they have invested in, banks or financial institutions willing
to lend funds to credit-worthy organizations, governments desirous of collecting
taxes from trade and industry in accordance with applicable laws, trade unions
negotiating with corporate managements for better wages or insurance companies
wanting to settle property claims caused by fire or other disasters- range of diverse
users in equally diverse fields rely upon audited financial statements.
Can you figure out reason behind such reliance? It is due to the fact that audited
financial statements provide confidence to users of financial statements; audited
financial statements provide assurance to users who may take their decisions on
© The Institute of Chartered Accountants of India
1.4 AUDITING AND ETHICS
the basis of such audited financial statements. Herein lies the importance of
auditing. You can very well understand how significant is role of auditing profession
and auditors in modern world involving multitude of economic activities being
carried out in equally dynamic legal and regulatory environments.
Here, comes a vital question. What do we mean by auditing? What is its nature and
scope? What it includes and What it does not? What are its limitations? We shall
try to find out answers to these questions in succeeding paras.
2. ORIGIN OF AUDITING
Before we get to understand meaning and nature of auditing, let’s travel back in
time to know about origin of auditing. Auditing has existed even in ancient times
in many societies of world including India. The reference to auditing is found in
Kautilya’s Arthshastra even in 4th century BC. It talks about fixed accounting year, a
process for closure of accounts and audit for the same. Concepts of periodical
checking and verification existed even in those times. Even there are references in
his monumental work to misstatements in financial statements due to abuse of
power. Wasn’t he far ahead of his times?
The word “audit” originates from Latin word “audire” meaning “to hear”. In medieval
times, auditors used to hear the accounts read out to them to check that employees
were not careless and negligent. Industrial revolution in Europe led to astronomical
expansion in volume of trade and consequently demand of auditors.
Coming to more recent history, the first Auditor General of India was appointed in
British India in 1860 having both accounting and auditing functions. Later on, office
of Auditor General was given statutory recognition. Presently, Comptroller and
Auditor General of India is an independent constitutional authority responsible for
auditing government receipts and expenditures.
The Institute of Chartered Accountants of India was established as a statutory body
under an Act of Parliament in 1949 for regulating the profession of Chartered
Accountancy in the country.
© The Institute of Chartered Accountants of India
NATURE, OBJECTIVE AND SCOPE OF AUDIT 1.5
3. MEANING AND NATURE OF AUDITING
“An audit is an independent examination of financial information of any entity,
whether profit oriented or not, and irrespective of its size or legal form, when such an
examination is conducted with a view to expressing an opinion thereon”.
An incisive analysis of above meaning of auditing brings out following points clearly: -
♦ Audit is an independent examination of financial information.
Independence, here, implies that the judgement of a person is not subordinate
to the wishes or direction of another person who might have engaged him.
The auditor should be independent of entity whose financial statements are
subject to audit so that he can form an opinion without being affected by any
influence. Independence increases auditor’s ability to act objectively without
creeping in of any biases.
Consider, for example, a person who requests his brother, a Chartered
Accountant, to audit accounts of his proprietary concern and issue a report.
Can CA audit accounts of concern in which his brother is sole proprietor? No,
he cannot. It is due to the fact that there would be no independence in such
a case due to relationship by birth between CA and his brother. He would be
subject to influence from his brother.
Take another case where a CA has invested in shares of a company. Can he
audit accounts of such a company in which he holds shares? The answer is
resounding NO. It is due to the fact that by holding shares of the company,
his own self-interest gets involved. His own money is invested in the company
and he may not be able to form judgment independently on the financial
statements of the company.
♦ The entity whose financial information is examined need not necessarily be
profit oriented like in case of a business. It can be a non-profit organization
like an NGO or a charitable trust. Audit can be undertaken in respect of any
organization be it a small, medium or large. Further, it can be conducted for
any entity irrespective of its legal structure i.e. such an entity may be a
proprietary concern, a partnership firm, a LLP, a private company, a public
company, a society or a trust.
♦ The purpose of audit is to express an opinion on the financial statements.
© The Institute of Chartered Accountants of India
1.6 AUDITING AND ETHICS
Understand that preparation and presentation of financial statements of an
entity is responsibility of management of entity. The auditor expresses an
opinion on financial statements by means of written audit report.
In doing so, he has to see that financial statements would not mislead
anybody by ensuring that: -
o the accounts have been drawn up with reference to entries in the books
of account;
o the entries in the books of account are adequately supported by
sufficient and appropriate evidence;
o none of the entries in the books of account has been omitted in the
process of compilation;
o the information conveyed by the statements is clear and unambiguous;
o the financial statement amounts are properly classified, described and
disclosed in conformity with accounting standards; and
o the statement of accounts presents a true and fair picture of the
operational results and of the assets and liabilities.
Auditing provides assurance. Its basic nature lies in providing assurance to users -
providing confidence to users of financial statements. Such an assurance lends
credibility to financial statements. Audited financial statements provide confidence to
users that financial information reflected in financial statements can be relied upon.
4. INTERDISCIPLINARY NATURE OF AUDITING-
RELATIONSHIP WITH DIVERSE SUBJECTS
Auditing is interdisciplinary in nature. It draws from diverse subjects including
accountancy, law, behavioural science, statistics, economics and financial
management and makes use of these subjects. Since audit of financial statements
is concerned with financial information, a sound knowledge of accounting
principles is a fundamental requirement for an auditor of financial statements to
conduct audit and express an opinion. Similarly, good knowledge of business laws
and various taxation laws helps auditor to understand financial statements in a
better way in accordance with applicable laws.
© The Institute of Chartered Accountants of India
NATURE, OBJECTIVE AND SCOPE OF AUDIT 1.7
During course of audit, auditor has to interact with lot of persons for seeking
information and making inquiries. This can be done only if one has knowledge of
human behaviour. Auditors use statistical methods to draw samples in a scientific
manner. It is not possible for an auditor to check each and every transaction. So,
use of statistical methods to draw samples for conducting audit is made.
Knowledge of subject like economics helps auditor to be familiar with overall
economic environment in which specific business is operating. Financial
management deals with issues such as funds flow, working capital management,
ratio analysis etc. and an auditor is expected to be knowledgeable about these for
applying some of audit procedures and carrying out audit effectively. Besides,
knowledge of financial markets comprised in study of financial management is
expected from a professional auditor.
Accounting
Production Law
Financial
Management Auditing Economics
Data Behavioural
Processing Science
Statistics &
Mathematics
Auditing and Accounting: Auditing reviews the financial statements which are
nothing but a result of the overall accounting process.
Auditing and Law: An auditor should have a good knowledge of business laws
affecting the entity.
Auditing and Economics: Auditor is expected to be familiar with the overall
economic environment of the client.
© The Institute of Chartered Accountants of India
1.8 AUDITING AND ETHICS
Auditing and Behavioural Science: Knowledge of human behaviour is essential
for an auditor to effectively discharge his duties.
Auditing and Statistics & Mathematics: Auditor is also expected to have the
knowledge of statistical sampling for meaningful conclusions and mathematics for
verification of inventories.
Auditing and Data Processing: EDP auditing in itself is developing as a discipline
in itself.
Auditing and Financial Management : Auditor is expected to have knowledge
about various financial techniques such as working capital management, funds
flow, ratio analysis, capital budgeting etc.
Auditing and Production: Good auditor is one who understands the client and his
business functions such as production, cost system, marketing etc.
5. OBJECTIVES OF AUDIT
In conducting audit of financial statements, objectives of auditor in accordance with
SA-200 “Overall Objectives of the Independent auditor and the conduct of an audit
in accordance with Standards on Auditing” are: -
(a) To obtain reasonable assurance about whether the financial statements as a
whole are free from material misstatement, whether due to fraud or error,
thereby enabling the auditor to express an opinion on whether the financial
statements are prepared, in all material respects, in accordance with an
applicable financial reporting framework; and
(b) To report on the financial statements, and communicate as required by the
SAs, in accordance with the auditor’s findings.
An analysis of above brings out following points clearly: -
(1) Auditor’s objective is to obtain a reasonable assurance whether financial
statements as a whole are free from material misstatement whether due to
fraud or error.
© The Institute of Chartered Accountants of India
NATURE, OBJECTIVE AND SCOPE OF AUDIT 1.9
Reasonable assurance is to be distinguished from absolute assurance. Absolute
assurance is a complete assurance or a guarantee that financial statements
are free from material misstatements. However, reasonable assurance is not
a complete guarantee. Although it is a high-level of assurance but it is not
complete assurance.
Audit of financial statements is carried out by the auditor with professional
competence and skills in accordance with Standards on Auditing. Audit
procedures are applied in accordance with SAs, audit evidence is obtained
and evaluated. On basis of that, conclusions are drawn and opinion is formed.
It leads to high level of assurance which is called as reasonable assurance but
it is not absolute assurance.
(2) Misstatements in financial statements can occur due to fraud or error or both.
The auditor seeks to obtain reasonable assurance whether financial
statements as a whole are free from material misstatements caused by fraud
or error. He has to see effect of misstatements on financial statements as a
whole, in totality.
(3) Obtaining reasonable assurance that financial statements as a whole are free
from material misstatements enables the auditor to express an opinion on
whether the financial statements are prepared, in all material respects, in
accordance with an applicable financial reporting framework.
(4) The opinion is reported and communicated in accordance with audit findings
through a written report as required by Standards on Auditing. (You would be
studying about these in subsequent parts of this Chapter).
An Overview of Objectives of Audit
Checkbox Objectives of audit
Obtaining a reasonable assurance that financial statements as a whole
are free from material misstatement due to fraud or error
Gaining a reasonable assurance leads to formation of opinion whether
financial statements are prepared, in all material respects, in accordance
with applicable financial reporting framework
To report on the financial statements
Reporting of opinion in accordance with audit findings
© The Institute of Chartered Accountants of India
1.10 AUDITING AND ETHICS
Communication of reporting
Reporting and communication in accordance with Standards on
Auditing
6. SCOPE OF AUDIT-WHAT IT INCLUDES
Scope refers to range or reach of something. The purpose of an audit is to enhance
the degree of confidence of intended users in the financial statements. Users of
financial statements may be shareholders, employees, customers, government and
regulatory authorities, bankers etc. Enhancing of degree of confidence is achieved
by the expression of an opinion by the auditor on whether the financial statements
are prepared, in all material respects, in accordance with an applicable financial
reporting framework.
(Applicable financial reporting framework means a framework adopted in the
preparation and presentation of the financial statements that is acceptable in view
of the nature of the entity and the objective of the financial statements, or that is
required by law or regulation.)
For example, in case of companies in India, financial reporting framework is
provided under Schedule III of Companies Act,2013.
The following points are included in scope of audit of financial statements: -
(1) Coverage of all aspects of entity
Audit of financial statements should be organized adequately to cover all
aspects of the entity relevant to the financial statements being audited.
(2) Reliability and sufficiency of financial information
The auditor should be reasonably satisfied that information contained in
underlying accounting records and other source data (like bills, vouchers,
documents etc.) is reliable and sufficient basis for preparation of financial
statements.
The auditor makes a judgment of reliability and sufficiency of financial
information by making a study and assessment of accounting systems and
© The Institute of Chartered Accountants of India
NATURE, OBJECTIVE AND SCOPE OF AUDIT 1.11
internal controls and by carrying out appropriate tests, enquiries and
procedures.
(3) Proper disclosure of financial information
The auditor should also decide whether relevant information is properly
disclosed in the financial statements. He should also keep in mind applicable
statutory requirements in this regard.
It is done by ensuring that financial statements properly summarize
transactions and events recorded therein and by considering the judgments
made by management in preparation of financial statements.
The management responsible for preparation and presentation of financial
statements makes many judgments in this process of preparing and
presenting financial statements. For example, choosing of appropriate
accounting policies in relation to various accounting issues like choosing
method of charging depreciation on fixed assets or choosing appropriate
method for valuation of inventories.
The auditor evaluates selection and consistent application of accounting
policies by management; whether such a selection is proper and whether
chosen policy has been applied consistently on a period-to-period basis.
Understand that financial statements of an entity are prepared on historical
financial information basis. “Historical financial information” means
information expressed in financial terms in relation to a particular entity,
derived primarily from that entity’s accounting system, about economic
events occurring in past time periods or about economic conditions or
circumstances at points in time in the past.
For example, when purchases and sales are reflected in financial statements
of an entity, these are examples of historical financial information. These are
about transactions which have occurred in past.
Since financial statements are prepared on the basis of historical financial
information, it is logical that audit of financial statements is also based upon such
historical financial information. Therefore, audit of financial statements is based
upon historical financial information.
© The Institute of Chartered Accountants of India
1.12 AUDITING AND ETHICS
6.1 Scope of audit-What it does not include
Auditor is not expected to perform duties which fall outside domain of his
competence. For example, physical condition of certain assets like that of
sophisticated machinery cannot be determined by him. Similarly, it is not expected
from an auditor to determine suitability and life of civil structures like buildings.
These require different skillsets which may be performed by qualified engineers in
their respective fields.
An auditor is not an expert in authentication of documents. The genuineness of
documents cannot be authenticated by him because he is not an expert in this field.
An audit is not an official investigation into alleged wrong doing. He does not have
any specific legal powers of search or recording statements of witness on oath
which may be necessary for carrying out an official investigation.
Audit is distinct from investigation. Investigation is a critical examination of the
accounts with a special purpose. For example, if fraud is suspected and it is
specifically called upon to check the accounts whether fraud really exists, it takes
character of investigation.
The objective of audit, on the other hand, as has already been discussed, is to
obtain reasonable assurance about whether the financial statements as a whole are
free from material misstatement, whether due to fraud or error, thereby enabling
the auditor to express an opinion.
The scope of audit is general and broad whereas scope of investigation is specific
and narrow.
An Overview of Scope of Audit
Check box Scope of audit of financial statements
Coverage of all aspects of entity relevant to the financial statements
being audited.
Reliability and Sufficiency of financial information
Proper disclosure of financial information
Expression of an opinion on financial statements
© The Institute of Chartered Accountants of India
NATURE, OBJECTIVE AND SCOPE OF AUDIT 1.13
X Responsibility of preparation and presentation of financial
statements
X Duties outside scope of competence of auditor
X Expertise in authentication of documents
X Investigation
Test Your Understanding 1
Lalji Bhai has purchased shares of a company listed on NSE. The audited financial
statements of the company provide picture of healthy financial performance having
robust turnover, low debt and good profits. On above basis, he is absolutely
satisfied that money invested by him is safe and there is no chance of losing his
money. Do audited results and audit reports of companies provide such assurance
to investors like Lalji Bhai? Is thinking of Lalji Bhai correct?
Test Your Understanding 2
Good deeds Limited is engaged in business of recycling of wastes from dumping
grounds of municipal corporation of Indore to usable manure. It is, in this way,
also, helping to make the city clean.
During course of audit by Zoha & Zoha, a firm of auditors, it is observed by auditors
that company has received a notice from Central Bench of National Green Tribunal
for not following certain environmental regulations involving imposition of hefty
monetary penalty on the company. The company is yet to reply to the notice. The
auditors point out that same is not stated in notes to accounts in financial
statements. The company points out that auditors are going beyond scope of their
work. Does such a matter fall within scope of audit?
Test Your Understanding 3
A huge fire broke out in NOIDA plant of KT Limited. Plant assets comprising
building, machinery and inventories were insured from branch of a public sector
insurance company. Apart from an insurance surveyor who was deputed for
assessing loss, the regional office of insurance PSU also appointed a CA for
verification of books of accounts/ financial records of the company and
circumstances surrounding the loss. He was also requested to submit an early
report. Would the report by CA in nature of audit report?
© The Institute of Chartered Accountants of India
1.14 AUDITING AND ETHICS
7. INHERENT LIMITATIONS OF AUDIT
The process of audit suffers from certain inbuilt limitations due to which an auditor
cannot obtain an absolute assurance that financial statements are free from
misstatement due to fraud or error. These fundamental limitations arise due to the
following factors: -
(1) Nature of financial reporting
Preparation of financial statements involves making many judgments by
management. These judgments may involve subjective decisions or a degree
of uncertainty. Therefore, auditor may not be able to obtain absolute
assurance that financial statements are free from material misstatements due
to frauds or errors.
One of the premises for conducting an audit is that management
acknowledges its responsibility of preparation of financial statements in
accordance with applicable financial reporting framework and for devising
suitable internal controls. However, such controls may not have operated to
produce reliable financial information due to their own limitations.
Consider, for example, that management of a company has devised a control
that all purchase bills should reflect stamp and signatures of an authorised
person in “Goods Receiving Section” of the company stating the date and
time of receiving goods in premises. It is an example of internal control
devised by the company to ensure that only those purchase bills are produced
for payment for which goods have been actually received. Now, what
happens if concerned accountant and authorised person in “Goods Receiving
Section” collude. It is a case of overriding of internal controls devised by the
company due to collusion between two persons. Such a probable collusion is
one of limitations of internal controls itself.
(2) Nature of Audit procedures
The auditor carries out his work by obtaining audit evidence through
performance of audit procedures. However, there are practical and legal
limitations on ability of auditor to obtain audit evidence. For example, an
auditor does not test all transactions and balances. He forms his opinion only
© The Institute of Chartered Accountants of India
NATURE, OBJECTIVE AND SCOPE OF AUDIT 1.15
by testing samples. It is an example of practical limitation on auditor’s ability
to obtain audit evidence.
Management may not provide complete information as requested by auditor.
There is no way by which auditor can force management to provide complete
information as may be requested by auditor. In case he is not provided with
required information, he can only report. It is an example of legal limitation
on auditor’s ability to obtain audit evidence.
The management may consist of dishonest and unscrupulous people and may
be, itself, involved in fraud. It may be engaged in concealing fraud by
designing sophisticated and carefully organized schemes which may be hard
to detect by the auditor. It may produce fabricated documents before auditor
to lead him to believe that audit evidence is valid. However, in reality, such
documents could be fake or non-genuine.
We have already discussed under section on scope of audit that an auditor is
not an expert in authentication of documents. Therefore, he may be led to
accept invalid audit evidence on the basis of unauthentic documents.
It is quite possible that entity may have entered into some transactions with
related parties. Such transactions may be only paper transactions and may
not have actually occurred. The auditor may not be aware of such related
party relationships or audit procedures may not be able to detect probable
wrong doings in such transactions.
(3) Not in nature of investigation
As already discussed, audit is not an official investigation. Hence, auditor
cannot obtain absolute assurance that financial statements are free from
material misstatements due to frauds or errors.
(4) Timeliness of financial reporting and decrease in relevance of
information over time
The relevance of information decreases over time and auditor cannot verify
each and every matter. Therefore, a balance has to be struck between
reliability of information and cost of obtaining it.
© The Institute of Chartered Accountants of India
1.16 AUDITING AND ETHICS
Consider, for example, an auditor who is conducting audit of a company since
last two years. During these two years, he has sought detailed information
from management of company regarding various matters. During his third-
year stint, he chooses to rely upon some information obtained as part of audit
procedures of second year. However, it could be possible that something new
has happened and that information is not relevant. So, the information being
relied upon by auditor is not timely and may have lost its reliability.
(5) Future events
Future events or conditions may affect an entity adversely. Adverse events
may seriously affect ability of an entity to continue its business. The business
may cease to exist in future due to change in market conditions, emergence
of new business models or products or due to onset of some adverse events.
Therefore, it is in view of above factors, that an auditor cannot provide a
guarantee that financial statements are free from material misstatements due
to frauds or errors.
Inherent Limitations of Audit (SA 200 “Overall Objectives of the Independent
Auditor and the Conduct of an Audit in Accordance with Standards on Auditing”):
The auditor is not expected to, and cannot, reduce audit risk to zero because there
are inherent limitations of an audit. The inherent limitations of an audit arise from:
The Nature of Financial Reporting: The preparation of financial statements involves
judgment by management.
The Nature of Audit Procedures: There are practical and legal limitations on the
auditor’s ability to obtain audit evidence such as:
Possibility that management or others may Fraud may involve sophisticated
not provide, intentionally or unintentionally, and carefully organised schemes.
the complete information relevant for
preparation and presentation of FS.
Not in the nature of Investigation: An audit is not an official investigation into
alleged wrongdoing.
© The Institute of Chartered Accountants of India
NATURE, OBJECTIVE AND SCOPE OF AUDIT 1.17
Timeliness of financial reporting and decrease in relevance of information
over time: Relevance of information, and thereby its value, tends to diminish
over time, and there is a balance to be struck between the reliability of
information and its cost.
Future events: Future events or conditions may affect an entity adversely. Adverse
events may seriously affect ability of an entity to continue its Business.
8. WHAT IS AN ENGAGEMENT?
Engagement means an arrangement to do something. In the context of auditing, it
means a formal agreement between auditor and client under which auditor agrees
to provide auditing services. It takes the shape of engagement letter.
8.1 External audit engagements
The purpose of external audit engagements is to enhance the degree of
confidence of intended users of financial statements. Such engagements are also
reasonable assurance engagements. For example, in India, companies are required
to get their annual accounts audited by an external auditor. Even non-corporate
entities may choose to have their accounts audited by an external auditor because
of benefits of such an audit.
9. BENEFITS OF AUDIT-WHY AUDIT IS NEEDED?
♦ Audited accounts provide high quality information. It gives confidence to
users that information on which they are relying is qualitative and it is the
outcome of an exercise carried out by following Auditing Standards
recognized globally.
♦ In case of companies, shareholders may or may not be involved in daily affairs
of the company. The financial statements are prepared by management
consisting of directors. As shareholders are owners of the company, they need
an independent mechanism so that financial information is qualitative and
reliable. Hence, their interest is safeguarded by an audit.
♦ An audit acts as a moral check on employees from committing frauds for the
fear of being discovered by audit.
© The Institute of Chartered Accountants of India
1.18 AUDITING AND ETHICS
♦ Audited financial statements are helpful to government authorities for
determining tax liabilities.
♦ Audited financial statements can be relied upon by lenders, bankers for making
their credit decisions i.e. whether to lend or not to lend to a particular entity.
♦ An audit may also detect fraud or error or both.
♦ An audit reviews existence and operations of various controls operating in
any entity. Hence, it is useful at pointing out deficiencies.
10. AUDIT- MANDATORY OR VOLUNTARY?
It is not necessary that audit is always legally mandatory. There are entities like
companies who are compulsorily required to get their accounts audited under law.
Even non-corporate entities may be compulsorily requiring audit of their accounts
under tax laws. For example, in India, every person is required to get accounts
audited if turnover crosses certain threshold limit under income tax law.
It is also possible that some entities like schools may be required to get their
accounts audited for the purpose of obtaining grant or assistance from the
Government.
Audit is not always mandatory. Many entities may get their accounts audited
voluntarily because of benefits from the process of audit. Many such concerns have
their internal rules requiring audit due to advantages flowing from an audit.
11. WHO APPOINTS AN AUDITOR?
Generally, an auditor is appointed by owners or in some cases by constitutional or
government authorities in accordance with applicable laws and regulations. For
example, in case of companies, auditor is appointed by members (shareholders) in
Annual General Meeting (AGM). Shareholders are owners of a company and
auditor is appointed by them in AGM.
However, in case of government companies in India, auditor is appointed by
Comptroller and Auditor General of India (CAG), an independent constitutional
authority.
© The Institute of Chartered Accountants of India
NATURE, OBJECTIVE AND SCOPE OF AUDIT 1.19
Take case of a firm who engages an auditor to audit its accounts. In such a case,
auditor is appointed by partners of firm.
There may be a situation in which auditor may be appointed by a government
authority in accordance with some law or regulation. For example, an auditor may
be appointed under tax laws by a government authority.
12. TO WHOM REPORT IS SUBMITTED BY AN
AUDITOR?
The outcome of an audit is written audit report in which auditor expresses an opinion.
The report is submitted to person making the appointment. In case of companies,
these are shareholders- in case of a firm, to partners who have engaged him.
We shall now discuss understanding reached so far from a case study involving
discussion among students regarding nature, scope, limitations, benefits of
auditing and other related matters.
CASE STUDY-1
Rohit, Gurpreet, Ali and Goreti are friends since their school days based in Mumbai.
They have cleared CA foundation exams in the same attempt and now plan to
appear for CA Intermediate exams. All of them are avid news listeners and regularly
keep track of business news even on social media.
They are trying to understand new subjects including auditing. Rohit, Gurpreet and
Ali have also started attending Live Coaching Classes (LCC) being conducted by
Board of studies of ICAI. Goreti has not been able to join Live Coaching Classes yet
as she was away on a holiday with her parents. However, she plans to catch it up
with her friends very soon. Ali had also joined the classes but he had skipped some
lectures.
During one informal get together, their discussions centred around new subject of
auditing. They discussed many things regarding its nature, scope, benefits and
other general practical issues. Goreti was regular in keeping track of audited results
of companies being published in leading newspapers. Her view was that audited
financial statements of companies give 100% guarantee to different stake holders.
It is the main reason behind so much reliance upon auditing. But she could not
© The Institute of Chartered Accountants of India
1.20 AUDITING AND ETHICS
understand why wrong doings in financial matters are being discovered after many
years have gone by.
Ali also concurred with her view and added that when financial statements are
audited, each and every transaction appearing in books of accounts is verified.
However, he could not give clarity to Goreti.
Gurpreet was of the opinion that audit was conducted on the basis of sample
checking. He was also of the view that audited financial statements are not a
guarantee against probable wrong doings in financial matters of the companies.
Not to be left behind, Rohit also jumped in the fray. He supported Gurpreet and
also added something of his own.
Based on above, answer the following questions: -
1. Gurpreet was of the view that audited financial statements are not a guarantee
against probable wrong doings in financial matters of companies. What kind
of assurance does audit of financial statements provide?
(a) It provides reasonable assurance meaning a moderate level of assurance.
(b) It provides reasonable assurance meaning a low level of assurance.
(c) It provides reasonable assurance meaning a high level of assurance.
(d) It provides reasonable assurance meaning an absolute level of assurance.
2. Rohit added that auditor can force an employee of the company to provide him
required information and documents. Can he do so?
(a) Yes, he can do so. It is necessary to obtain audit evidence.
(b) Yes, he can do so. There are express rights given to him in this respect.
(c) No, he cannot do so. He can only request for providing him with necessary
information and documents. But it cannot be forced by him.
(d) No, he cannot do so. He has no right of seeking information and
documents. Therefore, question of forcing does not arise.
3. Ali had listened in one of the classes that audit covers all aspects of an entity
and concluded that each and every transaction of entity is verified by auditor.
Goreti also seemed to be in agreement with him but she was of the view that
© The Institute of Chartered Accountants of India
NATURE, OBJECTIVE AND SCOPE OF AUDIT 1.21
besides this, it also meant that audit should be so organized to cover all areas
of an entity. Which of following statements is appropriate in this regard?
(a) Only view of Ali is correct.
(b) Only view of Goreti is correct.
(c) Views of both Ali and Goreti are correct.
(d) Views of both Ali and Goreti are incorrect.
4. All of them also discussed about benefits of auditing. Which of the following is
not a likely benefit of auditing?
(a) Since auditing is connected to future events, audited information can be
easily relied upon by users.
(b) Errors or frauds may be discovered during audit.
(c) Government authorities can make use of audited accounts for different
purposes.
(d) It can help in bringing out deficiencies in maintenance of financial
records.
5. Goreti told her friends that she had read a news report about how a company
had misled its auditors by producing some fabricated documents. Which of
following statements seems to be appropriate in this regard?
(a) It was wrong on the part of auditor to rely upon fabricated documents.
He must have discovered it as the same falls within the scope of his duties.
(b) Although it was wrong on the part of auditor to rely upon fabricated
documents, he cannot do anything in the matter. He has to report on the
basis of documents provided to him. He has no duty in this regard.
(c) Auditor has to conduct audit by exercising professional skill. But he is not
an expert in discovering genuineness of documents. Hence, management
consisting of dishonest persons may have led him to rely upon fabricated
documents deliberately.
(d) Management cannot mislead auditor due to high level of knowledge and
expertise possessed by him. The above is an outlier case-one of the rare
odd cases.
© The Institute of Chartered Accountants of India
1.22 AUDITING AND ETHICS
Answer to Questions involving Case Studies
1. (c) 2. (c) 3. (d) 4. (a) 5. (c)
Test Your Understanding 4
Zeeba Products is a partnership firm engaged in trading of designer dresses. The firm
has appointed JJ & Co, Chartered accountants to audit their accounts for a year. The
auditors were satisfied with control systems of firm, carried out required procedures
and necessary verifications. In particular, they carried out sample checking of
purchases, traced purchase bills to GST portal and also made confirmations from
suppliers. They were satisfied with audit evidence obtained by them as part of audit
exercise. An audit report was submitted to the firm giving an opinion that financial
statements reflected true and fair view of state of affairs of the firm.
However, later on, it was discovered that purchase manager responsible for
procuring dresses from one location was also booking fake purchases of small
values by colluding with unethical dealers. Payments to these dealers were also
made in connivance with accountant through banking channel.
The partners of firm blame auditors for futile audit exercise. Are partners of firm
correct in their view point? Imagine any probable reason for such a situation.
Audit is a type of assurance engagement under which auditor gives an opinion as
to whether financial statements give a true and fair view of state of affairs of the
concern. However, assurance engagements are not restricted to audit alone. We
shall now discuss meaning of assurance engagement and different types of
assurance engagements.
13. MEANING OF ASSURANCE ENGAGEMENT
“Assurance engagement” means an engagement in which a practitioner expresses a
conclusion designed to enhance the degree of confidence of the intended users
other than the responsible party about the outcome of the evaluation or
measurement of a subject matter against criteria.
It means that the practitioner gives an opinion about specific information due to
which users of information are able to make confident decisions knowing well that
chance of information being incorrect is diminished.
© The Institute of Chartered Accountants of India
NATURE, OBJECTIVE AND SCOPE OF AUDIT 1.23
13.1 Elements of an Assurance Engagement
Following elements comprise an assurance engagement: -
1 A three party relationship involving a practitioner, a responsible party,
and intended users
An assurance engagement involves abovesaid three parties. A practitioner is
a person who provides the assurance. The term practitioner is broader than
auditor. Audit is related to historical information whereas practitioner may
provide assurance not necessarily related to historical financial information.
A responsible party is the party responsible for preparation of subject matter.
Intended users are the persons for whom an assurance report is prepared.
These persons may use the report in making decisions.
2. An appropriate subject matter
It refers to the information to be examined by the practitioner. For example,
financial information contained in financial statements while conducting
audit of financial statements.
3. Suitable criteria
These refer to benchmarks used to evaluate the subject matter like standards,
guidance, laws, rules and regulations.
4. Sufficient appropriate evidence
The practitioner performs an assurance engagement to obtain sufficient
appropriate evidence. It is on the basis of evidence that conclusions are
arrived and an opinion is formed by auditor.
“Sufficient” relates to quantity of evidence obtained by auditor.
“Appropriate” relates to quality of evidence obtained by auditor. One
evidence may be providing more comfort to auditor than the other evidence.
The evidence providing more comfort is qualitative and, therefore,
appropriate. Evidence should be both sufficient and appropriate.
© The Institute of Chartered Accountants of India
1.24 AUDITING AND ETHICS
5. A written assurance report in appropriate form
A written report is provided containing conclusion that conveys the assurance
about the subject matter. A written assurance report is the outcome of an
assurance engagement.
Overview of Elements of assurance engagement
Checkbox Elements of an assurance engagement
Three Party relationship
An appropriate subject matter
Suitable Criteria
Sufficient appropriate evidence
Written assurance report in appropriate form
13.2 Meaning of Review; Audit Vs. Review
We have learnt that audit is a reasonable assurance engagement. It provides
reasonable assurance. However, review is a limited assurance engagement. It
provides lower level of assurance than audit. Further, review involves fewer
procedures and gathers sufficient appropriate evidence on the basis of which
limited conclusions can be drawn up. However, both “audit” and “review” are
related to financial statements prepared on the basis of historical financial
information.
13.3 Types of Assurance Engagements- Reasonable assurance
engagement vs. Limited assurance engagement
As already discussed, assurance engagements provide assurance to users. The
difference is of degree. Reasonable assurance engagement like audit provides
reasonable assurance which is a high level of assurance. Limited assurance
engagement like review provides lower level of assurance than audit. It is only a
moderate level of assurance.
© The Institute of Chartered Accountants of India
NATURE, OBJECTIVE AND SCOPE OF AUDIT 1.25
Reasonable assurance engagement Limited assurance engagement
Reasonable assurance engagement Limited assurance engagement provides
provides high level of assurance. lower level of assurance than reasonable
assurance engagement.
It performs elaborate and extensive It performs fewer procedures as
procedures to obtain sufficient compared to reasonable assurance
appropriate evidence. engagement.
It draws reasonable conclusions on the It involves obtaining sufficient
basis of sufficient appropriate evidence. appropriate evidence to draw limited
conclusions.
Example of reasonable assurance Example of limited assurance
engagement is an audit engagement. engagement is review engagement.
Besides reasonable assurance engagements and limited assurance engagements,
there is another kind of assurance which is related to matters other than historical
financial information. Such an assurance may relate to prospective financial
information and not to historical financial information. It may relate to providing
assurance on internal controls in an entity.
“Prospective financial information” means financial information based on
assumptions about events that may occur in the future and possible actions by an
entity. It can be in the form of a forecast or projection or combination of both.
It is to be noted that in such type of assurance engagements, examination is not of
historical financial information.
Here, it is important to note the difference between “Historical financial
information” and “Prospective financial information.” The former relates to
information expressed in financial terms of an entity about economic events,
conditions or circumstances occurring in past periods. The latter relates to financial
information based on assumptions about occurrence of future events and possible
actions by an entity.
Therefore, historical financial information is rooted in past events which have
already occurred whereas prospective financial information is related to future
events.
© The Institute of Chartered Accountants of India
1.26 AUDITING AND ETHICS
In assurance reports involving prospective financial information, the practitioner
obtains sufficient appropriate evidence to the effect that management’s
assumptions on which the prospective financial information is based are not
unreasonable, the prospective financial information is properly prepared on the
basis of the assumptions and it is properly presented and all material assumptions
are adequately disclosed.
Prospective financial information relates to future events. While evidence may be
available to support the assumptions on which the prospective financial
information is based, such evidence is itself generally future- oriented. The auditor
is, therefore, not in a position to express an opinion as to whether the results shown
in the prospective financial information will be achieved.
Therefore, in such assurance engagements, practitioner provides a report assuring
that nothing has come to practitioner’s attention to suggest that these assumptions
do not provide a reasonable basis for the projection.
Hence, such type of assurance engagement provides only a “moderate” level of
assurance.
Examples of assurance engagements
Checkbox Example of assurance Type of assurance engagement
engagement
Audit of financial Reasonable assurance engagement
statements
Review of financial Limited assurance engagement
statements
Examination of Prospective Provides assurance regarding
financial information reasonability of assumptions forming
basis of projections and related matters
Report on controls Provides assurance regarding design and
operating at an operation of controls
organization
© The Institute of Chartered Accountants of India
NATURE, OBJECTIVE AND SCOPE OF AUDIT 1.27
Assurance Engagements
Reasonable Assurance Limited Assurance Assurance Engagements
Engagement Engagement dealing with matters other
than historical financial
information
Audit Review
Examination of prospective
financial information (like
forecast) or assurance
regarding operations of
controls
Test Your Understanding 5
The management of Exotic Tours and Travels Limited requests its auditor Raja &
Co.to provide an assurance report on the financial information for first quarter of a
year by skipping required detailed procedures.
Can Raja & Co. provide such a report? What would be nature of such a report? Would
it be necessary for them to obtain sufficient appropriate evidence in such a case?
14. QUALITIES OF AUDITOR
An auditor is concerned with the reporting on financial matters of business and
other institutions. Financial matters inherently are to be set with the problems of
human fallibility; errors and frauds are frequent.
Tact, caution, firmness, good temper, integrity, discretion, industry, judgement,
patience, clear headedness and reliability are some of qualities which an auditor
© The Institute of Chartered Accountants of India
1.28 AUDITING AND ETHICS
should have. In short, all those personal qualities that go to make a good
businessman contribute to the making of a good auditor.
In addition, he must have the shine of culture for attaining a great height. He must
have the highest degree of integrity backed by adequate independence.
The auditor, who holds a position of trust, must have the basic human qualities
apart from the technical requirement of professional training and education. He is
called upon constantly to critically review financial statements and it is obviously
useless for him to attempt that task unless his own knowledge is that of an expert.
An exhaustive knowledge of accounting in all its branches is the sine qua non of
the practice of auditing. He must know thoroughly all accounting principles and
techniques.
15. ENGAGEMENT AND QUALITY CONTROL
STANDARDS: AN OVERVIEW
The following Standards issued under authority of ICAI Council are collectively
known as Engagement Standards: -
1. Standards on auditing (SAs) which apply in audit of historical financial
information.
2. Standards on review engagements (SREs) which apply in review of historical
financial information.
3. Standards on Assurance engagements (SAEs) which apply in assurance
engagements other than audits and review of historical financial information.
4. Standards on Related Services (SRSs) which apply in agreed upon procedures
to information, compilation engagements and other related service
engagements.
The purpose of issue of these standards is to establish high quality standards and
guidance in the areas of financial statement audits and in other types of assurance
services.
© The Institute of Chartered Accountants of India
NATURE, OBJECTIVE AND SCOPE OF AUDIT 1.29
15.1 Standards on Auditing
Standards on Auditing apply in the context of an audit of financial statements by
an independent auditor. It is important to remember that Standards on Auditing
apply in audit of historical information. These establish high quality benchmarks
and are followed by auditors in conducting audit of financial statements.
Standards on Auditing have been issued on wide spectrum of issues in the field of
auditing ranging from overall objectives of independent auditor, audit
documentation, planning an audit of financial statements, identifying and assessing
risk of material misstatement, audit sampling, audit evidence and forming an
opinion and reporting on financial statements. These cover all significant aspects
of audit of financial statements.
Some examples of Standards on Auditing are: -
♦ SA 200 Overall Objectives of the Independent Auditor and the Conduct of an
Audit in accordance with Standards on Auditing
♦ SA 230 Audit Documentation
♦ SA 315 Identifying and Assessing the Risks of Material Misstatement through
Understanding the Entity and its Environment
♦ SA 500 Audit Evidence
♦ Revised SA 700 Forming an Opinion and Reporting on Financial Statements
15.2 Standards on Review Engagements
Standards on review engagements apply in the context of review of financial
statements. We have already understood that review is a limited assurance
engagement and it provides assurance which is lower than that provided by audit.
It is due to the fact that review involves fewer procedures as compared to audit.
Since a review also provides assurance to users, it also involves obtaining sufficient
appropriate evidence. For example, when an auditor performs review of interim
financial information of an entity.
Examples of Standards on Review engagements are:
♦ SRE 2400 (Revised) Engagements to Review Historical Financial Statements
♦ SRE 2410 Review of Interim Financial Information Performed by the
Independent Auditor of the Entity
© The Institute of Chartered Accountants of India
1.30 AUDITING AND ETHICS
It is to be noted that both Standards on auditing and Standards on review
engagements apply to engagements involving historical financial information.
15.3 Standards on Assurance Engagements
There is another set of standards which apply in assurance engagements dealing
with subject matters other than historical financial information. Such assurance
engagements do not include “audit” or “review” of historical financial information.
These standards are known as Standards on Assurance Engagements. For example,
an assurance engagement relating to examination of prospective financial
information.
It is to be noted that in such type of assurance engagements, examination is not of
historical financial information or engagement may relate to providing assurance
regarding non-financial matters like design and operation of internal control in an
entity.
