© 2017 University of South Africa

All rights reserved

Printed and published by the

University of South Africa
Muckleneuk, Pretoria

AUE3701/1/2018

70533792

InDesign

MNB_Style
CONTENTS

Page

TOPIC 1: Introduction 1

TOPIC 2: The Preliminary audit engagement 8

TOPIC 3: Planning an audit 16

TOPIC 4: Obtaining audit evidence 98

TOPIC 5: Internal control concepts 122

TOPIC 6: Tests of controls in cycles 151

Attachment 1 189

Attachment 2 194

(iii) AUE3701/1/2018
(iv)
TOPIC 1
Introduction

1 WELCOME
Dear Student

It is with great pleasure that we welcome you to Module AUE3701: Audit planning and
tests of controls. The preface outlines the links to other auditing modules, our teaching
strategy and useful hints that will help you to have a more positive learning experience.

We wish to congratulate you on successfully completing your AUE200 studies. We

simultaneously want to warn you that studying auditing at third-year level is more intense:
this is because we want to enhance your knowledge level to enable you to integrate
various aspects of auditing in scenario-based questions and in auditing practice.

2 PURPOSE OF THE MODULE

This module is intended for trainee accountants and auditors or such individuals in related
fields, for example people who are interested in qualifying as chartered accountants or
registered auditors, to enable them to develop the necessary basic competencies. The
purpose of this module is to provide you with knowledge and skills in auditing theory
and practice, including basic auditing concepts, statutory requirements, guidelines and
auditing standards.

3 LINK TO OTHER MODULES

The content in this module advances the content of the various auditing modules that
you have already passed to a higher academic level. The learning outcomes are therefore
aimed at further developing your expertise and abilities in the field of auditing.

A brief outline of the Auditing 200, 300 and 400 modules offered by the Department of
Auditing is provided below:

Auditing 200

AUE2601: Auditing theory and practice

Students credited with this module will know the basic auditing concepts, will be able
to apply their knowledge of the role, duties and responsibilities of a registered auditor
and apply the International Standards on Auditing in the statutory audit of an ordinary
company trading in goods and services.

1 AUE3701/1
AUE2602: Corporate governance and the auditor
The purpose of this module is to provide learners with knowledge and skills in the principles
of corporate governance, statutory matters and internal controls in the accounting cycles
from the auditor’s perspective, including evaluating internal controls.

Auditing 300

AUE3701: Audit planning and tests of controls

The purpose of this module is to provide learners with knowledge and skills in audit
planning and the performance of tests of controls, which include auditing concepts,
statutory requirements, guidelines and international standards on auditing.

AUE3702: Substantive procedures and finalising the audit

The purpose of this module is to provide learners with knowledge and skills in the
performance of substantive procedures and the finalisation of an audit, which includes
auditing concepts, statutory requirements, guidelines and international standards on
auditing.

Auditing 400

AUE4861: Advanced auditing

The aim is to ensure that students obtain 70% of the auditing knowledge requirements of
the South African Institute of Chartered Accountants (SAICA) prescribed syllabus, in order
to produce competent professional accountants. AUE4861 also provides a foundation
of auditing knowledge that will enable students to continue to learn and adapt to
change throughout their professional lives. In particular, the module aims to develop core
competence (the acquisition of auditing knowledge and skills) in the field of auditing.

AUE4862: Applied auditing

The aim is to ensure that students obtain the other 30% of the auditing knowledge
requirements of the SAICA prescribed syllabus in order to produce competent professional
accountants. It will also provide a foundation of auditing knowledge that will enable
students to continue to learn and adapt to change throughout their professional lives. In
particular, the module aims not only to develop core competence in the field of auditing,
but also to integrate the knowledge obtained in Modules AUE4861 and AUE4862. Both
of these modules will enable a student to adhere to the SAICA requirements for auditing.

4 FRAMEWORK OF MODULE AUE3701

The topics in the two third-year modules, namely AUE3701 and AUE3702, have been
arranged to follow the logical flow of the audit process.

The following is a schematic representation of the content of the second- and third-year
modules.

2
Module AUE3701 covers the shaded blocks. These topics start with the auditor’s first
encounter with an audit client. The decision to accept or reject the engagement with
the audit client follows. When the decision has been taken to accept the engagement,
the audit is planned at a date that will allow sufficient time to finalise the audit. After the
planning has been finalised, the first phase in obtaining audit evidence is performed,
namely the performance of tests of controls.

Below is more detail about the auditor’s conduct during the stages of the audit process
in this module:

3 AUE3701/1
 An auditor has to apply his or her mind carefully
during the preliminary audit engagement stage to
make sure he or she preserves his or her own
business (the audit firm) by accepting appropriate
clients.

During the planning phase of an audit, the auditor

performs various procedures (study units 3.2 to
3.8) to gain an understanding of the entity and its
environment, identify and assess risks and finally
develop an audit strategy that in turn results in
an audit plan. The audit plan details the audit
procedures that will be performed during the audit.

The audit procedures that will be covered in module

AUE3701 are the tests of controls.

Throughout the audit the auditor continuously reassesses the audit risk to determine
whether or not he or she achieves the objective of reducing the audit risk to an acceptable
level. If this desired result is not achieved, the auditor has to revisit the drawing board to
determine whether:

• The risks were correctly identified initially; and/or

• The audit procedures were correctly designed to address the identified risks.
The result of the above revisit should lead to corrective action. This will ensure that an
audit is performed in the most efficient and effective manner.

Module AUE3702 covers the performance of substantive testing, the evaluation of audit
evidence gathered, concluding and reporting.

Notes
……………………………………………………………………………………………………
……………………………………………………………………………………………………
……………………………………………………………………………………………………
……………………………………………………………………………………………………
……………………………………………………………………………………………………
……………………………………………………………………………………………………
……………………………………………………………………………………………………
…………………………………………………………………………………………………
……………………………………………………………………………………………………
……………………………………………………………………………………………………
……………………………………………………………………………………………………
……………………………………………………………………………………………………
……………………………………………………………………………………………………
……………………………………………………………………………………………………

4
STUDY UNIT 1.1
Auditing concepts

LEARNING OUTCOMES:

In this study unit we focus on the following learning outcome:

• Explain various auditing concepts that students will encounter later

in their auditing studies.

INTRODUCTION
“wud pcm b4 l cul”: Does this look familiar? Some SMS “language” is hard to understand
if you have not been introduced to it (wud pcm b4 l cul = what are you doing? Please call
me before lunch. See you later).

The same applies to auditing, where you need to learn the meaning that auditors assign
to certain words. An example is the term “material”. Seamstresses can make clothing from
material, but an auditor uses the term “material” to indicate the significance of amounts
or events.

Refer to Topic 4 in AUE2601, where you learned about various auditing concepts, and
revise these before studying the references below. During your studies you will have to
refer to the explanation of these concepts frequently to fully understand what you learn
and read in the International Standards on Auditing, the International Standards on Quality
Control etc. and in textbooks.

OBJECTIVES OF THE INDEPENDENT AUDITOR

Study

ISA 200: par. 3 and par. A1 to find what the purpose of performing an audit is.
ISA 200: par. 5 and par. A30–A54 to learn what is meant by “reasonable
assurance”.
ISA 200: par. 6 for an explanation of materiality.
ISA 200: par. 7 to learn about “professional judgment”, “professional scepticism”
and “risk of material misstatement”.

5 AUE3701/1
 ISA 200: par. 8 and par. A12-A13 to find out what a form of opinion is.
ISA 200: par. 13 contains important definitions that will help you understand
the study material in this and other auditing modules.

Who do you think an engagement partner is? Could it be a party to an

upcoming marriage?

Study

Study ISA 220: par. 7. Also take note of the other definitions in par. 7 because
this International Standard on Auditing deals with quality control of audit
engagements.

QUALITY CONTROL
The quality of work performed by auditors on an engagement has to be controlled to
preserve the value that audits can add to entities that are being audited. The International
Auditing and Assurance Board (IAASB) issued the International Standards on Quality
Control (ISQC) to provide guidance to auditors on how to ensure that their work is of the
desired quality. Please note that ISQC 1 gives guidance at audit-firm level.

Study

Study the definitions given in ISQC 1: par. 12. These definitions are important
for your continued studies, as stated previously.

Also refer to AUE2601 in study unit 2.4, where quality control was discussed, to make
certain that you understand the requirements to be met by audit firms to ensure the
quality of audit work.

COMMUNICATION
An auditor has to establish two-way communication between “those charged with
governance” (the organisation) and him- or herself on a variety of matters:

• Developing both the working relationship and the understanding of the auditor and
the organisation being audited of matters related to the audit (read ISA 260:4(a))
• Obtaining information for audit purposes about the organisation (read ISA 260:4(b))
• Assisting the organisation to fulfil its financial reporting duties to reduce the risk of
material misstatement of the financial statements (read ISA 260:4(c))

6
This communication occurs throughout the process of performing an audit. You must
keep this in mind during your studies. Although ISAs also contain guidelines on reporting,
you should always refer to ISA 260 to see if it stipulates additional communication duties.
Refer to Appendix 1 of ISA 260 for a list of the other ISAs that contain stipulations about
communication.

THE INTERNATIONAL FRAMEWORK FOR ASSURANCE

ENGAGEMENTS
You should keep in mind that this framework defines and describes the elements and
objectives of an assurance engagement, of which a statutory audit is only one kind.

Study

Revise study unit 1 of AUE2601 which dealt with the framework.

Summary

In this learning unit we discussed and explained various auditing concepts

that will help you to understand learning material containing these concepts.

1 Self-assessment

After having worked through the study unit and the references to the prescribed study
material, determine if you can do the following:

(1) Explain various auditing concepts that you will encounter later in your auditing
studies.

7 AUE3701/1
TOPIC 2
The preliminary audit engagement
This topic explains the first stage of the audit process, namely the preliminary audit
engagement stage, as illustrated in Figure 2.1.

FIGURE 2.1: Stages of the audit process

THIS TOPIC IS PRESENTED IN ONE STUDY UNIT:

Study unit Title

2.1 The preliminary audit engagement stage

8
Study unit 2.1 in this topic explains the aspects that the auditor has to consider before he
or she can decide whether to accept a new client or whether or not a relationship with
an existing client should be continued. Several legal and ethical considerations related
to this decision are also explained.

Learning outcomes

The learning outcomes of this study unit are set out in the separate study unit.

STUDY UNIT 2.1

THE PRELIMINARY AUDIT ENGAGEMENT STAGE

LEARNING OUTCOMES:

In this study unit we focus on the following learning outcomes:

• Evaluate whether a prospective audit client can be accepted.

• Evaluate whether a long-term relationship with an existing audit client
should be continued.
• Evaluate whether the audit firm is able to perform an audit in terms
of the International Standards on Auditing.
• Evaluate if the audit engagement agreement is properly formalised
in an engagement letter.

INTRODUCTION
Imagine for a moment that you own a spaza shop. To make sure your business survives
in the long term, you will have to plan for a variety of factors. Firstly, you will plan the
layout of your shop to avoid customers stealing cash and stock. Secondly, you will make
sure that your affairs are in order with the authorities, to prevent them from closing your
business down. Thirdly, you will plan to have the correct stock to offer to your customers
to convince them to support you over the long term.

Similarly, an audit firm has to make sure it safeguards its own business to be sustainable in
the long term. Therefore, audit firms perform procedures to ensure that they only accept
clients that will not cause harm to the firm and that the firm performs quality work.

9 AUE3701/1
The preliminary engagement stage is a very important stage of an audit. During this
stage an audit firm should follow three steps, namely:

1. Investigate the client to determine whether the client should be accepted, or

whether the firm should continue its relationship with an existing client.
2. Determine skills, competence & resources to determine whether the audit firm
will be able to perform the audit in compliance with standards and can comply with
ethical requirements.
3. Establish the terms of the engagement and formalise the agreement in an
engagement letter.

Study

Refer to study unit 4.2 in AUE2601, where you learned about the preliminary
engagement stage of an audit, and revise it before studying the references
below.

Please note that for this study unit you only have to study selected paragraphs from
various standards and the framework, because only those paragraphs are relevant to
the preliminary engagement stage of an audit. Don’t be too concerned about the parts
that you do NOT have to study now. They will be dealt with in the relevant study units.

Note the following in the study sources that follow:

• The considerations to ensure that the business continuity of an audit firm will not
be threatened by accepting or keeping a client (Jackson & Stent; ISA 220: par. 11, A6).
• Audit firms should judge the integrity of the client’s managers and perform procedures
to assess their integrity (Jackson & Stent; ISQC 1: A19–A20; ISA 220: par. 12, A8).
• Audit firms should evaluate the ethical conduct and competence of their own staff
(Jackson & Stent, ISA 220: paras 9–10; par. 14; A4–A9, ISQC 1: paras 26–28, A18).

10
Study sources:

• The relevant section dealing with “Preliminary engagement activities” in Chapter 6 of

Auditing Notes by Jackson and Stent
• The relevant section dealing with “Acceptance and continuance of client relationships”
in Chapter 6 of Auditing Notes by Jackson and Stent
• International Standard on Quality Control (ISQC 1, par. 20–31; A7–A22)
• International Standard on Auditing (ISA): Agreeing the terms of engagements (ISA 210,
all paras and Appendix 1)
• International Standard on Auditing (ISA): Quality control for an audit of financial statements
(ISA 220: paras 12–13, A8–A9)
• International Standard on Auditing (ISA) Planning an audit of financial statements
(ISA 300: par. 6)
• SAICA Handbook: International Framework for assurance engagements (Frame)
(par. 17–19)

Activity 1

You have been approached by Ms Sparkle to accept Atomic Limited, a company

manufacturing radioactive products, as a client. She informs you that the company
has not registered according to the stipulations of the law regulating dangerous and
environmentally threatening substances.
REQUIRED
(1) Based on the scenario, describe one aspect in terms of ISQC 1 that you will consider
to determine whether you should accept Atomic Limited as a client.
(2) Now, based on the scenario, describe one aspect in terms of ISA 220 that you will
consider to determine whether you should accept Atomic Limited as a client.

1 Feedback on Activity 1

ISQC1 deals with quality controls for audit firms, whereas ISA 220 deals with
quality control at engagement level. Although these standards deal with different
levels of quality control, some requirements are applicable to both levels and appear in
both standards.

1.1 Because Ms Sparkle did not register Atomic Limited as required by legislation, the
integrity of the client is questionable (ISQC 1: A19).
1.2 The same answer as in 1.1 is found in paragraph A8 of ISA 220.

NOTE: In order to pass this module, it is important that you study all the
references to become familiar with the Auditing Standards, the
Standards on Quality Control and the Framework. Don’t wait until
next year because you will not have the time to go back to all this
work in your postgraduate studies.

11 AUE3701/1
 However, when you study and make summaries, use the opportunity to
note where the same content is repeated in the various study references.
This will prevent you from studying similar content repeatedly when you
revise the study unit later.

Activity 2

Your audit firm has performed the audit for Jingle Limited for the past eight years.
During a meeting with the CEO, he told you that Jingle Limited has appointed a new
CFO, Ms Mamabolo.
You learn later that Ms Mamabolo’s sister is married to the only senior audit manager
in your audit firm who is qualified to perform the audit.
REQUIRED
(1) Explain, in terms of ISA 220, whether your firm should continue with the audit of
this existing client. You may assume that the audit firm will not be able to acquire
the services of another suitably qualified audit manager.

2 Feedback on Activity 2

(1) In terms of ISA 220: par. A8, your firm should not continue with the audit of this existing
client because the relationship between the CEO and the audit manager is a threat to
the audit firm’s independence.

Activity 3

To determine whether auditing standards on quality control are complied with, de-
scribe four main aspects to be evaluated when considering accepting a new client or
continuing the relationship with an existing client.

3 Feedback on Activity 3
Integrity: Consider the integrity of the client’s management (Jackson & Stent chapter 6;
ISA 220: par. A8; ISQC 1: par. A19).
Competence: Is the audit firm competent to perform the engagement? (Jackson & Stent
chapter 6; ISA 220: par. A8; ISQC 1: par. A18)
Ethics: Do any ethical threats exist between the audit firm and the client? (Jackson & Stent
chapter 6; ISA 220: par. A8)
Significant matters: Did any such matters arise during the current or previous engagement,
the implications of which affect the continuance of the relationship? (ISA 220: par. A8)

12
Activity 4

BACKGROUND
Letterhead (Una Auditors)
Mr Zippo Lighter
Financial Director of Petersons (Pty) Limited
Petersons (Pty) Limited
P O Box 4477
MODIMOLLE
0510

Dear Sir

We are pleased to announce our acceptance of Petersons (Pty) Limited as a client and
hope to add value to your business. This letter, once signed by you and returned to
us, serves as a formal letter of appointment.

Our appointment is based on the following terms and conditions:

(1) Petersons (Pty) Limited’s memorandum of incorporation (MOI) requires an audit

to be performed.
(2) We will conduct the audit for the year ended 31 August.
(3) On 15 October we will sign off the financial statements comprising the statement
of financial position, statement of comprehensive income, statement of changes in
equity, statement of cash flows, and a summary of significant accounting policies
and explanatory notes.
(4) Our role is to certify the fair presentation of the financial statements presented to
us by your chief financial officer.
(5) We will perform the audit in accordance with the International Standards on
Auditing (ISA) and we will comply with all the relevant ethical requirements. We
will plan and perform the audit to obtain reasonable assurance that the financial
statements are free from material misstatements. The audit procedures that we
will select will depend on our judgment and include the assessment of the risks
of material misstatements.
(6) You should provide us with the draft financial statements prepared in accordance
with the International Financial Reporting Standards by 15 September, and allow
us to access all the financial information and persons within the entity that we
determine necessary to per form our duties.
(7) You are also responsible for the internal controls necessary to enable the preparation
of financial statements that are free from material misstatements.
(8) Our fees will be based on the previous year’s invoice for the audit, adjusted for
inflation.
(9) The form and content of our report will depend upon our audit findings.
Kindly sign the letter and return it to us.

Kind regards

Mike Blimey
Senior Audit Manager

Signed........................................................

13 AUE3701/1
 Zippo Lighter
Financial Director of Petersons (Pty) Limited
REQUIRED
List the shortcomings of the engagement letter in terms of ISA 210.

4 Feedback on Activity 4

Weaknesses in the proposed audit engagement letter

Reference: ISA 210
(1) The letter is not dated. (1)
(2) The letter is not addressed to the appropriate representative of
management, i.e. the board of directors or the audit committee. (1)
(3) It does not indicate the year to be audited. (1)
(4) This is the first audit, and imposing a deadline by promising sign-off of the
AFS on 15 October is inappropriate. (1)
(5) Auditors do not “certify”, they give an opinion on fair presentation. (1)
(6) It is not mentioned that an audit includes evaluating the appropriateness of
accounting policies, the reasonableness of accounting estimates and
overall presentation of the financial statements. (3)
(7) The letter does not alert the client to the fact that, because of the inherent
limitations of an audit together with the inherent limitations of internal
control, there is still the unavoidable risk that some material misstatements
may not be detected, even though the audit is properly planned and
performed. (3)
(8) There is no indication that written confirmation of representations of
management will be requested. (1)
(9) No reference is made to the use of an expert should this be appropriate. (1)
(10) No reference is made to the use that will be made of the internal auditors. (1)
(11) No indication is given that management should inform the auditor of
subsequent events. (1)
(12) Basing the fees on prior years, particularly in the case of a first audit, is not an
appropriate method of fee charging. Fees should be negotiated with the audit
committee based on time, skill and experience. (2)
(13) The explanation of why the letter must be signed and returned does not refer
to the acknowledgement of the terms of the engagement. (1)
(14) The letter should be signed by the designated auditor and not the senior
audit manager. (1)
(15) The designated auditor is not identified. (1)

Summary

In this study unit we discussed and explained the considerations and

procedures pertaining to the preliminary engagement stage of an audit.

14
2 Self-assessment

After having worked through the study unit and the references to the prescribed study
material, determine if you can do the following:

(1) Determine whether or not a prospective audit client should be accepted.

(2) Determine whether or not a long-term relationship with an existing audit client
should be continued.
(3) Determine whether or not the audit firm is able to perform an audit in terms of
the International Standards on Auditing.
(4) Determine whether or not the audit engagement agreement is properly drafted
in an engagement letter.

15 AUE3701/1
TOPIC 3
Planning an audit

Topic 1 identified that the audit process consists of four stages.

FIGURE 3.1: Stages of the audit process

In the previous topic the first stage of the audit process, namely the preliminary engagement
stage, was explained. The aim of this topic is to explain the second stage of the audit
process, namely the planning stage.

16
THIS TOPIC IS DIVIDED INTO THE FOLLOWING STUDY UNITS:

Study unit Title

3.1 Planning an audit of financial statements

Understanding the entity and its environment, including the entity's

3.2
internal control

3.3 Identification and assessment of risk

3.4 The auditor’s responsibilities with respect to fraud

3.5 Consideration of laws and regulations in an audit of financial statements

3.6 Materiality

3.7 The overall audit strategy

3.8 The audit plan

3.9 Audit documentation

Communicating deficiencies in internal control to those charged with

3.10
governance and management

Planning an audit of financial statements can be divided into different phases. In this topic,
the first study unit provides a general overview of the planning phases when planning
an audit (study unit 3.1). Thereafter the different aspects of the planning stage of an
audit are discussed (study units 3.2 to 3.8). After this the general requirements of audit
documentation that should be kept in mind throughout the stages of the audit process
are explained (study unit 3.9). Lastly, study unit 3.10 refers to communicating deficiencies
in internal control to those charged with governance and management. Please note
that deficiencies in internal control can be identified during both the planning and the
execution phase of the audit.

Learning outcomes

The learning outcomes of each of the study units are set out in the separate study units.

17 AUE3701/1
STUDY UNIT 3.1
PLANNING AN AUDIT OF FINANCIAL STATEMENTS

LEARNING OUTCOMES:

In this study unit we focus on the following learning outcomes:

• Describe …
– the role and timing of audit planning
– the auditor’s objective in planning an audit
– who is involved in the planning of an audit.
• Identify the phases in the planning stage of an audit.

INTRODUCTION
This study unit gives a general overview of planning an audit of financial statements.

How important is planning in your everyday life? Think about a few examples of your
planning and discuss these with your fellow students in the discussion forum. Also discuss
why you think it is important to plan an audit of financial statements.
In the same way that important events in your life must be planned, an audit also has to
be planned. You cannot just walk into the audit client’s offices and demand all of their
information. As the auditor, you need to plan the audit to ensure that you request the
correct and applicable information and perform the applicable audit procedures that
will support your audit opinion.
The International Standard on Auditing (ISA), Planning an audit of financial statements
(ISA 300), requires the auditor to plan an audit of financial statements (ISA 300, paragraph
01).

Study

International Standard on Auditing (ISA), Planning an audit of financial

statements (ISA 300) paragraphs 02, 04, 05, 11, A1 to A4, A14 and the relevant
section dealing with planning in Chapter 6 of Auditing Notes by Jackson and
Stent.
Note the following in the above study sources:
• The role and timing of planning (ISA 300, paragraph 02, A1 to A3).

18
• The auditor’s objective in planning an audit (ISA 300, paragraph 04).
• Members involved in planning an audit (ISA 300, paragraph 05, A4).
• The nature, timing and extent of the direction and supervision of the audit team
and the review of their work should also be planned (ISA 300, paragraph 11 and A16).
(ISA 220 contains further guidance on the direction, supervision and review of audit
work).
Planning should be seen as a continuous process which starts at the beginning of an
audit engagement and ends upon the completion of the current audit engagement. It
is continuous in the sense that it might sometimes be necessary to modify the planned
audit due to unforeseen circumstances.

The planning stage of an audit has different phases (Figure 1).

FIGURE 1: The phases in the planning stage of an audit

Note: Figure 1 shows the phases in the planning stage of an audit in chronological
order. However, the different phases should not be seen as “stand-alone” units,
as they are all interrelated.

19 AUE3701/1
 Activity 1

Answer the following questions:

(a) Describe the role and timing of the planning stage of an audit.
(b) Describe the auditor’s objective in planning an audit.
(c) Who is involved in planning an audit?

5 Feedback on Activity 1

(a) Refer to ISA 300, paragraph 02, A1 to A3.

(b) Refer to ISA 300, paragraph 04.
(c) Refer to ISA 300, paragraph 05, A4.

Summary

This study unit provided a general overview of planning an audit of financial

statements. Planning an audit is essential for the auditor in order to conduct
the audit effectively.
In this study unit we established that the planning stage in the audit process
consists of different phases. These phases will be explained in the study
units that follow.

3 Self-assessment

After working through the study unit and the references to the prescribed study material,
determine if you can do the following

(1) Describe the role and timing of audit planning, the auditor’s objective in planning
an audit and who is involved in the planning of an audit.
(2) Identify the phases in the planning stage of an audit.

20
STUDY UNIT 3.2
UNDERSTANDING THE ENTITY AND ITS
ENVIRONMENT, INCLUDING THE ENTITY’S
INTERNAL CONTROL

LEARNING OUTCOME:

In this study unit we focus on the following learning outcome:

• Describe, in relation to an entity, what the auditor should come to

understand during the planning phase of the audit.

INTRODUCTION
We have already established that the International Standard on Auditing (ISA), Planning
an audit of financial statements (ISA 300), requires the auditor to plan an audit of financial
statements (refer to study unit 3.1). We also identified that the planning stage consists
of different phases.

21 AUE3701/1
FIGURE 1: The phases in the planning stage of an audit

The aim of this study unit is to explain the auditing principles related to the first phase of
the planning stage of an audit, namely understanding the entity and its environment
during the planning phase of an audit.

During the planning phase of the audit, an auditor obtains an understanding of the
entity and its environment (which includes the internal control environment) in order to
identify and assess the risk of material misstatement at the financial statement level and
at the assertion level (risk at the financial statement level and the assertion level will be
dealt with in study unit 3.3).

Apart from the planning stage of the audit, internal control also has an influence on the
execution of the audit plan (dealt with in Topic 6) (see Table 1).

22
TABLE 1: Influence of internal control on the audit process

Stage of the audit

Influence of internal control
process

Planning stage While performing risk assessment procedures, the auditor:

• Obtains an understanding of the internal control at the enterprise,
since the information can be useful in identifying the risk of
material misstatement (at both financial statement level and
assertion level) as a result of fraud and/or errors.
• Evaluates the design of the entity’s internal control and determines
whether the internal controls have been implemented. The auditor
should determine whether a control, singly or in combination
with other controls, is sufficient to effectively prevent, detect
and correct material misstatement. This also helps the auditor
to develop an audit strategy and an audit plan to decide on the
nature, timing and extent of any further audit procedures that
are required.

Execution of the audit While performing further audit procedures in response to the assessed
plan risk, the auditor:
• Performs tests of controls when he or she is of the opinion that
the execution of substantive procedures alone is not sufficient to
provide relevant audit evidence, because it would not be possible
or practical to reduce the risk of material misstatement at the
financial statement level by carrying out substantive procedures
alone.
• Performs tests of controls when he or she expects the risk of
material misstatement to be lower because the company has
effective controls in place.

Study

International Standard on Auditing (ISA), Identifying and assessing the risks of

material misstatement (ISA 315) paragraphs .11–.24 and the relevant section
dealing with “understanding the entity and its environment” in Chapter 7
of Auditing Notes by Jackson and Stent.

Note the following in the above study sources:

• Without adequate knowledge of an entity and its environment, a proper identification
and assessment of the risk of material misstatement is impossible.
• The sources which an auditor can utilise to gain useful information about a client.
• The type of information that should be gathered by the auditor.
• The components of internal control (also dealt with in AUE2602).

23 AUE3701/1
 Activity 1

Describe, in relation to an entity, what an auditor should gain an understanding of

during the planning phase of an audit.

6 Feedback on Activity 1

Refer to ISA 315, paragraphs .11 and .12 and the section dealing with “understanding the
entity and its environment” in Chapter 7 of Auditing Notes by Jackson and Stent.

Comments on Activity 1
If you know the theory, you should have been able to answer this question.
Can you see that it is important to study the sources provided?

Reflect

Think about reasons why an auditor should obtain an understanding of the

accounting and internal control systems as part of the audit process.

7 Feedback on reflection

You will remember that the ultimate objective of an audit of financial statements is to enable
the auditor to express an opinion on whether or not the financial statements fairly present,
in all material respects, the financial position of the entity at a specific date, and the results
of its operations and cash flow information for the period ended on that date, in accordance
with an identified financial reporting framework and/or statutory requirements. This opinion
is expressed upon concluding the audit.
In order to express this opinion, the auditor performs certain procedures and activities aimed
at obtaining evidence relating to the financial statement assertions (financial statement
assertions were dealt with in AUE2601) on which the financial information is based.
When auditing the financial statements, the auditor’s sole concern is with the accounting
and internal control systems that are relevant to the financial statement assertions.
When an auditor studies the accounting and internal control systems, he or she gains
knowledge of the design and operations of the systems.

24
 Knowledge and understanding of the accounting and internal control systems that are
applicable to all the classes of transactions and account balances of an undertaking will
therefore assist the auditor to …
• evaluate the adequacy and suitability of the systems as a basis for compiling reliable fi-
nancial information, in other words assess the systems as a basis for confidence in controls;
• understand the control risk (a term that is explained later on in the study unit) and design
audit procedures accordingly;
• formulate the most suitable audit approach, based on the suitability of the accounting
and internal control systems, in other words decide on the nature, extent and timing of
the tests of internal controls and substantive procedures;
• plan the audit efficiently;
• ultimately, express an opinion on the fair presentation of the financial statements.

Read

Internal control aspects relevant to an auditor

In AUE2602 the following internal control aspects relevant to an auditor were discussed:

• The controls in a manual and an automated (computerised) environment within

the various transaction cycles:
– If an entity’s accounting system is partly or entirely computerised (automated), an
auditor must obtain an understanding of the computer environment and the com-
puterised (automated) applications that take place in that environment. This un-
derstanding is part of an auditor’s assessment of the capacity of the accounting
system to generate reliable financial information. A preliminary understanding of
the computer environment and computerised (automated) applications is required
to enable the auditor to design audit procedures.
– If an auditor intends to rely on the entity’s internal control systems, whether com-
puterised (automated) or influenced by computer processing, he or she should
study those controls in the same way as the internal controls in a manual system
would be studied.
– The auditor cannot simply accept that all transactions included in computerised
(automated) reports are authorised, have occurred and are complete and accurate.
He or she must first test the application controls.
– Remember that as the auditor you should be able to formulate tests of controls
(Topic 6) in order to evaluate (i.e. test) the manual controls, general controls and
application controls. You therefore need to identify the manual, general and ap-
plication controls a client has in place from a given scenario, in order to formulate
these tests of controls.

25 AUE3701/1
• General and application controls:
A requirement for confidence in the automated (computerised) application controls is
confidence in the general controls. This requires that the general controls should first be
assessed by the auditor before any application controls can be tested and a decision can
be taken to rely on them.

In summary: if the general controls cannot be relied upon, substantive testing must
be considered. If neither the general controls nor the application controls can be relied
upon, substantive testing must be applied as well.

Audit approaches to be followed by the auditor can be graphically illustrated as in Figure 2:

FIGURE 2: Audit approaches to be followed

The audit approaches to be followed form part of the auditor’s audit plan, which is
discussed in study unit 3.8.

Read

The relationship between internal control and control risk

Control risk is defined as follows:

The risk that a misstatement that may occur in a financial statement assertion that may
be material, either individually or in combination with other misstatements, will not be

26
prevented or detected and timeously corrected by the accounting and internal control
systems.

Once an understanding of the accounting and internal control systems has been obtained,
the auditor should decide to what extent he or she can expect to trust the systems and
should form a preliminary evaluation of control risk. Control risk is first determined at the
overall financial statement level and then at assertion level.

On account of the inherent limitations of internal control (dealt with in AUE2602), there
is always a risk that material misstatements in an account balance or class of transactions
will not be prevented or detected and corrected by the accounting and internal control
systems.

This is important to an auditor, because he or she decides on an acceptable level of

audit risk and if the control risk is increased, the auditor should manage it by decreasing
the detection risk. It is important that an auditor should obtain an understanding of the
accounting and internal control systems of the auditee, and decide on the basis of an
evaluation of the systems whether they can be expected to be reliable.

If the accounting and internal control systems are not believed to be functioning effectively,
the auditor would assess the control risk as high. The opposite is also true: if the accounting
and internal control systems are expected to be functioning effectively to prevent, detect
and correct material misstatements, the auditor would assess the control risk as lower.
The control risk is therefore directly dependent on the design and functioning of the
accounting and internal control systems.

Table 2, summarises the way auditors evaluate control risk.

TABLE 2: Evaluating control risk

Control risk: Reason:

Low (Note 1) Internal controls, related to the assertion, are present which should prevent
a material misstatement, or should detect and correct it.

High (Note 2) Accounting system and internal controls are ineffective.

High (Note 2) The auditor has decided not to rely on the internal controls because it
would serve no purpose, but rather to carry out extensive substantive
procedures to reduce the overall audit risk to an acceptable level.

27 AUE3701/1
 Notes: 1. If the auditor has assessed the control risk as low, he or she should perform
the tests of controls required to obtain sufficient appropriate audit evidence
to prove that the internal controls were operating effectively during the
audit period.
2. If the auditor has assessed the control risk as high, he or she should
determine which errors and irregularities are likely to occur as a result
of the weaknesses in the accounting system and internal controls, and
should determine appropriate substantive procedures that could detect
such errors and irregularities. Please note that the auditor will only perform
substantive procedures for the areas with weak internal controls for which
he or she considers the risk of material misstatement to be high.

Identification and assessment of risks are discussed in detail in study unit 3.3.

Read

Tests of controls

If an auditor decides to rely on an auditee’s internal control system and has therefore
assessed the control risk as low, he or she must test the system to establish whether or
not it is effective. We are referring here to tests of controls, which are procedures carried
out by the auditor to gather audit evidence on the design of the accounting and internal
control systems and the operation of the systems during the reporting period.

The tests of controls are discussed in Topic 6.

On the basis of the results of the tests of controls, the auditor should decide whether
his or her initial assessment of the control risk justifies his or her reliance on the internal
control system. If the auditor’s reliance on the internal control system is not justified, the
auditor must raise the control risk.

Control risk forms part of the following risk equation:

Audit risk (AR) = Inherent risk (IR) x Control risk (CR) x Detection risk (DR)
(refer to study unit 3.3 for a definition of these terms)

Despite the fact that there are three components (IR, CR and DR) to AR, the auditor only
has full control over the level of the DR. The auditor has no control over IR, and as the
system of controls is designed and implemented by the client, the auditor can only reduce
control risk to the extent that he or she tests controls and finds them to be effective.

The auditor sets AR at an acceptable level for each engagement. IR and CR must then be
looked at in combination to determine the level of the DR. For example:

28
• For a set level of AR if the CR and IR together are high, the DR must be reduced to
balance the risk equation.
• For a set level of AR if the CR and IR together are low, a higher level of DR will be
acceptable to balance the risk equation.

The level of DR determines the nature, extent and timing of the substantive procedures
that will be carried out:
• Where a lower level of DR is acceptable, the auditor will increase its substantive
procedures.
• Where a higher level of DR is acceptable, the auditor will reduce its substantive
procedures.
To summarise: If the auditor assesses CR as low, this will influence the nature, extent and
timing of the substantive procedures that have to be carried out.

Summary

In this study unit we described, in relation to an entity, what the auditor

should gain an understanding of during the planning phase of the audit.

4 Self-assessment

After having worked through the study unit and the references to the prescribed study
material, determine if you can do the following:

(1) Describe, in relation to an entity, what the auditor should gain an understanding
of during the planning phase of the audit.

29 AUE3701/1
STUDY UNIT 3.3
IDENTIFICATION AND ASSESSMENT OF RISK

LEARNING OUTCOMES:

In this study unit we focus on the following learning outcomes:

• Identify risk indicators from a scenario, and for each identified risk
indicator describe the audit risks or risks of material misstatement
at the …
– financial statement level and
– assertion level.

INTRODUCTION
Study unit 3.1 identified that the planning stage consists of different phases.

30
FIGURE 1: The phases in the planning stage of an audit

The first phase in the planning stage of an audit, namely understanding the entity and its
environment, was explained in study unit 3.2. The aim of this study unit is to explain the
auditing principles related to the second phase of the planning stage of an audit, namely
identification and assessment of risk. This will enable you to identify risk indicators
from a scenario and describe the audit risks or risks of material misstatement at both the
financial statement and assertion levels.

Risks are all around us and form part of our everyday lives. Think about it for a moment
and discuss the risks that affect your life on a day-to-day basis with your fellow students
on the discussion forum.

8 Feedback

Different risks affect individuals differently. Some risks that affect most of our daily lives
include health risks, safety and security risks and financial risks. In order to address these
risks, we attempt to minimise the effect that they will have on our lives. For example, if you
feel sick, you will identify that a disease is threatening your health and you will go to the

31 AUE3701/1
 doctor to have it treated. In the same way as individuals, the business operations of entities
are also affected by risks. Management is responsible for identifying and assessing risks that
affect an entity’s business, and auditors are responsible for identifying and assessing risks
that have an effect on the entity’s financial statements.
The identification and assessment of risk is performed during the planning phase of an audit.
Once the engagement letter has been issued and signed, the auditor can start to identify
and assess risks by gaining an understanding of the entity and its environment, including
the entity’s internal control.
Assessment of risk should be performed at the overall financial statement level as well
as at the assertion level. The difference between risk at the overall financial statement
level and the assertion level is discussed in detail later in this study unit.
You will also learn that the auditor has to perform audit procedures to respond to risks once
the identification and assessment of risks are completed. This is dealt with in study unit 4.1.

Study

Before studying the sources below, refresh your memory on audit risk
concepts by referring to a previous auditing module, namely AUE2601
(study unit 3.6).