Examples of Standards on Assurance Engagements are:
♦ SAE 3400 The Examination of Prospective Financial Information
♦ SAE 3420 Assurance Engagements to Report on the Compilation of Pro Forma
Financial Information Included in a Prospectus
15.4 Standards on Related Services
Lastly, there are standards on related services. These standards apply in
engagements to perform agreed-upon procedures regarding financial information.
For example, an engagement to perform agreed-upon procedures may require the
auditor to perform certain procedures concerning individual items of financial data,
say, accounts payable, accounts receivable, purchases from related parties and
sales and profits of a segment of an entity, or a financial statement, say, a balance
sheet or even a complete set of financial statements.
An engagement in which practitioner may be called upon to assist management
with the preparation and presentation of historical financial information without
obtaining assurance on that information. Such type of compilation engagements
fall in the category of related services and practitioner issues a report clearly stating
that it is not an assurance engagement and no opinion is being expressed.
© The Institute of Chartered Accountants of India
NATURE, OBJECTIVE AND SCOPE OF AUDIT 1.31
These types of services are called related services and standards have been issued
to deal with practitioner’s responsibilities in this regard.
Examples of Standards on related services are:
♦ SRS 4400 Engagements to perform agreed-upon procedures regarding
financial information
♦ SRS 4410 (Revised) Compilation engagements
It is to be clearly understood that all the above standards i.e., Standards on Auditing
(SAs), Standards on Review Engagements (SREs), Standards on Assurance
Engagements (SAEs) and Standards on related services (SRSs) are collectively
known as the Engagement Standards.
Engagement Standards issued under the authority of Council of ICAI deal with
responsibilities of auditor/practitioner.
15.5 Standards on Quality Control
Standards on Quality Control (SQCs) have been issued to establish standards and
provide guidance regarding a firm’s responsibilities for its system of quality control
for the conduct of audit and review of historical financial information and for other
assurance and related service engagements.
SQC 1 has been issued in this regard. It requires auditors/practitioners to establish
system of quality control so that firm and its personnel comply with professional
standards and regulatory & legal requirements and reports issued are appropriate.
Its basic objective is that while rendering services, to which engagement standards
apply, there should be a system of quality control with in firms to ensure complying
with professional standards/legal requirements. System of quality control ensures
issuing of appropriate reports in the circumstances.
Further, it is also to be remembered that Standards on Quality Control (SQCs) are
to be applied for all services covered by Engagement Standards.
15.6 Why are Standards needed?
• Standards ensure carrying out of audit against established benchmarks at par
with global practices.
© The Institute of Chartered Accountants of India
1.32 AUDITING AND ETHICS
• Standards improve quality of financial reporting thereby helping users to
make diligent decisions.
• Standards promote uniformity as audit of financial statements is carried out
following these Standards.
• Standards equip professional accountants with professional knowledge and
skill.
• Standards ensure audit quality.
15.7 Duties in relation to Engagement and Quality Control
Standards
It is the duty of professional accountants to see that Standards are followed in
engagements undertaken by them. Ordinarily, these are to be followed by
professional accountants. However, a situation may arise when a specific procedure
as required in Standards would be ineffective in a particular engagement. In such a
case, he is required to document how alternative procedures performed achieve
the purpose of required procedure. Also, reason for departure has also to be
documented unless it is clear. Further, his report should draw attention to such
departures. It is also to be noted that a mere disclosure in the report does not
absolve a professional accountant from complying with applicable Standards.
Overview of Engagement and Quality Control Standards
Checkbox Engagement and Quality Control Standards
Standards on auditing (SAs) apply in audit of historical financial
information.
Standards on review engagements (SREs) apply in review of
historical financial information.
Standards on assurance engagements (SAEs) apply in engagements
dealing in matters other than historical financial information.
Standards on related services (SRSs) apply in engagements to
perform agreed-upon procedures regarding financial information
and other services like assisting management in preparation and
presentation of financial statements.
© The Institute of Chartered Accountants of India
NATURE, OBJECTIVE AND SCOPE OF AUDIT 1.33
Standards on Quality control (SQC) apply for all services covered by
engagement standards i.e. SAs, SREs, SAEs and SRSs.
Duty of professional accountants to follow Standards. If not
followed, reason for departure to be stated in reports.
Test Your Understanding 6
CA. P Babu is conducting audit of financial statements of Quick Buy Private Limited.
He was not able to obtain external confirmations from certain debtors due to
practical difficulties and peculiar circumstances. However, such a procedure is
mandated under one of Standards on Auditing.
Unable to obtain external confirmations from these debtors, he relied upon sale
details to these parties, e-invoices, e-way bills and also traced payments from these
parties in bank accounts of the company. He was reasonably satisfied with audit
evidence obtained. Is there any other reporting duty cast upon him relating to not
following a mandated procedure in one of Standards on Auditing?
CASE STUDY-2
Me and You Private Limited has been newly incorporated. The plant of the company
has recently started production with the help of funds provided by a bank for
purchase and installation of machinery. Further, the company is also utilizing
working capital credit facilities from the same bank for meeting its day to day
working capital requirements like for purchase of raw materials, labour payment
etc. However, just within six months of its operations, the management feels that
working capital funds are inadequate and situation is creating liquidity issues in the
company.
The management of the company has approached its bankers and requested for
enhancement in working capital credit facilities. The bank manager is insisting upon
financial statements of the company for half year along with report providing
assurance in this respect duly signed by Chartered Accountant as audit is far away.
It also requires projected financial statements for coming years along with a report
from CA providing assurance regarding these projections to consider request of
management.
© The Institute of Chartered Accountants of India
1.34 AUDITING AND ETHICS
The management approaches CA P, who has qualified recently and started
practising. Reports providing assurance for half yearly results and projected
financial statements are sought from CA P. The Management provides necessary
information and records to him in this regard.
Assume, in above case, the company only provides trial balance, financial
statements in draft/preliminary form along with accompanying records for the
relevant half year to CA P and requests him to provide duly signed financial
statements with a report for mutually agreed professional fees.
Based on above, answer the following questions: -
1. The management of company has engaged CA P to issue a duly signed report
for half year, as referred to in last para of case study. Which of the following
standards, if any, issued by ICAI are relevant for CA P?
(a) Standards on Review Engagements
(b) Standards on Auditing
(c) Standards on Related Services
(d) There are no standards for issuing report in such situation.
2. Which of the following statements is MOST APRROPRIATE in given case
situation?
(a) CA P can assist management in preparation of financial statements of
the company. However, issue of a report in such a case is outside the
scope of work.
(b) CA P can assist management in preparation of financial statements of
the company and he can issue an audit report.
(c) CA P can assist management in preparation of financial statements of
the company and he can issue a compilation report in this respect.
© The Institute of Chartered Accountants of India
NATURE, OBJECTIVE AND SCOPE OF AUDIT 1.35
(d) The responsibility of preparation of financial statement is of company’s
management. CA P cannot assist management in preparation of financial
statements of the company. However, he can issue a review report.
3. In the above said scenario for issuance of signed financial statements for half
year by CA P, as discussed in last para of Case Study, identify the MOST
APPROPRIATE statement: -
(a) Standard on Quality control (SQC 1) is not applicable as CA P cannot
issue audit report.
(b) Standard on Quality Control (SQC 1) is not applicable as CA P cannot
issue review report.
(c) Standard on Quality Control (SQC 1) is applicable in such type of
engagement.
(d) Standard on Quality Control (SQC 1) is not applicable as CA P is barred
from issuing any report in such type of engagement.
4 The banker of company has also requested for projected financial statements
for coming years along with a report from CA regarding these projections to
consider request of management. Which of the following standards issued by
ICAI are relevant for CA P in such a situation, if any?
(a) Standards on Review Engagements
(b) There are no standards for issuing such type of reports.
(c) Standards on Related Services
(d) Standards on Assurance Engagements
5. Suppose CA P also accepts work of issuing projected financial statements with
a report to be signed by him. The management has projected turnover of `100
core for the next year, `150 crore & `200 crore for following years respectively
as compared to present turnover of `25 crore in current half year. Identify the
MOST APPROPRIATE statement in this situation: -
(a) CA P has to satisfy himself regarding arithmetical accuracy of projected
data.
(b) CA P has to satisfy himself regarding reasonableness of assumptions
underlying projected turnover and its consistency with actuals.
© The Institute of Chartered Accountants of India
1.36 AUDITING AND ETHICS
(c) CA P has to satisfy himself regarding arithmetical accuracy of data along
with its proper presentation to banker.
(d) CA P has to satisfy himself regarding reasonableness of assumptions
underlying projected turnover, its consistency with actuals, disclosure and
presentation.
Answer to Questions involving Case Study 2
1. c 2. c 3. c 4. d 5. d
SUMMARY
♦ An audit is an independent examination of financial information of any entity,
whether profit oriented or not, and irrespective of its size or legal form, when
such an examination is conducted with a view to expressing an opinion
thereon.
♦ An audit provides assurance. It provides confidence to users of financial
statements.
♦ Assurance is provided by audit by means of written audit report.
♦ The basic purpose of an audit of financial statements is to express an opinion
on the financial statements.
♦ The independent audit of financial statements provides reasonable assurance.
It is to be distinguished from absolute or complete assurance. However,
reasonable assurance is a high level of assurance.
♦ An auditor is not expected to perform duties falling outside scope of his
competence.
♦ There are inherent limitations in process of audit due to nature of financial
reporting itself, nature of audit procedures, audit not being in nature of
investigation and other factors. It is due to these reasons audit does not
provide absolute assurance.
♦ Audit is a type of assurance engagement. It is a reasonable assurance
engagement.
© The Institute of Chartered Accountants of India
NATURE, OBJECTIVE AND SCOPE OF AUDIT 1.37
♦ Assurance engagement means an engagement in which a practitioner
expresses a conclusion designed to enhance the degree of confidence of the
intended users other than the responsible party about the outcome of the
evaluation or measurement of a subject matter against criteria.
♦ Assurance engagement consists of five elements consisting of- a three party
relationship, an appropriate subject matter, suitable criteria, sufficient
appropriate evidence and a written assurance report in appropriate form.
♦ Limited assurance engagement provides lower level of assurance than
reasonable assurance engagement.
♦ Audit is a reasonable assurance engagement. Review is a limited assurance
engagement.
♦ Assurance engagements consist of reasonable assurance engagements,
limited assurance engagements and assurance engagements dealing with
matters other than historical financial information.
♦ Standards on auditing, Standards on review engagements, Standards on
assurance engagements and Standards on related services are collectively
known as engagement standards. These deal with responsibilities of
auditor/practitioner.
♦ Standards on quality control have been issued to establish standards and
provide guidance regarding a firm’s responsibilities for its system of quality
control in providing services dealt by engagement standards.
♦ Standards are needed for carrying out audit against established benchmarks,
for improving quality of financial reporting, for promoting uniformity, for
equipping professional accountants with professional knowledge & skill and
for ensuring audit quality.
TEST YOUR KNOWLEDGE
MCQs based Questions
1. Which of the following is not an advantage of audit?
(a) It provides high quality financial information.
(b) It acts as a moral check on employees.
© The Institute of Chartered Accountants of India
1.38 AUDITING AND ETHICS
(c) It enhances risk of management bias.
(d) It helps in safeguarding interests of shareholders.
2. Which of the following is NOT TRUE about an assurance engagement?
(a) It relates to providing assurance about historical financial information
only.
(b) The practitioner obtains sufficient appropriate evidence.
(c) There is some information to be examined by practitioner.
(d) A written assurance report in appropriate form is issued by practitioner.
3. Which of the following is TRUE about Engagement Standards?
(a) Engagement standards ensure proper rights to practitioners in course of
performance of their duties.
(b) Engagement standards ensure preparation and presentation of financial
statements in a standardized manner.
(c) Engagement standards ensure uniformity by practitioners in course of
performance of their duties.
(d) Engagement standards ensure savings in resources of clients.
4. Consider following statements in relation to “Limited assurance engagement”:-
Statement I - It involves obtaining sufficient appropriate evidence to draw
reasonable conclusions.
Statement II - Review of interim financial information of a company is an
example of limited assurance engagement.
(a) Statement I is correct. Statement II is incorrect.
(b) Both Statements I and II are correct.
(c) Both Statements I and II are incorrect.
(d) Statement I is incorrect. Statement II is correct.
5. Which of the following is TRUE about Standards on auditing?
(a) These deal mainly with voluntary responsibilities of auditors.
© The Institute of Chartered Accountants of India
NATURE, OBJECTIVE AND SCOPE OF AUDIT 1.39
(b) These deal mainly with mandatory responsibilities of auditors.
(c) Their sole purpose is to help government authorities in augmenting
revenues.
(d) These deal mainly in carrying out audit according to legal provisions.
Correct /Incorrect
State with reasons (in short) whether the following statements are correct
or incorrect:
(i) The basic objective of audit does not change with reference to nature, size or
form of an entity.
(ii) The purpose of an audit is to enhance the degree of confidence of intended
users in the financial statements.
(iii) The auditor is not expected to, and cannot, reduce audit risk to zero and cannot
therefore obtain absolute assurance that the financial statements are free from
material misstatement due to fraud or error.
Theoretical Questions
1. “Choosing of appropriate accounting policies in relation to accounting issues is
responsibility of management”. Do you agree? Discuss duty of auditor, if any,
in relation to accounting policies.
2. Assurance engagements are not restricted to audit of financial statements
alone. Discuss.
3. An assurance engagement involves a three party relationship. Discuss meaning
of three parties in such an engagement.
4. A Chartered Accountant is specifically asked to check accounts whether fraud
exists. State with reasons whether it is an example of reasonable assurance
engagement.
5. An audit does not provide absolute assurance. Discuss how nature of audit
procedures itself is one of the reasons due to which audit cannot provide
absolute assurance.
© The Institute of Chartered Accountants of India
1.40 AUDITING AND ETHICS
ANSWERS/ SOLUTIONS
Answers to the MCQs based Questions
1. (c) 2. (a) 3. (c) 4. (d) 5. (b)
Answers to Correct/Incorrect
(i) Correct: An audit is an independent examination of financial information of
any entity, whether profit oriented or not, and irrespective of its size or legal
form, when such an examination is conducted with a view to expressing an
opinion thereon. It is clear that the basic objective of auditing, i.e., expression
of opinion on financial statements does not change with reference to nature,
size or form of an entity.
(ii) Correct: As per SA 200 “Overall Objectives of the Independent Auditor and
the Conduct of an Audit in Accordance with Standards on Auditing”, the
purpose of an audit is to enhance the degree of confidence of intended users
in the financial statements. This is achieved by the expression of an opinion
by the auditor on whether the financial statements are prepared, in all
material respects, in accordance with an applicable financial reporting
framework.
(iii) Correct: As per SA 200 “Overall Objectives of the Independent Auditor and
the Conduct of an Audit in Accordance with Standards on Auditing”, the
auditor is not expected to, and cannot, reduce audit risk to zero and cannot
therefore obtain absolute assurance that the financial statements are free
from material misstatement due to fraud or error. This is because there are
inherent limitations of an audit, which result in most of the audit evidence on
which the auditor draws conclusions and bases the auditor’s opinion being
persuasive rather than conclusive.
Answers to the Theoretical Questions
1. Choosing of appropriate accounting policies is responsibility of management.
The role of auditor lies in evaluating selection and consistent application of
accounting policies by management- Refer to scope of audit- what it
includes.
© The Institute of Chartered Accountants of India
NATURE, OBJECTIVE AND SCOPE OF AUDIT 1.41
2. Refer to examples on assurance engagements.
3. Refer to elements of assurance engagement.
4. It is not a reasonable assurance engagement. It is in nature of investigation.
5. Refer to second point of inherent limitations of audit.
Answers to Questions involving Test Your Understanding
1. An audit does not provide assurance to investor in shares regarding safety of
his money. Share prices of securities are affected by range of factors. An audit
only provides reasonable assurance that financial statements are free from
material misstatement whether due to fraud or error. Hence, thinking of Lalji
Bhai is not correct.
2. Proper disclosure of financial information is well within scope of audit.
3. Appointment of CA for verification of books of accounts/financial records and
circumstances surrounding the loss is for a specific objective to determine
genuineness of loss and any issue affecting liability of insurance company. It
is an investigation and not in nature of audit report.
4. It is example of failure of internal controls of the firm. The internal control has
not operated due to collusion between employees which is a limitation of
internal control itself. The auditor has relied upon internal controls. It is very
nature of financial reporting that management is responsible for devising
suitable internal controls. This is an inherent limitation of audit.
5. Such report would be in nature of “review”. However, auditors would have to
obtain sufficient appropriate evidence.
6. He is required to document how alternative procedures performed achieve
the purpose of required procedure. Reason for departure has to be
documented unless it is clear. His report should draw attention to such
departure.
© The Institute of Chartered Accountants of India
CHAPTER a
2
AUDIT STRATEGY,
AUDIT PLANNING
AND AUDIT
PROGRAMME
LEARNING OUTCOMES
After studying this chapter, you would be able to -
Understand the Audit Planning and its benefits.
Learn about Planning Process and its Elements.
Learn about establishing overall strategy and developing
audit plan in detail.
Learn about audit programme.
Gain the knowledge of control of quality of audit work w.r.t
delegation and supervision of audit work.
Practicality of above concepts by studying through examples
and case studies.
© The Institute of Chartered Accountants of India
a
2.2 AUDITING AND ETHICS
CHAPTER OVERVIEW
Planning an audit involves:
Establishing the overall audit strategy
Developing an audit plan
The auditor should plan his work to enable him to
conduct an effective audit in an efficient and timely
manner.
Plans should be based on knowledge of
the client's business.
Plans should be further developed and
revised as necessary during the course of
the audit.
© The Institute of Chartered Accountants of India
AUDIT STRATEGY, AUDIT PLANNING AND AUDIT 2.3
PROGRAMME
By now, Sameer had grasped basic nature of auditing. It was crystal clear to him
that objective of an audit of financial statements is to express an opinion on the
same. He could easily visualize that a complex process like audit needs to be
performed methodically. “Carrying out an audit ought to be a logical and
systematic process leading from one step to another. Performing a complex
process effectively, would certainly, be involving planning. Planning helps one to
achieve desired objectives. Audits should be no different”- He was talking to
himself.
Besides, he was pretty sure that there must be timelines in which audits were to
be completed for different entities. He remembered his father had held few shares
of some blue-chip companies. He was able to recall that notices of annual general
meetings of these companies used to be delivered at their ancestral home in
Rajkot and those also related to consideration and adoption of audited accounts.
Linking that, he had reasonably concluded that audits were required to be
performed in a timely manner. The whole audit process, therefore, must be
properly planned to ensure its effectiveness.
He was curious to learn about how planning for an audit is undertaken. What are
the basic elements of planning? What are likely matters to be included therein?
He was aware about CA students undergoing articled training. Most of the
students must be going for audit work of different entities as part of their practical
training. A thought came to his mind- “How do students who have freshly joined
their articles carry out audit work? There must be some mechanism, some sort of
detailed set of instructions for carrying out audit. What is it known as?” His
inquisitive mind was constantly engaged in such kind of questions.
He was also anxious to know what would happen to audit plan if some new
information comes to light of auditor during course of audit which was hitherto
unknown to him at time of planning? Is audit plan flexible? Can it be changed as
audit progresses? Another question raging in his mind was whether all such
information was necessary to be put in writing by the auditor.
© The Institute of Chartered Accountants of India
a
2.4 AUDITING AND ETHICS
1. AUDITOR’S RESPONSIBILITY TO PLAN AN
AUDIT OF FINANCIAL STATEMENTS
SA 300- Planning an audit of financial statements deals with the auditor’s
responsibility to plan an audit of financial statements. It states that objective of the
auditor is to plan the audit so that it will be performed in an effective manner.
1.1 Why Planning an audit is necessary? - Its Benefits
Planning an audit is necessary to carry out it effectively in a timely manner. Besides
ensuring compliance with professional standards, it helps in performing audit
engagement effectively.
Adequate planning benefits the audit of financial statements in several ways,
including the following: -
1. Helping the auditor to devote appropriate attention to important areas of the
audit.
2. Helping the auditor identify and resolve potential problems on a timely basis.
3. Helping the auditor properly organize and manage the audit engagement so
that it is performed in an effective and efficient manner.
4. Assisting in the selection of engagement team members with appropriate
levels of capabilities and competence to respond to anticipated risks, and the
proper assignment of work to them.
5. Facilitating the direction and supervision of engagement team members and
the review of their work.
6. Assisting, where applicable, in coordination of work done by others such as
experts
Therefore, planning an audit ensures that audit risk is reduced to an acceptable low
level. When audit work is adequately and properly planned, it reduces the risk of
inappropriate opinion by the auditor.
© The Institute of Chartered Accountants of India
AUDIT STRATEGY, AUDIT PLANNING AND AUDIT 2.5
PROGRAMME
Appropriate attention
to important areas
Coordination with Identify and
other Auditors and Resolve Potential
Experts Problems
Benefits of
Planning
Direction and Efficient and
Supervision of Team Effective Audit
& Review of work Selection of
Team
Members
1.2 Nature of Audit Planning- A Continuous and iterative
process
Planning is not a discrete phase of an audit, but rather a continual and iterative
process that often begins shortly after (or in connection with) the completion of
the previous audit and continues until the completion of the current audit
engagement. Planning, however, includes consideration of the timing of certain
activities and audit procedures that need to be completed prior to the performance
of further audit procedures. For example, planning includes the need to consider,
prior to the auditor’s identification and assessment of the risks of material
misstatement, such matters as: -
1. The analytical procedures to be applied as risk assessment procedures.
2. Obtaining a general understanding of the legal and regulatory framework
applicable to the entity and how the entity is complying with that framework.
3. The determination of materiality.
4. The involvement of experts.
5. The performance of other risk assessment procedures.
© The Institute of Chartered Accountants of India
a
2.6 AUDITING AND ETHICS
Risk assessment procedures are audit procedures performed to obtain an
understanding of the entity and its environment, including the entity’s internal
control, to identify and assess the risks of material misstatement, whether due to
fraud or error at the financial statement and assertion levels.
Therefore, planning includes consideration of matters such as obtaining knowledge
about legal framework in which entity is operating. Consider for example- Telecom
companies and Banks. Such entities operate in different legal and regulatory
frameworks. TRAI (Telecom Regulatory Authority of India) and RBI (Reserve Bank of
India) are regulators for telecom and banking industry respectively.
Planning also includes need to consider determination of material or significant
matters. It also involves considering whether experts need to be involved taking
into account complexity of business. Further, it also involves considering need to
perform risk assessment procedures for identifying and assessing risks of material
misstatement.
Planning is not a separate or distinct phase of an audit. It is to be viewed as a
continual and repetitive process. It is a continuous process that begins with
completion of previous audit and continues till the completion of current audit
engagement.
Involvement of key engagement team members in planning audit
The engagement partner and other key members of the engagement team shall be
involved in planning the audit including planning and participating in the
discussion among engagement team members. The involvement of the
engagement partner and other key members of the engagement team in planning
the audit draws on their experience and insight, thereby enhancing the
effectiveness and efficiency of the planning process.
Discussion of elements of planning with entity’s management
The auditor may decide to discuss elements of planning with the entity’s
management to facilitate the conduct and management of the audit engagement.
When discussing matters included in the overall audit strategy or audit plan, care
is required in order not to compromise the effectiveness of the audit.
© The Institute of Chartered Accountants of India
AUDIT STRATEGY, AUDIT PLANNING AND AUDIT 2.7
PROGRAMME
2. Planning Process- Elements of Planning
The elements of planning can be categorized as under: -
(I) Preliminary engagement activities
(II) Planning activities
(I) Preliminary engagement activities
The auditor considers whether relationship with client should be continued and
whether ethical requirements including independence continue to be complied
with. It includes: -
(A) Performing procedures regarding the continuance of the client relationship
(B) Evaluating compliance with ethical requirements, including independence
(C) Establishing an understanding of terms of engagement
Preliminary engagement activities include the following: -
(A) Performing procedures regarding the Continuance of Client
Relationships and Audit Engagements
Acceptance and Continuance of Client Relationships and Audit
Engagements
It should be ensured that appropriate procedures regarding the acceptance
and continuance of client relationships and audit engagements have been
followed and that conclusions reached in this regard are appropriate.
The firm should obtain information considered necessary in the
circumstances before accepting an engagement with a new client, when
deciding whether to continue an existing engagement, and when considering
acceptance of a new engagement with an existing client.
Matters such as integrity of principal owners and key management,
competence of engagement team to perform the audit engagement and
implications of matters that have arisen during current and previous audit
engagement may need to be considered.
© The Institute of Chartered Accountants of India
a
2.8 AUDITING AND ETHICS
Besides, in case of initial engagements, communication with predecessor
auditor should be made, where there has been a change of auditors.
(B) Evaluating compliance with ethical requirements including
independence
The auditor shall continuously evaluate compliance with ethical requirements
including independence. “Independence” means that the judgement of a
person is not subordinate to the wishes or direction of another person who
might have engaged him.
Throughout the audit engagement, the engagement partner shall remain
alert, through observation and making inquiries as necessary, for evidence of
non-compliance with relevant ethical requirements by members of the
engagement team. If matters come to the engagement partner’s attention
that indicate that members of the engagement team have not complied with
relevant ethical requirements, the engagement partner, in consultation with
others in the firm, shall determine the appropriate action.
The engagement partner shall form a conclusion on compliance with
independence requirements that apply to the audit engagement. In doing so,
the engagement partner shall: -
(i) Obtain relevant information from the firm to identify and evaluate
circumstances and relationships that create threats to independence
(ii) Evaluate information on identified breaches, if any, of the firm’s
independence policies and procedures to determine whether they
create a threat to independence for the audit engagement and
(iii) Take appropriate action to eliminate such threats or reduce them to an
acceptable level by applying safeguards, or, if considered appropriate,
to withdraw from the audit engagement, where withdrawal is permitted
by law or regulation. The engagement partner shall promptly report to
the firm any inability to resolve the matter for appropriate action.
Besides, consideration for client continuance and compliance with ethical
requirements, preliminary engagements activities also include establishing an
understanding of terms of engagement.
© The Institute of Chartered Accountants of India
AUDIT STRATEGY, AUDIT PLANNING AND AUDIT 2.9
PROGRAMME
(C) Establishing an understanding of terms of engagement
It is in the interests of both the entity and the auditor that the auditor sends
an audit engagement letter before the commencement of the audit to help
avoid misunderstandings with respect to the audit. It ensures that there is no
confusion with the client regarding terms of the engagement.
Performing preliminary engagement activities assists the auditor in
identifying and evaluating events or circumstances that may affect auditor’s
ability to plan and perform audit engagement.
An overview of Preliminary engagement activities
Checkbox What is included in Preliminary engagement activities?
✓ Performing procedures regarding the continuance of client
relationship
✓ Evaluating Compliance with ethical requirements including
independence
✓ Establishing an understanding of terms of engagement with the
client to ensure there are no misunderstandings
(II) Planning activities
Planning activities involve: -
[A] Establishing the overall audit strategy
[B] Developing an audit plan
(A) Establishing the overall audit strategy- Assistance for the auditor
Overall audit strategy sets the scope, timing and direction of the audit, and
guides the development of the more detailed audit plan.
The auditor shall establish an overall audit strategy that sets the scope, timing
and direction of the audit, and that guides the development of the audit plan.
The process of establishing the overall audit strategy assists the auditor to
determine, subject to the completion of the auditor’s risk assessment
procedures, such matters as: -
© The Institute of Chartered Accountants of India
a
2.10 AUDITING AND ETHICS
(i) The resources to deploy for specific audit areas, such as the use of
appropriately experienced team members for high-risk areas or the
involvement of experts on complex matters
(ii) The amount of resources to allocate to specific audit areas, such as the
number of team members assigned to observe the inventory count at
material locations, the extent of review of other auditors’ work in the
case of group audits, or the audit budget in hours to allocate to high
risk areas
(iii) When these resources are to be deployed, such as whether at an interim
audit stage or at key cut-off dates
(iv) How such resources are managed, directed and supervised, such as
when team briefing and debriefing meetings are expected to be held,
how engagement partner and manager reviews are expected to take
place (for example, on-site or off-site), and whether to complete
engagement quality control reviews
Factors to be taken into consideration by auditor for establishing audit
strategy
The auditor shall take following factors into consideration while establishing
audit strategy: -
(a) Identify the characteristics of the engagement that define its scope
It is important for auditor to identify scope of the engagement. Only a
well identified scope can lead to establishment of a sound audit
strategy. There are many characteristics of engagement defining its
scope. Some of characteristics are as under: -
➢ Applicable financial reporting framework applicable to the entity
➢ Nature of business segments to be audited including the need for
specialized knowledge
➢ Industry specific reporting requirements required by industry
regulators
➢ Expected use of audit evidence obtained in previous audits
© The Institute of Chartered Accountants of India
AUDIT STRATEGY, AUDIT PLANNING AND AUDIT 2.11
PROGRAMME
(b) Ascertain the reporting objectives of the engagement to plan the
timing of the audit and the nature of the communications required.
The ascertaining of reporting objectives of engagement helps the
auditor to plan timing of different audit procedures and also nature of
communications. Some of the instances are given under: -
➢ The entity’s timetable for reporting
➢ Organization of meetings to discuss of nature, timing and extent
of audit work with management
➢ Discussion with management regarding the expected type and
timing of reports to be issued including the auditor’s report
➢ Discussion with management regarding the expected
communications on the status of audit work throughout the
engagement.
➢ Expected nature and timing of communications among
engagement team members, including the nature and timing of
team meetings and timing of the review of work performed.
(c) Consider the factors that, in the auditor’s professional judgment,
are significant in directing the engagement team’s efforts
The auditor needs to direct efforts of engagement team towards
matters that in his professional judgment are significant. Preliminary
identification of material classes of transactions, account balances and
disclosures help auditor in establishing overall audit strategy. More
energies need to be devoted to significant matters to obtain desired
outcomes. Few examples are listed as under: -
➢ Volume of transactions which may determine whether it is more
efficient for the auditor to rely on internal control
© The Institute of Chartered Accountants of India
a
2.12 AUDITING AND ETHICS
➢ Significant industry developments such as changes in industry
regulations and new reporting requirements.
➢ Significant changes in the financial reporting framework, such as
changes in accounting standards.
➢ Other significant relevant developments, such as changes in the
legal environment affecting the entity.
(d) Consider the results of preliminary engagement activities and,
where applicable, whether knowledge gained on other
engagements performed by the engagement partner for the entity
is relevant
Considering results of preliminary engagement activities and
knowledge gained from similar engagements goes a long way in
establishing sound audit strategy. Examples are listed as under: -
➢ Results of previous audits that involved evaluating the operating
effectiveness of internal control, including the nature of identified
deficiencies and action taken to address them.
➢ The manner in which the auditor emphasizes to engagement team
members the need to maintain a questioning mind and to exercise
professional skepticism in gathering and evaluating audit
evidence.
(e) Ascertain the nature, timing and extent of resources necessary to
perform the engagement.
Selection of engagement team and assignment of audit work to team
members is a significant factor in establishing overall audit strategy.
Experienced team members may be assigned in areas where there is
higher risk of material misstatement. Similarly, engagement budgeting
and devotion of more time to areas of higher risk of material
misstatement are to be kept in mind.
© The Institute of Chartered Accountants of India
AUDIT STRATEGY, AUDIT PLANNING AND AUDIT 2.13
PROGRAMME
In establishing the overall audit strategy, the auditor shall:
Ascertain the
Consideration of Consider the nature, timing
Ascertain the
Identify the significant factors results of and extent of
reporting
scope of the in directing the preliminary resources
objectives of the
engagement engagement engagement required for
engagement
team’s efforts activities the
engagement.
ILLUSTRATION 1
The auditor T of Hand Fab Ltd is worried as to management of key resources to be
employed to conduct audit.
Required
How the audit strategy would be helpful to the auditor?
SOLUTION
Refer - Establishing the overall audit strategy- Assistance for the auditor for solution.
(B) Development of Audit plan
Once the overall audit strategy has been established, an audit plan can be
developed to address the various matters identified in the overall audit
strategy, taking into account the need to achieve the audit objectives through
the efficient use of the auditor’s resources.
Understanding client’s business is one of the important principles in
developing an audit plan. In fact, without adequate knowledge of client’s
business, a proper audit is not possible. Gaining knowledge of client’s business
is, therefore, one of the foremost requirements to develop audit plan.
SA-300 states that auditor shall develop an audit plan that shall include
description of-
(i) The nature, timing and extent of planned risk assessment procedures
(ii) The nature, timing and extent of planned further audit procedures at
assertion level
© The Institute of Chartered Accountants of India
a
2.14 AUDITING AND ETHICS
(iii) Other planned audit procedures that are required to be carried out so
that the engagement complies with SAs.
The auditor plans what type of audit procedures are to be performed, their
timing and how much work should be done taking into account sample size etc.
The audit plan is more detailed than the overall audit strategy that includes
the nature, timing and extent of audit procedures to be performed by
engagement team members. Planning for these audit procedures takes place
over the course of the audit as the audit plan for the engagement develops.
For example, planning of the auditor's risk assessment procedures occurs
early in the audit process. However, planning the nature, timing and extent
of specific further audit procedures depends on the outcome of those risk
assessment procedures. In addition, the auditor may begin the execution of
further audit procedures for some classes of transactions, account balances
and disclosures before planning all remaining further audit procedures.
Elements of Planning
Preliminary
Planning activities
engagement activities
Establishing overall Developing audit
audit strategy plan
Test Your Understanding 1
MG & Co, a firm of auditors, having a standing of 30 years is appointed as a
statutory auditor of company engaged in manufacturing of defence equipment.
Due to opening of defence sector by government to private players in recent times,
many new companies have entered the fray to manufacture sophisticated defence
equipment. Considering technical and complex nature of operations, the auditors
recognize that involvement of experts in the audit is required. Does consideration
for involvement of experts by auditors fall in the domain of planning audit?
© The Institute of Chartered Accountants of India
AUDIT STRATEGY, AUDIT PLANNING AND AUDIT 2.15
PROGRAMME
Test Your Understanding 2
CA Kartik is planning for audit of a company engaged in manufacturing of
cosmetics. Considering nature of operations of the company, he had planned to
include testing of controls of the company over purchases, sales and inventories.
One fine day, he reaches the corporate office and asks for manuals and required
documentation to ensure surprise element in testing. He had never shared with
management his intention to carry out above procedures. Is approach of CA Kartik
proper?
3. RELATIONSHIP BETWEEN AUDIT STRATEGY
AND AUDIT PLAN
Audit strategy sets the broad overall approach to the audit whereas audit plan
addresses the various matters identified in the overall audit strategy. Audit strategy
determines scope, timing and direction of audit. Audit plan describes how strategy
is going to be implemented. The audit plan is more detailed than the overall audit
strategy that includes the nature, timing and extent of audit procedures to be
performed by engagement team members. Planning for these audit procedures
takes place over the course of the audit as the audit plan for the engagement
develops.
Once the overall audit strategy has been established, an audit plan can be
developed to address the various matters identified in the overall audit strategy,
taking into account the need to achieve the audit objectives through the efficient
use of the auditor’s resources.
The establishment of the overall audit strategy and the detailed audit plan are not
necessarily discrete or sequential processes, but are closely inter-related since
changes in one may result in consequential changes to the other.
4. OVERALL AUDIT STRATEGY AND THE AUDIT
PLAN- THE AUDITOR’S RESPONSIBILITY
The overall audit strategy and the audit plan remain the auditor’s responsibility. It is
the auditor who is responsible for establishing overall audit strategy and developing
© The Institute of Chartered Accountants of India
a
2.16 AUDITING AND ETHICS
audit plan. However, as discussed earlier, auditor may discuss elements of planning
with entity’s management without compromising effectiveness of audit.
ILLUSTRATION 2
W, the auditor of SKM Ltd. asks its finance and audit head to prepare audit strategy
for conducting audit of SKM Ltd. W also insists him to draw detailed audit procedures.
On the request of auditor W completes audit strategy as well as audit procedures as
prepared by finance head of the company. Subsequently, auditor realizes that
effectiveness of the audit is compromised and it was his responsibility to prepare the
overall audit strategy. Comment.
SOLUTION
Refer - Overall audit strategy and the audit plan- The auditor’s responsibility -
Accordingly, approach of W was wrong and he should have prepared overall audit
strategy and detailed audit procedures.
5. CHANGES TO PLANNING DECISIONS
DURING THE COURSE OF AUDIT
The auditor shall update and change the overall audit strategy and the audit plan
as necessary during the course of the audit. As a result of unexpected events,
changes in conditions, or the audit evidence obtained from the results of audit
procedures, the auditor may need to modify the overall audit strategy and audit
plan and thereby the resulting planned nature, timing and extent of further audit
procedures, based on the revised consideration of assessed risks. This may be the
case when information comes to the auditor’s attention that differs significantly
from the information available when the auditor planned the audit procedures. For
example, audit evidence obtained through on detailed checking may contradict the
audit evidence obtained through testing internal controls.
6. PLANNING SUPERVISION AND REVIEW OF
WORK OF ENGAGEMENT TEAM MEMBERS
The auditor shall plan the nature, timing and extent of direction and supervision of
engagement team members and the review of their work. The nature, timing and
© The Institute of Chartered Accountants of India
AUDIT STRATEGY, AUDIT PLANNING AND AUDIT 2.17
PROGRAMME
extent of the direction and supervision of engagement team members and review
of their work vary depending on many factors, including: -
1. The size and complexity of the entity.
2. The area of the audit.
3. The assessed risks of material misstatement
4. The capabilities and competence of the individual team members performing
the audit work.
7. DOCUMENTATION
The auditor shall document: -
(a) the overall audit strategy
(b) the audit plan and
(c) any significant changes made during the audit engagement to the overall
audit strategy or the audit plan, and the reasons for such changes.
The documentation of the overall audit strategy is a record of the key decisions
considered necessary to properly plan the audit and to communicate significant
matters to the engagement team.
The documentation of the audit plan is a record of the planned nature, timing and
extent of risk assessment procedures and further audit procedures at the assertion
level in response to the assessed risks. It also serves as a record of the proper
planning of the audit procedures that can be reviewed and approved prior to their
performance. The auditor may use standard audit programs and/or audit
completion checklists, tailored as needed to reflect the particular engagement
circumstances.
A record of the significant changes to the overall audit strategy and the audit plan,
and resulting changes to the planned nature, timing and extent of audit procedures,
explains why the significant changes were made, and the overall strategy and audit
plan finally adopted for the audit. It also reflects the appropriate response to the
significant changes occurring during the audit.
© The Institute of Chartered Accountants of India
a
2.18 AUDITING AND ETHICS
Test Your Understanding 3
CA Mary, while planning audit of a company, feels that she would inquire from
inhouse legal counsel of the company status of pending litigation matters against
the company to identify and assess risks of material misstatements. Considering
above description, are you able to identify said procedures? Where these identified
procedures are included in planning in accordance with SA-300?
Test Your Understanding 4
CA Shubhendu is statutory auditor of a social media company. Due to change in
information technology regulations by government, it has become mandatory for
such companies to constitute “grievance redressal mechanism” for users of social
media platform of the company. Failure to comply with regulations can potentially
lead to civil and criminal liabilities against the company. Is above factor to be
considered by auditor while framing audit strategy?
8. AUDIT PROGRAMME
It is desirable that in respect of each audit and more particularly for bigger audits,
an audit programme should be drawn up. Audit programme is a list of examination
and verification steps to be applied and set out in such a way that the
interrelationship of one step to another is clearly shown and designed, keeping in
view the assertions discernible in the statements of account produced for audit or
on the basis of an appraisal of the accounting records of the client.
An audit programme consists of a series of verification procedures to be applied to
the financial statements and accounts of a given entity for the purpose of obtaining
sufficient evidence to enable the auditor to express an informed opinion on
financial statements.
In other words, an audit programme is a detailed plan of applying the audit
procedures in the given circumstances with instructions for the appropriate
techniques to be adopted for accomplishing the audit objectives.
© The Institute of Chartered Accountants of India
AUDIT STRATEGY, AUDIT PLANNING AND AUDIT 2.19
PROGRAMME
8.1 Evolving one audit programme- Not Practicable for
All businesses
Businesses vary in nature, size and composition; work which is suitable to one
business may not be suitable to others; efficiency and operation of internal controls
and the exact nature of the service to be rendered by the auditor are the other
factors that vary from assignment to assignment. On account of such variations,
evolving one audit programme applicable to all business under all circumstances is
not practicable. However, it becomes a necessity to specify in detail in the audit
programme the nature of work to be done so that no time will be wasted on matters
not pertinent to the engagement and any special matter or any specific situation
can be taken care of.
8.2 The Assistant to keep an open mind
To start with, an auditor having regard to the nature, size and composition of the
business and the dependability of the internal control and the given scope of work,
should frame a programme which should aim at providing for a minimum essential
work which may be termed as a standard programme. As experience is gained by
actually carrying out the work, the programme may be altered to take care of
situations which were left out originally, but are found relevant for the particular
concern. Similarly, if any work originally provided for proves beyond doubt to be
unnecessary or irrelevant, it may be dropped. The assistant engaged in the job should
be encouraged to keep an open mind beyond the programme given to him. He
should be instructed to note and report significant matters coming to his notice, to
his seniors or to the partners or proprietor of the firm engaged for doing the audit.
8.3 Periodic review of the audit programme
There should be periodic review of the audit programme to assess whether the
same continues to be adequate for obtaining requisite knowledge and evidence
about the transactions. Unless this is done, any change in the business policy of the
client may not be adequately known, and consequently, audit work may be carried
on, on the basis of an obsolete programme and, for this negligence, the whole audit
may be held as negligently conducted and the auditor may have to face legal
consequences.
© The Institute of Chartered Accountants of India
a
2.20 AUDITING AND ETHICS
The utility of the audit programme can be retained and enhanced only by keeping
the programme as also the client’s operations and internal control under periodic
review so that inadequacies or redundancies of the programme may be removed.
However, as a basic feature, audit programme not only lists the tasks to be carried
out but also contains a few relevant instructions, like the extent of checking, the
sampling plan, etc. So long as the programme is not officially changed by the
principal, every assistant deputed on the job should unfailingly carry out the
detailed work according to the instructions governing the work. Many persons
believe that this brings an element of rigidity in the audit programme. This is not
true provided the periodic review is undertaken to keep the programme as up-to-
date as possible and by encouraging the assistants on the job to observe all salient
features of the various accounting functions of the client.
8.4 Constructing an audit programme
The audit planning ideally commences at the conclusion of the previous year’s
audit, and along with the related programme, it should be reconsidered for
modification as the audit progresses. Such consideration is based on the auditor’s
review of the internal control, his preliminary evaluation thereof, and the results of
his compliance and substantive procedures.
While developing an audit programme, the auditor may conclude that relying on
certain internal controls is an effective and efficient way to conduct his audit.
However, the auditor may decide not to rely on internal controls when there are
other more efficient ways of obtaining sufficient appropriate audit evidence. The
auditor should also consider the timing of the procedures, the coordination of any
assistance expected from the client, the availability of assistants, and the
involvement of other auditors or experts.
Further, the auditor normally has flexibility in deciding when to perform audit
procedures. However, in some cases, the auditor may have no discretion as to
timing, for example, when observing the taking of inventories by client personnel
or verifying the securities and cash balances at the year-end.
For the purpose of programme construction, the following points should be kept
in mind:
(1) Stay within the scope and limitation of the assignment.
© The Institute of Chartered Accountants of India
AUDIT STRATEGY, AUDIT PLANNING AND AUDIT 2.21
PROGRAMME
(2) Prepare a written audit programme setting forth the procedures that are
needed to implement the audit plan.
(3) Determine the evidence reasonably available and identify the best evidence
for deriving the necessary satisfaction.
(4) Apply only those steps and procedures which are useful in accomplishing the
verification purpose in the specific situation.
(5) Include the audit objectives for each area and sufficient details which serve
as a set of instructions for the assistants involved in audit and help in
controlling the proper execution of the work.
(6) Consider all possibilities of error.
(7) Co-ordinate the procedures to be applied to related items.
Stay within the
scope and
limitation of the
assignment.
Co-ordinate
the Prepare a
procedures to written audit
be applied to programme.
related items.
Determine the
evidence
Consider all
reasonably
possibilities
available and
of error.
identify the best
evidence.
Apply only those
Include the steps which are
audit useful in
objectives for accomplishing
each area. the verification
purpose.
© The Institute of Chartered Accountants of India
a
2.22 AUDITING AND ETHICS
8.5 Audit Programme- Designed to provide audit
evidence
Audit evidence may be defined as the information used by the auditor in arriving
at the conclusions on which the auditor’s opinion is based. Audit evidence includes
both information contained in the accounting records underlying the financial
statements and other information.
Evidence is the very basis for formulation of opinion and an audit programme is
designed to provide for that by prescribing procedures and techniques. What is
best evidence for testing the accuracy of any assertion is a matter of expert
knowledge and experience. This is the primary task before the auditor when he
draws up the audit programme. Transactions are varied in nature and impact;
procedures to be prescribed depend on prior knowledge of what evidence is
reasonably available in respect of each transaction.
In most of the assertions much of the evidence be drawn and each one should be
considered and weighed to ascertain its weight to prove or disprove the assertion. In
this process, an auditor would be in a position to identify the evidence that brings the
highest satisfaction to him about the appropriateness or otherwise of the assertion.
An auditor picks up evidence from a variety of fields and it is generally of the
following broad types:
(a) Documentary examination
(b) Physical examination
(c) Statements and explanation of management, officials and employees
(d) Statements and explanations of third parties
(e) Arithmetical calculations by the auditor
(f) State of internal controls and internal checks
(g) Inter-relationship of the various accounting data
(h) Subsidiary and memorandum records
(i) Minutes
(j) Subsequent action by the client and by others.
© The Institute of Chartered Accountants of India
AUDIT STRATEGY, AUDIT PLANNING AND AUDIT 2.23
PROGRAMME
Example
1. For cash in hand, the best evidence is ‘count’.
2. For investment pledged with a bank, the banker’s certificate.
3. For verifying assertions about book debts, the client’s ledger invoices, debit
notes, credit notes, monthly accounts statement sent to the customers are all
evidence: some of these are corroborative, other being complementary. In
addition, balance confirmation procedure is often resorted to, to obtain
greater satisfaction about the reliability of the assertion.
The auditor, however, has to place appropriate weight on each piece of evidence
and accordingly should prescribe the priority of verification. It is true that in all
cases one procedure may not bring the highest satisfaction and it may be
dangerous for the auditor to ignore any evidence that is available. By the word
“available”, we do not mean that the evidence available with the client is the only
available evidence. The auditor should know what normally should be available in
the context of the transaction having regard to the circumstances and usage.
8.6 Advantages and disadvantages of an audit
programme
The advantages of an audit programme are: -
(a) It provides the assistant carrying out the audit with total and clear set of
instructions of the work generally to be done.
(b) It is essential, particularly for major audits, to provide a total perspective of
the work to be performed.
(c) Selection of assistants for the jobs on the basis of capability becomes easier
when the work is rationally planned, defined and segregated.
(d) Without a written and pre-determined programme, work is necessarily to be
carried out on the basis of some ‘mental’ plan. In such a situation there is
always a danger of ignoring or overlooking certain books and records. Under
a properly framed programme, such danger is significantly less and the audit
can proceed systematically.
© The Institute of Chartered Accountants of India
a
2.24 AUDITING AND ETHICS
(e) The assistants, by putting their signature on programme, accept the
responsibility for the work carried out by them individually and, if necessary,
the work done may be traced back to the assistant.
(f) The principal can control the progress of the various audits in hand by
examination of audit programmes initiated by the assistants deputed to the
jobs for completed work.
(g) It serves as a guide for audits to be carried out in the succeeding year.
(h) A properly drawn up audit programme serves as evidence in the event of any
charge of negligence being brought against the auditor. It may be of
considerable value in establishing that he exercised reasonable skill and care
that was expected of professional auditor.
Some disadvantages are also there in the use of audit programmes but most of
these can be removed by following some concrete steps.
The disadvantages are: -
(a) The work may become mechanical and particular parts of the programme
may be carried out without any understanding of the object of such parts in
the whole audit scheme.
(b) The programme often tends to become rigid and inflexible following set
grooves; the business may change in its operation of conduct, but the old
programme may still be carried on. Changes in staff or internal control may
render precaution necessary at points different from those originally decided
upon.
(c) Inefficient assistants may take shelter behind the programme i.e., defend
deficiencies in their work on the ground that no instruction in the matter is
contained therein.
(d) A hard and fast audit programme may kill the initiative of efficient and
enterprising assistants.
All these disadvantages may be eliminated by imaginative supervision of the work
carried on by the assistants; the auditor must have a receptive attitude as regards
the assistants; the assistants should be encouraged to observe matters objectively
and bring significant matters to the notice of supervisor/principal.
© The Institute of Chartered Accountants of India
AUDIT STRATEGY, AUDIT PLANNING AND AUDIT 2.25
PROGRAMME
Test Your Understanding 5
Rohit, undergoing practical training, is part of an engagement team conducting
audit of a company engaged in manufacturing of paints. He has been provided with
audit programme pertaining to sales. It lists out various items to be checked and
verified by him including invoices, rate lists, posting in debtors accounts,
correlation of invoices with e-way bills on sample basis etc.
During verification, he notices that many e-way bills have been cancelled by the
company within 24 hours of their generation in month of March. There is no specific
instruction in audit programme in this regard. He keeps mum. Is attitude of Rohit
proper?
Extract of Sample audit programme pertaining to sales of an entity
Name of concern Fine Industries
Financial year 2021-22
Prepared by P (with date)
Reviewed by Q (with date)
Approved by R (with date)
Serial Nature of Procedure Extent of Basis of Done by
number Check sample
(a) Vouch few sales invoices from
copies available in record of the
concern.
(b) Trace these invoices into the
account books of the concern.
(c) Verify few invoices with e-way bills
generated on the e- way bill portal.
(d) Trace few sales invoices into the
stock records to ensure that sold
quantities have been reduced from
stocks.
(e) Trace also few sales invoices into
accounts of buyers
© The Institute of Chartered Accountants of India
a
2.26 AUDITING AND ETHICS
CASE STUDY
Kaur & Associates, a sole proprietor firm of Simran Kaur, is offered appointment as
auditor of a company engaged in manufacturing of automobile components for
the first time. She is fact checking about the integrity of promoters of the company
and key managerial persons. Matters such as competence of staff to perform the
engagement are also considered by her. The appointment is subsequently accepted
by her.
She is also taking into account number and location of branches of the company,
requirements of Schedule III of Companies Act, 2013 and expected time by which
audit has to be completed keeping in view statutory requirements. Initially, she has
thought it proper to inquire key employees of the company in procurement and
marketing departments and planned for the same. She has also planned to visit
three plants of the company. The purpose of planned inquiry and visit is to identify
and assess risk of material misstatements.
A detailed set of instructions has been prepared by her office and it has been
handed over to assistants in engagement team. These set of instructions include
details of extent of checking and nature of audit procedures to be performed
regarding purchases, sales, items of income, items of expenditure etc. During the
course of execution of above set of instructions, it has been brought to her notice
that company is also producing substantial quantities of scrap generated during
manufacturing process. However, no instructions have been given to engagement
team in this regard.
Based on above, answer following questions:
1. Auditor is fact checking about promoters and key managerial persons. She is
also considering competence of staff to perform engagement. What is she trying
to do?
(a) She is establishing audit strategy.
(b) She is conducting preliminary engagement activities.
(c) She is designing audit plan.
(d) She is checking her compliance of ethical requirements.
© The Institute of Chartered Accountants of India
AUDIT STRATEGY, AUDIT PLANNING AND AUDIT 2.27
PROGRAMME
2. Consideration of number and location of branches, requirements of financial
reporting framework and expected time of completion are relevant factors
primarily for which of the following -
(a) Developing audit plan
(b) Establishing overall audit strategy
(c) Designing audit programme
(d) Designing risk assessment procedures
3. Taking into account description of planned inquiry and visit, which of the
following statements is TRUE?
(a) Planned inquiry and visit fall in area of audit strategy.
(b) Planned inquiry and visit are planned risk assessment procedures and fall
in field of audit plan.
(c) The said description is not related to audit planning.
(d) Planned inquiry and visit fall in scope of audit programme.
4. What is detailed set of instructions given to assistants in engagement team
known as?
(a) Audit guidelines
(b) Audit plan
(c) Audit Programme
(d) Audit Procedures
5. The issue of generation of scrap has been overlooked in detailed set of
instructions given to engagement team. What should be proper course of action
by CA Simran Kaur?
(a) She should ignore this information as audit has already begun.
(b) She should modify earlier set of instructions.
(c) She should leave the matter to wisdom of engagement team.
(d) She should put the ball in court of management as she was not provided
with complete information earlier.
© The Institute of Chartered Accountants of India
a
2.28 AUDITING AND ETHICS
Answers to Questions involving case study
1. (b) 2. (b) 3. (b) 4. (c) 5. (b)
SUMMARY
SA-300 states that objective of the auditor is to plan the audit so that it will
be performed in an effective manner.
Planning is not a discrete phase of an audit, but rather a continual and iterative
process.
Elements of planning include preliminary engagement activities and planning
activities.
Preliminary engagement activities include performing procedures regarding
continuance of client relationship, evaluating compliance with ethical
requirements including independence and establishing an understanding of
terms of engagement with the client so that there are no misunderstandings.
Planning activities include establishing overall audit strategy and developing
audit plan.
Audit strategy sets scope, timing and direction of audit.
Audit plan addresses various matters identified in overall audit strategy.
Audit plan includes nature, timing and extent of planned risk assessment
procedures, planned further audit procedures and planned other audit
procedures in accordance with SAs.
The establishment of the overall audit strategy and the detailed audit plan
are not necessarily discrete or sequential processes, but are closely inter-
related since changes in one may result in consequential changes to the
other.
Overall audit strategy, audit plan and changes made shall be documented by
auditor.
An audit programme consists of a series of verification procedures to be
applied to the financial statements and accounts of a given entity for the
purpose of obtaining sufficient evidence to enable the auditor to express an
informed opinion on financial statements.
© The Institute of Chartered Accountants of India
AUDIT STRATEGY, AUDIT PLANNING AND AUDIT 2.29
PROGRAMME
TEST YOUR KNOWLEDGE
MCQs based Questions
1. Which of the following is not considered in planning an audit generally?
(a) Understanding of legal and regulatory framework of an entity
(b) Need to consider determination of materiality
(c) Evaluating audit evidence
(d) Need to consider involvement of expert
2. Which of the following is true about audit plan?
(a) Once an audit plan has been finalized for an engagement, changes
cannot be made to it.
(b) Audit plan includes scope, timing and direction of planned risk
assessment procedures.
(c) Changes in audit plan cannot lead to change in audit strategy.
(d) Audit plan has to be documented by auditor.
3. Which of the following is not included in an audit programme normally?
(a) Extent of checking
(b) Date of checking
(c) Nature or type of procedure
(d) Planning of risk assessment procedures
4. Which of the following is not an advantage of an audit programme?
(a) It acts as a guide for audit of coming years.
(b) It fixes responsibility of assistants.
(c) It serves as a shelter for assistants.
(d) It serves a proof of work done by auditor.
5. Which of the following is most important principle for formulating an audit
plan?
(a) Gaining knowledge of client’s workforce
© The Institute of Chartered Accountants of India
a
2.30 AUDITING AND ETHICS
(b) Gaining knowledge of client’s business
(c) Gaining knowledge of client’s vendors
(d) Gaining knowledge of tax laws applicable to client
Correct/Incorrect
State with reasons (in short) whether the following statements are correct
or incorrect:
1. The establishment of the overall audit strategy and the detailed audit plan are
not necessarily discrete or sequential processes, but are closely inter-related
since changes in one may result in consequential changes to the other.
2. Establishing an overall audit strategy that sets the scope, timing and direction
of the audit, and that guides the development of the audit plan is prerogative
of the management.
3. Planning is a discrete phase of an audit.
4. A detailed Audit Programme once prepared for a business can be used for all
business under all circumstances.
5. The audit plan is more detailed than the overall audit strategy.
Theoretical Questions
1. Discuss how performing preliminary engagement activities as part of planning
an audit assists auditor.
2. Discuss how an engagement partner ensures that firm complies with relevant
ethical requirements including independence in relation to client.
3. “Purported disadvantages of an audit programme can be overcome”. Do you
agree?
4. An auditor of a company fails to document audit strategy and audit plan. Briefly
outline consequences of such failure.
5. SA 300 states that auditor shall plan the nature, timing and extent of direction
and supervision of engagement team members and the review of their work.
Discuss few factors affecting such supervision and review of work of
engagement team members.
© The Institute of Chartered Accountants of India
AUDIT STRATEGY, AUDIT PLANNING AND AUDIT 2.31
PROGRAMME
ANSWERS/SOLUTIONS
Answers to the MCQs based Questions
1. (c) 2. (d) 3. (d) 4. (c) 5. (b)
Answers to Correct/Incorrect
1. Correct: Once the overall audit strategy has been established, an audit plan
can be developed to achieve the audit objectives through the efficient use of
the auditor’s resources. The establishment of the overall audit strategy and
the detailed audit plan are not necessarily discrete or sequential processes,
but are closely inter-related since changes in one may result in consequential
changes to the other.
2. Incorrect. The auditor shall establish an overall audit strategy that sets the
scope, timing and direction of the audit, and that guides the development of
the audit plan.
3. Incorrect. Planning is not a discrete phase of an audit, but rather a continual
and iterative process that often begin shortly after (or in connection with) the
completion of the previous audit and continues until the completion of the
current audit engagement. Planning, however, includes consideration of the
timing of certain activities and audit procedures that need to be completed
prior to the performance of further audit procedures.
4. Incorrect. Businesses vary in nature, size and composition; work which is
suitable to one business may not be suitable to others; efficiency and
operation of internal controls and the exact nature of the service to be
rendered by the auditor are the other factors that vary from assignment to
assignment. On account of such variations, evolving one audit programme
applicable to all business under all circumstances is not practicable.
5. Correct. The audit plan is more detailed than the overall audit strategy that
includes the nature, timing and extent of audit procedures to be performed by
engagement team members. Planning for these audit procedures takes place
over the course of the audit as the audit plan for the engagement develops.
© The Institute of Chartered Accountants of India
a
2.32 AUDITING AND ETHICS
Answers to the Theoretical Questions
1. Performing preliminary engagement activities assists the auditor in
identifying and evaluating events or circumstances that may affect auditor’s
ability to plan and perform audit engagement.
2. Refer to point on evaluating compliance with ethical requirements including
independence.
3. Purported disadvantages of audit programme may be eliminated by
imaginative supervision of the work carried on by the assistants; the auditor
must have a receptive attitude as regards the assistants; the assistants should
be encouraged to observe matters objectively and bring significant matters
to the notice of supervisor/principal.
4. Refer to point on documentation
5. Refer to point on Planning supervision and review of work of engagement
team members
Answers to Questions involving Test Your Understanding
1. Consideration for involvement of experts by auditors falls within domain of
planning. While planning an audit, auditor would have to consider whether
involvement of experts is necessary. In the stated case, company is involved
in technical and complex operations. Therefore, while planning an audit,
auditors would have to consider whether involvement of expert is necessary.
2. In the case, CA Kartik has reached office of the company without sharing with
management his intention to test the controls. The auditor may decide to
discuss elements of planning with the entity’s management to facilitate the
conduct and management of the audit engagement without compromising
effectiveness of audit. Sharing details of visit to test controls does not
compromise effectiveness of audit. It is for the better facilitation and conduct
of audit. Therefore, approach of CA Kartik is not proper.
3. These are planned risk assessment procedures to identify and assess risk of
material misstatement. The objective of planned inquiry of inhouse legal
counsel is to identify and assess risk of material misstatement. Such planned
risk assessment procedures are included in audit plan in accordance with
SA-300.
© The Institute of Chartered Accountants of India
AUDIT STRATEGY, AUDIT PLANNING AND AUDIT 2.33
PROGRAMME
4. Changes in laws and regulations affecting the company is a factor to be
considered while establishing overall audit strategy. There has been change
in information technology regulations applicable to the company. Non-
compliance of the same can have implications in form of civil and criminal
liabilities. Such an important matter concerning changes in laws and
regulations is to be considered by auditor while establishing overall audit
strategy.
5. Attitude of Rohit is not proper. The assistants should observe matters
objectively and bring significant matters to the notice of supervisor/principal.
Reasons for cancellation of many e-way bills in month of March need to be
looked into. Matter should be informed to engagement partner.
© The Institute of Chartered Accountants of India
© The Institute of Chartered Accountants of India
CHAPTER 3
RISK ASSESSMENT
AND INTERNAL
CONTROL
LEARNING OUTCOMES
.. After studying this chapter, you would be able to understand-
♦ Meaning of audit risk and variables affecting it.
♦ Risk assessment procedures.
♦ Concept of materiality in planning and performing an audit.
♦ Importance of understanding the entity and its environment.
♦ Meaning, objectives, benefits and limitations of internal control.
♦ Components of internal control.
♦ Whether all the controls are relevant to an audit.
♦ Nature and Extent of the Understanding of Relevant Controls.
♦ Risks that require special audit consideration.
♦ Evaluation of Internal control system-Benefits and methods.
♦ Testing of internal control.
♦ Automated environments-its key features.
♦ Risks arising from use of IT Systems.
♦ Types of Controls in an automated environment.
♦ Importance of data analytics for audit.
♦ Internal financial controls as per regulatory requirements.
♦ Auditor’s responses to assessed risks.
♦ Practicality of above concepts by studying through examples and case studies.
© The Institute of Chartered Accountants of India
3.2 AUDITING AND ETHICS
CHAPTER
♦ OVERVIEW
Audit Risk
Risk Assessment
Understanding the
& Identify & Assess
Entity and its
Internal Control Risk of Material
Environment
Misstatement
Risk Assessment
Procedures
Automated
Environment
SA - 315, SA
IT Related
320 &
Risks
SA 330
Data
DIGITAL Controls &
AUDIT
Types of IT
Analytics
Controls
Testing Impact on
Methods Controls
Internal
Financial
Controls
© The Institute of Chartered Accountants of India
RISK ASSESSMENT AND INTERNAL CONTROL 3.3
Sameer had now subscribed to online subscription of a pink newspaper using his
android phone. He was getting regular news updates pertaining to financial matters
of companies. While going through such updates, he stumbled upon one report
relating to audited accounts of a listed company. Scrolling the same, he gathered
that SEBI had referred the matter to regulator for further action.
He was flummoxed. He had learnt that audit is carried out after proper planning
and performing audit procedures. However, the news report was hinting at
possibility of inappropriate opinion expressed by the auditor. Was it a single odd
case? Or is there a chance of inappropriate opinion being expressed by an auditor
when there are significant wrong doings in financial statements in every audit?
What is this risk known as? What causes presence of this risk? Can’t it be eliminated
completely? How this risk can be addressed? He needed answers to such
questions.
It was clear to him that a meaningful and effective audit is possible only after
gaining knowledge about client’s business. What are the specifics about it? It
cannot be limited merely to understanding about nature of client’s business. Apart
from this, it must include a study and evaluation of client’s systems and controls.
What system has been devised and put into operation by the client to carry out its
business efficiently and effectively? How the client is ensuring reliability of financial
reporting? All these questions should be important to an auditor.
Whether gaining knowledge of client’s systems and controls is enough? Shouldn’t
it be followed up with actual testing of client’s controls? It is only when controls
are actually tested, these can be relied upon. A thought was gaining in his mind
how auditor responds to the risks. Is testing of controls enough or something more
to be done?
He already knew how actively business entities are using technology to develop
their systems with minimal human intervention. Shouldn’t use of technology ease
up the things? Can use of technology also involve risks which may be relevant to
an auditor so that he doesn’t give an inappropriate opinion? To satiate his mind,
he turned to Chapter 3.
© The Institute of Chartered Accountants of India
3.4 AUDITING AND ETHICS
1. AUDIT RISK
Audit risk means the risk that the auditor gives an inappropriate audit opinion when
the financial statements are materially misstated.
It means that an auditor expresses an unmodified opinion when financial
statements are materially misstated. In such a case, not only reputation of auditor
would be damaged, but he could also invite regulatory action from professional
body and could face probable legal action by intended users.
To avoid such unpleasant consequences, the auditor will plan and perform the audit
in such a way that audit risk is reduced to an acceptably low level. SA-200 states
that the auditor shall obtain sufficient appropriate audit evidence to reduce audit
risk to an acceptably low level and thereby enable the auditor to draw reasonable
conclusions on which to base the auditor’s opinion.
Consider, for example, that profits of a company have been increased artificially by
showing fake revenues of sizeable amounts in its financial statements. In such a
case, financial statements are materially misstated. The probability, that auditor in
such a case, expresses an inappropriate audit opinion is referred to as audit risk. It
is the possibility that auditor expresses an unmodified opinion even when
financial statements are materially misstated.
Audit risk is a function of the risks of material misstatement and detection risk.
1.1 Risks of material misstatement
SA 200 states that risk of material statement is the risk that the financial statements
are materially misstated prior to audit. It simply means that there is a probability
of frauds or errors in financial statements before audit.
What is meant by misstatement?
Misstatement refers to a difference between the amount, classification,
presentation, or disclosure of a reported financial statement item and the amount,
classification, presentation, or disclosure that is required for the item to be in
accordance with the applicable financial reporting framework. Misstatements can
arise from error or fraud.
© The Institute of Chartered Accountants of India
RISK ASSESSMENT AND INTERNAL CONTROL 3.5
Few examples of misstatements could be: -
Charging of an item of capital expenditure to revenue or vice-versa
Difference in disclosure of a financial statement item vis-à-vis its requirement in
applicable financial reporting framework
Selection or application of inappropriate accounting policies
Difference in accounting estimate of a financial statement item vis-à-vis its
appropriateness in applicable financial reporting framework
Intentional booking of fake expenses in statement of profit and loss
Overstating of receivables in financial statements by not writing off irrecoverable
debts
Overstating or understating inventories
The risks of material misstatement may exist at two levels: -
(i) The overall financial statement level
(ii) The assertion level for classes of transactions, account balances, and
disclosures.
Risks of material misstatement at the overall financial statement level refer to
risks of material misstatement that relate pervasively to the financial statements as
a whole and potentially affect many assertions.
Risks of material misstatement at the assertion level are assessed in order to
determine the nature, timing, and extent of further audit procedures necessary to
obtain sufficient appropriate audit evidence. This evidence enables the auditor to
express an opinion on the financial statements at an acceptably low level of audit
risk.
1.2 Components of risk of material misstatement
The risk of material misstatement at assertion level comprises of two
components i.e., inherent risk and control risk. Both inherent risk and control
risk are the entity’s risks and they exist independently of the audit of financial
statements. Inherent risk and control risk are influenced by the client. These are
entity’s risks and are not influenced by the auditor.
© The Institute of Chartered Accountants of India
3.6 AUDITING AND ETHICS
1.2A Inherent risk
Inherent risk is the susceptibility of an assertion about a class of transaction,
account balance or disclosure to a misstatement that could be material, either
individually or when aggregated with other misstatements before consideration of
any related controls as described in SA-200.
There is always a risk that before considering any existence of internal control in an
entity, a particular transaction, balance of an account or a disclosure required to be
made in the financial statements of an entity have a chance of being misstated and
such misstatement can be material. This risk is known as inherent risk.
Inherent risk is higher for some assertions and related classes of transactions,
account balances, and disclosures than for others. For example, it may be higher
for complex calculations.
Inherent risk factors are considered while designing tests of controls and
substantive procedures. Category of auditor’s assessment lower or higher, each
category covers a range of degrees of inherent risk. Auditor may assess the inherent
risk of two different assertions as lower while recognizing that one assertion has
less inherent risk than the other, although both have been assessed as lower.
It is important to consider the reason for each identified inherent risk even if the
risk is lower, when auditor designs tests of controls and substantive procedures.
External circumstances giving rise to business risks may also influence inherent risk.
For example, technological developments might make a particular product
obsolete. Factors in the entity and its environment may also influence the inherent
risk related to a specific assertion.
Few examples of inherent risks could include: -
An accounting standard provides guidance on some complex issue which
might not be understood by the management. Therefore, recording of this
issue in financial statements carries inherent risk of being misstated.
There are large number of business failures in an industry. Therefore,
assertions in financial statements of an entity operating in such an industry
carry an inherent risk of being misstated.
© The Institute of Chartered Accountants of India
RISK ASSESSMENT AND INTERNAL CONTROL 3.7
1.2B Control risk
In accordance with SA-200, control risk is the risk that a misstatement that could
occur in an assertion about a class of transaction, account balance or disclosure
and that could be material, either individually or when aggregated with other
misstatements, will not be prevented, or detected and corrected, on a timely basis
by the entity’s internal control.
Control risk is a risk that internal control existing and operating in an entity would
not be efficient enough to stop from happening, or find and then rectify in an
appropriate time, any material misstatement relating to a transaction, balance of
an account or disclosure required to be made in the financial statements of that
entity. Therefore, in a way, it can be said that there exists an inverse relation
between control risk and efficiency of internal control of an entity. When efficiency
of internal control of an entity is high, the control risk is low and when efficiency of
internal control of that entity is low, the control risk is high.
Examples of control risk could include: -
A company has devised control that cash and cheque books should be kept
in a locked safe and access is granted to authorized personnel only. There is
risk that control is not being followed.
An entity has devised a control that fire extinguishers and smoke detectors
are in place and are in working condition at all times to reduce the risk of
damage to inventories caused by fire. There is a risk that fire extinguishers in
place are expired and are not being refilled. Similarly, there is a possibility
that smoke detectors are not working.
A company has devised a control relating to petty cash that items of
expenditure of only less than ` 10000 should be routed through imprest
system of petty cash. There is a risk that control is not being followed.
1.3 Detection risk
SA 200 defines detection risk as the risk that the procedures performed by the
auditor to reduce audit risk to an acceptably low level will not detect a
misstatement that exists and that could be material, either individually or when
aggregated with other misstatements.
For example, auditor of a company uses certain audit procedures for the purpose
© The Institute of Chartered Accountants of India
3.8 AUDITING AND ETHICS
of obtaining audit evidence and reducing audit risk, but still there will remain a risk
that audit procedures used by the auditor may not be able to detect a misstatement
which by nature is material, then that risk is known as detection Risk.
Detection risk comprises sampling and non-sampling risk.
Sampling risk is the risk that the auditor’s conclusion based on a sample may
be different from the conclusion if the entire population were subjected to the
same audit procedure. It simply means that the sample was not representative
of the population from which it was chosen.
Non-sampling risk is the risk that the auditor reaches an erroneous conclusion
for any reason not related to sampling risk. Like an auditor may reach an
erroneous conclusion due to application to some inappropriate audit procedure.
Examples of detection risk could include: -
Sizeable work-in-progress inventories are expected in financial statements of a
company. However, auditor of the company does not devote time to attending
inventory count. Instead, he chooses to rely upon alternative audit procedures.
The auditor of a company has audited revenue of a company by taking a
sample. However, there is a risk that sample of revenue is not representative
of overall revenue.
The auditor can only influence detection risk. Inherent risk and control risk belong
to the entity and are influenced by the entity. Therefore, auditor must reduce
detection risk in order to keep audit risk at low level. Detection risk may be
reduced by increasing area of checking, testing larger samples and by
including competent and experienced persons in the engagement team.
1.4 Audit risk-What is not included?
Audit risk is a technical term related to the process of auditing; it does not refer to
the auditor’s business risks such as loss from litigation, adverse publicity, or other
events arising in connection with the audit of financial statements.
For purposes of the SAs, audit risk does not include the risk that the auditor might
express an opinion that the financial statements are materially misstated when they
are not. This risk is ordinarily insignificant.
© The Institute of Chartered Accountants of India
RISK ASSESSMENT AND INTERNAL CONTROL 3.9
1.5 Assessment of risks- A matter of professional
Judgment
As discussed at the outset, audit risk is a function of the risks of material
misstatement and detection risk. The assessment of risks is based on audit
procedures to obtain information necessary for that purpose and evidence
obtained throughout the audit. The assessment of risks is a matter of professional
judgment, rather than a matter capable of precise measurement. The distinguishing
feature of the professional judgment expected of an auditor is that it is exercised
by an auditor whose training, knowledge and experience have assisted in
developing the necessary competencies to achieve reasonable judgments.
An Overview of Audit risk
Checkbox Audit risk- What is included?
Audit risk is the risk that the auditor gives an inappropriate audit
opinion when the financial statements are materially misstated.
A function of risks of material misstatement and detection risk.
X Auditor’s business risks such as loss from litigation, adverse publicity, or
other events arising in connection with the audit of financial statements.
X Risk that the auditor might express an opinion that the financial
statements are materially misstated when they are not.
Audit risk
Risks of material
Detection risk
misstatement
Non-Sampling
Inherent risk Control risk Sampling risk
risk
© The Institute of Chartered Accountants of India
3.10 AUDITING AND ETHICS
1.5.1 Combined Assessment of the Risk of Material Misstatement
Standards on auditing do not ordinarily refer to inherent risk and control risk
separately, but rather to a combined assessment of the “risks of material
misstatement”. However, the auditor may make separate or combined assessments
of inherent and control risk depending on preferred audit techniques or
methodologies and practical considerations. The assessment of the risks of material
misstatement may expressed in quantitative terms, such as in percentages, or in
non-quantitative terms. In any case, the need for the auditor to make appropriate
risk assessments is more important than the different approaches by which they
may be made.
It can be concluded from the above that: -
Audit risk = Risks of material misstatement X Detection risk
Since risks of material misstatement is a function of inherent risk and control risk,
it can also be shown as: -
Audit risk = Inherent risk X Control risk X Detection risk
ILLUSTRATION 1
XYZ Ltd is engaged in the business and running several stores dealing in variety of
items such as ready made garments for all seasons, shoes, gift items, watches etc. There
are security tags on each and every item. Moreover, inventory records are physically
verified on monthly basis.
Discuss the types of inherent, control and detection risks as perceived by the auditor.
SOLUTION
Inherent Risk: Because items may have been misappropriated by employees,
therefore, risk to the auditor is that inventory records would be inaccurate.
Control Risk: There is a security tag on each item displayed. Moreover, inventory
records are physically verified on monthly basis. Despite various controls being
implemented at the stores, still collusion among employees may be there and risk
to auditor would again be that inventory records would be inaccurate.
© The Institute of Chartered Accountants of India
RISK ASSESSMENT AND INTERNAL CONTROL 3.11
Detection Risk: Auditor checks the efficiency and effectiveness of various control
systems in place. He would do that by making observation, inspection, enquiry, etc.
In addition to these, the auditor would also employ sampling techniques to check
few sales transactions from beginning to end. However, despite all these
procedures, the auditor may not detect the items which have been stolen or
misappropriated.
ILLUSTRATION 2
A Partnership Firm of Chartered Accountants HT and Associates was appointed to
audit the books of accounts of Wind and Ice Limited for the financial year 2020-21.
There was a risk that HT and Associates would give an inappropriate audit opinion if
the financial statements of Wind and Ice Limited are materially misstated. State the
Risk mentioned in the question
SOLUTION
The risk mentioned in the question is known as Audit Risk, because risk that auditor
of a company will give an inappropriate audit opinion if the financial statements of
that company are materially misstated is known as Audit Risk.
Test Your Understanding 1
Wear & Tear Private Limited is a “start-up” engaged in providing holistic solutions
to problem of paddy stubble burning mainly catering to needs of farmers of North
western India. Due to importance given by governments to this issue, companies
have entered in the market in past few years. Many of these companies have not
been successful and have gone bust. As an auditor of the company, can you spot
the component of risks of material misstatement involved in above?
Test Your Understanding 2
A company has devised a control that its inventory of perishable goods is stored in
appropriate conditions- in a controlled environment to prevent any damages to
inventory. Responsibility is fixed on two persons to monitor environment using
sensors and to report on deviations. Identify the component of risks of material
misstatement involved as an auditor of the company.
© The Institute of Chartered Accountants of India
3.12 AUDITING AND ETHICS
Test Your Understanding 3
Shree Foods Private Limited is engaged in manufacturing of garlic bread. The
auditors of company have planned audit procedures in respect of recognition of
revenues of the company. Despite that, there is a possibility that misstatements in
revenue recognition are not identified by planned audit procedures. Which risk is
being alluded to?
1.6 Identifying and assessing the risk of material
misstatement
As per SA 315 “Identifying and Assessing the Risks of Material Misstatement
through Understanding the Entity and its Environment”, the objective of the
auditor is to identify and assess the risks of material misstatement, whether due to
fraud or error, at the financial statement and assertion levels, through
understanding the entity and its environment, including the entity’s internal
control, thereby providing a basis for designing and implementing responses to
the assessed risks of material misstatement. This will help the auditor to reduce the
risk of material misstatement to an acceptably low level.
The objective of the auditor as stated in SA 315 is to identify and assess the risks
of material misstatement.
(i) The auditor shall identify and assess the risks of material misstatement at:
(a) the financial statement level
(b) the assertion level for classes of transactions, account balances, and
disclosures
to provide a basis for designing and performing further audit procedures
(ii) For the purpose of identifying and assessing the risks of material
misstatement, the auditor shall: -
(a) Identify risks throughout the process of obtaining an understanding of
the entity and its environment, including relevant controls that relate to
the risks, and by considering the classes of transactions, account
balances, and disclosures in the financial statements
(b) Assess the identified risks, and evaluate whether they relate more
pervasively to the financial statements as a whole and potentially affect
many assertions
© The Institute of Chartered Accountants of India
RISK ASSESSMENT AND INTERNAL CONTROL 3.13
(c) Relate the identified risks to what can go wrong at the assertion level,
taking account of relevant controls that the auditor intends to test and
(d) Consider the likelihood of misstatement, including the possibility of
multiple misstatements, and whether the potential misstatement is of a
magnitude that could result in a material misstatement.
1.7 Risk Assessment Procedures
You have already gained a little knowledge about risk assessment procedures in
Chapter 2.
The audit procedures performed to obtain an understanding of the entity and its
environment, including the entity’s internal control, to identify and assess the risks
of material misstatement, whether due to fraud or error, at the financial statement
and assertion level are defined as risk assessment procedures.
Risk assessment procedures are a basis for the identification and assessment of
risks of material misstatement at the financial statement and assertion levels The
auditor shall perform risk assessment procedures to provide a basis for the
identification and assessment of risks of material misstatement at the financial
statement and assertion levels. Risk assessment procedures by themselves,
however, do not provide sufficient appropriate audit evidence on which to base the
audit opinion.
The risks to be assessed include both those due to error and those due to
fraud.
What is included in risk assessment procedures?
The risk assessment procedures shall include the following:
(a) Inquiries of management and of others within the entity who in the auditor’s
judgment may have information that is likely to assist in identifying risks of
material misstatement due to fraud or error.
(b) Analytical procedures.
(c) Observation and inspection.