Refer to the following study sources for this study unit:

1. International Standard on Auditing (ISA), Identifying and assessing the risks of material
misstatement through understanding the entity and its environment (ISA 315) paragraphs
.03.–.10; .25–.32; A1–A16.
2. International Standard on Auditing (ISA), Overall objectives of the independent auditor
and the conduct of an audit in accordance with International Standards on Auditing
(ISA 200) paragraphs A33 to A46.
3. The section dealing with planning and conducting risk assessment procedures
in Chapter 6 of Auditing Notes by Jackson and Stent.
4. The section dealing with the components of audit risk in Chapter 7 of Auditing
Notes by Jackson and Stent.
5. The section dealing with significant risks in Chapter 7 of Auditing Notes by Jackson
and Stent.

Note the following in the above study sources:

• The auditor’s objective in identifying and assessing the risks of material misstatement
(ISA 315, paragraph .03).
• The definitions of “business risk”, “risk assessment procedures” and “significant
risk” (ISA 315, paragraph .04).
• Risk assessment procedures include inquiries of management, analytical procedures
and observation and inspection (ISA 315, paragraph 06).
• The auditor should identify and assess risks of material misstatement at the financial
statement level and at the assertion level (ISA 315, paragraphs 05, 25–26, A122 to
A139 and ISA 200, paragraphs A36 to A39).

32
• The meaning of the different components of audit risk, namely inherent risk, control
risk and detection risk (ISA 200, paragraphs A40 to A46).
• Significant risks require special audit consideration (ISA 315, paragraphs 27–29,
A140 to A147).
• Identified and assessed risks of material misstatement should be documented
(ISA 315, paragraph 32).
To assist you with the concepts studied in the above study sources, we have included a
few additional explanations under the following headings:
1. Definitions of risk.
2. Risk of material misstatement at the financial statement level.
3. Risk of material misstatement at the assertion level.
4. Significant risks.

1. Definitions of risk
It is important to understand the following terms when identifying or assessing risk. (The
definitions of these terms can be found in the SAICA Handbook Volume 2, Glossary of
Terms, and ISA 200, paragraph 13.)

1.1 Audit risk

This is the risk that the auditor can express an inappropriate audit opinion when the
financial statements are materially misstated. Audit risk is a function of the risks of material
misstatement (RMM) and detection risk (DR).

Audit risk = RMM x DR

(RMM = IR x CR)

AUE2601 (study unit 3.6) explained the relationship between the components of
audit risk as follows:
“As stated in ISA 200: A44, there is an inverse relationship between detection risk
and the combined level of inherent and control risk. When inherent and control risk
are high, for example, the acceptable level of detection risk must be low in order to
reduce the audit risk to an acceptably low level (additional audit procedures must
be conducted).
However, if the inherent and control risks are low, the auditor could accept a higher
detection risk and still reduce the audit risk to an acceptably low level. (Because the
client’s internal controls, accounting and internal control systems are so efficient that
they should prevent/identify and timeously correct any material errors/omissions, the
auditor can accept a higher detection risk.)”
Refer to Activities 15 and 16 in AUE2601 study unit 3.6 for examples.

33 AUE3701/1
• Inherent risk (IR): This is the susceptibility of an assertion about a class of transactions,
account balance or disclosure to a misstatement that could be material, either
individually or when aggregated with other misstatements, before consideration of
any related controls.

In other words: Inherent risk involves the risks related to the entity, excluding the
risks related to weaknesses in the entity’s internal controls. For example, transactions
that require complex calculations, the use of estimates, going concern issues, external
circumstances etc. Refer to Table 1 in Section 2 of this study unit for detailed examples.

• Control risk (CR): This is the risk that a misstatement that could occur in an assertion
about a class of transactions, account balance or disclosure that could be material, either
individually or when aggregated with other misstatements, will not be prevented, or
detected and corrected, on a timely basis by the entity’s internal controls.

In other words: Control risk involves the risks related to weaknesses in an entity’s
internal controls. Refer to Table 1 in Section 2 of this study unit for detailed examples.

• Detection risk (DR): This is the risk that the procedures performed by the auditor to
reduce audit risk to an acceptably low level will not detect a misstatement that could
be material, either individually or when aggregated with other misstatements.

In other words: Detection risk involves the risks related to detection of risks by the
auditor. Refer to Table 1 in Section 2 of this study unit for detailed examples.

Note: The only way for you to gain a better understanding of each risk component
is to work on and answer questions.

1.2 Risk of material misstatement

The risk of material misstatement has two components: inherent risk and control risk.

The risk of material misstatement may exist at two levels in the financial statements,
namely: the overall financial statement level and the assertion level. Refer to figure 2.

34
FIGURE 2: Risk of material misstatement

1.3 Significant risk

A significant risk is an identified and assessed risk of material misstatement which, in the
auditor’s judgement, requires special audit consideration (refer to ISA 315, paragraph 04.)

1.4 Business risk

A risk resulting from significant conditions, events, circumstances, actions or inactions
that could adversely affect an entity’s ability to achieve its objectives and execute its
strategies, or from the setting of inappropriate objectives and strategies (refer to ISA 315,
paragraph 04, A37–A42).

Students often ask me to explain the difference between business risk

and audit risk. Business risk is broader and relates mainly to management
and an entity’s goals and objectives, and includes the risks that may affect
the entity’s business operations. Audit risk relates to the auditor and the
entity’s financial statements and whether a specific condition, event,
circumstance, action or inaction might cause the financial statements of an
entity to be materially misstated.

Hint for the examination: It is very important to take note of the difference
between audit risk and risk of material misstatement. If we provide you with
a scenario and require you to describe audit risks, you should include inherent
risks, control risks and detection risks in your answer. But if we require you
to describe risks of material misstatement, you should describe inherent risks
and control risks only.

35 AUE3701/1
2. Risk of material misstatement at the overall financial statement
level

Read

ISA 315, paragraphs A122 to A125.

Risk at the overall financial statement level is the risk that affects the financial statements
as a whole.
Table 1 provides examples of conditions and events that may indicate the existence of
audit risk at the overall financial statement level. The examples provided cover a broad
range of conditions and events; however, not all the conditions and events are relevant
to every audit engagement and the list of examples is not necessarily complete. Refer to
ISA 315, Appendix 2 for a list of some of these examples.
TABLE 1: Conditions that may indicate audit risk

Component of
No Risk indicator Description of risk
audit risk

1 Operations in regions or The annual financial statements Inherent risk

countries with rigid/complex/ (AFS) may be materially misstated,
different regulations to South as the entity might not comply
Africa properly with the relevant laws and
regulations. Examples of such laws
and regulations include JSE Limited
regulations, Companies Act, etc.
2 • Liquidity issues The AFS may be materially misstated Inherent risk
• Operating losses as the going concern assumption
• Loss of significant might not be properly accounted for
customers or suppliers and/or disclosed.
• Constraints on availability
of capital and credit
• Changes to or loss of key
personnel
• Pending significant
litigation
• Operations in regions
or countries that are
economically unstable
• Operations exposed to
volatile markets
• Entities or business
segments likely to be sold

36
 Component of
No Risk indicator Description of risk
audit risk

3 Changes in the industry The AFS may be materially misstated Control risk if
regulations in which the due to error, as the entity might the entity is
entity operates unintentionally not comply with the aware of the
changes to the laws and regulations changes but the
in the industry within which it changes are not
operates. implemented
correctly
Inherent risk if
management
of the entity is
not aware of the
changes at all
4 Expanding into new The AFS may be materially misstated Control risk if
locations/decentralisation of due to error, as the internal controls the entity is
the entity. in the various locations might not be aware that the
operating effectively. internal controls
are not working
effectively
5 Lack of personnel with The AFS may be materially misstated Inherent risk
appropriate accounting and as errors might occur in the
financial reporting skills preparation of financial records due
to the complexity of the type of
transactions and a lack of personnel
with appropriate accounting and
financial reporting skills to record
these complex transactions.
6 New audit client Note: If the question requires you
to describe the risk of material
misstatement at the overall financial
statement level, this will not be
a risk, but if you are required to
describe audit risks, you may include
the following answers:
The AFS may be materially misstated Detection risk
as the opening balances might be
incorrect since there were different
auditors in the prior year.
The AFS may be materially misstated Detection risk
as material misstatements could
go undetected because we are not
familiar with the client.

37 AUE3701/1
 Component of
No Risk indicator Description of risk
audit risk

7 Management’s integrity The AFS may be materially misstated Control risk and
questionable: for example, as the control environment might inherent risk if
contravention of laws be compromised by management management
and regulations such who lack integrity; this could lead deliberately
as the Companies Act, to errors and misstatement due to override existing
environmental law, labour fraud in the AFS. controls
law etc. Inherent risk if
management
deliberately do
not implement
controls over
certain types of
transaction
8 Third-party reliance: for The AFS may be materially misstated Inherent risk
example, financials used to due to manipulation, as directors
obtain financing from the might engage in fraudulent
bank financial reporting, for example
overstatement of assets and revenue
and understatement of liabilities and
expenses to ensure that financing
will be obtained.
9 Use of work of a third party Note: If the question requires you Detection risk
to describe the risk of material
misstatement at the overall financial
statement level, this will not be
a risk, but if you are required to
describe audit risks, you may include
the following answer:
The AFS may be materially misstated
due to error, as the third party might
not be objective, competent and
appropriately qualified to perform
the work required to collect audit
evidence.
10 Management receive The AFS may be materially misstated Inherent risk
bonuses driven by profits due to manipulation, as directors
might engage in fraudulent
financial reporting, for example
overstatement of revenue and
understatement of expenses, to
maximise bonuses.

38
 Component of
No Risk indicator Description of risk
audit risk

11 Tight audit deadline The AFS may be materially misstated Inherent risk
due to error, as the financial results
prepared by the client might be
incomplete due to time pressure.
Note: If the question requires you
to describe the risk of material
misstatement at the overall financial
statement level, you should only
include the inherent risk mentioned
above, but if you are required to
describe audit risks, you may include
the following answer:
There is a risk that the auditor Detection risk
might not have sufficient time to
obtain the audit evidence, resulting
in material misstatement going
undetected.
12 The entity being sued The AFS may be materially misstated Inherent risk
as the entity might be liable for
legal damages resulting in negative
publicity for the entity. This
might lead to the going concern
assumption not being properly
accounted for and/or disclosed.
13 Listed on the JSE Limited The AFS might be materially Inherent risk
misstated as the company might not
comply with JSE regulations.
14 Changes in the IT The AFS may be materially misstated Control risk/
environment, for example due to error, as the financial data Inherent risk
changes to the accounting might not be properly transferred
software and tested from the old accounting
system to the new accounting
system.

39 AUE3701/1
 Component of
No Risk indicator Description of risk
audit risk

15 History of errors or significant The AFS may be materially misstated Control risk if the
adjustment at year-end as the risk exists that the AFS might errors are due to
contain errors due to the entity’s a poor control
history of errors, or the AFS might environment
contain errors due to incorrect
adjustments at year-end.
Inherent risk
Note: If the question requires if the errors
you to describe risk of material are due to
misstatement at the overall financial transactions of a
statement level, you should only complex nature
include the inherent risk mentioned
above, but if you are required to
describe audit risks, you may include Detection risk
the following answer:
The AFS may be materially misstated
due to errors that might occur in the
opening balances, which might go
undetected.
16 Managers are the owners of The AFS may be materially Control risk if
the entity misstated due to manipulation, management
as management might engage override existing
in fraudulent financial reporting internal controls
by inflating the performance Inherent risk
and position (e.g. overstatement due to the
of revenue) of the entity or by susceptibility of
reflecting a poor performance and misstatement of
position (e.g. overstatement of profits
expenses) of the entity to save on
taxation to be paid over to the South
African Revenue Services.
17 The entity is required to The AFS may be materially misstated Inherent risk
produce group financial as errors might occur during
statements/different consolidation, as it involves an
accounting policies in a intricate process possibly resulting in
group/different accounting material misstatement, for example
systems/different reporting non-elimination of intergroup
dates balances etc.

3. Risk of material misstatement at the assertion level

Read
ISA 315, paragraphs A126 to A131.

40
In the previous section we dealt with the risk of material misstatement at the overall financial
statement level. Now we focus on the risks that affect specific classes of transactions,
account balances and disclosures in the financial statements. This is referred to as the
risk of material misstatement at the assertion level.

Risk at the assertion level is very broad and therefore it is very difficult to provide clear-
cut examples of conditions and events that may indicate the existence of audit risk at
the assertion level. However, to identify such conditions and events, you should take the
following into account (refer to ISA 315, Appendix 2 for the list of these conditions and
events):

• The susceptibility of accounts to misstatement; for example, when an entity wants

to obtain financing from the bank or when inventory is imported

Note: The two situations above can be described as risks of material misstatement at
the overall financial statement level or at the assertion level. You can refer to
the differences between the descriptions of these examples in the illustrative
example that is discussed under Activity 1 later in this study unit.

• The complexity of the underlying transactions; for example sale and leaseback,
contract accounting, invoicing in foreign currency by foreign suppliers
• The degree of judgment involved in determining account balances; for example the
use of estimates when determining a balance in the financial statements
• The susceptibility of assets to loss or misappropriation; for example assets that
are highly desirable and moveable, such as cash (for example the completeness of
cash from cash sales)
• The conclusion of unusual and complex transactions; for example a once-off forward
exchange contract for goods sold to foreign customers or factoring of trade receivables
• Transactions not subjected to routine processing; for example a once-off forward
exchange contract for goods sold to foreign customers

Activity 1

Your firm was recently appointed as the auditor of Connect (Pty) Limited (Connect), a
company established by two business partners. Connect’s main business involves the
import, marketing and sale of a range of cell phones to the public.
The previous auditor resigned unexpectedly owing to personal health problems, but
he is available to answer any questions you might have relating to the prior year’s audit.
You gained the following knowledge during the planning phase of the audit after
several meetings were held with management:
• During the year Connect entered into a forward exchange contract (FEC) for cell
phones purchased from one of its once-off foreign suppliers to hedge itself against
foreign currency fluctuations.
• The Chief Financial Officer (CFO) of Connect indicated that the company would
present the audited financial statements to the bank. Owing to the global recession,
the company is currently experiencing liquidity problems and the bank will only

41 AUE3701/1
 authorise a long-term loan based on the audited financial statements for the year
ended 31 December 2013.
• The CFO requires your advice regarding the internal control system of the company.
His main concern leading to this request is that certain personnel in the finance de-
partment were involved in fraudulent activities that seem to have been continuing
for the past seven months. As soon as this was uncovered, the suspected personnel
were immediately dismissed and replaced by new personnel.
REQUIRED
(a) Identify the risk indicators and describe the risks of material misstatement at
the overall financial statement level, with respect to the financial statements of
Connect. For each risk described, you need to indicate the applicable component
of audit risk. Present your answer in tabular format.
(b) Identify the risk indicators and describe the risks of material misstatement at
the assertion level with respect to the financial statements of Connect. For each
risk described, you need to indicate the applicable assertion. Present your answer
in tabular format.

9 Feedback on Activity 1

SOLUTION TO PART A

Notes when answering Part A of this question

This question requires you to describe the risks of material misstatement at the
overall financial statement level. What does this imply?
• To refresh your memory, refer again to the term “risk of material misstatement”.
• Remember, the term “risk of material misstatement” refers only to the two
components, inherent risk and control risk. Therefore, only describe inherent
risks and control risks and exclude risks dealing with detection risk from your
answer. Detection risk only affects the auditor.
• Overall financial statement level implies that you should describe the risks
and the effect they have on the financial statements as a whole. Therefore, do
not describe risks that involve specific line items and assertions in the financial
statements, as this will be describing risks of material misstatement at the assertion
level.
How should you approach a question dealing with risks of material misstatement at
the overall financial statement level? You should apply the following steps:
Step 1: Identify the risk indicators while you read through the given scenario.
Step 2: Identify the applicable audit risk component, i.e. inherent risk or control risk.
Step 3: Describe the risk of material misstatement at the overall financial statement
level.

42
 Remember that if you described the risk indicator, you did not necessarily describe
the risk. No marks will be awarded for describing the risk indicator. You need to
link the risk indicator to the risk of material misstatement in the financial
statements in the given scenario. Therefore, always attempt to describe the risk
by starting off with one of the following sentences:
“The AFS may be materially misstated due to errors because …”
“The AFS may be materially misstated due to fraud because …”
“The AFS may be materially misstated due to manipulation because …”
“The AFS may be materially misstated due to a poor control environment because
…”
“The AFS may be materially misstated due to accounting on an inappropriate
accounting basis because …”
Then follow this up by explaining why the financial statements will contain material
misstatements. Table 1 in paragraph 2 above illustrates this clearly.
In this question, for each risk you are required to indicate the applicable risk com-
ponent. Remember, as discussed, this can only include inherent risk and control risk.
This question requires you to present your answer in tabular format. This means
that you could score an additional mark if you present your answer in the required
format.
Examination technique: Before formulating your answer, while you read through
the information line by line, highlight or jot down the risk indicators in the margin
next to the applicable sentence to make sure that you do not leave anything out.
Hint for the examination: Remember, if you work through a risk question and you
identify a lot of risk indicators that affect the same type of risk, the marks might
be limited for the same type of risk. For example, if a question contains five risk
indicators relating to possible going concern problems, the chances are that the
marks might be limited to only three of the going concern problem risk indicators.
Therefore, in order to obtain all of the necessary marks in a question, make sure that
you describe all the different types of risk that you can identify from the question.
If you then feel that you still need marks, only then describe more risk indicators
for the same type of risk.

Suggested solution to Part A

Before evaluating your solution, quickly write down the:
• Risk indicators
• Applicable audit risk components

STEP 1 STEP 2
Risk indicator Audit risk component

Type of product (competitiveness) Inherent risk

Wants to obtain financing Inherent risk
Liquidity problems Inherent risk
Fraudulent activities Control risk
New personnel Inherent risk/Control risk
Dismissal and replacement of personnel Inherent risk/Control risk
Import of goods (foreign currency Inherent risk
fluctuations)

43 AUE3701/1
STEP 3
This step entails “expanding” the risk indicator and describing it as a risk. Begin your sentence
as follows:
“The AFS may be materially misstated due to … because …”
Refer to the annual financial statements because the question requires you to identify the
risks of material misstatement at the overall financial statement level.

Description of the risk of material misstatement at the Audit risk

overall financial statement level component
(1½ marks each) (½ mark each)

(1) The AFS may be materially misstated due to accounting Inherent risk
on an inappropriate accounting basis, as cell phones are
very competitive in the market and if Connect does not
have a competitive selling price cell phones will not sell.
This could lead to possible going concern problems which
might not be properly accounted for or disclosed.
(2) The AFS may be materially misstated due to manipulation, as Inherent risk
the directors might engage in fraudulent financial reporting
by overstating assets and revenue and understating
liabilities and expenses to ensure that financing will be
obtained from the bank.
(3) The AFS may be materially misstated due to accounting on Inherent risk
an inappropriate accounting basis, as the going concern
assumption might not be properly accounted for and/
or disclosed as indicated by the liquidity problems that
Connect currently experiences.
(4) The AFS may be materially misstated due to fraud because Control risk
of the poor control environment that exists, as indicated
by the fraudulent activities that took place at Connect in
the financial department.
(5) The AFS may be materially misstated due to error, as there Control risk/
might be errors in the preparation of the financial records Inherent risk
due to a lack of knowledge and experience of the new
personnel who were recently appointed by Connect.
(6) The AFS may be materially misstated as Connect might be Inherent risk
liable for payment of compensation damages regarding the
dismissal of personnel. This could lead to misstatements in Control risk
the AFS due to accounting on an inappropriate accounting
basis, as the going concern assumption might not be
properly accounted for and/or disclosed.
The AFS may be materially misstated due to a poor control
environment because the internal controls may not be
executed effectively, due to the replacement of personnel
who might be unfamiliar with controls.
(7) The AFS may be materially misstated due to error, as Inherent risk
Connect imports cell phones and the accounting treatment
for importing and hedging is complex.

44
 SOLUTION TO PART B

Notes when answering Part B of this question

Part B of the question requires you to describe the risk of material misstatement
at the assertion level. What does this imply?
• At the assertion level it implies that you should describe the risks that affect
specific classes of transactions, account balances and disclosures in the financial
statements.
How should you approach a question dealing with risk of material misstatement at
the assertion level? You should apply the following steps:
Step 1: Identify the risk indicators by taking the conditions or events applicable to
the given scenario into account.
Step 2: Identify the significant account balances and/or classes of transactions in
the given scenario.
Step 3: For each account balance and/or class of transaction identified above, identify
the applicable assertions.
Step 4: Describe the risk of material misstatement at the assertion level.
Remember that if you described the risk indicator, you did not necessarily describe
the risk. No marks will be awarded for describing the risk indicator. You need to link
the risk indicator to the risk of material misstatement at the assertion level for
the identified account balance and/or class of transaction. Therefore, always try
to describe the risk by starting off with:
“There is a risk that revenue (for example) might be …”
Then follow this up by explaining what the risk might be. The solution to this
question illustrates this clearly.
For this question, for each risk, you are required to indicate the applicable assertion.
This question requires you to present your answer in tabular format. This means
that you could score an additional mark if you present your answer correctly.

Examination technique: Before formulating your answer, while

you read through the information line by line, highlight or jot down
the risk indicators in the margin next to the applicable sentence to
make sure that you do not leave anything out.

Solution to Part B
Before referring to the solution, quickly write down the:
• Conditions or events affecting the risk at the assertion level
• Risk indicators
• Significant account balances and/or classes of transactions
• Applicable assertions

45 AUE3701/1
 STEP 1 STEP 1 STEP 2 STEP 3

Conditions Significant
or events account
Assertions
affecting the Risk indicator balances and/
applicable
risk at the or classes of
assertion level transactions

The Import of (1) Purchases (1) Accuracy/cut-off

susceptibility goods and FEC (2) Accuracy,
of accounts to gains and valuation and
misstatement losses allocation/
(2) Trade completeness/
payables existence
(3) Inventory (3) Accuracy,
valuation and
allocation/
completeness/
existence/rights

The Type of (1) Inventory (1) Accuracy,

susceptibility product valuation and
of accounts to (short life allocation/
misstatement expectancy or existence
and/or degree susceptibility
of judgment to theft)

Undertake Once-off FEC (1) FEC gains/ (1) Accuracy

unusual and for goods losses (2) Accuracy,
complex purchased (2) Trade valuation and
transactions from a foreign payables allocation
and/or customer
complexity of
the underlying
transaction
making up
the account
balance and/or
transaction
not subject
to routine
processing

46
 STEP 1 STEP 1 STEP 2 STEP 3

Conditions Significant
or events account
Assertions
affecting the Risk indicator balances and/
applicable
risk at the or classes of
assertion level transactions

The Wishes to (1) Liabilities (1) Completeness/

susceptibility obtain finance (2) Assets accuracy,
of accounts to from the bank (3) Expenses valuation and
misstatement (4) Revenue allocation
(2) Existence/
accuracy,
valuation and
allocation
(3) Completeness
(4) Occurrence

To refresh your memory on assertions, refer to ISA 315 paragraph

A129 or to your second-year auditing knowledge (AUE2601 study
unit 3.3).

Description of the risk of material misstatement at

Assertion
the assertion level
(½ mark each)
(1½ marks each)

(1) There is a risk that purchases, inventory and trade Accuracy, valuation
payables might not be translated at the correct and allocation:
exchange rates at the transaction date or at year-end. inventory and
trade payables
Accuracy:
purchases and FEC
gains and losses

(2) There is a risk that inventory in transit at year-end may Completeness:

be incorrectly excluded where the right of ownership inventory and
has transferred to Connect (understatement). This trade payables
will also increase the risk of understatement of trade Completeness/
payables and purchases as certain suppliers’ balances cutoff: purchases
might be excluded.

(3) There is a risk that inventory in transit at year-end for Existence/rights:

which the right of ownership has not transferred to inventory
Connect may be included. This will also increase the Existence: trade
risk that the trade payables and purchases include payables
transactions that do not exist. Occurrence/cut off:
purchases

47 AUE3701/1
 Description of the risk of material misstatement at
Assertion
the assertion level
(½ mark each)
(1½ marks each)

(4) There is a risk that FEC gains or losses might not Accuracy, valuation
be accurately accounted for, which will result in and allocation:
misstatement of FEC gains and losses and trade trade payables
creditors. Accuracy: FEC gains
and losses

(5) There is a risk that cell phones can easily become Accuracy, valuation
obsolete due to short life expectancy in this fast- and allocation:
growing technological advancement, and therefore inventory
inventory might be incorrect in the AFS.
There is a risk that cell phones are susceptible to theft, Existence:
which increases the risk of misstatement of the inven- inventory
tory value if such items do not exist and are not identi-
fied and written off in the AFS.

(6) There is a risk that revenue and assets, for example Completeness/
inventory, might be overstated and expenses and accuracy, valuation
liabilities, for example trade creditors, might be and allocation:
understated because Connect wants to obtain finance liabilities
from the bank. Existence/accuracy,
valuation and
allocation: assets
Occurrence:
revenue
Completeness:
expenses

4. Significant risks
ISA 315 paragraph 27 requires the auditor to determine whether any of the risks identified
are in his/her judgment, a significant risk.
Significant risk is explained in Table 2:
TABLE 2: Significant risk

What is a significant ISA 315 paragraph 04(e)

risk? “An identified and assessed risk of material misstatement
that, in the auditor’s judgment, requires special audit
consideration.”

48
What should the ISA 315 paragraph 28
auditor consider when • Is the risk a risk of fraud?
deciding if a risk is • Is the risk related to recent significant economic, accounting
significant? or other developments and does it, therefore, require specific
attention?
• Is (are) the transaction(s) complex?
• Does the risk involve significant transactions with related
parties?
• What is the degree of subjectivity in the measurement of
financial information related to the risk?
• Does the risk involve significant transactions that are outside the
normal course of business for the entity or that appear unusual?

Why do significant ISA 315 paragraph A140

risks often relate • Non-routine transactions …
to significant non-
– are unusual (due to size or nature) and
routine transactions or
– occur infrequently
judgmental matters?
• Judgmental matters …
– may have significant measurement uncertainty (e.g.
development of accounting estimates)

Risks of material mis- ISA 315 paragraph A141 to A142

statement may be • Significant non-routine transactions arising from the following:
greater for …
– Greater management intervention to specify the accounting
treatment
– Greater manual intervention for data-collection and
processing
– Complex calculations or accounting principles
– The nature of the non-routine transaction
• Significant judgmental matters that require the development
of accounting estimates that arise from the following:
– Accounting principles for accounting estimates or revenue
recognition may be subject to differing interpretation
– Required judgment may be subjective or complex, or
require assumptions about the effects of future events,
e.g. judgment about fair value

49 AUE3701/1
How should the audi- ISA 330 paragraph 15
tor respond to a signifi- If the auditor wants to place reliance on a control(s) over a risk
cant risk? that has been identified as a significant risk, the auditor shall
test the control(s) in the current period.
ISA 330 paragraph 21
If the auditor determines that an assessed risk of material mis-
statement at the assertion level is a significant risk, he or she
has to perform substantive procedures that are responsive to
that risk.
If the approach is only to perform substantive procedures for
that significant risk, it should include tests of details.
Note: ISA 330 is explained in study unit 4.1.

What happens when ISA 240 paragraph 27

the significant risk The auditor shall obtain an understanding of the entity’s related
relates to a risk of controls, including control activities, relevant to such risks.
material misstatement
due to fraud? It is important for the auditor to obtain an understanding of
the controls that management has designed, implemented and
maintained to prevent and detect fraud (paragraph A32).
Note: ISA 240 is explained in study unit 3.4.

What if management ISA 315 paragraph A147

has not appropriately This is an indicator of a significant deficiency in internal
responded to control.
significant risks of
material misstatement Note: A significant deficiency in internal control and the audi-
by implementing tor’s response thereto is explained in ISA 265 (refer to study unit
controls over 3.10).
significant risks?

Activity 2

Refer to the scenario provided in Activity 1.

(a) Identify the risk indicators and describe the significant risks at the overall financial
statement level, with respect to the financial statements of Connect. For each risk
described, indicate the applicable component of audit risk. Present your answer
in tabular format.
(b) Identify the risk indicators and describe the significant risks related to fraud at
the overall financial statement level, with respect to the financial statements of
Connect. For each risk described, indicate the applicable component of audit risk.
Present your answer in tabular format.

50
10 Feedback on Activity 2

Solution to Part a: The solution remains exactly the same as in Activity 1. Remember,
significant risks are risks of material misstatement and all risks of material misstatement
require further consideration.
Solution to Part b: Your answer only had to include significant risks related to fraud, as
follows:

Description of the significant risks related to fraud at the Audit risk

overall financial statement level component
(1½ marks each) (½ mark each)

(1) The AFS may be materially misstated due to manipulation, as

the directors might engage in fraudulent financial reporting
by overstatement of assets and revenue and understatement Inherent risk
of liabilities and expenses to ensure that financing will be
obtained from the bank.

(2) The AFS may be materially misstated due to fraud, because

of the poor control environment that exists as indicated by
Control risk
the fraudulent activities that took place at Connect in the
financial department.

Additional comments: The auditor has additional responsibilities in terms of

ISA 240 in respect of the fraud that is identified above. These responsibilities are
discussed in study unit 3.4.

Summary
As part of planning an audit of financial statements, the auditor has to identify
and assess audit risks and risks of material misstatement at the overall financial
statement level as well as at the assertion level. This study unit explained
the auditing principles related to the identification and assessment of risk.

5 Self-assessment
After working through the study unit and the references to the prescribed study material,
determine if you can do the following:

(1) Identify risk indicators from a scenario and for each identified risk indicator describe
the audit risks or risks of material misstatement at the …
 financial statement level and
 assertion level.

51 AUE3701/1
STUDY UNIT 3.4
THE AUDITOR’S RESPONSIBILITIES WITH RESPECT
TO FRAUD

LEARNING OUTCOMES:

In this study unit we focus on the following learning outcomes:

• Evaluate the risk of material misstatement of the financial statements

due to fraud.
• Respond appropriately to fraud or suspected fraud identified during
the audit.
• Formulate audit procedures to obtain appropriate evidence in response
to the assessed fraud risk.

INTRODUCTION
The aim of this study unit is to explain the auditing principles related to …
• the identification and assessment of fraud risk factors
• the formulation of audit procedures to gather evidence in response to the risk of
material misstatement due to fraud
• the appropriate response by the auditor when fraud is identified
In the previous study unit you learned about audit risk. In some instances the risk factors
identified by the auditor point to the possibility of fraud. In such instances, the auditor has
to perform additional procedures to determine whether or not the financial statements
are materially misstated due to fraud.

Do you remember the phases in the planning stage? This study unit covers one aspect
of Stage 2 of the planning phase. See Figure 1 to refresh your memory.

52
FIGURE 1: The phases in the planning stage of an audit

Study

1. The relevant section dealing with the auditor’s responsibilities relating

to fraud in an audit of financial statements in Chapter 7 of Auditing
Notes by Jackson and Stent.
2. International Standard on Auditing (ISA). The auditor’s responsibilities
relating to fraud in an audit of financial statements (ISA 240).

FRAUD AND ERROR

The main difference between fraud and error is that fraud is intentional whereas error
is unintentional.

Now think about the examples below that may affect a company’s financial statements
materially, and point out the differences in intention that you can see:

1. A journal entry is processed to record the impairment of a major asset class, but the
debits and credits are switched around by accident.

53 AUE3701/1
2. The executive directors of a company decide to overstate profits to secure higher
performance bonuses by increasing the useful life of a major assets class to an
unrealistic level for depreciation purposes.

Feedback:

1. The first example is an unintentional error. When the auditor discovers the error,
management will be willing to correct the error to ensure that the financial statements
are accurate.
2. The second example is intentional. When the auditor discovers this error, management
may conceal their intent.

Reflect

Read paragraphs 10 and 11 of ISA 240 again and reflect on the points below:
• The auditor’s objective in identifying and assessing the risks of material
misstatement due to fraud (ISA 240, paragraph .10)
• The definitions of “fraud” and “fraud risk factors” (ISA 240, paragraph .11)

Reflect

The auditor has to be aware of the ways in which fraud can be committed
and concealed. Read the sections on “fraudulent financial reporting” and
“misappropriation of assets” (in Jackson & Stent chapter 7).

Reflect

At this point in this learning unit, now that you have encountered the
objectives of the auditor and the definitions of fraud and fraud risk factors,
you can proceed to the responsibilities of the auditor in respect of fraud.

Read
(Jackson & Stent chapter 7)
• The responsibilities of the auditor
• The responsibilities of the auditor; discussions among the audit team
• The responsibilities of the auditor; conduct risk assessment procedures and
related activities

54
 • The responsibilities of the auditor; identify and assess risk at the financial
statement and assertion levels
• The responsibilities of the auditor; determine an overall response to the risk
of material misstatement due to fraud
• Identified and assessed risks of material misstatement due to fraud should
be communicated with management, those charged with governance
and others (ISA 240, paragraphs 40–43).

Activity 1

Your firm has recently been appointed as the auditor of Pebbles Ltd, a large company
which markets sophisticated electronic equipment. The previous auditor lost the audit
as a direct result of a conflict with Ms Merry, the chief executive officer (CEO) of Pebbles
Ltd, over the company’s adoption of various questionable accounting policies. The
conflict became very heated, due mainly to Ms Merry’s aggressive nature, and led to
a qualified audit report.
Whilst familiarising yourself with the company and its environment you discover that
Ms Merry has surrounded herself with an aggressive team of loyal managers. You
consider that their loyalty is partially due to the fact that management are not paid a
salary but are given a monthly retainer, superior fringe benefits and a percentage of
reported profits.

REQUIRED
Describe the risk of material misstatement in the annual financial statements of Pebbles
Ltd as a result of fraudulent financial reporting.

11 Feedback on Activity 1

The management of Pebbles Ltd are remunerated on the basis of reported profits and
therefore have an incentive to misstate/manipulate reported information to ensure that
they maximise their personal earnings.

PLEASE NOTE: All the information necessary to answer such questions is found in
the question itself, even if you have to think “out of the box”.

Activity 2

Refer to the scenario and feedback provided in Activity 2 of study unit 3.3. In the activ-
ity, some of the risks that were identified could lead to fraud. In this activity, we will
concentrate only on the risks leading to the possibility of fraud.

55 AUE3701/1
 REQUIRED
(a) This part of the question was dealt with in the study unit relating to audit risk. The
answer remains unchanged.
(b) Describe the audit responses to the fraud risks identified in study unit 3.3. For
each response described, formulate detailed audit procedures in response to
the assessed risks of material misstatement due to fraud. Present your answer
in tabular format.

12 Feedback on Activity 2

Solution to Part b: Part b required that your answer should only include significant risks
related to fraud. Your answer should therefore only include the following (Table 1):

TABLE 1: Significant risks related to fraud

Detailed audit procedures

Significant risks
Audit responses to responsive to assessed
related to fraud at
the fraud risk risks of material
the overall financial
(1½ mark each) misstatement due to fraud
statement level
(1½ mark each)

The AFS may be • Overstatement of • Overstatement of

materially misstated revenue: revenue:
due to manipulation, overall response to – In addition to the nor-
as the directors might the fraud risk: mal inspection of invoic-
engage in fraudulent es and delivery notes for
– Increase sensitiv-
financial reporting by selected items, perform
ity in the selection
overstating revenue. substantive analytical
of the nature and
extent of docu- procedures to compare
mentation to be sales month by month,
examined for ma- per product line or busi-
terial transactions ness segment with com-
(ISA 240: A33) parable months in prior
periods. With the use of
CAATS, these compari-
sons can be done

56
 Detailed audit procedures
Significant risks
Audit responses to responsive to assessed
related to fraud at
the fraud risk risks of material
the overall financial
(1½ mark each) misstatement due to fraud
statement level
(1½ mark each)

in great detail and used

to identify unusual
circumstances for
further investigation
(ISA 240: Appendix 2).

Assign and supervise • Assign staff:

personnel: – with lots of experience
on revenue auditing
• Assign additional
– IT staff that have a
personnel with
proven success record
specialised skills
in using CAATS, or IT
and knowledge
specialists
• Appoint supervi-
– forensic experts
sors (audit man-
agers) with the • Based on the auditor’s as-
knowledge and sessment of the risk of ma-
skills to plan and terial misstatement due to
review the audit of fraud, allocate audit man-
revenue (ISA 240: agers with several years of
29(a)). experience in the client’s
• Evaluate account- type of business to super-
ing policies and vise the audit (ISA 240:
complex trans- A34–A35).
actions (ISA 240: • Evaluate accounting poli-
29(b)). cies and the treatment
• Incorporate an el- of complex transac-
ement of unpre- tions in terms of the IFRS
dictability in the framework.
audit procedures • Perform substantive proce-
(ISA 240: 29(c)). dures on accounts that are
not material, e.g. the sales
amount for scrap metal,
which in a manufacturing
company may not be mate-
rial if compared to the total
sales amount for the com-
pany. If the auditor suspects
that fraud may be commit-
ted with sales of scrap, it
should be tested; it may not
have been suspected by the
client (or staff member who
may have been committing
fraud). A surprise audit is an
effective method of discov-
ering fraud and is

57 AUE3701/1
 Detailed audit procedures
Significant risks
Audit responses to responsive to assessed
related to fraud at
the fraud risk risks of material
the overall financial
(1½ mark each) misstatement due to fraud
statement level
(1½ mark each)

unpredictable if per-
formed correctly. In-
corporate unpredicta-
bility into samples of
transactions selected
to perform substantive
procedures upon, as
well as to the locations
selected for audit

Activity 3

Refer to Activity 2. After performing the substantive analytical procedures to compare

sales month on month, per product line or business segment and with comparable
months in prior periods, you have found that revenue is materially overstated on a
product line that was discontinued years ago. The sales were recorded by means of a
journal, debiting the debtors’ account of a Close Corporation (CC) and crediting sales.
The journal was initiated by the store manager and approved by the sales manager.
The approval procedures for journals are that the initiator signs and approval for any
adjustment to sales must be by the Chief Financial Officer. After further investigation,
you could not find a deposit on the bank statement which allegedly cleared the debt-
ors’ account of the CC raised in the journal.
You contacted the CC and enquired about the payment. The accountant of the CC
provided you with a bank account number at CNA Bank into which they deposited
the funds owed. After handing this information to the forensic specialist, she obtained
a subpoena to request the information from CNA bank and established that all the
executive directors were receiving payouts from the said account.
REQUIRED
(a) Does the approval of the journal in itself confirm that fraud has been committed?
(b) If you combine the facts in a) above with the finding that the sales were raised on
a discontinued product, what is your view on fraud then?
(c) Taking all of the facts represented in the scenario into account, what is the road
forward for the auditor?