(a) Inquiries of Management and Others Within the Entity: Much of the
information obtained by the auditor’s inquiries is obtained from management
and those responsible for financial reporting. However, the auditor may also
© The Institute of Chartered Accountants of India
3.14 AUDITING AND ETHICS
obtain information, or a different perspective in identifying risks of material
misstatement, through inquiries of others within the entity and other
employees with different levels of authority.
Inquiries directed toward internal audit personnel may provide
information about internal audit procedures performed during the year
relating to the design and effectiveness of the entity’s internal control
and whether management has satisfactorily responded to findings from
those procedures.
Inquiries of employees involved in initiating, processing or recording
complex or unusual transactions may help the auditor to evaluate the
appropriateness of the selection and application of certain accounting
policies.
Inquiries directed toward in-house legal counsel may provide
information about such matters as litigation, compliance with laws and
regulations, knowledge of fraud or suspected fraud affecting the entity,
warranties, post-sales obligations, arrangements (such as joint
ventures) with business partners and the meaning of contract
Inquiries directed towards marketing or sales personnel may provide
information about changes in the entity’s marketing strategies, sales
trends, or contractual arrangements with its customers.
Inquiries directed to the risk management function (or those
performing such roles) may provide information about operational and
regulatory risks that may affect financial reporting.
Inquiries directed to information systems personnel may provide
information about system changes, system or control failures, or other
information system- related risks.
(b) Analytical Procedures: Analytical procedures performed as risk assessment
procedures may identify aspects of the entity of which the auditor was
unaware and may assist in assessing the risks of material misstatement in
order to provide a basis for designing and implementing responses to the
assessed risks. Analytical procedures performed as risk assessment
procedures may include both financial and non-financial information, for
© The Institute of Chartered Accountants of India
RISK ASSESSMENT AND INTERNAL CONTROL 3.15
example, relationship between sales and square footage of selling space or
volume of goods sold.
Analytical procedures may help identify the existence of unusual transactions
or events, and amounts, ratios, and trends that might indicate matters that
have audit implications. Unusual or unexpected relationships that are
identified may assist the auditor in identifying risks of material misstatement,
especially risks of material misstatement due to fraud. However, when such
analytical procedures use data aggregated at a high level (which may be the
situation with analytical procedures performed as risk assessment
procedures), the results of those analytical procedures only provide a broad
initial indication about whether a material misstatement may exist.
Accordingly, in such cases, consideration of other information that has been
gathered when identifying the risks of material misstatement together with
the results of such analytical procedures may assist the auditor in
understanding and evaluating the results of the analytical procedures.
(c) Observation and Inspection: Observation and inspection may support
inquiries of management and others, and may also provide information about
the entity and its environment. Examples of such audit procedures include
observation or inspection of the following:
The entity’s operations.
Documents (such as business plans and strategies), records, and internal
control manuals.
Reports prepared by management (such as quarterly management reports
and interim financial statements) and those charged with governance
(such as minutes of board of director’s meetings)
The entity’s premises and plant facilities.
1.8 Information obtained by performing risk assessment
procedures - Used as audit evidence
Information obtained by performing risk assessment procedures and related
activities may be used by the auditor as audit evidence to support assessments of
the risks of material misstatement. In addition, the auditor may obtain audit
evidence about classes of transactions, account balances, or disclosures and related
© The Institute of Chartered Accountants of India
3.16 AUDITING AND ETHICS
assertions and about the operating effectiveness of controls, even though such
procedures were not specifically planned as substantive procedures or as tests of
controls. The auditor also may choose to perform substantive procedures or tests
of controls concurrently with risk assessment procedures because it is efficient to
do so.
Test Your Understanding 4
Jo Jo Limited is planning to list on Bombay Stock Exchange next year. As an auditor
of Jo Jo Limited, identify any one reason of increased audit risk due to listing of the
company next year.
Test Your Understanding 5
On perusing financial statements of Jo Jo Limited put up for audit, it is observed by
the auditor that current ratio has improved from 1.20:1 (in preceding year) to 1.75:1
(in current year). Identify what kind of risk assessment procedures are being
performed by auditor? Has it any relation with listing of the company next year on
Bombay Stock Exchange?
2. MATERIALITY
2.1 What is meant by materiality?
SA 320 Materiality in Planning and Performing an Audit states that
misstatements, including omissions, are considered to be material if they,
individually or in the aggregate, could reasonably be expected to influence the
economic decisions of users taken on the basis of the financial statements.
The objective of an independent auditor is to obtain reasonable assurance about
whether the financial statements as a whole are free from material misstatement,
whether due to fraud or error, thereby enabling the auditor to express an opinion
on whether the financial statements are prepared, in all material respects, in
accordance with an applicable financial reporting framework.
Herein, lies the significance of materiality. The auditor has to obtain reasonable
assurance that financial statements as a whole are free from material misstatement
whether due to fraud or error. As a result, an audit strives to identify significant
© The Institute of Chartered Accountants of India
RISK ASSESSMENT AND INTERNAL CONTROL 3.17
risks of material misstatement and audit procedures are geared towards it.
Materiality is not always a matter of relative size. For example, a small amount lost
by fraudulent practices of certain employees can indicate a serious flaw in the
enterprise’s internal control system requiring immediate attention to avoid greater
losses in future.
2.2 Materiality in Planning and performing an audit-
Auditor’s responsibility
The concept of materiality is applied by the auditor both in planning and
performing the audit, and in evaluating the effect of identified misstatements on
the audit and of uncorrected misstatements, if any, on the financial statements and
in forming the opinion in the auditor’s report. SA 320 deals with auditor’s
responsibility to apply the concept of materiality in planning and performing an
audit of financial statements.
Financial reporting frameworks often discuss the concept of materiality in the
context of the preparation and presentation of financial statements. Although
financial reporting frameworks may discuss materiality in different terms, they
generally explain that:
• Misstatements, including omissions, are considered to be material if they,
individually or in the aggregate, could reasonably be expected to influence the
economic decisions of users taken on the basis of the financial statements;
• Judgments about materiality are made in the light of surrounding circumstances,
and are affected by the size or nature of a misstatement, or a combination of
both; and
• Judgments about matters that are material to users of the financial statements
are based on a consideration of the common financial information needs of users
as a group. The possible effect of misstatements on specific individual users,
whose needs may vary widely, is not considered.
Such a discussion, if present in the applicable financial reporting framework,
provides a frame of reference to the auditor in determining materiality for the audit.
If the applicable financial reporting framework does not include a discussion of the
concept of materiality, the characteristics referred to above provide the auditor
with such a frame of reference.
© The Institute of Chartered Accountants of India
3.18 AUDITING AND ETHICS
In planning the audit, the auditor makes judgments about the size of misstatements
that will be considered material. These judgments provide a basis for:
(a) Determining the nature, timing and extent of risk assessment procedures;
(b) Identifying and assessing the risks of material misstatement; and
(c) Determining the nature, timing and extent of further audit procedures.
The materiality determined when planning the audit does not necessarily establish
an amount below which uncorrected misstatements, individually or in aggregate,
will always be evaluated as immaterial. The circumstances related to some
misstatements may cause the auditor to evaluate them as material even if they are
below materiality. Although, it is not practicable to design audit procedures to
detect misstatements that could be material solely because of their nature, the
auditor considers not only the size but also the nature of uncorrected
misstatements, and the particular circumstances of their occurrence, when
evaluating their effect on the financial statements.
The auditor has to apply his professional judgement in determining materiality,
choosing appropriate benchmark and determining level of benchmark. Materiality
forms the basis for determination of audit scope and the levels of testing the
transactions.
While judging materiality, the significance of an item has to be viewed from
different perspectives. Materiality of an item may be judged by considering the
impact on the profit and loss, or on the balance sheet, or in the total of the category
of expenditure or income to which it pertains, and on its comparison with the
corresponding figure for the previous year.
If there is any statutory requirement of disclosure, it is to be considered material
irrespective of the value of amount. Examples are given below: -
As per Division I of schedule III of Companies Act, 2013, any item of income
or expenditure which exceeds one percent of the revenue from operations or
` 1,00,000, whichever is higher, needs to be disclosed separately.
A company should disclose in notes to accounts, shares in the company held
by each shareholder holding more than 5 per cent shares specifying the
number of shares held as per requirements of Division I of Schedule III of
Companies Act,2013.
© The Institute of Chartered Accountants of India
RISK ASSESSMENT AND INTERNAL CONTROL 3.19
2.3 Determination of materiality- a matter of professional
judgment
The auditor’s determination of materiality is a matter of professional judgment, and
is affected by the auditor’s perception of the financial information needs of users
of the financial statements. In this context, it is reasonable for the auditor to assume
that users:
(a) Have a reasonable knowledge of business and economic activities and
accounting and a willingness to study the information in the financial
statements with reasonable diligence;
(b) Understand that financial statements are prepared, presented and audited to
levels of materiality;
(c) Recognize the uncertainties inherent in the measurement of amounts based
on the use of estimates, judgment and the consideration of future events; and
(d) Make reasonable economic decisions on the basis of the information in the
financial statements.
2.4 Performance Materiality
Practically, it is difficult for auditors to design tests to identify individual material
misstatements. It is likely that misstatements are material in aggregate. It takes us
to the concept of “performance materiality.”
Performance materiality means the amount or amounts set by the auditor at less
than materiality for the financial statements as a whole to reduce to an
appropriately low level the probability that the aggregate of uncorrected and
undetected misstatements exceeds materiality for the financial statements as a
whole. If applicable, performance materiality also refers to the amount or amounts
set by the auditor at less than the materiality level or levels for particular classes of
transactions, account balances or disclosures.
Performance materiality is set at a value lower than overall materiality. It lowers the
risk that auditor will not be able to identify misstatements that are material when
added together.
© The Institute of Chartered Accountants of India
3.20 AUDITING AND ETHICS
2.5 Determining Materiality and Performance Materiality
when Planning the Audit
When establishing the overall audit strategy, the auditor shall determine materiality
for the financial statements as a whole. If, in the specific circumstances of the entity,
there is one or more particular classes of transactions, account balances or
disclosures for which misstatements of lesser amounts than the materiality for the
financial statements as a whole could reasonably be expected to influence the
economic decisions of users taken on the basis of the financial statements, the
auditor shall also determine the materiality level or levels to be applied to those
particular classes of transactions, account balances or disclosures.
2.6 Use of Benchmarks in Determining Materiality for the
Financial Statements as a Whole
Determining materiality involves the exercise of professional judgment. A
percentage is often applied to a chosen benchmark as a starting point in
determining materiality for the financial statements as a whole. Factors that may
affect the identification of an appropriate benchmark include the following:
The elements of the financial statements like assets, liabilities, equity,
revenue, expenses
Whether there are items on which the attention of the users of the particular
entity’s financial statements tends to be focused. For example, for the
purpose of evaluating financial performance users may tend to focus on
profit, revenue or net assets.
The nature of the entity, where the entity is at in its life cycle, and the industry
and economic environment in which the entity operates, the entity’s
ownership structure and the way it is financed. For example, If an entity is
financed solely by debt rather than equity, users may put more emphasis on
assets, and claims on them, than on the entity’s earnings;
The relative volatility of the benchmark.
Examples of benchmarks that may be appropriate, depending on the circumstances
of the entity, include categories of reported income such as profit before tax, total
revenue, gross profit and total expenses, total equity or net asset value.
© The Institute of Chartered Accountants of India
RISK ASSESSMENT AND INTERNAL CONTROL 3.21
Profit before tax from continuing operations is often used for profit-oriented
entities. When profit before tax from continuing operations is volatile, other
benchmarks may be more appropriate, such as gross profit or total revenues.
2.6.1 Chosen Benchmark – Relevant financial data
In relation to the chosen benchmark, relevant financial data ordinarily includes: -
Prior periods’ financial results and financial positions,
The period to-date financial results and financial position, and
Budgets or forecasts for the current period,
Adjusted for significant changes in the circumstances of the entity (for
example, a significant business acquisition) and relevant changes of
conditions in the industry or economic environment in which the entity
operates.
Consider, for example, when, as a starting point, the materiality for the financial
statements as a whole is determined for a particular entity based on a percentage
of profit before tax from continuing operations, circumstances that give rise to an
exceptional decrease or increase in such profit may lead the auditor to conclude
that the materiality for the financial statements as a whole is more appropriately
determined using a normalized profit before tax from continuing operations figure
based on past results.
2.6.2 Determining a percentage to be applied to a chosen benchmark
involves the exercise of professional judgment.
There is a relationship between the percentage and the chosen benchmark, such
that a percentage applied to profit before tax from continuing operations will
normally be higher than a percentage applied to total revenue.
Consider, for example, that the auditor may consider 5% of profit before tax from
continuing operations to be appropriate for a profit-oriented entity in a
manufacturing industry, while the auditor may consider 1% of total revenue or total
expenses to be appropriate for a not-for-profit entity. Higher or lower percentages,
however, may be deemed appropriate in different circumstances.
© The Institute of Chartered Accountants of India
3.22 AUDITING AND ETHICS
2.7 Materiality Level or Levels for Particular Classes of
Transactions, Account Balances or Disclosures
Factors that may indicate the existence of one or more particular classes of
transactions, account balances or disclosures for which misstatements of lesser
amounts than materiality for the financial statements as a whole could reasonably
be expected to influence the economic decisions of users taken on the basis of the
financial statements include the following:
1. Whether law, regulations or the applicable financial reporting framework
affect users’ expectations regarding the measurement or disclosure of certain
items like in case of related party transactions, and the remuneration of
management and those charged with governance.
2. The key disclosures in relation to the industry in which the entity operates.
For example, research and development costs for a pharmaceutical company.
3. Whether attention is focused on a particular aspect of the entity’s business
that is separately disclosed in the financial statements like in case of newly
acquired business.
2.8 Revision in Materiality level as the Audit Progresses
Materiality for the financial statements as a whole (and, if applicable, the materiality
level or levels for particular classes of transactions, account balances or disclosures)
may need to be revised as a result of a change in circumstances that occurred
during the audit (for example, a decision to dispose of a major part of the entity’s
business), new information, or a change in the auditor’s understanding of the entity
and its operations as a result of performing further audit procedures.
If during the audit it appears as though actual financial results are likely to be
substantially different from the anticipated period end financial results that were
used initially to determine materiality for the financial statements as a whole, the
auditor revises that materiality.
If the auditor concludes that a lower materiality for the financial statements as a
whole (and, if applicable, materiality level or levels for particular classes of
transactions, account balances or disclosures) than that initially determined is
appropriate, the auditor shall determine whether it is necessary to revise
performance materiality, and whether the nature, timing and extent of the further
audit procedures remain appropriate.
© The Institute of Chartered Accountants of India
RISK ASSESSMENT AND INTERNAL CONTROL 3.23
2.9 Documenting the Materiality
The audit documentation shall include the following amounts and the factors
considered in their determination:
(a) Materiality for the financial statements as a whole
(b) If applicable, the materiality level or levels for particular classes of
transactions, account balances or disclosures
(c) Performance materiality and
(d) Any revision of (a)-(c) as the audit progressed
2.10 Materiality and Audit Risk
The concept of materiality is applied by the auditor both in planning and
performing the audit, and in evaluating the effect of identified misstatements on
the audit and of uncorrected misstatements, if any, on the financial statements and
in forming the opinion in the auditor’s report. In conducting an audit of financial
statements, the overall objectives of the auditor are to obtain reasonable assurance
about whether the financial statements as a whole are free from material
misstatement, whether due to fraud or error, thereby enabling the auditor to
express an opinion on whether the financial statements are prepared, in all material
respects, in accordance with an applicable financial reporting framework; and to
report on the financial statements, and communicate as required by the SAs, in
accordance with the auditor’s findings. The auditor obtains reasonable assurance
by obtaining sufficient appropriate audit evidence to reduce audit risk to an
acceptably low level.
Audit risk is the risk that the auditor expresses an inappropriate audit opinion when
the financial statements are materially misstated. Audit risk is a function of the risks
of material misstatement and detection risk.
Materiality and Audit Risk are considered throughout the audit, in particular,
when:
(a) Identifying and assessing the risks of material misstatement;
(b) Determining the nature, timing and extent of further audit procedures; and
(c) Evaluating the effect of uncorrected misstatements, if any, on the financial
statements and in forming the opinion in the auditor’s report.
© The Institute of Chartered Accountants of India
3.24 AUDITING AND ETHICS
ILLUSTRATION 3
One of the team members of auditors of Highly Capable Limited was of the view that
Materiality and Audit Risk are only considered at planning stage of an audit.
Comment as an auditor
SOLUTION
The concept of materiality is applied by the auditor both in planning and
performing the audit, and in evaluating the effect of identified misstatements on
the audit and of uncorrected misstatements, if any, on the financial statements and
in forming the opinion in the auditor’s report.
Test Your Understanding 6
CA A. Raja is auditor of Build Well Forgings Private Limited having a revenue of
` 25 crore. The company has been sanctioned a term loan of ` 50 lacs from a bank.
However, as at end of the year, only ` 1 lac was availed due to delay in procurement
of asset. The financial statements of the company do not disclose nature of security
against which loan has been taken. Schedule III of Companies Act,2013 requires
disclosure in this respect. Discuss, whether, non-disclosure of nature of security is
material for auditor.
3. UNDERSTANDING THE ENTITY AND ITS
ENVIRONMENT
SA 315 Identifying and Assessing the Risks of Material Misstatement Through
Understanding the Entity and its Environment states that the auditor shall obtain
an understanding of the following: -
(a) Relevant industry, regulatory, and other external factors including the
applicable financial reporting framework
Relevant industry factors include industry conditions such as the competitive
environment, supplier and customer relationships, and technological
developments.
Examples of matters the auditor may consider include market and
competition, whether entity is engaged in seasonal activities, product
© The Institute of Chartered Accountants of India
RISK ASSESSMENT AND INTERNAL CONTROL 3.25
technology relating to the entity’s products. The industry in which the entity
operates may give rise to specific risks of material misstatement arising from
the nature of the business or the degree of regulation.
Relevant regulatory factors include the regulatory environment. The
regulatory environment includes, among other matters, the applicable
financial reporting framework and the legal and political environment.
Examples of matters the auditor may consider include accounting principles
and industry specific practices, regulatory framework for a regulated industry,
legislation and regulation that significantly affect the entity’s operations,
including direct supervisory activities, taxation, government policies currently
affecting the conduct of the entity’s business, environmental requirements
affecting the industry and the entity’s business.
Examples of other external factors affecting the entity that the auditor may
consider include the general economic conditions, interest rates and
availability of financing, and inflation etc.
(b) The nature of the entity, including: -
(i) its operations;
(ii) its ownership and governance structures;
(iii) the types of investments that the entity is making and plans to make,
including investments in special-purpose entities; and
(iv) the way that the entity is structured and how it is financed; to enable
the auditor to understand the classes of transactions, account balances,
and disclosures to be expected in the financial statements.
An understanding of nature of entity enables the auditor to understand
whether entity has a complex structure for example, whether it has
subsidiaries. Complex structures often introduce issues that may give rise to
risks of material misstatement. It also helps in understanding matters relating
to the ownership, and relations between owners and other people or entities.
This understanding assists in determining whether related party transactions
have been identified and accounted for appropriately.
Examples of matters that the auditor may consider while obtaining
understanding of nature of entity include: -
© The Institute of Chartered Accountants of India
3.26 AUDITING AND ETHICS
Business operations such as nature of revenue sources, products or
services, conduct of operations, location of production facilities, key
customers and suppliers of goods and services
Investment and investment activities such as capital investment
activities and planned or recently executed acquisitions
Financing and financing activities such as major subsidiaries, debt
structure etc.
Financial reporting such as accounting principles and revenue
recognition practices
(c) The entity’s selection and application of accounting policies, including
the reasons for changes thereto
The auditor shall evaluate whether the entity’s accounting policies are
appropriate for its business and consistent with the applicable financial
reporting framework and accounting policies used in the relevant industry.
(d) The entity’s objectives and strategies, and those related business risks
that may result in risks of material misstatement.
The entity conducts its business in the context of industry, regulatory and
other internal and external factors. To respond to these factors, the entity’s
management define objectives, which are the overall plans for the entity.
Strategies are the approaches by which management intends to achieve its
objectives. The entity’s objectives and strategies may change over time.
Business risk is broader than the risk of material misstatement of the financial
statements, though it includes the latter. Business risk may arise from change
or complexity.
An understanding of the business risks facing the entity increases the
likelihood of identifying risks of material misstatement, since most business
risks will eventually have financial consequences and, therefore, an effect on
the financial statements. However, the auditor does not have a responsibility
to identify or assess all business risks because not all business risks give rise
to risks of material misstatement.
Examples of matters that the auditor may consider when obtaining an
understanding of the entity’s objectives, strategies and related business risks
© The Institute of Chartered Accountants of India
RISK ASSESSMENT AND INTERNAL CONTROL 3.27
that may result in a risk of material misstatement of the financial statements
include: -
Industry developments (a potential related business risk might be, for
example, that the entity does not have the personnel or expertise to
deal with the changes in the industry).
New products and services (a potential related business risk might be,
for example, that there is increased product liability).
Expansion of the business (a potential related business risk might be,
for example, that the demand has not been accurately estimated).
(e) The measurement and review of the entity’s financial performance
Management and others will measure and review those things they regard as
important. Performance measures, whether external or internal, create
pressures on the entity. These pressures, in turn, may motivate management
to take action to improve the business performance or to misstate the
financial statements. Accordingly, an understanding of the entity’s
performance measures assists the auditor in considering whether pressures
to achieve performance targets may result in management actions that
increase the risks of material misstatement, including those due to fraud.
Examples for measuring and reviewing financial performance which may be
used by an auditor may include: -
Key performance indicators (financial and non-financial) and key ratios,
trends and operating statistics.
Period-on-period financial performance analyses.
Budgets, forecasts, variance analyses, and departmental or other level
performance reports.
Credit rating agency reports
3.1 Why understanding the entity and its environment is
significant?
Understanding the entity and the environment in which it operates is very
significant. It helps the auditor in planning the audit and in identifying areas
requiring special attention. Gaining knowledge about client’s business is one of the
© The Institute of Chartered Accountants of India
3.28 AUDITING AND ETHICS
important principles in developing an overall audit plan. In fact, without adequate
knowledge of client’s business, a proper audit is not possible.
3.2 Understanding the entity-a continuous process
Obtaining an understanding of the entity and its environment, including the entity’s
internal control (referred to hereafter as an “understanding of the entity”), is a
continuous, dynamic process of gathering, updating and analysing information
throughout the audit. The understanding establishes a frame of reference within
which the auditor plans the audit and exercises professional judgment throughout
the audit, for example, when:
Assessing risks of material misstatement of the financial statements
Determining materiality in accordance with SA 320
Considering the appropriateness of the selection and application of
accounting policies
Identifying areas where special audit consideration may be necessary, for
example, related party transactions, the appropriateness of management’s
use of the going concern assumption, or considering the business purpose of
transactions
Developing expectations for use when performing analytical procedures
Evaluating the sufficiency and appropriateness of audit evidence obtained
such as the appropriateness of assumptions and of management’s oral and
written representations.
ILLUSTRATION 4
The auditor of ABC Textiles Ltd chalks out an audit plan without understanding the
entity’s business. Since he has carried out many audits of textile companies, there is
no need to understand the nature of business of ABC Ltd. Advise the auditor how he
should proceed.
SOLUTION
Obtaining an understanding of the entity and its environment, including the entity’s
internal control (referred to hereafter as an “understanding of the entity”), is a
continuous, dynamic process of gathering, updating and analysing information
© The Institute of Chartered Accountants of India
RISK ASSESSMENT AND INTERNAL CONTROL 3.29
throughout the audit. The auditor should proceed accordingly.
ILLUSTRATION 5
While auditing the books of accounts of Heavy Material Limited for the financial year
2022-23, a team member of the auditor of Heavy Material Limited showed no
inclination towards understanding the business and the business environment of the
above mentioned company. Is the approach of team member of the auditor of Heavy
Material Limited correct or incorrect? Also give reason for your answer.
SOLUTION
The approach of team member of the auditor of Heavy Material Limited is incorrect
because understanding the business and the business environment of company
whose audit is to be conducted is very important, as it helps in planning the audit
and identifying areas requiring special attention during the course of audit of that
company.
ILLUSTRATION 6
Prince Blankets is engaged in business of blankets. Its major portion of sales is taking
place through internet. Advise the auditor how he would proceed in this regard as to
understanding the entity and its environment.
SOLUTION
While understanding entity and its environment, internet sales is being perceived
as risky area by the auditor and thereby would be spending substantial time and
extensive audit procedures on this particular area.
4. INTERNAL CONTROL
4.1 Meaning of Internal Control
As per SA-315, “Identifying and Assessing the Risk of Material Misstatement
Through Understanding the Entity and its Environment”, the internal control
may be defined as “the process designed, implemented and maintained by those
charged with governance, management and other personnel to provide reasonable
assurance about the achievement of an entity’s objectives with regard to reliability
of financial reporting, effectiveness and efficiency of operations, safeguarding of
assets, and compliance with applicable laws and regulations. The term “controls”
© The Institute of Chartered Accountants of India
3.30 AUDITING AND ETHICS
refers to any aspects of one or more of the components of internal control.”
4.2 As derived from above definition, the purpose of
Internal Control is as under
Internal control is designed, implemented and maintained to address identified
business risks that threaten the achievement of any of the entity’s objectives that
concern:
The reliability of the entity’s financial reporting;
The effectiveness and efficiency of its operations;
Its compliance with applicable laws and regulations; and
Safeguarding of assets.
The way in which internal control is designed, implemented and maintained varies
with an entity’s size and complexity.
4.3 Benefits of Understanding of Internal Control
An understanding of internal control assists the auditor in: -
(i) Identifying types of potential misstatements;
(ii) Identifying factors that affect the risks of material misstatement, and
(iii) Designing the nature, timing, and extent of further audit procedures.
4.4 Limitations of Internal Control
(i) Internal control can provide only reasonable assurance
Internal control, no matter how effective, can provide an entity with only
reasonable assurance about achieving the entity’s financial reporting
objectives. The likelihood of their achievement is affected by inherent
limitations of internal control.
(ii) Human judgment in decision-making
Realities that human judgment in decision-making can be faulty and that
breakdowns in internal control can occur because of human error. For
example, there may be an error in the design of, or in the change to, a control.
© The Institute of Chartered Accountants of India
RISK ASSESSMENT AND INTERNAL CONTROL 3.31
(iii) Lack of understanding the purpose
Equally, the operation of a control may not be effective, such as where
information produced for the purposes of internal control (for example, an
exception report) is not effectively used because the individual responsible
for reviewing the information does not understand its purpose or fails to take
appropriate action.
(iv) Collusion among People
Additionally, controls can be circumvented by the collusion of two or more
people or inappropriate management override of internal control. For
example, management may enter into side agreements with customers that
alter the terms and conditions of the entity’s standard sales contracts, which
may result in improper revenue recognition. Also, edit checks in a software
program that are designed to identify and report transactions that exceed
specified credit limits may be overridden or disabled.
(v) Judgements by Management
Further, in designing and implementing controls, management may make
judgments on the nature and extent of the controls it chooses to implement,
and the nature and extent of the risks it chooses to assume.
(vi) Limitations in case of Small Entities
Smaller entities often have fewer employees due to which segregation of
duties is not practicable. However, in a small owner-managed entity, the
owner-manager may be able to exercise more effective oversight than in a
larger entity. This oversight may compensate for the generally more limited
opportunities for segregation of duties. On the other hand, the owner-
manager may be more able to override controls because the system of
internal control is less structured. This is taken into account by the auditor
when identifying the risks of material misstatement due to fraud.
ILLUSTRATION 7
Auditor GR and Associates, appointed for audit of PNG Ltd, a manufacturing company
engaged in manufacturing of various food items. While planning an audit, the auditor
does not think that it would be necessary to understand internal controls. Advise the
auditor in this regard.
© The Institute of Chartered Accountants of India
3.32 AUDITING AND ETHICS
SOLUTION
The auditor shall obtain an understanding of internal control relevant to the audit.
Although most controls relevant to the audit are likely to relate to financial
reporting, not all controls that relate to financial reporting are relevant to the audit.
It is a matter of the auditor’s professional judgment whether a control, individually or
in combination with others, is relevant to the audit.
ILLUSTRATION 8
The team member of the auditor of Simple and Easy Limited was of the view that
understanding the internal control of the company would not help them in any
manner in relation to audit procedures to be applied while conducting the audit.
SOLUTION
The view of the team member of the auditor is incorrect because understanding
the internal control of the company would help the auditor and his team members
in designing the nature, timing and extent of audit procedures to be applied while
conducting the audit of the company.
4.5 Components of Internal Control
The division of internal control into the following five components provides a useful
framework for auditors to consider how different aspects of an entity’s internal
control may affect the audit: -
(A) The control environment
(B) The entity’s risk assessment process
(C) The information system, including the related business processes, relevant to
financial reporting, and communication
(D) Control activities
(E) Monitoring of controls
© The Institute of Chartered Accountants of India
RISK ASSESSMENT AND INTERNAL CONTROL 3.33
Components of
Internal control
Entity's risk Information
Control Monitoring of
assessment system and Control activities
environment controls
process communiaction
4.5(A) Control Environment
The auditor shall obtain an understanding of the control environment. As part of
obtaining this understanding, the auditor shall evaluate whether:
(i) Management has created and maintained a culture of honesty and ethical
behaviour and
(ii) The strengths in the control environment elements collectively provide an
appropriate foundation for the other components of internal control.
What is included in Control Environment?
The control environment includes:
(i) the governance and management functions and
(ii) the attitudes, awareness, and actions of those charged with governance and
management.
(iii) the control environment sets the tone of an organization, influencing the
control consciousness of its people.
Elements of the Control Environment
Elements of the control environment that may be relevant when obtaining an
understanding of the control environment include the following:
(a) Communication and enforcement of integrity and ethical values
The effectiveness of controls cannot rise above the integrity and ethical
values of the people who create, administer, and monitor them. Integrity and
© The Institute of Chartered Accountants of India
3.34 AUDITING AND ETHICS
ethical behaviour are the product of the entity’s ethical and behavioural
standards, how they are communicated, and how they are reinforced in
practice. The enforcement of integrity and ethical values includes, for
example, management actions to eliminate or mitigate incentives or
temptations that might prompt personnel to engage in dishonest, illegal, or
unethical acts. The communication of entity policies on integrity and ethical
values may include the communication of behavioural standards to personnel
through policy statements and codes of conduct and by example.
(b) Commitment to competence
Matters such as management’s consideration of the competence levels for
particular jobs and how those levels translate into requisite skills and
knowledge.
(c) Participation by those charged with governance
It includes attributes of those charged with governance such as their
independence from management, their experience and stature, the extent of
their involvement and the information they receive and the scrutiny of
activities.
(d) Management’s philosophy and operating style
Management’s philosophy and operating style encompass a broad range of
characteristics. For example, management’s attitudes and actions towards
financial reporting- what approach is taken by management in selecting
accounting policies, approach in developing accounting estimates etc.
Matters such as approach of management to taking and managing business
risks, management’s attitude towards information processing and accounting
function and personnel reflects upon management’s philosophy and
operating style.
(e) Organisational structure
The framework within which an entity’s activities for achieving its objectives
are planned, executed, controlled, and reviewed. Establishing a relevant
organisational structure includes considering key areas of authority and
responsibility and appropriate lines of reporting. The appropriateness of an
entity’s organisational structure depends, in part, on its size and the nature
of its activities.
© The Institute of Chartered Accountants of India
RISK ASSESSMENT AND INTERNAL CONTROL 3.35
(f) Assignment of authority and responsibility
Matters such as how authority and responsibility for operating activities are
assigned and how reporting relationships and authorisation hierarchies are
established.
(g) Human resource policies and practices
Policies and practices that relate to, for example, recruitment, orientation,
training, evaluation, counselling, promotion, compensation, and remedial
actions. Human resource policies and practices often demonstrate important
matters in relation to the control consciousness of an entity.
For example, standards for recruiting the most qualified individuals – with
emphasis on educational background, prior work experience, past
accomplishments, and evidence of integrity and ethical behaviour –
demonstrate an entity’s commitment to competent and trustworthy people.
Training policies that communicate prospective roles and responsibilities and
include practices such as training schools and seminars illustrate expected
levels of performance and behaviour. Promotions driven by periodic
performance appraisals demonstrate the entity’s commitment to the
advancement of qualified personnel to higher levels of responsibility.
Existence of a satisfactory control environment-not an absolute deterrent to
fraud
The existence of a satisfactory control environment can be a positive factor when the
auditor assesses the risks of material misstatement. However, although it may help
reduce the risk of fraud, a satisfactory control environment is not an absolute
deterrent to fraud. Conversely, deficiencies in the control environment may
undermine the effectiveness of controls, in particular in relation to fraud. For
example, management’s failure to commit sufficient resources to address IT security
risks may adversely affect internal control by allowing improper changes to be made
to computer programs or to data, or unauthorized transactions to be processed.
The control environment in itself does not prevent, or detect and correct, a material
misstatement. It may, however, influence the auditor’s evaluation of the
effectiveness of other controls (for example, the monitoring of controls and the
operation of specific control activities) and thereby, the auditor’s assessment of the
risks of material misstatement.
© The Institute of Chartered Accountants of India
3.36 AUDITING AND ETHICS
4.5(B) The Entity’s Risk Assessment Process
The auditor shall obtain an understanding of whether the entity has a process for:
(a) Identifying business risks relevant to financial reporting objectives
(b) Estimating the significance of the risks
(c) Assessing the likelihood of their occurrence
(d) Deciding about actions to address those risks
The entity’s risk assessment process forms the basis for the risks to be managed. If
that process is appropriate, it would assist the auditor in identifying risks of material
misstatement. Risks can arise or change due to factor such as new technology, new
business models, products or activities, changes in operating environment etc.
Whether the entity’s risk assessment process is appropriate to the circumstances is
a matter of judgment.
4.5(C) The information system, including the related
business processes, relevant to financial reporting and
communication
The auditor shall obtain an understanding of the information system, including the
related business processes, relevant to financial reporting, including the following
areas: -
(a) The classes of transactions in the entity’s operations that are significant to
the financial statements
(b) The procedures by which those transactions are initiated, recorded,
processed, corrected as necessary, transferred to the general ledger and
reported in the financial statements
(c) The related accounting records, supporting information and specific accounts
in the financial statements that are used to initiate, record, process and report
transactions
(d) How the information system captures events and conditions that are
significant to the financial statements
(e) The financial reporting process used to prepare the entity’s financial
statements
© The Institute of Chartered Accountants of India
RISK ASSESSMENT AND INTERNAL CONTROL 3.37
(f) Controls surrounding journal entries.
An information system consists of infrastructure (physical and hardware
components), software, people, procedures, and data. Many information systems
make extensive use of information technology (IT). Information system should
provide qualitative financial information. The quality of system-generated
information affects management’s ability to make appropriate decisions in
managing and controlling the entity’s activities and to prepare reliable financial
reports.
The auditor shall obtain an understanding of how the entity communicates financial
reporting roles and responsibilities. It may take such forms as policy manuals,
accounting and financial reporting manuals, and memoranda. Communication also
can be made electronically, orally, and through the actions of management.
4.5(D) Control Activities
The auditor shall obtain an understanding of control activities relevant to the audit,
which the auditor considers necessary to assess the risks of material misstatement.
An audit requires an understanding of only those control activities related to
significant class of transactions, account balance, and disclosure in the financial
statements and the assertions which the auditor finds relevant in his risk
assessment process. Control activities are the policies and procedures that help
ensure that management directives are carried out. Control activities, whether
within IT or manual systems, have various objectives and are applied at various
organisational and functional levels.
Control activities relevant to audit generally include policies and procedures
relating to performance reviews (reviews of actual performance with budgets),
information processing (for example controls over checking arithmetical accuracy
of records, program change controls etc), physical controls( like controls over
physical security of assets) and segregation of duties (controls over ensuring that
different people are assigned the responsibilities of authorising transactions,
recording transactions and maintaining custody of assets)
4.5(E) Monitoring of Controls
The auditor shall obtain an understanding of the major activities that the entity
uses to monitor internal control over financial reporting.
© The Institute of Chartered Accountants of India
3.38 AUDITING AND ETHICS
Monitoring of controls is a process to assess the effectiveness of internal control
performance over time. It helps in assessing the effectiveness of controls on a
timely basis. It involves assessing the effectiveness of controls on a timely basis and
taking necessary remedial actions. It includes considering whether controls are
operating as intended and that they are modified as appropriate for change in
conditions.
Management accomplishes monitoring of controls through ongoing activities,
separate evaluations, or a combination of the two. Ongoing monitoring activities
are often built into the normal recurring activities of an entity and include regular
management and supervisory activities.
Management’s monitoring activities may include using information from
communications from external parties such as customer complaints and regulator
comments that may indicate problems or highlight areas in need of improvement.
Test Your Understanding 7
CA Smriti is auditor of a company. As part of audit, she is going through company
policies and practices regarding employee recruitment, training, orientation and
related matters. She seems to be very much interested in finding out whether
company hires best candidates from applicant pool. Identify what she is trying to
do? How gaining knowledge about this aspect is useful to her as an auditor?
Test Your Understanding 8
During the audit of same company, CA Smriti is keen to find out whether there
exists a proper system of segregation of duties in the company. She wants to be
sure that a person responsible for recording a transaction is different from the
person authorising it. Discuss what she is trying to do and how its understanding
is significant to her as an auditor.
4.6 Are all Controls Relevant to the audit?
There is a direct relationship between an entity’s objectives and the control it
implements to provide reasonable assurance about their achievement. The entity’s
objectives, and therefore controls, relate to financial reporting, operations and
compliance; however, not all of these objectives and controls are relevant to the
© The Institute of Chartered Accountants of India
RISK ASSESSMENT AND INTERNAL CONTROL 3.39
auditor’s risk assessment.
Factors relevant to the auditor’s judgment about whether a control, individually or
in combination with others, is relevant to the audit may include such matters as the
following:
Materiality.
The significance of the related risk.
The size of the entity.
The nature of the entity’s business, including its organisation and ownership
characteristics.
The diversity and complexity of the entity’s operations.
Applicable legal and regulatory requirements.
The circumstances and the applicable component of internal control.
The nature and complexity of the systems that are part of the entity’s internal
control, including the use of service organisations.
Whether, and how, a specific control, individually or in combination with
others, prevents, or detects and corrects, material misstatement.
4.7 Controls over the completeness and accuracy of
information
Controls over the completeness and accuracy of information produced by the entity
may be relevant to the audit if the auditor intends to make use of the information
in designing and performing further procedures. For example, in auditing revenue
by applying standard prices to records of sales volume, the auditor considers the
accuracy of the price information and the completeness and accuracy of the sales
volume data. Controls relating to operations and compliance objectives may also
be relevant to an audit if they relate to data the auditor evaluates or uses in
applying audit procedures.
4.8 Internal control over safeguarding of assets
Internal control over safeguarding of assets against unauthorised acquisition, use,
or disposition may include controls relating to both financial reporting and
© The Institute of Chartered Accountants of India
3.40 AUDITING AND ETHICS
operations objectives. The auditor’s consideration of such controls is generally
limited to those relevant to the reliability of financial reporting. For example, use
of access controls, such as passwords, that limit access to the data and programs
that process cash disbursements may be relevant to a financial statement audit.
Conversely, safeguarding controls relating to operations objectives, such as
controls to prevent the excessive use of materials in production, generally are not
relevant to a financial statement audit.
4.9 Controls relating to objectives that are not relevant to
an audit
An entity generally has controls relating to objectives that are not relevant to an
audit and therefore need not be considered. For example, an entity may rely on a
sophisticated system of automated controls to provide efficient and effective
operations (such as an airline’s system of automated controls to maintain flight
schedules), but these controls ordinarily would not be relevant to the audit. Further,
although internal control applies to the entire entity or to any of its operating units
or business processes, an understanding of internal control relating to each of the
entity’s operating units and business processes may not be relevant to the audit.