13 Feedback on Activity 3

(a) No. It may, however, cause the auditor to increase his or her professional scepticism
that management has overridden controls (ISA 240, A7–A9).

58
 (b) The incorrect approval procedures (management override) combined with the raising
of sales for a fictitious product (misstatement of financial statements due to fraud)
definitely raise professional scepticism to the maximum. The auditor has to gather
additional evidence, and any invoices or delivery notes accompanying the journal
will have to be confirmed with third parties or handed to an expert (ISA 240: A9). This
matter also becomes a significant risk (see study unit 3.3). My view on fraud is that
I definitely suspect it, but I still cannot make allegations before it is proved.
(c) After the forensic specialist has gathered the information to prove that fraud has been
committed by those charged with governance:
(i) The auditor has to obtain legal advice about communicating the fraud to those
charged with governance, because they are involved (ISA 240: A63).
(ii) The auditor should be cautious when relying on any representations made by
management or those charged with governance (ISA 240: A64).
(iii) The auditor has to treat the matter as a Reportable Irregularity and report it to
the Independent Regulatory Board for Auditors (ISA 240: A65).
(iv) The auditor has to include all evidence and documentation of decisions in the
audit documentation (ISA 240: 44–47).
(v) The auditor must decide if he or she can continue with the engagement (ISA 240:
38).

Summary

As part of planning an audit of financial statements, the auditor has to

identify and assess risks at the overall financial statement level as well as at
the assertion level. Should this assessment reveal possible fraud risks, those
fraud risks need additional treatment. This study unit explained the auditor’s
responsibilities with respect to fraud.

6 Self-assessment

After having worked through the study unit and the references to the prescribed study
material, determine if you can do the following:

(1) Evaluate the risk of material misstatement of the financial statements due to fraud.
(2) Respond appropriately to fraud or suspected fraud identified during the audit.
(3) Formulate audit procedures to obtain appropriate evidence in response to the
assessed fraud risk.

59 AUE3701/1
STUDY UNIT 3.5

CONSIDERATION OF LAWS AND REGULATIONS IN

AN AUDIT OF FINANCIAL STATEMENTS

LEARNING OUTCOMES:

In this study unit we focus on the following learning outcome:

• Describe the responsibility of the auditor towards an entity’s compliance

with laws and regulations in an audit of financial statements.

INTRODUCTION
The aim of this study unit is to explain the auditor’s responsibility to consider laws and
regulations in an audit of financial statements. The auditor considers the non-compliance
with laws and regulations by the entity during the risk assessment of the entity (this is
part of the second phase in the planning stage of an audit: see Figure 1). The auditor is
not responsible for the entity’s compliance; but the possibility that non-compliance with
laws and regulations can lead directly to material misstatement of financial statements
necessitates the auditor’s consideration of such compliance. Secondly, such non-compliance
may be fundamental to the operating aspects of the business and therefore indirectly
cause the material misstatement of financial statements.

60
Figure 1 shows that this topic relates to block number 2 of the planning stage of an audit.

FIGURE 1: The phases in the planning stage of an audit

Study

International Standard on Auditing (ISA), The consideration of laws and

regulations in an audit of financial statements (ISA 250: paragraph 2) and
the relevant section dealing with important considerations of laws and
regulations in Chapter 7 of Auditing Notes by Jackson and Stent.

Note the effect of laws and regulations on financial statements explained in this paragraph.

61 AUE3701/1
 Study

International Standard on Auditing (ISA), The consideration of laws and

regulations in an audit of financial statements (ISA 250: paragraph 11) for a
definition of non-compliance.

Activity 1

What is meant by non-compliance for the purposes of ISA 250?

14 Feedback on Activity 1

Non-compliance is an act of omission or commission by an entity, either intentional or

unintentional, which is contrary to the prevailing laws or regulations. Such acts include
transactions entered into by, or in the name of, the entity, or on its behalf, by those charged
with governance, management or employees. Non-compliance does not include personal
misconduct by those charged with governance, management or employees of the entity;
for example, the chief executive officer (CEO) has been charged for not paying fines imposed
on him personally.

Study

International Standard on Auditing (ISA), The consideration of laws and

regulations in an audit of financial statements (ISA 250: paragraph 6).

This paragraph describes the effect on financial statements as well as the effect on the
operations of the business.

Activity 2

Describe two possible consequences of non-compliance with laws and regulations

that could be fundamental to the operating aspects of the business, and as a result
may have a material effect on the financial statements.

62
15 Feedback on Activity 2

(1) An entity may not be able to continue its business; for example, enforcement by a
regulating authority to discontinue the operations of the entity (see comment below).
(2) An entity may incur material penalties (for example, non-compliance with the terms
of an operating license, non-compliance with regulatory solvency requirements, or
non-compliance with environmental regulations).
Comment: these two instances threaten the going concern assumption, and if
the financial statements are not prepared on an appropriate basis, the financial
statements may be materially misstated.

Study

International Standard on Auditing (ISA), The consideration of laws and

regulations in an audit of financial statements (ISA 250: paragraphs 4–8) and
the relevant section dealing with the auditor’s duties and responsibilities
regarding laws and regulations in Chapter 7 of Auditing Notes by Jackson
and Stent.

In these paragraphs the responsibility of the auditor regarding non-compliance with laws
and regulations is explained.

You should have noted from the above-mentioned paragraphs that the auditor’s
responsibility remains unchanged and he or she is still required to obtain reasonable
assurance that the financial statements, taken as a whole, are free from material
misstatement. If you did not note this, study the relevant paragraph in ISA 250 until you
find it.

Study

International Standard on Auditing (ISA), The consideration of laws and

regulations in an audit of financial statements (ISA 250: paragraph 10).

In this paragraph the objectives of the auditor are described. The first requirement
that the auditor must satisfy to achieve the objectives in paragraph 10 is to consider
compliance with laws and regulations. This is further detailed in paragraphs 12–17. Study
these paragraphs before attempting Activity 3.

63 AUE3701/1
 Activity 3

Certain laws and regulations are well-established, known to the entity and within the
entity’s industry or sector, and relevant to the entity’s financial statements. Examples
of such laws and regulations are the Income Tax Act (applicable to all entities) and laws
pertaining to pension funds (for all companies operating a pension fund on behalf of
their employees).
REQUIRED
List four examples of the direct effects of the non-compliance to laws and regulations
– such as the two pieces of legislation mentioned in the examples above – can have
on an entity’s financial statements.

16 Feedback on Activity 3

(1) The form and content of financial statements do not comply with an acceptable
reporting framework.
(2) Industry-specific financial reporting issues are not correctly disclosed in the financial
statements.
(3) Accounting for transactions under government contracts are not correctly disclosed
in the financial statements.
(4) The accrual or recognition of expenses for income tax or pension costs are not correctly
calculated and not properly disclosed in the financial statements.

Study

International Standard on Auditing (ISA), The consideration of laws and

regulations in an audit of financial statements (ISA 250: paragraphs 18–21)
and the relevant section dealing with the audit procedures regarding the
non-compliance with laws and regulations in Chapter 7 of Auditing Notes
by Jackson and Stent.

The second requirement that must be satisfied by the auditor in order to achieve the
objectives in paragraph 10, is to perform audit procedures when non-compliance is
identified or suspected. This is further detailed in paragraphs 18–21. Study these paragraphs
before attempting Activity 4.

Activity 4

Assume that management or those charged with governance did not take the reme-
dial action that the auditor considered appropriate in the circumstances, despite the
non-compliance not being material to the financial statements.

64
 REQUIRED
Describe the considerations and possible actions that an auditor can take in such
circumstances.

17 Feedback on Activity 4

In exceptional cases, the auditor may consider whether withdrawal from the engagement
is necessary. This applies to those cases where withdrawal is possible under applicable laws
or regulations.

When deciding whether withdrawal from the engagement is necessary, the auditor may
consider seeking legal advice. If withdrawal from the engagement is not possible, the auditor
may consider alternative actions, including describing the non-compliance in an Other
Matter paragraph in the auditor’s report. This will be dealt with in Module AUE3702 when
the audit report is explained.

Study

International Standard on Auditing (ISA), The consideration of laws and

regulations in an audit of financial statements (ISA 250: paragraph 22–29) and
the relevant section dealing with the reporting of non-compliance of the
client with laws and regulations in Chapter 7 of Auditing Notes by Jackson
and Stent.

The third requirement to be satisfied by the auditor in order to achieve the objectives in
paragraph 10 is the reporting of identified or suspected non-compliance. This is further
detailed in paragraphs 22–28. Paragraph 29 explains the documentation that must be
kept by an auditor in these circumstances. Study these paragraphs before attempting
Activity 5. Remember these documentation requirements when you study the standard
on Audit Documentation in study unit 3.9 of this module.

Activity 5

Assume that the auditor suspects that management or those charged with governance
are involved in non-compliance.
REQUIRED
Describe the reporting requirements of the auditor.

65 AUE3701/1
18 Feedback on Activity 5

The auditor shall communicate the matter to the next higher level of authority at the entity, if
it exists, such as an audit committee or supervisory board. Where no higher authority exists,
or if the auditor believes that the communication may not be acted upon or is unsure as to
the person to whom to report, the auditor shall consider the need to obtain legal advice.

Further to the reporting requirements, you should note that the auditor’s report can be
affected in various ways. This will only be explained after you have learned about the various
forms of audit opinions in Module AUE3702.

Summary

It should be clear to you that an auditor has to consider a wide variety of

factors that can affect the financial statements, even factors that you will not
encounter during your studies to become an auditor. This is a good reason
why you should study intensely and read widely. When you do your articles
as a trainee accountant, question the way in which audits are performed to
learn what factors to consider when audit plans are compiled.

7 Self-assessment

After working through the study unit and the references to the prescribed study material,
determine if you can do the following:

(1) Describe the responsibility of the auditor towards an entity’s compliance with
laws and regulations in an audit of financial statements.

STUDY UNIT 3.6

MATERIALITY

LEARNING OUTCOMES:

In this study unit we focus on the following learning outcomes:

• Calculate materiality levels.

• Describe how materiality levels and inherent risk are related, and
apply this knowledge to a scenario.

66
INTRODUCTION
We already established that the International Standard on Auditing (ISA), Planning an
audit of financial statements (ISA 300), requires that the auditor plans an audit of financial
statements (refer to study unit 3.1). We also identified that the planning stage consists
of different phases.

FIGURE 1: The phases in the planning stage of an audit

The first two phases in the planning stage of an audit, were discussed in the previous
study units. The aim of this study unit is to explain the auditing principles related to the
third phase of the planning stage of an audit, namely determining materiality during
the planning phase of an audit.

Materiality is an auditing concept that is used to help the auditor to decide whether or
not to accept the figures and disclosure in the financial statements. Remember, the audit
report is the final product. To decide whether or not to accept the reasonableness of the
financial statements, the auditor must determine materiality figures during the planning
stage of an audit (planning materiality), during the performance of an audit (performance
materiality) as well as at the final stage of the audit process (final materiality).

Besides the quantitative aspect of materiality (dealing with figures), materiality should
also relates to matters which are material in nature, i.e. qualitative. In summary, there are
two features which should be considered when dealing with materiality: the quantitative
and the qualitative aspects.

67 AUE3701/1
Please note that International Standard on Auditing (ISA) 320 deals with planning materiality
and performance materiality, whilst ISA 450 deals with final materiality. ISA 320 will be
discussed in this study unit, whilst ISA 450 will be dealt with in AUE3702.

In Auditing 2601 you mastered auditing principles relating to materiality.

Study

International Standard on Auditing (ISA), Materiality in planning and performing

an audit (ISA 320) and the relevant sections dealing with the concept of
materiality, planning materiality and performance materiality in Chapter 7
of Auditing Notes by Jackson and Stent.

Note the following in the above study sources:

• The definition of “Materiality”. (ISA 320, paragraph .02)

• The calculation of planning materiality and performance materiality is subjective in
nature. Consequently, it is based on professional judgment where different auditors
will probably come up with different materiality figures using different benchmarks.
(ISA 320, paragraph .04 and A4 and A5).
• Also note that ISA 320 recognises the use of benchmarks but does not prescribe any
percentages to be used in setting materiality figures. (ISA 320, paragraph A8, A9 and
A10). You will be given benchmarks and percentages in a scenario. When you calculate
materiality figures it is important to consider the nature of the business. For an entity
that is capital intensive you are likely to use total assets for your materiality calculation.
The materiality calculation bases will differ from audit firm to audit firm.
• The following three categories of materiality figures are calculated by an auditor:
planning materiality, performance materiality and final materiality. (ISA 320, paragraph
.05)
• Materiality doesn’t only relate to figures where an error is detected above the set
materiality figure (i.e. quantitative). It also relates to matters which are material in
nature (qualitative), for example a fraudulent activity that is quantitatively less than
the materiality figure will most definitely be material in nature. (ISA 320, paragraph .06)
• Planning materiality is also referred to as “materiality for the financial statements as a
whole” and the auditor may also establish materiality levels to be applied to classes
of transactions, account balances or disclosures. This means that in principle (and in
practice) that there will be a planning materiality level set for the financial statements,
as a whole, and planning materiality levels (of a lesser amount) to be applied to classes
of transactions, account balances and disclosures.
• The definition of performance materiality. (ISA 320, paragraph .09). Please note that
performance materiality levels are always lower than planning materiality levels.
• Planning and performance materiality can be revised as the audit progresses.
(ISA 320, paragraph .12–.13 and A14)
• Documentation of materiality levels. (ISA 320, paragraph .14)

68
 Calculation of materiality in planning an audit

Please note that the calculation of materiality in planning an audit is subjective

in nature and will differ from one audit firm to another. The following is an
example of a framework used by an audit firm to calculate materiality levels
in planning an audit:

STEP 1
Determine which figures to use
• Use the unaudited figures of the current year if these are available.
• If the unaudited figures of the current year cannot be used because they are not
available, budget and prior year audited figures should be considered.
– Use the budgeted figures if these appear to be achievable.
– If budgeted figures are not available, prior year figures should be used.
– If the previous year’s figures were audited, it must be determined if any major
changes took place in the company in the current year.
– If major changes have taken place since these figures were audited you should
adjust these figures to reflect the changes.

STEP 2
Consider the indicators (Note that each audit firm has its own policy regarding
which indicators and intervals will be used for the calculation of materiality in
planning an audit.)
• The following indicators and intervals are often used:

Indicator Interval

Turnover 0.5%–1%

Gross profit 1%–2%

Net profit before tax 5%–10%

Total assets 1%–2%

Equity 2%–5%

Note: If you are not provided with percentages to apply in a question scenario I
suggest that you use these percentages to calculate materiality.

STEP 3
Determine which of the indicators is appropriate for the calculation of materiality
in planning an audit.

69 AUE3701/1
The following factors should be considered:

• If a company made a loss, the net profit before tax indicator cannot be used.
• Expected issues with an indicator as highlighted by analytical procedures.
• Inherent characteristics of the company. For example: For an entity that is capital
intensive you are likely to use total assets for your materiality calculation or in the case
of an entity that renders services, it is likely that this entity is not capital intensive and
therefore total assets will not be an appropriate indicator to use.
• The stability of the figures. For example:
– If the turnover figure for the year under review fluctuates dramatically from the
previous year to the next, the turnover indicator cannot be used.
– If the turnover figure for the year under review increases dramatically, however the
accounts receivable figure reflects a dramatic decrease, it could be an indication
of fraud/error in either one of these balances. As a result, the turnover indicator
cannot be used.

STEP 4
Calculate the materiality interval for each of the suitable indicators.

• Both the lowest and highest limits of the intervals for each suitable indicator should
be calculated.

STEP 5
Decide on a materiality figure to use when planning an audit.

• Exclude any indicator where the range of figures is an outlier with respect to other
indicators.
• The auditor should be conservative in his decision on the materiality figure to use
when planning an audit.
• If the inherent risk is assessed as being low, a figure in the upper range of the amounts
calculated will be selected and if the inherent risk is assessed as being high, a figure in
the lower range of amounts calculated will be selected. Remember, there is an inverse
relationship between materiality and inherent risk i.e.:
– Inherent risk high: materiality set low to compensate for the risk.
– Inherent risk low: materiality set high because there is a smaller chance that a
material misstatement will occur.

Example
• Gross profit = R5 000 000
The audit firm applies the following percentages to gross profit in their materiality
calculations:
• High inherent risk: 0,5%
• Medium inherent risk: 1%
• Low inherent risk: 2%

70
 Inherent risk Set materiality Result

High (0,5%) R25 000 (low) • Increased sample sizes

• Can tolerate less errors in sample tested
• Most conservative

Medium (1%) R50 000 (medium) • Sample sizes smaller than above
• Can tolerate a bit more errors in samples
tested
• More conservative

Low (2%) R100 000 (high) • Smallest sample sizes

• Can tolerate more errors (we do not
expect a lot)
• Less conservative

• A conclusion must be drawn on a specific figure for materiality. Concluding that

materiality is with a range of figures, will not be acceptable.

Activity 1

You are a member of the team on the audit of Consumex Ltd, a listed company which
sells a wide range of consumer goods. You and other members of the team are cur-
rently discussing the materiality figure for the planning and performance of the current
audit. As a starting point you used the prior year’s planning materiality figures set for
the various account balances and classes of transactions with a clear understanding
that these figures would probably be adjusted as the identification and assessment of
the risk of material misstatement and further audit procedures got underway.
Before the discussion amongst team members got underway, Beckie Zulu, a junior
trainee posed the following question “When deciding on our planning materiality, is
there a 'cost/benefit' issue we should be considering?”
During the identification and assessment of the risk of material misstatement, the
following information was obtained.
(1) The company negotiated two large long term loans during the year. Both loans
included loan covenants which require strict adherence to specified liquidity ratios.
The company has not had to contend with this in prior years. (3)
(2) The number of major transactions with related parties increased considerably
during the year. (4)
(3) A charge of price fixing of certain consumables has been brought against Consumex
Ltd and three other companies in the same sector. The company’s legal council are
not confident that the charge can be successfully defended, but that the penalty
cannot be estimated yet. (3)
(4) Halfway through the year the company relaxed its credit terms in an attempt to
boost sales. The amount of credit made available to customers was increased
dramatically and repayment terms were extended. (4)

71 AUE3701/1
 (5) The company started trading in derivatives for the first time in its history. (4)
(6) The automated (computerised) inventory control system, which had proved
somewhat unreliable was substantially upgraded just before the end of the prior
financial year. Interim tests of controls conducted on the system by your computer
audit division found the upgraded system to be “very reliable, well designed
and capable of producing a great deal of information about the company’s
inventory.” (3)

REQUIRED
(a) Respond to the question from Beckie Zulu. (4)
(b) Indicate whether the information in each of the points 1 to 6 above would increase
or decrease (or have no affect on) the planning (and performance) materiality figures
from the prior year. Justify your decisions. (21)

19 Feedback on Activity 1

(a) Cost/benefit considerations

(1) Indirectly there are cost/benefit considerations but they should not influence the
auditor’s decisions or performance negatively.
(2) The stricter (lower) the materiality figure the greater the quantity of audit work
that must be performed and vice versa. For example, if we decide on a materiality
figure of R100 (hypothetically of course) we would get a great deal of assurance,
but we would have to do a lot of audit work. If we decide on a figure of R10 000
we would have to do a lot less audit work but would get less assurance.
(3) Our objective is to do enough audit work to reduce audit risk to an acceptable
level, so it is a question of balancing the audit work to be done with the level of
assurance we want.
(4) We don’t want to do unnecessary audit work, but at the same time we must
gather sufficient appropriate evidence to meet our audit objective and reduce
the audit risk to an acceptable level.
(5) What we cannot do is change our materiality figure to justify doing less work so
as to reduce cost. We must aim at carrying out a cost efficient but effective audit.

(b)
(1) 1.1 This is likely to result in a lower (stricter) materiality figure for those account
headings which affect the liquidity ratios specified in the loan covenant.
1.2 As auditors we will want to be satisfied that these account headings are
as fairly stated as possible; we are aware that there will be specific reliance
on liquidity ratios and that important contractual obligations which the
company did not face in the prior year, must be met.
(2) 2.1 It is debatable whether this will directly affect the materiality figure. The
key aspects of related party transactions are the identification of related
parties and related party transactions and the disclosure thereof.
2.2 Our likely response will be to intensify our search for the above and to
ensure that disclosure is in terms of the IASs.
2.3 It could also be argued that as this is potentially a significant risk, a stricter
materiality figure for the size (magnitude) of related party transactions
we want to identify, will be set, e.g. we want to identify all transactions

72
 with related parties over R10 000 instead of, say, R50 000 which may have
been the prior year figure.
2.4 However, generally speaking, it is qualitative materiality that we are more
concerned about with related parties.
(3) 3.1 This is probably a significant risk. In a general sense it may cause the auditor
some concern about the overall integrity of management and may cause
us to be more alert to the possibility of other illegal activities/fraud in our
identification and assessment of risk. This in turn may translate into stricter
figures for certain classes of transaction/account headings.
3.2 However, at this stage it is only a charge. Disclosure is the most likely
treatment in the AFS as this appears to be a contingent liability and hence
it is material due to qualitative factors.
(4) 4.1 There is increased risk here that accounts receivable will be overstated.
4.2 As credit limits have increased dramatically and credit terms were extended
there is a strong possibility that the allowance for bad debts will be
understated particularly if Consumex Ltd applies the same criteria for
setting the allowance as it did in the prior year.
4.3 Also taking into account the fact that accounts receivable will be one of
the accounts used in determining adherence to the loan covenants, a
stricter materiality figure should be set for the performance of the accounts
receivable audit.
(5) 5.1 As the company has not traded in derivatives before, we would not have
had to consider any risk associated with it in prior years.
5.2 Trading in derivatives can be very dangerous as poor trades can inflict
significant damage on a company. In addition, from a financial reporting
perspective, valuations and disclosure of derivatives and derivative dealings
can be very complex.
5.3 Depending on the extent of the trading which has occurred, we may even
consider this to be a significant risk requiring special audit attention.
5.4 It is very likely that the necessary experience and expertise will have to be
added to the audit team and that strict materiality figures will be set for
affected account headings and appropriate attention will be applied to
the qualitative aspects.
(6) 6.1 As the internal control system for a very important cycle (inventory) in
a consumer product company has improved and is regarded by our
computer audit team as “reliable and well designed”, we could in all
probability increase (make less strict) our materiality figure for performing
the inventory audit. The system is more likely to detect errors and it can
produce information we need to help with such matters as “obsolescence
etc”.
6.2 We should be mindful of the fact that inventory may be one of the account
headings affecting the loan covenants.
(Source: Graded Questions on Auditing 2012, Gower & Jackson)

73 AUE3701/1
 Comments on Activity 1
In part (b) of the question the relationship between materiality and audit risk is
clear. Please note the importance of the reasoning provided for the increase or the
decrease in the materiality levels. Marks will be awarded for the reasoning given.

Activity 2

Your firm has been appointed as the external auditor of XYZ (Pty) Ltd to perform an
audit for the eight months ending 31 January 20xx. The company only exists for eight
months.
The following extracts from the statement of comprehensive income and the state-
ment of financial position refers:

8 months ending
8 months ending 31 Janu-
31 January 20xx –
ary 20xx – Actual figures
Budgeted figures

Turnover 6 167k 5 117k

Profit before tax 2 027k 1 789k

Total assets 814k 713k

The external auditor uses the following indicators and intervals for the calculation of
materiality:

Turnover 0.5%–1%

Profit before tax 5%–10%

Total assets 1%–2%

The external auditor estimated the inherent risk as low.

REQUIRED
Compute, providing reasons, the materiality figure to be used for planning the 31 Janu-
ary 20xx audit of XYZ (Pty) Ltd.

20 Feedback on Activity 2

STEP 1
Determine which figures to use
• The calculation will be based on the draft financial statement figures for the 8 months
ending 31 January 20xx as these are available, there is no indication that these figures will

74
 change substantially and they are most likely to approximate the figures in the financial
statements on which an audit opinion has to be expressed.
• The external auditor was appointed to issue an opinion on the financial statements for
the eight months ending 31 January 20xx and therefore the actual figures for the eight
months will be used.
STEP 2
Consider the indicators
The following indicators and intervals are used by the external auditor and were provided
in the question:

Turnover 0.5%–1%

Profit before tax 5%–10%

Total assets 1%–2%

STEP 3
Determine which of the indicators is appropriate for the calculation of materiality
in planning an audit.

XYZ (Pty) Ltd made a profit for the eight months ending 31 January 20xx, therefore profit
before tax is a suitable indicator. Furthermore, the turnover and total assets indicators also
seem appropriate.

STEP 4
Calculate the materiality interval for each of the suitable indicators.

Indicator Calculation

Turnover 0.5%–1% of R6 167 000 = R30 835–R61 670

Profit before tax 5%–10% of R2 027 000 = R101 350–R202 700

Total assets 1%–2% of R814 000 = R8 140–R16 280

STEP 5
Decide on a materiality figure to use when planning the audit.
The total assets indicator should be excluded as the range of figures is an outlier with respect
to the other indicators.

In view of the inherent risk being assessed as low, the materiality figure to be used for the
planning of the audit should be set at the higher end of the two suitable indicators ranges,
thus R202 700.

75 AUE3701/1
 Comments on Activity 2
This question required you to determine the planning materiality for the financial
statements as a whole (this is determined when establishing the overall audit
strategy).
In specific circumstances, the auditor may determine materiality levels for
particular classes of transactions, account balances or disclosure.
The auditor may or may not deem it necessary to determine separate materiality
levels to be applied.

Summary

In this study unit we dealt with the practical application and calculation
of audit materiality, and the interaction between inherent risk and audit
materiality.

8 Self-assessment

After working through the study unit and the references to the prescribed study material,
determine if you can do the following:

(1) Calculating materiality levels.

(2) Describing how materiality levels and inherent risk are related and applying this
knowledge to a scenario.

STUDY UNIT 3.7

THE OVERALL AUDIT STRATEGY

LEARNING OUTCOMES:

In this study unit we focus on the following learning outcome:

• Identify and describe the aspects that will have an influence on the
scope, timing and direction of the audit when establishing the overall
audit strategy.

76
INTRODUCTION
We have already established that the International Standard on Auditing (ISA), Planning an
audit of financial statements (ISA 300), requires that the auditor plans an audit of financial
statements (refer to study unit 3.1). We also established that the planning stage consist
of different phases.

FIGURE 1: The phases in the planning stage of an audit

The first three phases in the planning stage of an audit were discussed in the previous
study units. The aim of this study unit is to explain the auditing principles related to the
fourth phase of the planning stage of an audit, namely developing the overall audit
strategy during the planning phase of an audit.

When planning an audit, the auditor is required to establish the overall audit strategy
(ISA 300, paragraph 02). The overall audit strategy gives a preliminary idea of the scope,
timing and direction of the audit and the resources that will be needed on the audit.

At the beginning of each year we often hear people discussing their New Year’s resolutions.
What were your resolutions for the year, and did you fulfil them? Briefly discuss this with
your fellow students in the discussion forum.

Feedback: Different individuals have different New Year’s resolutions. Maybe one of your
resolutions is to pass this module, to take a vacation or to lose those extra weight by going
to the gym more often. However, many of our resolutions never come true because we
do not do the necessary planning to make our resolutions become reality.

77 AUE3701/1
Let’s refer to the following example: if your resolutions include taking a vacation during
the year, you need to have a preliminary idea of what activities you would like to do on
your vacation and when and where you want to go. For example, do you want to do
deep-sea diving in March at the coast, or do you maybe want to go to the bushveld to
see the Big Five in July? This preliminary idea can be called your strategy. Once you have
your strategy of when and where you want to go, you can start focusing on the details
of planning your vacation, for example specific dates, search for accommodation etc.

Similar to a vacation, an audit also has to be planned. If you do not plan, you will probably
not succeed in gathering sufficient audit evidence to form an audit opinion. Therefore,
as an auditor, you first have to establish an overall strategy of the range of activities you
have to perform, when the audit activities should take place and if there are specific
areas that you need to focus on during the audit. This can be called your overall audit
strategy. Once your overall audit strategy is in place, you can start working on the details
of planning the audit. This is your audit plan, which is explained in the next study unit.

Study

International Standard on Auditing (ISA), Planning an audit of financial

statements (ISA 300) paragraphs .07, .08, .12, A8 to A11, A18, A20 and the
section dealing with the overall audit strategy as part of planning in Chapter
6 of Auditing Notes by Jackson and Stent.

Note the following in the above study sources:

The audit strategy sets the scope, timing and direction of the audit (ISA 300, paragraph
.07).

Scope: Refers to the range of activities to be performed by the auditor.

For example, if the company is governed by industry-specific
regulations, the auditors should familiarise themselves with such
requirements and make sure that the reporting complies with
such requirements.

Timing: Refers to the timing when audit procedures should be performed.

The auditors can perform audit procedures as follows:
• Before year-end (interim), or
• At and after year-end, or
• Early verification just prior to year-end and roll forward at year-
end, or
• Both at interim and after year-end.

78
 Direction: Refers to the areas of focus. The auditors should consider factors
that are significant and should direct their attention to the areas
of focus.
For example, if the risk assessment procedures determined that
the company experienced going concern issues, the auditor should
direct his or her efforts to this specific area.

• The considerations in establishing the overall audit strategy (ISA 300, paragraph
.08, A8 to A11 and the Appendix.) (The Appendix has a detailed list of considerations
in establishing the overall audit strategy.)
• The overall audit strategy should be updated and changed throughout the audit
(ISA 300, paragraphs .10 and A15).
• The auditor should include the overall audit strategy in the audit documentation
(ISA 300, paragraphs .12, A18 and A20.)

Activity 1

Your audit firm has recently been appointed as the auditor of AUE (Pty) Ltd (AUE).
AUE is a subsidiary of TOE Ltd (TOE). The holding company is listed and has numerous
subsidiaries. Subsidiaries are required to comply with and report on group corporate
governance policies. The audit of AUE also has a tight deadline. All systems of the
company are automated (computerised).
TOE has a large internal audit department which it uses to carry out evaluations and
reviews at its subsidiaries. Profit margins at AUE are low and overall revenue has de-
clined over the past year.
Two months before year-end, you began planning for the audit of AUE.
Identify and describe the aspects that will have an influence on the scope, timing and
direction of the overall audit strategy on the audit of AUE.

Exam technique: When working through the scenario, approach it line-by-line

to identify the aspects that will influence your audit strategy.

21 Feedback on Activity 1
The overall audit strategy sets the scope, timing and direction of audit procedures.

To assist you in identifying the issues in the scenario that will affect the scope, timing
and direction of the audit strategy, we have included the scenario again and included
references to the suggested solution.

Your audit firm has recently been appointed as the auditor of AUE (Pty) Ltd (AUE). AUE is a
subsidiary (affects scope and direction, refer to points 1 and 6) of TOE Ltd (TOE). The

79 AUE3701/1
holding company is listed (affects scope, refer to point 1) and has numerous subsidiaries
(affects direction, refer to point 6). Subsidiaries are required to comply with and report
on group corporate governance policies (affects scope, refer to point 1). The audit of
AUE also has a tight audit deadline (affects timing, refer to point 4). All systems of the
company are automated (computerised) (affects scope, refer to point 2).
TOE has a large internal audit department which it uses to carry out evaluations
and reviews at its subsidiaries (affects scope and timing, refer to points 3 and 5).
Profit margins at AUE are low and overall revenue has declined over the past year
(affects direction, refer to point 7).
Two months before year-end, you began planning for the audit of AUE (affects
timing, refer to point 4).
The solution to Activity 1 is as follows:

AUDIT STRATEGY

Scope: (1) The fact that AUE is a subsidiary of TOE will affect the scope of
the engagement because
• The holding company is a public company and thus the audit
is a statutory audit which must comply with the Companies
Act 2008 and the Auditing Profession Act 2005. AUE’s audit
must therefore also comply with the Companies Act 2008
and the Auditing Profession Act 2005.
• The holding company is listed and thus it is likely that there
are additional reporting obligations for AUE.
• AUE has to comply with and report on group corporate
governance policies which the auditors might be required
to be involved in.
• It is likely that AUE has to adopt the group accounting policies
or disclosures with which the auditors have to familiarise
themselves.
(2) The fact that AUE uses automated (computerised) systems will
affect the scope because computer-assisted audit techniques
will be used whenever possible.
(3) The fact that the TOE has an internal audit function which
carries out evaluations and reviews at its subsidiaries, will affect
the scope of the audit because the internal audit department
may be able to assist with information relating to AUE’s internal
control system.

Timing: (4) Due to tight audit deadlines, early verification audit procedures
could be performed in the two months before year-end and roll
forward at year-end.
(5) The involvement of the internal auditors, the holding company’s
auditors and other senior personnel who should be involved in
the audit should be considered in order to schedule timeous
meetings.

80
 AUDIT STRATEGY

Direction: (6) The fact that AUE is one of numerous subsidiaries will affect
the direction of the audit, because attention should be given
to identification of related parties and disclosure of related party
relationships and transactions.
(7) The low profit margins and decline in revenue will affect the
direction of the audit because
• They raise a risk relating to the going concern of AUE, for
which a careful going concern evaluation should be carried
out.
• Attention should be given to the completeness of sales
(understatement) as the financial position might be
manipulated (decline in revenue).

Summary

This study unit explained auditing principles related to establishing the

overall audit strategy during the planning phase of an audit. The overall
audit strategy sets out the scope, timing and direction of the audit. Now
that you have a better idea of the overall audit strategy, we can explain the
development of the audit plan, which is discussed in the next study unit.

9 Self-assessment

After working through the study unit and the references to the prescribed study material,
determine if you can do the following:

(1) Identify and describe the aspects that will have an influence on the scope, timing
and direction of the audit when establishing the overall audit strategy.

STUDY UNIT 3.8

THE AUDIT PLAN

LEARNING OUTCOMES:

In this study unit we focus on the following learning outcome:

• Identify and describe the aspects that will have an influence on the
nature, timing and extent of the audit when developing the audit plan.

81 AUE3701/1
INTRODUCTION
In study unit 3.1 you learned that the planning stage of an audit consists of different phases.

FIGURE 1: The phases in the planning stage of an audit

The first four phases in the planning stage of an audit were discussed in the previous
study units. In this study unit we will explain the last phase of the planning stage of an
audit, namely developing an audit plan.

Do you remember our discussion of planning a vacation in the previous study unit?
We said that once you have a preliminary idea (strategy) of your vacation, you can start
planning the details of your vacation (plan). As with planning a vacation, the audit plan
is guided by the completion of the overall audit strategy and is more detailed than the
audit strategy.

Remember how we explained that the overall audit strategy sets out the scope, timing
and direction of the audit (refer to study unit 3.7)? In this study unit we will explain
that the audit plan includes the nature, timing and extent of audit procedures to be
performed during the audit.

82
 Study

1. International Standard on Auditing (ISA), Planning an audit of financial

statements (ISA 300) paragraphs .09, .10, .12, A12, A13, A14, A15, A19, A20.
2. The section dealing with the audit plan as part of planning in Chapter 6
of Auditing Notes by Jackson and Stent.
3. The section dealing with general observations relating to the nature,
timing and extent of further audit procedures in Chapter 6 of Auditing
Notes by Jackson and Stent.

Note the following in the above study sources:

• The audit plan sets the nature, timing and extent of audit procedures (ISA 300,
paragraphs .09 and A12, A13, A14). More details of the nature, timing and extent of
audit procedures are discussed later in this module (refer to study unit 4.1). However,
in brief it may be summarised as follows:

Nature: Refers to the type of audit approach and purpose and type of audit
procedures to be performed (ISA 330, paragraphs A4 and A5).
The auditor can decide to follow either of the following approaches:
A combined audit approach, where both tests of controls and substantive
procedures should be performed. This approach is followed when the auditor
intends to rely on the operating effectiveness of internal controls or when
substantive procedures alone cannot provide sufficient appropriate audit
evidence.
A substantive procedure approach, where both tests of detail and analytical
procedures should be performed. This approach is followed when the risk
assessment procedures have not identified appropriate and sufficient controls
relevant to the assertion or because testing controls would be inefficient.

Timing: Refers to the timing when audit procedures should be performed (ISA 330,
paragraph A6).
The auditor can perform audit procedures as follows:
• Before year-end (interim), or
• At and after year-end, or
• Early verification just prior to year-end and roll forward at year-end, or
• Both at interim and after year-end

83 AUE3701/1
 Extent: Refers to how many tests or audit procedures and in how much detail you
will perform (ISA 330, paragraph A7).
This refers to the number of tests of detail and/or analytical procedures you
will perform; for example if the audit client has a strong control environment
you will perform tests of controls, with fewer tests of detail and more analytical
procedures.
Note: Later in your studies (in Module AUE3702) you will learn about audit
sampling to determine the sample sizes used to collect audit evidence.

• The audit plan should be updated and changed throughout the audit (ISA 300,
paragraphs .10 and A15).
• The auditor should include the audit plan in the audit documentation (ISA 300,
paragraph .12, A19 to A20.)