In certain circumstances, the statute or the regulation governing the entity may
require the auditor to report on compliance with certain specific aspects of internal
controls as a result, the auditor’s review of internal control may be broader and
more detailed.
4.10 Nature and Extent of the Understanding of Relevant
Controls
Evaluating the design of a control involves considering whether the control,
individually or in combination with other controls, is capable of effectively
preventing, or detecting and correcting, material misstatements. Implementation
of a control means that the control exists and that the entity is using it. There is
little point in assessing the implementation of a control that is not effective, and so
the design of a control is considered first.
An improperly designed control may represent a significant deficiency in internal
control. Risk assessment procedures to obtain audit evidence about the design and
implementation of relevant controls may include-
© The Institute of Chartered Accountants of India
RISK ASSESSMENT AND INTERNAL CONTROL 3.41
Inquiring of entity personnel.
Observing the application of specific controls.
Inspecting documents and reports.
Tracing transactions through the information system relevant to financial
reporting.
Inquiry alone, however, is not sufficient for such purposes.
Obtaining an understanding of an entity’s controls is not sufficient to test their
operating effectiveness, unless there is some automation that provides for the
consistent operation of the controls. For example, obtaining audit evidence about
the implementation of a manual control at a point in time does not provide audit
evidence about the operating effectiveness of the control at other times during the
period under audit. However, because of the inherent consistency of IT processing,
performing audit procedures to determine whether an automated control has been
implemented may serve as a test of that control’s operating effectiveness,
depending on the auditor’s assessment and testing of controls such as those over
program changes.
5. RISKS THAT REQUIRE SPECIAL AUDIT
CONSIDERATION
As part of the risk assessment, the auditor shall determine whether any of the risks
identified are, in the auditor’s judgment, a significant risk. In exercising judgment as
to which risks are significant risks, the auditor shall consider at least the following:
(a) Whether the risk is a risk of fraud
(b) Whether the risk is related to recent significant economic, accounting, or
other developments like changes in regulatory environment, etc., and,
therefore, requires specific attention
(c) The complexity of transactions
(d) Whether the risk involves significant transactions with related parties
(e) The degree of subjectivity in the measurement of financial information
related to the risk, especially those measurements involving a wide range of
measurement uncertainty and
© The Institute of Chartered Accountants of India
3.42 AUDITING AND ETHICS
(f) Whether the risk involves significant transactions that are outside the normal
course of business for the entity, or that otherwise appear to be unusual.
5.1 Identifying Significant Risks
Significant risks often relate to significant non-routine transactions or judgmental
matters. Non-routine transactions are transactions that are unusual, due to either
size or nature, and that therefore occur infrequently. Judgmental matters may
include the development of accounting estimates for which there is significant
measurement uncertainty. Significant risks are inherent risks with both a higher
likelihood of occurrence and a higher magnitude of potential misstatement. The
auditor assesses assertions affected by a significant risk as higher inherent risk. The
following are always significant risks:
Risks of material misstatement due to fraud
Significant transactions with related parties that are outside the normal course
of business for the entity
5.2 Risks of Material Misstatement – Greater for
Significant Non-Routine Transactions
Risks of material misstatement may be greater for significant non-routine
transactions arising from matters such as the following:
Greater management intervention to specify the accounting treatment.
Greater manual intervention for data collection and processing.
Complex calculations or accounting principles.
The nature of non-routine transactions, which may make it difficult for the
entity to implement effective controls over the risks.
5.3 Risks of material misstatement– Greater for Significant
Judgmental Matters
Risks of material misstatement may be greater for significant judgmental matters
that require the development of accounting estimates, arising from matters such
as the following:
© The Institute of Chartered Accountants of India
RISK ASSESSMENT AND INTERNAL CONTROL 3.43
Accounting principles for accounting estimates or revenue recognition may
be subject to differing interpretation.
Required judgment may be subjective or complex, or require assumptions
about the effects of future events, for example, judgment about fair value.
6. EVALUATION OF INTERNAL CONTROL
SYSTEM
So far as the auditor is concerned, the examination and evaluation of the internal
control system is an indispensable part of the overall audit programme. The auditor
needs reasonable assurance that the accounting system is adequate and that all
the accounting information which should be recorded has in fact been recorded.
Internal control normally contributes to such assurance.
6.1 Benefits of Evaluation of Internal Control to the
Auditor
The review of internal controls will enable the auditor to know:
(i) whether errors and frauds are likely to be located in the ordinary course of
operations of the business
(ii) whether an adequate internal control system is in use and operating as
planned by the management
(iii) whether an effective internal auditing department is operating
(iv) whether any administrative control has a bearing on his work (for example, if
the control over worker recruitment and enrolment is weak, there is a
likelihood of dummy names being included in the wages sheet and this is
relevant for the auditor)
(v) whether the controls adequately safeguard the assets
(vi) how far and how adequately the management is discharging its function in
so far as correct recording of transactions is concerned
(vii) how reliable the reports, records and the certificates to the management can
be
© The Institute of Chartered Accountants of India
3.44 AUDITING AND ETHICS
(viii) the extent and the depth of the examination that he needs to carry out in the
different areas of accounting
(ix) what would be appropriate audit technique and the audit procedure in the
given circumstances
(x) what are the areas where control is weak and where it is excessive and
(xi) whether some worthwhile suggestions can be given to improve the control
system.
ILLUSTRATION 9
Mr. Y, one of the team member of the auditors of What and Where Limited was very
keen in knowing whether the internal control of the company would safeguard the
company’s assets. Advise Mr. Y.
SOLUTION
The review of internal controls will enable the auditors to know whether the
controls adequately safeguard the assets.
ILLUSTRATION 10
Mr. H, a team member of the auditor of There and Here Limited was of the view that
evaluation of internal control of the company would help in identifying the areas
where internal control is weak. Advise
SOLUTION
The review of internal controls will enable the auditor to know what are the areas
where control is weak and where it is excessive.
Formulate Audit Program after understanding Internal Control
The auditor can formulate his entire audit programme only after he has had a
satisfactory understanding of the internal control systems and their actual
operation. If he does not care to study this aspect, it is very likely that his audit
programme may become unwieldy and unnecessarily heavy and the object of the
audit may be altogether lost in the mass of entries and vouchers. It is also important
for him to know whether the system is actually in operation. Often, after installation
of a system, no proper follow up is there by the management to ensure compliance.
The auditor, in such circumstances, may be led to believe that a system is in
operation which in reality may not be altogether in operation or may at best
operate only partially. This state of affairs is probably the worst that an auditor may
© The Institute of Chartered Accountants of India
RISK ASSESSMENT AND INTERNAL CONTROL 3.45
come across and he would be in the midst of confusion, if he does not take care.
It would be better if the auditor can undertake the review of the internal control
system of client. This will give him enough time to assimilate the controls and
implications and will enable him to be more objective in the framing of the audit
programme. He will also be in a position to bring to the notice of the management
the weaknesses of the system and to suggest measures for improvement. At a
further interim date or in the course of the audit, he may ascertain how far the
weaknesses have been removed.
From the foregoing, it can be concluded that the extent and the nature of the audit
programme is substantially influenced by the internal control system in operation.
In deciding upon a plan of test checking, the existence and operation of internal
control system is of great significance. A proper understanding of the internal
control system in its content and working also enables an auditor to decide upon
the appropriate audit procedure to be applied in different areas to be covered in
the audit programme.
In a situation where the internal controls are considered weak in some areas, the
auditor might choose an auditing procedure or test that otherwise might not be
required; he might extend certain tests to cover a large number of transactions or
other items than he otherwise would examine and at times he may perform
additional tests to bring him the necessary satisfaction.
For example, normally the distribution of wages is not observed by the auditor. But
if the internal control over wages is so weak that there exists a possibility of dummy
workers being paid, the auditor might include observation of wages distribution in
his programme in order to find out the workers who do not turn up for receipt of
wages.
On the other hand, if he is satisfied with the internal control on sales and trade
receivables, the auditor can get trade receivables’ balances confirmed at almost any
time reasonably close to the balance sheet date. But if the control is weak, he may
feel that he should get the confirmation exactly on the date of the year closing so
that he may eliminate the risk of errors and frauds occurring between the
intervening period. Also, he may in that situation, decide to have a large coverage
of trade receivables by the confirmation procedure.
© The Institute of Chartered Accountants of India
3.46 AUDITING AND ETHICS
6.2 Evaluation of Internal Control– Methods
A review of the internal control can be done by a process of study, examination and
evaluation of the control system installed by the management. The first step
involves determination of the control and procedures laid down by the
management. By reading company manuals, studying organisation charts and flow
charts and by making suitable enquiries from the officers and employees, the
auditor may ascertain the character, scope and efficacy of the control system.
The auditor must ask the right people the right questions if he is to get the
information he wants. It would be better if he makes written notes of the relevant
information and procedures contained in the manual or ascertained on enquiry. To
facilitate the accumulation of the information necessary for the proper review and
evaluation of internal controls, the auditor can use one of the following to help him
to know and assimilate the system and evaluate the same:
(A) Narrative record
(B) Check List
(C) Internal Control questionnaire and
(D) Flow chart
Methods of evaluation of
internal control
Narrative Internal Control
Check list Flow Chart
record questionnaire
6.2(A) The Narrative Record
This is a complete and exhaustive description of the system as found in operation
by the auditor. Actual testing and observation are necessary before such a record
can be developed. It may be recommended in cases where no formal control system
is in operation and would be more suited to small business.
The basic disadvantages of narrative records are:
© The Institute of Chartered Accountants of India
RISK ASSESSMENT AND INTERNAL CONTROL 3.47
(i) To comprehend the system in operation is quite difficult.
(ii) To identify weaknesses or gaps in the system.
(iii) To incorporate changes arising on account of reshuffling of manpower, etc.
6.2(B) Check List
This is a series of instructions and/or questions which a member of the auditing
staff must follow and/or answer. When he completes instruction, he initials the
space against the instruction. Answers to the check list instructions are usually
Yes, No or Not Applicable. This is again an on-the-job requirement and
instructions are framed having regard to the desirable elements of control.
Example
A few examples of check list instructions are given hereunder:
1. Are tenders called before placing orders?
2. Are the purchases made on the basis of a written order?
3. Is the purchase order form standardised?
4. Are purchase order forms pre-numbered?
5. Are the inventory control accounts maintained by persons who have nothing
to do with custody of work, receipt of inventory, inspection of inventory and
purchase of inventory?
The complete check list is studied by the Principal/Manager/Senior to ascertain
existence of internal control and evaluate its implementation and efficiency.
6.2(C) Internal Control Questionnaire
This is a comprehensive series of questions concerning internal control. This is the
most widely used form for collecting information about the existence, operation
and efficiency of internal control in an organisation. An important advantage of the
questionnaire approach is that oversight or omission of significant internal control
review procedures is less likely to occur with this method. With a proper
questionnaire, all internal control evaluation can be completed at one time or in
sections. The review can more easily be made on an interim basis. The questionnaire
form also provides an orderly means of disclosing control defects. It is the general
© The Institute of Chartered Accountants of India
3.48 AUDITING AND ETHICS
practice to review the internal control system annually and record the review in
detail. In the questionnaire, generally questions are so framed that a ‘Yes’ answer
denotes satisfactory position and a ‘No’ answer suggests weakness. Provision is
made for an explanation or further details of ‘No’ answers. In respect of questions
not relevant to the business, ‘Not Applicable’ reply is given. The questionnaire is
usually issued to the client and the client is requested to get it filled by the
concerned executives and employees. If on a perusal of the answers, inconsistencies
or apparent incongruities are noticed, the matter is further discussed by auditor’s
staff with the client’s employees for a clear picture. The concerned auditor then
prepares a report of deficiencies and recommendations for improvement.
Few illustrative examples of Internal Control Questionnaire in different areas
of an entity are given as under:
Examples of Extracts of Internal Control Questionnaire in respect of purchases,
creditors, inventories and fixed assets
A. Purchases
(1) Are purchases centralised in the Purchase Department?
(2) (a) Are purchases made only from approved suppliers?
(b) Is a list of approved suppliers maintained for this purpose?
(c) Does the master list contain more than one source of supply for all
important materials?
(3) Are the purchase orders based on valid purchase requisitions duly signed by
authorised persons in this behalf?
(4) Are purchases based on competitive quotations from two or more suppliers?
(5) Are purchase orders pre-numbered?
(6) Are purchase orders signed only by employees authorized in this behalf?
(7) Are all materials received only in the Receiving Department?
(8) Are persons connected with receipt of materials and the keeping of receiving
records denied authority to issue purchase orders or to approve invoices?
(9) Are materials inspected and counted, weighed or measured in the Receiving
Department?
© The Institute of Chartered Accountants of India
RISK ASSESSMENT AND INTERNAL CONTROL 3.49
(10) Are receipt of materials evidenced by pre-numbered Goods Received Note?
B. Creditors
(1) (a) Are suppliers’ invoices routed direct to the Accounts Department?
(b) Are they entered in a Bill register before submitting them to other
departments for check and/or approval?
(c) Are advance and partial payments entered on the invoices before they
are submitted to other departments?
(2) Does the system ensure that all invoices are duly processed?
(3) In respect of raw material and supplies, are reconciliations made of quantities
and/or values received as shown by purchase invoices with receipt into stock
records?
(4) Does the Accounts Department match the invoices of supplies with Goods
Received Notes and purchase orders?
(5) Do all invoices bear evidence of being checked for prices, freight, terms etc.?
(6) Are all advance payments duly authorized by persons competent to authorize
such payments?
(7) Are duplicate invoices marked immediately on receipt to avoid payment
against them?
(8) Are all supplier’s statements compared with ledger accounts?
(9) Is there any follow-up action to investigate difference, if any, between the
suppliers’ statements and the ledger accounts?
(10) Is a list of unpaid creditors prepared and reconciled periodically?
C. Inventories
(1) Are stocks stored in assigned areas?
(2) Are stocks insured comprehensively against different risks? If some risk is not
insured, whether it is due to specific decision taken by a senior official?
(3) Is a record maintained for the insurance policies?
(4) Is the record reviewed periodically?
(5) Is there an official who decides on the value for which stocks are to be
insured?
© The Institute of Chartered Accountants of India
3.50 AUDITING AND ETHICS
(6) Is the adequacy of insurance cover reviewed periodically?
(7) Are perpetual stock records kept for raw materials, work-in-progress, finished
goods and stores?
(8) Are stock records periodically reconciled with accounting records?
(9) Where there is a system of perpetual inventory count:
(a) Is there a periodical report of shortages/excess?
(b) If so, are these differences investigated?
(c) Are these differences adjusted in the stock records and in the financial
accounts?
(d) Is written approval obtained from a responsible official to adjust these
differences?
(10) Are there norms for stock levels to be held?
D. Fixed Assets
(1) Are budgets for capital expenditure approved?
(2) Is the authority to incur capital expenditure restricted to specified officials?
(3) Are purchases of capital expenditure subject to same controls as applicable
to purchases of raw materials, stores etc.?
(4) Is there proper check to see that amounts expended do not exceed the
amount authorized?
(5) Are fixed assets verified periodically?
(6) Is there a written procedure for such verification?
(7) Are reports prepared on such verification?
(8) Do such reports indicate damaged/obsolete items of fixed assets?
(9) Are discrepancies disclosed by such reports investigated?
(10) Are the records and financial accounts corrected with appropriate authority?
Note: The Internal Control questionnaire is usually issued to the client and the
client is requested to get it filled by the concerned executives and employees by
giving replies as Yes/No/Not applicable along with explanatory notes, if any.
© The Institute of Chartered Accountants of India
RISK ASSESSMENT AND INTERNAL CONTROL 3.51
6.2(D) Flow Chart
It is a graphic presentation of each part of the company’s system of internal control.
A flow chart is considered to be the most concise way of recording the auditor’s
review of the system. It minimises the amount of narrative explanation and thereby
achieves a consideration or presentation not possible in any other form.
It gives bird’s eye view of the system and the flow of transactions and integration
and in documentation, can be easily spotted and improvements can be suggested. It
is also necessary for the auditor to study the significant features of the business
carried on by the concern, the nature of its activities and various channels of goods
and materials as well as cash, both inward and outward and also a comprehensive
study of the entire process of manufacturing, trading and administration. This will
help him to understand and evaluate the internal controls in the correct perspective.
ILLUSTRATION 11
In order to evaluate the Internal Control of Your and My Limited, a team member of
the auditors used a method according to which, number of questions relating to
internal control of the company were required to be answered by the employees of
the company. After obtaining the answers there was a discussion relating to those
answers between team member of the auditor and employees of the company for a
clear picture. State the method of evaluation of internal control as discussed above.
SOLUTION
The method of evaluation of internal control used in the above question is known
as Internal Control Questionnaire because in questionnaire method, a number of
questions relating to internal control of a company are required to be answered by
employees of that company and when answers to the questions are obtained, there
is a discussion relating to those answers between team members of the auditors
and employees of that company for a clear picture.
ILLUSTRATION 12
Healthy and Useful Limited is into small manufacturing as well as trading business.
For the purpose of evaluating the internal control of Healthy and Useful Limited, a
team member of the auditors of the company used a method according to which
the whole description of internal control that was operating in the said company
was to be recorded. Identify the method of evaluation of internal control as
mentioned above.
© The Institute of Chartered Accountants of India
3.52 AUDITING AND ETHICS
SOLUTION
The method of evaluation of internal control referred above is known as Narrative
Record because in Narrative Record method, a whole description of internal control
operating in an entity is recorded. Narrative Record method is also appropriate for
small manufacturing as well as trading business as is mentioned in the question
above case.
7. TESTING OF INTERNAL CONTROL
After assimilating the internal control system, the auditor needs to examine
whether and how far the same is actually in operation. For this, he resorts to actual
testing of the system in operation. This he does on a selective basis: he can plan
this testing in such a manner that all the important areas are covered in a period
of, say, three years.
Test of controls are performed to obtain audit evidence about the effectiveness of
the:-
(i) Design of the accounting and internal control system
(ii) Operation of the internal control throughout the period
Test of controls include tests of elements of the control environment where
strengths in the control environment are used by auditors to reduce control risk.
Some of the procedures performed to obtain the understanding of the accounting
and internal control systems may not have been specifically planned as tests of
control but may provide audit evidence about the effectiveness of the design and
operation of internal controls relevant to certain assertions and, consequently,
serve as tests of control. For example, in obtaining the understanding of the
accounting and internal control systems pertaining to cash, the auditor may have
obtained audit evidence about the effectiveness of the bank reconciliation process
through inquiry and observation. When the auditor concludes that procedures
performed to obtain the understanding of the accounting and internal control
systems also provide audit evidence about the suitability of design and operating
effectiveness of policies and procedures relevant to a particular financial statement
assertion, the auditor may use that audit evidence, provided it is sufficient to
support a control risk assessment at less than a high level.
Test of controls may include:
© The Institute of Chartered Accountants of India
RISK ASSESSMENT AND INTERNAL CONTROL 3.53
Inspection of documents supporting transactions and other events to gain
audit evidence that internal controls have operated properly, for example,
verifying that a transaction has been authorised.
Inquiries about, and observation of, internal controls which leave no audit
trail, for example, determining who actually performs each function and not
merely who is supposed to perform it.
Re-performance involves the auditor’s independent execution of procedures
or controls that were originally performed as part of the entity’s internal
control, for example, reconciliation of bank accounts, to ensure they were
correctly performed by the entity.
Testing of internal control operating on specific computerised applications or
over the overall information technology function, for example, access or
program change controls.
While obtaining audit evidence about the effective operation of internal controls,
the auditor considers how they were applied, the consistency with which they were
applied during the period and by whom they were applied. The concept of effective
operation recognises that some deviations may have occurred. Deviations from
prescribed controls may be caused by such factors as changes in key personnel,
significant seasonal fluctuations in volume of transactions and human error. When
deviations are detected, the auditor makes specific inquiries regarding these
matters, particularly, the timing of staff changes in key internal control functions.
The auditor then ensures that the tests of control appropriately cover such a period
of change or fluctuation.
Based on the results of the tests of control, the auditor should evaluate whether
the internal controls are designed and operating as contemplated in the
preliminary assessment of control risk. The evaluation of deviations may result in
the auditor concluding that the assessed level of control risk needs to be revised.
In such cases, the auditor would modify the nature, timing and extent of planned
substantive procedures.
Before the conclusion of the audit, based on the results of substantive procedures
and other audit evidence obtained by the auditor, the auditor should consider
whether the assessment of control risk is confirmed. In case of deviations from the
prescribed accounting and internal control systems, the auditor would make
specific inquiries to consider their implications. Where, on the basis of such
© The Institute of Chartered Accountants of India
3.54 AUDITING AND ETHICS
inquiries, the auditor concludes that the deviations are such that the preliminary
assessment of control risk is not supported, he would amend the same unless the
audit evidence obtained from other tests of control supports that assessment.
Where the auditor concludes that the assessed level of control risk needs to be
revised, he would modify the nature, timing and extent of his planned substantive
procedures.
8. WHAT IS AN AUTOMATED ENVIRONMENT?
An automated environment basically refers to a business environment where the
processes, operations, accounting and even decisions are carried out by using
computer systems – also known as Information Systems (IS) or Information
Technology (IT) systems. Nowadays, it is very common to see computer systems
being used in almost every type of business.
8.1 Key features of an automated environment
The fundamental principle of an automated environment is the ability to carry out
business with less manual intervention and more system driven. The complexity of
a business environment depends on the level of automation i.e., if a business
environment is more automated, it is likely to be more complex. Key features of an
automated environment are as under: -
Enables faster business operation
Accuracy in data processing and computation
Ability to process large volume of transactions
Integration amongst business operations
Better security and controls
Less prone to human errors
Provides latest information
Connectivity and networking capability
If a company uses an integrated enterprise resource planning system (ERP) viz.,
SAP, Oracle etc., then it is considered more complex to audit. On the other hand, if
a company is using an off-the-shelf accounting software, then it is likely to be less
automated and hence less complex environment.
© The Institute of Chartered Accountants of India
RISK ASSESSMENT AND INTERNAL CONTROL 3.55
8.2 Understanding and documenting automated
environment
In an audit of financial statements, an auditor is required to understand the entity
and its business, including IT. Understanding the entity and its automated
environment involves understanding how IT department is organised, IT activities,
the IT dependencies, relevant risks and controls. Given below are some of the points
that an auditor should consider to obtain an understanding of the company’s
automated environment:
Information systems being used (one or more application systems and what
they are)
Their purpose (financial and non-financial)
Location of IT systems - local vs global
Architecture (desktop based, client-server, web application, cloud based)
Version (functions and risks could vary in different versions of same
application).
Interfaces within systems (in case multiple systems exist).
In-house vs Packaged.
Outsourced activities (IT maintenance and support).
Key persons (CIO, CISO, Administrators).
The understanding of a company’s IT environment that is obtained should be
documented.
8.3 Risks arising from use of IT Systems
Having obtained an understanding of the IT systems and the automated environment
of a company, the auditor should now understand the risks that arise from the use
of IT systems. Given below are some such risks that should be considered:
Inaccurate processing of data, processing inaccurate data, or both.
Unauthorized access to data.
Direct data changes (backend changes).
Excessive access / Privileged access (super users).
© The Institute of Chartered Accountants of India
3.56 AUDITING AND ETHICS
Lack of adequate segregation of duties.
Unauthorized changes to systems or programs.
Failure to make necessary changes to systems or programs.
Loss of data.
8.4 Impact of IT related risks
The above risks have to be mitigated. If not mitigated, such risks, could have an
impact on audit in different ways discussed as under: -
Impact on substantive checking
Inability to address above discussed risks may lead to non-reliance of data obtained
from systems. In such a case, all information, data, and reports would have to be
tested thoroughly for their completeness and accuracy. It could lead to increased
substantive checking i.e., detailed checking.
Impact on controls
It can lead to non-reliance on automated controls, system calculations and
accounting procedures built into applications. It may result in additional audit work.
Impact on reporting
Due to regulatory requirements in respect of internal financial controls (discussed
in subsequent paras) in case of companies, it may lead to modification of auditor’s
report in some instances.
8.5 Types of Controls in an automated environment
Controls in an automated environment can be categorized as under: -
(A) General IT controls
(B) Application controls
(C) IT-dependent controls
8.5(A) General IT controls
General IT controls are policies and procedures that relate to many applications
and support the effective functioning of application controls. General IT-controls
© The Institute of Chartered Accountants of India
RISK ASSESSMENT AND INTERNAL CONTROL 3.57
that maintain the integrity of information and security of data commonly include
controls over the following:
Data centre and network operations
Program change
Access security
Application system acquisition, development, and maintenance (Business
Applications)
These are IT controls generally implemented to mitigate the IT specific risks and
applied commonly across multiple IT systems, applications and business processes.
Hence, General IT controls are known as “pervasive” controls or “indirect” controls.
(a) Controls over Data centre and network operations
The objective of controls over Data centre and network operations is to ensure that
production systems are processed to meet financial reporting objectives. These
include activities such as overall management of computer operation activities,
preparing, scheduling and executing of batch jobs, monitoring, storage and
retention of backups. Such controls also help in performance monitoring of
operating system, database and networks. Matters such as BCP (Business continuity
plan) and DRP (Disaster recovery plan) which deal with recovery from failures are
also taken care of by such type of controls.
(b) Program Change
The objective of program change controls is to ensure that modified systems
continue to meet financial reporting objectives. It includes activities such as change
management process, recording, managing and tracking change requests, making
and testing changes etc.
(c) Access Security
The objective of controls over access security is to ensure that access to programs
and data is authenticated and authorized to meet financial reporting objectives. It
includes activities such as security organization & management, security policies &
procedures, application security, data security, operating system security, network
security, physical security etc.
© The Institute of Chartered Accountants of India
3.58 AUDITING AND ETHICS
(d) Application system acquisition, development, and maintenance
The objective of such controls is to ensure that systems are developed, configured
and implemented to meet financial reporting objectives. It includes overall
management of development activities, project initiation, analysis & design,
construction, testing & quality assurance etc.
8.5(B) Application Controls
Application controls include both automated or manual controls that operate at a
business process level. Automated Application controls are embedded into IT
applications viz., ERPs and help in ensuring the completeness, accuracy and
integrity of data in those systems. Examples of automated applications include edit
checks and validation of input data, sequence number checks, user limit checks,
reasonableness checks, mandatory data fields.
8.5(C) IT dependent Controls
IT dependent controls are basically manual controls that make use of some form of
data or information or report produced from IT systems and applications. In this
case, even though the control is performed manually, the design and effectiveness
of such controls depends on the reliability of source data. Due to the inherent
dependency on IT, the effectiveness and reliability of automated application
controls and IT dependent controls require the General IT controls to be effective.
8.6 General IT Controls vs. Application Controls
These two categories of control over IT systems are interrelated.
The relationship between the application controls and the General IT Controls
is such that General IT Controls are needed to support the functioning of
application controls, and both are needed to ensure complete and accurate
information processing through IT systems.
8.7 Testing methods in an automated environment
Having learnt about the various IT risks and controls, let us understand the different
ways testing is performed in an automated environment. There are basically four
types of audit tests that should be used. These are inquiry, observation, inspection
and reperformance.
© The Institute of Chartered Accountants of India
RISK ASSESSMENT AND INTERNAL CONTROL 3.59
Inquiry is the most efficient audit test but it also gives the least audit evidence.
Hence, inquiry should always be used in combination with any one of the other
audit testing methods. Inquiry alone is not sufficient. Reperformance is most
effective as an audit test and gives the best audit evidence. However, testing by
reperformance could be very time consuming and least efficient most of the time.
Generally, applying inquiry in combination with inspection gives the most effective
and efficient audit evidence. However, which audit test to use, when and in what
combination is a matter of professional judgement and will vary depending on
several factors including risk assessment, control environment, desired level of
evidence required, history of errors/misstatements, complexity of business,
assertions being addressed etc. The auditor should document the nature of test (or
combination of tests) applied along with the judgements in the audit file.
When testing in an automated environment, some of the more common methods
are as follows:
♦ Obtain an understanding of how an automated transaction is processed by
doing a walkthrough of one end-to-end transaction using a combination of
inquiry, observation and inspection.
♦ Observe how a user processes transactions under different scenarios.
♦ Inspect the configuration defined in an application.
Where the general IT controls are not existing or existing but ineffective, the auditor
should assess the impact of IT risks and complexity of the automated environment
in which the business operations take place and plan alternative audit procedures
in order to rely on the system-based information.
9. CHARACTERISTICS OF MANUAL AND
AUTOMATED ELEMENTS OF INTERNAL
CONTROL RELEVANT TO THE AUDITOR’S
RISK ASSESSMENT
An entity’s system of internal control contains manual elements and often contains
automated elements. The characteristics of manual or automated elements are
relevant to the auditor’s risk assessment and further audit procedures based
thereon. The use of manual or automated elements in internal control also affects
© The Institute of Chartered Accountants of India
3.60 AUDITING AND ETHICS
the manner in which transactions are initiated, recorded, processed, and reported:
(a) Controls in a manual system may include such procedures as approvals and
reviews of transactions, and reconciliations and follow-up of reconciling
items. Alternatively, an entity may use automated procedures to initiate,
record, process, and report transactions, in which case records in electronic
format replace paper documents.
(b) Controls in IT systems consist of a combination of automated controls (for
example, controls embedded in computer programs) and manual controls.
Further, manual controls may be independent of IT, may use information
produced by IT, or may be limited to monitoring the effective functioning of
IT and of automated controls, and to handling exceptions.
9.1 Manual elements vs automated elements in entity’s
internal control
Manual elements in internal control may be more suitable where judgment and
discretion are required such as for the following circumstances:
Large, unusual or non-recurring transactions.
Circumstances where errors are difficult to define, anticipate or predict.
In changing circumstances that require a control response outside the scope of
an existing automated control.
In monitoring the effectiveness of automated controls.
Manual elements in internal control may be less reliable than automated elements
because they can be more easily bypassed, ignored, or overridden and they are
also more prone to simple errors and mistakes. Consistency of application of a
manual control element cannot therefore be assumed. Manual control elements
may be less suitable for the following circumstances:
High volume or recurring transactions, or in situations where errors that can
be anticipated or predicted can be prevented, or detected and corrected, by
control parameters that are automated.
Control activities where the specific ways to perform the control can be
adequately designed and automated.
© The Institute of Chartered Accountants of India
RISK ASSESSMENT AND INTERNAL CONTROL 3.61
The extent and nature of the risks to internal control vary depending on the nature
and characteristics of the entity’s information system. The entity responds to the
risks arising from the use of IT or from use of manual elements in internal control
by establishing effective controls in light of the characteristics of the entity’s
information system.
10. AUDIT APPROACH IN AN AUTOMATED
ENVIRONMENT
11. DATA ANALYTICS FOR AUDIT
In today’s digital age when companies rely on more and more on IT systems and
networks to operate business, the amount of data and information that exists in
these systems is enormous. The combination of processes, tools and techniques
that are used to tap vast amounts of electronic data to obtain meaningful
information is called data analytics. While it is true that companies can benefit
immensely from the use of data analytics in terms of increased profitability, better
customer service, gaining competitive advantage, more efficient operations, etc.,
even auditors can make use of similar tools and techniques in the audit process
and obtain good results.
© The Institute of Chartered Accountants of India
3.62 AUDITING AND ETHICS
The tools and techniques that auditors use in applying the principles of data
analytics are known as Computer Assisted Auditing Techniques or CAATs in short.
Data analytics can be used in testing of electronic records and data residing in IT
systems using spreadsheets and specialised audit tools viz., IDEA and ACL to
perform the following:
Check completeness of data and population that is used in either test of
controls or substantive audit tests.
Selection of audit samples – random sampling, systematic sampling.
Re-computation of balances – reconstruction of trial balance from transaction
data.
Reperformance of mathematical calculations – depreciation, bank interest
calculation.
Analysis of journal entries
Fraud investigation.
Evaluating impact of control deficiencies.
12. DIGITAL AUDIT
Entities are embracing digitization as part of their operations to keep pace with
changing times. New technologies are helping companies revamp their
operations and rethink the way business is conducted. Companies are
restructuring their business models driven by technology. Automation is key to
digitization.
In such a business environment, use of digital technology is being made by
auditors right from planning to expression of final opinion. Auditors are making
use of artificial intelligence, data analytics and other latest technologies to help
understand business processes in a better way. By using such tools, auditors can
conduct audit in a better way and devote more attention to areas requiring
greater focus. Digital audit is helping auditors to better identify risks making use
of technology.
© The Institute of Chartered Accountants of India
RISK ASSESSMENT AND INTERNAL CONTROL 3.63
13. INTERNAL FINANCIAL CONTROLS AS PER
REGULATORY REQUIREMENTS
The term Internal Financial Controls (IFC) basically refers to the policies and
procedures put in place by companies for ensuring:
Reliability of financial reporting
Effectiveness and efficiency of operations
Compliance with applicable laws and regulations
Safeguarding of assets
Prevention and detection of frauds
The Companies Act, 2013 has placed a greater emphasis on the effective
implementation and reporting on the internal controls for a company. The term
“internal financial controls” is used at some places in Companies Act, 2013 casting
responsibilities as under: -
Relevant provision of Nature of Responsibility
Companies Act,2013
Section 134 (5)(e) In case of listed Companies, the Directors’
responsibility statement shall state that the Directors
had laid down Internal financial controls to be followed
by the company and that such Internal financial
controls are adequate and were operating effectively.
Section 143(3)(i) of the The auditor’s report shall state whether the company
Act has adequate Internal financial controls system in
place and also on the operating effectiveness of such
controls.
This requirement shall not apply to a private company
which –
(i) is One Person Company or a small company; or
(ii) has turnover less than ₹ 50 crore as per latest
audited Financial Statements; and which has
aggregate borrowings from banks or financial
institutions or any body corporate at any point
© The Institute of Chartered Accountants of India
3.64 AUDITING AND ETHICS
of time during the financial Year for less than ₹
25 crore.
Section 177(4)(vii) of Every audit Committee shall act in accordance with the
the Act terms of reference specified in writing by the Board
which shall, inter alia, include - evaluation of internal
financial controls and risk management systems.
As per Section 149(8) of The company and independent directors shall abide by
the Act the provisions specified in Schedule IV which lays
down the Code for independent Directors. As per this
code, the role and functions of independent directors
include that they shall satisfy themselves on the
integrity of financial information and that financial
controls and the systems of risk management are
robust and defensible.
The directors and management have primary responsibility of implementing and
maintaining an effective internal controls framework and auditors are expected to
evaluate, validate and report on the design and operating effectiveness of internal
financial controls.
14. DOCUMENTING THE RISKS
The auditor shall document:
(a) The discussion among the engagement team and the significant decisions
reached
(b) Key elements of the understanding obtained regarding each of the aspects
of the entity and its environment and of each of the internal control
components, the sources of information from which the understanding was
obtained; and the risk assessment procedures performed
(c) The identified and assessed risks of material misstatement at the financial
statement level and at the assertion level and
(d) The risks identified, and related controls about which the auditor has
obtained an understanding.
© The Institute of Chartered Accountants of India
RISK ASSESSMENT AND INTERNAL CONTROL 3.65
15. ASSESS AND REPORT AUDIT FINDINGS
At the conclusion of each audit, it is possible that there will be certain findings or
exceptions in IT environment and IT controls of the company that need to be
assessed and reported to relevant stakeholders including management and those
charged with governance viz., Board of directors, Audit committee .
Some points to consider are as follows:
Are there any weaknesses in IT controls?
What is the impact of these weaknesses on overall audit?
Report deficiencies to management – Internal controls memo or
Management letter.
Communicate in writing any significant deficiencies to those Charged with
governance.
The auditor needs to assess each finding or exception to determine impact on the
audit and evaluate if the exception results in a deficiency in internal control.
A deficiency in internal control exists if a control is designed, implemented or
operated in such a way that it is unable to prevent, or detect and correct,
misstatements in the financial statements on a timely basis; or the control is
missing. Evaluation and assessment of audit findings and control deficiencies
involves applying professional judgement that include considerations for
quantitative and qualitative measures. Each finding should be looked at individually
and in the aggregate by combining with other findings/deficiencies.
16. THE AUDITOR’S RESPONSES TO ASSESSED
RISKS
SA 330- The auditor’s responses to assessed risks deals with the auditor’s
responsibility to design and implement responses to the risks of material
misstatement identified and assessed by the auditor in accordance with SA 315,
“Identifying and Assessing Risks of Material Misstatement Through Understanding
the Entity and Its Environment” in a financial statement audit.
© The Institute of Chartered Accountants of India
3.66 AUDITING AND ETHICS
The objective of the auditor is to obtain sufficient appropriate audit evidence about
the assessed risks of material misstatement, through designing and implementing
appropriate responses to those risks.
SA 330 states that: -
(a) The auditor shall design and implement overall responses to address the
assessed risks of material misstatement at the financial statement level.
(b) The auditor shall design and perform further audit procedures whose nature,
timing and extent are based on and are responsive to the assessed risks of
material misstatement at the assertion level.
In designing the further audit procedures to be performed, the auditor shall:
(a) Consider the reasons for the assessment given to the risk of material
misstatement at the assertion level for each class of transactions, account
balance, and disclosure, including:
(i) The likelihood of material misstatement due to the particular
characteristics of the relevant class of transactions, account balance, or
disclosure (i.e., the inherent risk); and
(ii) Whether the risk assessment takes into account the relevant controls
(i.e., the control risk), thereby requiring the auditor to obtain audit
evidence to determine whether the controls are operating effectively
(i.e., the auditor intends to rely on the operating effectiveness of
controls in determining the nature, timing and extent of substantive
procedures); and
(b) Obtain more persuasive audit evidence the higher the auditor’s assessment
of risk.
The auditor shall design and perform tests of controls to obtain sufficient
appropriate audit evidence as to the operating effectiveness of relevant
controls when:
(a) The auditor’s assessment of risks of material misstatement at the assertion
level includes an expectation that the controls are operating effectively (i.e.,
the auditor intends to rely on the operating effectiveness of controls in
determining the nature, timing and extent of substantive procedures); or
(b) Substantive procedures alone cannot provide sufficient appropriate audit
evidence at the assertion level.
© The Institute of Chartered Accountants of India
RISK ASSESSMENT AND INTERNAL CONTROL 3.67
In designing and performing tests of controls, the auditor shall obtain more
persuasive audit evidence the greater the reliance the auditor places on the
effectiveness of a control.
A higher level of assurance may be sought about the operating effectiveness of
controls when the approach adopted consists primarily of tests of controls, in
particular, where it is not possible or practicable to obtain sufficient appropriate
audit evidence only from substantive procedures.
16.1 Nature and Extent of Test of Controls
In designing and performing test of controls, the auditor shall:
(a) Perform other audit procedures in combination with inquiry to obtain audit
evidence about the operating effectiveness of the controls, including:
(i) How the controls were applied at relevant times during the period
under audit.
(ii) The consistency with which they were applied.
(iii) By whom or by what means they were applied.
(b) Determine whether the controls to be tested depend upon other controls
(indirect controls), and if so, whether it is necessary to obtain audit evidence
supporting the effective operation of those indirect controls.
Inquiry alone is not sufficient to test the operating effectiveness of controls.
Accordingly, other audit procedures are performed in combination with inquiry.
In this regard, inquiry combined with inspection or reperformance may provide
more assurance than inquiry and observation, since an observation is pertinent
only at the point in time at which it is made.
The nature of the particular control influences the type of procedure required to
obtain audit evidence about whether the control was operating effectively.
For example, if operating effectiveness is evidenced by documentation, the
auditor may decide to inspect it to obtain audit evidence about operating
effectiveness.
When more persuasive audit evidence is needed regarding the effectiveness of a
control, it may be appropriate to increase the extent of testing of the control as
well as the degree of reliance on controls.
© The Institute of Chartered Accountants of India
3.68 AUDITING AND ETHICS
Matters the auditor may consider in determining the extent of test of controls
include the following:
The frequency of the performance of the control by the entity during the
period.
The length of time during the audit period that the auditor is relying on the
operating effectiveness of the control.
The expected rate of deviation from a control.
The relevance and reliability of the audit evidence to be obtained regarding
the operating effectiveness of the control at the assertion level.
The extent to which audit evidence is obtained from tests of other controls
related to the assertion.
16.2 Timing of Test of Controls
The auditor shall test controls for the particular time, or throughout the period, for
which the auditor intends to rely on those controls in order to provide an
appropriate basis for the auditor’s intended reliance. Audit evidence pertaining
only to a point in time may be sufficient for the auditor’s purpose, for example,
when testing controls over the entity’s physical inventory counting at the period
end. If, on the other hand, the auditor intends to rely on a control over a period,
tests that are capable of providing audit evidence that the control operated
effectively at relevant times during that period are appropriate. Such tests may
include tests of the entity’s monitoring of controls.
16.3 Using Audit Evidence Obtained in Previous Audits
In determining whether it is appropriate to use audit evidence about the operating
effectiveness of controls obtained in previous audits, and, if so, the length of the
time period that may elapse before retesting a control, the auditor shall consider
the following:
© The Institute of Chartered Accountants of India
RISK ASSESSMENT AND INTERNAL CONTROL 3.69
(a) The effectiveness of other elements of internal control, including the control
environment, the entity’s monitoring of controls, and the entity’s risk
assessment process
(b) The risks arising from the characteristics of the control, including whether it
is manual or automated
(c) The effectiveness of general IT-controls
(d) The effectiveness of the control and its application by the entity, including
the nature and extent of deviations in the application of the control noted in
previous audits, and whether there have been personnel changes that
significantly affect the application of the control
(e) Whether the lack of a change in a particular control poses a risk due to
changing circumstances and
(f) The risks of material misstatement and the extent of reliance on the control
If the auditor plans to use audit evidence from a previous audit about the operating
effectiveness of specific controls, the auditor shall establish the continuing
relevance of that evidence by obtaining audit evidence about whether significant
changes in those controls have occurred subsequent to the previous audit.
16.4 Evaluating the Operating Effectiveness of Controls
When evaluating the operating effectiveness of relevant controls, the auditor shall
evaluate whether misstatements that have been detected by substantive
procedures indicate that controls are not operating effectively. The absence of
misstatements detected by substantive procedures, however, does not provide
audit evidence that controls related to the assertion being tested are effective. A
material misstatement detected by the auditor’s procedures is a strong indicator of
the existence of a significant deficiency in internal control.
16.5 Specific inquiries by auditor when deviations from
controls are detected
When deviations from controls upon which the auditor intends to rely are detected,
the auditor shall make specific inquiries to understand these matters and their
© The Institute of Chartered Accountants of India
3.70 AUDITING AND ETHICS
potential consequences, and shall determine whether:
(a) The test of controls that have been performed provide an appropriate basis
for reliance on the controls
(b) Additional test of controls are necessary or
(c) The potential risks of misstatement need to be addressed using substantive
procedures.
Irrespective of the assessed risks of material misstatement, the auditor shall design
and perform substantive procedures for each material class of transactions, account
balance, and disclosure.
This requirement reflects the facts that:
(i) the auditor’s assessment of risk is judgmental and so may not identify all risks
of material misstatement and
(ii) there are inherent limitations to internal control, including management
override.
Substantive procedures are audit procedures designed to detect material
misstatements at the assertion level. Substantive procedures comprise: (i) Tests of
details (of classes of transactions, account balances, and disclosures), and (ii)
Substantive analytical procedures.
16.6 Tests of Details
Tests of details are further classified into tests of transactions i.e., vouching and
tests of balances i.e., verification.
For example, a purchase transaction may be verified by examining the related
purchase invoice, goods received note, inward gate entry register. Such tests of
transactions help in establishing the authenticity of transactions recorded in books
of accounts.
Tests of balances consist of verification of assets as well as liabilities. Verification of
an item of fixed asset, for example, would help in establishing existence of that
asset as on date of balance sheet. This may be obtained by reviewing entity’s plan
for performing physical verification of fixed assets and obtaining evidence for
performance of physical verification of fixed assets by management.
© The Institute of Chartered Accountants of India
RISK ASSESSMENT AND INTERNAL CONTROL 3.71
16.7 Substantive analytical procedures
Substantive analytical procedures refer to analytical procedures used as substantive
procedures by auditor. The term “analytical procedures” means evaluations of
financial information through analysis of plausible relationships among both
financial and non-financial data. Analytical procedures also encompass such
investigation as is necessary of identified fluctuations or relationships that are
inconsistent with other relevant information or that differ from expected values by
a significant amount.
The use of widely recognised ratios (such as profit margins for different types of
retail entities) can often be used effectively in substantive analytical procedures to
provide evidence to support the reasonableness of recorded amounts.
Analytical procedures involving, for example, the prediction of total rental income
on a building divided into apartments, taking the rental rates, the number of
apartments and vacancy rates into consideration, can provide persuasive evidence
and may eliminate the need for further verification by means of tests of details.
Substantive analytical procedures are generally more applicable to large volumes
of transactions that tend to be predictable over time.
16.7.1 Nature and extent of Substantive procedures
Depending on the circumstances, the auditor may determine that:
• Performing only substantive analytical procedures will be sufficient to reduce
audit risk to an acceptably low level. For example, where the auditor’s
assessment of risk is supported by audit evidence from tests of controls.
• Only tests of details are appropriate.
• A combination of substantive analytical procedures and tests of details are
most responsive to the assessed risks.
Because the assessment of the risk of material misstatement takes account of
internal control, the extent of substantive procedures may need to be increased
when the results from test of controls are unsatisfactory.
In designing tests of details, the extent of testing is ordinarily thought of in terms
of the sample size. However, other matters are also relevant, including whether it
is more effective to use other selective means of testing.
© The Institute of Chartered Accountants of India
3.72 AUDITING AND ETHICS
Auditor's responses
to assessed risks
Substantive
Tests of Controls
Procedures
Substantive
Tests of Details
analytical procedures
Tests of
Tests of balances
transactions
i.e.verification
i.e.vouching
Test Your Understanding 9
Zomba Products Private limited is a small company. The control systems in the
company are rudimentary. How, you as an auditor of the company, would proceed
to evaluate internal control of the company?
Test Your Understanding 10
A Chartered accountant during course of audit of a company finds that cash is not
deposited into bank frequently although concerned staff of company was required
to do so. Further, the official responsible for ensuring performance of above
function, has also not paid any attention to it. Discuss what does it represent from
auditor’s perspective.
© The Institute of Chartered Accountants of India
RISK ASSESSMENT AND INTERNAL CONTROL 3.73
CASE STUDY-1
CA Paritosh is auditor of a company. The financial statements of the company have
just been received for audit. Following issues have been flagged pertaining to the
financial statements of the company for purpose of risk assessment: -
(i) The revenue of company has fallen from ` 50 crore in last year to ` 5 crore in
current year (for which financial statements have been received for audit) due
to lack of demand in the market for company’s products.
(ii) Due to advent of new products in the market, company’s products are fast
becoming outdated.
(iii) A large customer having an outstanding balance of ` 5 crore has failed to pay
to the company despite efforts made by the company.
(iv) Inventory holding period has increased from 30 days in last year to 90 days.
(v) The company also gets carried out job operations from third parties.
Therefore, parts of inventories are lying with third parties.
Based on above, answer the following questions: -
1. Regarding drastic fall in revenue of the company, which of the following is an
audit risk?
(a) Fall in revenue would result in fall of profits for the company.
(b) Drastic fall in revenue may imply that company is not able to carry out
its operations in foreseeable future due to lack of demand in the market
for company’s products. There is a risk that going concern disclosure is
omitted to be made in financial statements.
(c) The company can explore some new line of activity, if demand of its
products is falling.
(d) Fall in revenue would mean lower tax liabilities for the company.
2. The company’s products are getting outdated in the market. Which of the
following is an audit risk?
(a) The company should devise strategies to sell products in the market.
(b) Inventories may be understated in such a scenario.
© The Institute of Chartered Accountants of India
3.74 AUDITING AND ETHICS
(c) Inventories may be overstated in such a scenario.
(d) The company should launch a 1+1 free offer for its customers.
3. A large customer has failed to pay to the company. Identify audit risk from
below:
(a) Receivables may be misstated if irrecoverable debt is not written off.
(b) Receivables may be overstated if irrecoverable debt is not written off.
(c) Writing off irrecoverable debt would impact profits of company adversely.
(d) Failure to recover outstanding debt would impact cash flows of company
adversely.
4. Identify audit risk involved when inventory holding period has increased from
30 days to 90 days.
(a) There is a risk of overstatement of inventories.
(b) There is a risk relating to existence of inventories.
(c) There is a risk that slow movement of stocks would increase tax liability
when GST rates are increased.
(d) There is a risk relating to holding and storage cost of inventories.
5. Part of inventories are lying with third parties. Identify audit risk involved.
(a) There is a risk that third parties do not manufacture according to
specifications of the company.
(b) There is a risk that by getting job work done from third parties, company
is increasing its costs.
(c) There is a risk that sufficient and appropriate evidence would not be
available in respect of quantity and condition of inventories lying with
third parties.
(d) There is a risk that sufficient and appropriate evidence would not be
available for quality control in respect of inventories lying with third
parties.
Answers to Questions involving Case Study 1
1. (b) 2. (c) 3. (b) 4. (a) 5. (c)
© The Institute of Chartered Accountants of India
RISK ASSESSMENT AND INTERNAL CONTROL 3.75
CASE STUDY-2
CA Piyush is understanding internal controls as part of audit exercise of a company.
It is a new client. He has studied controls in place in various operational areas of
the company. After studying and gaining an understanding of such controls, he has
decided to test few controls to actually see whether these are operating as intended
by the management.
Till now, he has studied controls over inventories and bank. Few of such controls
are listed below: -
Nature of Control Control description
Control over inventories Inventories of the company lying at each location
should be insured.
Control over inventories There should be inventory counts on a regular
basis for each location of the company.
Control over Bank operations Bank reconciliations are to be performed at
regular intervals.
Based on above, answer the following questions: -
1. Which of the following most appropriately describes test of control regarding
insurance of inventories?
(a) Inspect insurance policies to verify that inventories at each location are
insured for fire and burglary. The sum insured and period of validity of
policy are not relevant.
(b) Inspect insurance policies to verify that inventories at each location are
comprehensively insured. Ensure adequacy of sum insured by comparing
it with value of inventories. Also ensure policy period has not expired.
(c) Inspect insurance policies to verify that inventories at each location are
comprehensively insured. Ensure policy period has not expired.
(d) Inspect insurance policies to verify that inventories at each location are
insured for fire and burglary. Ensure policy period has not expired.
© The Institute of Chartered Accountants of India
3.76 AUDITING AND ETHICS
2. Which of the following most appropriately describes test of control regarding
inventory counts?
(a) Obtain detail of inventory counting procedure and ensure that inventory
count is carried out according to laid down procedure.
(b) Obtain detail of inventory counting procedure and ensure that inventory
count is carried out according to laid down procedure. Attend inventory
count.
(c) Obtain detail of inventory counting procedure and ensure that inventory
count is carried out according to laid down procedure. Attend inventory
count and perform test count.
(d) Attend inventory count and perform test count.
3. While testing control over bank reconciliations, it has been noticed that bank
reconciliations are not being performed at regular intervals. Identify the most
appropriate description of “control deficiency” in this regard: -
(a) Bank reconciliations are not being performed regularly as concerned staff
is overburdened.
(b) Bank reconciliations are not being performed regularly as concerned staff
is overburdened. It could result in errors.
(c) Bank reconciliations are not being performed regularly as concerned staff
is overburdened. It could result in errors. It may result in misstatement of
cash and bank balance in financial statements.
(d) Bank reconciliations are not being performed regularly as concerned staff
is overburdened. These should be performed monthly and reviewed by
senior accountant.
4. Since the company is a new client, which of the following statements is most
appropriate?
(a) There is reduced detection risk.
(b) There is increased detection risk.
(c) There is no effect on detection risk.
(d) Detection risk should be increased to lower audit risk.
© The Institute of Chartered Accountants of India
RISK ASSESSMENT AND INTERNAL CONTROL 3.77
5. Which of the following statements is most appropriate regarding auditor’s
response to assessed risk of a new client?
(a) More substantive procedures would require to be performed.
(b) Less substantive procedures would require to be performed.
(c) There is no effect on substantive procedures.
(d) There is no effect on substantive procedures as audit risk is low.
Answers to Questions involving case study 2
1. (b) 2. (c) 3. (c) 4. (b) 5. (a)
SUMMARY
♦ Audit risk means the risk that the auditor gives an inappropriate audit opinion
when the financial statements are materially misstated. Audit risk is a function
of the risks of material misstatement and detection risk.
♦ Risks of material misstatements consists of two components i.e., inherent risk
and control risk.
♦ There is always a risk that before considering any existence of internal control
in an entity, a particular transaction, balance of an account or a disclosure
required to be made in the financial statements of an entity have a chance of
being misstated and such misstatement can be material. This risk is known as
inherent risk.
♦ Control risk is a risk that internal control existing and operating in an entity
would not be efficient enough to stop from happening, or find and then
rectify in an appropriate time, any material misstatement relating to a
transaction, balance of an account or disclosure required to be made in the
financial statements of that entity.
♦ Detection risk is the risk that the procedures performed by the auditor to
reduce audit risk to an acceptably low level will not detect a misstatement
that exists and that could be material, either individually or when aggregated
with other misstatements. It comprises of sampling and non-sampling risk.
♦ The assessment of risks is a matter of professional judgment, rather than a
matter capable of precise measurement.
© The Institute of Chartered Accountants of India
3.78 AUDITING AND ETHICS
♦ Misstatements, including omissions, are considered to be material if they,
individually or in the aggregate, could reasonably be expected to influence
the economic decisions of users taken on the basis of the financial
statements.
♦ Performance materiality means the amount or amounts set by the auditor at
less than materiality for the financial statements as a whole to reduce to an
appropriately low level the probability that the aggregate of uncorrected and
undetected misstatements exceeds materiality for the financial statements as
a whole.
♦ Obtaining an understanding of the entity and its environment, including the
entity’s internal control is a continuous, dynamic process of gathering,
updating and analysing information throughout the audit.
♦ Internal control is the process designed, implemented and maintained by
those charged with governance, management and other personnel to provide
reasonable assurance about the achievement of an entity’s objectives with
regard to reliability of financial reporting, effectiveness and efficiency of
operations, safeguarding of assets, and compliance with applicable laws and
regulations.
♦ Significant risks often relate to significant nonroutine transactions or
judgmental matters.
♦ A proper understanding of the internal control system in its content and
working also enables an auditor to decide upon the appropriate audit
procedure to be applied in different areas to be covered in the audit
programme.
♦ Methods of evaluating internal control include narrative record, checklist,
internal control questionnaire and flow chart.
♦ Test of controls are performed to obtain audit evidence about the
effectiveness of the design of the accounting and internal control system and
operation of the internal control throughout the period.
♦ The complexity of a business environment depends on the level of
automation i.e., if a business environment is more automated, it is likely to be
more complex.
© The Institute of Chartered Accountants of India
RISK ASSESSMENT AND INTERNAL CONTROL 3.79
♦ Controls in an automated environment include general IT controls,
application controls and IT-dependent controls.
♦ The combination of processes, tools and techniques that are used to tap vast
amounts of electronic data to obtain meaningful information is called data
analytics.
♦ The objective of the auditor is to obtain sufficient appropriate audit evidence
about the assessed risks of material misstatement, through designing and
implementing appropriate responses to those risks.
TEST YOUR KNOWLEDGE
MCQs based Questions
1. Which of the following is true regarding materiality?
(a) It is unaffected by nature of an item.
(b) It is unaffected by requirements of law or regulations.
(c) It is not a matter of professional judgment.
(d) It is not always a matter of relative size.
2. The operations of a company are automated substantially. Which of the
following statements is most appropriate in this respect?
(a) It results in complex business environment.
(b) It results in simple business environment and easier audit.
(c) Automation has no relationship with complexity of business environment.
(d) It results in simple business environment. However, it increases
complexity of audit.
3. Who is responsible for maintaining effective internal financial controls?
(a) Statutory auditor
(b) Audit Committee
(c) Management
(d) Shareholders
© The Institute of Chartered Accountants of India
3.80 AUDITING AND ETHICS
4. Which of the following is not a risk to a company’s internal control due to its
IT environment?
(a) Potential loss of data
(b) Inability to access data when required
(c) Unauthorized access to data
(d) Processing of large volumes of data
5. Which of the following is not an example of “General IT controls”?
(a) Controls pertaining to Disaster recovery plan
(b) Controls pertaining to batch preparation
(c) Controls pertaining to data security
(d) Controls pertaining to validation of input data in an application
Correct/Incorrect
State with reasons (in short) whether the following statements are
correct or incorrect:
(i) There is direct relationship between materiality and the degree of audit risk.
(ii) Control risk is the susceptibility of an account balance or class of transactions
to misstatement that could be material either individually or, when aggregated
with misstatements in other balances or classes, assuming that there were no
related internal controls.
(iii) Tests of control are performed to obtain audit evidence about the effectiveness
of Internal Controls Systems.
(iv) Maintenance of Internal Control System is the responsibility of the Statutory
Auditor.
Theoretical Questions
1. Discuss how “analytical procedures” performed as “risk assessment procedures”
can be useful to an auditor.
2. Is materiality required to be documented by the auditor? What factors have to
be considered this regard?
© The Institute of Chartered Accountants of India
RISK ASSESSMENT AND INTERNAL CONTROL 3.81
3. Discuss relationship between “General IT controls” and “application controls”
in an automated environment.
4. A company functions in an automated environment. Discuss in what areas data
analytics can be useful for auditor of the company.
5. What is understood by “non-routine” transactions? Briefly outline why risks of
material misstatement is greater for such transactions.
6. The auditor shall obtain an understanding of the major activities that the entity
uses to monitor internal control over financial reporting” Explain.
7. “Risk of material misstatement consists of two components” Explain clearly
defining risk of material misstatement.
8. “The SAs do not ordinarily refer to inherent risk and control risk separately, but
rather to a combined assessment of the “risks of material misstatement””
Explain
9. “The auditor shall obtain an understanding of the control environment” Explain
stating what is included in control environment.
10. Internal control over safeguarding of assets against unauthorised acquisition,
use, or disposition may include controls relating to both financial reporting and
operations objectives. Explain stating clearly the objectives of Internal Control.
ANSWERS/SOLUTIONS
Answers to the MCQs based Questions
1. d 2. a 3. c 4. d 5. d
Answers to Correct/Incorrect
(i) Incorrect: There is an inverse relationship between materiality and the degree
of audit risk. The higher the materiality level, the lower the audit risk and vice
versa. For example, the risk that a particular account balance or class of
transactions could be misstated by an extremely large amount might be very
low but the risk that it could be misstated by an extremely small amount
might be very high.
© The Institute of Chartered Accountants of India
3.82 AUDITING AND ETHICS
(ii) Incorrect: Inherent risk is the susceptibility of an account balance or class of
transactions to misstatement that could be material either individually or,
when aggregated with misstatements in other balances or classes, assuming
that there were no related internal controls. Control risk, on the other hand
is the risk that a misstatement that could occur in an assertion about a class of
transaction, account balance or disclosure and that could be material, either
individually or when aggregated with other misstatements, will not be
prevented, or detected and corrected, on a timely basis by the entity’s internal
control.
(iii) Correct: Tests of Control are performed to obtain audit evidence about the
effectiveness of:
(a) the design of the accounting and internal control systems that is
whether, they are suitably designed to prevent or detect or correct
material misstatements and
(b) the operation of the internal controls throughout the period.
(iv) Incorrect: The management is responsible for maintaining an adequate
accounting system incorporating various internal controls to the extent
appropriate to the size and nature of the business. Maintenance of Internal
Control System is responsibility of management because the internal control
is the process designed, implemented and maintained by those charged with
governance/management to provide reasonable assurance about the
achievement of entity’s objectives.
Answers to Theoretical Questions
1. Refer to heading on “What is included in risk assessment procedures” and
gather usefulness of analytical procedures performed as risk assessment
procedures.
2. Refer to heading on “documenting the materiality”.
3. Refer to heading on “General IT controls vs. Application controls”.
4. Refer to heading on “data analytics”
5. Refer to heading on “identifying significant risks”.
6. Refer to heading on “Internal Control”
© The Institute of Chartered Accountants of India
RISK ASSESSMENT AND INTERNAL CONTROL 3.83
7. Refer to heading “Components of risk of material misstatement”.
8. Refer to heading on “Combined Assessment of the Risk of Material
Misstatement”.
9. Refer to heading on “Internal Control”.
10. Objectives of Internal Control
Internal control over safeguarding of assets against unauthorised acquisition,
use, or disposition may include controls relating to both financial reporting and
operations objectives. The auditor’s consideration of such controls is generally
limited to those relevant to the reliability of financial reporting. For example,
use of access controls, such as passwords, that limit access to the data and
programs that process cash disbursements may be relevant to a financial
statement audit. Conversely, safeguarding controls relating to operations
objectives, such as controls to prevent the excessive use of materials in
production, generally are not relevant to a financial statement audit.
Objectives of Internal Control are :
(i) transactions are executed in accordance with managements general or
specific authorization;
(ii) all transactions are promptly recorded in the correct amount in the
appropriate accounts and in the accounting period in which executed
so as to permit preparation of financial information within a framework
of recognized accounting policies and practices and relevant statutory
requirements, if any, and to maintain accountability for assets;
(iii) assets are safeguarded from unauthorised access, use or disposition;
and
(iv) the recorded assets are compared with the existing assets at reasonable
intervals and appropriate action is taken with regard to any differences.
Answers to Questions involving Test your Understanding
1. It has been stated that many companies engaged in providing holistic
solutions to problem of stubble burning have not been successful. It shows
that line of activity is inherently risky. Therefore, there is a greater possibility
© The Institute of Chartered Accountants of India
3.84 AUDITING AND ETHICS
of misstatements. The component of risks of material misstatement involved
is “inherent risk.”
2. The company has devised a control that its inventory of perishable goods is
stored in appropriate conditions and responsibility is fixed on two persons to
monitor environment using sensors and to report on deviations. There is a
possibility that persons given responsibility do not perform their work and
report deviations. The component of risks of material misstatement is “control
risk”.
3. There is a possibility that planned audit procedures may not achieve desired
result and fail to detect misstatements in revenue recognition. The risk
alluded to it is “detection risk”.
4. Jo Jo Limited is planning to list on Bombay Stock Exchange next year. There
is a greater chance of misstatements in the financial statements due to
planned listing next year. There could be a possibility of intentional
manipulation of financial statements so that good response is received to
proposed issue. Therefore, there is increased audit risk i.e., risk of expressing
inappropriate opinion by the auditor when financial statements are materially
misstated.
5. It is noticed by the auditor that current ratio has improved from 1.20:1 (in
preceding year) to 1.75:1 (in current year). The auditor is using “analytical
procedures” as risk assessment procedures. Current ratio has improved from
previous year. There could be a possibility of misstatement in current assets
and current liabilities. It is possible that improvement in current ratio is
artificial due to misstatements and has been done to secure good response
to the proposed issue of company next year.
6. If there is any statutory requirement of disclosure, it is to be considered
material. Schedule III mandates disclosure of nature of security in relation to
loan. The amount involved is irrelevant.
7. The study of company policies and practices regarding employee recruitment,
training, orientation and related matters including hiring of best candidates
is part of understanding HR function of the company. It, in turn, helps in
© The Institute of Chartered Accountants of India
RISK ASSESSMENT AND INTERNAL CONTROL 3.85
understanding control environment of the company. By gaining such a
knowledge, she can better understand internal control of the company.
8. She is keen to find out whether there exists a proper system of segregation
of duties in the company. She is gaining an understanding of internal control
of the company. In particular, she is understanding “control activities”. When
a person recording a transaction is different from one authorizing it, she gains
confidence that there exists a system for preventing misstatements. It helps
her in gaining insight into the internal control system of the company.
9. In a small company, control systems are basic and not formalized. Therefore,
auditor should proceed to evaluate internal control using narrative record.
10. Cash is not deposited into bank frequently, although, concerned staff of
company was required to do so. Further, the official responsible for ensuring
performance of above function, has also not paid any attention to it. It means
that control is not working as planned. It would not be able to prevent
misstatement and very purpose of control is defeated. It represents a “control
deficiency”.
© The Institute of Chartered Accountants of India
CHAPTER a
6
AUDIT
DOCUMENTATION
LEARNING OUTCOMES
After studying this chapter, you would be able to understand-
Audit Documentation.
Nature and purpose of audit documentation.
Form, content and extent of audit documentation.
Audit documentation summary.
Audit file.
Assembly of the final audit file.
Ownership of audit documentation.
Practicality of above concepts by studying through examples
and case studies.
© The Institute of Chartered Accountants of India
a 6.2 AUDITING AND ETHICS
CHAPTER OVERVIEW
W
OBJECTIVE
A sufficient and appropriate record
of the basis for the auditor’s report
Evidence that the audit was planned
and performed in accordance with
SAs and applicable legal and
regulatory requirements
Property of the
Sufficient
Auditor
Audit Documentation Audit Evidence
Appropriate
Completion
Audit File
Memorandum
© The Institute of Chartered Accountants of India
AUDIT DOCUMENTATION 6.3 a
Sameer received a news alert on his mobile pointing to unconfirmed media reports of
providing a Digi locker type facility to auditors for keeping audit documentation in
times to come. He immediately grasped the idea as Aadhar card, senior secondary
school mark sheet and driving license were being stored by him in such an electronic
locker. “Such a facility, if it happened to materialize in future in whatever form, would
provide many benefits which come with such an electronic storage”, he pondered.
Audit evidence which an auditor obtains by performing various audit procedures along
with details of those procedures have to be put into writing. Further, inferences drawn
upon by the auditor from evidence obtained and conclusions reached are also
documented. Sameer was spontaneously nodding that auditing was, indeed, a logical
process.
Without proper documentation, an audit has no legs to stand upon. It is audit
documentation which serves as a record of audit work performed. He was also mulling
over that, in fact, audit documentation throws up a sort of protective shield around
auditors. If an auditor plans and performs his work professionally, his working papers
will come to his rescue, in case such a situation arises. Conclusions reached by him can
be traced to his working papers.
“Oh! That is importance of documentation”, he exclaimed. Now, he understood why
Shekhar’s seniors used to prompt him to make correspondence with company’s
officers on mail. Because, it is the documentation that makes the difference. They were
right because consequences of not making proper documentation were known to
them and poor guys like us were still on learning curve.
1. AUDIT DOCUMENTATION
SA 230 on “Audit Documentation”, deals with the auditor’s responsibility to prepare
audit documentation for an audit of financial statements. It is to be adapted as
necessary in the circumstances when applied to audits of other historical financial
information. The specific documentation requirements of other SAs do not limit the
application of this SA. Laws or regulations may establish additional documentation
requirements.
© The Institute of Chartered Accountants of India
a 6.4 AUDITING AND ETHICS
1.1 Definition of Audit Documentation:
Audit Documentation refers to the record of audit procedures performed, relevant
audit evidence obtained, and conclusions the auditor reached. (terms such as
“working papers” or “work papers” are also sometimes used.)
1.2 Objective of the Auditor:
The objective of the auditor is to prepare documentation that provides:
(a) A sufficient and appropriate record of the basis for the auditor’s report; and
(b) Evidence that the audit was planned and performed in accordance with SAs
and applicable legal and regulatory requirements.
• To prepare documentation that
provides:
a) A sufficient and appropriate
Objective of record of the basis for the
the Auditor auditor’s report; and
b) Evidence that the audit was
planned and performed in
accordance with SAs.
1.3 Nature of Audit Documentation
Audit documentation provides:
(a) evidence of the auditor’s basis for a conclusion about the achievement of the
overall objectives of the auditor; and
© The Institute of Chartered Accountants of India
AUDIT DOCUMENTATION 6.5 a
(b) evidence that the audit was planned and performed in accordance with SAs
and applicable legal and regulatory requirements.
1.4 Purpose of Audit Documentation
The following are the purpose of Audit documentation:
1. Assisting the engagement team to plan and perform the audit.
2. Assisting members of the engagement team to direct and supervise the audit
work, and to discharge their review responsibilities.
3. Enabling the engagement team to be accountable for its work.
4. Retaining a record of matters of continuing significance to future audits.
5. Enabling the conduct of quality control reviews and inspections in accordance
with SQC 1.
6. Enabling the conduct of external inspections in accordance with applicable
legal, regulatory or other requirements.
ILLUSTRATION 1
A new team member of the auditors of Extremely Vibrant Limited was of the view
that Audit Documentation does not help in planning the audit of any company.
Explain whether Audit Documentation has any relation with regard to planning the
audit of a company.
SOLUTION
Audit Documentation helps in planning the audit of a company in a proper manner
and also helps in conducting the audit of that company in a more effective way.
1.5 Form, Content and Extent of Audit Documentation
The auditor shall prepare audit documentation that is sufficient to enable an
experienced auditor, having no previous connection with the audit, to
understand:
(a) The nature, timing and extent of the audit procedures performed.
(b) The results of the audit procedures performed and the audit evidence
obtained and
© The Institute of Chartered Accountants of India
a 6.6 AUDITING AND ETHICS
(c) Significant matters arising during the audit and the conclusions reached
thereon and significant professional judgements made in reaching
those conclusions.
Further in documenting the nature, timing and extent of audit procedures
performed, the auditor shall record:
(a) The identifying characteristics of the specific items or matters tested.
(b) Who performed the audit work and the date such work was completed;
and
(c) Who reviewed the audit work performed and the date and extent of
such review.
The auditor shall document discussions of significant matters with
management, those charged with governance, and others, including the
nature of the significant matters discussed and when and with whom the
discussions took place.
If the auditor identified information that is inconsistent with the auditor’s final
conclusion regarding a significant matter, the auditor shall document how
the auditor addressed the inconsistency
The form, content and extent of audit documentation depend on
factors such as:
1. The size and complexity of the entity.
2. The nature of the audit procedures to be performed.
3. The identified risks of material misstatement.
4. The significance of the audit evidence obtained.
5. The nature and extent of exceptions identified.
6. The need to document a conclusion or the basis for a conclusion not readily
determinable from the documentation of the work performed or audit
evidence obtained.
7. The audit methodology and tools used.
1.6 Examples of Audit Documentation
Audit documentation may be recorded on paper or on electronic or other media.
© The Institute of Chartered Accountants of India
AUDIT DOCUMENTATION 6.7 a
Example
Audit Documentation include:
Audit programmes.
Analyses.
Issues memoranda.
Summaries of significant matters.
Letters of confirmation and representation.
Checklists.
Correspondence (including e-mail) concerning significant matters.
The auditor may include copies of the entity’s records (for example, significant and
specific contracts and agreements) as part of audit documentation. Audit
documentation is not a substitute for the entity’s accounting records.
The auditor need not include in audit documentation superseded drafts of working
papers and financial statements, notes that reflect incomplete or preliminary
thinking, previous copies of documents corrected for typographical or other errors,
and duplicates of documents.
Audit
Correspondence programmes
(including e-mail)
concerning Analyses
significant
matters
AUDIT
DOCUMENTATION
INCLUDE
Checklists Issues
memoranda
Letters of Summaries
confirmation of
and significant
representation matters
© The Institute of Chartered Accountants of India
a 6.8 AUDITING AND ETHICS
1.7 Timely Preparation of Audit Documentation
The auditor shall prepare audit documentation on a timely basis. Preparing
sufficient and appropriate audit documentation on a timely basis helps to enhance
the quality of the audit and facilitates the effective review and evaluation of the
audit evidence obtained and conclusions reached before the auditor’s report is
finalised. Documentation prepared after the audit work has been performed is likely
to be less accurate than documentation prepared at the time such work is
performed.
1.8 Audit File
Audit file may be defined as one or more folders or other storage media, in physical
or electronic form, containing the records that comprise the audit documentation
for a specific engagement.
one or more folders or other storage media
in physical or electronic form, containing the record
that comprise
the audit documentation for a specific engagement
ILLUSTRATION 2
While auditing the books of accounts of Very Careful Limited for the financial year
2020-21, a team member of the auditors of Very Careful Limited was of the view that
with regard to audit of the company, no relation exists between Audit File and Audit
Documentation. Explain the relationship between Audit File and Audit
Documentation.
SOLUTION
Audit file may be defined as one or more folders or other storage media, in physical
or electronic form, containing the records that comprise the audit documentation
for a specific engagement. The auditor shall assemble the audit documentation in
an audit file and complete the administrative process of assembling the final audit
file on a timely basis after the date of the auditor’s report.
© The Institute of Chartered Accountants of India
AUDIT DOCUMENTATION 6.9 a
1.9 Assembly of the Final Audit File
The auditor shall assemble the audit documentation in an audit file and complete
the administrative process of assembling the final audit file on a timely basis after
the date of the auditor’s report.
SQC 1 “Quality Control for Firms that perform Audits and Review of Historical
Financial Information, and other Assurance and related services”, requires
firms to establish policies and procedures for the timely completion of the
assembly of audit files.
An appropriate time limit within which to complete the assembly of the final
audit file is ordinarily not more than 60 days after the date of the auditor’s
report. The completion of the assembly of the final audit file after the date of
the auditor’s report is an administrative process that does not involve the
performance of new audit procedures or the drawing of new conclusions.
Changes may, however, be made to the audit documentation during the final
assembly process, if they are administrative in nature.
Examples of such changes include:
• Deleting or discarding superseded documentation.
• Sorting, collating and cross-referencing working papers.
• Signing off on completion checklists relating to the file assembly
process.
• Documenting audit evidence that the auditor has obtained, discussed
and agreed with the relevant members of the engagement team before
the date of the auditor’s report.
After the assembly of the final audit file has been completed, the auditor shall
not delete or discard audit documentation of any nature before the end of its
retention period.
SQC 1 requires firms to establish policies and procedures for the retention of
engagement documentation. The retention period for audit engagements
ordinarily is no shorter than seven years from the date of the auditor’s report,
or, if later, the date of the group auditor’s report.
© The Institute of Chartered Accountants of India
a 6.10 AUDITING AND ETHICS
1.10 Documentation of Significant Matters and Related
Significant Professional Judgements
Judging the significance of a matter requires an objective analysis of the facts and
circumstances.
Examples of significant matters include:
Matters that give rise to significant risks.
Results of audit procedures indicating (a) that the financial statements could
be materially misstated, or (b) a need to revise the auditor’s previous
assessment of the risks of material misstatement and the auditor’s responses
to those risks.
Circumstances that cause the auditor significant difficulty in applying
necessary audit procedures.
Findings that could result in a modification to the audit opinion or the
inclusion of an Emphasis of Matter Paragraph in the auditor’s report.
An important factor in determining the form, content and extent of audit
documentation of significant matters is the extent of professional judgement
exercised in performing the work and evaluating the results.
Documentation of the professional judgements made, where significant, serves to
explain the auditor’s conclusions and to reinforce the quality of the judgement.
Such matters are of particular interest to those responsible for reviewing audit
documentation, including those carrying out subsequent audits, when reviewing
matters of continuing significance (for example, when performing a retrospective
review of accounting estimates).
Some examples of circumstances in which it is appropriate to prepare audit
documentation relating to the use of professional judgement include, where
the matters and judgements are significant:
The rationale for the auditor’s conclusion when a requirement provides that the
auditor ‘shall consider’ certain information or factors, and that consideration is
significant in the context of the particular engagement.
The basis for the auditor’s conclusion on the reasonableness of areas of subjective
judgements (for example, the reasonableness of significant accounting estimates).
© The Institute of Chartered Accountants of India
AUDIT DOCUMENTATION 6.11 a
The basis for the auditor’s conclusions about the authenticity of a document when
further investigation (such as making appropriate use of an expert or of
confirmation procedures) is undertaken in response to conditions identified during
the audit that caused the auditor to believe that the document may not be
authentic.
1.11 Completion Memorandum or Audit Documentation
Summary
The auditor may consider it helpful to prepare and retain as part of the audit
documentation a summary (sometimes known as a completion memorandum) that
describes-
the significant matters identified during the audit and
how they were addressed.
Such a summary may facilitate effective and efficient review and inspection of the
audit documentation, particularly for large and complex audits. Further, the
preparation of such a summary may assist auditor’s consideration of the significant
matters. It may also help the auditor to consider whether there is any individual
relevant SA objective that the auditor cannot achieve that would prevent the
auditor from achieving the overall objectives of the auditor.
1.12 Ownership of Audit Documentation
Standard on Quality Control (SQC) 1 provides that, unless otherwise specified
by law or regulation, audit documentation is the property of the auditor.
He may at his discretion, make portions of, or extracts from, audit
documentation available to clients, provided such disclosure does not
undermine the validity of the work performed, or, in the case of assurance
engagements, the independence of the auditor or of his personnel.
© The Institute of Chartered Accountants of India
a 6.12 AUDITING AND ETHICS
Standard on Quality Control
(SQC) 1 provides that audit
documentation is the property of He may make portions of, or
the auditor. extracts from, audit documentation
available to clients subject to some
conditions.
ILLUSTRATION 3
A director of Very Different Limited was of the view that Audit Documentation of a
company is the property of that company. Comment on the contention of the director
regarding the audit documentation of the company.
SOLUTION
Audit Documentation of a company is not the property of the company rather Audit
Documentation is the property of Auditor of that company.
Test Your Understanding 1
During the course of audit of a company, an issue arose relating to treatment of
interest costs of company on its restructured loans taken from a bank. This
important matter was discussed with CFO of the company and was properly
resolved. Is it necessary for the auditor to include in its working papers?
Test Your Understanding 2
CA Sonali Morarka has completed audit of a listed company. The audit report dated
15th July, 2022 has been issued. However, audit working papers including record
of discussions with management, details of audit procedures performed to obtain
audit evidence and conclusions reached by her have not been properly assembled.
More than six months have elapsed after issue of audit report. Subsequently, she
has received a letter from regulator in connection with audit of the company
requesting her to share copy of audit file.
© The Institute of Chartered Accountants of India
AUDIT DOCUMENTATION 6.13 a
The letter has woken up her from deep slumber. She hurriedly assembled audit file
and inserted some more papers which were necessary. However, she put current
date on these inserted papers and the copy of audit file was sent to regulator.
Discuss, the issues involved, in context of “audit documentation”.
CASE STUDY
CA Rajan Pillai is heading the engagement team conducting audit of a company.
While audit is in progress, consider following issues regarding audit
documentation:-
(A) Audit programme was prepared assigning responsibilities for different types
of works to be performed to team members. The engagement team consists
of 4 members Mohit (CA final student), Rohit (CA final student), Shobhit (Paid
CA) and CA Rajan Pillai (partner of audit firm).
(B) The team has determined materiality for financial statements as a whole.
(C) The team has assessed risks of material misstatements to be low.
(D) CA Shobhit is responsible for attending inventory count process and putting
down its documentation part.
(E) During the course of audit, many related party transactions have come to
notice.