Note: In order for you to identify and describe aspects that will have an influence on
the nature, timing and extent of the audit plan, you may also refer to the study
unit dealing with the auditor’s responses to risks (ISA 330) where the nature,
timing and extent of audit procedures are described in more detail (refer to
study unit 4.1).

Activity 1

Note: This activity is the same activity as the one in study unit 3.7 which deals with
the overall audit strategy; however, you are now required to formulate the
audit plan.

Your audit firm has recently been appointed as the auditor of AUE (Pty) Ltd (AUE).
AUE is a subsidiary of TOE Ltd (TOE). The holding company is listed and has numerous
subsidiaries. Subsidiaries are required to comply with and report on group corporate
governance policies. The audit of AUE also has a tight deadline. All systems of the
company are automated (computerised) and reside on a local area network (LAN).
TOE has a large internal audit department that it uses to carry out evaluations and
reviews at its subsidiaries. Profit margins at AUE are low and overall revenue has de-
clined over the past year.
Two months before year-end, you began planning for the audit of AUE.
Identify and describe the aspects that will have an influence on the nature, timing and
extent of the audit when developing the audit plan for AUE.

Exam technique: When working through the scenario, approach it line-

by-line to identify the aspects that will influence your audit plan.

84
22 Feedback on Activity 1

The audit plan sets the nature, timing and extent of audit procedures.

To assist you in identifying the issues in the scenario that will affect the nature, tim-
ing and extent of the audit plan, we have included the scenario again and provided
references to the suggested solution.

Your audit firm has recently been appointed as the auditor of AUE (Pty) Ltd (AUE). AUE is
a subsidiary (affects nature) of TOE Ltd (TOE). The holding company is listed and has
numerous subsidiaries. Subsidiaries are required to comply with and report on group
corporate governance policies. The audit of AUE also has a tight audit deadline (affects
timing). All systems of the company are automated (computerised) (affects nature).

TOE has a large internal audit department (affects nature and extent) that it uses to
carry out evaluations and reviews at its subsidiaries. Profit margins at AUE are low and
overall revenue has declined over the past year (affects nature, timing and extent).

Two months before year-end, you began planning for the audit of AUE (affects
timing).

The solution to Activity 1 is as follows:

AUDIT PLAN

Nature: • Follow a combined audit approach with both tests of controls

and substantive procedures. This approach is followed because
you intend to rely on the operating effectiveness of internal
controls (due to the existence of an internal audit department),
and substantive procedures alone will not provide sufficient ap-
propriate audit evidence.
• Computer-assisted audit techniques should be used to test the
automated (computerised) applications or controls.
• Specific risks can be addressed as follows:
– Perform substantive procedures to address the going concern
risk.
– Perform substantive procedures on related parties and inter-
group transactions and balances.
– Perform substantive procedures on internal audit reports.
– Perform tests of controls and substantive procedures to test
for completeness of sales.

85 AUE3701/1
Timing: Due to tight audit deadlines, early verification audit procedures
could be performed just before year-end and rolled forward at
year-end.
For example, important balance sheet work, such as debtor’s
circularisation, creditor’s reconciliations or fixed asset verification,
could be done before year-end and “rolled forward”. Fixed asset
schedules should also be prepared before year-end and changes
before year-end could be audited after year-end.
Initial substantive procedures, for example scrutiny of books and
discussion, could take place before year-end but the final going
concern evaluation should take place after year-end.
Tests of controls and substantive audit procedures on sales
can also be performed before year-end and rolled forward at
year-end.

Extent: The number of tests or audit procedures could be reduced if you

can rely upon the internal audit department.
However, comprehensive tests should be carried out on risk areas
such as going concern, related parties and completeness of sales.

Additional comments on Activity 1

When doing the activity, did you see that there is a difference between the
overall audit strategy and the audit plan? Remember, the overall audit strategy
is a preliminary plan and sets out the scope, timing and direction of the audit,
whereas the audit plan sets out the nature, timing and extent of the audit proce-
dures. Another difference is that the overall audit strategy provides an overview
of audit procedures to be performed, whereas the audit plan is more detailed
in the sense that it provides more information on the audit procedures (nature,
timing and extent of tests of controls or substantive procedures) that should be
performed during the audit.

Summary

This study unit explained concepts related to developing the audit plan. The
audit plan sets out the nature, timing and extent of the audit procedures.
You should now have a good understanding of each of the different phases
when planning an audit (Stage Two of the audit process). Before we move
on to the next stage of the audit process, you should also familiarise yourself
with the general requirements of the audit documentation that should be
prepared and kept throughout the audit process (refer to study unit 3.9) and
with communicating deficiencies in internal control to those charged with
governance and management (refer to study unit 3.10).

86
10 Self-assessment
After working through the study unit and the references to the prescribed study material,
determine if you can do the following:

(1) Identify and describe the aspects that will have an influence on the nature, timing
and extent of the audit when developing the audit plan.

STUDY UNIT 3.9

AUDIT DOCUMENTATION

LEARNING OUTCOMES:

In this study unit we focus on the following learning outcomes:

• Explain the purpose of audit documentation.

• Explain the auditor’s objective in preparing audit documentation.
• Evaluate audit documentation against the requirements of ISA 230.
• Explain the requirements relating to the assembly of the final audit file.

INTRODUCTION
The publication of the International Standard on Auditing (ISA), Audit documentation
(ISA 230), requires the auditor to prepare audit documentation for an audit of financial
statements. Audit documentation prepared by the auditor should provide evidence that
supports the basis for the auditor’s report and evidence that the audit was planned and
performed according to the ISAs and applicable legal and regulatory requirements.

Study

Audit documentation (ISA 230), and the relevant sections dealing with audit
documentation in chapter 17 of Auditing Notes by Jackson and Stent.
Note the following in the above study sources:
• The purpose of audit documentation (ISA 230, paragraphs .02 and .03)
• The auditor’s objective in preparing audit documentation (ISA 230, paragraph .05)
• The definitions of “audit documentation”, “audit file” and “experienced auditor”
(ISA 230, paragraph .06)

87 AUE3701/1
• Audit documentation should be prepared on a timely basis (ISA 230, paragraphs .07
and A1)
• The ISA requirements of audit documentation for the audit procedures performed
and the audit evidence obtained (ISA 230, paragraphs .08–.13, A2–A20)
• The requirements regarding the assembly of the final audit file (ISA 230, paragraphs
.14–.16, A21–A24).

The auditor should prepare and update audit documentation throughout the different
stages of the audit process. In addition to the requirements of ISA 230, a list of other ISAs
with specific audit documentation requirements can be found in the Appendix of ISA
230. Figure 1 presents the list in the Appendix of ISA 230 indicating the different stages
of the audit process.

Figure 1: Specific audit documentation requirements in other ISAs for each stage of the
audit process

Activity 1

The following working paper for bank and cash was prepared by a first-year trainee
accountant on the audit of The Browns (Pty) Ltd:

88
 The Browns (Pty) Year-
Client name 30 June 20xx

Prepared by
Ltd
E Venter
end
A1
Audit section Bank and cash

BOTSWANA BNB BANK – ACCOUNT NUMBER 690191000

Description of the account:
The Browns has several bank accounts with various local and foreign banks. The
foreign bank accounts, such as the account with Botswana BNB Bank (690191000), are
mainly used to facilitate trade with foreign suppliers. Peter Havenga, the accountant,
prepares bank reconciliations on a monthly basis and these are reviewed by Trevor
Jackson, the financial manager.
This is a material account balance and the risk of misstatement relating to this account
is assessed as higher. The only relevant assertion relating to this account is valuation.
Work performed:
The bank reconciliation was inspected.

REQUIRED
Evaluate working paper A1 of The Browns (Pty) Ltd by identifying and describing the
shortcomings in terms of the requirements of audit documentation. Base your answer
on ISA 230.

23 Feedback on Activity 1

Shortcomings of working paper A1 based on ISA 230:

• The working paper indicates the name of the preparer but does not indicate the date
when it was prepared.
• The working paper does not indicate by whom it was reviewed.
• The working paper does not indicate the date when it was reviewed.
• The working paper does not contain a detailed explanation of the audit procedures
performed.
• The working paper does not contain the results of the audit procedures performed.
The following is an example of how the working paper given in Activity 1 should look in
order to comply with the requirements of ISA 230:

89 AUE3701/1
90
 Additional comments on the example
• Audit documentation is commonly referred to as “working papers” or “work
papers”.
• In practice, the form and content of audit documentation may vary considerably,
since such work papers are drawn up in accordance with the auditor’s professional
judgement. Audit documentation can be recorded on paper or on electronic
or other media. Examples of audit documentation include audit programmes,
analyses, memorandums, summaries of significant matters, letters of confirmation
and representations, checklists, correspondence (including e-mails) concerning
significant matters etc. Irrespective of the format in which work papers are kept,
all of the requirements of ISA 230 in terms of content should be complied with.
• The reviewer should evaluate if sufficient and appropriate evidence was
obtained regarding the item audited. For example, the reviewer might consider
that the audit procedures were not sufficient and might also request the audit
team to perform other audit procedures. In Activity 1 the risk was assessed as
high, which might necessitate performing other audit procedures in addition
to those described in working paper A1. For example, the reviewer may request
the audit team to reperform the bank reconciliations, trace the bank reconciling
items to supporting documentation, reperform the calculations on the bank
reconciliation, agree amounts from the General Ledger to financial statements
etc.
• Audit documentation is the property of the audit firm and the firm is in no way
obliged to make it available to the audit client or any third party unless required
to do so by law.
• The final audit file should be assembled on a timely basis, which is usually not
more than 60 days after the date of the auditor’s report. The final audit file
should be kept until the end of its retention period. If documents need
to be modified or added after the final audit file has been completed,
the auditor should comply with additional audit documentation
requirements.

Summary

Audit documentation includes all the working papers drawn up in connection

with the conduct of the audit. These working papers should be sufficiently
completed and detailed to provide an overall picture of the audit, which will
ultimately enable the auditor to express an audit opinion in the auditor’s
report.

11 Self-assessment

After working through the study unit and the references to the prescribed study material,
determine if you can do the following:

91 AUE3701/1
 (1) Explain the purpose of audit documentation.
(2) Explain the auditor’s objective in preparing audit documentation.
(3) Evaluate audit documentation against the requirements of ISA 230.
(4) Explain the requirements relating to the assembly of the final audit file.

STUDY UNIT 3.10

COMMUNICATING DEFICIENCIES IN INTERNAL

CONTROL TO THOSE CHARGED WITH GOVERNANCE
AND MANGEMENT

LEARNING OUTCOMES:

In this study unit we focus on the following learning outcomes:

• Explain the terms “deficiency in internal control” and “significant

deficiency in internal control”.
• Evaluate a report on significant deficiencies in internal controls against
the requirements of ISA 265.
• Explain the matters that the auditor could consider when determining
whether a deficiency in internal control is significant.
• Explain the possible indicators of significant deficiencies in internal
control.

INTRODUCTION
The International Standard on Auditing (ISA), Communicating deficiencies in internal control
to those charged with governance and management (ISA 265), deals with the auditor’s
responsibility to communicate appropriately with:
• Those charged with governance (for example the board of directors and the
audit committee); and
• Management regarding deficiencies in internal control that the auditor has identified
in an audit of financial statements.
Deficiencies in internal control can be identified during the planning phase of the audit
and in the execution phase of the audit.

92
 Study

International Standard on Auditing (ISA), Communicating deficiencies in internal

control to those charged with governance and management (ISA 265)

Note the following in the above study source:

• The definitions of a “Deficiency in internal control” and “Significant deficiency in

internal control” (ISA 265, paragraph .06.)
• The information that an auditor should include in the written communication of
significant deficiencies in internal control (ISA 265, paragraph .11, A28, A29 and A30).
The level of detail of the communication will depend on ISA 265, paragraph A15:
– The nature of the entity (e.g. public interest entity vs. non-public interest entity)
– The size and complexity of the entity
– The nature of the significant deficiency
– The entity’s governance composition
– Legal or regulatory requirements
• Remember that the significance of a deficiency in internal control or a combination
thereof depends not only on whether a misstatement has actually occurred, but also
on the likelihood that a misstatement could occur and the potential magnitude of
the misstatement (refer to ISA 265, paragraphs A6 and A7).
• If the auditor has noted deficiencies in internal control that are not significant, but
may be of sufficient importance to merit management attention, this communication
need not be in writing, and can be done orally.

Activity 1
BACKGROUND
You are a third-year audit trainee at the audit firm TOE Incorporated (TOE). TOE has re-
cently been appointed as the auditor of Top-Electric (Pty) Ltd (Top-Electric). The financial
director indicated that he wanted the final audit report on 20 April 20xx at the latest.
TOE has issued the following draft report on significant deficiencies to the financial
manager.

93 AUE3701/1
 Draft report on significant deficiencies in internal controls dated 7 June 20xx

TOE Incorporated’s Letterhead

Private and confidential
7 June 20xx
The Financial Manager
Top-Electric (Pty) Ltd
Address
Dear Sir
Report on significant deficiencies in internal controls
During the performance of our audit of Top-Electric (Pty) Ltd for the year ended
31 March 20xx, certain matters that we consider to be significant deficiencies in
internal control came to our attention.
Our required statutory audit procedures were designed to express an opinion on
the financial statements, as well as on the adequacy of internal controls. Accord-
ingly, we are of the opinion that the significant deficiencies in internal controls
reported on are probably the only deficiencies which may exist.
This report is furnished solely for your information and should be used by you for
this purpose only. Unless you have obtained our written consent to disclose this
report to another party, we will not assume any responsibility to the other party.
Refer to the table below for matters we consider to be significant deficiencies in
internal controls.

Observations
All the retail stores’ goods-receiving departments and warehouses are currently
not physically secured or access-controlled.
Subsequent to our audit, it has come to our attention that the warehouse at
one of the retail stores was destroyed by a flood.

We would appreciate it if you would acknowledge receipt of our report as soon as

possible. Should you wish to discuss the above, please do not hesitate to contact us.
Yours sincerely
A Morgan
Trainee accountant

Identify and describe the shortcomings in the draft report on significant deficiencies in
internal controls. State how each shortcoming can be corrected and, where appropri-
ate, provide your reasoning. Base your answer on ISA 265.

24 Feedback on Activity 1
Shortcomings in the draft report on significant deficiencies in internal controls
based on International Standards on Auditing
To assist you in matching the shortcoming in the draft report to the answer, we have included
the draft report again and provided appropriate references which link the shortcoming in
the report to the answer.

94
 Draft report on significant deficiencies in internal controls dated 7 June 20xx
(SHORTCOMING 1)

TOE Incorporated’s Letterhead

Private and confidential
7 June 20xx
The Financial Manager (SHORTCOMING 2)
Top-Electric (Pty) Ltd
Address
Dear Sir
Report on significant deficiencies in internal controls
During the performance of our audit of Top-Electric (Pty) Ltd for the year ended
31 March 20xx, certain matters that we consider to be significant deficiencies in
internal control came to our attention.
Our required statutory audit procedures were designed to express an opinion on the
financial statements, as well as on the adequacy of internal controls. (SHORTCOMING
3) Accordingly, we are of the opinion that the significant deficiencies in internal
controls reported on are probably the only (SHORTCOMING 4) deficiencies which
may exist.
This report is furnished solely for your information and should be used by you for
this purpose only. Unless you have obtained our written consent to disclose this
report to another party, we will not assume any responsibility to the other party.
Refer to the table below for matters we consider to be significant deficiencies in
internal controls.

Observations (SHORTCOMING 5)
All the retail stores’ goods-receiving departments and warehouses are currently
not physically secured or access-controlled.
Subsequent to our audit, it has come to our attention that the warehouse at one
of the retail stores was destroyed by a flood. (SHORTCOMING 6)

We would appreciate it if you would acknowledge the receipt of our report as soon as
possible. Should you wish to discuss the above, please do not hesitate to contact us.
Yours sincerely
A Morgan
Trainee accountant (SHORTCOMING 7)

SHORTCOMING 1
• As per ISA 265, paragraph 9, the auditor must communicate the significant deficien-
cies in internal controls identified during the course of the audit to those charged with
governance on a timely basis.
The report is dated 7 June 20xx. The financial director indicated that he wanted the
final audit report on 20 April 20xx at the latest. The report on significant deficiencies in
internal controls was thus not communicated on a timely basis.

95 AUE3701/1
SHORTCOMING 2
• The report is addressed to the financial manager. It should be addressed to those
charged with governance (ISA 265, paragraph 9).
Those charged with governance are the persons responsible for overseeing the strategic
direction of the entity and obligations related to the accountability of the entity. This
would not include the financial manager, but would most likely be the board of directors
of Top-Electric.

SHORTCOMING 3
• After a statutory audit, an auditor is required to issue an audit report to express an opin-
ion on the financial statements. In addition to this audit report, an auditor should also
issue a report on significant deficiencies in internal control that he or she came across
during the conduct of the statutory audit. To summarise: in the audit report an audi-
tor expresses an opinion; however the report on significant deficiencies in internal
control only reports on significant deficiencies in internal control which the auditor
came across during the statutory audit. Therefore, ISA 265, paragraph 11(b)(ii) states
that the auditor should include the following in the report on significant deficiencies in
internal control: “The audit included considerations of internal control relevant to the
preparation of the financial statements in order to design audit procedures that are ap-
propriate in the circumstances, but not for the purpose of expressing an opinion
on the effectiveness of internal control”.
The report currently states that the required statutory audit procedures were designed
to express an opinion on the financial statements as well as to determine the adequacy
of internal controls for management purposes. The Companies Act does not require
auditors to express an opinion on the effectiveness/adequacy of internal controls.

SHORTCOMING 4
• As per ISA 265, paragraph A29, the auditors may consider it appropriate to include an
indication that, if they had performed more extensive procedures on internal controls,
they might have identified more deficiencies to be reported.
The report states that the auditors are of the opinion that the significant deficiencies
in internal controls reported on are probably the only deficiencies which may exist.
This statement should not be made, as it is impossible for the auditors to conclude this
without performing more extensive procedures on internal controls.
Such extensive procedures on internal controls would require a separate specific
engagement letter and would constitute a related service engagement.

SHORTCOMING 5
• ISA 265 par 11(a) states that “The auditor shall include in the written communication
of significant deficiencies in internal control, a description of the deficiencies and an
explanation of their potential effects”.
Currently the report tables only two observations (description of the deficiencies in
internal controls), but it does not explain their potential effects.

SHORTCOMING 6
• The second observation relating to the warehouse that was destroyed by a flood is a
general statement and not a significant deficiency in internal control. It should not be
included in the report.
ISA 265, paragraph 11(b)(iii) specifically states that the matters being reported on
are limited to those deficiencies that the auditor has identified during the audit. The

96
 matter relating to the warehouse was not identified during the audit (the report states:
“Subsequent to our audit, it has come to our attention that the warehouse … by a
flood.”) and is not a significant deficiency in internal controls.

SHORTCOMING 7
• The report is signed by a trainee accountant. Since the designated engagement partner
takes overall responsibility for the audit and the auditor’s report, it would be appropriate
for this report to be signed by such designated engagement partner.

Comments on Activity 1
• Can you see from the above activity that you need to work through the draft
report line-by-line? You need to know the theory set out in ISA 265, recall it,
and use it as benchmark against the given scenario.
• Can you also see from the feedback provided that you first had to list the
requirement as per ISA 265, and then highlight the area from the scenario
which does not comply with the specific paragraph(s) included in ISA 265? In
the examination you will earn marks for providing such a detailed solution.

Summary

In this study unit we discussed and explained the communication of

deficiencies in internal control to those charged with governance and
management.

12 Self-assessment

After working through the study unit and the references to the prescribed study material,
determine if you can do the following:

(1) Explain the terms “deficiency in internal control” and “significant deficiency in
internal control”.
(2) Evaluate a report on significant deficiencies in internal controls against the report-
ing requirements of ISA 265.
(3) Explain the matters that the auditor could consider when determining whether
a deficiency in internal control is significant.
(4) Explain the possible indicators of significant deficiencies in internal control.

97 AUE3701/1
TOPIC 4
Obtaining audit evidence

The audit process consists of four stages. The previous topic explained the second stage
of the audit process, namely the planning stage of an audit. The aim of this topic is to
explain the third stage of the audit process, namely obtaining audit evidence.

FIGURE 4.1: Stages of the audit process

98
THIS TOPIC IS DIVIDED INTO THE FOLLOWING STUDY UNITS:

Study unit Title

4.1 The auditor’s responses to risk

4.2 Test of control concepts in a manual environment

4.3 Test of control concepts in an automated (computerised) environment

The first study unit in this topic explains how the auditor responds to the risks identified
in the planning stage of the audit. As part of this study unit, you will learn that the auditor
addresses risks by designing and implementing audit responses or audit procedures
(tests of controls or substantive procedures). In the second study unit, test of control
concepts to test manual internal controls are explained. Lastly, tests of control concepts
in an automated (computerised) environment to test the automated internal controls
are explained.

In topic 5 internal control aspects are revised from a management perspective, while
topic 6 deals with the tests of controls in the various business cycles.

Learning outcomes

The learning outcomes of each of the study units are set out in the separate study units.

STUDY UNIT 4.1

THE AUDITOR’S RESPONSES TO RISK

LEARNING OUTCOMES:

In this study unit we focus on the following learning outcomes:

• Apply the general concepts related to the auditor’s responses to risk

to information provided in a scenario.
• Describe which audit procedures you would implement and perform
to address identified risks.

99 AUE3701/1
INTRODUCTION
As part of the planning stage in the audit process, the auditor has to identify and assess
audit risks and risks of material misstatement at the financial statement level and at the
assertion level (refer to study unit 3.3 to refresh your memory). The aim of this study unit
is to explain how the auditor responds to the identified and assessed risks.

Do you remember the exercise where you were required to write down the risks that affect
your life on a day-to-day basis? We discussed the example of how the risk of a disease
might influence our lives and that we have to minimise the effect that it might have by
going to a doctor. If the disease is not treated it might have serious consequences.

In an audit, the auditor also has to minimise risks by addressing them. International
Standards on Auditing (ISA), The auditor’s responses to assessed risks (ISA 330), requires
the auditor to design and implement responses to the risks of material misstatement as
identified and assessed in terms of ISA 315. Risks of material misstatement at the financial
statement level are addressed by overall responses and risks of material misstatement
at the assertion level are addressed by conducting further audit procedures (tests of
controls and substantive procedures).

100
Figure 1: The auditor’s responses to address risks (adapted from AUE2601):

General concepts

Study

International Standard on Auditing (ISA), The auditor’s responses to assessed

risks (ISA 330) paragraphs 03 to 07 and A1 to A19 and the section dealing
with responding to assessed risk in chapter 6 of Auditing Notes by Jackson
and Stent.

101 AUE3701/1
You may already be familiar with some of the study material, as we briefly explained some
of it in study unit 3.8, the audit plan. However, the notes to the study material below
provide more detail.

Note the following in the above study sources:

• The objective of the auditor (ISA 330, paragraph 03).

• The definitions of a substantive procedure and tests of controls (ISA 330, paragraph
04).
• The auditor should design and implement overall responses to address the risk of
material misstatement at the financial statement level (ISA 330, paragraph 05 and
A1 to A3).
• The auditor should design and perform further audit procedures where the nature,
timing and extent are based on and are responsive to the assessed risk of material
misstatement at the assertion level (ISA 330, paragraph 06).
• The auditor must consider and determine the nature of audit procedures (ISA 330,
paragraphs A4, A5, A9 to A10).

Notes:
“Nature” refers to the type of audit approach and purpose and type of audit
procedures to be performed (ISA 330, paragraphs A4 and A5).
The auditor should consider an appropriate audit approach based on the identification
and assessment of risks at the assertion level (ISA 330, paragraph A4).
The auditor can decide to follow either of the following approaches:
A combined audit approach: Both tests of controls and substantive procedures
(including tests of detail and analytical procedures) are performed. This approach
is followed when the auditor intends to rely on the operating effectiveness of internal
controls or when substantive procedures alone cannot provide sufficient appropriate
audit evidence.
A substantive procedure approach: Substantive procedures (including tests of
detail and analytical procedures) are performed. This approach is followed when
the risk assessment procedures have not identified any effective controls relevant to
the assertion or because testing controls would be inefficient.
Remember, the auditor should always perform substantive procedures during an audit
and specifically for each material class of transactions, account balance and disclosure.
Additional comments:
Both tests of controls and substantive procedures should be performed for some
assessed risks, especially if the assessed risk is high (ISA 330, paragraph A9).
Depending on the assertion, some audit procedures may be more appropriate
than others; for example, tests of controls may be more appropriate to support the
completeness assertion for revenue, whereas substantive procedures may be more
appropriate to support the occurrence assertion of revenue (ISA 330, paragraph A9).
The auditor will then follow a combined audit approach.

102
 Sometimes it is sufficient to perform only substantive analytical procedures, especially
if the assessed risk is lower (ISA 330, paragraph A10). However, if the assessed risk is
lower because the internal controls are expected to be effective, the auditor performs
tests of controls to confirm or refute this expectation and bases his or her substantive
procedures on the results of the tests of controls.

• The auditor needs to consider and determine the timing of audit procedures (ISA 330,
paragraphs A6, A11 to A14).

Notes:
Timing refers to when audit procedures should be performed (ISA 330, paragraph A6).
The auditor can perform audit procedures as follows:
• Before year-end (interim); or
• At and after-year-end; or
• Prior to year-end (early verification) with roll forward at year-end; or
• Both at the interim stage and after year-end.
Additional comments:
If the risk of material misstatement is high, it will be more effective for the auditor to
perform substantive procedures near to or at year-end (ISA 330, paragraph A11).
In some cases, especially where fraud risks have been identified, the auditor might
even perform audit procedures unannounced or at unpredictable times (ISA 330,
paragraph A11).
The advantage of performing audit procedures before year-end is that the auditor
might be able to identify significant matters. However, it should be noted that certain
procedures can only be performed after year-end (ISA 330, paragraphs A12 and A13);
for example, requesting a confirmation of the year-end bank balance from the bank.

• The auditor needs to consider and determine the extent of audit procedures (ISA 330,
paragraphs A7, A15 to A19).

Notes:
“Extent” refers to how many audit procedures you will perform and in how much
detail these will be performed (ISA 330, paragraph A7).
This refers to the number of tests of detail and/or analytical procedures you will perform;
for example, if the audit client has a strong control environment you may perform tests
of controls, with fewer tests of detail and more analytical procedures.
Additional comments:
If the risk of material misstatement is assessed as high, the extent of audit procedures
increases (ISA 330, paragraph A15).

103 AUE3701/1
 Activity 1

Answer the following questions:

(1) How will you, as the auditor, respond to identified risks of material misstatement
at the financial statement level?
(2) How will you, as the auditor, respond to identified risks of material misstatement
at the assertion level?
(3) Describe three situations where an auditor may perform limited tests of controls.
(4) Is it true that analytical procedures can be used as risk assessment procedures and
as tests of controls? Explain your answer.

25 Feedback on Activity 1

(1) Refer to ISA 330, paragraphs .05 and A1 to A3.

(2) Refer to ISA 330, paragraphs .06 and .07.
(3) Limited tests of controls may be performed if …
• the risk assessment procedures indicate that the majority of internal controls do
not operate effectively; or
• fraud exists, for example if management overrides controls or where there is col-
lusion, or
• the cost of using a combined approach does not warrant the benefit gained.
(4) Analytical procedures can be used to assess risk but do not provide evidence of the
effectiveness of internal control. Analytical procedures are therefore not used as tests
of controls. In terms of ISA 330, paragraph 04, analytical procedures are classified as
substantive procedures.

Note: Assessment of this study unit is usually integrated with assessment of other
topics. Therefore, you should have a good understanding of these concepts
in order to answer questions at an applied and integrated level.
Now that you have a better knowledge of the nature, timing and extent of
audit procedures, refer to Activity 1 in study unit 3.8 and formulate the audit
plan again.

Tests of controls

Study

International Standard on Auditing (ISA), The auditor’s responses to assessed

risks (ISA 330), paragraphs 08 to 11 and the section dealing with performing
tests of controls in chapter 5 of Auditing Notes by Jackson and Stent.

104
Note the following in the above study sources:

• Auditors are required to perform tests of controls when the auditor’s risk assessment
includes an expectation that controls are operating effectively or when substantive
procedures alone do not provide sufficient appropriate audit evidence at the
assertion level (ISA 330, paragraph 08).
In some cases, the auditor may find it impossible to design effective substantive
procedures that by themselves provide sufficient appropriate audit evidence at the
assertion level; for example, bigger entities with numerous transactions or entities
using computers where no physical documents are produced or maintained. In such
cases, the auditor should perform tests of controls.

Tests of controls are only performed on those controls that the auditor has determined
are suitably designed to prevent, or detect and correct, a material misstatement
at the assertion level. This includes obtaining audit evidence about how controls
were applied at relevant times during the period under review, the consistency with
which they were applied and by whom or by what means they were applied (ISA
330, paragraph 10).

The auditor should perform tests of controls to obtain sufficient appropriate audit
evidence that the controls were operating effectively at relevant times during
the period under review.
• The timing of tests of controls depends on the auditor’s intended reliance on those
controls (ISA 330, paragraph 11). If the auditor tests controls at a particular time, he
or she only obtains audit evidence that the controls operated effectively at that time.
However, if the auditor tests controls throughout a period, he or she obtains audit
evidence of the effectiveness of the operation of the controls throughout that period.
• It is a matter of the auditor’s professional judgment, subject to the requirements
of the ISA, whether a control (individually or in combination with others) is relevant
to his or her considerations in assessing the risks of material misstatement as well as
designing and performing further procedures in response to assessed risks. Refer
to ISA 315, paragraph A69, for the factors relevant to the auditor’s judgement about
whether a control is relevant to the audit.

Activity 2

Answer the following questions:

(1) If the results from tests of controls demonstrate that the internal controls are
operating effectively, how will the auditor assess the levels of control risk and
detection risk?
(2) Can the auditor perform only tests of controls and no substantive procedures?
Explain your answer.

105 AUE3701/1
26 Feedback on Activity 2

(1) If the auditor determines that the internal controls are operating effectively, the level
of control risk will be assessed as low. In order to achieve an acceptable level of audit
risk, the auditor can accept a higher level of detection risk. (To refresh your memory
on the interaction between the components of audit risk, refer to your study guide
for AUE2601, study unit 3.6.)
(2) An auditor cannot perform tests of controls only and should always perform
substantive procedures. However, satisfactory results from tests of controls will reduce
the extent and nature of substantive procedures (Jackson & Stent).

Note: Tests of control concepts are explained later in this module (refer to study units
4.2 and 4.3). In order for you to formulate tests of controls you should have a
good understanding of the concepts explained above, as these concepts are
assessed with other topics on a more applied and integrated level.

Substantive procedures

Study

International Standard on Auditing (ISA), The auditor’s responses to assessed

risks (ISA 330), paragraphs 18 to 19 and A42 to A51, and the section dealing
with performing substantive procedures in chapter 5 of Auditing Notes by
Jackson and Stent.

Note the following in the above study sources:

• The auditor shall always design and perform substantive procedures for each
material class of transactions, account balance and disclosure (ISA 330, paragraphs
18 and A42 to A47).
• Remember, substantive procedures include analytical procedures and tests of detail
(refer to the definition again, ISA 330, paragraph 04).
• Timing: Substantive procedures can be performed at an interim date but the auditor
should perform further audit procedures to cover the remaining period (ISA 330,
paragraphs 22 to 23 and A54 to A58).
• Extent: If the risk of material misstatement is assessed as high and the results of the
tests of controls proves that the internal controls are not operating effectively, control
risk will be set as high, which will result in the need to reduce detection risk. The auditor
should therefore increase the extent of substantive procedures.
• If the auditor determines that a risk of material misstatement at the assertion level
is a significant risk, the auditor should perform substantive procedures that
specifically respond to that risk.

106
 Activity 3
Answer the following questions:
(1) How might the auditor change planned substantive tests if the tests of controls
indicate that the internal controls are not operating effectively?
(2) When will it be appropriate to only perform substantive analytical procedures?

27 Feedback on Activity 3

(1) The auditor should consider changing the nature and timing of substantive procedures
and increase the extent of substantive procedures (ISA 330, paragraph A46).
(2) When the auditor determines that the internal controls are operating effectively,
he or she may choose to perform only analytical substantive procedures (ISA 330,
paragraph A43).

Note: Substantive procedure concepts are explained in Module AUE3702.

In order to formulate substantive procedures, you should have a good
understanding of the concepts explained above, as these concepts are
assessed with other topics on a more applied and integrated level.

Summary

This study unit explained the auditor’s response to assessed risks. The auditor
must design and implement overall responses to address assessed risks of
material misstatement at the financial statement level. On the other hand,
assessed risks of material misstatement at the assertion level should be
addressed by designing and performing further audit procedures (tests of
controls and substantive procedures) of which the nature, timing and extent
are based on and responsive to the assessed risk.

Now that you have an overall understanding of the auditor’s responses

to assessed risks, we can go to the next step, which is formulating audit
procedures. In that module we explain test of control concepts so that
you will be able to formulate tests of controls for all the business cycles.
Substantive procedure concepts will be explained in the other third-year
auditing module (AUE3702).

13 Self-assessment
After working through the study unit and the references to the prescribed study material,
determine if you can do the following:

107 AUE3701/1
 (1) Apply the general concepts related to the auditor’s responses to risk to information
provided in a scenario, and describe which audit procedures you would implement
and perform to address identified risks.

STUDY UNIT 4.2

TEST OF CONTROL CONCEPTS IN A MANUAL
ENVIRONMENT

LEARNING OUTCOMES:

In this study unit we focus on the following learning outcome:

• Formulate tests of controls to test the manual internal controls

provided in a scenario.

INTRODUCTION
In the previous study unit you learned that the auditor must design and implement
responses to address assessed risks of material misstatement at the financial statement
level and at the assertion level. We explained that the auditor designs and implements
overall responses to address assessed risks of material misstatement at the financial
statement level and performs further audit procedures (tests of controls and substantive
procedures) to address assessed risks of material misstatement at the assertion level.

The aim of this study unit is to explain to you how tests of controls should be formulated
when testing manual internal controls. But first, you need to refresh your memory on
auditing principles that you studied in your second year of auditing, related to assertions
and audit evidence.

Study

1. International Standard on Auditing (ISA), Identifying and assessing the risks of material
misstatement (ISA 315) A127 to A130, the section dealing with financial statement
assertions in chapter 5 of Auditing Notes by Jackson & Stent (5/23 to 5/25) and your
second-year study material (refer to AUE2601, study units 1.5 and 3.3).

108
 Note the following in the above study sources:
• There are two categories into which assertions can be divided, namely:
– Classes of transactions and events
– Account balances and related disclosure
2. International Standard on Auditing (ISA), Audit evidence (ISA 500) paragraphs A2,
A10, A11 and A14 to A25 and the section dealing with the auditor’s toolbox in chapter
5 of Auditing Notes by Jackson and Stent.

Note the following in the above study sources:

• Audit evidence is necessary to support the auditor’s opinion and report (ISA 500,
paragraph A1). Audit evidence is obtained by performing:
– Risk assessment procedures
– Further audit procedures, namely tests of controls and substantive procedures
(ISA 500 paragraph A10)
• Audit procedures to obtain audit evidence include:

Used to perform tests of controls and/or sub-

Audit procedures
stantive procedures?

Inspection Tests of controls

Substantive procedures
Observation Mostly tests of controls
Limited substantive procedures (for example,
observe the inventory count)
External confirmation Substantive procedures
Recalculation Substantive procedures
Reperformance Tests of controls
Substantive procedures
Analytical procedures Substantive procedures
Inquiry Tests of controls
Substantive procedures

(ISA 500, paragraphs A2, A11 and A14 to A25)

Activity 1

(1) Attempt Activity 15 in study unit 1.5 of AUE2601 again to refresh your memory.
(2) Attempt Activity 7 in study unit 3.3 of AUE2601 again to refresh your memory.
(3) Attempt Activity 9 in study unit 3.4 of AUE2601 again to refresh your memory.

109 AUE3701/1
28 Feedback on Activity 1

Refer to the feedback to the relevant activities in AUE2601.

How should tests of controls be formulated?

Now that you have refreshed your memory on assertions and audit procedures that can
be performed to gather audit evidence, we will explain how a test of control is formulated
to test manual internal controls.

How should a test of control be formulated?

• A test of control to test a manual internal control should address the following:
– HOW: This is the verb that describes the action to be performed. You will find these
verbs (audit procedures) in ISA 500, paragraphs A14 to A25. Remember that
the audit procedures mentioned in paragraphs A14 to A25 may be used as risk
assessment procedures, tests of controls or substantive procedures, depending
on the context in which they are applied by the auditor.
• Inspection: A good example is the inspection of reconciliations for
evidence of a signature as authorisation.
• Observation: An example is when the auditor observes the inventory
count control activities. Observation is not the best audit procedure, as it
is limited to the point in time at which observation takes place. Be careful
not to “observe” a document. Documents should be “inspected”.
• External confirmation: Not used when testing a control, only for
substantive procedures.
• Recalculation: Not used when testing a control, only for substantive
procedures.
• Reperformance: This is when the auditor reperforms a specific control
procedure carried out by the client, for example reperforming the monthly
bank reconciliation to confirm that the internal control of balancing the
cash book and the balance per the bank statement has been properly
carried out. Reperformance is also considered to be a dual-purpose test.
• Analytical procedures: Not used when testing a control, only for
substantive procedures.
• Inquiry: On its own, inquiry is not considered sufficient and therefore it
can be used in combination with other audit procedures. An example is
to enquire from the credit controller what functions each member of his
or her department carries out and what control procedures are in place.

110
From the explanations above, it is clear that you perform tests of controls mainly by inspection,
observation, reperformance and inquiry. Inspection and reperformance are the best tests
of controls to perform; alternatively, if evidence of an internal control cannot be obtained
by inspecting or reperforming, the auditor can consider whether he or she can observe or
inquire that the internal control is performed correctly.
– WHAT: Here you should make reference to the source document (e.g. the reconciliation
on which the signature is made) and/or the action (control) being performed
(e.g. counting the inventory).
– WHY: This describes the reason for performing a test of control. The internal control
objectives are referred to in ISA 315, paragraph A109)
Occurrence and authorisation:
• Occurrence: All recorded transactions and events that actually occurred
and pertain to the entity.
• Authorisation: This objective is mentioned in ISA 315, paragraph A109,
and simply means that all transactions are authorised in accordance with
entity/management policies.
Completeness and accuracy:
• Completeness: All transactions and events have been recorded.
• Cut-off: Transactions and events have been recorded in the correct
accounting period.
• Accuracy: Amounts and other data relating to recorded transactions and
events have been recorded appropriately.
• Classification: Transactions and events have been recorded in the proper
accounts.
(For further reference and guidance refer to ISA 315, paragraph A129 pertaining to the
assertions).
The following is an example of a well-worded test of control:
Example 1:
Inspect the clock card summary reconciliation for the manager’s signature as evidence of
approval.
• Inspect = HOW = verb = ISA 500, paragraph A14
• Clock card summary reconciliation = WHAT = source document
• For the manager’s signature as evidence of approval = WHY = reason = authorisation
= ISA 315, paragraph A109

Activity 2
Formulate tests of controls to test the following internal controls:
(1) Sales invoices are numbered sequentially.
(2) Ordered goods are delivered to the designated goods receiving section in the
presence of the receiving clerk, who physically counts the goods received and

111 AUE3701/1
 compares the quantity, quality and description with the delivery note and purchase
order.
(3) The acquisition manager signs all the orders before sending these to the suppliers.
(4) Outstanding orders are followed up by the administrative clerk in the acquisitions
department.
(5) During the stock count the store clerk physically compares the quantity of inventory
items on the inventory sheet with the counted items on the floor.

29 Feedback on Activity 2
(1) Inspect that invoices are numbered in sequence to confirm that all sales transactions
are recorded.
• Inspect = HOW = verb = ISA 500, paragraph A14
• Sequence of invoices = WHAT = source document
• To confirm that all sales transactions are recorded = WHY = reason = completeness
(2) Observe that the receiving clerk physically counts the goods received and compares
the quantity, quality and description to the delivery note and purchase order.
• Observe = HOW = verb = ISA 500, paragraph A17
• That the receiving clerk physically counts the goods received = WHAT = action
or control being performed
• And compare the quantity, quality and description to the delivery note and pur-
chase order = WHY = reason = accuracy
(3) Inspect a sample of orders for the signature of the acquisition manager for proof of
authorisation.
• Inspect = HOW = verb = ISA 500, paragraph A14
• A sample of orders = WHAT = source document
• For the signature of the acquisition manager for proof of authorisation = WHY =
reason = authorisation = ISA 315, paragraph A109
(4) Enquire whether outstanding orders are followed up by the administrative clerk to
confirm that all orders are received.
• Inquire = HOW = verb = ISA 500, paragraph A22
• Whether outstanding orders are followed up by the administrative clerk = WHAT
= action or control being performed
• To confirm that all orders are received = WHY = reason = completeness of orders

Note: if the internal control states that the administrative clerk should sign the register
for outstanding orders as proof that the orders are followed up, the auditor
should rather inspect the signature in the register to confirm that the action is
being performed, instead of enquiring. Remember inspection is a better test of
control than enquiring.

(5) Reperform the stock count by selecting a sample of inventory items from the inventory
sheet and comparing the quantity on the inventory sheet with the quantity of items
on the floor to test for existence of inventory.
• Reperform = HOW = verb = ISA 500, paragraph A20
• The stock count by selecting a sample of inventory items from the inventory sheet
and compare the quantity on the inventory sheet with the quantity of items on
the floor to test = WHAT = action or control being performed
• For existence of inventory = WHY = reason = existence

112
 Well done! You should now have a better understanding of how to formulate a test of control
to test manual internal controls.

Summary

This study unit explained how tests of controls are formulated to test manual
internal controls. In the next study unit we explain how tests of controls are
formulated to test automated internal controls.

14 Self-assessment

After working through the study unit and the references to the prescribed study material,
determine if you can do the following:

(1) Formulate tests of controls to test the manual internal controls provided in a
scenario.

STUDY UNIT 4.3

TEST OF CONTROL CONCEPTS IN AN AUTOMATED
(COMPUTERISED) ENVIRONMENT

LEARNING OUTCOMES:

In this study unit we focus on the following learning outcome:

• Formulate tests of controls to test the manual and automated internal

controls provided in a scenario.

INTRODUCTION
In the previous study unit you learned how to formulate tests of controls. Tests of controls
are formulated by referring to HOW, WHAT and WHY. The aim of this study unit is to
explain how tests of controls are formulated in an automated (computerised) environment.
The underlying concepts of formulating tests of controls remain unchanged when testing

113 AUE3701/1
automated (computerised) controls; the only difference is that the auditor can use the
computer to perform certain tests of controls.

It is highly unlikely that you will ever audit in a fully manual environment. However, even
though controls in today’s business environment tend to be more automated, there will
always still be some manual controls. This means that testing manual controls will never
fall away, even if an entity has sophisticated automated controls. The only difference
when auditing in an automated environment is that in addition to testing manual controls,
the auditor may also use test data and other computer-assisted audit techniques (CAATs)
to test automated controls. However, you must be careful, as this does not mean that
automated controls are only tested by means of test data or CAATs. Activity 1 illustrates
this principle.

You should already know that controls can be both manual and automated. In order
to understand and apply test of control concepts in an automated (computerised)
environment, make sure that you have a good knowledge and understanding of the
manual and automated controls that you studied previously.

Study

The relevant sections under the heading “Computer-assisted audit techniques

(CAATs)”, namely “Introduction”, “How do CAATs fit into the audit process?”,
“System-orientated CAATs” and “Factors which will influence the decision
to use CAATs” in chapter 8 of Auditing Notes by Jackson and Stent.

Note the following in the above study sources:

• The auditor may use CAATs to perform audit procedures in an automated

(computerised) environment.
• The auditor should consider certain factors when deciding whether or not to use
CAATs.
• The auditor should decide whether to audit around the computer, through
the computer, with the computer or to combine some of these approaches.
• The auditor may use system-orientated CAATs to test the automated internal
controls in an automated (computerised) environment.

Remember that general and application controls consist of both manual (user) and
automated/computerised (programmed) controls. As you already know, manual controls
can be tested by inspection, observation, enquiry and reperformance. Automated controls
can be tested by means of system-oriented CAATs using test data, an integrated test facility,
parallel simulation or embedded audit facility. In this module you are mostly required to
test automated controls using test data.

114
 HOW SHOULD A TEST OF CONTROL BE FORMULATED USING TEST DATA?

How should a test of control be formulated to test automated internal controls?

A test of control using test data should address the following:
• HOW: This is the verb that describes the action to the performed. Previously we
identified the action verbs as inspection, observation, external confirmation,
recalculation, reperformance, analytical procedures and enquiry. We also noted
that you perform tests of controls by inspecting, observing, reperforming and
enquiring. When you are testing an internal control by means of test data, you are
reperforming the internal control to establish whether it is working effectively.
You will start most of your sentences with “Attempt to …”
• WHAT: Here you should refer to the action (control) being performed (e.g. “gain access
to the system by entering a fictitious username and password”).
• WHY: This describes the reason for performing a test of control. Your test data may
either be valid or invalid. With valid test data your action should be accepted
and with invalid test data your action should be rejected.
The following are examples of well-worded tests of controls using test data:
Example 1:
Attempt to gain access to the sales system by entering a fictitious username and password
and confirm that it is rejected.
• Attempt to = HOW = reperformance when using test data
• To gain access to the sales system by entering a fictitious username and password =
WHAT = action being performed
• And confirm that it is rejected = WHY = reason = authorisation
Example 2:
Attempt to gain access to the sales system by entering a valid username and password and
confirm that it is accepted.
• Attempt to = HOW = reperformance when using test data
• To gain access to the sales system by entering a valid username and password = WHAT
= action being performed
• And confirm that it is accepted = WHY = reason = authorisation

As previously mentioned a business environment often has both manual and automated
internal controls. Therefore, when we ask you to formulate tests of controls we often give
you a scenario containing both manual and automated controls, and you have to decide
whether to test these by means of inspecting, observing, reperforming or enquiring, or
by using test data, which is classified as reperforming an internal control. Remember
that you never test manual controls by means of test data. Test data is only used to test
automated controls.
Let us look at the following activity.

115 AUE3701/1
Activity 1

You are a first-year trainee accountant on the audit of Zimbatu Lodge (Pty) Limited
(Zimbatu), a very popular game reserve situated in Limpopo.
In preparation for the audit for the year ended 31 December 20xx, your audit senior
presents you with the following information on the reservations system of Zimbatu.
Reservations
Zimbatu has 150 units that are rented out to holidaymakers. The tariffs per person per
unit for this financial year vary according to the season, as follows:

Season Tariff per person Tariff per person sharing

Peak season R2 300 R1 900

Mid-season R2 000 R1 600

Off-peak season R1 700 R1 300

These tariffs are updated annually. The marketing director determines the dates of
the different seasons at the beginning of each year. These dates and the correspond-
ing tariffs are captured on the masterfile and approved by the marketing director by
entering his username and password.
Zimbatu uses an online reservation system. Potential holidaymakers can make a reserva-
tion request telephonically by phoning a toll-free number. One of the operators, who
staffs the terminals seven days a week from 08:00 to 19:00, will look up the availability
of a unit for the specific dates online on the system and key in the booking online if
the unit is available. The online capturing requires the operator to enter his username
and password to gain access to the reservation system before completing the com-
pulsory fields such as the date of reservation, the dates of arrival and departure, the
client’s particulars and the unit number on the reservation form. Reservation forms are
automatically numbered sequentially by the system. The reservation system automati-
cally completes the tariff for the unit number according to the dates captured on the
masterfile. The reservation system also calculates the total amount owing as well as
the deposit payable by the holidaymaker. Once the online reservation is completed,
each reservation form is posted to the masterfile.
The computer is set up to automatically print an activity report of access gained and
unsuccessful attempts to access the reservation system at the end of each day to a
printer only accessible to the financial director. The financial director is responsible for
following up on unauthorised access attempts that are indicated on the activity report.
A deposit of 50% must be made directly into Zimbatu’s bank account one week from
the date of making the reservation. A bank statement, which is obtained by means of
an internet link, is printed daily by the accounting department. Accounting staff cap-
ture deposits received onto the reservation system on a daily basis. If a deposit is not
captured within two weeks, the system automatically cancels the booking. Deposits
received after two weeks, for which the system has already cancelled the booking, are
refunded to clients by means of internet banking services.

116
 REQUIRED
Formulate the tests of controls that you will perform to evaluate Zimbatu’s manual
and automated internal controls over the online capturing of reservations. If you use
audit procedures using test data to test the automated controls, limit your answer to
invalid test data.

30 Feedback on Activity 1

To assist you in answering the question, we have listed the following guidelines:
• You are required to formulate tests of controls to test both manual and
automated internal controls.
– This means that you can test the manual controls by inspecting, observing,
reperforming and enquiring.
– Some of the automated controls can be tested by means of using test
data. Remember the question requires you to only describe invalid test
data. It is also important to note that some automated internal controls can
be tested by means of inspecting, observing, reperforming (including by
means of test data) and enquiring. Refer to the solution for such examples.
• Make sure that you do not include any substantive procedures in your question.
• Relate your answer to the information provided in the question. This means
that you should only test the internal controls described in the question.

When answering this question, your first step is thus to identify the internal controls given
in the question. Therefore, highlight all the applicable manual and automated controls in
the scenario and then attempt to formulate your audit procedures.

To assist you in identifying the manual and automated internal controls in the
scenario, we have included the scenario again and underlined the manual internal
controls. The automated internal controls are highlighted.

You are a first-year trainee accountant on the audit of Zimbatu Lodge (Pty) Limited (Zimbatu),
a very popular game reserve situated in Limpopo.
In preparation for the audit for the year ended 31 December 20xx, your audit senior presents
you with the following information on the reservations system of Zimbatu.

Reservations
Zimbatu has 150 units that are rented out to holidaymakers. The tariffs per person per unit
for this financial year vary according to the season as follows:

Season Tariff per person Tariff per person sharing

Peak season R2 300 R1 900

Mid-season R2 000 R1 600

Off-peak season R1 700 R1 300

117 AUE3701/1
These tariffs are updated annually. The marketing director determines the dates of the
different seasons at the beginning of each year. These dates and the corresponding tariffs
are captured on the masterfile and approved by the marketing director by entering his
username and password (automated authorisation controls – refer to test of control 1
below).
Zimbatu uses an online reservation system. Potential holidaymakers can make a reservation
request telephonically by phoning a toll-free number. One of the operators, who staffs the
terminals seven days a week from 08:00 to 19:00, will look up the availability of a unit for the
specific dates online on the system and key in the booking online if the unit is available. The
online capturing requires the operator to enter his username and password to gain access
(automated access controls – refer to test of control 2) to the reservation system before
completing the compulsory fields (all fields should be completed otherwise the system
will not continue – refer to test of control 3) such as the date of reservation, the dates of
arrival and departure, the client’s particulars and the unit number on the reservation form
(the required fields that should be completed are provided, which means that tests of
controls can be performed on the fields to ensure that the fields are captured correctly
– refer to tests of controls 4 and 5). Reservation forms are automatically numbered
sequentially (automated numbering – refer to 6) by the system. The reservation system
automatically completes the tariff (automated control – refer to 7) for the unit number
according to the dates captured on the masterfile. The reservation system also calculates
(automated control – refer to 8) the total amount owing as well as the deposit payable
by the holidaymaker. Once the online reservation is completed, each reservation form is
posted to the masterfile.
The computer is set up to automatically print an activity report of access gained
and unsuccessful access attempts (automated control – refer to 9) to the reservation
system at the end of each day to a printer only accessible to the financial director
(automated access controls – refer to 10). The financial director is responsible for following
up on unauthorised access attempts (manual control refer to 11) as indicated on the
activity report.
A deposit of 50% must be made directly into Zimbatu’s bank account one week from the date
of making the reservation. A bank statement, which is obtained by means of an internet link,
is printed daily by the accounting department. Accounting staff capture deposits received
onto the reservation system on a daily basis. If a deposit is not captured within two weeks,
the system automatically cancels the booking (automated control – refer to 12). Deposits
received after two weeks, for which the system has already cancelled the booking, are
refunded (manual control – refer to 13) to clients by means of internet banking services.
Solution
(1) Attempt to approve the dates and tariffs on the masterfile by entering a fictitious
username name and password.
(2) Attempt to gain access to the reservation system in order to capture a reservation by
entering a fictitious username and password.

Comments:
Students often make the mistake of testing a principle more than once and then
expecting to get more than one mark. For example, students write:
• Attempt to gain access to the reservation system by entering a fictitious
username.
• Attempt to gain access to the booking system by entering a fictitious password.
When you test one principle – in this case the access control – you only receive one
mark. Both the above answers describe audit procedures testing the access controls
to the reservation system; therefore we only award the mark once.

118
 (3) Attempt to capture an online reservation form but leave out one of the compulsory
fields (e.g. the unit number) and confirm that this has been rejected.
(4) Attempt to enter alphabetical characters or numerical digits where none should
exist. For example, enter alphabetical characters when completing the date, and unit
numbers or numerical digits when entering the client’s name and details.
(5) Attempt to enter negative amounts where none should exist (e.g. the unit number).
(6) Inspect the reservation forms and confirm that they are issued in sequence for
completeness. (Note: Even though the reservation forms are numbered automatically,
and thus it is an automated internal control, you may test the control by means of
inspecting. As mentioned before, not all automated controls are tested by means of
test data).
(7) Note: The reservation system automatically completes the tariff, which means that
the control is automated. Some automated controls can be tested both by
means of CAATs using test data and by inspecting, observing, reperforming
or enquiring. The control mentioned in the scenario can be tested as follows
(1½ mark each):
• Attempt to change the tariff by overriding the automatic generation of the correct
tariff for a unit on the reservation form.
• Reprocess a number of reservation forms and follow the tariff that automatically
appears through to the tariff list according to the masterfile.
• Inspect the tariffs on a sample of reservation forms for different seasons to con-
firm that the tariffs remained unchanged for the past 12 months, as tariffs on the
masterfile are updated annually.
(8) Reperform the calculation of the “total amount owing” and “deposit payable” fields
calculated by the computer to ensure accuracy.
(9) Note: The reservation system automatically prints the activity reports, which means
that the control is automated. Even though some automated controls are tested
by means of CAATs, for example test data, some automated controls cannot
be tested by this means. You can, however, enquire or observe whether the
activity reports are printed each day. The control mentioned in the scenario
can be tested as follows (1½ mark):
• Enquire whether an activity report on access gained to the reservation system is
printed at the end of each day.
(10) Print the activity report on access gained to the reservation system to a printer that is
accessible to someone other than the financial director.
(11) Inspect a sample of activity reports to confirm that (1½ marks each) …
• only authorised users have access to the reservation system.
• unauthorised attempts to access the reservation system have been followed up
by the financial director.
(12) Note: The reservation system automatically cancels the booking, which means that
the control is automated. Even though some automated controls are tested
by means of CAATs, for example test data, some automated controls cannot
be tested by this means. The control mentioned in the scenario can be tested
as follows:
• Inspect a sample of reservation forms for which the 50% deposit was not made
within two weeks, and confirm that the reservations have automatically been
cancelled.
(13) Inspect bank statements to confirm that all deposits made after two weeks have been
refunded to the clients.

119 AUE3701/1
Summary

This study unit explained how tests of controls are formulated in an automated
(computerised) environment. In topic 6 of this module we require you to

120
 formulate tests of controls in each of the different business cycles, using
the knowledge that you obtained in this study unit and in the previous one.
Remember that in most cases there will be both manual and automated
controls. But first you need to revise the internal control aspects from a
management perspective in topic 5.

15 Self-assessment

After working through the study unit and the references to the prescribed study material,
determine if you can do the following:

(1) Formulate tests of controls to test the manual and automated internal controls
provided in a scenario.

121 AUE3701/1
TOPIC 5
Internal control concepts

In the previous topic, test of control concepts in a manual and an automated environment
were explained. This topic should be seen as a “stand-alone” topic that focuses on the
revision of internal control aspects from a management perspective. This topic also
explains certain internal control aspects in more detail.
This topic is important because an auditor needs to be able to …
• identify “good” controls (controls that will prevent, correct, detect a material
misstatement in the financial statements), in order to test those controls. Testing of
controls in the various business cycles will be dealt with in topic 6.
• identify weaknesses in internal control systems in order to determine the risks associated
with these weaknesses. An assessment of these risks will ultimately influence the
auditor’s audit strategy and plan. The overall audit strategy and audit plan was dealt
with in study units 3.7 and 3.8.

THIS TOPIC IS PRESENTED IN ONE STUDY UNIT:

Study unit Title

5.1 Internal control systems from a management perspective

Learning outcomes
The learning outcomes of this study unit are set out in the separate study unit.

122
STUDY UNIT 5.1
INTERNAL CONTROL SYSTEMS FROM A
MANAGEMENT PERSPECTIVE

LEARNING OUTCOMES:

In this study unit we focus on the following learning outcomes:

• Relate internal control objectives to internal controls for manual and
automated (computerised) systems.
• Relate risks to internal control weaknesses in manual and automated
(computerised) systems.
• Identify weaknesses in internal control systems and recommend
improvements (for both manual and automated (computerised)
systems).

INTRODUCTION
In this study unit we will:
• Revise the internal control aspects that you studied in AUE2602.
• Explain in more detail certain internal control aspects from management’s perspective.
• Include internal control-related activities at a more advanced level than those included
in the AUE2602 module.

Revision

INTERNAL CONTROL ASPECTS RELEVANT TO MANAGEMENT

In AUE2602 the following internal control aspects relevant to management were discussed:
• Definition of internal control
• The various internal control objectives. Note the following:
– Internal control objectives can only be achieved with the aid of management’s
internal controls.
– If a client has a reliable accounting system and sound internal controls in place,
the information generated by the system will be more reliable. This implies that

123 AUE3701/1
 recorded transactions are accurate and complete, and have actually occurred and
been authorised (i.e. satisfy all the internal control objectives).
– The internal control objectives do not change in an automated (computerised) in-
formation system (CIS) environment. The primary requirement is that the financial
information generated by the system should be authorised, should have occurred,
and should be complete and accurate. The nature of the internal controls for CIS
can, however, differ considerably from internal controls for manual systems.
Internal control in a CIS environment is achieved by implementing and maintaining
general controls and application controls together with manual controls. The
objective of general controls is to ensure that the computer system is properly
developed, implemented and maintained, while the objective of application controls
is to ensure the authorisation, occurrence, completeness and accuracy of transactions
and data.
• The relationship between internal control objectives and the financial statement
assertions
• The limitations of internal control
• The controls in a manual and an automated (computerised) environment within
the various transaction cycles. Note that general and application controls are elaborated
upon later in this study unit.
• The relationship between operational (business) risks and internal controls. Note
the following: a client implements internal controls in order to mitigate operational
(business) risks that may influence the fair presentation of its financial statements.
• General controls cover the entire CIS environment within which each set of application
controls functions. General controls are related to all applications and provide a
framework within which the CIS department exercises control over the development,
operation and maintenance of individual applications (as shown in the figure below).

124
From the above it is evident that general controls have a pervasive influence on the
environment in which application controls operate. Any weakness in the general controls
could have an effect on all applications, unlike defects in the application controls, which
only have an effect on the specific application.

• Application controls are user and programmed controls (explained later in a table)
and are embedded in each of the data-processing functions, namely input, processing,
masterfile maintenance and output.
The aim is to ensure an acceptable level of control in every CIS. Application controls are
designed to achieve the same control objectives as the controls in manual systems do.
The specific application controls vary in accordance with the type of accounting system
and the input and processing methods used.

The following table explains the difference between user controls and programmed
controls.

125 AUE3701/1
 Controls Definition Example

User controls Controls performed These manual controls are performed

manually by the users with the use or assistance of a computer.
Examples include:
• a person using an exception report
generated by the computer to follow
up on exceptions
• a person authorising reconciliations on
the computer via a unique password

Programmed controls Controls embedded These controls are embedded in computer

in the application programs.
program code and Examples include:
applied by the
• access controls on the computer, e.g.
computer
user names and passwords
• programme checks, e.g. limit checks,
range checks, size checks, etc.
• exception reports generated by
the computer, etc.

• Batch input versus on-line input

Do you recall that input of data can be either batch input or on-line input?

These two methods can be described as follows:

Batch input

Batch input depends on two steps: data preparation and the keystroke entry of data.

Data preparation is an off-line process in batch entry systems by means of which …

• data is manually captured, which includes initiating, recommending, authorising
and preparing documentation for the transaction;
• data is collected into batches for input into the computer.
The keystroke entry of data is a process in which data is keyed in, converted and
encoded in machine-readable form and held in a transaction file on the computer
system. During this process a series of programmed application controls are applied
to make certain that the data is reliable and correct before it is processed.
On-line input
Transaction data is entered, via a keyboard, immediately as each transaction occurs.
With on-line input, batch data preparation is not required and the control approach
required differs from the approach required for batch input. The on-line input approach
involves immediate data validity testing and batch controls that operate after (instead
of before) input.

126
 Note that in a question relating to application controls it is important to first determine
the type of data-processing method used, as this will influence the various application
controls applicable to the scenario.
• Application controls applicable to masterfile amendments, input, processing
and output
Although Jackson and Stent and AUE2602 make reference to various application
controls, Attachment 1 includes additional application controls that you should
study as part of your exam preparation.
• Explanation of application controls with reference to an example
Certain of the application controls are applicable to a combination of masterfile
amendments, input, processing and output. For example, the screen aid that requires
the minimum keying of information is applicable to masterfile amendments, the
keystroke entry of data and online input. This is illustrated by the following extract
from Attachment 1:

Batch
Input
Masterfile amendments

Keystroke entry of data

Preparation of data

Online input

Processing

Output
Screen aids

Keying in of the minimum information   

ln Attachment 2 we supply only one example that pertains to either masterfile amendments
or the keystroke entry of data or online input. After the example, the relevant aspect is
indicated in brackets. The following extract from Attachment 2 serves as an example:

127 AUE3701/1
 Explanation of control with reference to an
Control
example
Keying in of the minimum information lf a sales invoice is keyed in, the client’s name
and address will automatically appear as soon
as the client number is keyed in. Because the
name and address appear automatically, possible
transcription errors are avoided.
(Keystroke entry of data)

Furthermore, the application controls included in Attachment 1 contribute to the

achievement of management’s control objectives: accurate and complete recording and
processing of transactions that have actually occurred and have been authorised. Please
bear in mind that the objectives of output controls differ slightly from input, processing
and masterfile amendments, as output control objectives relate to the correct and
confidential distribution of output, as well as the accuracy and the completeness thereof.

By now you should have an in-depth knowledge and understanding of each of the
previously mentioned control objectives. If you understand these, you should be able
to link an application control to one or more (if applicable) of these control objectives; in
other words, you should know what the purpose of the application control is.

ln Attachment 2, after the example, the control objective achieved by the relevant
application control is indicated in brackets. The following extract from Attachment 2
serves as an example:

Explanation of control with reference to an

Control
example

Keying in the minimum information lf a sales invoice is keyed in, the client’s name
and address will automatically appear as soon
as the client number is keyed in. Because the
name and address appear automatically, possible
transcription errors are avoided.
(Keystroke entry of data – accuracy)

Please note: Although Jackson and Stent and AUE2602 do not make specific reference
to the application controls that achieve the various control objectives,
in the assignments and examination you will be expected to know the
specific purpose, i.e. control objective of an application control.

The activities that follow illustrate the learning outcomes that you need to master for
this study unit.

128
Activity 1: Application controls and control objectives

ABC Auditors has been appointed as the external auditor of Cell2Me Limited (Cell2Me).
The company’s year-end is 30 June. You are the audit senior in charge of the audit of
Cell2Me. Cell2Me’s business involves selling a standard range of cellphone accessories.

Background information on internet sales

Cell2Me introduced its website, www.Cell2Me.co.za, which could be accessed from
01 January 20xx. This website makes online shopping for its cellphone accessories via
the internet available to the public. Cell2Me’s information technology (IT) department
developed the website, and will maintain and manage it. The IT department will
also be responsible for updating the masterfile for “cellphone accessory ranges and
prices”. The masterfile is integrated with the webpage to display the latest up-to-date
information to customers.

All orders placed over the internet will be processed and despatched from the head
office’s central warehouse, situated in Gauteng.

Client: Cell2Me Year end: 30 June 20xx

Prepared by: S Sing Preparation date: 16 July 20xx
Reviewed by: J Ross Review date: 18 July 20xx
Subject: System description of internet sales – information to
B1
be captured by registered customers on the webpage
Generating an order on the webpage
(1) A registered customer signs in by typing in his or her e-mail address and password
on the www.Cell2Me.co.za homepage.
(2) The webpage offers a catalogue of cellphone accessories and an ordering facility.
(3) The catalogue facility enables a customer to view pictures of the cellphone
accessories, corresponding prices and product codes, and to select accessories
to be placed in his or her online “shopping basket”.
(4) When a customer clicks on the “Check out” icon next to the shopping basket,
the sales system generates a sequenced order request where the customer
should only capture the quantity required for each of the selected accessories.
(5) If the customer is satisfied with the information detailed on the electronic order
request, he or she clicks on the “Accept order” icon.
(6) The following information should then be captured by the customer:
• credit card company
• credit card number (Cell2Me’s only payment option is credit card payment)
• expiry date of credit card
After providing the information required, the customer should click on the
“Pay now” icon.
(7) Thereafter, the following standardised message will appear on the screen:
“Thank you for supporting Cell2Me. Your order, reference number [a unique pre-
numbered internet sales order will be allocated to the customer], was processed
successfully. Your parcel will be couriered to your physical address within five
days. If you have any queries please do not hesitate to contact us at 072 445 6789.”

129 AUE3701/1
 REQUIRED
Refer to the information provided and working paper B1 entitled “System description of
internet sales – information to be captured by registered customers on the webpage”.
(a) Identify and give examples of automated application controls that should be
included on the www.Cell2Me.co.za webpage to ensure that orders captured by
customers occurred and are authorised (valid), complete and accurate.
(b) For each automated application control identified, describe the specific control
objective addressed.
Please note that your answer should not include a discussion of screen-aid
controls.
Present your answer as follows:

No (a) Automated (a) Example of (b) Control objective

application the automated (1 mark each)
control application control
(½ mark each) (1 mark each)

1. .................................. ..................................................... .............................................

(22½)
Communication skills (1½)

31 Feedback on Activity 1

a) Automated a) Example of b) Control objective

application control the automated (1 mark each)
(½ mark each) application control
(1 mark each)
Verification/validation The e-mail addresses To ensure that the
check and passwords captured customer is authorised
by registered customers to transact
should be validated and
compared against the
masterfile containing
registered customers’
e-mail addresses and
passwords.

130
a) Automated a) Example of b) Control objective
application control the automated (1 mark each)
(½ mark each) application control
(1 mark each)
Computer time-out If a customer fails to To ensure that
facilities capture information information captured on
on Cell2Me’s internet the website by registered
website for five minutes, customers occurred and
the customer should not was authorised
be allowed to continue
capturing information
until he or she has re-
entered his or her e-mail
address and password.
Automatic log-off if If a customer inputs To ensure that
incorrect password the incorrect password information captured on
provided after three more than three times, the website by registered
attempts the customer’s account customers occurred and
should automatically be was authorised
locked.
Dependency check When a customer clicks To ensure that
on the “checkout” icon information captured on
next to the shopping the website by registered
basket, and nothing is customers is complete
present in the shopping and accurate
basket, the sequenced
order request form
should not be displayed.
The computer will show
an error message and
prompt the customer
to first select cellphone
accessories to be placed
in his or her shopping
basket.

131 AUE3701/1
a) Automated a) Example of b) Control objective
application control the automated (1 mark each)
(½ mark each) application control
(1 mark each)
Reasonableness/ The computer should To ensure that orders
consistency check perform an instant check captured on the website
on the total quantity of by registered customers
cellphone accessories occurred and are
that a customer normally accurate and complete
orders (based on the
customer’s history). If a
customer usually orders
approximately five items,
the computer will display
a message querying the
entry of 1 000 items. The
customer will therefore
have a second chance to
ensure the 1 000 items
have been accurately
captured, or to make
a correction if he or
she made an error that
requires him or her to
recapture the quantity
field.
Limit check The quantity of To ensure that orders
cellphone accessories captured on the website
ordered should be no by registered customers
less than one. are accurate
Alpha-numeric check The quantity of cellphone To ensure that orders
accessories ordered captured on the website
should consist only of by registered customers
numeric characters. are accurate
OR
The credit card number
should consist only of
numeric characters.
OR
The credit card’s expiry
date should consist only
of numeric characters.
Valid character and sign The quantity of To ensure that
check cellphone accessories information captured on
ordered should contain the website by registered
only positive values. customers is accurate

132
a) Automated a) Example of b) Control objective
application control the automated (1 mark each)
(½ mark each) application control
(1 mark each)
Size check The credit card number To ensure that orders
should consist of only 16 captured on the website
characters. by registered customers
are accurate and
occurred
Mandatory field/missing If a customer fails to To ensure that orders
data check include his or her credit captured on the website
card number and clicks by registered customers
on the “pay now” icon, are complete
the computer should not
continue with processing
and should display an
error message.
OR
If a customer fails to
include his or her credit
card’s expiry date and
clicks on the “pay now”
icon, the computer
should not continue with
processing and should
display an error message.
OR
If a customer fails to
include the name of the
credit card company
and clicks on the “pay
now” icon, the computer
should not continue with
processing and should
display an error message.

133 AUE3701/1
a) Automated a) Example of b) Control objective
application control the automated (1 mark each)
(½ mark each) application control
(1 mark each)
Data approval/ As soon as the To ensure that orders
authorisation check delivery and payment captured on the website
information has been by registered customers
captured and the “Pay are accurate, that they
now” icon clicked by occurred and that they
the customer, Cell2Me are authorised
should obtain clearance
on the customer’s credit
card through a direct link
to the bank. The credit
card details should be
presented to the bank
and verified to determine
if the card has been
stolen or has expired,
and that the customer
has sufficient funds
available. If authorised,
payment will be
collected immediately. If
the bank’s authorisation
is not obtained, the
computer will display an
error message.
OR
The website and the
inventory accounting
software of Cell2Me’s
central warehouse
should be integrated
through a dedicated
online link. The
webpage’s “quantity”
field, which allows
customers to select the
number of cellphone
accessories to order,
should confirm that a
sufficient quantity of
inventory is still on hand.
If it is not available, the
computer should display
an error message and
request the customer
to order x items or
less according to the
inventory availability.

134
 a) Automated a) Example of b) Control objective
application control the automated (1 mark each)
(½ mark each) application control
(1 mark each)
Help function The website should To ensure that orders
have a “help function” captured on the website
available, where by registered customers
customers can perform are accurate
an online search for
“step-by-step” guidance
on specific areas that
they struggle with during
the capturing of an order
on the website.
(12 x 2½ = 30 marks; maximum 22½; 1½ marks communication skills; total 24
marks)

Comments on Activity 1
• Always read a question more than once to ensure you understand exactly what is
required from you. In this question an example was required, not a definition of
the control. If you misinterpreted the question and wrote down only definitions
instead of examples, ½ marks instead of full marks would have been allocated.
• You need to use the information from the scenario. When you explain the limit
check, for instance, you cannot use an example from payroll. You must use the
information provided, for example the number of cellphone accessories ordered
should not be less than one.
• It is important to name the programme checks exactly as indicated in Jackson &
Stent. You should also write full sentences and use clear language.
• You must understand the required part of the question. Programmed controls
are automated or computerised controls; hence only controls performed by
the computer are required.
• Note that programmed (automated) controls are all controls performed by
the computer, but programme checks are only those controls validating data or
information that is entered or processed.
• Only one example was required for each automated application control. The
additional examples have been provided for completeness to assist with your
understanding.
• Note that the control objectives had to be described. It is not sufficient to just
list the relevant term “occurred, authorised, accurate or complete”.
• The question specifically required that you should exclude a discussion of
screen-aid controls. You will therefore not earn marks for describing screen-aid
controls. Please do not describe information that was specifically excluded in
the “required” part – you will waste valuable time that could have been spent
on another question.

Activity 2 – Access controls

A friend of yours, Matthew Miller, recently came to see you for some advice. His busi-
ness, Screen Aids (Pty) Ltd, sells a range of television and computer-related products
such as computer games, spares etc.

135 AUE3701/1
 Currently customers (account holders only) phone orders through to Screen Aids (Pty)
Ltd, using the product catalogue that they are given by Screen Aids (Pty) Ltd. Order
clerks take down the details of the order by writing out a multipart internal sales order/
picking slip, which is then processed through picking and dispatch. As the business
has grown, this manual system has proved inefficient and more and more mistakes in
deliveries etc. have occurred. Matthew Miller sought the advice of a computer expert,
who suggested that Screen Aids (Pty) Ltd put a telesales system into operation. This
would involve training the existing sales order clerks in the use of computers. Each
clerk would be allocated to a terminal and would create the necessary documentation
on the computer.

Matthew Miller has asked you the following question:

(1) If we give each of the three buying clerks their own terminals, surely it increases
the risk of unauthorised orders being placed and our other system applications
on the network being accessed by unauthorised people. How do we control this?

REQUIRED
Respond to Matthew Miller’s question.

32 Feedback on Activity 2

The risk is increased but it can be controlled as follows:

Physical controls over the telesales

(1) The three order clerks and their terminals will be located in a “telesales” room, access
to which will be restricted by the installation of physical access controls, e.g. magnetic
card, key pad code etc.
(2) Access cards/codes will be given only to the order clerks and your sales manager.

Terminal identification and authorisation

(3) The buyers’ terminals could be “linked” only to those applications/modules to which
they need access, i.e. those applications relating to the taking of orders. This means that
even if someone manages to gain access to the system through the buyer’s terminals,
they will not be able to get into other applications, e.g. salaries, wages, etc.
Logical access
(4) The sales applications/sales order module will also be user-ID and password protected.
This means that anyone other than the three order clerks will have to identify themselves
to the system and enter their password.
(5) The computer will look at the user profile (which is stored on the computer) and if the
profile does not permit access to the sales application for that ID and password, the
person will not be able to create an internal sales order (ISO).
(6) In addition, access violations will be logged (recorded) by the computer and can be
followed up at a later date to try and identify who was trying to gain access.

(Source: Graded questions on Auditing 2012, Gower & Jackson, adapted)

136
Activity 3 – Improvements and control objectives

ABC Auditors has been appointed as the external auditor of Cell2Me Limited (Cell2Me).
The company’s year-end is 30 June. You are the audit senior in charge of the audit of
Cell2Me.
Business background of Cell2Me
Main business
Cell2Me’s business involves selling a standard range of cellphone accessories. The
company purchases these accessories directly from a local manufacturer, Supply4U
Limited (Supply4U), and stores the inventory at its head office’s central warehouse
situated in Gauteng.
Cellphone accessories are distributed from Cell2Me’s central warehouse to its four retail
branches located in Midrand, Durban, Cape Town and Bloemfontein.
Background information on franchise operations
For the financial year ended 30 June 20xx, the franchise division at the head office signed
one agreement only with a store in Bela-Bela that sells inventory on a cash basis only.
The terms of the agreement include that Cell2Me is entitled to a monthly franchise fee
of 2% of total sales made by the franchise.

137 AUE3701/1
Cell2Me’s audit committee notified the board that the external auditors should, as part
of their year-end audit, provide advisory services and evaluate the internal controls
implemented by the Bela-Bela franchise.