On the basis of above, answer the following questions:
(1) Work relating to verification of revenue was assigned to Mohit in audit
programme. However, it is being performed by Rohit actually. Verification of
trade receivables was planned to be carried out by Rohit in audit programme.
However, it being performed by CA Rajan Pillai due to last minute practical
issues. Which of the following statements is most appropriate in this regard
relating to audit documentation?
(a) Audit programme contains names of persons and work to be performed.
It is immaterial whether work assigned to one person is performed by
another person.
(b) Audit programme was already prepared. Only persons assigned specific
responsibilities can perform those duties.
© The Institute of Chartered Accountants of India
a 6.14 AUDITING AND ETHICS
(c) It is necessary that audit programme be suitably updated or notes are
given in working papers to this effect so that planned duties are in
accordance with actual work performance.
(d) Changes in audit programme or notes clarifying the matter are required
only when a person not forming part of engagement team is deputed to
perform a duty. Otherwise, this issue of inter-shuffling of team members
is frivolous.
(2) As regards materiality, which of the following statements is most appropriate
in context of audit documentation?
(a) Materiality has already been determined. There is no need to put it into
working papers.
(b) Materiality depends upon professional judgment of auditor. Whatever
amount has been determined can be documented in working papers.
(c) Materiality arrived on basis of professional judgment along with factors
considered in the determination has to be documented.
(d) Materiality has been arrived upon professional judgment. It also depends
upon professional judgment of auditor whether he wants to document it
or not.
(3) As regards team’s assessment that risk of material misstatements is low, which
of the following statements is odd one relating to documentation of risk?
(a) Discussion amongst engagement team members and detail of significant
decisions reached has to be documented.
(b) Details of risk assessment procedures have to be documented.
(c) Details about how understanding of each component of internal control
was obtained has to be documented.
(d) Precise calculation of risk of material misstatements has to be
documented.
(4) CA Shobhit is responsible for attending physical inventory count of the
company. Which of the following is not true in this regard relating to audit
documentation?
© The Institute of Chartered Accountants of India
AUDIT DOCUMENTATION 6.15 a
(a) Dates on which physical inventory count process was attended by him
should be documented. It may also include photographs of that date
showing his attendance of inventory counting process at a particular
location.
(b) Detail of test counting undertaken should form part of audit
documentation.
(c) Detail of obsolete goods found should form part of audit documentation.
(d) Reports showing that stocks conform to quality control standards in
accordance with law are essential part of audit documentation.
(5) As regards related party transactions, which of the following should not be part
of audit documentation?
(a) Management representation letter in this regard
(b) Related party transaction policy of the company
(c) Documentation to show that such transactions are at arm’s length basis
(d) Documentation to show that such transactions are at close length basis.
Answers to Questions involving case study
1. c 2. c 3. d 4. d 5. d
SUMMARY
SA 230 on “Audit Documentation”, deals with the auditor’s responsibility to
prepare audit documentation for an audit of financial statements.
Audit documentation refers to the record of audit procedures performed,
relevant audit evidence obtained, and conclusions the auditor reached. Terms
such as “working papers” or “work papers” are also sometimes used.
The objective of auditor is to prepare audit documentation that provides a
sufficient and appropriate record of the basis for auditor’s report and
evidence that audit was planned and performed in accordance with Standards
on Auditing and applicable legal and regulatory requirements.
The form, content and extent of audit documentation depend on number of
factors.
© The Institute of Chartered Accountants of India
a 6.16 AUDITING AND ETHICS
Audit documentation may be recorded on paper or on electronic or other
media.
The auditor shall prepare audit documentation on a timely basis. Preparing
sufficient and appropriate audit documentation on a timely basis helps to
enhance the quality of the audit and facilitates the effective review and
evaluation of the audit evidence obtained and conclusions reached before
the auditor’s report is finalized.
Audit file may be defined as one or more folders or other storage media, in
physical or electronic form, containing the records that comprise the audit
documentation for a specific engagement.
The auditor shall assemble the audit documentation in an audit file and
complete the administrative process of assembling the final audit file on a
timely basis after the date of the auditor’s report.
An appropriate time limit within which to complete the assembly of the final
audit file is ordinarily not more than 60 days after the date of the auditor’s
report. The completion of the assembly of the final audit file after the date of
the auditor’s report is an administrative process that does not involve the
performance of new audit procedures or the drawing of new conclusions.
After the assembly of the final audit file has been completed, the auditor shall
not delete or discard audit documentation of any nature before the end of its
retention period.
The retention period of documentation for audit engagements ordinarily is
no shorter than seven years from the date of the auditor’s report, or, if later,
the date of the group auditor’s report.
Unless otherwise specified by law or regulation, audit documentation is the
property of the auditor. He may at his discretion, make portions of, or extracts
from, audit documentation available to clients, provided such disclosure does
not undermine the validity of the work performed, or, in the case of assurance
engagements, the independence of the auditor or of his personnel.
© The Institute of Chartered Accountants of India
AUDIT DOCUMENTATION 6.17 a
TEST YOUR KNOWLEDGE
MCQs based Questions
(1) Which of the following statement is appropriately suited to preparation of audit
documentation?
(a) Audit documentation has to be prepared simultaneously as audit
progresses.
(b) Audit documentation has to be prepared 60 days after date of audit
report.
(c) Audit documentation has to be prepared when information is required by
regulator.
(d) Audit documentation has to be prepared 60 days after completion of
audit work.
(2) Audit documentation is owned by: -
(a) Client
(b) Auditor
(c) Team member responsible for documentation
(d) Regulator
(3) Which of the following is least likely to be included in audit documentation of
a company engaged in manufacturing and export of goods?
(a) Previous years audited financial statements
(b) Projected cash flow statement for next twelve months provided by
management in support of going concern assumption
(c) Statements showing dispatch of overseas consignments in accordance
with delivery schedules of overseas buyers
(d) Statement showing verification of ageing of trade receivables as on date
of balance sheet
© The Institute of Chartered Accountants of India
a 6.18 AUDITING AND ETHICS
(4) Which of the following is false in relation to audit documentation when an
external auditor relies upon work of internal auditor?
(a) Evaluation of objectivity and competence of internal auditor has to be
documented.
(b) Nature of work used and reason for relying upon work used forms part of
documentation.
(c) Documentation on whether quality control is exercised in internal audit
work forms part of audit documentation.
(d) Documentation on what specific recommendations were given by internal
auditor for risk assessment to external auditor forms part of audit
documentation.
Correct/Incorrect
State with reasons (in short) whether the following statements are correct
or incorrect:
(i) As per SA 230 on “Audit Documentation”, the working papers are not the property
of the auditor.
(ii) Mr. A is a statutory auditor of ABC Ltd. The branch of ABC Ltd. is audited by
Mr. B, another Chartered Accountant. Mr. A requests for the photocopies of the
audit documentation of Mr. B pertaining to the branch audit.
Theoretical Questions
1. The form, content and extent of audit documentation depends upon number of
factors. List out any four such factors.
2. Discuss any two purposes of audit documentation.
3. Define audit documentation. Also give some examples.
4. “Audit documentation summary may facilitate effective and efficient reviews
and inspections of the audit documentation, particularly for large and complex
audits”. Explain.
© The Institute of Chartered Accountants of India
AUDIT DOCUMENTATION 6.19 a
ANSWERS/ SOLUTIONS
Answers to the MCQs based Questions
1. a 2. b 3. c 4. d
Answers to Correct/Incorrect
(i) Incorrect: As per SA 230 on “Audit Documentation” the working papers are
the property of the auditor and the auditor has right to retain them. He may
at his discretion can make available working papers to his client. The auditor
should retain them long enough to meet the needs of his practice and legal
or professional requirement.
(ii) Incorrect: SA 230 issued by ICAI on Audit Documentation, and “Standard on
Quality Control (SQC) 1, provides that, unless otherwise specified by law or
regulation, audit documentation is the property of the auditor. He may at his
discretion, make portions of, or extracts from, audit documentation available
to clients, provided such disclosure does not undermine the validity of the
work performed, or, in the case of assurance engagements, the independence
of the auditor or of his personnel.
Answers to Theoretical Questions
1. Refer to heading “Form, content and extent of audit documentation”
2. Refer to heading “Purpose of audit documentation”
3. Audit Documentation refers to the record of audit procedures performed,
relevant audit evidence obtained, and conclusions the auditor reached. (terms
such as “working papers” or “work papers” are also sometimes used.)
Refer Heading – Examples of Audit Documentation
4. Refer Heading – Completion Memorandum or Audit Documentation
Summary
Answers to Questions involving Test your Understanding
(1) The auditor shall document discussions of significant matters with
management, those charged with governance, and others, including the
© The Institute of Chartered Accountants of India
a 6.20 AUDITING AND ETHICS
nature of the significant matters discussed and when and with whom the
discussions took place.
In the instant case, an important matter regarding treatment of interest costs
of company on its restructured loans taken from a bank directly impacting
profits of the company was discussed. Although issue was resolved, it is
necessary to document the same by including detail of the person with whom
discussions took place along with date.
(2) An appropriate time limit within which to complete the assembly of the final
audit file is ordinarily not more than 60 days after the date of the auditor’s
report.
Further, preparing sufficient and appropriate audit documentation on a
timely basis helps to enhance the quality of the audit and facilitates the
effective review and evaluation of the audit evidence obtained and
conclusions reached before the auditor’s report is finalized. Documentation
prepared after the audit work has been performed is likely to be less accurate
than documentation prepared at the time such work is performed.
In the given case, even after passage of more than six months, she has not
assembled audit file. Besides, she has put in some papers with current date
which is not permissible at all. It shows that part of audit documentation has
been prepared afterwards putting a question mark on quality of audit.
© The Institute of Chartered Accountants of India
© The Institute of Chartered Accountants of India
© The Institute of Chartered Accountants of India
CHAPTER a
11
ETHICS AND TERMS
OF AUDIT
ENGAGEMENTS
LEARNING OUTCOMES
After studying this chapter, you would be able to understand-
Meaning of “Ethics”
Need for Professional Ethics
Fundamental Principles of Professional Ethics
Independence of Auditors
Threats to Independence
Safeguards to Independence
Professional Skepticism
SA 210 Agreeing the Terms of Audit Engagement
About Preconditions for an Audit
Basic overview of SQC 1
Basic overview of SA 220
Practicality of above concepts using examples and case studies.
© The Institute of Chartered Accountants of India
a 11.2 AUDITING AND ETHICS
CHAPTER OVERVIEW
Independence
Independence AUDITOR'S
in
of MIND INDEPENDENCE
APPEARANCE
Self- Self-
Interest Review
Threats Threats
Threats
To
Independence
Intimidation Advocacy
Threats Threats
Familiarity
Threats
© The Institute of Chartered Accountants of India
ETHICS AND TERMS OF AUDIT ENGAGEMENTS 11.3
a
Human civilization is built upon ethics. We cannot think of our daily lives without
ethics. Think of any endeavour of human activity- be it imparting of education,
running a business, engaging in a profession or carrying out public administration
affairs- ethics have a role to play in every field. Ethics guide us and help in building
trust.
Consider the case of business. Can a company which does not take care of its
workforce or hear its customers achieve heights in its respective trade? A business
which dishes out substandard products instead of promised ones would not be
able to stay in market for too long. Or take the case of a lawyer who fails to attend
legal proceedings of a client without reasonable cause putting his client’s interests
in jeopardy. Is his conduct ethical? Ultimately, such unprofessional behaviour would
tarnish his reputation and credibility.
Sameer was trying to understand importance of ethics in profession of Chartered
Accountancy. He was wondering whether a code of ethics exists for Chartered
accountants and if so, how exhaustive it would be. Based upon his understanding
of auditing till now, he was certain that an auditor must comply with ethical
requirements while conducting audit of financial statements. He knew that auditor
should be a person of unimpeachable integrity. He gives opinion on financial
statements of entities and to maintain sanctity and credibility of his signatures, it is
necessary that an auditor should comply with ethics.
A parallel stream of thoughts was also gaining momentum in his mind. Should an
auditor follow only those requirements which have been clearly laid down in the
rule book? What about situations for which little has been laid down? Thinking
about “independence” of auditors, he seemed pretty sure that it was not possible
to codify every situation affecting independence of auditor. What approach should
auditor follow so that users continue to repose faith? Is there more than one
perspective of concept of “independence”? And most importantly, how should an
auditor proceed in a situation where he finds his “independence” on a sticky wicket
due to extraneous factors?
Performing professional work following ethics also leads to qualitative audits
conforming to professional standards. Are there any pronouncements on quality
control to be followed by Chartered Accountants? He was yearning to learn about
these.
© The Institute of Chartered Accountants of India
a 11.4 AUDITING AND ETHICS
1. MEANING OF ETHICS – A STATE OF MIND
The term “Ethics” means moral principles which govern a person’s behaviour or his
conducting of an activity. It is the branch of knowledge that deals with moral
principles. Ethics is something which comes from an individual intrinsically. It has
to be inculcated in the habit and temperament of an individual, so that there is an
overall culture of ethics; the force has to be strong enough to withstand any selfish
motive or temptation. It is a state of mind to act and perform in accordance with
moral principles. Ethics is the science of morals in human conduct. Such moral
principles and rules of conduct impose obligations upon individuals.
2. NEED FOR PROFESSIONAL ETHICS
Professions like law, medicine have their code of ethics. Auditing profession is no
exception. Rather, in the profession of auditing, requirement of ethics is manifold.
It is due to the reason that society in general, governments, clients, taxing
authorities, employees, investors, the business and financial community in
particular, have reposed tremendous trust in services rendered by Chartered
Accountants.
The purpose of assurance engagements is to enhance confidence of the intended
users. Therefore, users need to trust the person who is providing such services.
Professional ethics are based on morality. Human nature being what it is, a man,
often, places his personal gain above service. Therefore, persons who as individuals
and as a class, are willing to place public good above their personal gain have
enjoyed respect and honour. But such a relationship can be maintained or
enhanced only if the professional body to which they belong would interpret the
concept of public interest as broadly as possible. The respect and confidence
enjoyed by a profession, to a great extent, is dependent on the strictness and
scrupulousness with which such ethics are adhered to by self-discipline.
A distinguishing feature of the accountancy profession is its acceptance of the
responsibility to act in the public interest. Professional ethics seek to protect the
interests of the profession as a whole and act as a shield that enables us to
command respect.
A Chartered Accountant, either in practice or in service, has to abide by ethical
behaviours. They are expected to follow the fundamental principles of professional
© The Institute of Chartered Accountants of India
ETHICS AND TERMS OF AUDIT ENGAGEMENTS 11.5
a
ethics while performing their duties. Service users of professionals should be able
to feel secure that there exists a framework of professional ethics which governs
the provision of those services.
It is in this spirit of things that the Institute of Chartered Accountants of India (ICAI)
requires its members to comply with the principles of ethics while performing their
duties. The ethics for Chartered Accountants have, therefore, been codified as
ethical compliance has always been a philosophy of the profession. Chartered
accountants, whether in practice or in service, are required to comply with the
provisions of Code of Ethics.
Any deviation from the ethical responsibilities brings the disciplinary mechanism
into action against the Chartered Accountants which may result into fines,
suspension of membership, removal from membership or other disciplinary actions.
3. PRINCIPLES BASED APPROACH VS RULES
BASED APPROACH TO ETHICS (ETHICAL OR
LEGAL)
Ethical guidance may follow principles-based approach or rules-based approach.
The essence of principles-based approach to ethics is that it requires compliance
with spirit of ethics. It requires accountants to exercise professional judgment in
every situation based upon their professional knowledge, skill and expertise. It
requires that accountants should use professional judgment to evaluate every
situation to arrive at conclusions.
However, rules-based approach to ethics strictly follows clearly established rules. It
may lead to a narrow outlook and spirit of ethics may be overlooked while strictly
adhering to rules. Further, rules- based approach is somewhat rigid as it may not
be possible to deal with every practical situation relying upon rules.
Therefore, it is necessary that spirit of code is followed.
4. FUNDAMENTAL PRINCIPLES OF PROFESSIONAL
ETHICS
The fundamental principles of ethics establish the standard of behaviour expected
© The Institute of Chartered Accountants of India
a 11.6 AUDITING AND ETHICS
of a professional accountant. A professional accountant shall comply with each of
the fundamental principles. The fundamental principles of professional ethics are
as under: -
Integrity
Objectivity
Professional
competence and
due care
Confidentiality
Professional
Behaviour
1. Integrity
A professional accountant shall comply with the principle of integrity, which
requires an accountant to be straightforward and honest in all professional
and business relationships. Integrity implies fair dealing and truthfulness.
A professional accountant shall not knowingly be associated with reports,
returns, communications or other information where the accountant believes
that the information contains a materially false or misleading statement;
contains statements or information provided negligently or omits or obscures
required information where such omission or obscurity would be misleading.
2. Objectivity
The principle of objectivity requires an auditor not to compromise
professional judgment because of bias, conflict of interest or undue influence
of others.
© The Institute of Chartered Accountants of India
ETHICS AND TERMS OF AUDIT ENGAGEMENTS 11.7
a
It requires that a professional accountant shall not undertake a professional
activity if a circumstance or relationship unduly influences the accountant’s
professional judgment regarding that activity.
3. Professional competence and due care
A professional accountant shall comply with the principle of professional
competence and due care, which requires an accountant to attain and
maintain professional knowledge and skill at the level required to ensure that
a client or employing organization receives competent professional service,
based on current technical and professional standards and relevant
legislation; and act diligently and in accordance with applicable technical and
professional standards.
Diligence includes responsibility to act carefully, thoroughly and on a timely
basis in accordance with requirements of an assignment.
4. Confidentiality
Confidentiality principle requires a professional accountant to respect the
confidentiality of information acquired as a result of professional or business
relationships. Confidentiality serves the public interest because it facilitates
the free flow of information from the professional accountant’s client or
employing organization to the accountant with the understanding that the
information will not be disclosed to a third party.
However, such confidential information may be disclosed, for example, when
it is required by law, when it is permitted by law and is authorised by the
client or employer or there is a professional duty or right to disclose when
not prohibited by law.
5. Professional Behaviour
It requires an accountant to comply with relevant laws and regulations and
avoid any conduct that the accountant knows or should know might discredit
the profession. A professional accountant shall not knowingly engage in any
employment, occupation or activity that impairs or might impair the integrity,
objectivity or good reputation of the profession, and as a result would be
incompatible with the fundamental principles.
© The Institute of Chartered Accountants of India
a 11.8 AUDITING AND ETHICS
Test Your Understanding 1
CA P. Suryakantam has conducted audit of accounts of an entity for a particular
year. ICAI has issued a letter to him relating to certain matters concerning audit. He
didn’t even bother to reply to the letter despite reminders. Discuss which
fundamental principle governing professional ethics is disregarded by him.
Test Your Understanding 2
A Chartered accountant in practice issued a certificate showing original cost of
plant and machinery installed in premises of a client for Rs. 9 crores to save some
regulatory fees for his client. However, original cost of plant and machinery was
Rs.15 crore as per records of client. Which fundamental principle governing
professional ethics is violated in this case?
5. INDEPENDENCE OF AUDITORS
Professional integrity and independence are essential characteristics of all the
professions but are more so in the case of accountancy profession. Independence
implies that the judgement of a person is not subordinate to the wishes or direction
of another person who might have engaged him, or to his own self-interest.
It is not possible to define “independence” precisely. Rules of professional conduct
dealing with independence are framed primarily with a certain objective. The rules,
by themselves, cannot create or ensure the existence of independence.
Independence is a condition of mind as well as personal character and should not
be confused with the superficial and visible standards of independence which are
sometimes imposed by law. These legal standards may be relaxed or strengthened
but the quality of independence remains unaltered.
There are two interlinked perspectives of independence of auditors, one,
independence of mind and two, independence in appearance.
Independence is:
(a) Independence of mind – the state of mind that permits the provision of an
opinion without being affected by influences that compromise professional
judgment, allowing an individual to act with integrity, and exercise objectivity
and professional skepticism; and
© The Institute of Chartered Accountants of India
ETHICS AND TERMS OF AUDIT ENGAGEMENTS 11.9
a
(b) Independence in appearance – the avoidance of facts and circumstances
that are so significant that a reasonable and informed third party, having
knowledge of all relevant information, including any safeguards applied,
would reasonably conclude a firm’s, or a member of the assurance team’s,
integrity, objectivity or professional skepticism had been compromised.
Independence of the auditor has not only to exist in fact, but also appear to
so exist to all reasonable persons. The relationship between the auditor and
his client should be such that firstly, he is himself satisfied about his
independence and secondly, no unbiased person would be forced to the
conclusion that, on an objective assessment of the circumstances, there is
likely to be an abridgement of the auditors’ independence.
Independence of an auditor assumes significance in context of providing
confidence to users of financial statements. As statutory auditor of a listed
company, for example, the Chartered Accountant would cease to perform any
useful function if the persons who rely upon the accounts of the company do
not have any faith in the independence and integrity of the Chartered
Accountant. In such cases, he is expected to be objective in his approach,
fearless, and capable of expressing an honest opinion based upon the
performance of work such as his training and experience enables him to do
so.
Independence is dependent on the state of mind and character of a person and
is a very subjective matter. One person might be independent in a particular set
of circumstances, while another person might feel he is not independent in
similar circumstances. It is therefore the duty of every Chartered Accountant to
determine for himself whether or not he can act independently in the given
circumstances of a case and quite apart from legal rules, in no case to place
himself in a position which would compromise his independence.
6. THREATS TO INDEPENDENCE
Many different circumstances, or combination of circumstances, may be relevant
and accordingly it is impossible to define every situation that creates threats to
independence and specify the appropriate mitigating action that should be taken.
In addition, the nature of assurance engagements may differ and consequently
different threats may exist requiring the application of different safeguards.
© The Institute of Chartered Accountants of India
a 11.10 AUDITING AND ETHICS
Following five types of threats to independence of auditors are discussed
below: -
1. Self-interest threats
Self-interest threats occur when an auditing firm, its partner or associate
could benefit from a financial interest in an audit client. Examples include
(i) direct financial interest or materially significant indirect financial interest in
a client
(ii) loan or guarantee to or from the concerned client
(iii) undue dependence on a client’s fees and, hence, concerns about losing
the engagement
(iv) close business relationship with an audit client
(v) potential employment with the client and
(vi) contingent fees for the audit engagement
2. Self-review threats
Self-review threats occur when during a review of any judgement or
conclusion reached in a previous audit or non-audit engagement, or when a
member of the audit team was previously a director or senior employee of
the client. Non audit services include any professional services provided to an
entity by an auditor, other than audit or review of the financial statements.
These include management services, internal audit, investment advisory
service etc. Instances where such threats come into play are: -
(i) when an auditor having recently been a director or senior officer of the
company.
(ii) when auditors perform services that are themselves subject matters of
audit.
3. Advocacy threats
Advocacy threats occur when the auditor promotes, or is perceived to
promote, a client’s opinion to a point where people may believe that
objectivity is getting compromised, e.g., when an auditor deals with shares or
securities of the audited company, or becomes the client’s advocate in
litigation and third party disputes. In such situations, auditor can be perceived
© The Institute of Chartered Accountants of India
ETHICS AND TERMS OF AUDIT ENGAGEMENTS 11.11
a
as backing and championing causes of auditee client and it may lead to belief
that auditor is not acting and working objectively.
4. Familiarity threats
Familiarity threats are self-evident, and occur when auditors form
relationships with the client where they end up being too sympathetic to the
client’s interests. This can occur in many ways including:
(i) close relative of the audit team working in a senior position in the client
company
(ii) former partner of the audit firm being a director or senior employee of the
client
(iii) long association between specific auditors and their specific client
counterparts and
(iv) acceptance of significant gifts or hospitality from the client company, its
directors or employees.
Provisions in Companies Act, 2013 regarding rotation of auditors mainly
address these very familiarity threats. Such provisions prescribe that auditor
is rotated after a certain number of years so that auditors do not become too
familiar with their clients.
5. Intimidation threats
Intimidation threats occur when auditors are deterred from acting objectively
with an adequate degree of professional skepticism. Basically, these could
happen because of threat of replacement over disagreements with the
application of accounting principles, or pressure to disproportionately reduce
work in response to reduced audit fees or being threatened with litigation.
Such threats attempt to intimidate auditors to deter them from acting
objectively.
7. SAFEGUARDS TO INDEPENDENCE
Chartered Accountants have a responsibility to remain independent by taking into
account the context in which they practice, the threats to independence and the
safeguards available to address the threats.
Safeguards are actions, individually or in combination, that the professional
© The Institute of Chartered Accountants of India
a 11.12 AUDITING AND ETHICS
accountant takes that effectively reduce threats to comply with the fundamental
principles to an acceptable level.
To address the issue, the following guiding principles are to be applied: -
• For the public to have confidence in the quality of audit, it is essential that
auditors should always be and appears to be independent of the entities that
they are auditing.
• Before taking on any work, an auditor must conscientiously consider whether it
involves threats to his independence.
• When such threats exist, the auditor should either desist from the task or
eliminate the threat or at the very least, put in place safeguards which reduce
the threats to an acceptable level. All such safeguards measures need to be
recorded in a form that can serve as evidence of compliance with due process.
• If the auditor is unable to fully implement credible and adequate safeguards,
then he must not accept the work.
8. PROFESSIONAL SKEPTICISM
Professional skepticism refers to an attitude that includes a questioning mind,
being alert to conditions which may indicate possible misstatement due to error or
fraud, and a critical assessment of audit evidence.
It signifies that auditor has to remain alert forever. The auditor’s attitude should be
of questioning mind- of challenging the things in light of available evidence.
The auditor shall plan and perform an audit with professional skepticism
recognising that circumstances may exist that cause the financial statements to be
materially misstated.
Professional skepticism includes being alert to, for example:
• Audit evidence that contradicts other audit evidence obtained.
• Information that brings into question the reliability of documents and responses
to inquiries to be used as audit evidence.
• Conditions that may indicate possible fraud.
• Circumstances that suggest the need for audit procedures in addition to those
required by the SAs.
© The Institute of Chartered Accountants of India
ETHICS AND TERMS OF AUDIT ENGAGEMENTS 11.13
a
Maintaining professional skepticism throughout the audit is necessary if the
auditor is to reduce the risks of:
• Overlooking unusual circumstances.
• Over generalising when drawing conclusions from audit observations.
• Using inappropriate assumptions in determining the nature, timing, and extent
of the audit procedures and evaluating the results thereof.
Professional skepticism is necessary to the critical assessment of audit evidence. It
also includes consideration of the sufficiency and appropriateness of audit evidence
obtained in the light of the circumstances, for example in the case where fraud risk
factors exist and a single document, of a nature that is susceptible to fraud, is the
sole supporting evidence for a material financial statement amount. The auditor
may accept records and documents as genuine unless the auditor has reason to
believe the contrary.
Nevertheless, the auditor is required to consider the reliability of information to be
used as audit evidence. In cases of doubt about the reliability of information or
indications of possible fraud, the SAs require that the auditor investigate further
and determine what modifications or additions to audit procedures are necessary
to resolve the matter.
The auditor cannot be expected to disregard past experience of the honesty and
integrity of the entity’s management and those charged with governance.
Nevertheless, a belief that management and those charged with governance are
honest and have integrity does not relieve the auditor of the need to maintain
professional skepticism.
Test Your Understanding 3
CA Raman Gupta is offered appointment as auditor of a company. One of his distant
uncles held some shares in the same company. Holding of such shares, by a distant
relative, is not prohibited under provisions of law nor does it affect his
independence. Before he could accept appointment, he received unfortunate news
of death of his uncle who had died without any children. He came to know that he
was nominee of these shares having substantial value. It landed him in a tricky
situation. What should be proper course of action for him?
© The Institute of Chartered Accountants of India
a 11.14 AUDITING AND ETHICS
Test Your Understanding 4
A Chartered accountant receives about 40% of his total audit fees from a single
client. Discuss how it could affect independence of Chartered accountant as
auditor of this client. What are such types of threats referred to as?
Test Your Understanding 5
CA Murli Madhavan provides accounting and book keeping services to a leading
NGO engaged in environmental protection work. He is also offered audit of the
accounts of NGO. Identify and discuss what kind of threat to independence may be
involved in accepting such an engagement.
Test Your Understanding 6
The auditors of a company have only relied upon management representation
letter regarding treatment of certain tax matters under appeal by the company. The
auditors have not carried out any other audit procedures to justify management’s
treatment of the said tax matters under appeal in the financial statements. What is
lacking on part of auditors in such a situation?
AUDIT ENGAGEMENT AND TERMS OF AUDIT ENGAGEMENT
An audit engagement involves engaging an auditor by a client for audit of its
financial statements. Audit engagement terms can include matters such as
objective and scope of audit of financial statements, responsibilities of auditor,
responsibilities of management, identification of applicable financial reporting
framework for preparation of financial statements and reference to expected form
and contents of report to be issued by auditor.
9. AGREEING THE TERMS OF AUDIT
ENGAGEMENTS
SA 210 deals with the auditor’s responsibilities in agreeing the terms of the audit
engagement with management and, where appropriate, those charged with
governance. This includes establishing that certain preconditions for an audit,
responsibility for which rests with management and, where appropriate, those
© The Institute of Chartered Accountants of India
ETHICS AND TERMS OF AUDIT ENGAGEMENTS 11.15
a
charged with governance, are present.
The objective of the auditor is to accept or continue an audit engagement only
when the basis upon which it is to be performed has been agreed, through:
(A) Establishing whether the preconditions for an audit are present and
(B) Confirming that there is a common understanding between the auditor and
management and, where appropriate, those charged with governance of the
terms of the audit engagement.
9A Preconditions for an audit
As per SA 210 “Agreeing the Terms of Audit Engagements”, preconditions for
an audit may be defined as the use by management of an acceptable financial
reporting framework in the preparation of the financial statements and the
agreement of management and, where appropriate, those charged with
governance to the premise on which an audit is conducted.
Preconditions for an audit
Use by management and the agreement of
in the preparation of
of an acceptable management to the
the financial
financial reporting premise on which an
statements
framework audit is conducted
In order to establish whether the preconditions for an audit are present, the
auditor shall:
(a) Determine whether the financial reporting framework is acceptable and
(b) Obtain the agreement of management that it acknowledges and understands
its responsibility:
(i) For the preparation of the financial statements in accordance with the
applicable financial reporting framework including where relevant their
fair representation;
© The Institute of Chartered Accountants of India
a 11.16 AUDITING AND ETHICS
(ii) For such internal control as management considers necessary to enable
the preparation of financial statements that are free from material
misstatement, whether due to fraud or error; and
(iii) To provide the auditor with:
➢ Access to all information of which management is aware that is
relevant to the preparation of the financial statements such as
records, documentation and other matters;
➢ Additional information that the auditor may request from
management for the purpose of the audit; and
➢ Unrestricted access to persons within the entity from whom the
auditor determines it necessary to obtain audit evidence.
9B. Agreement on audit engagement terms
Except in the cases where it is required under law to get accounts audited (for
example in case of companies), audit is a matter of contract between auditor and
client. It is, therefore, important, both for the auditor and client, that each party
should be clear about the nature of the engagement. It must be reduced to writing
and should exactly specify the scope of the work.
The auditor shall agree the terms of the audit engagement with management or
those charged with governance, as appropriate. The agreed terms of the audit
engagement shall be recorded in an audit engagement letter or other suitable form
of written agreement.
The audit engagement letter is sent by the auditor to his client. It is in the interest
of both the auditor and the client to issue an engagement letter so that the
possibility of misunderstanding is reduced to a great extent. Such a letter includes:-
(a) The objective and scope of the audit of the financial statements
(b) The responsibilities of the auditor
(c) The responsibilities of management
(d) Identification of the applicable financial reporting framework for the
preparation of the financial statements and
© The Institute of Chartered Accountants of India
ETHICS AND TERMS OF AUDIT ENGAGEMENTS 11.17
a
(e) Reference to the expected form and content of any reports to be issued by
the auditor and a statement that there may be circumstances in which a
report may differ from its expected form and content.
If law or regulation prescribes in sufficient detail the terms of the audit
engagement, the auditor need not record them in a written agreement, except for
the fact that such law or regulation applies and that management acknowledges
and understands its responsibilities.
10. EXAMPLE OF AN ENGAGEMENT LETTER
Given below is example of an engagement letter: -
PJ Shrimali & Co. 24, MG Road,
Chartered Accountants Mumbai
10th August XXXX
To the Board of Directors of Pristine Products Limited
The objective and scope of the audit
You have requested that we audit the financial statements of Pristine Products
Limited, which comprise the Balance Sheet as at March 31st, 20XX, the Statement
of Profit & Loss, Cash Flow Statement for the year then ended, and notes to the
financial statements, including a summary of significant accounting policies and
other explanatory information.
We are pleased to confirm our acceptance and our understanding of this audit
engagement by means of this letter. The objectives of our audit are to obtain
reasonable assurance about whether the financial statements as a whole are free
from material misstatement, whether due to fraud or error, and to issue an
auditor’s report that includes our opinion. Reasonable assurance is a high level of
assurance, but is not a guarantee that an audit conducted in accordance with
Standards on Auditing (SAs) will always detect a material misstatement when it
exists. Misstatements can arise from fraud or error and are considered material if,
individually or in the aggregate, they could reasonably be expected to influence
the economic decisions of users taken on the basis of these financial statements.
© The Institute of Chartered Accountants of India
a 11.18 AUDITING AND ETHICS
The responsibilities of the auditor
We will conduct our audit in accordance with Standards on Auditing (SAs) issued
by the Institute of Chartered Accountants of India (ICAI). Those Standards require
that we comply with ethical requirements. As part of an audit in accordance with
SAs, we exercise professional judgment and maintain professional skepticism
throughout the audit. We also:
• Identify and assess the risks of material misstatement of the financial
statements, whether due to fraud or error, design and perform audit
procedures responsive to those risks, and obtain audit evidence that is
sufficient and appropriate to provide a basis for our opinion. The risk of not
detecting a material misstatement resulting from fraud is higher than for
one resulting from error, as fraud may involve collusion, forgery, intentional
omissions, misrepresentations, or the override of internal control.
• Obtain an understanding of internal control relevant to the audit in order
to design audit procedures that are appropriate in the circumstances but
not for the purpose of expressing an opinion on the effectiveness of the
company’s internal control. However, we will communicate to you in writing
concerning any significant deficiencies in internal control relevant to the
audit of the financial statements that we have identified during the audit.
• Evaluate the appropriateness of accounting policies used and the
reasonableness of accounting estimates and related disclosures made by
management.
• Conclude on the appropriateness of management’s use of the going
concern basis of accounting and, based on the audit evidence obtained,
whether a material uncertainty exists related to events or conditions that
may cast significant doubt on the company’s ability to continue as a going
concern. If we conclude that a material uncertainty exists, we are required
to draw attention in our auditor’s report to the related disclosures in the
financial statements or, if such disclosures are inadequate, to modify our
opinion. Our conclusions are based on the audit evidence obtained up to
the date of our auditor’s report. However, future events or conditions may
cause the company to cease to continue as a going concern.
© The Institute of Chartered Accountants of India
ETHICS AND TERMS OF AUDIT ENGAGEMENTS 11.19
a
• Evaluate the overall presentation, structure and content of the financial
statements, including the disclosures, and whether the financial statements
represent the underlying transactions and events in a manner that achieves
fair presentation.
Because of the inherent limitations of an audit, together with the inherent
limitations of internal control, there is an unavoidable risk that some material
misstatements may not be detected, even though the audit is properly planned
and performed in accordance with SAs.
The responsibilities of management
Our audit will be conducted on the basis that management and, where
appropriate, those charged with governance acknowledge and understand that
they have responsibility:
(a) For the preparation of financial statements that give a true and fair view in
accordance with the financial reporting Standards. This includes:
• The responsibility for the preparation of financial statements on a
going concern basis.
• The responsibility for selection and consistent application of
appropriate accounting policies, including implementation of
applicable accounting standards along with proper explanation
relating to any material departures from those accounting standards.
• The responsibility for making judgements and estimates that are
reasonable and prudent so as to give a true and fair view of the state
of affairs of the entity at the end of the financial year and of the profit
or loss of the entity for that period.
(b) For such internal control as management determines is necessary to enable
the preparation of financial statements that are free from material
misstatement, whether due to fraud or error and
(c) To provide us with:
(i) Access, at all times, to all information, including the books, accounts,
vouchers and other records and documentation, of the company,
whether kept at the head office of the company or elsewhere, of which
management is aware that is relevant to the preparation of the financial
statements such as records, documentation and other matters,
© The Institute of Chartered Accountants of India
a 11.20 AUDITING AND ETHICS
(ii) Additional information that we may request from management for the
purpose of the audit and
(iii) Unrestricted access to persons within the entity from whom we
determine it necessary to obtain audit evidence. This includes our
entitlement to require from the officers of the company such
information and explanations as we may think necessary for the
performance of our duties as auditor. As part of our audit process, we
will request from management and, where appropriate, those charged
with governance, written confirmation concerning representations
made to us in connection with the audit.
Fees
Our fees bill for ` XXXXXX (plus applicable taxes) and out of pocket expenses will
be raised after completion of audit work.
Reporting
We will report to the members of Pristine Products Limited as a body, whether in
our opinion, the financial statements give the information required by the
Companies Act, 2013 in the manner so required and give a true and fair view in
conformity with the accounting principles generally accepted in India, of the state
of affairs of the company as at March 31, 20XX, and its profit/loss, and its cash
flows for the year ended on that date. The form and content of our report may
need to be amended in the light of our audit findings.
Please sign and return the attached copy of this letter to indicate your
acknowledgement of, and agreement with, the arrangements for our audit of the
financial statements including our respective responsibilities.
For PJ Shrimali & Co.
Chartered Accountants
Firm’s Registration Number
(Signature)
(Name of the Member)
(Designation)
© The Institute of Chartered Accountants of India
ETHICS AND TERMS OF AUDIT ENGAGEMENTS 11.21
a
11. WHAT HAPPENS IF PRECONDITIONS FOR
AN AUDIT ARE NOT PRESENT?
If the preconditions for an audit are not present, the auditor shall discuss the matter
with management. Unless required by law or regulation to do so, the auditor shall
not accept the proposed audit engagement: -
(a) If the auditor has determined that the financial reporting framework to be
applied in the preparation of the financial statements is unacceptable or
(b) If the agreement of management is not obtained on matters relating to
understanding of responsibility of management on preparation of financial
statements, internal controls for preparation of financial statements,
providing access to all information to auditor and unrestricted access to
persons within the entity.
12. LIMITATION ON SCOPE PRIOR TO AUDIT
ENGAGEMENT ACCEPTANCE
If management or those charged with governance impose a limitation on the scope
of the auditor’s work in the terms of a proposed audit engagement such that the
auditor believes the limitation will result in the auditor disclaiming an opinion on
the financial statements, the auditor shall not accept such a limited engagement as
an audit engagement, unless required by law or regulation to do so.
13. ACCEPTANCE OF A CHANGE IN THE TERMS
OF THE AUDIT ENGAGEMENT
The auditor shall not agree to a change in the terms of the audit engagement where
there is no reasonable justification for doing so.
13.1 Request from Entity to change the Terms of Audit
Engagement-When Reasonable Justification Exists?
A request from the entity for the auditor to change the terms of the audit
engagement may result from a change in circumstances affecting the need for the
© The Institute of Chartered Accountants of India
a 11.22 AUDITING AND ETHICS
service, a misunderstanding as to the nature of an audit as originally requested or
a restriction on the scope of the audit engagement, whether imposed by
management or caused by other circumstances. The auditor considers the
justification given for the request, particularly the implications of a restriction on
the scope of the audit engagement.