To maintain independence, another audit team and a partner who had never been
involved with Cell2Me in the past were assigned to perform the internal control review.
Among others, the following working paper was prepared:

Client: Cell2Me Year end: 30 June 20xx

Prepared by: S Mahlangu Preparation date: 12 July 20xx

Reviewed by: B Joubert Review date: 15 July 20xx

Subject: Franchise operations – internal control weaknesses at

A1
the Bela-Bela franchise store

After a system walkthrough test was conducted at the Bela-Bela franchise store
and an interview with the till supervisor, the following control weaknesses were
identified:
(1) There are five automated tills located at the back of the store, allowing cashiers
easy access to the restroom.
(2) The owner of the franchise supports the “going green” initiative. As a result,
cashiers recycle all their till slips after they have been printed, unless a customer
requests the slip. A security officer guards the five automated tills by rotating
every five minutes to another till. He or she ensures that a till slip is generated
for each sales transaction.
(3) When power failures occur, the cashier prepares a receipt on a blank piece of
paper and captures these receipts once the power has been restored.
(4) If the cashier rings up an item twice, he or she presses the “Void sale” button
on the keyboard of the automated till and scans the item to reverse the sales
transaction.
(5) Nobody takes over the functions of the till supervisor when he or she is absent
from work.
The franchise owner informed the audit team that he was prepared to
implement stricter internal controls, but his current cash flow situation would not
allow him to appoint additional staff or purchase additional assets.

REQUIRED Marks

Refer to the information provided and working paper A1, entitled “Franchise operations
– internal control weaknesses at the Bela-Bela franchise store”. Describe an improvement
and the specific control objective that will be achieved for each of the control weaknesses
identified.

Present your answer as follows:

Improvement Control objective

No
(1½ marks each) (1 mark each)

1. ............................................................. ............................................................. (12½)

Communication skills (1½)

138
33 Feedback on Activity 3

Improvement Control objective

No
(1½ marks each) (1 mark each)

1. The layout of the store should facili- To ensure that recorded sales are
tate the customer having to pass the complete (1)
automated tills in order to leave the To ensure the safeguarding/cus-
premises. (1½) Any automated tills tody of assets (1)
not in operation should be fenced
off to prevent customers leaving the (Maximum of 1 mark)
store without passing these auto-
mated tills. (1½) There should be a
dedicated passage through which
customers who did not purchase
any inventory should leave the
store. This passageway should lead
customers to the entry/exit of the
store, which should be guarded by
the security officer. (1½)
Maximum: (1½)

2. All customers should be provided To ensure that recorded sales are

with a till slip listing the items that complete (1)
they have purchased. (1½) Thereaf- To ensure the safeguarding/cus-
ter, the security officer, situated at tody of assets (1)
the exit of the store, should match
the items in the customer’s posses- (Maximum of 1 mark)
sion to those reflected on the till
slip. (1½)
Maximum: (1½)

3. If power failures occur that cause To ensure that recorded sales are
the POS (point-of-sales) system to complete (1)
be inoperative, the franchise store To ensure the safeguarding/cus-
should cease trading by not cap- tody of assets (1)
turing any sales transactions. (1½)
Furthermore, the shop’s door should (Maximum of 1 mark)
be closed to prevent new custom-
ers from entering the store and to
keep customers who were present
in the store when the power fail-
ure occurred, inside the store. (1½)
Customers should only be allowed
to leave the store after the secu-
rity guard has performed security
checks on the customer’s bag(s)
to ascertain that goods were not
stolen. (1½)
OR

139 AUE3701/1
 Improvement Control objective
No
(1½ marks each) (1 mark each)

Sales should be prepared on pre-

printed, pre-numbered multi-copy
documents. (1½)
Unused invoice documents should
be kept under lock and key by an
independent person, and a register
of sales documents issued should be
kept. (1½)
Maximum: (1½)

4. If overrings (mistakes) occur, the till To ensure that adjustments are

supervisor should be called. After authorised (1) and occurred (1)
the “void sale” button is pressed by (Maximum of 1 mark)
the cashier and the item is scanned,
the sale should only be reversed
after the till supervisor captures his
or her unique password on the auto-
mated till’s keyboard. (1½)

5. One of the most competent, trust- To ensure that recorded sales are
worthy till operators should be authorised (1), occurred (1) and
trained to perform the till superviso- complete (1)
ry functions when the till supervisor (Maximum of 1 mark)
is absent from work. (1½)

(5 x 2½ marks = 12½ marks, 1½ marks communication skills, total 14 marks)

Comments on Activity 3
• This question and its related answer deal with a real-life situation. All of us visit
stores almost daily. I am sure you have noticed that tills are situated in the front
of the store and that the supervisor is first called if an item is incorrectly rung up.
• Please note that the question clearly states the following: The franchise owner
informed the audit team that he was prepared to implement stricter
internal controls, but his current cash flow situation would not allow him
to appoint additional staff or purchase additional assets. This means that
for No 3 of the answer you should not write that a backup generator should be
installed, as the question states that the owner has a cash flow problem. The
same principle is applicable to No 5. If you stated that an additional person
should be appointed and trained, you would not have earned your full marks
as the question states that the owner has a cash flow problem.
• Students have difficulty in formulating control objectives. Remember that
you should write out the control objective as a sentence and not only state
the control objectives (e.g. accuracy), as the question states that you should
describe the control objective! For example, do not write “authorised and
occurred” for No 4: Instead you should write: to ensure that adjustments are
authorised and occurred.
• Remember to answer in the required format.

140
Activity 4 – Business risks relating to masterfile amendments

BZN Auditors has been appointed as the external auditor of Bacchus Wines Limited
(Bacchus Wines). The company’s year-end is 30 June. You are the audit senior in charge
of the audit for the 20xx year-end.
Background information on salaried employees
The company has seven departments within which approximately 50 salaried staff
members work, namely Farming, Production, Bottling, Marketing, Sales, Finance and
Administration, and Information Technology. Each of these departments is run by a
senior manager who reports to the general manager, Mante Shamla.

Client: Bacchus Wines Year end: 30 June 20xx

Prepared by: W Shiraz Preparation date: 16 July 20xx

Reviewed by: J Ross Review date: 18 July 20xx

Subject: Weaknesses – Salaried employees masterfile

B1
amendments

After a system walkthrough test was conducted and an interview conducted

with the senior managers of the various departments, the following control
weaknesses were identified:
(1) The personnel function is not centralised into an autonomous, human resources
department, as the authority for all appointments, dismissals and changes to
salary scales rests with the senior managers of the various departments.
(2) Unnumbered “salaried employee masterfile amendment forms” are used to
amend the salaried employees masterfile.
(3) Unnumbered “salaried employee masterfile amendment forms” are captured
without being authorised by the general manager, Mante Shamla.
(4) There is inadequate segregation of duties, as a clerical assistant in the Finance
and Administration department keeps the unused “salaried employee masterfile
amendment forms” and captures these on the salaried employees masterfile.
(5) There is no regular review by an independent employee of the log of amendments
made to the salaried employees masterfile.
(6) Individual personnel files are not updated with copies of the “salaried employee
masterfile amendment forms”.

REQUIRED Marks
For each of the internal control weaknesses evident from the scenario, describe one
business risk (consequence) for Bacchus Wines. (9)

141 AUE3701/1
34 Feedback on Activity 4

Weakness Business risk (consequence)

number (1½ marks each)
1 • With the large workforce, the senior managers may not have
adequate skills to deal with possible labour problems that require
expert knowledge of legal and administrative complexities of
human resource management.
• There may be inconsistent treatment of employees from one depart-
ment to another, leading to a dissatisfied labour force.
• The senior managers may follow incorrect dismissal procedures.
• The senior managers could hire unnecessary employees, leading
to a waste of money for the company.

2 • The salaried employees masterfile may be incomplete, as there

is a risk that all appointments, dismissals and changes to salary
scales may not be captured.
• If appointments are not captured, it will lead to unsatisfied em-
ployees as their salaries cannot be paid promptly.
• If dismissals are not captured, salaries may still be paid to em-
ployees who are no longer employed by the company, resulting
in a financial loss for the company.
• If changes to salary scales are not captured, it will lead to unsat-
isfied employees as the full salaries that they are entitled to are
not paid timeously.

3 • Unauthorised payroll amendment forms may result in invalid and/

or inaccurate amendments being made to the salaried employees
masterfile. Ultimately the company will suffer financial losses.

4 • The inadequate segregation of duties makes it possible for the

clerical assistant to commit fraud by creating a fictitious employee
by completing and capturing a “salaried employee masterfile
amendment form” and paying a salary to the fictitious employee,
resulting in a financial loss for the company.

5 • “Salaried employee masterfile amendment forms” may be in-

accurately captured (errors), resulting in payroll queries from
employees or losses for the company.
• Not all of the “Salaried employee masterfile amendment forms”
may be captured (omissions), resulting in payroll queries from
employees or losses for the company.
• Unauthorised “Salaried employee masterfile amendment forms”
may be captured, resulting in fictitious additions of employees
to the salaried employee masterfile or unauthorised changes in
salary scales. Ultimately the company will suffer financial losses
in both instances.

142
Weakness Business risk (consequence)
number (1½ marks each)
6 • Incomplete personnel files may hamper the senior manager/
personnel manager (in the human resources department) from
easily resolving queries by referring to a complete personnel file,
resulting in employee dissatisfaction if queries are not resolved
promptly.
• Incomplete personnel files may hamper the senior manager/IT
personnel from easily reconstructing or checking the “Salaried
employee masterfile” against paper copies included in person-
nel files if the “Salaried employee masterfile” is corrupted or
destroyed.

(6 x 1½ = 9 marks)

Comments on Activity 4
The question dealt with business risk. Remember that when formulating business
risks, you need to describe the consequence, not only the risk indicator. Can you
remember what a business risk is and how it links with internal controls? The term
“business risk” is defined in ISA 315 as “a risk resulting from significant conditions,
events, circumstances, actions or inactions that could adversely affect an entity’s
ability to achieve its objectives and execute its strategies, or from setting of
inappropriate objectives and strategies.” In other words, anything that might prevent
an entity from achieving its objectives is a business risk. In order to address these
risks, management implements internal controls. Internal control is defined in ISA
315 as “the process designed, implemented and maintained by those charged with
governance, management and other personnel to provide reasonable assurance
about the entity’s objectives with regard to the reliability of financial reporting,
effectiveness and efficiency of operations and compliance with applicable laws
and regulations”.
Many business risks may also increase the risk of material misstatements in the
financial statements, for example:

Objective: To increase the market share of A&B (Pty) Limited.

Strategy: Increase sales by granting credit to customers on less strict

terms and conditions.

Business risk: Allowing sales on credit to customers who will not pay, resulting
in losses to the company.

Potential As not all the debtors might be able to settle their accounts,
material understatement of the allowance for credit losses and an
misstatement overstatement of trade receivables may result. The valuation
(audit risk): of the trade receivables balance will be at risk.

143 AUE3701/1
Activity 5 – Weaknesses and business risks

You are a third-year audit trainee at Jones & Co, a firm of Registered Auditors, and you
have been assigned to the 31 March 20xx year-end audit of Cherry Technology Limited
(Cherry Technology).
Business background of Cherry Technology
Main business
Cherry Technology owns and operates 15 retail stores in South Africa that provide
cellphone equipment such as stereo earphones, USB data cables, hands-free earsets
etc. to the general public for both credit and cash.

Client: Cherry Technology

Year end: 31 March 20xx Prepared by: K Nel
Date: 15 April 20xx Reviewed by: L Sithole
Subject: Information on the acquisition and payments cycle:
ordering of goods
A1
General
• Cherry Technology’s retail stores purchase goods (cellphone equipment) over
the internet and then sell the goods to the general public.
• Each of the 15 retail stores is responsible for ordering and receiving its own goods.
Standardised procedures (stipulated in the Standardised Procedures Manual),
established by Cherry Technology’s management, should be followed in this
regard by the retail stores for consistency purposes.
• Discussions with management at each of the 15 retail stores revealed that only
seven of these retail stores’ personnel were aware of the existence of such a manual.
• A predetermined mark-up percentage is added to the purchase price of an item
to calculate the selling price to the public. This mark-up percentage is stipulated
in the Standardised Procedures Manual.
• The mark-up percentages were updated five years ago.
Ordering of goods
• Cherry Technology’s management believes that the internet is the best way to
do business. They believe that the most competitive prices are obtained through
thorough internet research and bulk purchases.
• Each retail store has its own ordering department with a number of order clerks.
The number of order clerks depends on the size of the retail store. At this stage
there are 16 order clerks at the largest store and four order clerks at the smallest
store.
• Each order clerk is equipped with a personal computer with internet access.
Their main task is to search on the internet for low and competitive prices with
discounts on bulk purchases.
• As soon as an order clerk identifies a “bargain” on the internet, that clerk has the
authority to immediately place an order with the relevant supplier.
• The order clerk has to obtain an order confirmation document from the supplier,
which is then filed in an order file that is kept by each order clerk.
• A copy of this order confirmation is sent to the goods receiving department.

144
 REQUIRED Marks

Refer to the information provided and working paper A1 entitled “Information on the
acquisition and payments cycle: ordering of goods”:
(1) Describe the weaknesses relating to the ordering of goods; and
(2) Discuss the potential consequences for the business (business risk) of each
weakness described.

Note: Do not include any weaknesses or consequences relating to the use of the
internet as part of your answer.

Present your answer as follows:

(2) Potential consequences

(1) Weakness
No for the business
(1 mark each)
(1 mark each)

1. ............................................................. .............................................................. (24)

Communication skills (1)

35 Feedback on Activity 5

(2) Potential consequences for the

(1) Weakness
business
(1 mark each)
(1 mark each)
 Only seven of the 15 retail stores  Owing to a lack of consistent
were aware of the Standardised procedures and controls, possible
Procedures Manual. (1) fraud or other irregularities may not
 There appears to be a weak control be prevented and detected, which
environment (management at the could have a negative financial
retail stores seems to have a poor impact on the entity. (1)
attitude towards, and awareness of,  Owing to a lack of consistent
internal controls). (1) procedures and controls, the
effective operations or smooth
running of the business might be
affected. (1)
 The mark-up percentages were  Should the mark-up percentages
updated five years ago. (1) not be updated at regular intervals,
 Only seven of the 15 retail there is a potential risk that these
stores are aware of the mark-up percentages are outdated and sales
percentage as stipulated in the could be made at incorrect prices.
Standardised Procedures Manual. (1)
(1)  The other eight retail stores may be
incorrectly pricing goods (i.e. not
according to company policy). (1)
 This could have severe financial
implications for the entity. (1)

145 AUE3701/1
 (2) Potential consequences for the
(1) Weakness
business
(1 mark each)
(1 mark each)
 The order clerks place orders  Orders might be placed for
without receiving an authorised incorrect or unnecessary goods,
requisition based on preset resulting in liquidity problems
reorder levels or reorder quantities (as the company might purchase
(inventory levels are not checked goods that it will not be able to sell)
first). (1) and wastage. (1)
 The ordering of unauthorised
goods through fraudulent activity
could result in major losses for the
company. (1)
 Numerous orders could be placed  This could result in large amounts
by various order clerks for the same of unnecessary goods, which could
product. (1) lead to liquidity problems (as the
company might purchase goods
that they will not be able to sell)
and wastage for the entity. (1)
 When purchasing goods, an order  This could lead the entity to pay
clerk could perceive something to unnecessarily high prices for goods
be a “bargain” when it is not. (1) and could have a negative financial
 No formal or authorised price lists impact. (1)
are available for the order clerks to
use when purchasing goods from
suppliers. (1)
 Each order clerk has the authority  Order forms could be misused,
to immediately place an order with e.g. for placing orders for private
the relevant supplier without prior purchases. The company could
approval of a supervisor or senior. suffer financially, as goods that
(1) could have been sold to the general
public are stolen. (1)
 There is no list of authorised  Orders could be placed with
suppliers to purchase goods from. unsuitable or unreliable suppliers,
(1) leading to problems with … (1)
– unfulfilled orders
– orders not filled on time
– unreasonable high prices
– inferior quality products
– reputational damage to the entity
This could lead to financial losses for
the entity.
 Orders could be placed at suppliers
where order clerks receive a kick-
back. (1)
 Orders could be placed at fictitious
suppliers. (1)
(Maximum 2 marks)

146
 (2) Potential consequences for the
(1) Weakness
business
(1 mark each)
(1 mark each)
 There is no isolation of  Without proper isolation of
responsibilities, as the order clerks responsibility, it will be difficult
placing the orders do not sign the or impossible for management to
order confirmation documents. (1) pinpoint responsibility for orders
placed, and will make it easier for
order clerks to place orders for
private purposes without being
caught. This could lead to losses for
the entity. (1)
 No internal (sequentially  It will be impossible to perform a
numbered) order forms are used.(1) reconciliation of orders placed to
order confirmations. This could
expose the entity to certain
liabilities, as the entity will have no
proof that an order was not placed.
(1)
 No-one follows up on orders  Without a proper follow-up of
placed, e.g. there is no orders placed and a reconciliation
reconciliation of orders placed with of orders placed with order
order confirmation documents. (1) confirmations, orders might be
unfulfilled, not filled on time, filled
for the incorrect goods (including
quantity), etc. This could negatively
impact on the financial position or
reputation of the entity. (1)
 If no-one follows up on orders
placed, orders might take weeks or
months to reach the retail stores. As
the goods are electrical equipment,
some items might become
outdated or obsolete in this period,
which could lead to losses for the
company if these items cannot be
resold. (1)
 The order confirmation is kept with  Order confirmations could
the order clerk and is not centrally be misfiled or lost, making it
filed or no register is kept. (1) impossible for the company to
reconcile orders placed with goods
received. (1)

(1 x 31 = 31 marks, maximum 24 marks, 1 mark for communication skills, total

= 25 marks)

147 AUE3701/1
 Comments on Activity 5
• Write your answer in the applicable columns and create the specific link between
the “weakness” and the “potential consequence for the business” by writing
these next to each other.
• The question states that you should write weaknesses; please do not write
recommendations.
• When you have to describe “potential consequence for the business”, always
think of the following factors:
– Could this issue lead to liquidity problems?
– Could this issue lead to dissatisfied customers?
– Is there a risk that a figure in the financial statements might be over- or
understated?
• You need to think of the logical consequences when there is a lack of certain
controls. You can only improve this skill by practising and attempting as many
questions as possible.
• It is important to work through the given information line by line and identify
obvious weaknesses.

Activity 6 – Improvements: general controls

Promising business opportunities for guesthouses during the 2010 Soccer World Cup
motivated Mr Kaizer to establish SSS-Accommodation (Pty) Limited. Your audit firm
was recently appointed as the auditor of SSS-Accommodation (Pty) Limited.
After the successful implementation of a computerised (automated) real-time book-
ing system, Mr Kaizer requested your audit firm to advise him about improvements
to address the following general control weaknesses:
(1) Mrs Mabatho, the sales officer, is unsure how to update the room tariffs on the
automated (computerised) real-time booking system.
(2) The booking system’s central processing unit and related equipment are situated
in a secure part of the building. During the previous week, damage was caused
to the equipment when heavy rain came in through a window that had been left
open overnight. Investigations revealed that the operator had opened the window
during the day to improve ventilation.
(3) Access to the computer room after working hours is restricted by a steel gate and
an electronic surveillance system is activated by the last person to leave the room
at the end of the day.
(4) Damage to the data storage device resulted in data processing being disrupted
for a week because nobody knew how to resolve the problem.
(5) Furthermore, a fair amount of backed-up data was lost. Restructuring of the lost
data was carried out from the booking confirmations held in Mr Kaizer’s office.
REQUIRED Marks
Describe an improvement for each of the general control weaknesses identified.
Present your answer as follows:

Improvement
(1½ mark each)
....................................................................................................................................... (7½)
Communication skills (1½)

148
36 Feedback on Activity 6

Recommendations to improve the general controls

Recommended improvement
(1½ marks each)
1. A formal training programme on the new automated (computerised) real-time
booking system should be devised (1 mark), setting out in detail all personnel
to be trained, and dates and times for their training. Responsibility for training
should also be allocated to specific, capable staff. (½ mark)
A user manual/help function should be compiled and used in the training.
(1 mark)
Total = 2½ marks, maximum 1½ marks allocated
2. The physical security of the computer equipment should be improved by
installing bars the windows. (1½ marks)
In addition, a fully functioning air conditioning system should be installed.
(1½ marks)
Total = 3 marks, maximum 1½ marks allocated
3. Access to the computer room should be restricted at all times and not only
after working hours. (1½ marks)
Activating the electronic surveillance system should not be the responsibility
of the last person to leave the room. Isolation of responsibility to a security
officer should be implemented. (1½ marks)
Total = 3 marks, maximum 1½ marks allocated
4. A disaster recovery plan that lists the procedures to be carried out in the
event of a disaster must be put in place and tested. The plan should be widely
available and should detail the alternative processing arrangements.
5. Improved backup strategies must be put in place; that is, three generations of
backups should be maintained (grandfather, father, son). In addition, backups
should be stored offsite. Back up of information should be carried out regularly.
(5 x 1½ = 7½, communication skills = 1½, maximum = 9)

Summary

In this study unit we …

• related internal control objectives to internal controls for manual and
automated (computerised) systems;
• related risks to internal control weaknesses in manual and automated
(computerised) systems;
• identified weaknesses in internal control systems and recommended
improvements (for both manual and automated (computerised) systems);

149 AUE3701/1
16 Self-assessment

After working through the study unit and the references to the prescribed study material,
determine if you can do the following:

(1) Relate internal control objectives for financial reporting to internal controls for
manual and automated (computerised) systems.
(2) Relate risks to internal control weaknesses in manual and automated (computer-
ised) systems.
(3) Identify weaknesses in internal control systems and recommended improvements
(for both manual and automated (computerised) systems).

150
TOPIC 6
Tests of controls in cycles
In the previous topics (topics 4 and 5), test of control concepts in a manual and automated
environment was explained and internal control aspects were revised from a management
perspective. In this topic, which elaborates further on the previous two topics, the tests
of controls in the various cycles are discussed.

The audit process consists of four stages.

FIGURE 6.1: Stages of the audit process

THIS TOPIC IS DIVIDED INTO THE FOLLOWING STUDY UNITS:

Study unit Title

6.1 Revenue and receipts cycle
6.2 Acquisition and payments cycle
6.3 Inventory and production cycle
6.4 Payroll and personnel cycle

151 AUE3701/1
 Learning outcomes

The learning outcomes of each of the study units are set out in the separate study units.

STUDY UNIT 6.1

TESTS OF CONTROLS IN THE REVENUE AND
RECEIPTS CYCLE

LEARNING OUTCOMES:

In this study unit we focus on the following learning outcome:

• Formulate tests of controls to test the manual and automated internal

controls in the revenue and receipts cycle.

INTRODUCTION
In the previous topic you learnt how to formulate tests of controls to test manual and
automated internal controls. Tests of controls should be formulated by referring to HOW,
WHAT and WHY (refer to study units 4.2 and 4.3 for guidance). The aim of this study unit
is to explain how tests of controls are formulated to test both manual and automated
internal controls in the revenue and receipts cycle.

Revision

• Did you revise topic 3 of AUE2602, which explained the various business cycles as
part of the accounting system?
Activity: Identify the statement of financial position balances and statement of
comprehensive income classes of transactions that relate to the revenue and receipt
cycle.
The feedback is provided in topic 3 of AUE2602.
• In order to formulate tests of controls relevant to the revenue and receipt cycle, you
should have a good understanding of the internal controls in the revenue and receipt
cycle. Therefore, revise topic 4 of AUE2602.

152
 Study

Sections 1 to 6 under the heading “Auditing the cycle” in chapter 10 of

Auditing Notes by Jackson and Stent.

Note the following in the above study source:

• Financial statement assertions in the revenue and receipt cycle (remember the
assertions are also described in ISA 315, paragraph A129).
• Remember that the auditor will mostly perform tests of controls through inspection,
observation, reperformance and enquiry (refer to study unit 4.2). Inspect and
reperform are the best tests of controls to perform; alternatively if evidence of an
internal control cannot be obtained by inspecting or reperforming, the auditor can
consider whether he or she can observe or enquire if the internal control is performed
correctly.
• As mentioned, manual and automated controls can be tested by inspection, observation,
enquiry and reperformance. Some automated controls, however, can be tested by
means of system-oriented CAATs using test data (refer to study unit 4.3).
In order to formulate tests of controls to test internal controls in the revenue and receipts
cycle, you need to be able to identify internal controls. To be able to identify internal
controls you need to be familiar with the internal control concepts in the revenue and
receipt cycle, which we requested you to revise in the revision section above.

Now that you have revised the internal control concepts in the revenue and receipt cycle
and have a better understanding of test of control concepts, do the Activity, which will
show you how test of control questions will be asked in the examination.

Activity 1

You are the audit senior in charge of the audit of CompTech Limited (CompTech). The
trainee accountants working on the audit of CompTech prepared the following work-
ing papers:

153 AUE3701/1
Client: CompTech
Year end: 30 September 20xx
Date: 15 October 20xx
Prepared by: M Mbelu
Reviewed by: L Link
Subject: System description of computer equipment sales
D
CompTech’s main business is selling computer equipment to various clients all over
South Africa, as well as installing and maintaining them. This working paper only
deals with the sale of computer equipment.
Receiving and processing of customer orders
CompTech sells computer equipment to account holders only. Customers who are
registered as current account holders are provided with a unique username and a
password that enables them to place orders electronically on CompTech’s website.
The ordering process consists of two important steps:
Step 1: Placing the order on CompTech’s website
Customers who wish to place an order can gain access to an electronic order request
on CompTech’s website by entering a unique username and password. Once access
is granted, the customer enters the account number that consists of the first three
alphabetical characters of the customer’s name and four numerical digits. If the
account number is accepted, the computer generates a sequenced order request
that the customer should complete.
The computer system requires the customer to complete all of the required fields
on the electronic order request such as the inventory item code, inventory descrip-
tion, quantity, etc. Once the customer has completed all of the required fields, he
or she clicks on the “Submit” icon. A confirmation page with all the details of the
order appears on the computer screen for the customer to review before clicking
on the “Accept order” icon. As soon as the customer has confirmed the order, the
order request is automatically sent to the electronic order mailbox in the ordering
department of CompTech. The manager in the ordering department then distributes
the order requests to one of the three order clerks.
Step 2: Uploading and finalising the order request on CompTech’s ordering system
As soon as an order clerk receives an electronic order request, he or she uploads
the order onto the ordering system. After the electronic order has been uploaded
onto the system, the ordering system performs a limit check to confirm that the
customer’s account is not in arrears for more than 30 days. If the account is in arrears,
the ordering system automatically blocks the customer’s account so that no further
orders can be processed for the customer. The customer’s details are then referred
to the credit department, where the credit manager notifies the customer of the
current situation. If the account is not in arrears, the ordering system automatically
accesses the inventory masterfile to check the availability of inventory.
After inventory availability has been confirmed, the ordering system performs a
limit check to confirm that the current sales transaction and the customer’s current
account receivable balance do not exceed a pre-established credit limit. If the credit
limit is not exceeded, the order is processed and automatically sent to the warehouse
for further action. If the credit limit is exceeded, the ordering system automatically
blocks the customer’s account so that no further orders can be processed for the
customer. The customer’s details are then referred to the credit department, where
the credit manager notifies the customer of the current situation.

154
 Client: CompTech
Year end: 30 September 20xx
Date: 15 October 20xx
Prepared by: M Mbelu
Reviewed by: L Link
Subject: Masterfile amendments for new customers
E
Prospective new customers should complete an electronic application form, which
is available on CompTech’s website. As soon as the credit department receives a
completed application form, credit record checks are conducted before the customer
is accepted as an account holder.
If the credit record check on a prospective customer is completed successfully, one
of the credit clerks in the credit department completes a prenumbered sequenced
accounts receivable masterfile amendment request form. After the form has been
completed, the credit manager authorises the masterfile amendment request form
by signing it. The masterfile amendment request form is then sent to the financial
accountant, who is responsible for adding new customers to the accounts receivable
masterfile.
To gain access to the accounts receivable masterfile, the financial accountant has
to enter his or her unique username and password. The accountant then enters the
customer’s name, account number, address, contact information and credit limit on
the electronic masterfile amendment form. The company policy states that the credit
limit granted to customers may not exceed R1 200 000. As soon as all the fields are
completed on the electronic masterfile amendment form, the financial manager
clicks on the “Submit” icon in order for the computer system to continue to the
confirmation page. The financial accountant then compares the information entered
onto the electronic masterfile amendment form to the information on the masterfile
amendment request form, after which the electronic masterfile amendment form is
approved by entering a multilevel password. The financial accountant first approves
the change on the masterfile by entering a unique password, and then an automatic
second approval request is sent to the credit manager electronically. The credit
manager confirms the information on the computer screen again before approving
the electronic masterfile amendment form by entering his or her unique password.
The computer system automatically generates a customer account number and an
approval certificate once the electronic masterfile amendment form is approved.
The credit manager then prints the approval certificate and files it with the sequenced
masterfile amendment request form and documentation regarding the checking of
the customer’s credit record that was done in the credit department.
One of the credit clerks in the credit department is responsible to follow up all
outstanding masterfile amendment approvals at the end of each month.

REQUIRED Marks
Refer to working paper D entitled “System description of computer equipment
sales”. Formulate the tests of controls that you will perform to test the manual
and automated internal controls applicable to the receiving and processing
of customer orders. (15)
Refer to working paper E entitled “Masterfile amendments for new customers”.
Formulate the tests of controls that you will perform to test the manual and
automated internal controls applicable to masterfile amendments for new
customers. (15)
Please note: If you use tests of controls using test data, limit your answer
to invalid test data.

155 AUE3701/1
37 Feedback on Activity 1

Before you look at the solution, think about how you would approach the question. To assist
you, we provide the following notes:

The question required the following:

Formulate the tests of controls that you will perform to test the manual and au-
tomated internal controls applicable to the receiving and processing of customer
orders.
Formulate the tests of controls that you will perform to test the manual and auto-
mated internal controls applicable to masterfile amendments for new customers.
Note that if you formulate tests of controls using test data, you should limit your
answer to invalid test data.
Notes:
Tests of controls are required (not substantive procedures).
• To answer this type of question, you should describe all relevant tests of controls
to test both manual and automated internal controls: for example, inspect, ob-
serve, reperform and enquire, including audit procedures using invalid test
data which is also a form of reperformance.
• Relate your answer to the information provided in the question regarding the
receiving and processing of customer orders or masterfile amendments for new
customers.
• When describing test data, do not include valid test data as this will waste time.
Also, do not repeat yourself by testing the same principle over and over again.
Additional comments:
• Formulate tests of controls in terms of HOW, WHAT and WHY.
• You first have to identify the internal controls implemented, and then formulate
tests of controls to test the identified internal controls. Remember you can only
test the internal controls described in the question. Manual and some automated
internal controls can be tested by means of inspection, observation, reperfor-
mance and enquiry. However, some automated controls (for example some ap-
plication controls) should be tested with audit procedures using test data (this
question only required you to describe invalid test data).
• In terms of wording of tests of controls: inspect and reperform are the best tests
of controls to perform; alternatively, if evidence of an internal control cannot be
obtained by inspecting or reperforming, the auditor can consider whether he
or she can observe or enquire that the internal control is performed correctly.
Students should be careful not to observe a document – documents should be
inspected. For example, “inspect a sample of masterfile amendment forms for
the signature of the manager as proof of approval” rather than “observe that the
manager signs the masterfile amendment form as proof of approval”.

156
 • When you work through the question, approach it line by line to make sure that
you identify all the internal controls. Once you have identified the internal controls,
describe the tests of controls to test the internal controls you have identified.
When working through the information, remember that the auditor will only
perform tests of controls on those controls that the auditor has determined are
suitably designed to prevent, or detect and correct, a material misstatement in
an assertion in the financial statements (ISA 330, paragraph A20). Be careful not
to test the “flow of the process” or the “description of the process”, but make sure
that you test the internal controls. For example, the following is not an internal
control but merely describes how the process works, and therefore you should not
formulate a test of control to test it: “The financial manager divides all incoming
orders between the two clerks in the ordering department”. An example of an
internal control is “The financial manager signs the order as proof of authorisa-
tion”. You should formulate a test of control to test it.

Solution

Tests of controls: receiving and processing customer orders

To assist you in identifying the internal controls, we have included the scenario again
and provided you with notes and references to the suggested solution.

The information in the question can be analysed as follows:

157 AUE3701/1
158
(1) Attempt to gain access to an electronic order request on CompTech’s website by entering
a fictitious username and password.

Comments:
Students often make the mistake of testing a principle more than once and then
expect to get more than one mark. For example, students write:
• Attempt to gain access to an electronic order request by entering a fictitious
username.
• Attempt to gain access to an electronic order request by entering a fictitious
password.
When you test one principle, in this case the access control, you only receive the
mark once because both the above answers describe audit procedures testing the
access controls to the electronic order request.

(2) Attempt to generate an electronic order request by entering an invalid customer

account number, e.g. a customer code with a different field length or alpha-numeric
combination than specified.

159 AUE3701/1
 Comments:
The comment in 1 above also applies here. Do not test the principle more than
once. Students often write numerous tests of controls to test this internal control,
for example:
• Attempt to generate an electronic order request by entering an account number
consisting of numbers only.
• Attempt to generate an electronic order request by entering an account number
consisting of alphabetical characters only.
Even though both answers are correct, you will only receive the mark once as it
tests the same principle.

(3) When completing the electronic order request, attempt to submit the electronic order
request without completing all of the required fields.
(4) When completing the required fields on the electronic order request, attempt to, for
example … (1½ marks each):
• enter negative amounts in the quantity or item code fields
• enter an alphabetical character in the quantity field
• enter a numerical digit in the inventory description field.
(5) When processing an order, attempt to enter an inventory item code that does not
appear on the inventory list.
(6) Attempt to suppress or redirect the sending of an electronic order request from the
website to CompTech’s electronic order mailbox.
(7) Attempt to upload an electronic order onto the ordering system where the customer’s
account is in arrears and confirm that the ordering system automatically blocks the
customer’s account so that no further orders could be processed for the customer.
(8) Attempt to process an order where the quantity on hand of the inventory will be
exceeded.
(9) Attempt to continue with an order where the credit limit will be exceeded when
placing the current order and confirm that the ordering system automatically blocks
the customer’s account so that no further orders can be processed for the customer.
(11 x 1½ = 16½, maximum 15)

Tests of controls: Masterfile amendments for new customers

To assist you in identifying the internal controls, we have included the scenario again
and provided you with notes and references to the suggested solution.

The information in the question can be analysed as follows:

160
161 AUE3701/1
(1) Inspect the file with the masterfile amendment request forms and confirm that the
credit record check documentation and an approval certificate is attached.
(2) Inspect the file with the masterfile amendment request forms to confirm whether
the forms are issued in sequence for completeness and investigate missing numbers.
(3) Inspect a sample of masterfile amendment request forms for the signature of the credit
manager as proof that it has been approved.
(4) Attempt to gain access to the masterfile amendment module by entering a fictitious
username and password.
(5) When completing the electronic masterfile amendment form, attempt to submit the
electronic masterfile amendment form without completing all of the required fields.

162
 (6) When completing the required fields on the electronic masterfile amendment form,
attempt to, for example … (1½ marks each):
• enter negative amounts where none should exist;
• enter an alphabetical character in the contact information or credit limit field;
• enter a numerical digit where none should exist.
(7) Attempt to enter a credit limit for a new customer which exceeds R1 200 000 and
confirm that the computer system does not allow this.
(8) Inspect a sample of masterfile amendment approval/request forms to confirm that
the credit limit does not exceed R1 200 000.
(9) Attempt to approve a masterfile amendment without entering a multilevel password
or by entering a fictitious multilevel password.
(10) Enquire from management if masterfile amendment request forms with outstanding
approval certificates are followed up at least once a month.
(12 x 1½ = 18, maximum 15)

Summary

This study unit explained how tests of controls are formulated to test manual
and automated internal controls in the revenue and receipt cycle. The next
study unit explains how tests of controls are performed in the acquisition
and payment cycle.

17 Self-assessment
After working through the study unit and the references to the prescribed study material,
determine if you can do the following:

(1) Formulate tests of controls to test the manual and automated internal controls in
the revenue and receipts cycle.

STUDY UNIT 6.2

TESTS OF CONTROLS IN THE ACQUISITION AND
PAYMENT CYCLE

LEARNING OUTCOMES:

In this study unit we focus on the following learning outcome:

• Formulate tests of controls to test the manual and automated internal
controls in the acquisition and payment cycle.

163 AUE3701/1
INTRODUCTION
In the previous topic you learned how to formulate tests of controls to test manual and
automated internal controls in the revenue and receipt cycle. Tests of controls should
be formulated by referring to HOW, WHAT and WHY (refer to study unit 4.2 and 4.3 for
guidance). The aim of this study unit is to explain how tests of controls are formulated to
test both manual and automated internal controls in the acquisition and payment cycle.

Revision

• Did you revise topic 3 of AUE2602, which explained the various business cycles as
part of the accounting system?
Activity: Identify the statement of financial position balances and statement of
comprehensive income classes of transaction that relate to the acquisition and payment
cycle.
The feedback is provided in topic 3 of AUE2602.
• In order for you to formulate tests of controls relevant to the revenue and receipt cycle,
you should have a good understanding of the internal controls in the acquisition and
payment cycle. Therefore, revise topic 5 of AUE2602.

Study

Sections 1 to 5 under the heading “Auditing the cycle” in chapter 11 of

Auditing Notes by Jackson and Stent.

Note the following in the above study source:

• Financial statement assertions in the acquisition and payment cycle (remember
the assertions are also described in ISA 315, paragraph A129).
• Remember that the auditor will mostly perform tests of controls through inspection,
observation, reperformance and enquiry (refer study unit 4.2). Inspection and
reperformance are the best tests of controls to perform; alternatively, if evidence of
an internal control cannot be obtained by inspecting or reperforming, the auditor can
consider whether he or she can observe or enquire if the internal control is performed
correctly.
• As mentioned, manual and automated controls can be tested by inspection, observation,
enquiry and reperformance. Some automated controls, however, can be tested by
means of system-oriented CAATs using test data (refer to study unit 4.3).
In order to formulate tests of controls to test internal controls in the acquisition and
payment cycle, you need to be able to identify internal controls. To be able to identify
internal controls you need to be familiar with the internal control concepts in the acquisition
and payment cycle, which we asked you to revise in the revision section above.

164
Now that you have revised the internal control concepts in the acquisition and payment
cycle and have a better understanding of tests of controls concepts, do the Activity, which
will illustrate to you how tests of control questions can be asked in the examination.

Activity

You are a member of the audit team performing the 31 March 20xx year-end audit of
Books-4U (Pty) Limited (Books-4U). The following information relating to the company
is available to you:

BACKGROUND INFORMATION
Books-4U is a wholesaler of printed books and sells a wide range of books, including
textbooks. The company purchases its books from local and foreign publishing houses.

The following audit working paper was prepared by members of your audit team on
the audit of Books-4U for the 31 March 20xx year end:

Client: Books-4U

A
Year end: 31 March 20xx Prepared by: M van Rooyen

Date: 5 May 20xx Reviewed by: T Mbato

Subject: Acquisition and payment cycle

Books-4U uses an automated ordering system to place all its purchase orders with
suppliers. The system descriptions for the placing of orders are as follows:
Placing of orders:
Orders for books are placed electronically by Books-4U’s buying clerks at the
beginning of each month on sequenced pre-numbered purchase orders. In order
to ensure quality and reliability, orders may only be placed with a supplier that
appears on the approved supplier’s list. When capturing the electronic purchase
orders, the buying clerks choose the applicable supplier from a drop-down menu
before capturing the required quantities of books, book titles and ISBN numbers.
The computer performs checks to confirm that these fields are captured correctly.
An error message appears on the computer screen if all of the required fields are
not captured. The computer automatically completes the prices for the ordered
books on the purchase order. The prices are extracted from the electronic supplier
price list, which is updated and approved on an annual basis. Once the prices are
completed on the purchase order it is ready for approval by the acquisitions manager.
The acquisitions manager approves all purchase orders electronically by entering a
unique username and password. Passwords consist of at least eight characters with a
variation of alphabetic characters, numerical digits and symbols. After the purchase
order is approved, copies are sent to the supplier, the accounting department and
the receiving department.
Ordered books are delivered in the designated goods-receiving section. At the end
of each month the acquisition manager prints an exception report of all outstanding
orders for which books have not been received for follow-up.

165 AUE3701/1
 REQUIRED Marks
Refer to working paper A entitled “Acquisition and payment cycle”. Formulate
the tests of controls that you will perform to test the manual and automated
internal controls in the acquisition and payment cycle when placing orders.
Please note: If you make use of tests of controls using test data, limit your
answer to invalid test data. (18)

38 Feedback on Activity

Before you look at the solution, think about how you would approach the question. To assist
you, we have made the following notes:

The question required the following:

Formulate the tests of controls that you will perform to test the manual and auto-
mated internal controls in the acquisition and payment cycle when placing orders.
Note that if you formulate tests of controls using test data, you should limit your
answer to invalid test data.
Notes:
• Tests of controls are required (not substantive procedures).
• To answer this type of question, you should describe all relevant tests of controls
to test both manual and automated internal controls, for example inspect, ob-
serve, reperform and enquire, including audit procedures using invalid test
data which is also a form of reperformance.
• Relate your answer to the information provided in the question.
• When describing test data, do not include valid test data as this will waste time.
Also, do not repeat yourself by testing the same principle over and over again.
Additional comments:
• Formulate tests of controls in terms of HOW, WHAT and WHY.
• You must first identify the internal controls implemented, and then formulate
tests of controls to test the identified internal controls. Remember you can only
test the internal controls described in the question. Manual and some automated
internal controls can be tested by means of inspection, observation, reperfor-
mance and enquiry. However, some automated controls (for example some ap-
plication controls) should be tested with audit procedures using test data (this
question only required you to describe invalid test data).
• In terms of wording of tests of controls: inspect and reperform are the best tests
of controls to perform. Alternatively, if evidence of an internal control cannot
be obtained by inspecting or reperforming, the auditor can consider whether
he or she can observe or enquire if the internal control is performed correctly.
Students should be careful not to observe a document. Documents should be
inspected. For example: “Inspect a sample of masterfile amendment forms for
the signature of the manager as proof of approval” rather than “Observe that the
manager signs the masterfile amendment form as proof of approval”.

166
 • When you work through the question, approach it line by line in order to make
sure that you identify all the internal controls. Once you have identified the
internal controls, describe the tests of controls to test the internal controls you
have identified. When working through the information, remember that the
auditor will only perform tests of controls on those controls that the auditor has
determined are suitably designed to prevent, or detect and correct, a material
misstatement in an assertion in the financial statements (ISA 330, paragraph A20).
Be careful not to test the “flow of the process” or the “description of the process”,
but make sure that you test the internal controls. For example, the following is
not an internal control but merely describes how the process works, and there-
fore you should not formulate a test of control to test it: “The financial manager
divides all incoming orders between the two clerks in the ordering department”.
An example of an internal control is “The financial manager signs the order as
proof of authorisation”. You should formulate a test of control to test it.

Solution

To assist you in identifying the internal controls, we have included the scenario
again, highlighted key words relating to internal controls and provided you with
references to the tests of controls in the suggested solution.

Tests of controls when placing orders

(1) Inspect a sample of purchase orders to confirm whether the forms are issued in
sequence.
(2) Inspect a sample of purchase orders and compare the supplier on the purchase order
with the suppliers that appear on the list of approved suppliers.

167 AUE3701/1
 (3) When completing the fields on the purchase order, attempt to, for example …
(1½ marks each):
• enter alphabetical characters where none should exist: for example, enter
alphabetical characters when completing the ISBN number or quantity.
• enter negative values where none should exist: for example, enter a negative
quantity.
(4) Attempt to capture a purchase order but leave out one of the required fields (quantity,
book titles or ISBN number) and inspect that an error message appears on the computer
screen.
(5) Attempt to override the automatic generation of prices from the approved
supplier price list by trying to change the prices.
(6) Inspect a sample of purchase orders and compare the price on the purchase order
with the prices that appear on the approved supplier price list.
(7) Enquire from the CFO whether the supplier price list is updated and approved
by the CFO on an annual basis.
(8) Attempt to approve a purchase order by entering a fictitious username and
password.
(9) Attempt to approve a purchase order by entering a password that consists of fewer
than eight characters.
(10) Attempt to enter a password that consists of an incorrect combination of
characters, for example, alphabetical characters or numerical digits or symbols
only, or a combination of only two types of character: for example, only alphabetical
characters or symbols but no numerical digits.
(11) Observe that ordered books are delivered in a designated goods-receiving section.
(12) Inspect an exception report which indicates the outstanding orders for which
books have not been received and enquire whether the outstanding orders have
been followed up.

(14 x 1½ = 21, maximum 18)

Summary

This study unit explained how tests of controls are formulated to test manual
and automated internal controls in the acquisition and payment cycle. The
next study unit explains how tests of controls are performed in the inventory
and production cycle.

18 Self-assessment

After working through the study unit and the references to the prescribed study material,
determine if you can do the following:

(1) Formulate tests of controls to test the manual and automated internal controls in
the acquisition and payment cycle.

168
STUDY UNIT 6.3
TESTS OF CONTROLS IN THE INVENTORY AND
PRODUCTION CYCLE

LEARNING OUTCOMES:

In this study unit we focus on the following learning outcome:

• Formulate tests of controls to test the manual and automated internal
controls in inventory and production cycle.

INTRODUCTION
Inventory may represent a significant balance in manufacturing, wholesale and retail
companies. In retail entities the audit of inventory is simple, as products are bought
directly from its suppliers and sold to the public. On the other hand, in a manufacturing
company, the audit of inventory is more complex as there are various processes involved
in using raw material to arrive at a final product.

Inventory forms the link between the revenue business cycle and the expenditure business
cycle, and therefore keeping records about the purchases, sale and returns of merchandise
forms part of the inventory process.

In the previous topic you learnt how to formulate tests of controls to test manual and
automated internal controls. Tests of controls should be formulated by referring to HOW,
WHAT and WHY (refer to study unit 4.2 and 4.3 for guidance). The aim of this study unit
is to explain how tests of controls are formulated to test both manual and automated
internal controls in the inventory and production cycle.

Revision

• Did you revise topic 3 of AUE2602, which explained the various business cycles as
part of the accounting system?
Activity: Identify the statement of financial position balances and statement of
comprehensive income classes of transaction that relate to the inventory and production
cycle.
The feedback is provided in topic 3 of AUE2602.

169 AUE3701/1
• In order for you to formulate tests of controls relevant to the inventory and production
cycle, you should have a good understanding of the internal controls in the inventory
and production cycle. Therefore, revise topic 6 of AUE2602.

Study

Auditing notes by Jackson and Stent: Chapter 12: “Auditing the cycle”. Exclude
the parts referring to substantive procedures. Also study the International
Standard on Auditing (ISA), Audit evidence – specific considerations for selected
items (ISA 501), paragraph .04.

Note the following in the above study sources:

• Remember that the auditor will mostly perform tests of controls through inspection,
observation, reperformance and enquiry (refer to study unit 4.2). Inspection and
reperformance are the best tests of controls to perform, as evidence obtained via
inspection and reperformance cannot be altered by the client and are completely
under the control of the auditor. Alternatively, if evidence of an internal control cannot
be obtained by inspecting or reperforming, the auditor can consider whether he or
she can observe or enquire if the internal control is performed correctly.
• As mentioned, manual and automated controls can be tested by inspection, observation,
enquiry and reperformance. Some automated controls, however, can be tested by
means of system-oriented CAATs using test data (refer to study unit 4.3).
• Attendance of the inventory count by the auditor includes both substantive procedures
and tests of controls.
In order to formulate tests of controls to test internal controls in the inventory and
production cycle, you need to be able to identify internal controls. To be able to identify
internal controls, you need to be familiar with the internal control concepts in the inventory
and production cycle, which we already requested you to revise in the revision section
above.

Now that you have revised the internal control concepts in the inventory and production
cycle and you have a better understanding of test of control concepts, do Activities 1
and 2, which illustrate how tests of control questions will be asked in the examination.

Activity 1 – Formulation of tests of controls for MANUAL control activities

You are one of the trainee accountants on the audit of Goldrush (Pty) Limited (Goldrush).
Your audit senior has presented you with the following working paper on Goldrush:

170
Client: Goldrush

A1
Year end: February 20xx Prepared by: R le Roux

Date: 26 February 20xx Reviewed by: S Chetty

Subject: Acquisition and payment cycle

Goldrush’s inventory at year-end will consist mainly of raw materials, packaging

materials and finished goods. Raw materials are gold, silver, metals, zirconia stones,
gemstones, pearls and beads. Packaging materials are mainly tin boxes in which
jewellery is sold. Finished goods are finished jewellery in its packaging ready for
delivery. Goldrush will have no jewellery still in the work-in-progress phase at
year-end.
Goldrush uses an automated perpetual inventory system. The system was
implemented two years ago and has been operating without major changes or
problems. The system operates as an online real-time system in order for authorised
users to easily download and obtain data.
The system is maintained on a central server and all computers are connected
via a wide-area network (WAN) to the central server. In order to gain access to
the automated inventory system, users must enter their unique usernames and
passwords on computers connected to the network.
Inventory count

MEMORANDUM
To: The audit team
From: Dan Brown
Date: 25/02/20xx
Subject: Inventory count of Goldrush for the year ending 28 February 20xx

A member of the audit team will attend the inventory count of Goldrush on
28 February 20xx. The COO, Dan Brown, has provided the audit team with the
following memorandum with details on how the inventory count will be conducted.
The inventory count of Goldrush will take place on 28 February 20xx at 17:00.
Manufacturing and despatching of jewellery will not take place on 28 February
20xx as the warehouse will be prepared for the inventory count between 08:00
and 16:30 that day.
Count teams will consist of two staff members each. The count teams, a floor plan
and the responsibilities of each count team will be provided to the staff members
when the count begins at 17:00.
Sequenced inventory sheets will be printed and given to the count teams. The
inventory sheets will contain a list of inventory item numbers, the inventory
descriptions, the cost prices, the quantities on hand according to the automated
inventory system, a column for the first count quantities, a column for the second
(final) count quantities and a column for differences between the quantity on hand
and the second (final) count.

171 AUE3701/1
 All inventory items are labelled with an inventory item number and description
that is indicated on the shelf where the item is stored. Before the inventory count
begins, Dan Brown will walk through the warehouse to make sure that all inventory
items are labelled.
The inventory count will take place as follows:
• The count teams should collect inventory sheets from Dan Brown and sign for
them on the inventory control sheet.
• Inventory items should be identified by comparing the inventory item number
and description on the inventory sheet with the label indicated on the shelf.
• One staff member should count the inventory items and the other staff member
should record the quantity on the inventory sheet in ink. Once the inventory item
is counted, a green sticker should be placed on the inventory label on the shelf.
• If damaged inventory items are identified, they are marked with a red sticker
and Dan Brown should be notified, as this might result in a potential write down
of inventory.
• The count teams should sign each inventory sheet when they have finished
counting the inventory items assigned to them.
• Once the count teams are finished with their first counts, they should submit
the inventory sheets to Dan Brown and sign the inventory control sheet. The
count teams should then sign for the inventory sheets of another count team in
order for them to start with a second (final) counts on inventory that has already
been counted by another team. As soon as items are counted for the second
(final) time, a blue sticker should be placed on the inventory label on the shelf.
Dan Brown will supervise the inventory count process and should be informed im-
mediately if there are any problems during the inventory count. Dan Brown should
sign next to the differences if any differences exist between the quantities on hand
and the second (final) count. Dan Brown should recount the inventory items if there
are differences between the first count and the second (final) count.
Count teams will only be formally dismissed once the count is complete and all
queries have been attended to.

REQUIRED Marks

Refer to working paper A1, entitled “Inventory”. Describe the tests of controls
(excluding audit procedures using test data) that you will perform at the
inventory count of Goldrush on 28 February 20xx. (25)

39 Feedback on Activity 1

(1) Inspect the sequence of the inventory sheets before the inventory count begins.
(2) Inspect the floor plan and confirm that the entire inventory will be counted by
comparing the inventory sheets with the different floor plan areas.
(3) Enquire from Dan Brown whether damaged or obsolete inventory is kept
separately.
(4) Enquire from Dan Brown whether he walked through the warehouse to confirm that
all inventory items were labelled.
(5) Inspect the inventory control sheet for the signatures of the staff members in the
count teams to confirm that the stationery has been controlled, as the count teams

172
 were required to sign for each inventory sheet that was taken from and brought back
to Dan Brown.
(6) Observe/enquire if the count teams for the inventory count (1½ marks for each of the
following):
• consist of two staff members each (one to count and the other to record)
• compare inventory items on the inventory sheets with the inventory item
number and description on the shelf to confirm that the correct inventory
item is counted
• place a green sticker on the inventory label on the shelf after the inventory
item has been counted
• place a red sticker on the inventory label on the shelf if the inventory item is
damaged
• place a blue sticker on the inventory label on the shelf after the inventory item
has been counted twice
(7) Inspect a sample of inventory sheets for the signatures of the staff members on
the count teams as proof that they have finished counting the sections for which
they were responsible. (At the end of the day there should be four signatures as proof
that items have been counted twice.)
(8) Inspect a sample of inventory sheets and confirm that staff members recorded
quantities in ink. (This means that no changes could be made after the inventory
count took place.)
(9) Observe that Dan Brown is present and available during the inventory count and that
he supervises the counting process.
(10) Inspect a sample of inventory sheets to identify inventory items where quantities
differ between the first and second (final) counts. Inspect Dan Brown’s signature
for authorisation of the differences for which changes or corrections should be made.
(11) Inspect a sample of inventory sheets and identify inventory items that differ
between the first and the second count, and enquire whether Dan Brown has
recounted these inventory items.
(12) Perform the following test counts … (1½ marks each)
• select a sample of inventory items from the inventory sheets and compare the
quantity on the inventory sheet with the quantity of items on the floor;
• select a sample of inventory items from the floor and compare their quantity with
the quantity of the items on the inventory sheets.
(13) Inspect the condition of the inventory items during the test count in order to identify
damaged or obsolete inventory and confirm there is a red sticker on the relevant
shelf.
(14) Enquire from Dan Brown whether he has been notified by all the count teams of
damaged or obsolete inventory (marked with a red sticker) to confirm that he
includes these items as potential write-downs.
(15) Walk through the warehouse and confirm that every item has been counted by
inspecting whether all shelf labels have green and blue stickers.
(16) Inspect the inventory control sheet and confirm that all the count sheets have been
signed in after the count teams finished the inventory count.
(17) Observe that no manufacturing or dispatching takes place during the inventory
count.
(22 x 1½ = 33, maximum 25)

173 AUE3701/1
 Comments on Activity 1
The question required the following:
Describe the tests of controls you will perform during the inventory count at Gold-
rush. Exclude audit procedures that use test data from your answer.
Note:
• Tests of controls are required and not substantive procedures.
• You should not include test data in your answer. Describe tests of controls related
to internal controls using terminology such as inspect, reperform, observe and
enquire.
Hints:
• Remember to describe tests of controls in terms of HOW, WHAT and WHY.
• You first have to identify the internal controls in the scenario and then formulate
tests of controls to test the identified internal controls.
• The wording of tests of controls: inspect and reperform provide the strongest
evidence. If evidence of an internal control cannot be obtained by inspecting
or reperforming, the auditor may consider whether he or she can observe or
enquire whether the internal control is correctly performed. Students should
be careful not to observe a document, as documents should be inspected. For
example: “Inspect a sample of masterfile amendment forms for the signature of
the manager as proof of approval” instead of “Observe that the manager signs
the masterfile amendment form as proof of approval”.
• When you work through the question, approach it line by line in order to make
sure that you identify all the internal controls. Once you have identified the
internal controls, describe the tests of controls to test the internal controls
you have identified. When you are working through the information, remember
that the auditor will only perform tests of controls on those controls he or she
has determined are suitably designed to prevent or detect and correct a mate-
rial misstatement in an assertion in the financial statements (ISA 330, paragraph
A20). Be careful not to test the “flow of the process” or the “description of the
process”, but make sure that you test the internal controls. For example: the fol-
lowing is not an internal control but merely describes how the process works,
and therefore you should not formulate a test of control to test it: “The financial
manager divides all incoming orders between the two clerks in the ordering
department”. An example of an internal control is “The financial manager signs
the order as proof of authorisation”. You should formulate a test of control to
test this internal control.
• If you are still uncertain about the formulation of manual tests of controls, please
refer to test of control concepts in study unit 4.2.

Activity 2: Formulation of tests of controls for MANUAL and AUTOMATED

control activities

You are one of the trainee accountants on the audit of Goldrush (Pty) Limited (Goldrush).
Your audit senior has presented you with the following working paper on Goldrush:

174
Client: Goldrush

B1
Year end: 29 February 20xx Prepared by: R le Roux

Date: 5 April 20xx Reviewed by: S Chetty

Subject: Inventory adjustments

After the inventory count, sequenced inventory adjustment forms are used to
account for the differences. The following is an example of an inventory adjustment
form:

Goldrush inventory adjustment form: 012

Details of the inventory item to be adjusted

Inventory item code: BG00123

Description of inventory item: Small green beads
Quantity on hand according to the automated inventory system: 132
First count: 140
Second (final) count: 140
Inventory adjustment: 8

Authorisation

Prepared by: A Reddy

Approved by: P de Beer

Inventory adjustment forms are prepared by Andrew Reddy, one of the accounting
clerks, and approved by the senior accountant Pieter de Beer, both of whom sign
the inventory adjustment form. After approval of the inventory adjustment form
it is sent to the financial manager, Patricia Adams, who is responsible for making
the changes to the inventory masterfile.
Patricia Adams gains access to the inventory masterfile by entering her unique
username and password. Once access is granted, she enters the inventory item
code, which consists of two alphabetic characters and five numeric digits. The
inventory masterfile then retrieves the details of the inventory item, such as the
description and quantity on hand, and displays it on the computer screen. Patricia
then compares the information on the screen with the information on the inventory
adjustment form and, if the information is correct, she clicks on the “Accept” icon
on the computer screen. The computer system now continues to the inventory
adjustment screen.
The inventory adjustment screen displays the inventory item code, description
and the quantity on hand. Patricia completes the second (final) count field by
entering the number as indicated on the inventory adjustment form. The system
automatically calculates the inventory adjustment and Patricia compares it with
the quantity on the inventory adjustment form. She then approves it by clicking
on the “Approve” icon.
When all of the inventory adjustments have been processed according to the
inventory adjustment form, a log with all of the inventory adjustments is e-mailed
to the CFO, Thabo Mabula. He signs the log after scrutinising it and comparing the

175 AUE3701/1
 inventory adjustments with the supporting documents. Inventory adjustments of
more than 10% of the quantity on hand should be investigated by Thabo Mabula,
who approves them electronically by entering his username and password on
the automated inventory system. After approval of the inventory adjustments, a
report is printed which indicates the previous inventory quantities, the inventory
adjustments and the current inventory quantities.
The report is then filed in the inventory masterfile adjustment file, together with
all of the other inventory adjustment forms.

REQUIRED Marks
Refer to working paper B1, entitled “Inventory adjustments”. Describe the tests
of controls that you will perform on the internal controls when adjustments
are made to the inventory. (15)
(Include tests of controls using test data in your answer but limit your answer to invalid
test data.)

40 Feedback on Activity 2

Tests of controls on masterfile changes

(1) Inspect the file with the inventory adjustment forms to confirm that the forms are
sequenced.
(2) Inspect a sample of inventory adjustment forms for the signature of Pieter de Beer
as proof that he has approved the inventory adjustment forms.
(3) Attempt to gain access to the inventory masterfile by entering a fictitious username
and password.
(4) Attempt to enter an incorrect inventory item code, for example an inventory item
code that consists of an alpha-numeric combination different to the one specified,
such as three alphabetical characters and four digits.
(5) When completing the second (final) count field on the inventory adjustment screen,
attempt to, for example: (1½ marks each):
• Enter a negative second (final) count;
• Enter an alphabetical character in the numerical field
(6) Reperform the calculation of the inventory adjustments on a sample of inventory
adjustment forms.
(7) Through reperformance, complete the second (final) count field on the inventory
adjustment screen and confirm that the inventory adjustment is calculated
correctly by comparing it to the quantity on the inventory adjustment form.
(8) Inspect the log that indicates the inventory adjustments for the signature of Thabo
Mabula, as proof that he has approved the inventory adjustments by comparing the
inventory adjustments on the log with the inventory adjustment forms.
(9) Through reperformance, attempt to make an inventory adjustment to an inventory
item of more than 10% of the quantity on hand and confirm that it has to be
approved electronically by entering a username and password on the automated
inventory system.
(10) Attempt to approve an inventory adjustment of more than 10% of the quantity
on hand by entering a fictitious username and password.
(11 x 1½ = 16½, maximum 15)

176
Comments on Activity 2
The question required the following:
Describe the tests of controls that you will perform on the internal controls when
adjustments are made to the inventory. (Include tests of controls using test data
in your answer but limit your answer to invalid test data.)
Note:
• Tests of controls, including tests of controls using test data, are required and
not substantive procedures.
• The working paper is provided below and analysed line by line to guide you in the
formulation of your answer. The value-adding comments are indicated in italics.

Client: Goldrush

B1
Year end: 29 February 20xx Prepared by: R le Roux

Date: 5 April 20xx Reviewed by: S Chetty

Subject: Inventory adjustments

After the inventory count, sequenced inventory adjustment forms are used to
account for the differences. (Comment: Inventory adjustment forms are official
documents that are recorded in the accounting records. This sentence indicates
that inventory adjustment forms are issued in sequence. It is therefore evident that
the auditor should perform a sequence test on these forms. Refer to control 1 of the
Feedback on Activity 2). The following is an example of an inventory adjustment
form:

Goldrush inventory adjustment form: 012

Details of the inventory item to be adjusted

Inventory item code: BG00123

Description of inventory item: Small green beads
Quantity on hand according to the automated inventory system: 132
First count: 140
Second (final) count: 140
Inventory adjustment: 8

Authorisation

Prepared by: A Reddy

Approved by: P de Beer

Inventory adjustment forms are prepared by Andrew Reddy, one of the accounting
clerks (Comment: The preparation of an inventory adjustment form involves the
calculation of the inventory adjustment. Refer to control 6 of the Feedback on Activity
2), and approved by the senior accountant Pieter de Beer, both of whom sign
the inventory adjustment form. (Comment: This sentence deals with the MANUAL
approval of the inventory adjustment forms. The question required you to formulate
both manual and automated (computerised) tests of controls. As the manual approval
of inventory adjustment forms is a CONTROL, this internal control should be tested.
Remember that authorisation is an important component of internal control. Please
note that you should not observe the signature, but rather inspect it. Refer to

177 AUE3701/1
control 2 of the Feedback on Activity 2.) After approval of the inventory adjustment
form it is sent to the financial manager, Patricia Adams, who is responsible for
making the changes to the inventory masterfile. (Comment: This is not an internal
control but merely describes the process. Students often write: “Observe that the
inventory adjustment form is sent to the financial manager Patricia Adams who is
responsible for making changes to the inventory masterfile”. This is wrong. You as
the auditor will not necessarily be at the client’s premises when this form is sent to
Patricia Adams, and this procedure will also not prevent, or detect and correct, material
misstatement in an assertion in the AFS.)
Patricia Adams gains access to the inventory masterfile by entering her unique
username and password. (Comment: Access control is an important component
of an entity’s internal controls and should therefore be tested. Refer to control 3
of the Feedback on Activity 2.) Once access is granted, she enters the inventory
item code that consists of two alphabetic characters and five numeric digits.
(Comment: The fields that should be completed by Patricia are provided. Tests of
controls can be performed on these fields in order to ensure that the fields have been
correctly captured. Refer to control 4 of the Feedback on Activity 2.) The inventory
masterfile then retrieves the details of the inventory item, such as the description
and quantity on hand, and displays it on the computer screen. Patricia then
compares the information on the screen with the information on the inventory
adjustment form and, if the information is correct, she clicks on the “Accept” icon
on the computer screen. The computer system now continues to the inventory
adjustment screen.
The inventory adjustment screen displays the inventory item code, description and
the quantity on hand. Patricia completes the second (final) count field by entering
the number as indicated on the inventory adjustment form. (Comment: The field
that should be completed by Patricia is provided. Tests of controls can be performed
on this field in order to ensure that the field has been correctly captured. Refer to
control 5 of the Feedback on Activity 2.) The system automatically calculates the
inventory adjustment and Patricia compares it with the quantity on the inventory
adjustment form. (Comment: This action represents a control, as Patricia performs a
“comparison” activity. This manual control activity should therefore be tested. Refer
to control 7 of the Feedback on Activity 2.) She then approves it by clicking on the
“Approve” icon. (Comment: This is not an internal control but merely describes the
process. Students often write “Observe that Patricia clicks on the “Approve” icon”. This
is incorrect. You as the auditor will not necessarily be with Patricia when she clicks on
the icon and this will also not prevent, or detect and correct material misstatement
in an assertion in the AFS.)
When all the inventory adjustments have been processed according to the in-
ventory adjustment form, a log with all the inventory adjustments is e-mailed to
the CFO, Thabo Mabula. He signs the log after scrutinising it and comparing the
inventory adjustments with the supporting documents. (Comment: The CFO uses
the output of the automated system, i.e. the log, and signs it after his “comparison”
activities. This represents a manual control that should be tested. Refer to control 8
of the Feedback on Activity 2.) Inventory adjustments of more than 10% of the
quantity on hand should be investigated by Thabo Mabula, who approves them
of more than 10% cannot be processed without an approval. This manual control
should be tested, as authorisation is an important component of internal control.

178
 Refer to control electronically by entering his username and password on the
automated inventory system. (Comment: Adjustments 9 and 10 of the Feedback on
Activity 2.) After approval of the inventory adjustments, a report is printed that
indicates the previous inventory quantities, the inventory adjustments and the
current inventory quantities.
The report is then filed in the inventory masterfile adjustment file, together with
all of the other inventory adjustment forms.
(Comment: No control activity is performed when a report is printed and then filed.
Therefore, there is nothing to test. Students often identify areas used to describe the flow
of the process as internal controls. Please do not make this mistake! If you are unsure
about control activities, please refer to your previous study material of AUE2602.)

General hints:
• Remember to describe tests of controls in terms of HOW, WHAT and WHY.
• For this question you first have to identify the MANUAL and AUTOMATED
(computerised) internal controls in the scenario and then formulate tests of
controls to test the identified MANUAL and AUTOMATED internal controls.
• To answer this type of question, you should describe all relevant tests of controls
relating to the internal controls, for example inspect, observe, reperform and
enquire, as well as audit procedures using test data that should be rejected.
• When you work through the question, approach it line by line in order to make
sure that you identify all the internal controls. Once you have identified the
internal controls, describe the tests of controls to test the internal controls
you have identified.
• Relate your answer to the information provided in the scenario.
• When describing test data, do not include test data that will be accepted, as the
“required” specifically excludes it. If you include test data that will be accepted
you will not earn marks and you will waste valuable time.
• When working through the information, remember that the auditor will only
perform tests of controls on those controls that the auditor has determined are
suitably designed to prevent, or detect and correct, a material misstatement in
an assertion in the financial statements (ISA 330, paragraph A20).
• If you are still uncertain about the formulation of manual and automated tests
of controls, please refer to test of control concepts in study units 4.2 and 4.3

Summary

This study unit explained how tests of controls are formulated to test manual
and automated internal controls in the inventory and production cycle. The
next study unit explains how tests of controls are performed in the payroll
and personnel cycle.

179 AUE3701/1
19 Self-assessment

After working through the study unit and the references to the prescribed study material,
determine if you can do the following:

(1) Formulate tests of controls to test the manual and automated internal controls in
the inventory and production cycle.

STUDY UNIT 6.4

TESTS OF CONTROLS IN THE PAYROLL AND
PERSONNEL CYCLE

LEARNING OUTCOMES:

In this study unit we focus on the following learning outcome:

• Formulate tests of controls to test the manual and automated internal
controls in the payroll and personnel cycle.

INTRODUCTION
In the previous study units you learned how to formulate tests of controls to test manual
and automated internal controls in some of the business cycles. Tests of controls should
be formulated by referring to HOW, WHAT and WHY (refer to study units 4.2 and 4.3 for
guidance). The aim of this study unit is to explain how tests of controls are formulated to
test both manual and automated internal controls in the payroll and personnel cycle.

Revision

• The previous study units asked you to revise topic 3 of AUE2602, which explains the
various business cycles as part of the accounting system.
Activity: Identify the statement of financial position balances and statement of
comprehensive income classes of transactions that relate to the payroll and personnel
cycle.
The feedback is provided in topic 3 of AUE2602.

180
• In order to formulate tests of controls in the payroll and personnel cycle, you should
have a good understanding of the internal controls in the payroll and personnel cycle.
Therefore, revise topic 7 in AUE2602.

Study

Sections 1 to 2 under the heading “Auditing the cycle” in chapter 13 of

Auditing Notes by Jackson and Stent.

Note the following in the above study source:

• Financial statement assertions in the payroll and personnel cycle (remember the
assertions are also described in ISA 315, paragraph A129).
• Remember that the auditor will mostly perform tests of controls through inspection,
observation, reperformance and enquiry (refer to study unit 4.2). Inspect and
reperform are the best tests of controls to perform; alternatively, if evidence of an
internal control cannot be obtained by inspecting or reperforming, the auditor can
consider whether he or she can observe or enquire that the internal control is performed
correctly.
• As mentioned, manual and automated controls can be tested by inspection, observation,
enquiry and reperformance. Some automated controls, however, can be tested by
means of system-oriented CAATs using test data (refer to study unit 4.3).
In order to formulate tests of controls to test internal controls in the payroll and personnel
cycle, you need to be able to identify internal controls. To be able to identify internal
controls you need to be familiar with the internal control concepts in the payroll and
personnel cycle, which we asked you to revise in the revision section above.

Now that you have revised the internal control concepts in the payroll and personnel
cycle and have a better understanding of tests of controls concepts, do Activity 1, which
will illustrate how test of control questions will be asked in the examination.

Activity 1

You are the audit senior in charge of the audit of Clothing-4U Limited (C4U). C4U manu-
factures clothing for all Mr Clothes outlets in South Africa. The trainee accountants
working on the audit of C4U prepared the following system description on internal
controls over the payroll and personnel function of C4U:
Internal controls over the payroll and personnel function of C4U:
The manufacturing division of C4U is managed by a production manager, Mr Hat. Mr
Hat controls the work of 30 foremen and approximately 600 workers.
Hiring of new wage workers
Mr Hat must prepare a memorandum if additional wage workers are required. The
memorandum must indicate what role the new wage worker will play and which skill
is required. The memorandum is sent to the chief financial director (CFO), Mr Suit. If Mr
Suit is satisfied with the memorandum and that there are sufficient financial resources

181 AUE3701/1
available in terms of the budget, he authorises the request by signing the memorandum.
Mr Suit’s secretary then informs the human resource department that they can place
an advertisement for the new wage worker position.

Applicants who respond to the advertisement by submitting their Curriculum Vitaes

before the deadline are interviewed by Mr Hat and a human resource representative,
Ms Skirt. Proper background checks are carried out on each individual applying for
the position.

Once the appointment procedure has been completed, Ms Skirt prepares the appoint-
ment contract with conditions and notifies the successful applicant of the appointment.
As soon as the successful applicant accepts the appointment, a masterfile amendment
form is completed and authorised by the human resource manager, Ms Dress, who
signs the masterfile amendment form. Authorised masterfile amendment forms are
then sent to the financial clerk, Ms Sandal, who is responsible for adding new wage
workers on the employee masterfile.

To gain access to the employee masterfile, Ms Sandal enters her unique username and
password. C4U’s IT policy stipulates that all passwords should consist of eight characters
comprising a combination of symbols, numeric digits and alphanumeric characters.
Once access is granted to the employee masterfile, Ms Sandal enters the compulsory
fields on the electronic masterfile amendment form, namely the individual’s name,
employee number, identification number, residential and postal address, date of
employment, wage worker job grade and taxation number. The computer performs
checks to confirm that these fields are captured correctly. As soon as all the fields are
completed and accepted by Ms Sandal, Mr Hat and Mr Suit are required to approve
the masterfile amendment electronically by entering a multilevel password.

After adding the new wage worker to the employee masterfile, the appointment
contract, proof of a background check and masterfile amendment form are filed in an
employee file in the human resources department.

Pay rates
Wage workers are paid based on a predetermined hourly rate in terms of their job
description. These rates are updated on the pay rate employee masterfile annually
after negotiations have taken place.

Timekeeping of hours
Workers gain access to or exit the warehouse of C4U by means of a biometric reader
situated at the access and exit points of the warehouse. Each worker who arrives at the
warehouse may gain access to the premises by placing his or her thumb on a scanner.
The access system at the warehouse compares the scanned print to prints held in the
employee masterfile. If the scanned print matches the print stored in the employee
masterfile, the worker is granted access or exits through a turnstile to or from the
warehouse and the time of arrival or departure is recorded.

At the end of each day, each worker’s arrival and departure times are automatically
updated from the access system at the warehouse to the employee masterfile. At the
end of each week a schedule of hours worked for each employee, split between normal
and overtime hours, is printed out and carefully checked by Mr Hat. Mr Hat authorises
the hours worked by signing the schedule.

Payroll preparation
Wages are based on the hours worked during the calendar week and are paid the
following Friday.

182
 To prepare the payroll for the end of the week, the payroll administrator, Mr Socks,
accesses the payroll software by entering his unique username and password. Mr Socks
then selects the “prepare payroll” function. This function will present the payment
record by extracting information from the employee masterfile. The payment record
will reflect the wage worker’s personal details, hours worked for the week, pay rate,
deductions and net wages. Mr Socks should review and initial the payment record if
he compared the hours worked on the payment record with the hours authorised by
Mr Hat on the schedule of hours worked. Mr Suit should approve any adjustments by
signing next to the adjustments on the payment record. Once the payment records have
been reviewed and updated, the system produces the payroll for the period. Before
payments are made to wage workers, Mr Suit accesses the payroll file and performs
verification procedures and signs a print out of the payroll file if the payroll is accurate.
Payment of wages
Wages are paid to wage workers by electronic funds transfer (EFT). After EFTs have
been made to the bank accounts of the wage workers, a copy of the payroll is printed
out, signed as proof of authorisation by Mr Socks and Mr Suit and filed in period order.
Each wage worker is provided with a copy of a payslip.
Mr Socks and Mr Hat deal with any queries regarding the wages paid to the wage
workers.
REQUIRED Marks
Formulate the tests of controls that you will perform to test the manual and
automated internal controls applicable to the payroll and personnel function
of C4U.

Please note: If you make use of tests of controls using test data, limit your
answer to invalid test data.

Before you answer the question, think how you will approach it. Refer to guidance
provided in the previous study units, make your own notes and compare your
notes with your fellow students on the discussion forum; for example, share
notes on what you have learned when answering test of control questions, your
approach etc. (24)

41 Feedback on Activity 1

To assist you in identifying the internal controls, we have included the scenario again
and provided you with references to the tests of controls in the suggested solution.

You are the audit senior in charge of the audit of Clothing-4U Limited (C4U).
C4U manufactures clothing for all Mr Clothes outlets in South Africa. The trainee
accountants working on the audit of C4U prepared the following system description
on internal controls over the payroll and personnel function of C4U:
Internal controls over the payroll and personnel function of C4U
The manufacturing division of C4U is managed by a production manager, Mr Hat.
Mr Hat controls the work of 30 foremen and approximately 600 wage workers.