A change in circumstances that affects the entity’s requirements or a
misunderstanding concerning the nature of the service originally requested may be
considered a reasonable basis for requesting a change in the audit engagement.
In contrast, a change may not be considered reasonable if it appears that the change
relates to information that is incorrect, incomplete or otherwise unsatisfactory.
An example might be where the auditor is unable to obtain sufficient appropriate
audit evidence regarding receivables and the entity asks for the audit engagement
to be changed to a review engagement to avoid a qualified opinion or a disclaimer
of opinion.
13.2 What should auditor consider before agreeing to
change the audit engagement to the engagement
providing lower level of assurance?
If, prior to completing the audit engagement, the auditor is requested to change
the audit engagement to an engagement that conveys a lower level of assurance,
the auditor shall determine whether there is reasonable justification for doing so.
Before agreeing to change an audit engagement to a review or a related service,
an auditor who was engaged to perform an audit in accordance with SAs may also
need to assess any legal or contractual implications of the change.
If the auditor concludes that there is reasonable justification to change the audit
engagement to a review or a related service, the audit work performed to the date
of change may be relevant to the changed engagement. However, the work
required to be performed and the report to be issued would be those appropriate
to the revised engagement. In order to avoid confusing the reader, the report on
the related service would not include reference to:
(a) The original audit engagement or
(b) Any procedures that may have been performed in the original audit
engagement, except where the audit engagement is changed to an
© The Institute of Chartered Accountants of India
ETHICS AND TERMS OF AUDIT ENGAGEMENTS 11.23
a
engagement to undertake agreed- upon procedures and thus reference to
the procedures performed is a normal part of the report.
If the terms of the audit engagement are changed, the auditor and management
shall agree on and record the new terms of the engagement in an engagement
letter or other suitable form of written agreement.
13.3 Recourse available to auditor in situation of non-
agreement to a change in terms of engagement and lack
of permission from management to continue original
audit engagement
If the auditor is unable to agree to a change of the terms of the audit engagement
and is not permitted by management to continue the original audit engagement,
the auditor shall:
(a) Withdraw from the audit engagement where possible under applicable law
or regulation and
(b) Determine whether there is any obligation, either contractual or otherwise, to
report the circumstances to other parties, such as those charged with
governance, owners or regulators.
14. TERMS OF ENGAGEMENT IN RECURRING
AUDITS
Recurring audit is an audit which is performed by an auditor over years. On
recurring audits, the auditor shall assess whether circumstances require the terms
of the audit engagement to be revised and whether there is a need to remind the
entity of the existing terms of the audit engagement.
The auditor may decide not to send a new audit engagement letter or other written
agreement each period. However, the following factors may make it appropriate to
revise the terms of the audit engagement or to remind the entity of existing terms:
(i) Any indication that the entity misunderstands the objective and scope of the
audit.
(ii) Any revised or special terms of the audit engagement.
© The Institute of Chartered Accountants of India
a 11.24 AUDITING AND ETHICS
(iii) A recent change of senior management.
(iv) A significant change in ownership.
(v) A significant change in nature or size of the entity’s business.
(vi) A change in legal or regulatory requirements.
(vii) A change in the financial reporting framework adopted in the preparation of
the financial statements.
(viii) A change in other reporting requirements.
Test Your Understanding 7
Chirag, as part of articled training, is part of an engagement team conducting audit
of a company. He has read somewhere that engagement letter issued by auditor to
client also includes expected form and content of the auditor’s report. He was at a
loss to understand how could an auditor include form and content of the report
beforehand. Try to help Chirag by making things clear to him.
Test Your Understanding 8
The management of an entity feels that it is not necessary for it to give in writing
explicitly to the auditor that it understands its responsibilities for preparation of
financial statements in accordance with applicable financial reporting framework.
Discuss, whether, it is necessary for the management to do so. In case management
refuses, why should an auditor not accept the proposed engagement?
15. AUDIT QUALITY
The purpose of an independent audit is to provide confidence to users of audited
financial statements. Therefore, high audit quality is essential to maintain
confidence in the independent assurance provided by the auditors. It is the
responsibility of auditor to maintain high audit quality.
SQC 1 and SA 220 both deal with quality control. Whereas SQC 1 deals with all
engagements including audits, reviews and other assurance and related service
engagements, SA 220 applies to audit engagements only.
Further, SQC 1 applies to entire firm. However, SA 220 applies to a particular audit
engagement.
© The Institute of Chartered Accountants of India
ETHICS AND TERMS OF AUDIT ENGAGEMENTS 11.25
a
16. SQC 1 – “QUALITY CONTROL FOR FIRMS
THAT PERFORM AUDITS AND REVIEWS OF
HISTORICAL FINANCIAL INFORMATION,
AND OTHER ASSURANCE AND RELATED
SERVICES ENGAGEMENTS”
SQC 1 requires that the firm should establish a system of quality control designed
to provide it with reasonable assurance that the firm and its personnel comply with
professional standards and regulatory and legal requirements and that reports
issued by the firm or engagement partners are appropriate in the circumstances.
Firm’s system of quality control should consist of policies designed to achieve these
objectives.
17. ELEMENTS OF SYSTEM OF QUALITY
CONTROL
The firm’s system of quality control should include policies and procedures
addressing each of the following elements: -
(A) Leadership responsibilities for quality within the firm
(B) Ethical requirements
(C) Acceptance and continuance of client relationships and specific engagements
(D) Human resources
(E) Engagement performance
(F) Monitoring
Quality control policies and procedures should be documented and communicated
to the firm’s personnel. By communicating, the firm recognizes the importance of
obtaining feedback on its quality control system from its personnel. Therefore, the
firm encourages its personnel to communicate their views or concerns on quality
control matters.
© The Institute of Chartered Accountants of India
a 11.26 AUDITING AND ETHICS
Elements of a System of Quality Control: The firm’s system of quality
control should include policies and procedures addressing each of the
following elements:
Leadership responsibilities for
quality within the firm.
Ethical requirements.
Acceptance and continuance of client
relationships and specific engagements.
Human resources.
Engagement performance.
Monitoring.
17A. Leadership responsibilities for quality within the firm
SQC 1 requires firms to establish policies and procedures designed to promote an
internal culture based on the recognition that quality is essential in performing
engagements. Such policies and procedures should require the firm’s chief
executive officer or the firm’s managing partners to assume ultimate responsibility
for the firm’s system of quality control. The example set by firm’s leadership
encourages an inner culture that recognizes high quality audit work. Further,
persons assigned operational responsibilities for the firm’s quality control system
by the firm’s chief executive officer or managing partners should have sufficient
and appropriate experience, ability and the necessary authority to assume that
responsibility.
17B. Ethical requirements
The firm should establish policies and procedures designed to provide it with
reasonable assurance that the firm and its personnel comply with relevant ethical
requirements contained in the Code of ethics issued by ICAI.
© The Institute of Chartered Accountants of India
ETHICS AND TERMS OF AUDIT ENGAGEMENTS 11.27
a
The Code establishes the fundamental principles of professional ethics which
include integrity, objectivity, professional competence and due care, confidentiality
and professional behaviour.
Observance of “Independence” in all engagements is the basic requirement. The
firm should establish policies and procedures designed to provide it with
reasonable assurance that the firm, its personnel and (including experts contracted
by the firm and network firm personnel) maintain independence where required by
the Code. Such policies and procedures should enable the firm to: -
(a) Communicate its independence requirements to its personnel
(b) Identify and evaluate circumstances and relationships that create threats to
independence, and to take appropriate action to eliminate those threats or
reduce them to an acceptable level by applying safeguards, or, if considered
appropriate, to withdraw from the engagement.
There should exist a mechanism in the firm by which engagement partners provide
the firm with relevant information about client engagements and personnel of firm
promptly notify firm of circumstances and relationships that create a threat to
independence. All breaches of independence should be promptly notified to firm
for appropriate action. Its objective is to ensure that independence requirements
are satisfied.
At least annually, the firm should obtain written confirmation of compliance with
its policies and procedures on independence from all firm personnel required to be
independent in terms of the requirements of the Code.
17C. Acceptance and Continuance of Client Relationships
and Specific Engagements
A firm before accepting an engagement should acquire vital information about the
client. Such an information should help firm to decide about: -
• Integrity of Client
• Competence (including capabilities, time and resources) to perform engagement
• Compliance with ethical requirements
The firm should obtain such information as it considers necessary in the
circumstances before accepting an engagement with a new client, when deciding
© The Institute of Chartered Accountants of India
a 11.28 AUDITING AND ETHICS
whether to continue an existing engagement, and when considering acceptance of
a new engagement with an existing client. Where issues have been identified, and
the firm decides to accept or continue the client relationship or a specific
engagement, it should document how the issues were resolved.
With regard to the integrity of a client, matters that the firm considers include, for
example:
• The identity and business reputation of the client’s principal owners, key
management, related parties and those charged with its governance.
• The nature of the client’s operations, including its business practices.
• Information concerning the attitude of the client’s principal owners, key
management and those charged with its governance towards such matters as
aggressive interpretation of accounting standards and the internal control
environment.
• Whether the client is aggressively concerned with maintaining the firm’s fees as
low as possible.
• Indications of an inappropriate limitation in the scope of work.
• Indications that the client might be involved in money laundering or other
criminal activities.
• The reasons for the proposed appointment of the firm and non-reappointment
of the previous firm.
If there is any conflict of interest between the firm and client, it should be properly
resolved before accepting the engagement. Where the firm obtains information
that would have caused it to decline an engagement if that information had been
obtainable earlier, policies and procedures on the continuance of the engagement
and the client relationship should include consideration of:
(a) The professional and legal responsibilities that apply to the circumstances,
including whether there is a requirement for the firm to report to the person
or persons who made the appointment or, in some cases, to regulatory
authorities; and
(b) The possibility of withdrawing from the engagement or from both the
engagement and the client relationship.
© The Institute of Chartered Accountants of India
ETHICS AND TERMS OF AUDIT ENGAGEMENTS 11.29
a
17D. Human resources
The firm should establish policies and procedures designed to provide it with
reasonable assurance that it has sufficient personnel with the capabilities,
competence, and commitment to ethical principles necessary to perform its
engagements in accordance with professional standards and regulatory and legal
requirements and to enable the firm or engagement partners to issue reports that
are appropriate in the circumstances. Such policies and procedures should address
relevant HR issues including recruitment, compensation, training, career
development, performance evaluation etc. There should be emphasis on the
continuing professional development of firm’s personnel.
17E. Engagement Performance
Consistency in quality of engagement performance is achieved through briefing of
engagement teams of their objectives, processes for complying with engagement
standards, processes of engagement supervision and training, methods of
reviewing performance of work, appropriate documentation of work performed.
Consultation should take place in difficult or contentious matters pertaining to an
engagement. Consultation includes discussion, at the appropriate professional
level, with individuals within or outside the firm who have specialized expertise, to
resolve a difficult or contentious matter.
A firm needing to consult externally, for example, a firm without appropriate
internal resources, may take advantage of advisory services provided by other firms
or professional and regulatory bodies.
Significant judgments made in an engagement should be reviewed by an
engagement quality control reviewer for taking an objective view before the report
is issued. The extent of the review depends on the complexity of the engagement
and the risk that the report might not be appropriate in the circumstances. The
review does not reduce the responsibilities of the engagement partner.
Engagement quality control review is mandatory for all audits of financial
statements of listed entities. In respect of other engagements, firm should devise
criteria to determine cases requiring performance of engagement quality control
review.
© The Institute of Chartered Accountants of India
a 11.30 AUDITING AND ETHICS
There might be difference of opinion within engagement team, with those
consulted and between engagement partner and engagement quality control
reviewer. The report should only be issued after resolution of such differences. In
case, recommendations of engagement quality control reviewer are not accepted
by engagement partner and matter is not resolved to reviewer’s satisfaction, the
matter should be resolved by following established procedures of firm like by
consulting with another practitioner or firm, or a professional or regulatory body.
Besides, the firm should establish policies and procedures for engagement teams
to complete the assembly of final engagement files on a timely basis after the
engagement reports have been finalized. The assembly of engagement files should
be completed in not more than 60 days after date of auditor’s report in case of
audit engagements and in other cases within the limits appropriate to
engagements.
Policies and procedures should be designed to maintain the confidentiality, safe
custody, integrity, accessibility and retrievability of engagement documentation.
Unless otherwise specified by law or regulation, engagement documentation is the
property of the firm. The firm may, at its discretion, make portions of, or extracts
from, engagement documentation available to clients, provided such disclosure
does not undermine the validity of the work performed, or, in the case of assurance
engagements, the independence of the firm or its personnel.
Engagement documentation has to be retained for a period of time sufficient to permit
those performing monitoring procedures to evaluate the firm’s compliance with its
system of quality control, or for a longer period if required by law or regulation.
In the specific case of audit engagements, the retention period ordinarily is no
shorter than seven years from the date of the auditor’s report, or, if later, the date
of the group auditor’s report.
17F. Monitoring
The firm should ensure that policies and procedures relating to the system of
quality control are relevant, adequate, operating effectively and complied with in
practice. Such policies and procedures should include an ongoing consideration
and evaluation of the firm’s system of quality control, including a periodic
inspection of a selection of completed engagements.
© The Institute of Chartered Accountants of India
ETHICS AND TERMS OF AUDIT ENGAGEMENTS 11.31
a
18. SA 220- “QUALITY CONTROL FOR AN AUDIT
OF FINANCIAL STATEMENTS”
Based upon quality control system of firm, quality control policies pertaining to
audit engagements are decided by engagement teams. Engagement partner of a
team is responsible for quality control procedures of a particular audit engagement
in accordance with SA 220.
Therefore, SA 220 is premised on the basis that the firm is subject to SQC 1. Within
the context of the firm’s system of quality control, engagement teams have a
responsibility to implement quality control procedures that are applicable to the
audit engagement and provide the firm with relevant information to enable the
functioning of that part of the firm’s system of quality control relating to
independence.
As per SA 220, the objective of the auditor is to implement quality control
procedures at the engagement level that provide the auditor with reasonable
assurance that: -
(a) The audit complies with professional standards and regulatory and legal
requirements and
(b) The auditor’s report issued is appropriate in the circumstances.
SA 220 is modelled on lines of SQC 1. It describes responsibilities of engagement
partner in relation to following matters: -
(A) Leadership responsibilities for quality on audits
(B) Relevant ethical requirements
(C) Acceptance and continuance of client relationships and audit engagements
(D) Assignment of engagement teams
(E) Engagement performance
(F) Monitoring
18A. Leadership responsibilities for quality on audits
Leadership responsibility of an engagement partner is to take responsibility for the
overall quality on each audit engagement. The actions of the engagement partner
© The Institute of Chartered Accountants of India
a 11.32 AUDITING AND ETHICS
and appropriate messages to the other members of the engagement team, in
taking responsibility for the overall quality on each audit engagement, emphasise
(a) The importance to audit quality of: -
(i) Performing work that complies with professional standards and
regulatory and legal requirements;
(ii) Complying with the firm’s quality control policies and procedures as
applicable;
(iii) Issuing auditor’s reports that are appropriate in the circumstances; and
(iv) The engagement team’s ability to raise concerns without fear of
reprisals.
(b) The fact that quality is essential in performing audit engagements.
18B. Relevant ethical requirements
The responsibilities of an engagement partner in relation to ethical requirements
in an audit engagement are as under: -
• Identifying a threat to independence regarding the audit engagement that
safeguards may not be able to eliminate or reduce to an acceptable level.
• Reporting by engagement partner to the relevant persons within the firm to
determine appropriate action, which may include eliminating the activity or
interest that creates the threat, or withdrawing from the audit engagement,
where withdrawal is legally permitted.
18C. Acceptance and Continuance of Client Relationships
and audit Engagements
The responsibility of an engagement partner in this regard in an audit engagement
is on lines of SQC 1 which requires the firm should obtain such information as it
considers necessary in the circumstances before accepting an engagement with a
new client, when deciding whether to continue an existing engagement, and when
considering acceptance of a new engagement with an existing client.
Information like integrity of principal owners, competence of engagement team
and consideration of necessary capabilities including time and resources,
compliance with relevant ethical requirements and significant matters arisen during
© The Institute of Chartered Accountants of India
ETHICS AND TERMS OF AUDIT ENGAGEMENTS 11.33
a
current or previous audit engagement and their implications assist the engagement
partner in determining whether the conclusions reached regarding the acceptance
and continuance of client relationships and audit engagements are appropriate.
18D. Assignment of engagement teams
It should be ensured by engagement partner that the engagement team and any
auditor’s experts who are not part of the engagement team, collectively have the
appropriate competence and capabilities to perform the engagement in
accordance with professional standards and regulatory and legal requirements.
18E. Engagement Performance
Engagement partner has the responsibility for direction, supervision and
performance of audit engagement in accordance with professional standards and
regulatory and legal requirements. He is responsible for auditor’s report being
appropriate in circumstances. Further, review of audit documentation before issue
of audit report is his responsibility. It has to be ensured that sufficient appropriate
audit evidence has been obtained to support the conclusions reached and for
issuance of auditor’s report.
Engagement partner is also responsible for ensuring undertaking appropriate
consultation on difficult or contentious matters by engagement team not only
within the team but also with others at appropriate level within or outside the firm.
For audits of financial statements of listed entities, and those other audit
engagements, if any, for which the firm has determined that an engagement quality
control review is required, the engagement partner shall:
(a) Determine that an engagement quality control reviewer has been appointed.
(b) Discuss significant matters arising during the audit engagement, including
those identified during the engagement quality control review, with the
engagement quality control reviewer.
(c) Not date the auditor’s report until the completion of the engagement quality
control review.
If differences of opinion arise within the engagement team, with those consulted
or, where applicable, between the engagement partner and the engagement
quality control reviewer, the engagement team shall follow the firm’s policies and
procedures for dealing with and resolving differences of opinion.
© The Institute of Chartered Accountants of India
a 11.34 AUDITING AND ETHICS
18F. Monitoring
An effective system of quality control includes a monitoring process designed to
provide the firm with reasonable assurance that its policies and procedures relating
to the system of quality control are relevant, adequate, and operating effectively.
The engagement partner shall consider the results of the firm’s monitoring process
as evidenced in the latest information circulated by the firm and, if applicable, other
network firms and whether deficiencies noted in that information may affect the
audit engagement.
The engagement partner should document following matters pertaining to an audit
engagement: -
(a) Issues identified with respect to compliance with relevant ethical
requirements and how they were resolved.
(b) Conclusions on compliance with independence requirements that apply to
the audit engagement, and any relevant discussions with the firm that
support these conclusions.
(c) Conclusions reached regarding the acceptance and continuance of client
relationships and audit engagements.
(d) The nature and scope of, and conclusions resulting from, consultations
undertaken during the course of the audit engagement.
Test Your Understanding 9
CA PK Nair is offered appointment as auditor of a company engaged in providing
tourism services. While making due diligence of the proposed client, he comes to
know that there have been raids on premises of the company and residences of its
directors by National Investigation Agency (NIA) on suspicion of links with terror
outfits. It has been followed up with searches by Enforcement Directorate hunting
for illicit money trail. There is a strong suspicion of tourism services provided by
company being façade of terror funds. Should proposed offer be accepted by him?
© The Institute of Chartered Accountants of India
ETHICS AND TERMS OF AUDIT ENGAGEMENTS 11.35
a
Test Your Understanding 10
CA Arpita has joined a mid-sized CA firm recently. She finds that partners remain
too busy and the firm is proposing to accept audit work in areas in which it has no
experience or capabilities. The firm is proposing to accept audit of some entities
engaged in emerging “fin-tech” sector. Such audits may be requiring extensive use
of technology and data analytics. However, the said firm has no such capabilities
and trained personnel. Discuss, whether, firm should accept such audits with
reason.
CASE STUDY
Das & Co, a firm of auditors, is offered appointment as auditor of a company, a
prospective new client. CA Sukanya, one of partners, is dealing with new client.
While meeting with officers of the company, she comes to know that Sushant, CFO
of the company, was her class mate. In fact, both of them had started CA together.
However, Sushant had left CA mid-way due to repeated failures and tried his luck
to pursue MBA (finance) from one of leading institutions.
During initial discussions, it transpires that company is going to launch new services
in the field of “weather-forecasting”. Such services would be available on web site
of company and micro weather information would be available on payment of
charges. The company requests audit firm to be visibly associated with their
marketing blitz.
Assume that firm choses to accept the offer and writes to previous auditor, Walker
& Co., to advise whether there exist any professional reasons for them not to accept
the proposed offer. However, Walker & Co. do not reply to the request of Das &
Co.
During preliminary discussions, it also became known that the said company has
acquired all shares of another company. Under relevant provisions of law, financial
statements of both companies needed to be consolidated and audited. Despite
this knowledge, Das & Co. failed to advise their client regarding audit of
consolidated financial statements.
The company also offers auditors contract for providing IT services pertaining to
information system of company.
© The Institute of Chartered Accountants of India
a 11.36 AUDITING AND ETHICS
Based on above, answer following questions:
1. Considering discussion about Sukanya and Sushant, which of the following
statements seems most appropriate?
(a) The above discussion is irrelevant in context of proposed offer.
(b) The proposed offer should be accepted by firm. The engagement team
may be headed by CA Sukanya for better coordination and results.
(c) The proposed offer should be accepted by firm. The engagement team
may be headed by a different partner of the firm.
(d) The matter is too trivial to be reported by CA Sukanya to other partners
of firm.
2. Keeping in view request of the company to be visibly associated with company’s
new services, identify which type of threat is being faced by audit firm.
(a) Self-interest threat
(b) Familiarity threat
(c) Self-review threat
(d) Advocacy threat
3. The previous auditors, Walker & Co., have not replied to communication of Das
& Co. Which fundamental principle of professional ethics is not followed by
them?
(a) Objectivity
(b) Professional behaviour
(c) Professional competence and due care
(d) Integrity
4. Das & Co. have failed to advise the company regarding audit of consolida ted
financial statements. Which fundamental principle of professional ethics is
violated by Das & Co.?
(a) Professional behaviour
(b) Integrity
(c) Objectivity
© The Institute of Chartered Accountants of India
ETHICS AND TERMS OF AUDIT ENGAGEMENTS 11.37
a
(d) Professional competence and due care
5. Which of the following statements is most appropriate regarding providing
offer of work of IT services by auditors to the company?
(a) Such offer may create a self-review threat.
(b) Such offer may create an advocacy threat.
(c) Such offer does not constitute any threat.
(d) Such offer may create self-review and advocacy threats.
Answer to Questions involving Case Study
1. c 2. d 3. b 4. d 5. a
SUMMARY
Fundamental principles of professional ethics include integrity, objectivity,
professional competence and due care, confidentiality and professional
behaviour.
Independence implies that the judgement of a person is not subordinate to
the wishes or direction of another person who might have engaged him, or
to his own self-interest.
There are two interlinked perspectives of independence of auditors, one,
independence of mind and two, independence in appearance.
Independence of the auditor has not only to exist in fact, but also appear to
so exist to all reasonable persons.
Threats to independence of auditors include self-interest threats, self-review
threats, advocacy threats, familiarity threats and intimidation threats.
Chartered Accountants have a responsibility to remain independent by taking
into account the context in which they practice, the threats to independence
and the safeguards available to address the threats.
When such threats exist, the auditor should either desist from the task or
eliminate the threat or at the very least, put in place safeguards which reduce
the threats to an acceptable level.
© The Institute of Chartered Accountants of India
a 11.38 AUDITING AND ETHICS
Professional skepticism refers to an attitude that includes a questioning mind,
being alert to conditions which may indicate possible misstatement due to
error or fraud, and a critical assessment of audit evidence.
Professional skepticism is necessary to the critical assessment of audit
evidence. It also includes consideration of the sufficiency and
appropriateness of audit evidence obtained in the light of the circumstances.
Before accepting or continuing an audit engagement, it is necessary for
auditor to establish that preconditions for an audit are present and
confirmation that there is a common understanding between the auditor and
management and, where appropriate, those charged with governance of the
terms of the audit engagement. SA 210 deals with the auditor’s
responsibilities in agreeing the terms of the audit engagement with
management.
Preconditions for an audit may be defined as the use by management of an
acceptable financial reporting framework in the preparation of the financial
statements and the agreement of management and, where appropriate, those
charged with governance to the premise on which an audit is conducted.
The agreed terms of the audit engagement shall be recorded in an audit
engagement letter or other suitable form of written agreement.
The audit engagement letter is sent by the auditor to his client. It is in the
interest of both the auditor and the client to issue an engagement letter so
that the possibility of misunderstanding is reduced to a great extent.
The auditor shall not agree to a change in the terms of the audit engagement
where there is no reasonable justification for doing so.
If the auditor is unable to agree to a change of the terms of the audit
engagement and is not permitted by management to continue the original
audit engagement, the auditor shall withdraw from the audit engagement
where possible under applicable law or regulation and determine whether
there is any obligation, either contractual or otherwise, to report the
circumstances to other parties, such as those charged with governance,
owners or regulators.
© The Institute of Chartered Accountants of India
ETHICS AND TERMS OF AUDIT ENGAGEMENTS 11.39
a
High audit quality is essential to maintain confidence in the independent
assurance provided by the auditors. It is the responsibility of auditor to
maintain high audit quality.
SQC 1 and SA 220 both deal with quality control. Whereas SQC 1 deals with
all engagements including audits, reviews and other assurance and related
service engagements, SA 220 applies to audit engagements only. SQC 1
applies to entire firm. However, SA 220 applies to a particular audit
engagement.
SQC 1 requires that the firm should establish a system of quality control
designed to provide it with reasonable assurance that the firm and its
personnel comply with professional standards and regulatory and legal
requirements and that reports issued by the firm or engagement partners are
appropriate in the circumstances.
TEST YOUR KNOWLEDGE
MCQs based Questions
(1) Identify the most appropriate statement: -
(a) SA 220 applies at the level of firm.
(b) SQC 1 is premised on the basis that firm is subject to SA 220.
(c) SA 220 is premised on the basis that firm is subject to SQC 1.
(d) SA 220 applies to all engagements.
(2) Professional skepticism includes-
(a) Overlooking unusual circumstances.
(b) Using inappropriate assumptions in determining extent of audit
procedures.
(c) Over generalising when drawing conclusions from audit observations.
(d) Being vigilant to conditions that might indicate possibilities of fraud.
© The Institute of Chartered Accountants of India
a 11.40 AUDITING AND ETHICS
(3) Which of the following is not a fundamental principle governing professional
ethics?
(a) Professional competence and due care
(b) Integrity
(c) Objectivity
(d) Safeguards to independence
(4) Which of the following is not necessary to establish preconditions for an audit?
(a) Acceptability of financial reporting framework.
(b) Acknowledgment of cooperation from management in designing audit
procedures.
(c) Acknowledgment from management of providing access to persons
within company.
(d) Acknowledgment of management in understanding its responsibility for
preparation of financial statements.
(5) Identify the most appropriate statement in context of SQC 1.
(a) Assembly of engagement files should be completed in not more than 60
days after date of auditor’s report in case of audit engagements.
(b) Engagement files should be completed before date of auditor’s report in
case of audit engagements.
(c) Engagement files should be completed in not more than 60 days after
completion of an engagement.
(d) Engagement files should be completed on date on which audit report is
signed in case of audit engagements.
Correct /Incorrect
State with reasons (in short) whether the following statements are
correct or incorrect:
(i) The audit engagement letter is sent by the client to auditor.
© The Institute of Chartered Accountants of India
ETHICS AND TERMS OF AUDIT ENGAGEMENTS 11.41
a
(ii) The Audit Engagement documentations should ordinarily be retained by the
auditor for minimum of six years from the date of the auditor's report or the
date of the group auditor's report, whichever is later.
Theoretical Questions
(1) Briefly outline how principles-based approach differs from rules-based
approach to ethics.
(2) How application of professional skepticism throughout audit is helpful in
reducing audit risk?
(3) A Chartered accountant is conducting audit of a client for last two years. Before
proceeding to start audit for next year, he notices that there is substantial
change in management. Besides, client has ventured into areas of business
activity which were not present at time of accepting initial audit engagement.
Discuss responsibility of auditor in this regard in context of SA 210.
(4) How does SQC 1 ensure that independence in engagements is not breached by
an audit firm?
(5) An engagement partner takes overall responsibility for maintaining audit
quality in an audit engagement in accordance with SA 220. What are his
objectives in taking and emphasizing such responsibility?
ANSWERS/SOLUTIONS
Answers to the MCQs based Questions
1. c 2. d 3. d 4. b 5. a
Answers to Correct/Incorrect
(i) Incorrect: As per SA 210 “Agreeing the Terms of Audit Engagements”, the
Audit engagement letter is sent by the auditor to his client.
(ii) Incorrect: SQC 1 requires firms to establish policies and procedures for the
retention of engagement documentation. The retention period for audit
engagements ordinarily is no shorter than seven years from the date of the
auditor’s report, or, if later, the date of the group auditor’s report.
© The Institute of Chartered Accountants of India
a 11.42 AUDITING AND ETHICS
Answers to Theoretical Questions
1. Refer to topic on principles-based approach vs. rules- based approach to
ethics.
2. Refer to topic on “Professional Skepticism”.
3. Refer to heading “terms of engagement in recurring audits”.
4. Refer to heading of Ethical requirements under “Elements of System of quality
control” in SQC 1.
5. Refer to heading of “Leadership responsibilities for quality on audits” under
SA 220.
Answers to Questions involving Test your understanding
1. Failure to reply to professional body smacks of lack of courtesy and
professional responsibility. The principle of “Professional behaviour” is
disregarded.
2. “Integrity” requires that a professional accountant shall not knowingly be
associated with reports, returns, communications or other information where
the accountant believes that the information contains a materially false or
misleading statement; contains statements or information provided
negligently or omits or obscures required information where such omission
or obscurity would be misleading.
In the given case, a false certificate is knowingly issued showing misstated
original cost of machinery. Therefore, fundamental principle of “integrity” is
violated.
3. When threats to independence exist, the auditor should either desist from the
task or eliminate the threat or at the very least, put in place safeguards which
reduce the threats to an acceptable level.
Holding of shares involves financial interest in the company and is in nature
of self-interest threat. He has come to hold shares due to nomination made
by his distant relative before accepting the appointment. Considering above,
he should take steps to eliminate the threat by selling shares immediately
before accepting appointment. Holding of shares of the same company for
© The Institute of Chartered Accountants of India
ETHICS AND TERMS OF AUDIT ENGAGEMENTS 11.43
a
which he is offered appointment as auditor constitutes threat to his
independence.
4. Undue dependence on fees of a client constitutes a threat as there is fear of
losing the client. Such threats are referred to as self-interest threats.
5. In this case, Chartered Accountant is already rendering accounting and book
keeping services to an NGO. If he accepts audit, he would be involved in
reviewing own work. Therefore, the same constitutes “self-review” threat.
6. In the given case, auditors have relied only upon management representation
letter regarding treatment of certain tax matters under appeal by the
company. No other audit procedures to verify management’s treatment of
such matters under appeal have been performed by auditors. It shows lack of
“professional skepticism” on part of auditors.
7. Engagement letter includes reference to expected form and content of audit
report. It merely states that auditor would provide opinion in this form.
However, engagement letter also includes statement that the form and
content of report may need to be amended in the light of audit findings.
Therefore, if in light of audit findings, auditor needs to give a modified
opinion, he shall do so.
8. It is necessary for management to give in writing explicitly to the auditor that
it understands its responsibilities for preparation of financial statements in
accordance with applicable financial reporting framework. It is a necessary
precondition for an audit in accordance with SA 210.
If the preconditions for an audit are not present, the auditor shall discuss the
matter with management. Unless required by law or regulation to do so, the
auditor shall not accept the proposed audit engagement: -
(a) If the auditor has determined that the financial reporting framework to
be applied in the preparation of the financial statements is
unacceptable or
(b) If the agreement of management is not obtained on matters relating to
understanding of responsibility of management on preparation of
financial statements, internal controls for preparation of financial
statements, providing access to all information to auditor and
unrestricted access to persons within the entity.
© The Institute of Chartered Accountants of India
a 11.44 AUDITING AND ETHICS
Unless required by law or regulation to do so, such a refusal on the part of
auditor is necessary as management is not willing to accept its responsibility
for preparation of financial statements in accordance with applicable financial
reporting framework. An audit is conducted on this basic premise according
to SA 210. When basic premise on which audit is conducted is not fulfilled,
refusal by auditor is necessary.
9. Integrity of principal owners has to be considered before accepting an audit
engagement in accordance with SA 220. In this regard, SA 220 states
requirements on lines of SQC 1. SQC 1 clearly states that in cases where there
are indications that the client might be involved in money laundering or other
criminal activities, appointment should not be accepted.
In the instant case, there have been raids of NIA on suspected links with terror
outfits which is a criminal activity. Further, raids by Enforcement Directorate
also point towards money laundering. Therefore, proposed offer should not
be accepted.
10. SQC 1 requires that before accepting an engagement, competence (including
capabilities, time and resources) to perform engagement have to be
considered.
In the given case, the proposed engagements involve use of technology and
data analytics. The firm has no prior experience of audits in emerging “fin-
tech” sector. The firm does not have trained personnel to carry out these
audits. Hence, offer for these audits should not be accepted.
© The Institute of Chartered Accountants of India
You might also like
- Operational Risk Management - Chapter 1 - Operational Risk ManagementNo ratings yetOperational Risk Management - Chapter 1 - Operational Risk Management49 pages
- Fraud Identifcation and Prevention, Jack Rick, La - FraudeNo ratings yetFraud Identifcation and Prevention, Jack Rick, La - Fraude332 pages
- Understanding Financial Risk ManagementNo ratings yetUnderstanding Financial Risk Management126 pages
- Central Bank Risk Management 1740311723No ratings yetCentral Bank Risk Management 1740311723282 pages
- Lending and Credit Management Study PackNo ratings yetLending and Credit Management Study Pack482 pages
- (BestMasters) Bohdan Popovych - Application of AI in Credit Scoring Modeling-Springer Gabler (2022)No ratings yet(BestMasters) Bohdan Popovych - Application of AI in Credit Scoring Modeling-Springer Gabler (2022)93 pages
- Measuring Operational Risk: Key InsightsNo ratings yetMeasuring Operational Risk: Key Insights77 pages
- The Meaning of Adult Education - E.C. Lindeman PDFNo ratings yetThe Meaning of Adult Education - E.C. Lindeman PDF262 pages
- Financial Data Analytics With R Monte-Carlo Validation (Jenny Chen) (Z-Library)No ratings yetFinancial Data Analytics With R Monte-Carlo Validation (Jenny Chen) (Z-Library)297 pages
- Islamic Banking Handbook Financial Sector Talent Enrichment ProgrammeNo ratings yetIslamic Banking Handbook Financial Sector Talent Enrichment Programme242 pages
- Risk Management and Corporate GovernanceNo ratings yetRisk Management and Corporate Governance31 pages
- Bank Audits - Expert Guidance For ProfessionalsNo ratings yetBank Audits - Expert Guidance For Professionals99 pages
- Islamic Banking: Principles and PracticesNo ratings yetIslamic Banking: Principles and Practices241 pages
- Advanced Introduction To Behavioral FinanceNo ratings yetAdvanced Introduction To Behavioral Finance176 pages
- Issb 2023 C Basis For Conclusions On Ifrs s1 General Requirements For Disclosure of Sustainability Related Financial Information Part CNo ratings yetIssb 2023 C Basis For Conclusions On Ifrs s1 General Requirements For Disclosure of Sustainability Related Financial Information Part C57 pages
- Artificial Intelligence in Economics and Finance Theories: Tankiso Moloi Tshilidzi MarwalaNo ratings yetArtificial Intelligence in Economics and Finance Theories: Tankiso Moloi Tshilidzi Marwala131 pages
- CGAP Operational Risk Management CourseNo ratings yetCGAP Operational Risk Management Course248 pages
- Audit Concept Book 2025 (1) - Compressed - 1749551228481No ratings yetAudit Concept Book 2025 (1) - Compressed - 1749551228481252 pages
- Stephane Goutte, Khaled Guesmi, Samir Saadi - Cryptofinance A New Currency For A New Economy-World Scientific Pub Co Inc (2019)No ratings yetStephane Goutte, Khaled Guesmi, Samir Saadi - Cryptofinance A New Currency For A New Economy-World Scientific Pub Co Inc (2019)232 pages
- Healthcare Management Engineering in ActionNo ratings yetHealthcare Management Engineering in Action356 pages
- Smart Banking AI & IoT: Challenges & OpportunitiesNo ratings yetSmart Banking AI & IoT: Challenges & Opportunities6 pages
- Chengqing Zong - Rui Xia - Jiajun Zhang - Text Data Mining-Springer SingaporeNo ratings yetChengqing Zong - Rui Xia - Jiajun Zhang - Text Data Mining-Springer Singapore528 pages
- Understanding Audit: Scope and ImportanceNo ratings yetUnderstanding Audit: Scope and Importance42 pages
- CH-1 - Nature, Objectives and Scope of AuditNo ratings yetCH-1 - Nature, Objectives and Scope of Audit48 pages
- Audit Nature, Objectives & Scope OverviewNo ratings yetAudit Nature, Objectives & Scope Overview16 pages
- 1) Nature, Objective and Scope of AuditNo ratings yet1) Nature, Objective and Scope of Audit10 pages
- Understanding Audit: Nature, Objectives, ScopeNo ratings yetUnderstanding Audit: Nature, Objectives, Scope10 pages
- Finex Advisors: Boutique Consulting FirmNo ratings yetFinex Advisors: Boutique Consulting Firm19 pages
- 3rdyr - 2ndMT - Auditing and Assurance Concepts and Application 2 - 2223No ratings yet3rdyr - 2ndMT - Auditing and Assurance Concepts and Application 2 - 222341 pages
- Review Questions: Internal Control Objectives, Principles, and ModelsNo ratings yetReview Questions: Internal Control Objectives, Principles, and Models7 pages
- Switching Costs in Auditing Market DynamicsNo ratings yetSwitching Costs in Auditing Market Dynamics27 pages
- Audit Management Question Bank Answers 1No ratings yetAudit Management Question Bank Answers 117 pages
- Luxasia Pte. Ltd. Financial Statements 2018No ratings yetLuxasia Pte. Ltd. Financial Statements 201873 pages
- Overview of Financial Accounting PrinciplesNo ratings yetOverview of Financial Accounting Principles27 pages
- Effect of Financial Accounting Information On Decision Making in Business OrganizationNo ratings yetEffect of Financial Accounting Information On Decision Making in Business Organization40 pages
- Critical Analysis of Non-Tax Revenues in DGRADNo ratings yetCritical Analysis of Non-Tax Revenues in DGRAD14 pages
- Financial Accounting (FA/FFA) : Syllabus and Study GuideNo ratings yetFinancial Accounting (FA/FFA) : Syllabus and Study Guide16 pages
- 5 - Analysis and Interpretation of Financial StatementsNo ratings yet5 - Analysis and Interpretation of Financial Statements36 pages
- Corporate Governance at Sonali Bank Ltd.No ratings yetCorporate Governance at Sonali Bank Ltd.74 pages
- USADF Africa Entrepreneurship Proposal TemplateNo ratings yetUSADF Africa Entrepreneurship Proposal Template10 pages
- Audit Planning and Risk Assessment GuideNo ratings yetAudit Planning and Risk Assessment Guide24 pages
- CS Executive Corporate Accounting GuideNo ratings yetCS Executive Corporate Accounting Guide95 pages
- BASEL NORMS - I, II, II.5 III, CCAR ERC - Summary - Notes - For - CompreNo ratings yetBASEL NORMS - I, II, II.5 III, CCAR ERC - Summary - Notes - For - Compre22 pages