183 AUE3701/1
Hiring of new wage workers
Mr Hat should prepare a memorandum if additional wage workers are required. The
memorandum should indicate what role the new wage worker will play and which
skill is required. The memorandum is sent to the chief financial director (CFO), Mr
Suit. If Mr Suit is satisfied with the motivation in the memorandum and that there
are sufficient financial resources available in terms of the budget he authorises the
request by signing the memorandum. Mr Suit’s secretary then informs the human
resource department that they can place an advertisement for the new wage worker
position.
Applicants who respond to the advertisement by submitting their Curriculum Vitaes
before the deadline are interviewed by Mr Hat and a human resource representative,
Ms Skirt. Proper background checks are carried out on each individual applying for
the position.
Once the appointment procedure has been completed, Ms Skirt prepares the
appointment contract with conditions and notifies the successful applicant of
the appointment. As soon as the successful applicant accepts the appointment, a
masterfile amendment form is completed and authorised1 by the human resource
manager, Ms Dress, who signs the masterfile amendment form. Authorised masterfile
amendment forms are then sent to the financial clerk, Ms Sandal, who is responsible
for adding new wage workers on the employee masterfile.
To gain access to the employee masterfile, Ms Sandal enters her unique username
and password2. C4U’s IT policy stipulates that all passwords should consist of
eight characters comprising a combination of symbols, numeric digits and
alphanumeric characters3. Once access is granted to the employee masterfile, Ms
Sandal captures the compulsory fields4 on the electronic masterfile amendment
form, namely the individual’s name, employee number, identification number,
residential and postal address, date of employment, wage worker job grade and
taxation number. The computer performs checks to confirm that these fields are
captured correctly5. As soon as all the fields are completed and accepted by Ms
Sandal, Mr Hat and Mr Suit are required to approve the masterfile amendment
electronically by entering a multilevel password6.
After adding the new wage worker on the employee masterfile, the appointment
contract, proof of a background check and masterfile amendment form are filed in
an employee file in the human resources department.
Pay rates
Wage workers are paid based on a predetermined hourly rate in terms of the wage
worker’s job grade. These rates are updated on the pay rate employee masterfile
annually after negotiations have taken place.
Timekeeping of hours
Workers gain access to or exit the warehouse of C4U by means of a biometric reader
situated at the access and exit points of the warehouse. Each worker who arrives at
the warehouse may gain access to the premises by placing his or her thumb on a
scanner7. The access system at the warehouse compares the scanned print to prints
held in the employee masterfile. If the scanned print matches the print stored in the
employee masterfile, the worker is granted access or exits through a turnstile to or
from the warehouse and the time of arrival or departure is recorded.

184
 At the end of each day, each worker’s arrival and departure times are automatically
updated from the access system at the warehouse to the employee masterfile8.
At the end of each week a schedule of hours worked for each employee, split between
normal and overtime hours, is printed out and carefully checked by Mr Hat. Mr Hat
authorises9 the hours worked by signing the schedule.
Payroll preparation
Wages are based on the hours worked during the calendar week and are paid the
following Friday.
To prepare the payroll for the end of the week, the payroll administrator, Mr Socks,
accesses the payroll software by entering his unique username and password10.
Mr Socks then selects the “prepare payroll” function. This function will present
the payment record by extracting information from the employee masterfile. The
payment record will reflect the wage worker’s personal details, hours worked for
the week, pay rate, deductions and net wages.
Mr Socks should review and initial11 the payment record if he compared the
hours worked on the payment record with the hours authorised by Mr Hat on the
schedule of hours worked. Mr Suit should approve any adjustments by signing
next to the adjustments12 on the payment record. Once the payment records
have been reviewed and updated, the system produces the payroll for the period.
Before payments are made to wage workers, Mr Suit accesses the payroll file and
performs verification procedures and signs a print out of the payroll file if the
payroll is accurate13.
Payment of wages
Wages are paid to wage workers by electronic funds transfer (EFT). After EFTs have
been made to the bank accounts of the wage workers, a copy of the payroll is printed
out, signed14 as proof of authorisation by Mr Socks and Mr Suit and filed in period
order. Each wage worker is provided with a copy of a payslip.
Mr Socks and Mr Hat deal with any queries regarding the wages paid to the wage
workers.

Solution
(1) Inspect a sample of masterfile amendment forms for the signature of Ms Dress to
confirm that the amendment has been authorised.
(2) In order to make masterfile amendments, attempt to gain access to the employee
masterfile by entering a fictitious username and password.

Comments:
Students often make the mistake of testing a principle more than once and
then expecting to get more than one mark. For example, students write:
• Attempt to gain access to the employee masterfile by entering a fictitious
username.
• Attempt to gain access to the employee masterfile by entering a fictitious
password.
When you test one principle, in this case the access control, you only receive
one mark. Both of the above answers describe audit procedures testing the
access controls to the electronic order request, therefore we only award the
mark once.

185 AUE3701/1
 (3) Attempt to gain access to the employee masterfile by entering a password that consists
of more or fewer than eight characters, or a character combination that is incorrect
in terms of that specified in the IT policy of C4U.
(4) When completing the masterfile amendment, attempt to submit the masterfile
amendment without completing all of the required fields.
(5) When completing the required fields on the masterfile amendment, attempt to, for
example (1½ marks each):
• Enter alphabetical characters where none should exist, for example the employee
number field
• Enter numerical digits where none should exist, for example the individual’s name
• Enter characters with an incorrect field size, for example the identification number
should only consist of 13 digits.
(6) Attempt to approve a masterfile amendment by entering a fictitious password or by
entering only one password.
(7) Observe wage workers entering and exiting the warehouse to confirm that hours are
only recorded for employees presenting their thumb print.
(8) Observe a sample of wage workers and record the time of arrival or departure at the
warehouse, and compare the times with the times that are updated to the employee
masterfile to confirm that it is accurate.
(9) Inspect a sample of schedules of hours worked for the signature of Mr Hat to confirm
that the hours worked were authorised.
(10) Attempt to access the payroll software by entering a fictitious username and password.
(11) Inspect a sample of payment records for the initials of Mr Socks as proof that he reviews
the payment record to confirm that the hours worked are correct.
(12) Inspect a sample of payment records with adjustments and inspect the signature of
Mr Suit next to adjustments as proof that adjustments are approved.
(13) Inspect the payroll file for the signature of Mr Suit to confirm that he performs verification
checks in order to confirm that the payroll is accurate before payments are made.
(14) Inspect a sample of payroll copies for the signature of Mr Socks and Mr Suit as proof
of authorisation of the payroll.
(16 x 1½ = 24)

Summary

This study unit explained how tests of controls are formulated to test manual
and automated internal controls in the payroll and personnel cycle.

20 Self-assessment

After working through the study unit and the references to the prescribed study material,
determine if you can do the following:

(1) Formulate tests of controls to test the manual and automated internal controls in
the payroll and personnel cycle.

186
CONCLUSION
Well done on reaching the end of this module.

You have covered many very important building blocks in your auditing studies, because
you now know how to:
• Engage with a client to perform an audit assignment;
• Gather knowledge about a client’s business and controls;
• Perform risk assessments on the client’s accounting systems and on factors that can
affect the client’s business;
• Formulate procedures, based on the risk assessment, that can test the effective
functioning of the controls; and
• Respond to fraud.
The knowledge you have gained in this module is a prerequisite to understanding how
the audit process continues in module AUE3702, because once the testing of controls has
been completed the auditor can confirm whether the control risk (which was set after

187 AUE3701/1
gathering knowledge of the controls during the planning stage), was accurate or has to
be adjusted.

The adjustment of the control risk will impact on the detection risk, which results in
the level of overall audit risk. If the control risk has to be adjusted to a higher level, the
detection risk has to be reduced to arrive at the level of audit risk which is acceptable to
the auditor for the particular audit engagement.

Should the detection risk need downward adjustment, the extent of substantive testing
that has to be performed will increase.

Should the auditor be unable to adjust the detection risk to a sufficiently low level in order
to arrive at an acceptable audit risk, the auditor should reconsider continued involvement
with the engagement.

Enjoy AUE3702!!!

188
ATTACHMENT 1
Controls applicable to master file amendments, input, processing and output

Master file amendments

Batch Input

Online input

Processing

Output
Keystroke entry
Preparation of

of data
data
Authorisation

Signatures of supervisory personnel, or the electronic √ √

equivalent, must appear on source documents and
batch forms.

Access to the input module of an application must √ √ √

be restricted.

Access to source documents

Unused source documents must be kept by a person √ √

who is independent of the application.

Source documents must be pre numbered and a regis- √ √

ter must be kept of receipts and issues of blank source
documents.

Source document design

All information that remains unchanged must be pre √ √

printed and copies of the same document must be in
different colours.

lf a limited number of answers are applicable, the √ √

document must be designed in such a way that the
user only marks off the applicable answer.

The title of the document must indicate the purpose √ √

of the document.

Notes and instructions must appear on the document √ √

to make it easier to complete.

Boxes must be used to prevent field size errors. √ √

The fields to be filled in must appear in the sequence in √ √

which data is entered, as determined by the program.

Source documents must be pre numbered to make √ √

sequence checks possible.

189 AUE3701/1
 Master file amendments
Batch Input

Online input

Processing

Output
Keystroke entry
Preparation of

of data
data
Management review

An independent person must review another person’s √ √

work.

Audit trails of transactions, override logs and excep- √ √ √ √

tion reports must be inspected by senior personnel.

Batch controls

Source documents must be grouped into batch sizes √

and control totals must be calculated. The following are
different types of control total that can be calculated:
financial totals, hash totals and record counts.

A batch control sheet must be prepared and attached √

to a batch.

A batch register must be used to document the √ √ √ √ √ √

physical progress of a batch.

Details of the batch must be captured on a computer √ √ √ √ √ √

to create a batch header label.

Records in the batch must be captured on computer √ √ √ √ √ √

and subjected to programmed validity controls.

Once all the records in the batch have been keyed in, √ √ √ √ √ √
the computer must compute its own control total on
the basis of the information that has been captured.
The computer then compares this total with the
manually calculated control total calculated by the
user before input into the computer. The batch header
label is then automatically updated with the control
total calculated by the computer.

lf the control totals agree, the batch is accepted for √ √ √ √ √ √

processing. lf they do not agree, the batch is rejected
and returned for correction.

The computer-calculated control totals must be √ √ √ √ √ √

updated on the batch header label. The batches can
then go through the rest of the process.

190
 Master file amendments
Batch Input

Online input

Processing

Output
Keystroke entry
Preparation of

of data
data
Access controls

Access to a particular application must be restricted. √ √ √

Physical access to computers that contain sensitive √ √ √

applications must be restricted.

Access must be restricted by means of user profiles √ √ √

or access tables at both the systems level and the
application level.

Computer time-out facilities and automatic time-out √ √ √

should come into operation as soon as unauthorised
access is obtained.

User lD and computer logging of all activities must √ √ √

be introduced.

Screen aids

Keying in of the minimum information √ √ √

Fields on the computer screen must appear in the √ √

same sequence as in the source document.

Screen format: the computer screen must be formatted √ √

in the same way as the hard copy of the source
document.

Screen dialogue and prompts √ √ √

Mandatory fields √ √ √

Verbal confirmation of data √

Shading of fields √ √ √

Programme checks

Alpha-numeric check √ √ √

Range test √ √ √

Limit check √ √ √

Check digit √ √

191 AUE3701/1
 Master file amendments
Batch Input

Online input

Processing

Output
Keystroke entry
Preparation of

of data
data
Size check √ √ √

Missing data check/mandatory field check √ √ √

Reasonableness check/consistency check √ √ √

Sequence check √ √ √

Verification check/validation check √ √ √

Data approval check/authorisation check √ √ √

lnternal label check √

Generation number check √

Retention date check √

Arithmetic accuracy check √ √ √

Cross cast/accuracy check √ √ √

Run-to-run totals √

Matching check √ √ √

Dependency check √ √ √

Valid character and sign check √ √ √

Logs and reports

Audit trails √ √ √ √ √

Run-to-run balancing reports √

Override reports √ √ √ √ √

Exception reports √ √ √ √ √

Before-and-after images √

Activity reports √ √ √ √ √

Computer-generated transaction listing √ √

Access/violation reports √ √ √ √ √

192
 Master file amendments
Batch Input

Online input

Processing

Output
Keystroke entry
Preparation of

of data
data
Output handling controls

Clear report identification √

A distribution matrix must be compiled. √

Output must be recorded in a dispatch register to √

control movement.

The design of stationery must promote confidentiality. √

Confidential information for employees should not be √

e-mailed to their work PCs.

The print function for the printing of confidential √

information must be restricted to printers that are
under the supervision of appropriate officials.

All output that is not required must be shredded. √

Reconciliation and review

The control clerk reviews output. √ √

The control clerk compares the control totals from √

processing with the input control totals.

The control clerk performs sequence checks. √ √

The control clerk performs a document count on √ √

ancillary output.

The control clerk reviews output for reasonableness. √

User departments must reconcile manually calculated √ √

totals with computer-generated totals.

User departments must reconcile reports with source √

documents or physical assets.

193 AUE3701/1
ATTACHMENT 2

Explanation of controls with appropriate examples

Control Explanation of control with reference to an example

Authorisation

Signatures of supervisory personnel, Before Mr T can change the opening balance of a debtor’s
or the electronic equivalent, must account, a written request must be signed by the head
appear on source documents and of the sales department.
batch forms. (Master file amendments – occurrence and
authorisation)

Access to the input module of an Mrs X is the only person who can change the opening
application must be restricted. balances of inventory items. Management must
implement access tables to ensure that only Mrs X can
gain access to the inventory masterfile.
(Master file amendments – occurrence and
authorisation)

Access to source documents

Unused source documents must be Unused sales invoices must be kept in the operational
kept by a person who is independent manager’s safe.
of the application. (Preparation of data – occurrence and authorisation)

Source documents must be Mr T orders 100 unused, preprinted sales invoices from the
prenumbered and a register must be supplier. He asks the supplier to number the sales invoices
kept of receipts and issues of blank from 678 to 778 and bind them in sales invoice books of
source documents. ten each. Upon receipt Mr T records these ten books in
a log. As the books are issued to sales consultants, the
log is updated.
(Preparation of data – occurrence and authorisation)

Source document design

All information that remains The following information should be preprinted on a sales
unchanged must be preprinted and invoice: name of the sales agent, name of the purchaser,
copies of the same document must client code, description of the stock, quantity, total etc.
be in different colours. Three copies of the sales invoice are required. Copy 1 is
white and remains in the sales invoice book, copy 2 is
pink and is given to the purchaser, and copy 3 is yellow
and is sent to the inventory department.
(Data preparation – accuracy)

lf a limited number of answers are A company sells only three kinds of product. lnstead of
applicable, the document must be the sales consultant writing down the item sold, the sales
designed in such a way that the user invoice should be designed in such a way that it lists the
only marks off the applicable answer. three types of product. The sales consultant then merely
marks off the item(s) sold.
(Data preparation – accuracy)

194
 Control Explanation of control with reference to an example

The title of the document must The sales document must clearly indicate the following
indicate the purpose of the document. in capitals: SALES lNVOlCE.
(Data preparation – accuracy)

Notes and instructions must appear The following instructions should appear on the reverse
on the document to make it easier of the sales invoice:
to complete. • All fields of the sales invoice must be filled in.
• lf a code has not yet been assigned to the client, a code
must first be obtained from the credit department
before the other fields are filled in.
(Data preparation – accuracy)

Boxes must be used to prevent field The following could appear on a sales invoice:
size errors. Purchases code

The four boxes make it easier to complete the purchases

code field. lf the code has three or five figures, for example,
it would immediately be apparent that a mistake had
been made.
(Data preparation – accuracy)

The fields to be filled in must appear The computer program requires information to be entered
in the sequence in which data are on the sales module in the following sequence:
entered, as determined by the 1. Name of purchaser
program. 2. Purchases code
3. Date, etc.
lt is important that the above fields should appear in the
same sequence on the sales invoice.
(Data preparation – accuracy)

Source documents must be As sales take place, the following prenumbered sales
prenumbered to make sequence invoice is used in the sales book. At the end of the month
checks possible. an independent person ensures that there are no missing
numbers in the sales invoices. lf, say, sales invoice 67 is
missing, the matter would be investigated.
(Data preparation – completeness)

Management review

An independent person must review After the sales consultant has completed the sales invoice,
another person’s work. it is reviewed by the head of the sales department.
(Data preparation – occurrence and authorisation,
accuracy, completeness)

195 AUE3701/1
 Control Explanation of control with reference to an example

Audit trails of transactions, override Mr X may only change the opening balances of inventory
logs and exception reports must be items if the change involves less than five items. Changes
inspected by senior personnel. involving more than five items must be made by Mr Y.
Exception reports of all inventory item changes involving
more than five items are kept up to date by the computer.
They are inspected by a senior person to ensure that
a masterfile amendment of this nature has been duly
authorised and made by Mr Y.
(Master file amendments – occurrence and
authorisation, accuracy, completeness)

Batch controls

Source documents must be grouped At the end of each week clock cards are collected and
into batch sizes and control totals grouped into bundles of 15 clock cards each. The following
must be calculated. The following are types of control total can be computed for a batch:
different types of control total that • Financial totals: the rand value of the amount to which
can be calculated: financial totals, each of the workers is entitled, as it appears on the 15
hash totals and record counts. clock cards, is totalled.
• Cash totals: arbitrarily chosen numerical fields on the
clock cards are added, for example the employee
numbers that appear on the clock cards.
• Record count: count how many physical records there
are in the batch – e.g. there are 15 clock cards in the
batch, so the record count is 15.
Remember that these control totals serve no purpose
unless the system computes them later and compares
them with the original control totals. Control totals should
therefore be compared and calculated before and after
input, before and after processing and before and after
output to ensure that the data are still accurate, complete,
occurred and are authorised and that nothing has been
added or erased.
(Data preparation – occurrence and authorisation,
accuracy, completeness)

A batch control sheet must be There are 15 clock cards in the batch. A batch control
prepared and attached to a batch. sheet is attached to the front of each batch. The following
information appears on the batch control sheet: the batch
number (e.g. 234), the batch size (e.g. 15), what the batch
consists of (e.g. clock cards), the fields where the control
totals can be filled in before and after processing, and
before and after output. The batch control sheet could
also contain a space for the signature of the person dealing
with the batch. The batch control sheet accompanies
the batch throughout the input, processing and output
processes. This is a control that monitors the progress of
the batch during the process.
(Data preparation – accuracy, completeness)

196
 Control Explanation of control with reference to an example

A batch register must be used to The following is an example of a batch register:

document the physical progress of
a batch. Batch
Details Input Processing Output
no.
15 clock
1 Mrs Z Mr O
cards
2
3
4

lt is clear from the above representation that batch no. 1

is in the processing stage, with Mr O.
(Processing – occurrence and authorisation, accuracy
and completeness)

Details of the batch must be captured The batch details and initial control totals calculated
on a computer to create a batch before input are entered on the computer by keystroke
header label. entry. This is a machine-readable record containing the
following, for example: 15 clock cards. Control total before
input: 567 989.
(Data preparation, keystroke entry – occurrence and
authorisation, accuracy and completeness)

Records in the batch must be As information is entered, the computer carries out
captured on computer and subjected preprogrammed checks. For example, the computer has
to programmed validation controls. been preprogrammed to ensure that wage workers may
not clock more than 8 hours a day. lf a clock card on which
a worker has clocked more than 10 hours is entered, the
computer displays an error message. This test is known as
a limit test. Programmed validation controls are discussed
in detail later on.
(Keystroke data entry – occurrence and authorisation,
accuracy)

Once all the records in the batch After input the computer automatically recalculates the
have been keyed in, the computer control total, say as 567 989. The batch header label is then
must compute its own control total automatically updated. The control total that was keyed in
on the basis of the information that on the batch header label before input is compared with
has been captured. The computer the control total calculated by the computer after input.
then compares this total with the (Keystroke data entry – occurrence and authorisation,
manually calculated control total accuracy and completeness)
calculated by the user before input
into the computer. The batch header
label is then automatically updated
with the control total calculated by
the computer.

197 AUE3701/1
 Control Explanation of control with reference to an example

lf the control totals agree, the batch lf the manually calculated control total of 567 989 agrees
is accepted for processing. lf they with the computer-calculated control total after input,
don’t agree the batch is rejected and the user has the assurance that all the information is still
returned for correction. accurate, valid and complete and that processing can
proceed.
(Keystroke data entry – occurrence and authorisation,
accuracy and completeness)

The computer-calculated control The computer-calculated control total of 567 989 is

totals must be updated on the batch updated on the batch header label, after which the
header label. The batches can then computer can calculate the control total throughout the
go through the rest of the process. process. That is, the computer recalculates the control
total during input, processing and output to ensure that
the control total of 567 989 remains unchanged.
(Processing and output – occurrence and authorisation,
accuracy and completeness)

Access controls

Access to a particular application Mrs R and Mr J are the only members of staff who work
must be restricted. with the wages and salary application. A control can
therefore be introduced to ensure that this application
can only be accessed from Mrs R and Mr J’s computers.
(Master file amendments, keystroke data entry, online
input and output – occurrence and authorisation)

Access to computers that contain Mrs R and Mr J’s offices, where their computers are housed,
sensitive applications must be must be locked at all times, if they are not present. Nobody
restricted. else (except security officers in emergencies) may possess
a duplicate key.
(Master file amendments, keystroke data entry, online
input and output – occurrence and authorisation)

Access must be restricted by means Mrs R is responsible for all matters concerning wages in
of user profiles or access tables the wages and salaries application. Mr J is only concerned
at both the systems level and the with salaries in the wages and salaries application. At
application level. systems level, access to the system can be controlled by
instituting user identities for Mrs R and Mr J. At application
level, access to the wages and salaries application is
restricted to Mrs R and Mr J. Access to all wage functions
is further restricted to Mrs R and access to all salaries
functions to Mr J.
(Master file amendments, keystroke data entry, online
input and output – occurrence and authorisation)

198
 Control Explanation of control with reference to an example

Computer time-out facilities lf Mrs R does not work on the payroll functions for 15
and automatic time-out should minutes, the computer will automatically shut down.
come into operation as soon as She will only be able to gain access again by logging on
unauthorised access is obtained. and keying in her password. lf the computer suspects
that someone other than Mrs R is working on the payroll
functions, the computer will automatically shut out further
actions and no further actions will be permitted.
(Master file amendments, keystroke data entry, online
input and output – occurrence and authorisation)

User lD and computer logging of all The computer automatically logs the identities of all users
activities must be introduced. who have accessed the payroll functions as well as all the
activities carried out on the payroll functions by these
users. This log must be inspected by senior management
at the end of each week. lf this log indicates that a user
other than Mrs R has accessed the payroll functions, this
must be followed up immediately since it could indicate
fraud.
(Master file amendments, keystroke data entry, online
input and output – occurrence and authorisation)

Screen aids

Keying in the minimum information lf a sales invoice is keyed in, the client’s name and address
will automatically appear as soon as the client number
is keyed in. Because the name and address appear
automatically, possible transcription errors are avoided.
(Keystroke data entry – accuracy)

Fields on the computer screen must The information on the sales invoice is given in the
appear in the same sequence as in following sequence: debtor’s name, debtor code, sales
the source document. item(s), quantity sold etc. The computer screen must
display the information in the same sequence in order
to make keying in easier.
(Keystroke data entry – accuracy)

Screen format: the computer screen The computer screen must look exactly the same as the
must be formatted in the same sales invoice. For example, spaces must appear in exactly
way as the hard copy of the source the same places – if the sales invoice allows 10 spaces for
document. the client code, the computer screen must also show 10
spaces.
(Keystroke data entry – accuracy)

Screen dialogue and prompts An input clerk is requested by senior management to

adjust a debtor’s outstanding balance. The computer
guides the input clerk through the input process. The
cursor moves from one input field to the next to show
the clerk where to key in the information.
(Master file amendments – accuracy)

199 AUE3701/1
 Control Explanation of control with reference to an example

Mandatory fields The sales document is entered and the clerk confirms
complete input by pressing the “enter” key on the
keyboard. However, the computer displays an error
message: “Not all mandatory fields have been keyed in,
please enter the client code”. The computer will not allow
the clerk to key in any other sales documents before the
compulsory client code has been entered.
(Keystroke data entry – accuracy, completeness)

Verbal confirmation of data An enterprise receives all customer orders by telephone.

After the orders have been taken, the input operator reads
the details of the order back to the client to confirm that
the correct information has been keyed in.
(Online input – accuracy)

Shading of fields A customer’s account number and details are shaded and
cannot be changed if “clicked on”.
(Keystroke data entry – accuracy)

Programme checks

Alpha-numeric check Certain input fields may only consist of numbers and
others only of alphabetical letters. Some fields may
contain a combination of numerical and alphabetical
characters. For example, if the number of hours on a clock
card is entered on the computer as 3a instead of 31, the
computer will display an error message, since that field
may only contain numerical characters.
(Keystroke entry of data – accuracy)

Range test The computer is programmed to display an error message

if the field that is filled in falls outside predetermined
minimum and maximum values. The quantity of items
ordered per a sales order form may not be less than 1
and may not exceed 50 items. Therefore, if 51 items are
keyed in, the computer will display an error message. In
addition, if 0.5 items are keyed in, the computer will also
display an error message.
(Keystroke data entry – accuracy)

Limit check The limit of a total that may be entered is predetermined.

For example, the number of hours worked per week as
entered on the clock card must not be more than 40.
Therefore, if 41 are keyed in, the computer will display
an error message.
(Keystroke data entry – accuracy)

200
 Control Explanation of control with reference to an example

Check digit The computer calculates a check digit on the basis of

the logical relationship between the characters in a
field. An extra check digit is attached to the end of the
characters of a field. For example, an enterprise that sells
spares allocates spares numbers to each type of product.
An initial check digit is attached to the end of a spares
number. When the spares number is input during a sales
transaction, the computer recalculates the check digit and
compares it with the check digit initially allocated to the
spares number. lf they differ, the computer displays an
error message that could indicate that an error has been
made during the entry of the spares number.
(Keystroke data entry – accuracy)

Size check Certain input fields must contain a certain number of

characters. lf an employee number should consist of 8
characters, a field size check will be carried out to ensure
that 7 or 9 characters are not keyed in.
(Keystroke data entry – accuracy)

Missing data check/Mandatory field This check detects blank fields. For example, it is a
check requirement that an employee number should be keyed
into the appropriate field when clock cards are entered.
lf this field is not keyed in and the input clerk wants to
continue processing the clock card, the computer will
display an error message and request the clerk to fill in
the blank field first.
(Keystroke data entry – completeness)

Reasonableness check/Consistency lt is possible that the clock card of a half-day wage worker
check may pass the limit test if it shows 40 working hours for the
week. (According to the limit test the number of working
hours per week must be 40 or less.) However, the clock
card would not pass the reasonableness check, because
the computer would compare the number of working
hours with the employee’s status – for example a half-day
wage worker may only work 20 or less hours per week.
(Keystroke data entry – occurrence and authorisation,
accuracy and completeness)

Sequence check Your enterprise employs 20 wage workers. Their clock card
numbers are 1-20. lf the clock cards are keyed in weekly
but clock card 11 is not keyed in, the sequence test will
detect the error.
(Keystroke data entry – completeness)

201 AUE3701/1
 Control Explanation of control with reference to an example

Verification check/Validation check The computer saves a list of valid debtors’ numbers in a
masterfile. lf orders are placed telephonically and entered
by the telephone operator, the following situation may
arise: a telephonic order is only accepted if a client gives
his debtor’s number and it is accepted by the computer
system. As soon as the debtor’s number is keyed in, the
computer compares it with a list of valid debtors’ numbers.
lf the computer finds that no such debtor’s number exists,
this could mean that the clerk has made an error with the
input of the number or that the client has supplied an
invalid debtor’s number.
(Online input – occurrence and authorisation,
accuracy)

Data approval check/uthorisation The computer determines whether the transaction that
check has been entered is feasible, in other words whether it
complies with management’s policy and conditions. lt
could, for example, be management policy that a person
may not buy on credit if his account is more than 120
days in arrears. lf a sales invoice has been keyed in, the
computer will check whether the client’s account is more
than 120 days in arrears before approving the transaction.
(Keystroke data entry – occurrence and authorisation,
accuracy)

lnternal label check An internal label of a salary file will contain the name
and date of the file. lf the inventory masterfile has to be
updated with the monthly sales transactions but the salary
file is accidentally loaded for this process, the computer
will read the salary file’s internal label and immediately
indicate that the wrong file is being used to update the
inventory masterfile.
(Processing – occurrence and authorisation)

Generation number check This test ensures that the correct version of the file has
been loaded. ln other words, this test ensures that the
latest file has been loaded and not an old version. The
salaries masterfile that has to display the total income for
each employee up to the present for the 2012 financial
year is updated monthly with the latest salary file. Three
versions of the salaries masterfile are kept up to date on
a grandfather, father and son basis. lf an older version of
the salaries masterfile (e.g. the father file) is used to create
the latest masterfile by updating it with the salaries file,
the computer will immediately detect that the wrong
generation of file (e.g. the father file instead of the son
file) has been used.
(Processing – occurrence and authorisation)

202
 Control Explanation of control with reference to an example

Retention date check This is a test that a computer performs on a file to

determine whether the file has already expired. For
example, if the inventory masterfile has to be updated
with the monthly sales file, the computer will check
whether the file covers the correct sales period that must
be used during processing. lf the sales file for the period 01
January to 31 January 2012 should be used, the computer
will immediately detect the error if a sales file for the
period 01 January to 31 January 2011 is used instead.
(Processing – occurrence and authorisation)

Arithmetic accuracy check When clock cards are captured the hourly tariff is
multiplied by the number of hours worked: for example,
R20 per hour x 6 hours = R120. The multiplication is now
reversed and the answers compared to ensure that the
answer has been correctly calculated, in other words:
120/6 hours = 20.
(Keystroke data entry – accuracy)

Cross cast/accuracy test Study the following representation:

Gross Less Net
Worker Less tax
salary medical salary
X 100k 10k 20k 70k
Y 90k 10k 10k 70k
Z 80k 10k 5k 65k
Total 205k

To test the result of 205, the computer will add the totals of
the columns and use these totals to recalculate the total of
the net salaries (see the schematic representation below).
Gross Less Net
Worker Less tax
salary medical salary
X 100k 10k 20k 70k
Y 90k 10k 10k 70k
Z 80k 10k 5k 65k
Total 270k 30k 35k 205k

(Keystroke data entry – accuracy, completeness,

occurrence)

203 AUE3701/1
 Control Explanation of control with reference to an example

Run-to-run totals A final debtors balance (total of the balances of the

individual debtors’ accounts) after processing is tested
as follows: the total of the opening balances of individual
debtors accounts plus the total of the sales transactions,
minus the total payments received from the debtors is
calculated. The final debtors balance calculated in this way
is compared with the balance calculated after processing
the individual debtors’ accounts.
The following test would be carried out by the computer,
for example, to determine whether the processing result
is correct:
Opening balance of individual debtors accounts R180k
Plus: Total of sales transactions R180k
Minus: Total of debtors payments R50k
Total: R310k
The result of the above calculation of R310k is compared
with the closing balances of the individual debtors’
accounts, namely:
Debtor A: R130k
Debtor B: R100k
Debtor C: R80k
Total: R310k
(Processing – accuracy, completeness, occurrence)

Matching check The computer matches the details of an invoice received

from a supplier to the corresponding goods received note
(GRN) held in a suspense file on the system.
(Keystroke data entry – occurrence and authorisation,
accuracy)

Dependency check XYZ (Pty) Ltd allocates a credit limit to a debtor based on
its assigned status. An A-rated debtor can be allocated
a credit limit of R100 000 and a B-rated debtor a credit
limit of R50 000. Mr V captured a credit limit of R100 000
for a B-rated debtor. The system performs a dependency
check and displays a fault message.
(Keystroke data entry – occurrence and authorisation)

Valid character and sign check An employee number captured onto the system cannot
contain a minus (–) sign.
(Keystroke data entry – accuracy)

204
 Control Explanation of control with reference to an example

Logs and reports

Audit trails The computer provides a table with interest rates used
for levying interest on arrear accounts. These tables can
be studied by the senior manager to determine whether
the correct interest rates have been applied.
(Processing – occurrence and authorisation, accuracy,
completeness)

Run-to-run balancing reports These are computer-generated reports that provide

evidence that the opening balances of debtors have been
updated with sales and back payment transactions to
reflect the correct debtors’ closing balances.
(Processing – accuracy, completeness)

Override reports This is a report listing all controls that have not been
complied with and that therefore blocked the processing
of transactions, although the transactions were eventually
authorised and accepted by management. For example,
an employee on the lowest wage scale may not receive
a wage of more than R5 000 per week. A clock card is
processed and an error message displayed because an
employee has received a wage of R6 000. The senior
manager investigates the incident and ultimately approves
it because the worker worked overtime. This action by the
senior manager appears on a report and is checked by
an independent senior member of staff.
(Processing – occurrence and authorisation)

Exception reports An exception report is a report listing all transactions that

fell outside the parameters of the programmed computer
controls but that were eventually processed. For example,
all the clock cards that show more than 40 hours per
week and therefore fall outside the predetermined limit
of a maximum of 40 hours per week will appear on an
exception report.
(Processing – occurrence and authorisation, accuracy)

Before-and-after images A record is kept of database information before and after

updating, for example a database of debtors’ closing
balances before and after updating. lf it is established
that errors occurred during the updating of the debtors’
database, the database as it was before the updating can
be used again.
(Processing – occurrence and authorisation, accuracy,
completeness)

205 AUE3701/1
 Control Explanation of control with reference to an example

Activity reports This is a report showing all the activities on an application,

for example the payroll application. lt indicates who used
the application, and when and for how long they used it.
For example, if Mrs V always amends the masterfile on
the payroll application around midnight, and usually over
weekends, this may be a sign that unauthorised changes
were made.
(Master file amendments – occurrence and
authorisation)

Computer-generated transaction lf a computer automatically updates the inventory system

listing after the updating of all sales transactions, the computer
will automatically place new orders for inventory that has
reached a specific predetermined minimum quantity.
A report showing these automatically generated
transactions can be requested for review.
(Processing – occurrence and authorisation, accuracy,
completeness)

Access/violation reports This is a report showing all unauthorised users who, for
example, accessed the company’s bank account and
performed electronic fund transfers.
(Processing – occurrence and authorisation)

Output handling controls

Clear report identification The following information must appear on the front cover
of the report on the ten top-selling items:
TOP 10 BEST SELLERS
FOR THE PERlOD: 01 APRlL 2012–12 APRlL 2012
REPORT CREATED ON 12 APRlL 2012 AT 14:00
Each page of the report must be numbered in sequence,
to prevent the unauthorised removal of pages.
(Output – correct and confidential distribution,
completeness)

A distribution matrix must be The output clerk must draw up a list of all the types of
compiled. report that will be printed by a computer and the people
who are authorised to receive these reports.
(Output – correct and confidential distribution)

Output must be recorded in A dispatch register must be compiled. As soon as the

a dispatch register to control output clerk hands the report on the top 10 best sellers
movement. to Mr B, the description of the report must be recorded
in the register, after which Mr B must sign the register as
acknowledgement of receipt.
(Output – correct and confidential distribution)

The design of stationery must The salary slips printed must be of the “sealed envelope”
promote confidentiality. type.
(Output – correct and confidential distribution)

206
 Control Explanation of control with reference to an example

Confidential information for If an employee requires that a soft copy of his salary slip
employees should not be e-mailed should be e-mailed to him, this e-mail should only be
to their work PCs. sent to his personal PC.
(Output – correct and confidential distribution)

The print function for the printing Salary slips may only be printed on the printer in the office
of confidential information must be of the Head of Human Resource Management.
restricted to printers that are under (Output – correct and confidential distribution)
the supervision of appropriate
officials.

All output which is not required lf a second copy of salary slips is printed with carbon paper
must be shredded. but not used, it must be destroyed to ensure that it is not
examined or used by unauthorised users.
(Output – correct and confidential distribution)

Reconciliation and review

The control clerk reviews output A list of output that has been printed must be reviewed
and processing activity reports. by the control clerk to ensure that all output requested
has been printed.
(Output – accuracy)

The control clerk compares the The financial control total calculated during the input of
control totals from processing with the clock cards is 50 989. After processing, the financial
the input control totals. control total is calculated again and compared with the
original control total of 50 989.
(Processing – accuracy, completeness, occurrence)

The control clerk performs The control clerk checks the numerical sequence of the
sequence checks. clock cards and ensures that clock cards 1–20 for the 20
wage workers employed have been processed.
(Processing – completeness)

The control clerk performs a Cheques are issued for the payment of creditors. lf 30
document count on ancillary creditor payments are processed, the control clerk must
output. ensure that 30 cheques have been printed.
(Output – completeness, occurrence)

The user departments review Salary payments are processed and the output is shown
output for reasonableness. on the computer screen before the salary slips are printed.
The human resource manager studies the information
on the computer screen and notes that 20% of the
salaries that are being paid out are less than R10. This is
unreasonable and requires further investigation.
(Output – accuracy, completeness)

207 AUE3701/1
 Control Explanation of control with reference to an example

User departments must reconcile The foreman calculates that the wage workers have
manually calculated totals with collectively worked 6 000 hours. These 6 000 hours must
computer-generated totals. be reconciled with the total number of hours worked and
shown on the computer-generated wage report.
(Output – accuracy, completeness, occurrence)

User departments must reconcile The fixed assets purchases report indicates that 10
reports with source documents or new computers were purchased for the factory. The
physical assets. information on the report can be physically checked by
drawing the purchases invoices or walking across to the
factory to verify that the 10 new computers have in fact
been purchased.
(Output – accuracy, occurrence)

208